[ACE] Issues putting ACE4710 into running system

n.poongsawad · ‎04-17-2012

Hi Expert,

Now I'm facing some tough issue. I'm implementing and found out some issues are unresolvable on ACE4710. So, I need your help, would you be so kind.

This network have been running on a server without LB. Now the second server comes up. We choosed to implement with Routed Mode.

This network Peak @ 300Mbps.

Now on we're doing the first context which is function as content web-farm. In near future, 2nd context which takes care of indexing web-farm when they buy more server.

From following diagrams.

I browsed from internet into this service. "show service-policy" shown as '0' (counter was not running). I guessed that there is something wrong in FW configuration. So I isolated out FW.

Then I plugged-in my PC into network 30 (192.168.30.X) in front of this LB, then browsed into LB's VIP (192.168.30.1). LB "show service-policy" came up BUT there is nothing return to my PC (client). "show conn" on LB as "SYNSEEN". What's SYNSEEN?! Some meaningful.

Then I tried to figure out with a PC running 'apache' and took the place of real server. "It works!" returned from LB/Server. "show conn" became 'Establish'

Programmer guy said if I browse into web-farm (i.e. content web-farm) directly pkt will be redirected to indexing server. But they said it will be L7 redirection. Not LB/Network level. I'm afraid it will have problem with this redirection.

Would you pls recommend the solution or what to test more. Some command or some general troubleshooting steps.

Anyway I enclosed my related configure such LB running-config.

Thank you in advance.

Dan-Ciprian Cicioiu · ‎04-18-2012

Hi,

The web-server's gateway is the ACE or are you using NAT for the clients ? I thnik that you are using it without nat. Please confirm.

SYNSEEN - is very meaningfull , the ACE has seen only the seen , but no SYN ACK from the server. In my opinion the packet gets to the server but the server is replying to the client though the firewall.

Later edit : Also in your drawing regarding the VLAN30 , the ACE has .242 address , but on config is .1 , also the firewall in the drawing is .254 and in the ACE's config the default gw is .242. Could you clear this ?

Dan

n.poongsawad · ‎04-18-2012

Hi Dan, Thanks mate,

Sorry, I was attached the wrong version, the right version of LB (AUPT context config) is

interface vlan 30

description Client Side

ip address 192.168.30.242 255.255.255.0

access-group input EVERYONE

service-policy input int30

service-policy input mgmt-pm

no shutdown

interface vlan 50

description Server Side

ip address 192.168.50.242 255.255.255.0

service-policy input mgmt-pm

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.50.254

---

Yep, Im using web-server's gateway as ACE (192.168.50.242). Packet need to pass through LB before return out FW right?

In face, I do dst-NATed at FW for incoming traffic to 192.168.30.1 (VIP)

What's the point of using NAT, Do you mean of src-NAT of incoming pkt?

Nipat.p

Dan-Ciprian Cicioiu · ‎04-18-2012

Hi ,

sNAT (client nat) is not your case, because you are using ACE as a default gw for your server. If you didn't use ACE as gateway you had to make samehow as the returing traffic to be through ACE. This is the point of SNAT ( client nat ). But once again not your case.

Could you paste the routing table of the server , please

Dan

Dan-Ciprian Cicioiu · ‎04-18-2012

Please also paste you current config.

From your initial config I can see that you have 2 * ACE in HA , am I correct ?

peer hostname lopsdr471002

hostname aupt4700

shared-vlan-hostid 2

peer shared-vlan-hostid 3

Dan

n.poongsawad · ‎04-18-2012

Hi Dan,

You r correct ! This box was picked from another project to PoC in this porject before real box delivery. So, some config left. But those config are not affect.

By the way, we rolled back to the last working config i.e. FW, Server and put LB out.

I will reproduce this for you by next week and I will restore factory defualt before retrying.

Thanks for yr kindness, I will repond you soon.

Nipat