Using a Cisco ACE 4710 to load balance a Siemens Simatic 400 PLC

Using a Cisco ACE 4710 to load balance Siemens Simatic 400 PLCs, the setup is the following: two servers are configured in Active/Passive mode and need to poll two different controllers that monitor the same device on an industrial network.

The Siemens Simatic 400 PLC consists of a chassis with 9 slots, and each slot can be populated with a different module. In our case the following slots were used:

1-2      Power supply
3-4      Polling module (the module that communicates with the actual industrial equipment)
5-6      Network module (provides the FTP, WWW and Modbus servers)

Each module uses the backplane bus to communicate with the others, which causes one of the issues: the IP connection does not fail when the PLC controller (slots 3-4) stops responding. The server still has a Modbus connection to the network module (slots 5-6), but since no data is received from the polling module (3-4), an alert is displayed on the monitoring station, and there is no failover to the second controller because the Siemens PLC controllers are unable to share a virtual IP or exchange status.

To solve this issue, we installed a Cisco ACE 4710 load balancer to create a virtual IP for each Siemens controller pair. The monitoring server polls the VIP and the ACE redirects the connection to the active controller.

Since the communication between the monitoring server and the Siemens PLC uses the Modbus protocol, which is not supported by the ACE, and since the TCP socket remains open after a failure of the Siemens controller, an alternate failure detection method had to be found and put in place.

The Siemens PLC has a web server running with a status page that lists the status of the connected modules. Using a TCL script, the load balancer polls the module's status web page and looks for a failed status code. If there is a failure, the connection is reset by the ACE and the server establishes a new one, which is transferred to the backup controller.

The following is the configuration of the load-balancing context installed on the ACE:

access-list INBOUND line 8 extended permit ip any any

! Load the TCL script Check_status into memory
script file name Check_status

probe scripted test_script
  port 80
  interval 10
  faildetect 1
  passdetect interval 10
  passdetect count 2
  script Check_status "GET /Portal2000.htm HTTP/1.1" text 0

rserver host CTLR1
  ip address 192.168.0.1
  probe test_script
  weight 100
  inservice
rserver host CTLR2
  ip address 192.168.0.3
  probe test_script
  weight 1
  inservice
rserver host CTLR3
  ip address 192.168.0.5
  probe test_script
  weight 100
  inservice
rserver host CTLR4
  ip address 192.168.0.7
  probe test_script
  weight 1
  inservice

serverfarm host V_CTRL1
  failaction purge
  rserver CTLR1
    inservice
  rserver CTLR2
    inservice
serverfarm host V_CTRL2
  failaction purge
  rserver CTLR3
    inservice
  rserver CTLR4
    inservice

class-map type management match-any REMOTE-ADDRESS
  description Remote access traffic
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any
class-map match-all VIP_CTLR1
  2 match virtual-address 192.168.0.2 any
class-map match-all VIP_CTLR2
  2 match virtual-address 192.168.0.6 any

policy-map type management first-match REMOTE_MGNT_ALLOW_POLICY
  class REMOTE-ADDRESS
    permit

policy-map type loadbalance first-match PM_CTRL1
  class class-default
    serverfarm V_CTRL1
policy-map type loadbalance first-match PM_CTRL2
  class class-default
    serverfarm V_CTRL2

policy-map multi-match PM_multi_match
  class VIP_CTLR1
    loadbalance vip inservice
    loadbalance policy PM_CTRL1
    loadbalance vip icmp-reply
  class VIP_CTLR2
    loadbalance vip inservice
    loadbalance policy PM_CTRL2
    loadbalance vip icmp-reply

interface vlan 400
  description Server_side
  ip address 192.168.2.1 255.255.255.0
  no icmp-guard
  access-group input INBOUND
  service-policy input PM_multi_match
  no shutdown
interface vlan 500
  description controller side
  ip address 192.168.0.10 255.255.255.0
  no icmp-guard
  access-group input INBOUND
  no shutdown

The standard Cisco script HTTPCONTENT_PROBE has been modified to detect the status change of the controller installed in slots 3-4 of the Siemens chassis. It validates the status of the WWW server as well as the error code for a failed module. The lines added to the stock script are marked with a "MODIFIED" comment; the actual search field is the HTML fragment in the last regexp.

#!name = HTTPCONTENT_PROBE
########################################################################################
#
# Description :
#    Script sends a http 1.0 GET request to a webserver to test if the server return
#    page is certain content-type. Probe success only if server returns the Content-type
#    header with a configured value.
#
# ACE version :
#   1.0+
#
# Parameters :
#   <requestHeader> <expectFileType> [debugFlag]
#     requestHeader  - HTTP request to send e.g "GET /yahoo.html HTTP/1.0"
#     expectFileType - file type expected e.g text
#     debugFlag      - default 0. Do NOT turn on while multiple probes are configured
#
# Example config :
#   probe httpProbe script
#         script HTTPCONTENT_PROBE "GET /index.html HTTP/1.0" text [0]
# OR
#   probe httpProbe script
#         script HTTPCONTENT_PROBE "GET /index.html HTTP/1.1\nConnection:Close\nHost:localhost" text 0
# Copyright (c) 2005-2006 by cisco Systems, Inc.
#
# MODIFIED for the Siemens Simatic 400: after the standard checks, the probe also
# fails when the status page shows the slot 3-4 module with the failure colour code.
########################################################################################

#-------------------------------------------
# debug procedure
# set the EXIT_MSG environment variable to help debug
# also print the debug message when debug flag is on
#-------------------------------------------
proc ace_debug { msg } {
    global debug ip port EXIT_MSG
    set EXIT_MSG $msg
    if { [ info exists ip ] && [ info exists port ] } {
        set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
    }
    if { [ info exists debug ] && $debug } {
        puts $EXIT_MSG
    }
}

#-------------------------------------------
# main
#-------------------------------------------
# parse cmd line args and initialize variables
ace_debug "initializing variable"
if { $argc < 2 } {
    set EXIT_MSG "ERR config:  script HTTPCONTENT_PROBE <request_header> <expectFileType> <debug(0|1)>\texample : script HTTPCONTENT_PROBE \"GET / HTTP/1.0\" html 0"
    puts $EXIT_MSG
    exit 30002
}
set ip $scriptprobe_env(realIP)
set port $scriptprobe_env(realPort)

# if port is zero then use well known http port 80
if { $port == 0} {
    set port 80
}
set requestHeader [ lindex $argv 0 ]
set expectFileType [ lindex $argv 1 ]
set debug [ lindex $argv 2 ]
if { $debug == "" } {
    set debug 0
}

# open connection
ace_debug "opening socket"
set sock [ socket $ip $port ]
fconfigure $sock

# send http request to server
ace_debug "sending request : $requestHeader"
puts -nonewline $sock "$requestHeader\n\n"
flush $sock

# read string back from server
ace_debug "receiving response"
set lines [ read $sock ]
# MODIFIED: holds the matched failure marker of the slot 3-4 status cell
set colorcode " "

# close connection
ace_debug "closing socket"
close $sock

# parsing http response to decide if probe success or failed
# all the following conditions cause the probe to fail and return exit 30002
if { ![ regexp -nocase "^HTTP/1\.\[0-9\] (\[0-9\]\[0-9\]\[0-9\])" $lines match statuscode ] } {
    ace_debug "probe fail : can't find status code"
    exit 30002
}
if { $statuscode != "200" } {
    ace_debug "probe fail : status code is $statuscode"
    exit 30002
}
if { ![ regexp -nocase "Content-Type *:(.*)\n" $lines match foundContentType] } {
    ace_debug "probe fail : does not found 'Content-Type' header"
    exit 30002
}
if { ![ regexp "$expectFileType" $foundContentType] } {
    ace_debug "probe fail : expect content-type '$expectFileType', but got '$foundContentType'"
    exit 30002
}

# MODIFIED: Siemens-specific check. The search field is the slot "3 - 4" row of the
# status page followed by a cell with the failure background colour #FFCC00. A match
# means the polling module is down even though the network module still answers HTTP.
if { [ regexp -nocase "<td class=\"ContentTableField\">3 - 4</td><td class=\"ContentTableField\" bgcolor=\"#FFCC00\"" $lines colorcode ] } {
    ace_debug "probe fail : find colorcode $colorcode"
    exit 30002
}

# Everything went fine. probe exit with success exit_code 30001
ace_debug "probe success"
exit 30001
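To validate the probe's match logic against a saved copy of the Simatic status page before loading the script on the ACE, here is an added Python re-implementation of the same four checks; it is not part of the post or of Cisco's script. The HTTP responses are constructed samples, and the slot label is assumed to be rendered as "3 - 4" with a plain hyphen, as in the search field above.

```python
import re

# Exit codes of the ACE scripted probe (same values as the TCL script).
PROBE_SUCCESS = 30001
PROBE_FAIL = 30002

# Same pattern the modified TCL script searches for: the slot 3-4 row of the
# Simatic status page followed by a cell with the yellow (#FFCC00) background.
SLOT_FAIL_RE = re.compile(
    r'<td class="ContentTableField">3 - 4</td>'
    r'<td class="ContentTableField" bgcolor="#FFCC00"',
    re.IGNORECASE,
)

def check_status_page(raw_response, expect_type="text"):
    """Apply the probe's checks, in order, to a raw HTTP response string.
    Returns (exit_code, reason), mirroring the ace_debug/exit pairs of the
    TCL script, so the outcome can be asserted on instead of printed."""
    m = re.match(r"HTTP/1\.[0-9] ([0-9]{3})", raw_response, re.IGNORECASE)
    if not m:
        return PROBE_FAIL, "can't find status code"
    if m.group(1) != "200":
        return PROBE_FAIL, "status code is " + m.group(1)
    ct = re.search(r"Content-Type *:(.*)\n", raw_response, re.IGNORECASE)
    if not ct:
        return PROBE_FAIL, "does not found 'Content-Type' header"
    if not re.search(expect_type, ct.group(1)):
        return PROBE_FAIL, "expect content-type %r, but got %r" % (expect_type, ct.group(1).strip())
    hit = SLOT_FAIL_RE.search(raw_response)
    if hit:
        # A yellow slot 3-4 cell means the polling CPU is down even though
        # the network module (slots 5-6) still answers on TCP.
        return PROBE_FAIL, "find colorcode " + hit.group(0)
    return PROBE_SUCCESS, "probe success"

def _page(slot34_bgcolor):
    """Constructed sample of the status page (not captured from a controller)."""
    return (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        '<table><tr><td class="ContentTableField">1 - 2</td>'
        '<td class="ContentTableField" bgcolor="#00FF00">PS</td></tr>'
        '<tr><td class="ContentTableField">3 - 4</td>'
        '<td class="ContentTableField" bgcolor="%s">CPU</td></tr></table>'
    ) % slot34_bgcolor

HEALTHY = _page("#00FF00")          # probe should succeed
SLOT34_FAILED = _page("#FFCC00")    # polling module flagged, probe must fail
WWW_DOWN = "HTTP/1.1 503 Service Unavailable\r\nContent-Type: text/html\r\n\r\n"
```

Point the same function at the body of a real `GET /Portal2000.htm` response to confirm the search field matches your firmware's markup before trusting the probe in production.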

About Mario

Network consultant and CCIE #7704 for more than 15 years with over 30 years in IT. This blog will be my take on technology and its impact on our lives. Follow me on Twitter, Google Plus, LinkedIn.

This entry was posted in Cisco, networking, Télécommunication.
