10-19-2007 05:18 AM
Hi to all, I'm trying to configure, with no luck, two ACEs to do stealth firewall load balancing.
This is my layout:
WEout (cat 6513 + ace) ---- 3 fortinet firewall in stealth mode --- WEin ( another chassis cat 6513 + ace )
In the attachment you can find a detailed layout and the configuration from WEout (supervisor and ACE) and WEin (supervisor and ACE).
As you can see, I used the configuration example from the Cisco configuration guide; you can find it here:
The config from the ACE is very simple; you can find it attached to the post.
As you can see, I'm trying to reach network 100 (match virtual-address 100.0.0.0 255.0.0.0 any) from WEin and network 200 (match virtual-address 200.0.0.0 255.0.0.0 any) from WEout, but it's not working. I also tried to announce from both ACEs to match all (changing the configuration from match virtual-address 100.0.0.0 255.0.0.0 any and match virtual-address 200.0.0.0 255.0.0.0 any to match virtual-address 0.0.0.0 0.0.0.0 any), but this is not working either. On the interface connected to the firewalls it is not working.
I ran some show commands on the ACE module (the WEin ACE module) and tried to generate some traffic toward the other chassis; I found that the policy-map is matched, as you can see from the following:
ACE-IN-CUB/Admin# sh service-policy POL_SEC
Status : ACTIVE
-----------------------------------------
Interface: vlan 200
service-policy: POL_SEC
class: FW_SEC_VIP
loadbalance:
L7 loadbalance policy: LB_FW_SEC
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : DISABLED
VIP State: INSERVICE
curr conns : 0 , hit count : 16
dropped conns : 16
client pkt count : 0 , client byte count: 1544
server pkt count : 0 , server byte count: 0
and I also found that the ACE module had balanced to the firewalls, as you can see from the following:
ACE-IN-CUB/Admin# sh serverfarm SF_SEC detail
serverfarm : SF_SEC, type: HOST
total rservers : 3
description : -
predictor : HASH-ADDRDEST
ip mask : 255.255.255.255
failaction : -
total conn-dropcount : 16
---------------------------------
----------connections-----------
real weight state current total
---+---------------------+------+------------+----------+--------------------
rserver: FW_SEC_1
101.0.101.100:0 8 OPERATIONAL 0 0
total conn-failures : 5
rserver: FW_SEC_2
101.0.102.100:0 8 OPERATIONAL 0 0
total conn-failures : 2
rserver: FW_SEC_3
101.0.103.100:0 8 OPERATIONAL 0 0
total conn-failures : 9
ACE-IN-CUB/Admin# sh rserver FW_SEC_3 detail
rserver : FW_SEC_3, type: HOST
state : OPERATIONAL
description : -
weight : 8
---------------------------------
----------connections-----------
real weight state current total
---+---------------------+------+------------+----------+--------------------
serverfarm: SF_SEC
101.0.103.100:0 8 OPERATIONAL 0 0
total conn-failures : 9
but all connections are failed and dropped...
On the firewalls we see no traffic going through; the ACE seems unable to forward traffic to the VLAN connected to the firewalls.
This is the configuration related to the ACE on the Cat 6513:
svclc module 1 vlan-group 10
svclc vlan-group 10 111,200,249,253
interface GigabitEthernet10/44
switchport
switchport access vlan 253
switchport mode access
no ip address
Does anyone have an idea why it's not working?
Many thanks,
Max
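Added example, not taken from the post above or from its attachment: the stealth firewall load-balancing pattern from the Cisco ACE configuration guide, written for the WEin side with the object names that appear in the show output above (SF_SEC, FW_SEC_1..3, FW_SEC_VIP, LB_FW_SEC, POL_SEC, vlan 200). Everything not visible in the post is an assumption: the per-firewall VLANs 101/102/103 (the ACE guide puts each stealth firewall on its own VLAN on each side, since a stealth firewall has no IP address and the ACE must pick the path by VLAN), the ACE interface addresses, the ACL name, and the fact that the rserver addresses are the far-side ACE's addresses on those VLANs. The `!` lines are annotations, not ACE syntax.

```text
! --- Supervisor (WEin Cat 6513): every VLAN the ACE terminates must be in its vlan-group
svclc module 1 vlan-group 10
svclc vlan-group 10 101,102,103,200

! --- ACE, WEin side ---
! ACE drops all traffic on an interface that has no input access-group;
! the firewalls do the filtering here, so the ACE side permits everything (assumed ACL name).
access-list ALL line 10 extended permit ip any any

! One rserver per stealth firewall. In stealth FWLB the rserver IP is the
! far-side (WEout) ACE address on that firewall's VLAN (assumed), not the firewall itself.
rserver host FW_SEC_1
  ip address 101.0.101.100
  inservice
rserver host FW_SEC_2
  ip address 101.0.102.100
  inservice
rserver host FW_SEC_3
  ip address 101.0.103.100
  inservice

! "transparent" stops the ACE from rewriting the destination IP to the rserver
! address; without it the packet no longer carries the real destination when it
! reaches the far side. hash address destination pins a destination to one firewall
! so both directions of a flow cross the same box (the other ACE uses hash source).
serverfarm host SF_SEC
  transparent
  predictor hash address destination 255.255.255.255
  rserver FW_SEC_1
    inservice
  rserver FW_SEC_2
    inservice
  rserver FW_SEC_3
    inservice

! VIP = the whole far-side network, so the class catches everything bound for it
class-map match-all FW_SEC_VIP
  2 match virtual-address 100.0.0.0 255.0.0.0 any

policy-map type loadbalance first-match LB_FW_SEC
  class class-default
    serverfarm SF_SEC

policy-map multi-match POL_SEC
  class FW_SEC_VIP
    loadbalance vip inservice
    loadbalance policy LB_FW_SEC

! Client-facing VLAN (address assumed); the service-policy sits here.
! mac-sticky keeps return traffic on the MAC/VLAN it arrived from.
interface vlan 200
  ip address 200.0.0.2 255.0.0.0
  mac-sticky enable
  access-group input ALL
  service-policy input POL_SEC
  no shutdown

! One ACE interface per firewall VLAN (addresses assumed). These are the VLANs
! the load-balanced packet is actually forwarded on, so each one needs an
! address, an input ACL and no shutdown, and must appear in the svclc vlan-group.
interface vlan 101
  ip address 101.0.101.1 255.255.255.0
  mac-sticky enable
  access-group input ALL
  no shutdown
interface vlan 102
  ip address 101.0.102.1 255.255.255.0
  mac-sticky enable
  access-group input ALL
  no shutdown
interface vlan 103
  ip address 101.0.103.1 255.255.255.0
  mac-sticky enable
  access-group input ALL
  no shutdown
```

When comparing this against a failing setup, the useful checks on the ACE are `show interface vlan <n>` (is the firewall-side VLAN up and in the vlan-group), `show access-list` and `show serverfarm <name> detail` (the same counters the post shows), and `show conn` while traffic is generated; a rising `dropped conns` count with zero `server pkt count`, as in the output above, means the ACE chose a firewall but never put the packet on that firewall's VLAN, so the firewall-side interface and ACL are the first things to verify.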
10-19-2007 05:21 AM