ACE transparent mode - return traffic

followurself
Level 1

We have the FWSM running in routed mode and behind it is the ACE. The ACE is in bridge mode. We try to connect to a server over HTTP and see a connection hitting the FWSM and then the ACE. In the ACE we can see a return packet from the serverfarm host, but then the return packet isn't seen on the FWSM. We can ping the server directly, hence no routing issues. It looks like the ACE isn't sending the traffic back. Below is the config with the outputs of show conn from the ACE and FWSM and show service-policy from the ACE.

Any help will be appreciated.

Thanks

probe http cer_port
  port 9005
  interval 5
  faildetect 15
  passdetect interval 15
  receive 2
  expect status 200 200
  open 2

serverfarm host SFarm3
  probe cer_port
  rserver ZHC1 9005
    inservice
  rserver ZHC2 9005
    inservice
  rserver ZHC3 9005
    inservice

sticky http-cookie acecookie sticky-cookie-insert_9005
  cookie insert
  replicate sticky
  serverfarm SFarm3

class-map match-all ACL
  2 match access-list FW_Controlled

class-map match-all forms_listener_port_9000
  2 match virtual-address 10.7.20.6 tcp eq 9000

policy-map type loadbalance f9000_policy
  class class-default
    sticky-serverfarm sticky-cookie-insert_9005

policy-map multi-match VIPS
  class fot_9000
    loadbalance vip inservice
    loadbalance policy f9000_policy
    loadbalance vip icmp-reply active

ace1-pri/# sh conn
total current connections : 2

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
15         2  in  TCP   720  Mx:2954               10.7.20.6:9000        ESTAB
16         2  out TCP   720  10.7.20.21:9005       Mx:1037               INIT

fw-pri/prod# sh conn
TCP out Mx:2960 in 10.x.x.6:8000 idle 0:00:03 Bytes 1692 FLAGS - UBI

show service-policy
Policy-map : VIPS
Status     : ACTIVE
-----------------------------------------
Interface: vlan 7xx 7x1
  service-policy: VIPS
    class: web_xxxxxxxx_8000
      loadbalance:
        L7 loadbalance policy: web_xxxxxx0_policy
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : DISABLED
        VIP State: INSERVICE
        curr conns       : 1         , hit count        : 26
        dropped conns    : 23
        client pkt count : 62        , client byte count: 14411
        server pkt count : 0         , server byte count: 0

interface vlan 7xx
  description interface facing Servers
  bridge-group 1
  access-group input BPDU
  access-group input all
  service-policy input VIPS
  no shutdown

interface vlan 7xx
  description interface facing FWSM
  bridge-group 1
  access-group input BPDU
  access-group input all
  service-policy input VIPS
  no shutdown

29 Replies

The FWSM is their gateway.

Correction in the statement:

With the above design and no client NAT, how can we make it work? Please help.


Syed/Giles,

Any suggestions with this design where I don't have to do NAT?

Even if I put it this way:

msfc-ace(bridge)-fwsm (routed and gateway)--servers

it seems the problem will still be there. Please suggest.

Which VLANs are allowed on the trunk between the HP blade and the CAT?

If the VLAN where the FWSM belongs is included, then the servers' ARP will be replied to by the FWSM interface directly and the servers will bypass the ACE.

You can also try hooking up a laptop to a CAT port, assigning it the ACE VLAN, and seeing if you face the same issue. If it works, then somehow the servers are bypassing the ACE.

Syed


Guys,

I would appreciate it if you could respond.

Thanks

Guys,

I would appreciate it if you could respond.

Thanks

Thanks Syed for the response.

Since the FWSM is the gateway of the servers, that VLAN is allowed on the trunk back to the Catalyst, or else how would they reach their gateway?

Also, I am not sure of the importance of, and the traffic hitting, the other VLAN on the ACE which is part of the bridge group (VLAN 770).

This is what my architecture is:

msfc - vlan 760 - fwsm outside (routed mode), fwsm inside interface (vlan 720) --- ace (bridge mode) vlan 770 and 720, where 720 is facing the servers. The BVI interface has its IP in vlan 720. I am not sure what kind of traffic will hit 770, because the FWSM inside is 720 and is sharing the subnet with the ACE.

Can you please suggest why VLAN 720 shouldn't be allowed on the trunk interface between the HP and the CAT?

thanks

Servers should reach the gateway through the ACE.

If the FWSM is accessible to the servers directly and the servers' default gateway is the FWSM (which it should be, as you are using bridge mode), then when a server sends an ARP request for the gateway (FWSM) IP address, the FWSM will respond back directly and the servers will send the response back to the FWSM directly, bypassing the ACE (hence breaking the connections).

In a normal setup the server's ARP entry for the default gateway (FWSM IP) should show the MAC address of the ACE interface.

Could you check your servers and see what you have listed as the MAC address for the gateway IP?

Syed

Does that mean my VLAN assignment should be like below?

msfc - v760 - fwsm outside (client facing)

then - v770 with fwsm inside (server facing) and ace outside (client facing) in vlan 770

then vlan 720 ace inside (server facing)

with fwsm inside vlan 770 and ip address 10.7.20.1

vlan of ace 720 with ip address 10.7.20.3

and all servers in vlan 720 with ip 10.7.20.x

Can you please suggest which VLANs the FWSM will have and facing which side, and the ACE VLANs facing which side?

You are almost there. Just one clarification: in bridge mode (ACE) you do not assign IPs on the interfaces; you just assign a BVI IP address, which is only used by management traffic originated from the ACE (e.g. syslog, SNMP, ...). Load-balanced traffic / traffic passing through the ACE doesn't use this address. So the 10.7.20.3 IP on the ACE will be the BVI IP address. It will not be assigned to the VLAN 720 interface.

In summary your setup will be:

(VLAN 760)(IP subnet different from 10.7.20.x) Outside-FWSM-Inside (VLAN 770)(10.7.20.1) ----> (VLAN 770) ClientSide-ACE (BVI IP 10.7.20.3)-ServerSide (VLAN 720) --> Servers in VLAN 720 with IP addresses in the 10.7.20.x range.

If you have a redundant pair of ACE/FWSM in place, then you have to keep a few things in mind when you are configuring the ACE in bridge mode.

1. Create an ethertype ACL to allow BPDUs through the ACE to make sure you have a single STP instance for both VLAN 720 & 770.

2. Disable globally configured Loopguard & BPDU guard on the CAT6K.

3. Your servers should have the FWSM (10.7.20.1) as the default gateway.

HTH

Syed Iftekhar Ahmed
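The layout Syed describes (FWSM inside moved off the server VLAN onto VLAN 770, ACE bridging 770 and 720, servers reaching the gateway only through the ACE) and the three reminders in his summary, written out as one configuration. This is an added example, not config from the thread or from Cisco documentation: the VLAN numbers and the 10.7.20.x addresses are the ones in the thread, while the module slot numbers, the outside subnet, the trunk port, the ACL names and the server addresses are assumptions. Compare it with the original poster's config above, where the FWSM inside interface sat in VLAN 720 next to the servers, which is why `server pkt count` on the ACE stayed at 0.

```cisco
! Added example, not from the thread. Slot numbers, ACL names, the outside
! subnet and the trunk port are assumptions; VLANs 760/770/720 and the
! 10.7.20.x addresses come from the thread.

! --- Catalyst 6500 supervisor ---
! FWSM gets VLAN 760 (outside) and 770 (inside); ACE gets 770 and 720.
firewall vlan-group 2 760,770
firewall module 4 vlan-group 2
svclc multiple-vlan-interfaces
svclc vlan-group 1 720,770
svclc module 3 vlan-group 1
! Item 2: BPDUs are now bridged through the ACE, so global loop guard and
! BPDU guard would err-disable the bridged ports.
no spanning-tree loopguard default
no spanning-tree portfast bpduguard default
! The trunk to the blade enclosure carries the server VLAN only. If 770 were
! allowed here the servers would ARP the FWSM directly and the return half of
! every flow would bypass the ACE.
interface TenGigabitEthernet1/1
 description trunk to HP blade enclosure (assumed port)
 switchport trunk allowed vlan 720

! --- FWSM, routed mode ---
! Inside is VLAN 770, not the server VLAN; 10.7.20.1 is the servers' gateway.
interface Vlan760
 nameif outside
 security-level 0
 ! assumed outside subnet, anything other than 10.7.20.x
 ip address 10.7.60.1 255.255.255.0
interface Vlan770
 nameif inside
 security-level 100
 ip address 10.7.20.1 255.255.255.0

! --- ACE context, bridge mode ---
! Item 1: ethertype ACL so BPDUs cross the bridge and 720/770 form one STP instance.
access-list BPDU ethertype permit bpdu
access-list all line 10 extended permit ip any any

interface vlan 770
  description client side, facing FWSM inside 10.7.20.1
  bridge-group 1
  access-group input BPDU
  access-group input all
  service-policy input VIPS
  no shutdown
interface vlan 720
  description server side, facing the 10.7.20.x servers
  bridge-group 1
  access-group input BPDU
  access-group input all
  service-policy input VIPS
  no shutdown
! No ip address on either VLAN interface. The BVI holds the only ACE address,
! used for traffic the ACE itself originates (syslog, SNMP, probes), never
! for the bridged client/server flows.
interface bvi 1
  ip address 10.7.20.3 255.255.255.0
  description management address of bridge-group 1
  no shutdown

! --- Servers (item 3) ---
! All in VLAN 720, e.g. ZHC1 10.7.20.21/24 (assumed mask), default gateway 10.7.20.1.
```

To confirm the fix took, check `show interfaces trunk` on the Catalyst port to the blade enclosure: VLAN 770 must not appear in its allowed or active list. On the ACE, `show service-policy` for the VIP class should then start incrementing `server pkt count`, which was 0 in the output posted at the top of the thread because the servers' replies never entered the ACE.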

Thanks for the clarification; I will need further help when I test layer 7 policies and stickiness.

I will need to change the config and then test.

The Cisco docs are confusing.

BTW, I am using the FWSM in routed mode, followed by the ACE in bridge mode,

so it's msfc - fwsm (routed) - ace (bridge) - servers.
