03-31-2011 06:37 PM
I'm using an ACE 4710 in a new datacenter, with the following setup:
2 of the 4 physical Ethernet interfaces port-channeled into port-channel 1
2 of the 4 physical Ethernet interfaces port-channeled into port-channel 2
I have the following vlans defined:
1001 - admin - interface ip: 10.53.136.70
400 - client side - interface ip: 10.53.136.100
500 - server side - interface ip: 192.168.128.1
999 - fault tolerance - interface ip: 192.168.11.2
My problem is I am trying to NAT SSH and web server traffic from the client side to the server side, but it's never getting to the server. For example, if I SSH to 10.53.136.102, it times out. (10.53.136.102 should get NAT'd to 192.168.128.2.)
Also, I can connect to the ACE 4710 via telnet using 10.53.136.70, but cannot connect to 10.53.136.100.
I'm thinking there is either something wrong with the port-channels or the access lists. On the other hand, there could be something wrong with the NATing, but I had it working before switching over to the port-channels.
Any thoughts?
Thanks,
Brent
03-31-2011 09:18 PM
Hi Brent,
It would be better if you can post a sanitized copy of your admin context and other context (if any) so we can have a bigger picture of what you're dealing with.
The fact that you can't telnet to 10.53.136.100 may be related to the mgmt policy missing under VLAN 400 or ACL config.
You said that NAT and LB was working before moving to Port-Channel config; have you checked if the ACE updated correctly all the ARP entries after this change? Can you ping the rservers in question?
Is HA designed on active/passive scenario? If so have you checked if each box took the correct role after the interface re-configuration?
HTH
Pablo
04-01-2011 06:34 AM
I've attached the two contexts which we are using. The admin context is new_lb_config.txt and the second context, where the load balancing occurs, is in the new_lb_config_VC_WBPX.txt file.
From the load balancer, I am able to ping the real server ips in the 192.168. ip range. The 4710 recognizes that they are in service.
I believe the ACL for the VLAN 400 is set to permit all traffic, but I don't know if the service policies are preventing something from happening.
Right now, I have disconnected the two 4710s and I am only working on one of them to see if I can get the basic connectivity going. Once I accomplish that, I will work on high availability. I'll have to check whether it thinks it is in passive mode... not entirely sure how to do that, but I will check it out.
Thanks,
Brent
04-04-2011 11:45 AM
Hi Brent,
Couple of things I was able to see from the config you posted.
1- Telnet/SSH is not available on the VLAN 400 SVI because there's no class-map type management configured on context VC_WBPX. If you want to access the context remotely, just mirror the same mgmt class that is configured on the Admin context and apply it under VLAN 400.
2- You mentioned that you want requests from clients on VLAN 400 to be NAT'd using an IP address of VLAN 500; however, the 2 policies configured to do NAT are applied under VLAN 500, so only traffic initiated from that VLAN will be NAT'd.
You need multi-match policy "SNAT_POLICY" applied on VLAN 500.
HTH
Pablo
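As an added illustration of point 1 above (not from the thread's attached configs), this is the shape of an ACE management class-map and policy applied to the VLAN 400 SVI; the class/policy names and the admin subnet 10.53.136.0/24 are assumptions, and the source-address restriction limits remote management to that subnet rather than permitting it from anywhere.

```cisco
! Added example for context VC_WBPX; names and admin subnet are assumptions.
! Only SSH from the admin subnet is permitted; telnet is left out so that
! credentials do not cross the client VLAN in cleartext.
class-map type management match-any REMOTE_MGMT
  2 match protocol ssh source-address 10.53.136.0 255.255.255.0
  3 match protocol icmp source-address 10.53.136.0 255.255.255.0

policy-map type management first-match REMOTE_MGMT_POLICY
  class REMOTE_MGMT
    permit

! Apply the management policy on the client-side SVI from the original post.
interface vlan 400
  ip address 10.53.136.100 255.255.255.0
  service-policy input REMOTE_MGMT_POLICY
  no shutdown
```

Without a management policy on the SVI the ACE silently drops connections to the interface address itself, which matches the symptom of reaching 10.53.136.70 but not 10.53.136.100.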