topic Thanks kanwalsi!I was getting in Application Networking

ACE 4710 Non-LB traffic from real server

SysEng1999 — Fri, 22 Aug 2014 06:42:49 GMT

Hello,

We are migrating from CSS to ACE and kind of hit a strange issue.

On CSS when the real server (with internal address like 10.x.x.x) initiates its own connection to Internet for example check for Windows Updates the traffic goes to CSS (as it is set as a default gateway on real server) and then reaches the destination but translated as an VIP address (public IP) from CSS.

Now with ACE setup it does not work that way at all.

The load balancing traffic from Internet goes to ACE normally and reaches a real server and then goes back to ACE and out to Internet.

The ACE is in routed mode and the real server default gateway is set to server farm VLAN IP on ACE.

However nothing gets out from real server if it tries to initiate its own traffic like opening a google page in a browser.

Here is more if I add another network interface to real server and change a default gateway from ACE to the other gateway on the second network card the real server obviously reaches Internet happily but somehow load-balancing traffic goes back to ACE as well.

Any idea how to keep the real server with one adapter and send its own traffic through ACE like CSS?

Any ideas will be very much appreaciated!

Hi,Ensure that you have

Kanwaljeet Singh — Fri, 22 Aug 2014 12:20:23 GMT

Hi,

Ensure that you have proper ACL's in place (access group on server side vlan interface) and for server initiated traffic to be NATTED with VIP or any other you need to have configuration in place. Below are posts discussing similar configurations.

https://supportforums.cisco.com/discussion/10744631/ace-module-source-nat-server-initiated-connections-vip-address

https://supportforums.cisco.com/discussion/10282466/ace-initiate-connections-server-vlan-client

https://supportforums.cisco.com/discussion/10482821/ace-source-nat-server-initiated-connections

Let me know if you have any questions.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Thanks kanwalsi!I was getting

SysEng1999 — Fri, 22 Aug 2014 19:08:13 GMT

Thanks kanwalsi!

I was getting to the NAT configuration after I ran a CSS to ACE conversion tool I noticed that there was a NAT statement in the converted configuration.

I did some search and run into several threads on this topic but I noticed one important thing.

The nat pool has to point to VIP address (I suspect you can even create a special VIP for NATed traffic only). I mean if you have a VIP on one IP and the nat pool on the different IP the traffic from real server will not go through.

So it was important to keep that in mind.

The first link in your reply gives the most correct configuration for NATing the traffic from real server through ACE.

Here is the working solution to let real server NON-LB traffic to get through ACE using existing VIP address.

Public address is used as an example

access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any

rserver host RS005
ip address 10.100.0.15
inservice

serverfarm host PD_farm
rserver RS005
inservice

class-map match-any RS_ALL
2 match source-address 10.100.0.0 255.255.255.0
class-map type management match-any MGMT-CLASS
30 match protocol icmp any
class-map match-all PD_web
2 match virtual-address 217.14.140.200 tcp eq www

policy-map type management first-match MGMT-POLICY
class MGMT-CLASS
permit

policy-map type loadbalance first-match PD_web_pm
class class-default
serverfarm PD_farm

policy-map multi-match RS_NAT
class RS_ALL
nat dynamic 410 vlan 400

policy-map multi-match int400
class PD_web
    loadbalance vip inservice
    loadbalance policy PD_web_pm
    loadbalance vip icmp-reply active

interface vlan 400
description VIP Client side - FrontEnd
ip address 217.14.140.194 255.255.255.0
access-group input INBOUND
access-group output INBOUND
nat-pool 410 217.14.140.200 217.14.140.200 netmask 255.255.255.255 pat
service-policy input MGMT-POLICY
service-policy input int400
no shutdown
interface vlan 500
description Real Server side - Backend
ip address 10.100.0.2 255.255.255.0
access-group input INBOUND
access-group output INBOUND
service-policy input MGMT-POLICY
service-policy input RS_NAT
no shutdown

ip route 0.0.0.0 0.0.0.0 217.14.140.142