06-24-2012 05:02 AM
Guys,
I am facing some problems with my ACE design and would like your thoughts and feedback on this:
Here is what we are facing:
The load balancing is working correctly when traffic is coming from any other subnet other than the server farm.
In other words, load balancing is not working with the VIP IP for servers that reside in the server farm, since there is a serverfarm interface on the ACE.
Does anyone have a clue?
Regards,
Hesham
06-24-2012 05:20 AM
Hi Hesham,
The solution is quite easy: apply the multi-match policy for the VIP on the serverfarm VLAN interface.
This will fix the issue.
When traffic hits the interface, it matches the class map and uses the policy applied on that interface for load balancing.
Since you have not applied any policy on the server VLAN interface, it is not going to do any load balancing.
Hope it helps.
regards,
Ajay Kumar
06-24-2012 05:43 AM
You mean under the Server Farm VLAN? And what is the exact syntax that should be used?
Regards,
Hesham
06-24-2012 05:51 AM
Here is the configuration:
class-map match-all Test-C1
  2 match virtual-address 172.X.X.X any
class-map type management match-any REMOTE-MGMT
  description ---------Enable remote access---------
  10 match protocol ssh any
  20 match protocol icmp any
  30 match protocol https any
policy-map type management first-match REMOTE-ACCESS
  class REMOTE-MGMT
    permit
policy-map type loadbalance first-match Test-POLICY
  class class-default
    sticky-serverfarm Test-Stickiness
policy-map multi-match SF-POLICY
  class Test
    loadbalance vip inservice
    loadbalance policy Test-POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 800
interface vlan 100
  description ---------SERVER SIDE INTERFACE--------
  ip address 172.X,X,X, 255.255.255.0
  alias 172.X,X,X, 255.255.252.0
  peer ip address 172.X,X,X, 255.255.252.0
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input ACL-IN
  nat-pool 1 172.X,X,X,X, 172.X,X,X,X netmask 255.255.252.0 pat
  service-policy input REMOTE-ACCESS
  no shutdown
interface vlan 200
  description ---------CLIENT SIDE INTERFACE---------
  ip address 172.Y.Y Y. Y.255.255.255.0
  alias 172.Y.Y.Y.y 255.255.255.0
  peer ip address Y.Y.yYU 255.255.255.0
  no normalization
  no icmp-guard
  access-group input ACL-IN
  service-policy input Test-POLICY
  service-policy input REMOTE-ACCESS
  no shutdown
06-24-2012 06:02 AM
I am not sure why you have applied only
service-policy input Test-POLICY <<< You should have applied multi-match policy SF-POLICY >>
Something like this:
service-policy input SF-POLICY
So the solution is to apply:
interface vlan 100
  service-policy input SF-POLICY
Check and let me know if it helps.
regards,
Ajay Kumar
06-24-2012 05:54 AM
Hi,
It is the same as you have used on the client VLAN interface.
Something like this
Admin(config-if)# service-policy input vippolicy
In case you still have confusion, attach the running config and let me know the VIP IP.
regards,
Ajay Kumar
06-24-2012 08:39 AM
Could you send me your private email so I can send you the config file?
06-24-2012 09:28 AM
I have seen your config above. I am trying to say that you should apply this line in the following interface.
interface vlan 100
  description ---------SERVER SIDE INTERFACE--------
  ip address 172.X,X,X, 255.255.255.0
  alias 172.X,X,X, 255.255.252.0
  peer ip address 172.X,X,X, 255.255.252.0
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input ACL-IN
  nat-pool 1 172.X,X,X,X, 172.X,X,X,X netmask 255.255.252.0 pat
  service-policy input REMOTE-ACCESS
  service-policy input SF-POLICY <<<<<< Type this line by going to interface 100 >>>>>>>
  no shutdown
Do the testing and let me know if it works for you.
06-24-2012 10:32 PM
I did so and it didn't work.
Regards,
06-24-2012 11:55 PM
Two things to check:
1) The default gateway should point to the ACE for this to work.
2) The return traffic from the real server may be going to the server directly. Adding a NAT should fix this issue.
You can check the symptoms as shown below:
show conn | in <IP address of the server (acting as client)>
See if the connection is going to the ACE or not.
See if the connection is getting load balanced or not.
If it is load balancing, then the issue is that the real server is responding directly to the server (client), and hence the connection is getting dropped. So add a NAT to fix the issue.
06-25-2012 12:45 PM
Hi Hesham,
You probably need a nat-pool to make it work. Please send me the running config or showtech of the context where you have this setup.
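Added example, not code from the thread or from Cisco: a Python check that parses the configuration posted above and reports the cross-reference gaps the replies point at, namely which policy map each service-policy input line names and whether each nat dynamic line has a matching nat-pool on the VLAN it references. The function name lint, the trimmed sample and the rule that only multi-match or management policy maps belong on an interface are assumptions of this example.

```python
import re

# Constructed sample: the thread's config trimmed to the lines the checks read.
SAMPLE = """\
class-map match-all Test-C1
policy-map type loadbalance first-match Test-POLICY
policy-map multi-match SF-POLICY
  class Test
    nat dynamic 1 vlan 800
interface vlan 100
  nat-pool 1 172.X,X,X,X, 172.X,X,X,X netmask 255.255.252.0 pat
interface vlan 200
  service-policy input Test-POLICY
"""

def lint(config):
    """Findings for an ACE-style config (rules are this example's assumptions)."""
    class_maps, ptype, applied, pools = set(), {}, {}, set()
    class_refs, nat_refs, ctx = [], [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"class-map (?:type .+? )?match-(?:all|any) (\S+)", line):
            class_maps.add(m[1]); ctx = None
        elif m := re.match(r"policy-map (?:type (\S+) first-match|multi-match) (\S+)", line):
            ptype[m[2]] = m[1] or "multi-match"; ctx = ("policy", m[2])
        elif m := re.match(r"interface vlan (\d+)", line):
            applied[m[1]] = []; ctx = ("vlan", m[1])
        elif ctx and ctx[0] == "policy":
            if (m := re.match(r"class (\S+)", line)) and m[1] != "class-default":
                class_refs.append((ctx[1], m[1]))
            elif m := re.match(r"nat dynamic (\d+) vlan (\d+)", line):
                nat_refs.append((m[1], m[2]))  # (pool id, vlan holding the pool)
        elif ctx and ctx[0] == "vlan":
            if m := re.match(r"nat-pool (\d+) ", line):
                pools.add((ctx[1], m[1]))
            elif m := re.match(r"service-policy input (\S+)", line):
                applied[ctx[1]].append(m[1])
    out = [f"policy-map {p}: class {c} has no matching class-map"
           for p, c in class_refs if c not in class_maps]
    out += [f"interface vlan {v}: {p} is type {ptype.get(p, 'undefined')}, not multi-match or management"
            for v, ps in applied.items() for p in ps
            if ptype.get(p) not in ("multi-match", "management")]
    used = {p for ps in applied.values() for p in ps}
    out += [f"policy-map {p}: multi-match policy is not applied to any interface"
            for p, t in ptype.items() if t == "multi-match" and p not in used]
    out += [f"nat dynamic {n} vlan {v}: no nat-pool {n} on interface vlan {v}"
            for n, v in nat_refs if (v, n) not in pools]
    return out

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

The findings are consistency checks on the text of the config only; the class name mismatch may simply come from how the poster redacted names.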