ACE Issue.

ajay chauhan
Level 7

Hi,

I would like to know about this config: why is it required and how will it work? If I remove class SOURCE_NAT, how will it impact?

Does that mean source-nat will only check class SOURCE_NAT first, then the next?

policy-map multi-match SOURCE_NAT_POLICY
  class SOURCE_NAT
    nat dynamic 3 vlan 1201

policy-map multi-match vip-policy
  class prod-ad
    loadbalance vip inservice
    loadbalance policy prod-ad-policy
    loadbalance vip icmp-reply active primary-inservice
    nat dynamic 3 vlan 1201

Thanks

Ajay

10 Replies

pablo.nxh
Level 3

Hi Ajay,

It depends on where the SOURCE_NAT_POLICY is being applied. You can get really granular with ACE NAT options; it could be for server-to-VIP traffic, server-to-outside initiated connections, etc. It's all about what's being matched by the class SOURCE_NAT and where the multi-match policy is implemented.

HTH

__ __

Pablo

Thanks Pablo.

I have one more issue here: on the switch, an ACE module is present.

I have a user VLAN on the switch, and one management VLAN / VIP VLAN / server VLAN associated with the ACE.

When the VIP is accessed via the firewall by remote users it works, but when it is used by this user group, which is sitting on the same switch, it comes back as connection refused.

The only thing I have seen is that this traffic is routed over the management VLAN, meaning the SVI for the management VLAN is on the switch, and one IP is also configured on the ACE for management.

The static route on the switch for the VIP subnet is pointing to the management IP on the ACE.

Just wanted to confirm whether routing over the management VLAN does work.

Using the same routing I can telnet to the servers successfully; not sure if we can use the same routing for VIPs as well.

Thanks

Ajay

Hello Ajay,

Sounds to me like you're running into an asymmetric routing issue... Can you share a sanitized copy of your configuration so I can take a quick look?

HTH

__ __

Pablo

Hi Pablo,

Here is the config-

ON LB

interface vlan 1100
  description to ASA
  ip address 10.222.133.250 255.255.255.248
  alias 10.222.133.249 255.255.255.248
  peer ip address 10.222.133.251 255.255.255.248
  ip address 10.222.159.1 255.255.255.0 secondary
  peer ip address 10.222.159.2 255.255.255.0 secondary
  mac-address autogenerate
  access-group input TRAFFIC
  service-policy input vip
  no shutdown


interface vlan 1205
  description SERVERS
  ip address 10.222.163.4 255.255.255.0
  ip dhcp relay server 10.222.163.57
  ip dhcp relay enable
  alias 10.222.163.1 255.255.255.0
  peer ip address 10.222.163.5 255.255.255.0
  mac-address autogenerate
  access-group input TRAFFIC
  access-group output TRAFFIC
  nat-pool 4 10.222.163.253 10.222.163.253 netmask 255.255.255.0 pat
  service-policy input vip
  no shutdown


interface vlan 1105
  description to MG
  ip address 10.222.129.18 255.255.255.0
  alias 10.222.129.21 255.255.255.0
  peer ip address 10.222.129.19 255.255.255.0
  mac-address autogenerate
  access-group input TRAFFIC
  no shutdown


ip route 10.222.128.0 255.255.128.0 10.224.129.1  < .1 is SVI on switch.


On switch

ip route 10.222.159.0 255.255.255.0 10.222.129.21

Hi Ajay,

Can you tell me the IP address of the client(s) that are getting connection refused? I think it is within the same server subnet 10.222.163.0/24, but I want to make sure.

__ __

Pablo

Hi Pablo,

I have multiple VLANs in the range 10.222.128.0 255.255.128.0 on the switch, and no success from any of the VLANs, for example 10.222.203.0/24.

Thanks

Ajay

Oh, in that case can you attach the full show run of your ACE?

__ __

Pablo

Hi Pablo,

I am just wondering if the problem is getting into the LB from the management interface, which has not got any service policy applied on it.

Creating another SVI on the switch and giving it an IP address from the VIP range, can that solve my issue?

Thanks

Ajay

Hi Ajay,

That's the problem: at this point I don't know which SVI your VIP belongs to. I see the service policy applied under both "traffic" interfaces; I guess it is on VLAN 1100 as it is working for remote users, but that's what I wanted to confirm with the show run.

Does VLAN 1100 have an SVI created on the switch?

Thanks

__ __

Pablo

Applying the VIP policy on the management interface resolved the issue.
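The root cause in this thread is that the switch's route for the VIP subnet (10.222.159.0/24 via 10.222.129.21) delivers local-client traffic into ACE interface vlan 1105, which had no service-policy bound, so the VIP was never matched there. The following audit script is an added example (not code from the thread or from Cisco): it parses a constructed ACE interface excerpt modelled on the configuration above, finds which interface owns a given next-hop address, and reports whether that interface carries a `service-policy input`.

```python
"""Check which ACE interface a VIP-bound flow enters on and whether that
interface has a `service-policy input` bound.  Added example; the config
below is a constructed excerpt mirroring the thread, not a real device."""
import ipaddress
import re

# Constructed sample: the three ACE interfaces from the thread.  VLAN 1105
# (management) has no service-policy, so VIP traffic routed to its alias
# 10.222.129.21 is never matched by the load-balancing policy.
ACE_CONFIG = """
interface vlan 1100
  ip address 10.222.133.250 255.255.255.248
  alias 10.222.133.249 255.255.255.248
  ip address 10.222.159.1 255.255.255.0 secondary
  service-policy input vip
interface vlan 1205
  ip address 10.222.163.4 255.255.255.0
  ip dhcp relay server 10.222.163.57
  alias 10.222.163.1 255.255.255.0
  service-policy input vip
interface vlan 1105
  ip address 10.222.129.18 255.255.255.0
  alias 10.222.129.21 255.255.255.0
"""

def parse_interfaces(text):
    """Return {iface_name: {"nets": [IPv4Network, ...], "policies": [names]}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            cur = ifaces.setdefault(line[len("interface "):], {"nets": [], "policies": []})
        elif cur is None:
            continue  # ignore anything before the first interface block
        elif m := re.match(r"(?:ip address|alias|peer ip address) (\S+) (\S+)", line):
            # dotted netmask form is accepted by ipaddress; strict=False keeps host bits
            cur["nets"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r"service-policy input (\S+)", line):
            cur["policies"].append(m[1])
    return ifaces

def ingress_check(ifaces, next_hop):
    """Locate the interface whose subnet contains `next_hop` (the address the
    switch routes the VIP subnet to) and say whether an input policy is bound."""
    hop = ipaddress.ip_address(next_hop)
    for name, data in ifaces.items():
        if any(hop in net for net in data["nets"]):
            return name, bool(data["policies"])
    return None, False

if __name__ == "__main__":
    name, bound = ingress_check(parse_interfaces(ACE_CONFIG), "10.222.129.21")
    print(f"VIP traffic enters via {name}; service-policy bound: {bound}")
```

Run against the thread's own next hop the script reports vlan 1105 with no policy bound, which is exactly the gap the final reply fixed.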
