01-29-2010 05:13 AM
I have four servers in my network. Users access two web servers, 192.168.200.161 and 192.168.200.162, on port 80.
These two servers communicate with the back-end servers APP1 and APP2, 192.168.200.165 and 192.168.200.165, on port 3005.
I want that, whenever port 80 on Web server 1 or port 3005 on Application Server 1 goes down, traffic is redirected to Web server 2 and Application Server 2.
probe tcp ITSMWeb_PROBE_80
  port 80
  interval 15
  passdetect interval 60
  open 1
probe tcp ITSMAPP_PROBE_3005
  port 3005
  interval 15
  passdetect interval 60
  open 1
rserver host ITSMWeb_1
  description ITSMWeb-1
  ip address 192.168.200.161
  inservice
rserver host ITSMWeb_2
  description ITSMWeb-2
  probe tcp ITSMWeb_PROBE_80
  ip address 192.168.200.162
  inservice
rserver host ITSMMAPP_1
  description ITSMMAPP_1
  probe tcp ITSMAPP_PROBE_3005
  ip address 192.168.200.165
  inservice
rserver host ITSMMAPP_2
  description ITSMMAPP_2
  ip address 192.168.200.166
  inservice
serverfarm host SF_ITSM_Web_Server
  rserver ITSMWeb_1
    inservice
  rserver ITSMWeb_2
    inservice
serverfarm host SF_ITSM_MAPP_Server
  rserver ITSMMAPP_1
    inservice
  rserver ITSMMAPP_2
    inservice
class-map match-any ITSM_Web_Server
  2 match virtual-address 172.23.15.163 any
class-map match-all clas-default
class-map match-any ITSM_MAPP_Server
  2 match virtual-address 172.23.15.167 any
class-map match-all clas-default
policy-map type loadbalance first-match PM_LB_ITSM_Web_Server
  class class-default
    serverfarm SF_ITSM_Web_Server
policy-map type loadbalance first-match PM_LB_ITSM_MAPP_Server
  class class-default
    serverfarm SF_ITSM_MAPP_Server
policy-map multi-match PM_ITSM_Web_Server
  class ITSM_Web_Server
    loadbalance vip inservice
    loadbalance policy PM_LB_ITSM_Web_Server
    loadbalance vip icmp-reply active
interface vlan 200
  service-policy input PM_ITSM_Web_Server
interface vlan 200
  service-policy input PM_ITSM_MAPP_Server
interface vlan 300
  service-policy input PM_ITSM_Web_Server
  nat-pool 3 172.23.16.3 172.23.16.3 netmask 255.255.255.255 pat
interface vlan 300
  service-policy input PM_ITSM_MAPP_Server
  nat-pool 4 172.23.16.4 172.23.16.4 netmask 255.255.255.255 pat
Please let me know whether this configuration will achieve my goal. This is my production time and I will not have enough time to troubleshoot. This ACE is my core, where all traffic is terminated, so this activity is critical for me. Please help me out if I am missing something.
01-31-2010 03:04 AM
OK, just add the defined probes to the serverfarm:
serverfarm host SF_ITSM_Web_Server
  probe ITSMWeb_PROBE_80
  rserver ITSMWeb_1
    inservice
  rserver ITSMWeb_2
    inservice
serverfarm host SF_ITSM_MAPP_Server
  probe ITSMAPP_PROBE_3005
  rserver ITSMMAPP_1
    inservice
  rserver ITSMMAPP_2
    inservice
You need to combine the stuff in another way:
policy-map multi-match PM_ITSM
  class ITSM_Web_Server
    loadbalance vip inservice
    loadbalance policy PM_LB_ITSM_Web_Server
    loadbalance vip icmp-reply active
    nat dynamic 3 vlan 300
  class ITSM_MAPP_Server
    loadbalance vip inservice
    loadbalance policy PM_LB_ITSM_MAPP_Server
    loadbalance vip icmp-reply active
    nat dynamic 4 vlan 300
interface vlan 200
  service-policy input PM_ITSM
interface vlan 300
  service-policy input PM_ITSM
  nat-pool 3 172.23.16.3 172.23.16.3 netmask 255.255.255.255 pat
  nat-pool 4 172.23.16.4 172.23.16.4 netmask 255.255.255.255 pat
You may need to change the VLAN numbers in the nat commands, I'm not sure about the NAT directions you wish.
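As an added example, not Cisco code and not from this thread, the Python below models what attaching the probe to the serverfarm (rather than to a single rserver) buys you: every rserver in the farm is probed, an rserver that fails `faildetect` consecutive probes is taken out of selection, it only returns after `passdetect count` consecutive passes, and the probing cadence switches from `interval` to `passdetect interval` while it is failed. The timers come from the probe definitions posted above; the faildetect and passdetect counts of 3 are assumed ACE defaults (verify on your device), `connect` is a plain TCP handshake check you can run from any host, and the "web server 1 down" scenario is constructed.

```python
"""Added example (not Cisco code): how a serverfarm-level TCP probe drives
rserver state and therefore which rserver a new connection is sent to.
Assumptions: faildetect 3 / passdetect count 3 (ACE defaults as assumed here),
round-robin selection, and a constructed outage of 192.168.200.161."""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class TcpProbe:
    name: str
    port: int
    interval: int = 15              # seconds between probes while OPERATIONAL
    passdetect_interval: int = 60   # seconds between probes once FAILED
    open_timeout: float = 1.0       # 'open 1': seconds to wait for the handshake
    faildetect: int = 3             # consecutive failures before FAILED (assumed default)
    passdetect_count: int = 3       # consecutive passes before OPERATIONAL again (assumed default)

    def connect(self, ip: str) -> bool:
        """Real check: complete a TCP handshake to ip:port and send nothing."""
        try:
            with socket.create_connection((ip, self.port), timeout=self.open_timeout):
                return True
        except OSError:
            return False


@dataclass
class Rserver:
    name: str
    ip: str
    state: str = "OPERATIONAL"
    fail_streak: int = 0
    pass_streak: int = 0


@dataclass
class Serverfarm:
    name: str
    probe: TcpProbe
    rservers: List[Rserver]
    rr_index: int = 0

    def record(self, rs: Rserver, ok: bool) -> None:
        """Apply one probe result with faildetect/passdetect hysteresis."""
        if ok:
            rs.fail_streak = 0
            if rs.state == "FAILED":
                rs.pass_streak += 1
                if rs.pass_streak >= self.probe.passdetect_count:
                    rs.state, rs.pass_streak = "OPERATIONAL", 0
        else:
            rs.pass_streak = 0
            if rs.state == "OPERATIONAL":
                rs.fail_streak += 1
                if rs.fail_streak >= self.probe.faildetect:
                    rs.state, rs.fail_streak = "FAILED", 0

    def probe_cycle(self, check: Optional[Callable[[str, int], bool]] = None) -> None:
        """Probe every rserver once: the probe is farm-wide, which is why it
        belongs under 'serverfarm' and not under one rserver."""
        check = check or (lambda ip, port: self.probe.connect(ip))
        for rs in self.rservers:
            self.record(rs, check(rs.ip, self.probe.port))

    def next_probe_delay(self, rs: Rserver) -> int:
        """Failed rservers are re-probed on 'passdetect interval', healthy ones on 'interval'."""
        return self.probe.passdetect_interval if rs.state == "FAILED" else self.probe.interval

    def select(self) -> Optional[Rserver]:
        """Round-robin over OPERATIONAL rservers only; None means the VIP has no backend left."""
        healthy = [r for r in self.rservers if r.state == "OPERATIONAL"]
        if not healthy:
            return None
        rs = healthy[self.rr_index % len(healthy)]
        self.rr_index += 1
        return rs


def build_web_farm() -> Serverfarm:
    """SF_ITSM_Web_Server as in the thread, with ITSMWeb_PROBE_80 attached to the farm."""
    probe = TcpProbe("ITSMWeb_PROBE_80", port=80)
    return Serverfarm("SF_ITSM_Web_Server", probe,
                      [Rserver("ITSMWeb_1", "192.168.200.161"),
                       Rserver("ITSMWeb_2", "192.168.200.162")])


def simulate_web1_down(cycles: int = 3) -> List[str]:
    """Constructed scenario: .161 stops answering on port 80. Returns the rserver
    chosen for each of four new connections after `cycles` probe rounds."""
    farm = build_web_farm()
    fake_check = lambda ip, port: ip != "192.168.200.161"   # constructed probe outcome
    for _ in range(cycles):
        farm.probe_cycle(fake_check)
    return [farm.select().name for _ in range(4)]


if __name__ == "__main__":
    print(simulate_web1_down(2))   # still alternating: two failures are below faildetect
    print(simulate_web1_down(3))   # only ITSMWeb_2 is chosen once .161 is FAILED
```

The point to take from the simulation is that with two consecutive failures the ACE still sends every other connection to the dead server; failover happens only once the faildetect count is reached, and a recovered server is not used again until it has passed the probe `passdetect count` times at the slower `passdetect interval`. To run the real handshake check instead of the constructed one, call `probe_cycle()` with no argument.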
01-31-2010 07:21 AM
Thanks for the reply. I have configured the load balancer as mentioned below. I can ping the virtual IP addresses from inside and outside the network, and remote desktop is also working on the virtual IP addresses, but when I try to telnet to port 80 on the virtual IP addresses it is not working.
Real IP addresses 192.168.200.161 and 162 (I can open the web page in the browser, and telnet on port 80 is also working).
Virtual IP address: 172.23.15.163 (only remote desktop and ping are working; nothing else is working).
Real IP addresses 192.168.200.165 and 166 (I can open the web page in the browser, and telnet on port 80 is also working).
Virtual IP address: 172.23.15.167 (only remote desktop, ping and port 30005 are working).
These are the web servers and they are working fine, so why am I not able to telnet to them on port 80? I can open the web pages on the real IP addresses but not on the virtual IP address.
This is my latest configuration:
probe tcp ITSMAPP_PROBE_30005
  port 30005
  interval 15
  passdetect interval 60
  open 1
probe tcp ITSMWeb_PROBE_80
  port 80
  interval 15
  passdetect interval 60
  open 1
rserver host ITSMMAPP_2
  description ITSMMAPP_2
  ip address 192.168.200.166
  inservice
rserver host ITSMWeb_1
  description ITSMWeb-1
  ip address 192.168.200.161
  inservice
rserver host ITSMWeb_2
  description ITSMWeb-2
  ip address 192.168.200.162
  inservice
serverfarm host SF_ITSM_MAPP_Server
  probe ITSMAPP_PROBE_30005
  rserver ITSMMAPP_1
    inservice
  rserver ITSMMAPP_2
    inservice
serverfarm host SF_ITSM_Web_Server
  probe ITSMWeb_PROBE_80
  rserver ITSMWeb_1
    inservice
  rserver ITSMWeb_2
    inservice
class-map match-any ITSM_MAPP_Server
  2 match virtual-address 172.23.15.167 any
class-map match-any ITSM_Web_Server
  2 match virtual-address 172.23.15.163 any
class-map match-any RT_FAX
  2 match virtual-address 172.23.15.65 any
class-map match-all clas-default
policy-map type loadbalance first-match PM_LB_ITSM_MAPP_Server
  class class-default
    serverfarm SF_ITSM_MAPP_Server
policy-map type loadbalance first-match PM_LB_ITSM_Web_Server
  class class-default
    serverfarm SF_ITSM_Web_Server
policy-map multi-match PM_ITSM_MAPP_Server
  class ITSM_MAPP_Server
    loadbalance vip inservice
    loadbalance policy PM_LB_ITSM_MAPP_Server
    loadbalance vip icmp-reply active
    nat dynamic 4 vlan 300
policy-map multi-match PM_ITSM_Web_Server
  class ITSM_Web_Server
    loadbalance vip inservice
    loadbalance policy PM_LB_ITSM_Web_Server
    loadbalance vip icmp-reply active
    nat dynamic 3 vlan 300
interface vlan 200
  description WAN-VLAN CONTEXT RACK1
  ip address 192.168.0.33 255.255.255.224
  alias 192.168.0.43 255.255.255.224
  peer ip address 192.168.0.34 255.255.255.224
  mac-address autogenerate
  access-group input acl-wan
  service-policy input PM_BYPASS_HTTP
  service-policy input PM_MAIN_BCPROXY
  service-policy input PM_RT_FAX
  service-policy input PM_ITSM_Web_Server
  service-policy input PM_ITSM_MAPP_Server
  no shutdown
interface vlan 300
  description ACE-INSIDE CONTEXT RACK1
  ip address 192.168.0.65 255.255.255.224
  alias 192.168.0.73 255.255.255.224
  peer ip address 192.168.0.66 255.255.255.224
  mac-address autogenerate
  access-group input acl-in
  nat-pool 1 172.23.16.2 172.23.16.2 netmask 255.255.255.255 pat
  nat-pool 3 172.23.16.3 172.23.16.3 netmask 255.255.255.255 pat
  nat-pool 4 172.23.16.4 172.23.16.4 netmask 255.255.255.255 pat
  service-policy input PM_BYPASS_FOR_LAN_HTTP
  service-policy input PM_BYPASS_HTTP
  service-policy input PM_MAIN_BCPROXY
  service-policy input PM_RT_FAX
  service-policy input PM_ITSM_Web_Server
  service-policy input PM_ITSM_MAPP_Server
Please let me know what I am missing and how to solve this problem.
01-31-2010 11:08 AM
Can anybody help me out? Why am I not able to open the virtual IP via HTTP? The real IP is working fine via port 80, but via the VIP I am not able to open the web portal.
02-01-2010 12:48 AM
I can hardly believe you have 5 or 6 service-policies of the same type under int vlan 300 and 200. Please copy and paste your config again. I have already pointed out that you need a single multi-match policy-map for each interface.
02-01-2010 03:43 AM
access-list acl-in remark ACCESS LIST FOR ACE-INSIDE
access-list acl-in line 1 extended permit ip any any
access-list acl-out remark ACCESS LIST FOR ACE-OUTSIDE
access-list acl-out line 1 extended permit ip any any
access-list acl-proxy remark ACCESS LIST FOR PROXY SEGMENT
access-list acl-proxy line 1 extended permit ip any any
access-list acl-wan remark ACCESS LIST FOR WAN SEGMENT
access-list acl-wan line 1 extended permit ip any any
access-list fax line 8 extended permit ip any host 192.168.200.65
access-list fax line 16 extended permit ip any host 192.168.200.66
access-list fax line 24 extended permit ip any host 192.168.200.67
probe tcp ITSMAPP_PROBE_30005
  port 30005
  interval 15
  passdetect interval 60
  open 1
probe tcp ITSMWeb_PROBE_80
  port 80
  interval 15
  passdetect interval 60
  open 1
probe tcp PROBE_5050
  port 5050
  interval 15
  passdetect interval 60
  open 1
probe tcp PROBE_5101
  port 5101
  interval 15
  passdetect interval 60
  open 1
probe tcp PROBE_TCP
  port 80
  interval 15
  passdetect interval 60
  open 1
parameter-map type http PARAMAP_CASE
  case-insensitive
  no persistence-rebalance
rserver host ITSMMAPP_1
  description ITSMMAPP_1
  ip address 192.168.200.165
  inservice
rserver host ITSMMAPP_2
  description ITSMMAPP_2
  ip address 192.168.200.166
  inservice
rserver host ITSMWeb_1
  description ITSMWeb-1
  ip address 192.168.200.161
  inservice
rserver host ITSMWeb_2
  description ITSMWeb-2
  ip address 192.168.200.162
  inservice
rserver host RS_BCPR01
  ip address 192.168.0.103
  inservice
rserver host RS_BCPR02
  ip address 192.168.0.104
  inservice
rserver host RT_fax1
  description Right Fax Server-1
  ip address 192.168.200.66
  inservice
rserver host RT_fax2
  description Right Fax Server-2
  ip address 192.168.200.67
  inservice
serverfarm host SF_BCPR
  transparent
  probe PROBE_5050
  probe PROBE_5101
  probe PROBE_TCP
  rserver RS_BCPR01
    inservice
  rserver RS_BCPR02
    inservice
serverfarm host SF_ITSM_MAPP_Server
  probe ITSMAPP_PROBE_30005
  rserver ITSMMAPP_1
    inservice
  rserver ITSMMAPP_2
    inservice
serverfarm host SF_ITSM_Web_Server
  probe ITSMWeb_PROBE_80
  rserver ITSMWeb_1
    inservice
  rserver ITSMWeb_2
    inservice
serverfarm host SF_RT_fax
  rserver RT_fax1
    inservice
  rserver RT_fax2
    inservice
sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE
  replicate sticky
  serverfarm SF_BCPR
class-map type management match-any CM_ALL
  2 match protocol snmp any
  3 match protocol http any
  4 match protocol https any
  5 match protocol icmp any
  6 match protocol telnet any
class-map match-any CM_BYPASS_FOR_LAN
  3 match virtual-address 100.1.1.0 255.255.255.0 tcp eq www
  8 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
  9 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
  10 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
  11 match virtual-address 172.20.0.0 255.255.0.0 tcp eq www
  12 match virtual-address 172.23.15.0 255.255.255.0 tcp eq www
class-map match-any CM_BYPASS_SUBNET
  9 match virtual-address 100.0.0.0 255.0.0.0 tcp eq www
  13 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
  15 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
  16 match virtual-address 172.20.0.0 255.255.0.0 tcp eq www
  17 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
  18 match virtual-address 172.23.15.0 255.255.255.0 tcp eq www
class-map match-any CM_IM
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5050
  3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 1080
  4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5101
class-map match-all CM_SF_BCPR
  255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
class-map match-any ITSM_MAPP_Server
  2 match virtual-address 172.23.15.167 any
class-map match-any ITSM_Web_Server
  2 match virtual-address 172.23.15.163 any
class-map match-any RT_FAX
  2 match virtual-address 172.23.15.65 any
class-map match-all clas-default
policy-map type management first-match PM_ALL
  class CM_ALL
    permit
policy-map type loadbalance http first-match PM_L7_BYPASS_FOR_LAN_HTTP
  class class-default
    forward
policy-map type loadbalance http first-match PM_L7_BYPASS_HTTP
  class class-default
    forward
policy-map type loadbalance first-match PM_LB_ITSM_MAPP_Server
  class class-default
    serverfarm SF_ITSM_MAPP_Server
policy-map type loadbalance first-match PM_LB_ITSM_Web_Server
  class class-default
    serverfarm SF_ITSM_Web_Server
policy-map type loadbalance first-match PM_LB_RT_FAX
  class class-default
    serverfarm SF_RT_fax
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY
  class class-default
    sticky-serverfarm STICKY-SOURCE
policy-map multi-match PM_BYPASS_FOR_LAN_HTTP
  class CM_BYPASS_FOR_LAN
    loadbalance vip inservice
    loadbalance policy PM_L7_BYPASS_FOR_LAN_HTTP
policy-map multi-match PM_BYPASS_HTTP
  class CM_BYPASS_SUBNET
    loadbalance vip inservice
    loadbalance policy PM_L7_BYPASS_HTTP
policy-map multi-match PM_ITSM_MAPP_Server
  class ITSM_MAPP_Server
    loadbalance vip inservice
    loadbalance policy PM_LB_ITSM_MAPP_Server
    loadbalance vip icmp-reply active
    nat dynamic 4 vlan 300
policy-map multi-match PM_ITSM_Web_Server
  class ITSM_Web_Server
    loadbalance vip inservice
    loadbalance policy PM_LB_ITSM_Web_Server
    loadbalance vip icmp-reply active
    nat dynamic 3 vlan 300
policy-map multi-match PM_MAIN_BCPROXY
  class CM_SF_BCPR
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMAP_CASE
  class CM_IM
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY
policy-map multi-match PM_RT_FAX
  class RT_FAX
    loadbalance vip inservice
    loadbalance policy PM_LB_RT_FAX
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 300
service-policy input PM_ALL
interface vlan 100
  description FW-INSIDE CONTEXT RACK1
  ip address 192.168.0.5 255.255.255.224
  alias 192.168.0.11 255.255.255.224
  peer ip address 192.168.0.6 255.255.255.224
  mac-address autogenerate
  no icmp-guard
  access-group input acl-out
  no shutdown
interface vlan 200
  description WAN-VLAN CONTEXT RACK1
  ip address 192.168.0.33 255.255.255.224
  alias 192.168.0.43 255.255.255.224
  peer ip address 192.168.0.34 255.255.255.224
  mac-address autogenerate
  access-group input acl-wan
  service-policy input PM_BYPASS_HTTP
  service-policy input PM_MAIN_BCPROXY
  service-policy input PM_RT_FAX
  service-policy input PM_ITSM_Web_Server
  service-policy input PM_ITSM_MAPP_Server
  no shutdown
interface vlan 300
  description ACE-INSIDE CONTEXT RACK1
  ip address 192.168.0.65 255.255.255.224
  alias 192.168.0.73 255.255.255.224
  peer ip address 192.168.0.66 255.255.255.224
  mac-address autogenerate
  access-group input acl-in
  nat-pool 1 172.23.16.2 172.23.16.2 netmask 255.255.255.255 pat
  nat-pool 3 172.23.16.3 172.23.16.3 netmask 255.255.255.255 pat
  nat-pool 4 172.23.16.4 172.23.16.4 netmask 255.255.255.255 pat
  service-policy input PM_BYPASS_FOR_LAN_HTTP
  service-policy input PM_BYPASS_HTTP
  service-policy input PM_MAIN_BCPROXY
  service-policy input PM_RT_FAX
  service-policy input PM_ITSM_Web_Server
  service-policy input PM_ITSM_MAPP_Server
  no shutdown
interface vlan 301
  description BC-VLAN CONTEXT RACK1
  ip address 192.168.0.97 255.255.255.224
  alias 192.168.0.107 255.255.255.224
  peer ip address 192.168.0.98 255.255.255.224
  mac-address autogenerate
  access-group input acl-proxy
  no shutdown
ft track interface TRACKING_FOR_FT_VLAN
  track-interface vlan 300
  peer track-interface vlan 300
  priority 255
  peer priority 255
My ACE is redirecting the port 80 traffic to my proxy server, but I have excluded the VIP and real IP from this port 80 redirection towards the proxy server.
Everything is fine except port 80. I can do RDP, ping and telnet on 30005. Please let me know what I am missing.
02-01-2010 07:54 AM
One thing to add: currently the real servers are being load balanced by the Windows load balancer. I have even given the Windows load balancer IP address in the ACE serverfarm, but still it is not working.
02-01-2010 08:11 AM
Hello,
Since your successful RDP connection to the VIP is using the same exact class-maps and rservers as your unsuccessful HTTP connection, I would suspect that the issue is not with your ACE config.
match virtual-address 172.23.15.167 any
If it were your ACE config causing the problem, then RDP wouldn't work either.
I would recommend that you start getting network captures. Start with getting them on the client side and/or server side of the ACE. You'll need to find out more precisely why the connection breaks. For example:
You may want to open a service request with Cisco TAC if you need assistance in the troubleshooting process.
Regards,
Sean
02-01-2010 02:53 PM
There is some overlap in the config. This may interfere with the VIP/port 80 you want.
class-map match-any CM_BYPASS_SUBNET
18 match virtual-address 172.23.15.0 255.255.255.0 tcp eq www
'service-policy input PM_BYPASS_HTTP' precedes your new policies.
Please integrate all your classes into a single policy per interface as I'd recommended, and do not let this bypass class (which I can't understand anyway) with 172.23.15.0 come before PM_ITSM_Web_Server.
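To see why the order matters, here is an added Python model of the first-match evaluation this reply and the accepted answer describe. It is not Cisco code and not from the thread: it takes the service-policy order from `interface vlan 200` in the posted config (PM_RT_FAX left out) together with the relevant class-map entries, labels each policy with what its loadbalance policy does (`forward` is pass-through with no load balancing, so a VIP hit there is never terminated by the serverfarm), and adds a small overlap lint. The real ACE pipeline is richer than this; only ordered first-match is modelled, and the action strings are assumptions.

```python
"""Added example: ordered first-match model of ACE service-policy evaluation.
Not Cisco code and not from the thread. Class-map entries and the interface
order are taken from the posted config; the action strings are labels only."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MatchEntry:
    network: ipaddress.IPv4Network    # 'match virtual-address ADDR MASK'
    proto: str                        # "tcp", "udp" or "any"
    port: Optional[int]               # None means any port

    def matches(self, dst_ip: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(dst_ip) in self.network
                and self.proto in ("any", proto)
                and self.port in (None, dport))


@dataclass(frozen=True)
class ClassMap:
    name: str
    entries: Tuple[MatchEntry, ...]


@dataclass(frozen=True)
class PolicyMap:
    name: str
    classes: Tuple[ClassMap, ...]
    action: str                       # label for what the loadbalance policy does


def vip(addr: str, mask: str = "255.255.255.255", proto: str = "any",
        port: Optional[int] = None) -> MatchEntry:
    return MatchEntry(ipaddress.IPv4Network(f"{addr}/{mask}"), proto, port)


# Entries copied from the thread's class-maps (bypass list shortened).
CM_BYPASS_SUBNET = ClassMap("CM_BYPASS_SUBNET", (
    vip("10.0.0.0", "255.0.0.0", "tcp", 80),
    vip("192.168.0.0", "255.255.0.0", "tcp", 80),
    vip("172.23.15.0", "255.255.255.0", "tcp", 80),   # line 18: contains both VIPs
))
CM_SF_BCPR = ClassMap("CM_SF_BCPR", (vip("0.0.0.0", "0.0.0.0", "tcp", 80),))
ITSM_WEB = ClassMap("ITSM_Web_Server", (vip("172.23.15.163"),))
ITSM_MAPP = ClassMap("ITSM_MAPP_Server", (vip("172.23.15.167"),))

PM_BYPASS_HTTP = PolicyMap("PM_BYPASS_HTTP", (CM_BYPASS_SUBNET,), "forward (no load balancing)")
PM_MAIN_BCPROXY = PolicyMap("PM_MAIN_BCPROXY", (CM_SF_BCPR,), "sticky-serverfarm STICKY-SOURCE (proxy)")
PM_ITSM_WEB = PolicyMap("PM_ITSM_Web_Server", (ITSM_WEB,), "serverfarm SF_ITSM_Web_Server")
PM_ITSM_MAPP = PolicyMap("PM_ITSM_MAPP_Server", (ITSM_MAPP,), "serverfarm SF_ITSM_MAPP_Server")

# Order as applied under 'interface vlan 200' in the post (PM_RT_FAX omitted) ...
AS_APPLIED = (PM_BYPASS_HTTP, PM_MAIN_BCPROXY, PM_ITSM_WEB, PM_ITSM_MAPP)
# ... and with the VIP classes ahead of the bypass/proxy rules, as the answer suggests.
VIPS_FIRST = (PM_ITSM_WEB, PM_ITSM_MAPP, PM_BYPASS_HTTP, PM_MAIN_BCPROXY)


def first_match(order: Tuple[PolicyMap, ...], dst_ip: str, proto: str,
                dport: int) -> Optional[Tuple[str, str, str]]:
    """The first matching class wins: returns (policy, class, action) or None."""
    for pm in order:
        for cm in pm.classes:
            if any(e.matches(dst_ip, proto, dport) for e in cm.entries):
                return pm.name, cm.name, pm.action
    return None


def _coverage(earlier: MatchEntry, later: MatchEntry) -> Optional[str]:
    """'full' if every packet `later` matches is taken by `earlier`, 'partial' if only some."""
    if not earlier.network.overlaps(later.network):
        return None
    if "any" not in (earlier.proto, later.proto) and earlier.proto != later.proto:
        return None
    if None not in (earlier.port, later.port) and earlier.port != later.port:
        return None
    full = (later.network.subnet_of(earlier.network)
            and earlier.proto in ("any", later.proto)
            and earlier.port in (None, later.port))
    return "full" if full else "partial"


def overlaps(order: Tuple[PolicyMap, ...]) -> List[Tuple[str, str, str, str]]:
    """Lint: (earlier_class, later_class, later_network, kind) for every later entry
    that an earlier class in the same service-policy order already captures."""
    seen: List[Tuple[str, MatchEntry]] = []
    findings = []
    for pm in order:
        for cm in pm.classes:
            for e in cm.entries:
                for prev_name, prev in seen:
                    kind = _coverage(prev, e)
                    if kind and prev_name != cm.name:
                        findings.append((prev_name, cm.name, str(e.network), kind))
                seen.append((cm.name, e))
    return findings


if __name__ == "__main__":
    for order in (AS_APPLIED, VIPS_FIRST):
        print([p.name for p in order])
        print("  VIP:80   ->", first_match(order, "172.23.15.163", "tcp", 80))
        print("  VIP:3389 ->", first_match(order, "172.23.15.163", "tcp", 3389))
    for finding in overlaps(AS_APPLIED):
        if finding[1].startswith("ITSM"):
            print("overlap:", finding)
```

With the posted order, a connection to 172.23.15.163:80 is taken by `CM_BYPASS_SUBNET` (forwarded, never load balanced) and, even without that entry, would be taken by the catch-all `CM_SF_BCPR` proxy redirect; RDP on 3389 and the 30005 VIP fall through to the ITSM classes, which is exactly the symptom reported. The lint flags both earlier classes as partially covering `ITSM_Web_Server`, which is the kind of check worth running whenever a new VIP is added behind an existing port-80 redirect.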
02-01-2010 09:14 PM
Thanks for the reply.
I have a proxy server in my network. The ACE is redirecting any port 80 traffic to this proxy server. For this reason we have created this bypass class-map, so that my internal servers and the servers located at remote WAN locations are accessible to the users directly instead of their port 80 traffic being redirected to the proxy servers.
That is the reason I mention the VIP IP address in the bypass list, so that when a request comes to the VIP on port 80 the ACE will not send it to the proxy server; that is why my first policy is bypassing the VIP and the other servers' IP addresses on port 80.
02-02-2010 02:30 AM
The ACE does not select the best match but instead the first rule that will match the traffic.
So as mentioned by another user; your bypass rule is before the vip rule, so the traffic is intercepted and redirected to the proxy.
You need to move your redirect rule after the vip rule.
Gilles.