ACE dropped conns problem (Bridged mode)

Dear all,

I configured an ACE in bridged mode (inside vlan: 2012, outside vlan: 2021) and I apply the L4 policy on the two VLAN interfaces to load-balance incoming HTTP requests (Virtual IP: 172.22.22.130).

interface vlan 2112
  bridge-group 1
  access-group input BPDU-Allow
  service-policy input POLICY-LB-HMC-2112
  no shutdown
interface vlan 2122
  bridge-group 1
  access-group input BPDU-Allow
  service-policy input POLICY-LB-HMC-2112
  no shutdown

But I also need some other servers connected to the same VLAN 2112 to send HTTP requests to the same VIP; this fails and I get dropped conns.

Can anyone help?

Regards

Abdelaziz

ohynderi
Level 1

Hello Abdelaziz,

I am not sure I understand your issue. Are all connections to the VIP (172.22.22.130) failing, or only connections initiated from the server in VLAN 2122 to the VIP? Do you see hits in show service-policy when connections are failing?

Thanks,

Olivier

Hi Olivier,

Only connections initiated from the server in VLAN 2122 to the VIP (172.22.22.130) are failing. No problem with connections from outside. Moreover, I see hits in show service-policy when connections are failing.

Thanx,

Abdelaziz

My guess is that you have direct server return in your VLAN 2122.

Very likely you have asymmetric routing (i.e. traffic from server to client bypassing the ACE). If this is indeed the case, you should see the client pkt counter increasing but not the server pkt counter in show service-policy. To work around this you should source NAT traffic from the server in that VLAN to the VIP.

Thanks,

Olivier

Hi Olivier,

Below is the full config. My need is to make a server in the inside VLAN 2112 (172.22.22.121) open an HTTPS connection to the VIP (172.22.22.130, for rservers .131 and .132). Traffic from the outside is working well.

Thanx,

Abdelaziz

--------------------------

Generating configuration....

access-list BPDU-Allow ethertype permit bpdu

probe tcp HTTPS
  port 443
  interval 15
  passdetect interval 15
  passdetect count 1
probe icmp PING
  interval 5


rserver host CASHUB131
  ip address 172.22.22.131
  inservice

rserver host CASHUB132
  ip address 172.22.22.132
  inservice

serverfarm host SFARM-EXCAS130
  probe HTTPS
  rserver CASHUB131
    inservice
  rserver CASHUB132
    inservice

parameter-map type connection TCP_IDLE_30min
  set timeout inactivity 1800

class-map match-all CLASS-L4-VIP-EXCAS130
  2 match virtual-address 172.22.22.130 any

class-map type management match-any REMOTE-ACCESS
  description management ACE
  10 match protocol telnet any
  20 match protocol ssh any
  30 match protocol icmp any
  31 match protocol https any
  32 match protocol snmp any

policy-map type management first-match REMOTE-MGT
  class REMOTE-ACCESS
    permit

policy-map type loadbalance first-match POLICY-L7-VIP-EXCAS130
  class class-default
    serverfarm SFARM-EXCAS130

policy-map multi-match POLICY-LB-HMC-2112
  class CLASS-L4-VIP-EXCAS130
    loadbalance vip inservice
    loadbalance policy POLICY-L7-VIP-EXCAS130
    loadbalance vip icmp-reply
    connection advanced-options TCP_IDLE_30min

interface vlan 2112
  bridge-group 1
  access-group input BPDU-Allow
  service-policy input POLICY-LB-HMC-2112
  no shutdown
interface vlan 2122
  bridge-group 1
  access-group input BPDU-Allow
  service-policy input POLICY-LB-HMC-2112
  no shutdown

interface bvi 1
  ip address 172.22.22.250 255.255.255.0
  peer ip address 172.22.22.251 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.22.22.254

Hi Olivier,

I checked this document and it talks about routed mode, where the problem can be easily solved with SNAT. In my case, I need to initiate traffic from machine 172.22.12.141 to the VIP following this diagram:

I can ping the VIP from .141 but I can't initiate an HTTP session. Moreover, I think it's impossible for me to use SNAT in bridged mode and I can't change to routed mode. So is there any solution for this issue?

Regards,

Abdelaziz

Abdelaziz,

I understand that the example I gave you is in routed mode, but, if I'm not mistaken, you should still be able to configure the NAT pool (and so the source NAT) under VLAN 2012.

Thanks,

Olivier

Olivier,

I configured the NAT pool and applied the SNAT policy under VLAN 2012, and it's working. This is the config to be added to the standard configuration in bridged mode:

-------------------------

class-map match-any SNAT
  2 match source-address 172.22.12.0 255.255.255.0

policy-map multi-match POLICY-NAT
  class SNAT
    nat dynamic 1 vlan 2012

interface vlan 2012
  nat-pool 1 172.22.12.200 172.22.12.200 netmask 255.255.255.255 pat
  service-policy input POLICY-NAT

----------------------------

It's working.

Thanks,

Abdelaziz
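The failure Olivier describes (server-to-client traffic bypassing the ACE, so only the client pkt counter moves) and the SNAT fix in the last post, modelled as an added Python example. This is not part of the thread and not Cisco ACE code. It assumes, as Olivier did, that the rserver can reach the client's address directly without passing back through the ACE; the VIP, rserver and nat-pool addresses are the ones posted in the thread, while the `Balancer` class, the `simulate()` function and the round-robin rserver selection are the example's own simplification.

```python
# Added example, not Cisco ACE code: a small model of the path a client's
# request takes to a bridged-mode VIP, with and without source NAT.
# Addresses are taken from the thread; the class/function names are invented.
from dataclasses import dataclass, field
from typing import Optional

VIP = "172.22.22.130"
RSERVERS = ["172.22.22.131", "172.22.22.132"]
NAT_POOL_IP = "172.22.12.200"          # the thread's nat-pool address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class Balancer:
    """Stateful load balancer sitting in the L2 path (bridged mode)."""
    vip: str
    rservers: list
    snat_ip: Optional[str] = None      # None = no source NAT configured
    counters: dict = field(
        default_factory=lambda: {"client_pkts": 0, "server_pkts": 0})
    _rr: int = 0                                   # round-robin index
    _xlate: dict = field(default_factory=dict)     # (rserver, src) -> client

    def owns(self, ip: str) -> bool:
        # Frames addressed to the VIP or to the NAT pool are always handed
        # to the balancer; nothing else is forced through it.
        return ip == self.vip or ip == self.snat_ip

    def client_to_vip(self, pkt: Packet) -> Packet:
        """Pick an rserver, rewrite the destination, optionally SNAT the source."""
        rs = self.rservers[self._rr % len(self.rservers)]
        self._rr += 1
        self.counters["client_pkts"] += 1
        src = self.snat_ip or pkt.src
        self._xlate[(rs, src)] = pkt.src
        return Packet(src, rs)

    def server_to_client(self, pkt: Packet) -> Packet:
        """Reverse the translation: VIP as source, original client as destination."""
        self.counters["server_pkts"] += 1
        client = self._xlate[(pkt.src, pkt.dst)]
        return Packet(self.vip, client)


def simulate(client: str, use_snat: bool) -> dict:
    """Run one request/reply exchange and report what the client ends up seeing."""
    lb = Balancer(VIP, RSERVERS, snat_ip=NAT_POOL_IP if use_snat else None)

    # 1. Client SYN to the VIP; the VIP is owned by the balancer, so it is handled.
    to_server = lb.client_to_vip(Packet(client, VIP))

    # 2. The rserver answers whatever source address it saw in the request.
    reply = Packet(to_server.dst, to_server.src)

    # 3. Shared segment (the thread's assumption): a reply to an address the
    #    balancer owns goes through it; any other reply reaches the host directly.
    if lb.owns(reply.dst):
        delivered = lb.server_to_client(reply)
        path = "via_balancer"
    else:
        delivered = reply          # lands on the client, bypassing the ACE
        path = "direct"

    # The client's TCP stack only accepts a SYN-ACK from the address it connected
    # to; a reply sourced from the rserver's own IP is discarded and the session
    # never comes up, while the balancer's server pkt counter stays at zero.
    established = delivered.dst == client and delivered.src == VIP
    return {"path": path, "reply_src": delivered.src,
            "established": established, **lb.counters}


if __name__ == "__main__":
    for snat in (False, True):
        print(f"snat={snat}: {simulate('172.22.12.141', snat)}")
```

Running it without SNAT shows `path: direct`, a reply sourced from the rserver address and `server_pkts: 0`, which is exactly the counter pattern Olivier said to look for in show service-policy; with SNAT the reply is forced back to the pool address, the balancer restores the VIP as source and the connection completes.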
