Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
609
Views
0
Helpful
1
Replies

ACE load-balancing stealth firewall not working

Massimiliano Tognon
Level 1
Level 1

‎10-19-2007 05:18 AM

Hi to all, i'm trying to configure, with no luck, two ace to make stealth firewall load balancing

this is my layout:

WEout (cat 6513 + ace) ---- 3 fortinet firewall in stealth mode --- WEin ( another chassis cat 6513 + ace )

In attach you can find a detailed layout and configuration from WEout (supervisor and ace) and WEin (supervisor and ace)

As you can see i used the configuration example from cisco configuration guide, you can find it here :

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/ace/ace_301/slbgd/fwldbal.htm#wp1036666

config from ace is very simple, you can find it in attach to the post

As you can see, i'm trying to reach network 100 (match virtual-address 100.0.0.0 255.0.0.0 any) from WEin and network 200 (match virtual-address 200.0.0.0 255.0.0.0 any) from WEout, but it's not working, i also tried to announce from both ACE to match all (change configuration from match virtual-address 100.0.0.0 255.0.0.0 any and match virtual-address 200.0.0.0 255.0.0.0 any to match virtual-address 0.0.0.0 0.0.0.0 any) but also this is not working. On interface connected to firewall it not working.

I make some show on ACE module (the WEin ACE module), and tried to generate some traffic for the other chassis, i found that policy-map is matched, as you can see from the

ACE-IN-CUB/Admin# sh service-policy POL_SEC

Status : ACTIVE

-----------------------------------------

Interface: vlan 200

service-policy: POL_SEC

class: FW_SEC_VIP

loadbalance:

L7 loadbalance policy: LB_FW_SEC

VIP Route Metric : 77

VIP Route Advertise : DISABLED

VIP ICMP Reply : DISABLED

VIP State: INSERVICE

curr conns : 0 , hit count : 16

dropped conns : 16

client pkt count : 0 , client byte count: 1544

server pkt count : 0 , server byte count: 0

and i found also the ace module had balanced to the firewall, as you can see from

ACE-IN-CUB/Admin# sh serverfarm SF_SEC detail

serverfarm : SF_SEC, type: HOST

total rservers : 3

description : -

predictor : HASH-ADDRDEST

ip mask : 255.255.255.255

failaction : -

total conn-dropcount : 16

---------------------------------

----------connections-----------

real weight state current total

---+---------------------+------+------------+----------+--------------------

rserver: FW_SEC_1

101.0.101.100:0 8 OPERATIONAL 0 0

total conn-failures : 5

rserver: FW_SEC_2

101.0.102.100:0 8 OPERATIONAL 0 0

total conn-failures : 2

rserver: FW_SEC_3

101.0.103.100:0 8 OPERATIONAL 0 0

total conn-failures : 9

ACE-IN-CUB/Admin# sh rserver FW_SEC_3 detail

rserver : FW_SEC_3, type: HOST

state : OPERATIONAL

description : -

weight : 8

---------------------------------

----------connections-----------

real weight state current total

---+---------------------+------+------------+----------+--------------------

serverfarm: SF_SEC

101.0.103.100:0 8 OPERATIONAL 0 0

total conn-failures : 9

but all connection are failed and dropped...

On firewall we see no traffic going through, ACE seems not able to forward traffic to the vlan connected to firewall.

this is the configuration related to ACE for cat 6513 :

svclc module 1 vlan-group 10

svclc vlan-group 10 111,200,249,253

interface GigabitEthernet10/44

switchport

switchport access vlan 253

switchport mode access

no ip address

Anyone has an idea, why it's not working ?

many thanks

Max

Labels:
Preview file
3 KB
Preview file
35 KB
Preview file
3 KB
0 Helpful
1 Reply 1

Massimiliano Tognon
Level 1
Level 1

‎10-19-2007 05:21 AM

Here in attach you can find full configuration from Cat6513 switch both WEin and WEout.

many thanks

Max

Preview file
7 KB
0 Helpful
Customers Also Viewed These Support Documents