topic Re: Rserver/Vip same network in Application Networking

Rserver/Vip same network

Don Brack — Thu, 20 Oct 2011 19:11:55 GMT

This may sound like a silly question but can I configure the rservers and the vip address on the same network? If so does anyone have a example config?

NAT, policy, etc

Rserver/Vip same network

Don Brack — Thu, 20 Oct 2011 19:13:20 GMT

Sorry this is for a ACE 4710.

Rserver/Vip same network

asharmav — Thu, 20 Oct 2011 19:30:28 GMT

Hi Don,

Yes you should be able to configure this, this setup is called Direct server return, since the client will be directly reachable from the server, only incoming connections comes through the vip and the return connection is directly established from the server to the client bypassing the ace.

you can find further information on this configuration (Asymmetric Server Normalization) here :

http://snippets101.blogspot.com/2008/08/asymmetric-server-normalization-on.html

Regards

Abijith

Re: Rserver/Vip same network

Surya ARBY — Thu, 20 Oct 2011 22:02:18 GMT

If you need don't need to keep the source ip address for log purposes, use source NAT

If you need to keep the source ip address for log purposes :

- for HTTP insert the source IP into the header and use source nat

- otherwise use DSR.

Source NAT config


policy-map multi-match DOMINO-WEB-PM
  class DOMINO-WEB-VIP
    nat dynamic 1 vlan 3
    loadbalance vip inservice
    loadbalance policy DOMINO-WEB-CLASSIFY
    loadbalance vip icmp-reply
    appl-parameter http advanced-options http_parameter_map
  exit
exit
interface vlan 3
  ip address 10.123.3.X 255.255.255.0
  alias 10.123.3.X+1 255.255.255.0
  peer ip address 10.123.3.X+2 255.255.255.0
  access-group input PERMIT-ALL
  nat-pool 1 10.123.3.245 10.123.3.245 netmask 255.255.255.0 pat
  no shutdown

and apply the service policy

Rserver/Vip same network

Don Brack — Fri, 21 Oct 2011 13:57:06 GMT

Thanks for quick response....

I have many services configured with the VIP on a different network then the Rservers, and having no issues.

Now I'm having issues because the VIP and Rserver is on same network. Here is my config.

I cannot ping or access the VIP..

Thanks Again for all help..

probe icmp icmp
ip address 10.201.13.61
interval 5
passdetect interval 60

probe tcp episfdasp-80-probe
port 80
interval 5
passdetect interval 5
connection term forced
open 1

rserver host w8v-episfdasp1
ip address 10.201.13.10
conn-limit max 4000000 min 4000000
inservice
rserver host w8v-episfdasp2
ip address 10.201.13.11
conn-limit max 4000000 min 4000000
inservice

serverfarm host episfdasp-443
transparent
predictor leastconns
probe episfdasp-443-probe
probe icmp
rserver w8v-episfdasp1
inservice
rserver w8v-episfdasp2
inservice

sticky ip-netmask 255.255.255.255 address source episfdasp-443-sticky
replicate sticky
serverfarm episfdasp-443

class-map match-all episfdasp-443
2 match virtual-address 10.201.13.61 tcp eq https

policy-map type loadbalance first-match episfdasp-443-policy
class class-default
sticky-serverfarm episfdasp-443-sticky
nat dynamic 1 vlan 15 serverfarm primary

policy-map multi-match client-vips
class episfdasp-443
    loadbalance vip inservice
    loadbalance policy episfdasp-443-policy
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 15

interface vlan 15
description dmz network
ip address 10.201.13.8 255.255.255.0
no normalization
mac-sticky enable
no icmp-guard
access-group input inbound
nat-pool 1 10.201.13.240 10.201.13.245 netmask 255.255.255.0 pat
service-policy input remote_mgmt_allow_policy
no shutdown

ip route 0.0.0.0 0.0.0.0 10.201.13.1

Re: Rserver/Vip same network

Surya ARBY — Fri, 21 Oct 2011 14:02:09 GMT

Why do you use the "transparent" keyword ?

Rserver/Vip same network

Don Brack — Fri, 21 Oct 2011 14:14:55 GMT

Probably bcause I'm reading to much info on a simple problem.

This is what I read:

The transparent command prevents the ACE to make a destination NAT, sending the packet as to the real server.

Re: Rserver/Vip same network

Surya ARBY — Fri, 21 Oct 2011 14:57:37 GMT

Using the transparent option on the serverfarm is a non standard design which should be only used when using IDS / FW load balancing.

Remove the transparent keyword (eventually issue a shut / no shut on the interface or reboot the appliance to be sure to flush the whole memory and reinit all the processes)

Then put a PC in the VLAN15 or try to access the VIP from a server located into that VLAN.

At least the VIP should reply to a ping.

Re: Rserver/Vip same network

Surya ARBY — Fri, 21 Oct 2011 17:06:04 GMT

Just let me know if you need further assistance.

Re: Rserver/Vip same network

Don Brack — Mon, 24 Oct 2011 16:54:13 GMT

To resolve this I had to remove and add:

interface vlan 15
description dmz network
ip address 10.201.13.8 255.255.255.0
no normalization
mac-sticky enable
no icmp-guard
access-group input inbound
nat-pool 1 10.201.13.240 10.201.13.245 netmask 255.255.255.0 pat
-----service-policy input remote_mgmt_allow_policy----removed

-------service-policy input clients-vips---added
no shutdown