ACE 4700 load balancing Issue

Hi,

I am new to the ACE 4700. I have configured the ACE 4700 for load balancing the FAX servers. Probe, ServerFarm, Real server, Virtual server, VIP state, everything is up and in service. But I am not able to access the real server using the VIP IP address.

Below is the running configuration. Please help me to troubleshoot the problem.

HOB-ACE-1/Admin# sh run

Generating configuration....

no ft auto-sync startup-config

boot system image:c4710ace-mz.A3_2_0.bin

hostname HOB-ACE-1
interface gigabitEthernet 1/1
  description Man_HOB_1
  switchport access vlan 1000
  no shutdown
interface gigabitEthernet 1/2
  description VIP_HOB_1
  switchport access vlan 24
  no shutdown
interface gigabitEthernet 1/3
  description HA_HOB_1
  switchport access vlan 180
  no shutdown
interface gigabitEthernet 1/4
  shutdown


access-list ALL line 8 extended permit ip any any

probe icmp ICMP_PROBE1
  interval 15
  faildetect 4
  passdetect interval 60
  passdetect count 5
  receive 5

rserver host MFREFSAS497
  description MAAFAXSERVER
  ip address 10.16.12.148
  conn-limit max 4000000 min 4000000
  inservice
rserver host MSHOFCFS489
  description HOBFAXSERVER
  ip address 10.26.12.130
  conn-limit max 4000000 min 4000000
  inservice

serverfarm host SFHOBACE-1
  description SFHOBACE-1
  predictor hash header Accept
  probe ICMP_PROBE1
  rserver MFREFSAS497 80
    conn-limit max 4000000 min 4000000
    inservice
  rserver MSHOFCFS489 80
    conn-limit max 4000000 min 4000000
    inservice

class-map match-all VSHOBACE-1
  2 match virtual-address 10.26.24.242 any
class-map type management match-any remote_access
  201 match protocol xml-https any
  202 match protocol icmp any
  203 match protocol telnet any
  204 match protocol ssh any
  205 match protocol http any
  206 match protocol https any
  207 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

policy-map type loadbalance first-match VSHOBACE-1-l7slb
  class class-default
    serverfarm SFHOBACE-1

policy-map multi-match global
  class VSHOBACE-1
    loadbalance vip inservice
    loadbalance policy VSHOBACE-1-l7slb
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 24
    nat dynamic 1 vlan 1000

service-policy input global

interface vlan 24
  description "Client VLAN"
  ip address 10.26.24.243 255.255.255.0
  access-group input ALL
  no shutdown
interface vlan 1000
  ip address 10.26.12.132 255.255.255.0
  peer ip address 10.26.12.133 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown

ft interface vlan 180
  ip address 192.168.180.2 255.255.255.248
  peer ip address 192.168.180.3 255.255.255.248
  no shutdown

ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 180
ft group 1
  peer 1
  priority 140
  associate-context Admin
  inservice

ip route 0.0.0.0 0.0.0.0 10.26.12.1

snmp-server contact "HOB_ACE"
snmp-server location "HOB"
snmp-server community FAXSERVER group Network-Monitor

snmp-server user administrator Network-Monitor

snmp-server trap-source vlan 1000

 
username admin password 5 $1$GtO1e504$eGuyxxDcXck7SkxqBfRkI.  role Admin domain default-domain
username www password 5 $1$N5ClX7jy$kDhGgN.uukWQKvQMd3pY.1  role Admin domain default-domain
ssh key rsa 1024 force

Thanks and Regards,

Ashfaque

3 Replies 3

Hi Ashfaque,

I am not sure if the output of show run is messed up, but I cannot see the policy-map applied to any of your interfaces. If it is applied and the output is messed up, please explain which VLANs are the server and client VLANs, and get the output of show service-policy global detail before and after trying to connect to the VIP.

Best regards,

Ahmad

pablo.nxh
Level 3

Hello Hossain,

Applying the policy globally on the box is commonly not the preferred way to go; you can instead use a single multi-match policy per SVI for easier management. This will also help to narrow down problems to a specific policy and VIP while T-Shooting.

Use the

ACE/Admin(config)# no service-policy input global

ACE/Admin(config)# interface vlan 24

ACE/Admin(config-if)# service-policy input global

Also you want to remove the NAT from the multi-match policy; you're running in routed mode so NAT should not be required. If it was required, then you don't have any natpool configured or, as Ahmad mentioned, it was truncated from the configuration.

Something that caught my attention is that your default route is pointing to the server VLAN, which happens to be also your management VLAN. I'll have to lab it up, but my first impression is that either the traffic coming to the VIP on vlan 24 should always be NAT'd to an IP of 10.26.24.X/24 before it gets to the ACE, or else there will be a routing loop that will not allow the flow to complete correctly.

Do you happen to have a quick logical diagram of this piece of the network?

Thnx


Pablo
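
The two points raised in the reply above (where the multi-match policy is attached, and nat dynamic entries with no matching nat-pool) can be checked mechanically against a saved show run. This is an added example, not part of the original thread and not Cisco tooling; the sample is a constructed excerpt modelled on the posted configuration, and the audit function name is hypothetical.

```python
import re

# Constructed excerpt modelled on the configuration posted in this thread.
SAMPLE = """\
policy-map multi-match global
  class VSHOBACE-1
    loadbalance vip inservice
    nat dynamic 1 vlan 24
    nat dynamic 1 vlan 1000
service-policy input global
interface vlan 24
  ip address 10.26.24.243 255.255.255.0
  access-group input ALL
interface vlan 1000
  ip address 10.26.12.132 255.255.255.0
  service-policy input remote_mgmt_allow_policy
"""

def audit(config):
    """Return (policy attachment points, nat dynamic refs lacking a nat-pool)."""
    attached = {}   # policy name -> ["global"] and/or ["vlan N", ...]
    pools = set()   # (pool id, vlan) pairs defined under interface vlan blocks
    nat_refs = []   # (policy, pool id, vlan) taken from 'nat dynamic' lines
    vlan = policy = None
    for line in config.splitlines():
        text = line.strip()
        if not text:
            continue
        if not line[0].isspace():  # an unindented line starts a new block
            vlan = policy = None
            if m := re.match(r"interface vlan (\d+)$", text):
                vlan = m.group(1)
            elif m := re.match(r"policy-map multi-match (\S+)$", text):
                policy = m.group(1)
        if m := re.match(r"service-policy input (\S+)$", text):
            where = f"vlan {vlan}" if vlan else "global"
            attached.setdefault(m.group(1), []).append(where)
        elif vlan and (m := re.match(r"nat-pool (\d+) ", text)):
            pools.add((m.group(1), vlan))
        elif policy and (m := re.match(r"nat dynamic (\d+) vlan (\d+)$", text)):
            nat_refs.append((policy, m.group(1), m.group(2)))
    missing = [ref for ref in nat_refs if (ref[1], ref[2]) not in pools]
    return attached, missing

if __name__ == "__main__":
    attached, missing = audit(SAMPLE)
    print("service-policy attachment:", attached)
    for pol, pool, vl in missing:
        print(f"{pol}: nat dynamic {pool} vlan {vl} has no nat-pool {pool} on vlan {vl}")
```

On the sample, the multi-match policy is reported as attached globally rather than on vlan 24, and both nat dynamic lines are flagged because no interface defines nat-pool 1.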

pablo.nxh
Level 3

Something that you may need to add due to the design is the mac-sticky feature, that will override the recursive routing lookup and instruct the ACE to send the return traffic to the same upstream device through which the connection setup from the original client was received.

Use that command under VLAN 24

ACE/Admin(config-if)# mac-sticky enable

HTH
Pablo
