Ace 30 One-arm with PBR setup issues

bsherman54
Level 1

So I have an ACE30 set up in a one-arm config trying to replicate the configuration that we have on our production environment with the older CSM module for a 6509. I set up a test server, attached it to a port and VLAN and confirmed connectivity. I can browse to the website on that server from my laptop. If I try to hit the VIP that I have set up on the ACE, it fails. Client packets increment but the server packets stay at zero. I can ping the server from the ACE admin context and the load balancing context (that's the context attached here). The only thing I can think is I need to open up the svclc?

So, with that... any suggestions? Configs follow:

-----------ACE 30--------------------

Generating configuration....

access-list INBOUND line 8 extended permit ip any any
access-list OUTBOUND line 8 extended permit ip any any

rserver host TEST_1
  description Test webserver
  ip address 10.10.20.30
  inservice

serverfarm host TEST_WEB
  predictor leastconns
  rserver TEST_1
    inservice

class-map match-all TEST_VS
  3 match virtual-address 10.10.252.23 tcp eq www

policy-map type loadbalance first-match TEST_LB
  class class-default
    serverfarm TEST_WEB

policy-map multi-match PROD_WWW
  class TEST_VS
    loadbalance vip inservice
    loadbalance policy TEST_LB
    loadbalance vip icmp-reply active
    loadbalance vip advertise active

interface vlan 9
  ip address 10.9.5.3 255.255.0.0
  alias 10.9.5.1 255.255.0.0
  access-group input INBOUND
  access-group output OUTBOUND
  service-policy input PROD_WWW
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.9.1.2

------------Catalyst 6509------------------

----snip---
svclc module 9 vlan-group 1
svclc vlan-group 1  9
----snip---

ip access-list extended return-traffic-csm
 permit tcp any eq www any
 permit tcp any eq 443 any
 permit tcp any eq ftp any
 permit tcp any eq 8080 any
 permit tcp any eq 81 any
 permit tcp any eq 82 any
 permit tcp any eq 83 any
 permit tcp any eq 54320 54320 any
 permit tcp any eq 389 any
 permit tcp any eq 686 any
 deny   ip any any

---snip---
interface Vlan1
 no ip address
!
interface Vlan9
 ip address 10.9.1.2 255.255.0.0
!
interface Vlan10
 ip address 10.10.1.2 255.255.0.0
 ip flow ingress
 ip policy route-map csm-traffic
!
interface Vlan20
 ip address 10.20.1.2 255.255.0.0
 ip flow ingress
 ip policy route-map csm-traffic
!
---snip---

route-map csm-traffic permit 10
 match ip address return-traffic-csm
 set ip next-hop 10.9.5.3

4 Replies

ajayku2
Cisco Employee

Looks like the issue is the real server responds directly back to the client PC, because the source address seen by the server is that of the client PC only and not that of the load balancer.

Adding Source NAT on the ACE should fix the issue.

You create a dynamic nat-pool with a pool or a single IP and have all the traffic routed via the Cisco ACE.

policy-map multi-match PROD_WWW
  class TEST_VS
    loadbalance vip inservice
    loadbalance policy TEST_LB
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 1 vlan 9

interface Vlan9
  nat-pool 1 10.9.1.X netmask 255.255.255.0 pat

Hope that helps.

regards,

Ajay Kumar

The only issue with that is that we have to have the originating IP in our web logs for security and analytics purposes. We are using PBR on our current CSM configuration to specifically avoid having to use source NAT.

Anything else?

Hi William,

I see that you are willing to use PBR. I am wondering why you have not applied PBR on VLAN 9.

ip policy route-map csm-traffic  << This is missing.

I believe after fixing PBR it should work.

regards,

Ajay Kumar

Interesting... I didn't think of it this way, as our PBR does not exist on the 9 VLAN where the older CSM resides. I'll give it a shot and see what happens.
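As an added check (written for this page, not code from the thread or from Cisco), the Python below audits the return-path condition the two replies turn on: it parses the 6509 snippet from the original post, lists every routed SVI that does not apply the csm-traffic route-map, and verifies that the route-map's next-hop is the ACE VLAN address given in the ACE config. The embedded config is trimmed from the post; the expected finding for Vlan9 matches the second reply.

```python
# Catalyst snippet embedded from the original post (trimmed to the relevant lines).
CAT6509_CFG = """\
interface Vlan9
ip address 10.9.1.2 255.255.0.0
!
interface Vlan10
ip address 10.10.1.2 255.255.0.0
ip policy route-map csm-traffic
!
route-map csm-traffic permit 10
match ip address return-traffic-csm
set ip next-hop 10.9.5.3
"""
ACE_VLAN_IP = "10.9.5.3"  # "interface vlan 9 / ip address" on the ACE in the post

def parse_svis(cfg):
    """Map each SVI to its IP address and the PBR route-map applied, if any."""
    svis, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface Vlan"):
            cur = line.split()[1]
            svis[cur] = {"ip": None, "policy": None}
        elif line.startswith("!"):
            cur = None  # end of the interface stanza
        elif cur and line.startswith("ip address "):
            svis[cur]["ip"] = line.split()[2]
        elif cur and line.startswith("ip policy route-map "):
            svis[cur]["policy"] = line.split()[3]
    return svis

def route_map_next_hop(cfg, name):
    """Return the 'set ip next-hop' address of the named route-map, or None."""
    in_map = False
    for line in cfg.splitlines():
        if line.startswith("route-map "):
            in_map = line.split()[1] == name
        elif in_map and line.startswith("set ip next-hop "):
            return line.split()[3]
    return None

def audit(cfg, ace_ip, rmap="csm-traffic"):
    """Findings: routed SVIs without the PBR route-map, plus a next-hop mismatch."""
    findings = [f"{v}: missing 'ip policy route-map {rmap}'"
                for v, i in parse_svis(cfg).items() if i["ip"] and i["policy"] != rmap]
    hop = route_map_next_hop(cfg, rmap)
    if hop != ace_ip:
        findings.append(f"{rmap}: next-hop {hop} is not the ACE address {ace_ip}")
    return findings
```

Run `audit(CAT6509_CFG, ACE_VLAN_IP)` against the full 6509 config to get the list of SVIs still lacking the route-map.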
