07-11-2012 12:08 PM
Hi expert,
I can't ping the VIP address from servers in other VLANs, though the VIP is showing inservice and no ACL is blocking any traffic.
access-list INSIDE remark ACL to open access for L-3 routing of non-LB flows
access-list INSIDE line 10 extended permit ip any any
access-list OUTSIDE line 70 extended permit ip any any
The above ACLs are applied to all VLAN interfaces, i.e. input/output.
===========================================================================================
class: L3_PROD
loadbalance:
L7 loadbalance policy: L7_PROD
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 5068
dropped conns : 0
client pkt count : 37950 , client byte count: 5716391
server pkt count : 56085 , server byte count: 60949756
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
=============================================
Your help will be much appreciated.
Regards
07-12-2012 04:14 AM
Hi Hidayat,
Can I see the configuration of the multi-match policy where the VIP is put in service? Do you have the "loadbalance vip icmp-reply active" command configured?
Anthony
07-12-2012 04:56 AM
Hi answanso,
I have omitted some of the irrelevant config to make it more specific; see below. What I want is for the VIP address (shown in bold in this config) to be pingable from the other VLANs 302/303 shown below, but I can't, though I can ping/telnet the real IP addresses of the servers, i.e. ping/telnet to 10.203.193.120/121 from 10.203.194.164/165. The requirement is to ping/telnet the VIP address.
access-list INSMU remark ACL to open access for L-3 routing of non-LB flows
access-list INSMU line 10 extended permit ip any any
access-list PRODACL line 20 extended permit ip any any
rserver host APROD1
ip address 10.203.193.120
probe GETPROBE1
probe PINGPROBE1
inservice
rserver host APROD2
ip address 10.203.193.121
probe GETPROBE1
probe PINGPROBE1
inservice
serverfarm host APROD
description AWD Services PROD Server Farm
rserver APROD1
inservice
rserver APROD2
inservice
class-map type management match-any HTTP
10 match protocol http source-address 10.203.114.0 255.255.255.0
20 match protocol http source-address 10.203.115.0 255.255.255.0
class-map type management match-any ICMP
10 match protocol icmp source-address 10.203.114.0 255.255.255.0
20 match protocol icmp source-address 10.203.115.0 255.255.255.0
30 match protocol icmp source-address 10.203.204.65 255.255.255.255
class-map match-any L3_APROD
10 match virtual-address 10.203.202.200 tcp eq www
class-map type management match-any SERVERICMP
description Permitted ICMP traffic for server VLANs
10 match protocol icmp source-address 10.203.193.0 255.255.255.128
20 match protocol icmp source-address 10.203.194.0 255.255.255.128
30 match protocol icmp source-address 10.203.193.128 255.255.255.128
40 match protocol icmp source-address 10.203.194.128 255.255.255.128
policy-map type management first-match SMUREMOTEMGMT
description Remote management Access Policy
class TELNET
permit
class SSH
permit
class HTTP
permit
class ICMP
permit
policy-map type management first-match SMUSVRPINGT
description Allowed Server Ping Traffic
class SERVERICMP
permit
policy-map type loadbalance first-match L7_APROD
description Layer-7 Policy Map defining AWD Production Load Balancing Destination
class class-default
serverfarm APROD
policy-map multi-match L3_BIZPROD
description Load Balancing Policy For Production BizTalk Originated traffic to WebServices & WAS to BizTalk
class TCP-CITRIX
connection advanced-options TCP-TTLCITRIXAWD10
class L3_APROD
loadbalance vip inservice
loadbalance policy L7_APROD
loadbalance vip icmp-reply active
interface vlan 300
description SMU WebServices Production VLAN
ip address 10.203.193.2 255.255.255.128
alias 10.203.193.1 255.255.255.128
peer ip address 10.203.193.3 255.255.255.128
access-group input INSMU
access-group output PRODACL
service-policy input SMUSVRPINGT
service-policy input L3_WEBSVCSBAL
no shutdown
interface vlan 301
description SMU Business Logic Production VLAN
ip address 10.203.193.130 255.255.255.128
alias 10.203.193.129 255.255.255.128
peer ip address 10.203.193.131 255.255.255.128
access-group input INSMU
access-group output PRODACL
nat-pool 2 10.203.193.150 10.203.193.159 netmask 255.255.255.128
service-policy input SMUSVRPINGT
service-policy input L3_BIZPROD
no shutdown
interface vlan 302
description SMU WebServices UAT VLAN
ip address 10.203.194.2 255.255.255.128
alias 10.203.194.1 255.255.255.128
peer ip address 10.203.194.3 255.255.255.128
access-group input INSMU
service-policy input SMUSVRPINGT
service-policy input L3_WEBSVCSBAL
no shutdown
interface vlan 303
description SMU Business Logic UAT VLAN
ip address 10.203.194.130 255.255.255.128
alias 10.203.194.129 255.255.255.128
peer ip address 10.203.194.131 255.255.255.128
access-group input INSMU
nat-pool 1 10.203.194.150 10.203.194.159 netmask 255.255.255.128
service-policy input SMUSVRPINGT
service-policy input L3_BIZUAT
no shutdown
Hope the above config is clear to you.
Cheers
07-16-2012 03:35 AM
Hi Hidayat,
What is the default gateway of your servers, is it pointing toward the alias on the VLAN interface?
Thanks,
Anthony
07-16-2012 04:27 AM
Yes, the default gateway is towards the alias on the VLAN interface, that's correct.
Rgds
Hidayat
07-16-2012 05:21 PM
Hidayat,
It's a really annoying security 'gotcha' feature:
two or more contexts cannot communicate using a shared VLAN on the ACE platform.
Easiest ways out:
Assign two different VLANs to the "client-side" of the ACE, if your VIPs are attached to that interface.
One VLAN per context.
OR
Create an additional VLAN interface on each context (example: 201 and 202) and assign SVIs within a VRF,
attach your service-policies to those interfaces as well. You may also need NAT to ensure traffic is routed correctly.
From the "Routing and Bridging" configuration Guide:
The ACE also supports shared VLANs, which are multiple interfaces in different contexts on the same VLAN within the same subnet. Only routed interfaces can share VLANs. Note that there is no routing across contexts even when shared VLANs are configured.
Cheers mate,
Søren Elleby Sørensen
07-17-2012 02:11 AM
Hi Søren Elleby Sørensen,
Thanks for your reply. In my case, the VLANs are in the same context. I am not trying to ping from another context! I can ping the real server IP addresses between the two VLANs, but when I ping the VIP address it doesn't work!
Rgds
Hidayat
07-17-2012 01:23 PM
Hi,
This sounds expected based on this:
"For security reasons, the ACE does not allow pings from an interface on a VLAN on one side of the ACE through the module to an interface on a different VLAN on the other side of the module. For example, a host can ping the ACE address that is on the IP subnet using the same VLAN as the host, but cannot ping IP addresses configured on other VLANs on the ACE."
Cesar R
07-18-2012 02:23 AM
Hi Cesar,
Thanks for your reply. In the above config, the servers in VLAN 300 can ping the real IPs in VLAN 303 or vice versa, but the requirement is to ping/telnet the VIP of 303, which is 10.203.202.200, from VLAN 300 or 301.
Regds
Hidayat
07-18-2012 05:06 AM
Hidayat,
Pardon. It seems I misunderstood your question.
To summarize:
You cannot ping the VIP specified in:
class-map match-any L3_APROD
10 match virtual-address 10.203.202.200 tcp eq www
From real servers in VLAN 302 and VLAN 303.
Your VIP specified in class-map L3_APROD is attached to the service-policy named "L3_BIZPROD",
but the service-policy is not assigned to either of those VLANs, which is required.
The ACE does not treat VIPs like the CSS, so VIPs are only reachable via a specific interface.
Unless you apply the service-policy globally, which may require additional configuration as source NAT may be required.
07-18-2012 06:01 AM
Hi Sesoerensen,
Thanks for your reply, I can give it a try and apply the service-policy to VLAN 302 and 303, i.e.
Int vlan 302
service-policy input L3_BIZPROD
&
Int vlan 303
service-policy input L3_BIZPROD
I will let you know of the above changes and results.
Regds
Hidayat
07-19-2012 05:03 AM
Hi Sesoerensen,
I applied the service policy on VLAN 302 & 303, which worked fine for both ping/telnet. I wanted to allow a few servers from VLAN 303 to be able to ping/telnet to VIP 10.203.202.200, and applied the ACLs,
e.g.
access-list PRODACL line 40 extended permit ip 10.203.194.128 255.255.255.128 host 10.203.202.200
access-list PRODACL line 50 extended deny ip 10.203.194.0 255.255.255.128 host 10.203.202.200
access-list PRODACL line 60 extended permit ip any any
Int vlan 300
access-group output PRODACL
Int vlan 301
access-group output PRODACL
But the above ACL did not work; all servers from the 10.203.194.0 and 195.0 subnets were able to ping/telnet the VIP address.
Reverted back.
Rgds
Hid
07-19-2012 05:40 AM
Hidayat,
You are using output access-lists, but you are trying to match the VIP, which is in the "input" direction of an interface.
Do something like:
access-list SEC_VLAN302_IN ext deny icmp any host 10.203.202.200
access-list SEC_VLAN302_IN ext deny ip any host 10.203.202.200
access-list SEC_VLAN302_IN permit icmp any any
access-list SEC_VLAN302_IN permit ip any any
int vlan 302
access-group input SEC_VLAN302_IN
access-list SEC_VLAN303_IN ext perm icmp 10.203.194.128 255.255.255.128 host 10.203.202.200
access-list SEC_VLAN303_IN ext perm ip 10.203.194.128 255.255.255.128 host 10.203.202.200
access-list SEC_VLAN303_IN ext deny icmp any host 10.203.202.200
access-list SEC_VLAN303_IN ext deny ip any host 10.203.202.200
access-list SEC_VLAN303_IN permit icmp any any
access-list SEC_VLAN303_IN permit ip any any
int vlan 303
access-group input SEC_VLAN303_IN
Cheers mate,
Søren Elleby Sørensen
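The two points made in the thread (the VIP is reachable only from interfaces where its multi-match service-policy is applied, and an ACL bound in the output direction cannot match traffic to the VIP, which is classified on input) can be turned into a configuration check. The Python script below is an added example written for this page, not code from the thread, from its posters or from Cisco; it is a simplified model of the behaviour the thread describes, not of the ACE itself. It parses a constructed, reduced copy of the posted config (plus the PRODACL output entry Hidayat tried), reports which VLAN interfaces can reach VIP 10.203.202.200, and flags VIP-related ACLs bound in a direction where they cannot take effect. FIX_SNIPPET is a constructed change in the spirit of the accepted answer, and the names SEC_VLAN303_IN, parse_ace_config, vip_reachable_from and vip_acl_bindings are the example's own.

```python
"""Offline audit of a Cisco ACE config: VIP reachability per VLAN interface and ACL direction."""
from collections import defaultdict

# Constructed sample, reduced from the thread's config plus the PRODACL output entry the poster tried.
SAMPLE_CONFIG = """
access-list PRODACL line 40 extended permit ip 10.203.194.128 255.255.255.128 host 10.203.202.200
access-list PRODACL line 60 extended permit ip any any
class-map match-any L3_APROD
  10 match virtual-address 10.203.202.200 tcp eq www
policy-map multi-match L3_BIZPROD
  class L3_APROD
    loadbalance vip inservice
interface vlan 301
  access-group output PRODACL
  service-policy input L3_BIZPROD
interface vlan 302
  service-policy input L3_WEBSVCSBAL
interface vlan 303
  access-group input INSMU
  service-policy input L3_BIZUAT
"""
# Constructed change in the spirit of the accepted answer: bind the VIP's policy on the
# UAT VLANs and restrict the VIP with an input ACL on vlan 303.
FIX_SNIPPET = """
access-list SEC_VLAN303_IN ext permit ip 10.203.194.128 255.255.255.128 host 10.203.202.200
access-list SEC_VLAN303_IN ext deny ip any host 10.203.202.200
access-list SEC_VLAN303_IN permit ip any any
interface vlan 302
  service-policy input L3_BIZPROD
interface vlan 303
  access-group input SEC_VLAN303_IN
  service-policy input L3_BIZPROD
"""

def _endpoint(tok, i):
    """Consume one address spec (any | host A | A MASK); return (spec, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return f"{tok[i]}/{tok[i + 1]}", i + 2

def _acl_entry(tok):
    """Parse the tokens after 'access-list NAME'; returns None for remark lines."""
    i = 2 if tok[:1] == ["line"] else 0            # skip optional 'line N'
    if tok[i] in ("extended", "ext"):
        i += 1
    if tok[i] == "remark":
        return None
    src, j = _endpoint(tok, i + 2)                  # tok[i + 1] is the protocol
    dst, _ = _endpoint(tok, j)
    return {"action": "permit" if tok[i].startswith("perm") else "deny",
            "proto": tok[i + 1], "src": src, "dst": dst}

def parse_ace_config(text):
    """Collect ACL entries, VIP class-maps, policy-map classes and interface bindings."""
    cfg = {"acls": defaultdict(list), "vip_classes": defaultdict(set),
           "policies": defaultdict(set),
           "interfaces": defaultdict(lambda: defaultdict(lambda: defaultdict(list)))}
    section = None                                  # (kind, name) of the enclosing block
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        kw = tok[0].lower()
        if kw == "access-list":
            entry = _acl_entry(tok[2:])
            if entry:
                cfg["acls"][tok[1]].append(entry)
            section = None
        elif kw in ("interface", "int"):
            section = ("interface", " ".join(tok[1:]))
        elif kw in ("class-map", "policy-map"):
            section = (kw, tok[-1])
        elif section and section[0] == "interface" and kw in ("access-group", "service-policy"):
            cfg["interfaces"][section[1]][kw][tok[1]].append(tok[2])
        elif section and section[0] == "class-map":
            body = tok[1:] if tok[0].isdigit() else tok  # drop the sequence number
            if body[:2] == ["match", "virtual-address"]:
                cfg["vip_classes"][section[1]].add(body[2])
        elif section and section[0] == "policy-map" and kw == "class":
            cfg["policies"][section[1]].add(tok[1])
    return cfg

def vip_reachable_from(cfg, vip):
    """Interfaces whose input service-policy carries a class matching the VIP."""
    classes = {c for c, vips in cfg["vip_classes"].items() if vip in vips}
    policies = {p for p, cls in cfg["policies"].items() if cls & classes}
    return sorted(name for name, intf in cfg["interfaces"].items()
                  if policies & set(intf["service-policy"]["input"]))

def vip_acl_bindings(cfg, vip):
    """(interface, direction, acl, effective) per bound ACL naming the VIP; only input bindings match."""
    naming = {n for n, es in cfg["acls"].items() if any(e["dst"] == vip for e in es)}
    return [(name, d, acl, d == "input")
            for name, intf in sorted(cfg["interfaces"].items())
            for d in ("input", "output")
            for acl in intf["access-group"][d] if acl in naming]
```

Run against the sample, vip_reachable_from reports the VIP reachable only from vlan 301 (the one interface binding L3_BIZPROD) and vip_acl_bindings reports PRODACL's output binding as ineffective; with FIX_SNIPPET appended, vlan 302 and vlan 303 also appear and the SEC_VLAN303_IN input binding is reported as effective. Feeding the script a full running config is a quick way to confirm the service-policy and ACL placement before testing reachability from the servers.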
07-19-2012 06:55 AM
Yes, I have an ACL applied on the VLAN 302/303 input; see the original config, but I will give it a try again and will let you know. Thanks for your great help.
access-list INSMU remark ACL to open access for L-3 routing of non-LB flows
access-list INSMU line 10 extended permit ip any any
Rgds
Hid
07-19-2012 07:51 AM
Hi Hidayat,
Let's try to source NAT the server traffic to the VIP IP address and see if that allows you to ping the VIP:
class-map match-any NAT_TEST
2 match source-address 10.203.194.164 255.255.255.255
4 match source-address 10.203.194.165 255.255.255.255
policy-map multi-match SOURCE_NAT
class NAT_TEST
nat dynamic 2 vlan 303
interface vlan 303
nat-pool 2 10.203.202.200 10.203.202.200 netmask 255.255.255.255 pat
service-policy input SOURCE_NAT
Thanks
Anthony