Can't ping the VIP address from servers in other VLANs?

Hidayat Khan
Level 1

Hi expert,

I can't ping the VIP address from servers in other VLANs, though the VIP is showing inservice and no ACL is blocking any traffic.

access-list INSIDE remark ACL to open access for L-3 routing of non-LB flows
access-list INSIDE line 10 extended permit ip any any
access-list OUTSIDE line 70 extended permit ip any any

The above ACLs are applied to all VLAN interfaces, i.e. input/output.

===========================================================================================

class: L3_PROD
  loadbalance:
    L7 loadbalance policy: L7_PROD
    VIP Route Metric     : 77
    VIP Route Advertise  : DISABLED
    VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
    VIP State: INSERVICE
    curr conns       : 0         , hit count        : 5068
    dropped conns    : 0
    client pkt count : 37950     , client byte count: 5716391
    server pkt count : 56085     , server byte count: 60949756
    conn-rate-limit      : 0         , drop-count : 0
    bandwidth-rate-limit : 0         , drop-count : 0

===========================================================================================

Your help will be much appreciated.

Regards


15 Replies

answanso
Cisco Employee

Hi Hidayat,

Can I see configuration of the multi-match policy where the VIP is put in service? Do you have the loadbalance vip icmp-reply active command configured?

Anthony

Hi answanso,

I have omitted some irrelevant config to make it more specific, see below. What I want is for the VIP address (the virtual-address in the config below) to be pingable from the other VLANs 302/303 shown below, but I can't, though I can ping/telnet the real IP addresses of the servers, i.e. ping/telnet to 10.203.193.120/121 from 10.203.194.164/165; the requirement is to ping/telnet the VIP address.

access-list INSMU remark ACL to open access for L-3 routing of non-LB flows
access-list INSMU line 10 extended permit ip any any
access-list PRODACL line 20 extended permit ip any any

rserver host APROD1
  ip address 10.203.193.120
  probe GETPROBE1
  probe PINGPROBE1
  inservice
rserver host APROD2
  ip address 10.203.193.121
  probe GETPROBE1
  probe PINGPROBE1
  inservice

serverfarm host APROD
  description AWD Services PROD Server Farm
  rserver APROD1
    inservice
  rserver APROD2
    inservice

class-map type management match-any HTTP
  10 match protocol http source-address 10.203.114.0 255.255.255.0
  20 match protocol http source-address 10.203.115.0 255.255.255.0
class-map type management match-any ICMP
  10 match protocol icmp source-address 10.203.114.0 255.255.255.0
  20 match protocol icmp source-address 10.203.115.0 255.255.255.0
  30 match protocol icmp source-address 10.203.204.65 255.255.255.255
class-map match-any L3_APROD
  10 match virtual-address 10.203.202.200 tcp eq www
class-map type management match-any SERVERICMP
  description Permitted ICMP traffic for server VLANs
  10 match protocol icmp source-address 10.203.193.0 255.255.255.128
  20 match protocol icmp source-address 10.203.194.0 255.255.255.128
  30 match protocol icmp source-address 10.203.193.128 255.255.255.128
  40 match protocol icmp source-address 10.203.194.128 255.255.255.128

policy-map type management first-match SMUREMOTEMGMT
  description Remote management Access Policy
  class TELNET
    permit
  class SSH
    permit
  class HTTP
    permit
  class ICMP
    permit
policy-map type management first-match SMUSVRPINGT
  description Allowed Server Ping Traffic
  class SERVERICMP
    permit
policy-map type loadbalance first-match L7_APROD
  description Layer-7 Policy Map defining AWD Production Load Balancing Destination
  class class-default
    serverfarm APROD
policy-map multi-match L3_BIZPROD
  description Load Balancing Policy For Production BizTalk Originated traffic to WebServices & WAS to BizTalk
  class TCP-CITRIX
    connection advanced-options TCP-TTLCITRIXAWD10
  class L3_APROD
    loadbalance vip inservice
    loadbalance policy L7_APROD
    loadbalance vip icmp-reply active

interface vlan 300
  description SMU WebServices Production VLAN
  ip address 10.203.193.2 255.255.255.128
  alias 10.203.193.1 255.255.255.128
  peer ip address 10.203.193.3 255.255.255.128
  access-group input INSMU
  access-group output PRODACL
  service-policy input SMUSVRPINGT
  service-policy input L3_WEBSVCSBAL
  no shutdown
interface vlan 301
  description SMU Business Logic Production VLAN
  ip address 10.203.193.130 255.255.255.128
  alias 10.203.193.129 255.255.255.128
  peer ip address 10.203.193.131 255.255.255.128
  access-group input INSMU
  access-group output PRODACL
  nat-pool 2 10.203.193.150 10.203.193.159 netmask 255.255.255.128
  service-policy input SMUSVRPINGT
  service-policy input L3_BIZPROD
  no shutdown
interface vlan 302
  description SMU WebServices UAT VLAN
  ip address 10.203.194.2 255.255.255.128
  alias 10.203.194.1 255.255.255.128
  peer ip address 10.203.194.3 255.255.255.128
  access-group input INSMU
  service-policy input SMUSVRPINGT
  service-policy input L3_WEBSVCSBAL
  no shutdown
interface vlan 303
  description SMU Business Logic UAT VLAN
  ip address 10.203.194.130 255.255.255.128
  alias 10.203.194.129 255.255.255.128
  peer ip address 10.203.194.131 255.255.255.128
  access-group input INSMU
  nat-pool 1 10.203.194.150 10.203.194.159 netmask 255.255.255.128
  service-policy input SMUSVRPINGT
  service-policy input L3_BIZUAT
  no shutdown

Hope the above config is clear to you.

Cheers

Hi Hidayat,

What is the default gateway of your servers, is it pointing toward the alias on the VLAN interface?

Thanks,

Anthony

Hidayat Khan
Level 1

Yes, the default gateway points towards the alias on the VLAN interface, that's correct.

Rgds

Hidayat

Hidayat,

It's a really annoying security 'gotcha' feature:

two or more contexts cannot communicate using a shared VLAN on the ACE platform.

Easiest ways out:

Assign two different VLANs to the "client-side" of the ACE, if your VIPs are attached to that interface. One VLAN per context.

OR

Create an additional VLAN interface on each context (example: 201 and 202), assign SVIs within a VRF, and attach your service-policies to those interfaces as well. You may also need NAT to ensure traffic is routed correctly.

From the "Routing and Bridging" configuration Guide:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/vlansif.html

The ACE also supports shared VLANs, which are multiple interfaces in different contexts on the same VLAN within the same subnet. Only routed interfaces can share VLANs. Note that there is no routing across contexts even when shared VLANs are configured.

Cheers mate,

Søren Elleby Sørensen

Hidayat Khan
Level 1

Hi Søren Elleby Sørensen,

Thanks for your reply. In my case, the VLANs are in the same context. I am not trying to ping from another context! I can ping the real server IP addresses between the two VLANs, but when I ping the VIP address it doesn't work!

Rgds

Hidayat

Cesar Roque
Level 4

Hi,

This sounds expected based on this:

"For security reasons, the ACE does not allow pings from an interface on a VLAN on one side of the ACE through the module to an interface on a different VLAN on the other side of the module. For example, a host can ping the ACE address that is on the IP subnet using the same VLAN as the host, but cannot ping IP addresses configured on other VLANs on the ACE."

Cesar R

--------------------- Cesar R ANS Team

Hidayat Khan
Level 1

Hi Cesar,

Thanks for your reply. In the above config, the servers in VLAN 300 can ping the real IPs in VLAN 303 and vice versa, but the requirement is to ping/telnet the VIP of 303, which is 10.203.202.200, from VLAN 300 or 301.

Regds

Hidayat

Hidayat,

Pardon. It seems I misunderstood your question.

To summarize:

You cannot ping the VIP specified in:

class-map match-any L3_APROD
  10 match virtual-address 10.203.202.200 tcp eq www

from real servers in VLAN 302 and VLAN 303.

Your VIP, specified in class-map L3_APROD, is attached to the service-policy named "L3_BIZPROD", but that service-policy is not assigned to either of those VLANs, which is required.

The ACE does not treat VIPs like the CSS does, so VIPs are only reachable via a specific interface.

Unless you apply the service-policy globally, which may require additional configuration, as source NAT may be required.

Hidayat Khan
Level 1

Hi Sesoerensen,

Thanks for your reply. I can give it a try and apply the service-policy to VLAN 302 and 303, i.e.

interface vlan 302
  service-policy input L3_BIZPROD

interface vlan 303
  service-policy input L3_BIZPROD

I will let you know of the above changes and results.

Regds

Hidayat

Hidayat Khan
Level 1

Hi Sesoerensen,

I applied the service-policy on VLAN 302 & 303, which worked fine for both ping and telnet. I wanted to allow only a few servers from VLAN 303 to be able to ping/telnet to VIP 10.203.202.200, and applied the ACLs,

e.g.

access-list PRODACL line 40 extended permit ip 10.203.194.128 255.255.255.128 host 10.203.202.200
access-list PRODACL line 50 extended deny ip 10.203.194.0 255.255.255.128 host 10.203.202.200
access-list PRODACL line 60 extended permit ip any any

interface vlan 300
  access-group output PRODACL

interface vlan 301
  access-group output PRODACL

But the above ACL did not work; all servers from the 10.203.194.0 and 10.203.195.0 subnets were able to ping/telnet the VIP address.

Reverted back.

Rgds

Hid

Hidayat,

You are using output access-lists, but you are trying to match the VIP which is in the "input" direction of an interface.

do something like:

access-list SEC_VLAN302_IN remark VLAN 302 may reach everything except the VIP
access-list SEC_VLAN302_IN extended deny icmp any host 10.203.202.200
access-list SEC_VLAN302_IN extended deny ip any host 10.203.202.200
access-list SEC_VLAN302_IN extended permit icmp any any
access-list SEC_VLAN302_IN extended permit ip any any

interface vlan 302
  access-group input SEC_VLAN302_IN

access-list SEC_VLAN303_IN remark only 10.203.194.128/25 may reach the VIP; specific permits must precede the denies
access-list SEC_VLAN303_IN extended permit icmp 10.203.194.128 255.255.255.128 host 10.203.202.200
access-list SEC_VLAN303_IN extended permit ip 10.203.194.128 255.255.255.128 host 10.203.202.200
access-list SEC_VLAN303_IN extended deny icmp any host 10.203.202.200
access-list SEC_VLAN303_IN extended deny ip any host 10.203.202.200
access-list SEC_VLAN303_IN extended permit icmp any any
access-list SEC_VLAN303_IN extended permit ip any any

interface vlan 303
  access-group input SEC_VLAN303_IN

Cheers mate,

Søren Elleby Sørensen
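As an added example (not part of the thread or of Cisco's ACE code), here is a small Python model of the two points made in this answer: the ACE evaluates an access-list top-down with first match and an implicit deny, and a packet addressed to the VIP is handled on the ingress VLAN (input ACL, then the VIP's service-policy), so an output ACL on another VLAN is never consulted. The packet-path function is a deliberate simplification of the ACE, and 10.203.194.20 is a constructed VLAN 302 host; the other addresses are the thread's own.

```python
# Added example, not from the thread: a first-match ACL evaluator plus a
# simplified model of where the ACE applies ACLs and VIP matching.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

VIP = "10.203.202.200"
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol; "icmp" only ICMP
    src: IPv4Network
    dst: IPv4Network

def ace(action, proto, src, dst):
    return Ace(action, proto, ip_network(src), ip_network(dst))

def first_match(acl, proto, src, dst):
    """ACE access-lists are evaluated top-down; first hit wins, implicit deny at the end."""
    s, d = ip_address(src), ip_address(dst)
    for e in acl:
        if e.proto in ("ip", proto) and s in e.src and d in e.dst:
            return e.action
    return "deny"

# INSMU as applied on every VLAN input in the original config: permit everything.
INSMU = [ace("permit", "ip", ANY, ANY)]

# Søren's input ACLs, entries in the order they are configured.
SEC_VLAN302_IN = [ace("deny", "icmp", ANY, VIP), ace("deny", "ip", ANY, VIP),
                  ace("permit", "icmp", ANY, ANY), ace("permit", "ip", ANY, ANY)]
SEC_VLAN303_IN = [ace("permit", "icmp", "10.203.194.128/25", VIP),
                  ace("permit", "ip", "10.203.194.128/25", VIP),
                  ace("deny", "icmp", ANY, VIP), ace("deny", "ip", ANY, VIP),
                  ace("permit", "icmp", ANY, ANY), ace("permit", "ip", ANY, ANY)]

def vip_reachable(proto, src, input_acl, vip_policy_on_ingress):
    """Simplified ACE path for a packet addressed to the VIP arriving on a VLAN.
    The ingress VLAN's input ACL is checked first; if the multi-match policy that
    puts the VIP in service is on that same VLAN, the ACE answers or load-balances
    the packet itself, so an output ACL elsewhere (Hidayat's PRODACL attempt) is
    never consulted. Without that service-policy the VIP is simply not there."""
    if first_match(input_acl, proto, src, VIP) == "deny":
        return False
    return vip_policy_on_ingress
```

The last assertion in the test shows why entry order matters: a permit any any configured before the host-specific denies shadows them, which is what happens if the lines are entered under the wrong ACL name.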

Hidayat Khan
Level 1

Yes, I have an ACL applied on the VLAN 302/303 input, see the original config, but I will give it a try again and will let you know. Thanks for your great help.

access-list INSMU remark ACL to open access for L-3 routing of non-LB flows
access-list INSMU line 10 extended permit ip any any

Rgds

Hid

Hi Hidayat,

Let's try source-NATing the server traffic to the VIP IP address and see if that allows you to ping the VIP:

class-map match-any NAT_TEST
  2 match source-address 10.203.194.164 255.255.255.255
  4 match source-address 10.203.194.165 255.255.255.255

policy-map multi-match SOURCE_NAT
  class NAT_TEST
    nat dynamic 2 vlan 303

interface vlan 303
  nat-pool 2 10.203.202.200 10.203.202.200 netmask 255.255.255.255 pat
  service-policy input SOURCE_NAT

Thanks

Anthony
