01-22-2012 07:36 PM
Hi,
I have an HA ACE deployment and all seemed to be working well until I tried to access the ACE via the management VLAN in the one non-system context, no go.
The ACE is in one-armed mode with an Admin/System context and one user context (named Messaging). Source NAT has been set up in the user context. All VLANs are in a port channel back to the core switches.
I can access the ACE via the Management VLAN in the system context, all OK. I can access the load-balanced servers via the VIP in the user/Messaging context, all OK. I CANNOT access the management VLAN other than ping it (responds to ping, but telnet, ssh, https, etc. fail).
The system/Admin context has a default route to the Management VLAN on the core. The User/Messaging context has a default route to the core switches on VLAN 5, which is the VLAN where the VIP resides.
If I change the default route in the User/Messaging context to the Management interface on the core switches then I can access both contexts for management, but then the load-balancing falls over and I cannot access the serverfarm (via the VIP). Traces on the rservers show that NAT is being hit on the ACE and the requests are coming from the real IP of the clients. Put the default route back to the User/Messaging VLAN on the core and NAT is back to what it would be expected to be, and then remote/management access to the ACE is gone.
Configs are posted below, any help would be greatly appreciated.
ACE02/Admin# sh run
Generating configuration....
logging enable
logging standby
logging timestamp
logging buffered 4
logging device-id context-name
telnet maxsessions 5
ssh maxsessions 5
resource-class RC_Messaging
  limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-t1k9-mz.A5_1_1.bin
login timeout 20
peer hostname ACE01
line vty
  session-limit 5
hostname ACE02
shared-vlan-hostid 2
peer shared-vlan-hostid 1
interface gigabitEthernet 1/1
  speed 1000M
  duplex FULL
  channel-group 31
  no shutdown
interface gigabitEthernet 1/2
  speed 1000M
  duplex FULL
  channel-group 31
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  shutdown
interface port-channel 31
  ft-port vlan 512
  switchport trunk allowed vlan 5,16
  port-channel load-balance src-dst-ip
  no shutdown
clock timezone AEST 10 0
clock summer-time AEDT 1 sunday oct 02:00 1 sunday apr 03:00 60
ntp server 10.16.0.100 prefer
ntp server 10.16.0.101
probe icmp PING
  interval 5
  passdetect interval 5
  receive 4
class-map type management match-any MANAGEMENT
  description Device Management
  2 match protocol ssh any
  5 match protocol telnet any
  8 match protocol icmp any
  11 match protocol https any
  14 match protocol snmp any
policy-map type management first-match MANAGEMENT
  class MANAGEMENT
    permit
interface vlan 16
  description Management
  ip address 10.16.6.121 255.255.0.0
  alias 10.16.6.122 255.255.0.0
  peer ip address 10.16.6.120 255.255.0.0
  service-policy input MANAGEMENT
  no shutdown
ft interface vlan 512
  ip address 192.168.0.3 255.255.255.0
  peer ip address 192.168.0.2 255.255.255.0
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 512
ft group 1
  peer 1
  no preempt
  priority 50
  associate-context Admin
  inservice
ft track host GATEWAY
  track-host 10.16.0.101
  peer track-host 10.16.0.100
  peer probe PING
  probe PING
ip route 0.0.0.0 0.0.0.0 10.16.0.1
context Messaging
  allocate-interface vlan 5
  allocate-interface vlan 16
  member RC_Messaging
snmp-server community public group Network-Monitor
snmp-server enable traps snmp coldstart
snmp-server enable traps license
snmp-server enable traps snmp authentication
snmp-server enable traps snmp linkup
snmp-server enable traps snmp linkdown
ft group 2
  peer 1
  no preempt
  priority 50
  associate-context Messaging
  inservice
username admin password ******** role Admin domain default-domain
username www password ******** role Admin domain default-domain
ssh key rsa 1024 force
ACE02/Admin# changeto Messaging
ACE02/Messaging# wr t
Generating configuration....
logging enable
logging buffered 4
logging device-id context-name
login timeout 20
access-list CLIENT-SERVER-INBOUND line 8 extended permit ip any any
probe icmp PING
  interval 5
  passdetect interval 5
  receive 4
rserver host TEST1
  ip address 10.10.5.4
  inservice
rserver host TEST2
  ip address 10.10.5.8
  inservice
serverfarm host FARM
  failaction purge
  probe PING
  rserver TEST1
    inservice
  rserver TEST2
    inservice
sticky ip-netmask 255.255.255.255 address source FARM-STICKY
  timeout 120
  replicate sticky
  serverfarm FARM
class-map match-any SLB-VIP
  2 match virtual-address 10.5.1.205 tcp any
  5 match virtual-address 10.5.1.205 udp any
class-map type management match-any MANAGEMENT
  description Device Management
  2 match protocol ssh any
  5 match protocol telnet any
  8 match protocol icmp any
  11 match protocol https any
  14 match protocol snmp any
policy-map type management first-match MANAGEMENT
  class MANAGEMENT
    permit
policy-map type loadbalance first-match SLB
  class class-default
    sticky-serverfarm FARM-STICKY
policy-map multi-match CLIENT-VIPS
  class SLB-VIP
    loadbalance vip inservice
    loadbalance policy SLB
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 5
interface vlan 5
  description Client-Server Acess
  ip address 10.5.1.11 255.255.0.0
  alias 10.5.1.12 255.255.0.0
  peer ip address 10.5.1.10 255.255.0.0
  no normalization
  no icmp-guard
  access-group input CLIENT-SERVER-INBOUND
  nat-pool 1 10.5.2.30 10.5.2.49 netmask 255.255.0.0 pat
  service-policy input CLIENT-VIPS
  no shutdown
interface vlan 16
  description Management
  ip address 10.16.6.111 255.255.0.0
  alias 10.16.6.112 255.255.0.0
  peer ip address 10.16.6.110 255.255.0.0
  service-policy input MANAGEMENT
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.5.0.1
username admin password ******** role Admin domain default-domain
username www password ******** role Admin domain default-domain
snmp-server community public group Network-Monitor
snmp-server enable traps snmp authentication
snmp-server enable traps snmp linkup
snmp-server enable traps snmp linkdown
ACE02/Messaging#
02-01-2012 12:20 PM
Ryan-
Give this a shot:
interface vlan 16
  description Management
  ip address 10.16.6.111 255.255.0.0
  alias 10.16.6.112 255.255.0.0
  peer ip address 10.16.6.110 255.255.0.0
  service-policy input MANAGEMENT
  mac-sticky enable
  no shutdown
Regards,
Chris
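The symptom in the question (management traffic reaches the Messaging context on VLAN 16 but only ping works) and the reply's mac-sticky suggestion both come down to an asymmetric return path: a session arrives on the management VLAN, but the context's only route is the default via VLAN 5, so the reply leaves on a different VLAN than it came in on. The following Python lint is an added example, not code from this thread or from Cisco: it parses an ACE context's running config and flags management interfaces whose replies would, by default-route lookup, exit on another VLAN and that do not have mac-sticky enabled. The function names `parse_ace_context` and `find_asymmetric_management` are mine; the sample configs are trimmed copies of the two dumps above, constructed for the example; and the analysis assumes replies follow the context's default route unless mac-sticky is enabled on the ingress interface (it does not model per-VLAN static routes or policy routing).

```python
"""Lint an ACE context config for management VLANs with an asymmetric return path.

Added example (not from the thread or from Cisco). Heuristic: it reads
'interface vlan', 'service-policy input', 'mac-sticky enable' and the default
'ip route'; replies are assumed to follow the default route unless mac-sticky
is enabled on the interface the request arrived on.
"""
import ipaddress
import re

# Sub-commands that may appear under 'interface vlan N'. Any other line ends the
# block, so the parser copes with 'show run' output that has lost its indentation.
_IFACE_SUBCMDS = (
    "description", "ip address", "alias", "peer ip address", "service-policy",
    "no shutdown", "shutdown", "no normalization", "no icmp-guard",
    "access-group", "nat-pool", "mac-sticky", "mtu", "fragment", "bridge-group",
)


def parse_ace_context(text):
    """Return (interfaces keyed by VLAN, names of management policy-maps, default gateways)."""
    interfaces, mgmt_policies, gateways = {}, set(), []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if current is not None and line.startswith(_IFACE_SUBCMDS):
            m = re.match(r"ip address (\S+) (\S+)$", line)
            if m:  # dotted netmask form is accepted by ipaddress
                current["network"] = ipaddress.ip_network(
                    f"{m.group(1)}/{m.group(2)}", strict=False)
            m = re.match(r"service-policy input (\S+)$", line)
            if m:
                current["service_policies"].add(m.group(1))
            if line == "mac-sticky enable":
                current["mac_sticky"] = True
            continue
        current = None  # anything else is a top-level command
        m = re.match(r"interface vlan (\d+)$", line)
        if m:
            current = {"vlan": int(m.group(1)), "network": None,
                       "service_policies": set(), "mac_sticky": False}
            interfaces[current["vlan"]] = current
            continue
        m = re.match(r"policy-map type management \S+ (\S+)$", line)
        if m:
            mgmt_policies.add(m.group(1))
            continue
        m = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line)
        if m:
            gateways.append(ipaddress.ip_address(m.group(1)))
    return interfaces, mgmt_policies, gateways


def find_asymmetric_management(text):
    """Management VLANs whose replies would exit via another VLAN, without mac-sticky."""
    interfaces, mgmt_policies, gateways = parse_ace_context(text)
    findings = []
    for gw in gateways:
        # The default gateway's VLAN is the egress interface for routed replies.
        egress = next((i for i in interfaces.values()
                       if i["network"] is not None and gw in i["network"]), None)
        if egress is None:
            continue
        for iface in interfaces.values():
            if not (iface["service_policies"] & mgmt_policies):
                continue  # no management policy on this VLAN
            if iface["vlan"] == egress["vlan"] or iface["mac_sticky"]:
                continue  # symmetric by routing, or pinned to the ingress MAC
            findings.append({"vlan": iface["vlan"], "egress_vlan": egress["vlan"],
                             "gateway": str(gw)})
    return findings


# Constructed samples: trimmed from the thread's Messaging and Admin dumps.
MESSAGING_CONTEXT = """\
policy-map type management first-match MANAGEMENT
class MANAGEMENT
permit
interface vlan 5
description Client-Server Access
ip address 10.5.1.11 255.255.0.0
alias 10.5.1.12 255.255.0.0
peer ip address 10.5.1.10 255.255.0.0
service-policy input CLIENT-VIPS
no shutdown
interface vlan 16
description Management
ip address 10.16.6.111 255.255.0.0
alias 10.16.6.112 255.255.0.0
peer ip address 10.16.6.110 255.255.0.0
service-policy input MANAGEMENT
no shutdown
ip route 0.0.0.0 0.0.0.0 10.5.0.1
"""
MESSAGING_CONTEXT_FIXED = MESSAGING_CONTEXT.replace(
    "service-policy input MANAGEMENT\n", "service-policy input MANAGEMENT\nmac-sticky enable\n")
ADMIN_CONTEXT = """\
policy-map type management first-match MANAGEMENT
class MANAGEMENT
permit
interface vlan 16
description Management
ip address 10.16.6.121 255.255.0.0
service-policy input MANAGEMENT
no shutdown
ip route 0.0.0.0 0.0.0.0 10.16.0.1
"""

if __name__ == "__main__":
    for name, cfg in (("Messaging", MESSAGING_CONTEXT),
                      ("Messaging + mac-sticky", MESSAGING_CONTEXT_FIXED),
                      ("Admin", ADMIN_CONTEXT)):
        print(name, find_asymmetric_management(cfg) or "no asymmetric management VLANs")
```

Run against the trimmed Messaging context the lint reports VLAN 16 with egress via VLAN 5 and gateway 10.5.0.1, which is exactly the situation in the question; with `mac-sticky enable` added under VLAN 16 the finding disappears, and the Admin context (default route on the management VLAN itself) is clean. The same logic is worth running before an HA pair goes live, since a management VLAN that only answers ping is easy to mistake for a firewall or ACL problem.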