ACE VIP not Responding to Ping and Can't Connect

ayojosh2k
Level 1

Hello All,

I recently deployed an ACE 4710 appliance. The configs seem right, but clients can't ping the VIP and also can't connect to the VIP. Also, the VIP doesn't show in 'sh arp'.

Please HELP!!!

See the configs!!

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.10.11 10:48:14 =~=~=~=~=~=~=~=~=~=~=~=

sh run

Generating configuration....

boot system image:c4710ace-mz.A4_2_0.bin

hostname STERLING-ACE

interface gigabitEthernet 1/1

  channel-group 1

  no shutdown

interface gigabitEthernet 1/2

  channel-group 1

  no shutdown

interface gigabitEthernet 1/3

  channel-group 1

  no shutdown

interface gigabitEthernet 1/4

  channel-group 1

  no shutdown

interface port-channel 1

  switchport trunk allowed vlan 10,200,205,210,215

  no shutdown

access-list INBOUND line 10 extended permit ip any any

access-list INBOUND line 16 extended permit icmp any any

access-list INBOUND line 24 extended permit icmp any any echo

probe http BANK-APP

  interval 2

  faildetect 2

  passdetect interval 2

  expect status 200 200

  open 1

probe icmp PING

  description ***simple ping monitor***

  interval 10

  passdetect interval 60

  passdetect count 2

  receive 1

probe tcp TCP80

  interval 10

  passdetect interval 10

  passdetect count 2

  receive 1

  open 5

rserver host BANK-APP-SERVER1

  description ***GUI SERVER 1***

  ip address 172.20.1.50

  probe PING

  inservice

rserver host BANK-APP-SERVER2

  description ***GUI SERVER 2***

  ip address 172.20.1.51

  probe PING

  inservice

rserver host BANK-APP-SERVER3

  description ***GUI SERVER 3***

  ip address 172.20.1.52

  probe PING

  inservice

rserver host BANK-APP-SERVER4

  description ***GUI SERVER 4***

  ip address 172.20.1.53

  probe PING

  inservice

rserver host THIN-CLIENT1

  description ***CLI SERVER 1***

  ip address 172.20.1.34

  probe PING

  inservice

rserver host THIN-CLIENT2

  description ***CLI SERVER 2***

  ip address 172.20.1.35

  probe PING

  inservice

rserver host THIN-CLIENT3

  description ***CLI SERVER 3***

  ip address 172.20.1.36

  probe PING

  inservice

rserver host THIN-CLIENT4

  description ***CLI SERVER 4***

  ip address 172.20.1.37

  probe PING

  inservice

serverfarm host CLI-GROUP

  predictor leastconns

  probe TCP80

  rserver THIN-CLIENT1

    inservice

  rserver THIN-CLIENT2

    inservice

  rserver THIN-CLIENT3

    inservice

  rserver THIN-CLIENT4

    inservice

serverfarm host GUI-GROUP

  predictor leastconns

  probe TCP80

  rserver BANK-APP-SERVER1

    inservice

  rserver BANK-APP-SERVER2

    inservice

  rserver BANK-APP-SERVER3

    inservice

  rserver BANK-APP-SERVER4

    inservice

parameter-map type connection TCP-PARAM-MAP

  set timeout inactivity 360000

class-map type management match-any REMOTEACCESS

  description remote access traffic match

  2 match protocol ssh any

  3 match protocol icmp any

  4 match protocol telnet any

  5 match protocol xml-https any

  6 match protocol http any

  7 match protocol https any

class-map match-all TCP-CLASS

  description TCP CONNECTION TIMER

  2 match any

class-map match-all VS_WEB1

  2 match virtual-address 10.0.0.115 any

class-map match-all VS_WEB2

  2 match virtual-address 10.0.0.113 any

policy-map type management first-match REMOTEPOLICY

  class REMOTEACCESS

    permit

policy-map type loadbalance first-match HTTP_LB1

  class class-default

    serverfarm CLI-GROUP

policy-map type loadbalance first-match HTTP_LB2

  class class-default

    serverfarm GUI-GROUP

policy-map multi-match HTTP_MULTI_MATCH1

  class VS_WEB1

    loadbalance vip inservice

    loadbalance policy HTTP_LB1

    loadbalance vip icmp-reply

policy-map multi-match HTTP_MULTI_MATCH2

  class VS_WEB2

    loadbalance vip inservice

    loadbalance policy HTTP_LB2

    loadbalance vip icmp-reply

policy-map multi-match TCPIP-POLICY

  class TCP-CLASS

    connection advanced-options TCP-PARAM-MAP

service-policy input REMOTEPOLICY

service-policy input TCPIP-POLICY

interface vlan 10

  description ***LAN LEG***

  ip address 10.0.0.66 255.255.255.0

  no icmp-guard

  access-group input INBOUND

  no shutdown

interface vlan 200

  description ***THIN CLIENT VLAN****

  ip address 172.20.1.33 255.255.255.240

  no icmp-guard

  access-group input INBOUND

  service-policy input HTTP_MULTI_MATCH1

  no shutdown

interface vlan 210

  description ***BANK APP SERVER VLAN****

  ip address 172.20.1.49 255.255.255.240

  no icmp-guard

  access-group input INBOUND

  service-policy input HTTP_MULTI_MATCH2

  no shutdown

ip route 0.0.0.0 0.0.0.0 10.0.0.200

username admin password 5 $1$ouG5.Okh$jwBoWkMiWstoTPwb9K9ku1  role Admin domain default-domain

username www password 5 $1$M31zwdiF$iY8Y5e9nV2sMM2HxwrQI7/  role Admin domain default-domain

STERLING-ACE/Admin#

Thanks!!

ajayku2
Cisco Employee

First, check whether the packets are reaching the ACE VIP or not.

You can start with a packet capture on the ACE itself.

To start the packet capture function for CAPTURE1, enter:

host1/Admin# capture CAPTURE1 interface vlan50 access-list ACL1

host1/Admin# capture CAPTURE1 start
host1/Admin# capture CAPTURE1 stop

host1/Admin# show capture CAPTURE1

Hello Ajay,

Thanks for the response, but it is established that traffic can reach the ACE, because I can ping the real IPs of the servers behind the ACE from the client's side. Also, the VIP status is 'inservice', VIP icmp-reply is activated, and the server farm is operational...

But I still can't ping the VIP from the client's side and I can't connect to the VIP.

Hoping for your response....

Hi Joshua,

class-map match-all VS_WEB1

  2 match virtual-address 10.0.0.115 any

class-map match-all VS_WEB2

  2 match virtual-address 10.0.0.113 any

You have applied "service-policy input HTTP_MULTI_MATCH1" in VLAN 200 and 210, but as per the config I believe it should be applied to VLAN 10.

interface vlan 10

  description ***LAN LEG***

  ip address 10.0.0.66 255.255.255.0

  no icmp-guard

  access-group input INBOUND

  no shutdown

Can you apply the service policy in VLAN 10 and let me know the result?

Hello Ajay,

Thanks for your response. I did this and it worked fine.

But I still have one more concern. The serverfarm on VLAN 210 needs to access a database server on VLAN 10, but the connection is truncated. Do I need to use NAT here?

Thanking you...

Hi Joshua,

If you point the default gateway on all the servers to their respective VLAN interface IP, they should ideally be reachable without any further configuration.

The issue may arise only if you are not pointing the default gateway to the ACE. Also make sure an access list allowing the traffic is applied on all the VLANs.

Hello Ajay,

Thanks for the support so far. Everything is working fine now, but there is now a strange requirement:

The load-balanced servers are actually application servers that connect to a database server in order to function. But in a case where one of the application servers cannot connect to the DB server, the ACE still forwards connection requests to that server, since the TCP probe to port 23 is still responding.

My question: is it possible to set a probe to inactivate an application server as soon as it cannot connect to the DB server?

Thanks for the anticipated response!!!!!

Hi Joshua,

A simple solution would be to probe the database server instead of the application server, but that will not detect failure of the application server.

The best design recommendation would be to create another VIP load-balancing the database servers.

That way all the application servers will point to the database server as the "databaseVIP". In case of failure of one of the database servers, the request will go to another database server.

I believe this is usually what the design suggests.

Hi Joshua,

It is recommended that you apply the service-policy on an interface where your client traffic is hitting. I guess that's what is missing.

Siva
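
The fix accepted in this thread, written as a repeatable check (an added example, not part of the original posts and not Cisco tooling): the Python below parses an ACE running-config and reports each VIP whose multi-match policy is applied neither context-wide nor on the VLAN interface whose connected subnet contains the VIP. The function name and the same-subnet heuristic are assumptions that fit this thread's topology; the input is expected without pager lines, and a routed VIP outside every connected subnet is not flagged.

```python
import ipaddress

# Constructed excerpt of the thread's configuration (only the lines the check reads).
SAMPLE_CONFIG = """\
class-map match-all VS_WEB1
  2 match virtual-address 10.0.0.115 any
class-map match-all VS_WEB2
  2 match virtual-address 10.0.0.113 any
policy-map multi-match HTTP_MULTI_MATCH1
  class VS_WEB1
policy-map multi-match HTTP_MULTI_MATCH2
  class VS_WEB2
interface vlan 10
  ip address 10.0.0.66 255.255.255.0
interface vlan 200
  ip address 172.20.1.33 255.255.255.240
  service-policy input HTTP_MULTI_MATCH1
interface vlan 210
  ip address 172.20.1.49 255.255.255.240
  service-policy input HTTP_MULTI_MATCH2
"""

def find_misplaced_vips(config):
    """Return (vip, policy, interface_that_should_carry_it) for each misplaced VIP."""
    vip_of_class, classes_of_policy, net_of_if, policies_of_if = {}, {}, {}, {}
    global_policies, kind, name = set(), None, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():  # a column-0 line opens a new config section
            kind, name = words[0], " ".join(words[1:]) if words[0] == "interface" else words[-1]
            if words[:2] == ["service-policy", "input"]:
                global_policies.add(name)  # context-wide: applies to every VLAN interface
        elif kind == "class-map" and "virtual-address" in words:
            vip_of_class[name] = ipaddress.ip_address(words[words.index("virtual-address") + 1])
        elif kind == "policy-map" and words[0] == "class":
            classes_of_policy.setdefault(name, []).append(words[1])
        elif kind == "interface" and words[:2] == ["ip", "address"]:
            net_of_if[name] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif kind == "interface" and words[:2] == ["service-policy", "input"]:
            policies_of_if.setdefault(name, set()).add(words[2])
    findings = []
    for policy, classes in classes_of_policy.items():
        for vip in (vip_of_class[c] for c in classes if c in vip_of_class):
            home = [i for i, net in net_of_if.items() if vip in net]  # client-facing candidates
            attached = policy in global_policies or any(policy in policies_of_if.get(i, ()) for i in home)
            if home and not attached:
                findings.append((str(vip), policy, home[0]))
    return findings
```

On the constructed excerpt it reports both VIPs as belonging on `vlan 10`, and it returns an empty list once the two `service-policy input` lines are moved under `interface vlan 10`.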