ASN Traffic Cisco Ace10 Module

Rafael Mendes
Level 2

Hello Everyone,

I have a problem here.

I am trying to configure ASN traffic load balancing, but it doesn't work.

Explanation: I have one Cisco Catalyst 6509 and one Cisco ACE10 module; in my context "PanWEB" I have the interfaces below:

interface vlan 4 (rservers interface)
  bridge-group 10
  no normalization
  no icmp-guard
  access-group input all-access
  nat-pool 1 172.17.3.254 172.17.3.254 netmask 255.255.255.255 pat (used for other applications in this context)
  service-policy input Access
  service-policy input VIP
  no shutdown

interface vlan 82 (VIP interface)
  ip address 10.96.202.4 255.255.255.0
  alias 10.96.202.5 255.255.255.0
  peer ip address 10.96.202.6 255.255.255.0
  no normalization
  no icmp-guard
  access-group input all-access
  service-policy input Access
  service-policy input VIP
  no shutdown

interface bvi 10
  ip address 172.17.2.199 255.255.0.0
  peer ip address 172.17.1.199 255.255.0.0
  no shutdown

I am trying to configure ASN because my application needs the original client IP; NAT is not an option in this scenario. My configuration is:

rserver host PANVCTXP308B
  ip address 172.17.2.218
  inservice
rserver host PANVCTXP308C
  ip address 172.17.2.224

serverfarm host SF-PAN-CITRIX
  transparent
  rserver PANVCTXP308B 80
    inservice
  rserver PANVCTXP308C 80
    inservice

sticky ip-netmask 255.255.255.255 address source sticky_citrix
  serverfarm SF-PAN-CITRIX

class-map match-all SLB_CITRIX
  2 match virtual-address 10.96.202.10 tcp eq www

policy-map type loadbalance first-match SLB_CITRIX
  class class-default
    sticky-serverfarm sticky_citrix

policy-map multi-match VIP
  class SLB_CITRIX
    loadbalance vip inservice
    loadbalance policy SLB_CITRIX
    loadbalance vip icmp-reply active primary-inservice

If I try to establish a telnet session (telnet 10.96.202.10 80), I see the SYN packet passing through the ACE and going to the real server, but the server does not respond to the SYN packet.

I did a capture on the server using Wireshark and could see that the destination IP address is the VIP and not the rserver IP address. Is this a problem? Why can't I get the SYN+ACK from the server?

Thanks a lot!

Rafael


Kanwaljeet Singh
Cisco Employee

Hi Rafael,

Why have you created a BVI? All you want is that NAT should not happen, so you can simply not apply any NAT statement in the multi-match policy.

The configuration looks fine; just ensure that you have a loopback interface configured on the server with the VIP address of the ACE to which the client sends the traffic. Also, when you configure ASN, the destination IP of the packet forwarded by the ACE will not be translated to the rserver IP address, and that is perfectly fine.

Since the server has to reply directly and the client sent the SYN to the VIP, it is very important that the packet sent by the server has the VIP as its source IP address; otherwise the connection will fail.

Regards,

Kanwal

Hi Kanwaljeet,

The BVI interface was already created before this implementation; I only created interface vlan 82 to add a VIP address in a different subnet, and I took the configuration.

The server receives the connection (SYN) with the correct client IP address (10.93.7.25), but the destination IP address is 10.96.202.10 (VIP address) and not the rserver IP address. The server does not respond to the packet to the client, and I see a timeout in the client browser; I do not see the SYN ACK.

Topology example: http://3.bp.blogspot.com/_Tdhn-HYCK18/SKGWUzrw0gI/AAAAAAAAAjk/2wR4mjAOn3g/s1600/ASN-simple.gif

http://snippets101.blogspot.in/2008/08/asymmetric-server-normalization-on.html

I created a loopback interface on the server, but telnet is still not established.

I logged the packets on both sides (server and client) and I see:

1 - Client 10.93.7.25 sends a SYN packet to 10.96.202.10 (VIP ACE)
2 - ACE directs the SYN request to rserver 172.17.2.218
3 - Rserver responds to the SYN request with SYN+ACK to the client 10.93.7.25, but using the IP 172.17.2.218 and not the IP address of the configured loopback interface 10.96.202.10.
4 - Client does not respond to the SYN+ACK from IP address 172.17.2.218 (because it sent the SYN to IP 10.96.202.10 and not 172.17.2.218).
5 - Connection timeout/reset

Any ideas for resolving this?

Tks.


Hi Rafael,

I am not sure why the server is not using the loopback address while replying to the SYN. There must be some setting on the server which tells it to use the loopback address while replying to the SYN. Also, the ACE will forward the traffic to the rserver without changing the destination IP. The destination IP would still be the ACE VIP since only Layer 2 forwarding happens in the case of ASN, and since the destination IP never changes, the server should reply using the loopback interface IP, which is the VIP of the ACE.

Which server are you using? Let me Google this a bit, and if I find something I will let you know.

Regards,

Kanwal

Hi Kanwaljeet,

I agree with you.

I am using Windows Server 2008 R2 Standard.
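To make the failure in Rafael's five-step packet log concrete, here is a small added model of the ASN exchange (illustration code written for this page, not ACE code and not from anyone in the thread): the ACE forwards the SYN at Layer 2 without rewriting the destination, and the client only accepts a SYN+ACK whose source is the VIP it sent the SYN to. The client's ephemeral port and the `reply_from_vip` switch (whether the server sources its reply from the loopback VIP or from its own NIC address) are assumptions of the model.

```python
# Model of the ASN / direct-server-return flow discussed in the thread.
# Addresses are the ones posted; the client port is a constructed value.
from dataclasses import dataclass

CLIENT = "10.93.7.25"
VIP = "10.96.202.10"        # ACE VIP, also expected on the server's loopback
RSERVER = "172.17.2.218"    # rserver PANVCTXP308B
CLIENT_PORT = 51000         # constructed ephemeral port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def ace_forward_asn(pkt: Packet, rserver: str) -> Packet:
    """ASN: the ACE chooses an rserver but forwards the IP packet unchanged;
    only the Layer 2 destination changes, so dst stays the VIP (as captured)."""
    return pkt


def server_reply(syn: Packet, reply_from_vip: bool) -> Packet:
    """SYN+ACK built by the server. reply_from_vip=False reproduces step 3 of
    the log: the reply is sourced from the NIC address instead of the VIP."""
    src = syn.dst if reply_from_vip else RSERVER
    return Packet(src=src, sport=syn.dport, dst=syn.src, dport=syn.sport, flags="SA")


def client_accepts(syn: Packet, synack: Packet) -> bool:
    """The client matches the SYN+ACK against the 4-tuple of its pending SYN;
    a reply from any other source belongs to no known connection (step 4)."""
    return (synack.src, synack.sport, synack.dst, synack.dport) == \
           (syn.dst, syn.dport, syn.src, syn.sport)


def asn_handshake(vip_on_loopback: bool, reply_from_vip: bool) -> str:
    """Runs client -> ACE -> server -> client and reports where it stops."""
    syn = Packet(CLIENT, CLIENT_PORT, VIP, 80, "S")
    fwd = ace_forward_asn(syn, RSERVER)
    local_addrs = {RSERVER, VIP} if vip_on_loopback else {RSERVER}
    if fwd.dst not in local_addrs:
        return "dropped: server does not own the VIP"
    synack = server_reply(fwd, reply_from_vip)
    if not client_accepts(syn, synack):
        return f"timeout: client ignores SYN+ACK from {synack.src}"
    return "established"
```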
