topic [ACE] Real servers and VIP in the same VLAN in Application Networking

[ACE] Real servers and VIP in the same VLAN

msantiveri — Thu, 16 Jan 2014 22:48:30 GMT

Hello.

I´m facing an issue because the real servers and the VIP address are in the same VLAN, when a request comes from an external client to the VIP (crossing an ASA firewall) , the ACK gets back using the IP of one of the real servers instead of the VIP so this traffic is blocked by our WAN firewall probably due the inspection rules.

My question is if there is some way make the VIP the address who ACK´s that requests? Creating a new VLAN would be complicated because there are other services already running on those real servers.

Thanks a lot,

Miquel

[ACE] Real servers and VIP in the same VLAN

Kanwaljeet Singh — Thu, 16 Jan 2014 23:10:45 GMT

Hi Miquel,

Please do source nat on ACE so that return traffic gets sent to ACE and not FW. Pasting an example for you.

     ==========================================================================
     One-Armed Load Balancing with VIP, Servers, & NAT Pool on the Same Subnet
     ==========================================================================


login timeout 0

access-list ANYONE line 10 extended permit ip any any

rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice
rserver host SERVER_03
  ip address 192.168.1.13
  inservice

serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice

class-map match-all VIP-30
  2 match virtual-address 192.168.1.30 tcp eq www

class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS

policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 451

interface vlan 451
  description Servers vlan
  ip address 192.168.1.2 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.1.1

Let me know if you have any question.

Regards,

Kanwal

[ACE] Real servers and VIP in the same VLAN

msantiveri — Fri, 17 Jan 2014 08:58:57 GMT

Thank you Kanwal for your kind feedback.

We have a NAT policy already running on the same interface, this could impact to the existing services?

policy-map multi-match NAT-POLICY

class NAT-CLASS

nat static X.X.X.X netmask 255.255.255.0 vlan 102

class SLPGMS-SSL

loadbalance vip inservice

loadbalance policy SLPGMS-SSL-l7slb

ssl-proxy server SLPGMS-Proxy

interface vlan 102

description SLHP ACE VLAN

ip address X:X:X:X 255.255.255.0

alias X:X:X:X 255.255.255.0

peer ip address X:X:X:X 255.255.255.0

no normalization

access-group input ALL

service-policy input int102

service-policy input remote_mgmt_allow_policy

service-policy input NAT-POLICY

no shutdown

Thank you one more time.

Miquel

[ACE] Real servers and VIP in the same VLAN

Kanwaljeet Singh — Fri, 17 Jan 2014 15:47:17 GMT

Hi Miquel,

No, it shouldn't. The users here will match a different class-map, different policy and a different nat-pool. It should not have impact on existing NAT services.

Regards,

Kanwal

[ACE] Real servers and VIP in the same VLAN

msantiveri — Fri, 17 Jan 2014 17:13:30 GMT

Finally, we had a bad static route on the servers, removing that route the traffic back is sent to the ACE so we solved the problem, anyway I marked your answer as valid because coud be useful for others.

Thanks a lot.

Miquel Santiveri

[ACE] Real servers and VIP in the same VLAN

Kanwaljeet Singh — Fri, 17 Jan 2014 17:16:51 GMT

Hi Miquel,

Oh i read the question again:) Since the client is external there is no need for server to send traffic to FW but ACE(if ace is the default gateway) or according to the route which in your case was not right. I read the question wrongly that client is also in same subnet. My bad.

Regards,

Kanwal