topic ACE Issue. in Application Networking

ACE Issue.

ajay chauhan — Fri, 05 Aug 2011 15:49:25 GMT

Hi,

I would like to know about this config why its required and how it will work. if I remove class SOURCE_NAT how it will impact.

does that mean source-nat will only check class source-nat frist then next ?

policy-map multi-match SOURCE_NAT_POLICY

class SOURCE_NAT

nat dynamic 3 vlan 1201

policy-map multi-match vip-policy

class prod-ad

loadbalance vip inservice

loadbalance policy prod-ad-policy

loadbalance vip icmp-reply active primary-inservice

nat dynamic 3 vlan 1201

Thanks

Ajay

ACE Issue.

pablo.nxh — Fri, 05 Aug 2011 18:40:44 GMT

Hi Ajay,

It depends where the SOURCE_NAT_POLICY is being applied, you can get really granular with ACE NAT options, it could be for server to VIP traffic, server to outside initiated conns etc. It's all about what's being matched with the class SOURCE_NAT and where the multi-match policy is implemented.

HTH

__ __

Pablo

ACE Issue.

ajay chauhan — Fri, 05 Aug 2011 19:18:52 GMT

Thanks Pablo.

I have one more issue here on switch ACE module is there.

I have a user vlan on switch and one management vlan/ vip vlan /server vlan associated with ACE.

when VIP is access via firewall for remote users it works and when used by this user group which is sitting on same switch

it comes like connection refused.

The only thing I have seen this traffic is routed over management vlan means SVI is on switch for management vlan also one ip is configured on ACE for managemnet .

The static route is pointing to management IP on ACE for VIP subnet from switch.

Just wanted to confirm if routing over management vlan does work .

Using same routing i can telnet on servers successfully not sure if we can use the same routing for VIPs as well.

Thanks

Ajay

ACE Issue.

pablo.nxh — Fri, 05 Aug 2011 19:40:08 GMT

Hello Ajay,

Sounds to me you're running into an asymmetric routing issue... Can you share a sanited copy of your configuration so I can take a quick look?

HTH

__ __

Pablo

ACE Issue.

ajay chauhan — Fri, 05 Aug 2011 20:26:06 GMT

Hi Pablo,

Here is the config-

ON LB

interface vlan 1100
description to ASA
ip address 10.222.133.250 255.255.255.248
alias 10.222.133.249 255.255.255.248
peer ip address 10.222.133.251 255.255.255.248
ip address 10.222.159.1 255.255.255.0 secondary
peer ip address 10.222.159.2 255.255.255.0 secondary
mac-address autogenerate
access-group input TRAFFIC
service-policy input vip
no shutdown

interface vlan 1205
description SERVERS
ip address 10.222.163.4 255.255.255.0
ip dhcp relay server 10.222.163.57
ip dhcp relay enable
alias 10.222.163.1 255.255.255.0
peer ip address 10.222.163.5 255.255.255.0
mac-address autogenerate
access-group input TRAFFIC
access-group output TRAFFIC
nat-pool 4 10.222.163.253 10.222.163.253 netmask 255.255.255.0 pat
service-policy input vip
no shutdown

interface vlan 1105
description to MG
ip address 10.222.129.18 255.255.255.0
alias 10.222.129.21 255.255.255.0
peer ip address 10.222.129.19 255.255.255.0
mac-address autogenerate
access-group input TRAFFIC
no shutdown

ip route 10.222.128.0 255.255.128.0 10.224.129.1 < .1 is SVI on switch.

On switch

ip route 10.222.159.0 255.255.255.0 10.222.129.21

ACE Issue.

pablo.nxh — Fri, 05 Aug 2011 20:56:14 GMT

Hi Ajay,

Can you tell me the IP address of the client(s) that is getting connection refused? I think it is within the same server subnet 10.222.163.0/24 but I want to make sure.

__ __

Pablo

ACE Issue.

ajay chauhan — Fri, 05 Aug 2011 20:59:50 GMT

Hi Pablo,

I have multiple VLANs in range of 10.222.128.0 255.255.128.0 on switch and no success from any of the vlan for exmple

10.222.203.0/24.

Thanks

Ajay

ACE Issue.

pablo.nxh — Fri, 05 Aug 2011 21:09:11 GMT

Oh in that case can you attach the ful show run of your ACE?

__ __

Pablo

ACE Issue.

ajay chauhan — Fri, 05 Aug 2011 21:40:43 GMT

Hi Pablo,

I am just wondering if the problem is to get into LB from management interface which has not got any service policy applied

on it.

Creating another SVI on switch and giving a IP address from VIP range can that solve my issue?

Thanks

Ajay

ACE Issue.

pablo.nxh — Fri, 05 Aug 2011 21:54:41 GMT

Hi Ajay,

That's the problem at this point I don't know to which SVI your VIP belongs to; I see the service policy applied under both "traffic" interfaces; I guess it is on VLAN 1100 as it is working for remote users but that's what I wanted to confirm with the show run.

Does VLAN 1100 has a SVI created on the switch?

Thanks

__ __

Pablo

ACE Issue.

ajay chauhan — Wed, 10 Aug 2011 11:12:51 GMT

Applying VIP policy on Management interface resolved the issue.