05-08-2013 09:36 AM
Dear all,
I configured my ACE as I found it here:
https://supportforums.cisco.com/docs/DOC-22555
The VIP is working, that means I can ping it, routing is working etc.
I created a loopback on the Win2012 server with the IP of the VIP. When I now try to test the LB with telnet on port 25, e.g., it is not working. Directly on the server it works, also in my last deployment where I use SNAT/PAT. But we want the real client IPs visible on the Exchange Server.
Where is my problem? Any ideas would be great.
rserver host YY
  description AServer-1
  ip address 10.1.x.2
  inservice
rserver host XX
  description AServer-2
  ip address 10.1.x.3
  inservice
serverfarm host Mail
  description Mail
  transparent
  predictor leastconns
  rserver AServer-1
    inservice
  rserver AServer-2
sticky ip-netmask 255.255.255.255 address both Mail
  timeout 5
  replicate sticky
  serverfarm Mail
class-map match-all Exchange_ALL
  2 match virtual-address 192.168.1.1 any
class-map type management match-any remote_access
  2 match protocol xml-https source-address 10.a.b.0 255.255.255.0
  3 match protocol icmp source-address 10.a.b.0 255.255.255.0
  5 match protocol ssh source-address 10.a.b.0 255.255.255.0
  7 match protocol https source-address 10.a.b.0 255.255.255.0
  8 match protocol snmp source-address 10.a.b.0 255.255.255.0
  9 match protocol xml-https source-address 10.d.e.1 255.255.255.255
  10 match protocol icmp source-address 10.d.e.1 255.255.255.255
  11 match protocol ssh source-address 10.d.e.1 255.255.255.255
  12 match protocol https source-address 10.d.e.1 255.255.255.255
  13 match protocol snmp source-address 10.d.e.1 255.255.255.255
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance first-match mail
  class class-default
    sticky-serverfarm Mail
policy-map multi-match VLAN20
  class Exchange_ALL
    loadbalance vip inservice
    loadbalance policy mail
    loadbalance vip icmp-reply
interface vlan 2
  ip address 10.a.b.2 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 20
  description Server
  ip address 10.1.x.20 255.255.255.0
  peer ip address 10.1.x.30 255.255.255.0
  no normalization
  access-group input ALL
  service-policy input VLAN20
  no shutdown
ft interface vlan 4
  ip address 10.f.g.2 255.255.255.252
  peer ip address 10.f.g.1 255.255.255.252
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 4
ft group 1
  peer 1
  associate-context Admin
  inservice
ip route 10.d.e.0 255.255.255.255 10.1.x.1
ip route 0.0.0.0 0.0.0.0 10.a.b.1
05-12-2013 03:31 AM
Hello, this is interesting.
What do you see on netstat when you establish a successful connection? The TCP handshake goes like this - I'm sure you know it already:
From the State:SYN_RECEIVED it seems as though we are stuck on number 2. This is on the server side. Seems as though the server is not responding back if it's just stuck in this state.
Did you manage to have a look at my previous post about the NIC settings on the server - maybe it's something your server team can look at?
Please rate useful posts and remember to mark any solved questions as answered. Thank you.
05-12-2013 05:51 AM
Yes, as I mentioned, I did the change without success.
I have no idea at the moment but now access to the server. Maybe tomorrow I got a new idea. It's a hard nut in the moment.
Do you have another setup which makes sure the server will see the native client IP?
Sent from Cisco Technical Support iPhone App
05-13-2013 03:46 AM
OK, I stopped wasting my time on that design and found another, this seems to work.
As soon as I have finished all my tests I will reply to you. This is just to stop for think about an environment what has changed ..
05-13-2013 08:15 AM
Yeah, it works this way. Thanks again for your great help. CU
05-13-2013 08:21 AM
Hey that's great news! Glad you found the solution. :-)
Sent from Cisco Technical Support iPhone App