
LB replacing Sangfor AD: some web pages accessed across virtual servers are intermittently unreachable


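Problem description

The Sangfor AD was configured with multiple VIP addresses sharing one service, with multiple real servers at the back end, and the business ran normally. After switching to our company's LB, the business was intermittently reachable, and the cause needed to be analyzed.

Analysis

1. Sangfor AD processes a virtual service by matching the pre-rules first and then the node pool, so these two parts of the configuration were checked first;

2. The check showed that a round-robin IP mechanism was in use and that session persistence was based on source IP; other underlying mechanisms are not yet known;

3. For the multiple VIPs and multiple real servers, our configuration did use a sticky group, but no cross-virtual-server sticky group was configured;

Conclusion: if a cross-virtual-server sticky group is not configured, a session may be sent to different real servers, causing forwarding failures. Enabling the cross-virtual-server sticky group resolves this problem.

Solution

The corresponding Sangfor AD configuration (the main points of the JSON file are listed):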

  "/slb/virtual-service": [
    {
      "name": "HTTP-HTTPS-EZProxy",
      "description": "***.***",
      "state": "ENABLE",
      "service": "TCP-PROXY",
      "vips": [
        "60.190.224.201",
        "60.190.224.202",
        "210.33.7.201",
        "210.33.7.202"
      ],
      "vports": [
        "80",
        "443"
      ],
      "pool": "BlankNode", // node pool
      "pre_rules": [
        "http-https-***.***" // pre-rule
      ],
      "tcp_sched_stream_cache": {
        "state": "DISABLE"
      },
      "snat": "DISABLE",
      "dnat": "ENABLE",
      "dnat_translated_address": "",
      "dnat_translated_port": 0,
      "tcp_profile": "七层虚拟服务TCP策略",
      "ssl_server_profiles": [],
      "qos_profile": "QoS流量控制",
      "connection_limits_type": "SINGLE-SOURCE-IP",
      "connection_limits": [],
      "ipros": [],
      "icon": "ICON17",
      "source_port": "PRESERVE",
      "session_sync": "GLOBAL",
      "autolasthop": "GLOBAL",
      "notify_status_to_vip": "ENABLE",
      "inbound_links": [
        "ALL"
      ]
    }

————————————————————————————————————————————————————————————

  "/slb/pool": [
    {
      "name": "LAN-EZProxy",
      "description": "EZproxy",
      "method": "ROUND-ROBIN",
      "priority_level_available_node": 0,
      "persist": "sourceip", // session persistence setting
      "alternate_persist": "NONE",
      "service_monitors": [
        "http-***.***",
        "https-***.***"
      ],
      "available_requirement": 1,
      "node_up_delay": 0,
      "slow_ramp_time": 0,
      "recover_by_manual": "DISABLE",
      "recover_by_timer": "DISABLE",
      "busy_process_policy": "IGNORE-BUSY",
      "connection_statistic": "COMPLETED",
      "schedule_by_connect": "DISABLE",
      "nodes": [
        {
          "name": "172.16.11.230_0",
          "description": "",
          "address": "172.16.11.230",
          "port": 0,
          "state": "OFFLINE",
          "weight": 10,
          "priority_level": 1,
          "connection_limit": 0,
          "connection_rate_limit": 0,
          "request_rate_limit": 0,
          "COOKIE": 81574472,
          "node_variable": "",
          "inherit_pool_monitor": "ENABLE",
          "service_monitors": [],
          "available_requirement": 0,
          "associated_domain": "",
          "type": "ADDRESS",
          "recover_by_manual": "DISABLE"
        },
        {
          "name": "172.16.11.231_1",
          "description": "",
          "address": "172.16.11.231",
          "port": 0,
          "state": "ENABLE",
          "weight": 10,
          "priority_level": 1,
          "connection_limit": 0,
          "connection_rate_limit": 0,
          "request_rate_limit": 0,
          "COOKIE": 52896716,
          "node_variable": "",
          "inherit_pool_monitor": "ENABLE",
          "service_monitors": [],
          "available_requirement": 0,
          "associated_domain": "",
          "type": "ADDRESS",
          "recover_by_manual": "DISABLE"
        },
        {
          "name": "172.16.11.232_2",
          "description": "",
          "address": "172.16.11.232",
          "port": 0,
          "state": "ENABLE",
          "weight": 10,
          "priority_level": 1,
          "connection_limit": 0,
          "connection_rate_limit": 0,
          "request_rate_limit": 0,
          "COOKIE": 42016505,
          "node_variable": "",
          "inherit_pool_monitor": "ENABLE",
          "service_monitors": [],
          "available_requirement": 0,
          "associated_domain": "",
          "type": "ADDRESS",
          "recover_by_manual": "DISABLE"
        },
        {
          "name": "172.16.11.233_3",
          "description": "",
          "address": "172.16.11.233",
          "port": 0,
          "state": "ENABLE",
          "weight": 10,
          "priority_level": 1,
          "connection_limit": 0,
          "connection_rate_limit": 0,
          "request_rate_limit": 0,
          "COOKIE": 49033824,
          "node_variable": "",
          "inherit_pool_monitor": "ENABLE",
          "service_monitors": [],
          "available_requirement": 0,
          "associated_domain": "",
          "type": "ADDRESS",
          "recover_by_manual": "DISABLE"
        },
        {
          "name": "172.16.11.234_4",
          "description": "",
          "address": "172.16.11.234",
          "port": 0,
          "state": "ENABLE",
          "weight": 10,
          "priority_level": 1,
          "connection_limit": 0,
          "connection_rate_limit": 0,
          "request_rate_limit": 0,
          "COOKIE": 49881958,
          "node_variable": "",
          "inherit_pool_monitor": "ENABLE",
          "service_monitors": [],
          "available_requirement": 0,
          "associated_domain": "",
          "type": "ADDRESS",
          "recover_by_manual": "DISABLE"
        },
        {
          "name": "172.16.11.235_5",
          "description": "",
          "address": "172.16.11.235",
          "port": 0,
          "state": "ENABLE",
          "weight": 10,
          "priority_level": 1,
          "connection_limit": 0,
          "connection_rate_limit": 0,
          "request_rate_limit": 0,
          "COOKIE": 93516441,
          "node_variable": "",
          "inherit_pool_monitor": "ENABLE",
          "service_monitors": [],
          "available_requirement": 0,
          "associated_domain": "",
          "type": "ADDRESS",
          "recover_by_manual": "DISABLE"
        },
        {
          "name": "172.16.11.236_6",
          "description": "",
          "address": "172.16.11.236",
          "port": 0,
          "state": "ENABLE",
          "weight": 10,
          "priority_level": 1,
          "connection_limit": 0,
          "connection_rate_limit": 0,
          "request_rate_limit": 0,
          "COOKIE": 42560422,
          "node_variable": "",
          "inherit_pool_monitor": "ENABLE",
          "service_monitors": [],
          "available_requirement": 0,
          "associated_domain": "",
          "type": "ADDRESS",
          "recover_by_manual": "DISABLE"
        },
        {
          "name": "172.16.11.237_7",
          "description": "",
          "address": "172.16.11.237",
          "port": 0,
          "state": "ENABLE",
          "weight": 10,
          "priority_level": 1,
          "connection_limit": 0,
          "connection_rate_limit": 0,
          "request_rate_limit": 0,
          "COOKIE": 38681486,
          "node_variable": "",
          "inherit_pool_monitor": "ENABLE",
          "service_monitors": [],
          "available_requirement": 0,
          "associated_domain": "",
          "type": "ADDRESS",
          "recover_by_manual": "DISABLE"
        },
        {
          "name": "172.16.11.238_8",
          "description": "",
          "address": "172.16.11.238",
          "port": 0,
          "state": "ENABLE",
          "weight": 10,
          "priority_level": 1,
          "connection_limit": 0,
          "connection_rate_limit": 0,
          "request_rate_limit": 0,
          "COOKIE": 81202878,
          "node_variable": "",
          "inherit_pool_monitor": "ENABLE",
          "service_monitors": [],
          "available_requirement": 0,
          "associated_domain": "",
          "type": "ADDRESS",
          "recover_by_manual": "DISABLE"
        },
        {
          "name": "172.16.11.239_9",
          "description": "",
          "address": "172.16.11.239",
          "port": 0,
          "state": "ENABLE",
          "weight": 10,
          "priority_level": 1,
          "connection_limit": 0,
          "connection_rate_limit": 0,
          "request_rate_limit": 0,
          "COOKIE": 77539816,
          "node_variable": "",
          "inherit_pool_monitor": "ENABLE",
          "service_monitors": [],
          "available_requirement": 0,
          "associated_domain": "",
          "type": "ADDRESS",
          "recover_by_manual": "DISABLE"
        },
        {
          "name": "172.16.11.240_10",
          "description": "",
          "address": "172.16.11.240",
          "port": 0,
          "state": "ENABLE",
          "weight": 10,
          "priority_level": 1,
          "connection_limit": 0,
          "connection_rate_limit": 0,
          "request_rate_limit": 0,
          "COOKIE": 24571952,
          "node_variable": "",
          "inherit_pool_monitor": "ENABLE",
          "service_monitors": [],
          "available_requirement": 0,
          "associated_domain": "",
          "type": "ADDRESS",
          "recover_by_manual": "DISABLE"
        }
      ]
    }

——————————————————————————————————————————————————

  "/slb/pool": [
    {
      "name": "BlankNode",
      "description": "空节点",
      "method": "ROUND-ROBIN",
      "priority_level_available_node": 0,
      "persist": "NONE",
      "alternate_persist": "NONE",
      "service_monitors": [],
      "available_requirement": 0,
      "node_up_delay": 0,
      "slow_ramp_time": 0,
      "recover_by_manual": "DISABLE",
      "recover_by_timer": "DISABLE",
      "busy_process_policy": "RETURN-FAILED",
      "connection_statistic": "COMPLETED",
      "schedule_by_connect": "DISABLE",
      "nodes": [
        {
          "name": "127.0.0.0",
          "description": "",
          "address": "127.0.0.0",
          "port": 0,
          "state": "ENABLE",
          "weight": 1,
          "priority_level": 1,
          "connection_limit": 0,
          "connection_rate_limit": 0,
          "request_rate_limit": 0,
          "COOKIE": 38220429,
          "node_variable": "",
          "inherit_pool_monitor": "ENABLE",
          "service_monitors": [],
          "available_requirement": 1,
          "associated_domain": "",
          "type": "ADDRESS",
          "recover_by_manual": "DISABLE"
        }
      ]

—————————————————————————————————————————————————————

  "/slb/pre-rule/tcp-proxy": [
    {
      "name": "http-https-***.***",
      "description": "",
      "service": "TCP-PROXY",
      "source_address": {
        "type": "ALL"
      },
      "tcp_stream_rule": {
        "mode": "NONE",
        "case_sensitive": "DISABLE"
      },
      "action": "SCHED-POOL",
      "sched_pool": "LAN-EZProxy",
      "sched_failure": "NEXT-RULE"
    },

————————————————————————————————————————————————————

  "/slb/tcp-profile/l7-proxy": [
    {
      "name": "七层虚拟服务TCP策略",
      "description": "",
      "type": "L7-PROXY",
      "idle_timeout": 600,
      "timewait_timeout_ms": 10000,
      "syn_timeout": 75,
      "maximum_segment_size": 1460,
      "time_stamp": "DISABLE",
      "service_unavailable_refuse_connection": "NONE",
      "close_node_connection_with_rst": "ENABLE",
      "close_client_connection_with_rst": "ENABLE",
      "node_fault_close_connection": "DISABLE",
      "timewait_recycle": "ENABLE",
      "delay_ack": "ENABLE",
      "sack_support": "ENABLE",
      "dsack_support": "DISABLE",
      "maximum_syn_retransmission_times": 8,
      "maximum_seg_retransmission_times": 8,
      "maximum_fin_retransmission_times": 8,
      "receive_window_scale": 0,
      "initial_receive_window_size": 65535,
      "min_retran_time": 250,
      "tcp_options": [],
      "fast_tcp": "DISABLE",
      "connection_pool": {
        "state": "DISABLE"
      },
      "reset_invalid_connection": "ENABLE",
      "lastack_close_timeout_ms": 0,
      "default": "READONLY",
      "keep_alive_interval": 60,
      "zero_window_timeout": 20
    }
  ]



Our company's corresponding configuration (matching the Sangfor AD configuration above):

sticky-group sourceip_ipv4_tcp type address-port
 override-limit enable
 match-across-virtual-server enable
 ip source
 timeout 86400
#
server-farm lan-ezproxy
 description EZProxy
 probe tcp-443
 probe tcp-80
 success-criteria at-least 1
 real-server 172.16.11.230 port 0
  weight 10
  success-criteria at-least 1
 real-server 172.16.11.231 port 0
  weight 10
  success-criteria at-least 1
 real-server 172.16.11.232 port 0
  weight 10
  success-criteria at-least 1
 real-server 172.16.11.233 port 0
  weight 10
  success-criteria at-least 1
 real-server 172.16.11.234 port 0
  weight 10
  success-criteria at-least 1
 real-server 172.16.11.235 port 0
  weight 10
  success-criteria at-least 1
 real-server 172.16.11.236 port 0
  weight 10
  success-criteria at-least 1
 real-server 172.16.11.237 port 0
  weight 10
  success-criteria at-least 1
 real-server 172.16.11.238 port 0
  weight 10
  success-criteria at-least 1
 real-server 172.16.11.239 port 0
  weight 10
  success-criteria at-least 1
 real-server 172.16.11.240 port 0
  weight 10
  success-criteria at-least 1
#
virtual-server http-https-ezproxy type tcp
 port 80 443
 virtual ip address 60.190.224.202
 default server-farm lan-ezproxy sticky sourceip_ipv4_tcp
 rate-limit bandwidth inbound 204800 kbps
 rate-limit bandwidth outbound 204800 kbps
 connection-sync enable
 sticky-sync enable global
 vrrp vrid 4 interface Ten-GigabitEthernet1/3/3
 application-mode enable
 service enable
#
virtual-server http-https-ezproxy1 type tcp
 port 80 443
 virtual ip address 60.190.224.201
 default server-farm lan-ezproxy sticky sourceip_ipv4_tcp
 rate-limit bandwidth inbound 204800 kbps
 rate-limit bandwidth outbound 204800 kbps
 connection-sync enable
 sticky-sync enable global
 vrrp vrid 4 interface Ten-GigabitEthernet1/3/3
 application-mode enable
 service enable
#
virtual-server http-https-ezproxy3 type tcp
 port 80 443
 virtual ip address 210.33.7.201
 default server-farm lan-ezproxy sticky sourceip_ipv4_tcp
 rate-limit bandwidth inbound 204800 kbps
 rate-limit bandwidth outbound 204800 kbps
 connection-sync enable
 sticky-sync enable global
 vrrp vrid 3 interface Ten-GigabitEthernet1/3/2
 application-mode enable
 service enable
#
virtual-server http-https-ezproxy4 type tcp
 port 80 443
 virtual ip address 210.33.7.202
 default server-farm lan-ezproxy sticky sourceip_ipv4_tcp
 rate-limit bandwidth inbound 204800 kbps
 rate-limit bandwidth outbound 204800 kbps
 connection-sync enable
 sticky-sync enable global
 vrrp vrid 3 interface Ten-GigabitEthernet1/3/2
 application-mode enable
 service enable
#
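
An added example (not code from the original case and not vendor tooling): a small Python check that reads a configuration in the command syntax shown above and flags any sticky group referenced by more than one virtual server without `match-across-virtual-server enable`, which is the condition the conclusion identifies. The function name `audit_sticky_groups` and the sample input are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the syntax shown on this page: the pre-fix state,
# i.e. the sticky group without "match-across-virtual-server enable".
SAMPLE = """\
sticky-group sourceip_ipv4_tcp type address-port
 ip source
 timeout 86400
#
virtual-server http-https-ezproxy type tcp
 virtual ip address 60.190.224.202
 default server-farm lan-ezproxy sticky sourceip_ipv4_tcp
#
virtual-server http-https-ezproxy3 type tcp
 virtual ip address 210.33.7.201
 default server-farm lan-ezproxy sticky sourceip_ipv4_tcp
#
"""

def audit_sticky_groups(config: str) -> dict:
    """Return {sticky_group: [virtual servers]} for every sticky group that is
    shared by more than one virtual server but does not enable
    match-across-virtual-server."""
    across = {}                 # sticky group -> cross-VS matching enabled?
    users = defaultdict(list)   # sticky group -> virtual servers that use it
    kind = name = None          # the section currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():                    # a new top-level section
            m = re.match(r"(sticky-group|virtual-server)\s+(\S+)", line)
            kind, name = m.groups() if m else (None, None)
            if kind == "sticky-group":
                across[name] = False
        elif kind == "sticky-group" and line == "match-across-virtual-server enable":
            across[name] = True
        elif kind == "virtual-server":
            m = re.match(r"default server-farm \S+ sticky (\S+)", line)
            if m:
                users[m.group(1)].append(name)
    return {g: vs for g, vs in users.items()
            if len(vs) > 1 and not across.get(g, False)}

if __name__ == "__main__":
    for group, servers in audit_sticky_groups(SAMPLE).items():
        print(f"{group}: shared by {servers} without match-across-virtual-server")
```

Run against the corrected configuration above, which contains `match-across-virtual-server enable`, the function returns an empty result.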
