09-11-2008 07:45 AM
We have the FWSM running in routed mode and behind it is the ACE. The ACE is in bridge mode. We try to connect to a server over HTTP and see a connection hitting the FWSM and then the ACE. In the ACE we can see a return packet from the serverfarm host, but then the return packet isn't seen on the FWSM. We can ping the server directly, hence no routing issues. It looks like the ACE isn't sending the traffic back. Below is the config with the outputs of show conn from the ACE and FWSM and show service-policy from the ACE.
Any help will be appreciated.
Thanks
probe http cer_port
  port 9005
  interval 5
  faildetect 15
  passdetect interval 15
  receive 2
  expect status 200 200
  open 2

serverfarm host SFarm3
  probe cer_port
  rserver ZHC1 9005
    inservice
  rserver ZHC2 9005
    inservice
  rserver ZHC3 9005
    inservice

sticky http-cookie acecookie sticky-cookie-insert_9005
  cookie insert
  replicate sticky
  serverfarm SFarm3

class-map match-all ACL
  2 match access-list FW_Controlled

class-map match-all forms_listener_port_9000
  2 match virtual-address 10.7.20.6 tcp eq 9000

policy-map type loadbalance f9000_policy
  class class-default
    sticky-serverfarm sticky-cookie-insert_9005

policy-map multi-match VIPS
  class fot_9000
    loadbalance vip inservice
    loadbalance policy f9000_policy
    loadbalance vip icmp-reply active
ace1-pri/# sh conn
total current connections : 2
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
15 2 in TCP 720 Mx:2954 10.7.20.6:9000 ESTAB
16 2 out TCP 720 10.7.20.21:9005 Mx:1037 INIT
fw-pri/prod# sh conn
TCP out Mx:2960 in 10.x.x.6:8000 idle 0:00:03 Bytes 1692 FLAGS - UBI
show service-policy
Policy-map : VIPS
Status : ACTIVE
-----------------------------------------
Interface: vlan 7xx 7x1
  service-policy: VIPS
    class: web_xxxxxxxx_8000
      loadbalance:
        L7 loadbalance policy: web_xxxxxx0_policy
        VIP Route Metric : 77
        VIP Route Advertise : DISABLED
        VIP ICMP Reply : DISABLED
        VIP State: INSERVICE
        curr conns : 1 , hit count : 26
        dropped conns : 23
        client pkt count : 62 , client byte count: 14411
        server pkt count : 0 , server byte count: 0
interface vlan 7xx
  description interface facing Servers
  bridge-group 1
  access-group input BPDU
  access-group input all
  service-policy input VIPS
  no shutdown

interface vlan 7xx
  description interface facing FWSM
  bridge-group 1
  access-group input BPDU
  access-group input all
  service-policy input VIPS
  no shutdown
09-12-2008 06:59 AM
The FWSM is their gateway.
09-12-2008 07:03 AM
Correction to the statement:
With the above design and no client NAT, how can we make it work? Please help.
09-12-2008 08:34 AM
Syed/Giles,
Any suggestions with this design where I don't have to do NAT?
Even if I put it this way:
msfc-ace(bridge)-fwsm (routed and gateway)--servers
it seems the problem will still be there. Please suggest.
09-12-2008 10:52 AM
Which VLANs are allowed on the trunk between the HP Blade & CAT?
If the VLAN where the FWSM belongs is included, then the servers' ARP requests will be replied to by the FWSM interface directly and the servers will bypass the ACE.
You can also try hooking up a laptop to a CAT port, assign it the ACE VLAN and see if you face the same issue. If it works, then somehow the servers are bypassing the ACE.
Syed
09-16-2008 02:20 AM
Guys,
I would appreciate it if you can respond.
Thanks
09-16-2008 03:15 AM
Guys,
I would appreciate it if you can respond.
Thanks
09-16-2008 09:21 AM
Thanks Syed for the response.
Since the FWSM is the gateway of the servers, then on the trunk back to the Catalyst that VLAN is allowed, or else how will they reach their gateway?
Also, I am not sure of the importance of, and the traffic hitting, the other VLAN on the ACE which is part of the bridge group (VLAN 770).
This is what my architecture is:
msfc-vlan 760-fwsm outside (routed mode), fwsm inside interface (vlan 720) ---ace (bridge mode) vlan 770 and 720, where 720 is facing the servers. The BVI interface has the IP in VLAN 720. I am not sure what kind of traffic will hit 770, because the FWSM inside is 720 and is sharing the subnet with the ACE.
Can you please suggest why VLAN 720 shouldn't be allowed on the trunk interface between the HP and the CAT?
Thanks
09-16-2008 10:54 AM
Servers should reach the gateway through the ACE.
If the FWSM is accessible to the servers directly and the servers' default gateway is the FWSM (which it should be, as you are using bridge mode), then when a server sends an ARP request for the gateway (FWSM) IP address, the FWSM will respond back directly and the servers will send the response back to the FWSM directly - bypassing the ACE (hence breaking the connections).
In a normal setup the server's ARP entry for the default gateway (FWSM IP) should show the MAC address of the ACE interface.
Could you check your servers and see what you have listed as the MAC address for the gateway IP?
Syed
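As an added example (not code from the thread), a small Python check along the lines of Syed's suggestion: it parses a server's arp -n table to see whether the gateway IP resolved to the FWSM's MAC (meaning return traffic skips the bridged ACE), and it parses the ACE show service-policy counters to flag a VIP that sees client packets but zero server packets. The MAC addresses and both sample outputs are constructed placeholders.

```python
import re

# Constructed placeholders: the FWSM inside (10.7.20.1) MAC and the ACE MAC
# as they would appear from the server VLAN. Not taken from the thread.
FWSM_INSIDE_MAC = "00:aa:aa:aa:aa:01"
ACE_BRIDGE_MAC = "00:cc:cc:cc:cc:03"

# Constructed 'arp -n' output from a server in VLAN 720: the gateway resolved
# to the FWSM directly, which is the broken case described in the thread.
BROKEN_ARP = """Address        HWtype  HWaddress           Flags Mask  Iface
10.7.20.1      ether   00:AA:AA:AA:AA:01   C           eth0
10.7.20.21     ether   00:bb:bb:bb:bb:21   C           eth0
"""
# Healthy case: the gateway IP is answered by the ACE, so traffic flows through it.
HEALTHY_ARP = BROKEN_ARP.replace("00:AA:AA:AA:AA:01", ACE_BRIDGE_MAC)

# Constructed excerpt of ACE 'show service-policy' counters for a VIP.
SAMPLE_SERVICE_POLICY = """class: web_xxxxxxxx_8000
  loadbalance:
    VIP State: INSERVICE
    curr conns       : 1       , hit count        : 26
    dropped conns    : 23
    client pkt count : 62      , client byte count: 14411
    server pkt count : 0       , server byte count: 0
"""

def gateway_mac(arp_output, gateway_ip):
    """Return the MAC the server has cached for gateway_ip (lowercase), or None."""
    for line in arp_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == gateway_ip:
            return fields[2].lower()
    return None

def ace_bypassed(arp_output, gateway_ip, fwsm_mac):
    """True when the gateway IP resolved straight to the FWSM MAC,
    i.e. server-to-gateway traffic will not pass through the bridged ACE."""
    mac = gateway_mac(arp_output, gateway_ip)
    return mac is not None and mac == fwsm_mac.lower()

def counters(service_policy_output):
    """Collect 'name : number' counters (several may share a line) into a dict."""
    pairs = re.findall(r"([a-z ]+?)\s*:\s*(\d+)", service_policy_output)
    return {name.strip(): int(value) for name, value in pairs}

def return_path_missing(service_policy_output):
    """Clients reach the VIP but no server packets come back through the ACE."""
    c = counters(service_policy_output)
    return c.get("client pkt count", 0) > 0 and c.get("server pkt count", 0) == 0
```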
09-17-2008 02:25 AM
Does that mean my VLAN assignment should be like below?
msfc-v760-fwsm outside (client facing)
then -v770 with fwsm inside (server facing) and ace outside (client facing) in vlan 770
then vlan 720 ace inside (server facing)
with fwsm inside vlan 770 and IP address 10.7.20.1
vlan of ace 720 with IP address 10.7.20.3
and all servers in vlan 720 with IP 10.7.20.x
Can you please suggest which VLANs the FWSM will have and facing which side, and the ACE VLANs facing which side?
09-17-2008 04:39 AM
You are almost there. Just one clarification: in bridge mode (ACE) you do not assign IPs on the interfaces. You just assign a BVI IP address, which is only used by management traffic originated from the ACE (e.g. syslogs, SNMP, ...). Load-balanced traffic / traffic passing through the ACE doesn't use this address. So the 10.7.20.3 IP on the ACE will be the BVI IP address. It will not be assigned to the VLAN 720 interface.
In summary your setup will be:
(VLAN 760)(IP subnet different from 10.7.20.x) Outside-FWSM-Inside (VLAN 770)(10.7.20.1) ----> (VLAN 770) ClientSide-ACE (BVI IP 10.7.20.3)-ServerSide (VLAN 720) --> Servers in VLAN 720 with IP addresses in the 10.7.20.x range.
If you have a redundant pair of ACE/FWSM in place, then you have to keep a few things in mind when you are configuring the ACE in bridge mode.
1. Create an ethertype ACL to allow BPDUs through the ACE to make sure you have a single STP instance for both VLAN 720 & 770.
2. Disable globally configured Loopguard & BPDU guard on the CAT6K.
3. Your servers should have the FWSM (10.7.20.1) as the default gateway.
HTH
Syed Iftekhar Ahmed
09-17-2008 05:30 AM
Thanks for the clarification. I will need further help when I test the layer 7 policies and stickiness.
I will need to change the config and then test.
The Cisco docs are confusing.
09-17-2008 02:27 AM
BTW, I am using the FWSM in routed mode, followed by the ACE in bridge mode.
So it's msfc-fwsm(routed) then --ace (bridge)--servers.