08-23-2012 11:51 AM
Hello Guys,
We are having a connectivity issue on two contexts on our Cisco ACE 4710 (routed mode).
We are unable to start communication (ping/telnet, etc.) between two servers in different VLANs in the same context... however, it is possible to start communication between servers in different contexts.
Version A5(1.2)
Context Issue
access-list ALL line 8 extended permit ip any any
access-list routing line 8 extended permit ip any any
ip domain-name xpto
class-map type management match-any Gerenciamento
2 match protocol icmp any
3 match protocol ssh any
4 match protocol telnet any
5 match protocol snmp any
6 match protocol xml-https any
7 match protocol http any
8 match protocol https any
class-map match-all TESTE
class-map type management match-any permite_ping
2 match protocol icmp any
policy-map type management first-match Gerenciamento
class Gerenciamento
permit
policy-map type management first-match permite_ping
class permite_ping
permit
interface vlan 3
ip address 9.241.45.1 255.255.255.0
access-group input routing
access-group output routing
service-policy input permite_ping
no shutdown
interface vlan 102
description servers
ip address 9.193.46.1 255.255.255.0
access-group input routing
access-group output routing
service-policy input permite_ping
no shutdown
interface vlan 685
description Management
ip address 9.193.164.40 255.255.255.0
access-group input routing
access-group output routing
service-policy input permite_ping
no shutdown
ip route 0.0.0.0 0.0.0.0 9.194.11.17
ip route 9.193.10.0 255.255.255.0 192.168.42.82
ip route 9.193.38.0 255.255.254.0 192.168.42.82
ip route 9.193.64.0 255.255.255.0 192.168.42.82
08-23-2012 12:06 PM
Hi,
Can you please elaborate on your requirement? the vlan? src & dst ip?
You might have to consider source NAT and I have this explained in the thread below.
https://supportforums.cisco.com/thread/2163723?tstart=0
Regards,
Siva
08-23-2012 12:14 PM
We did a test with the servers in the same context, with no response:
From Server 9.193.46.250 (vlan102/Context Issue) to 9.241.45.100 (vlan 3/ Context Issue)
From Server 9.193.46.250 (Context102/Context Issue) to 9.241.45.200 (vlan 3/Context Issue)
Communication from servers on context Issue to other servers on the context called Test is working well.
From Server 9.193.46.250(vlan102/Context Issue) to 9.241.41.111 (VLAN 18/Context Test)
08-23-2012 12:54 PM
Can you tell me what's the default gateway for these servers? Do these servers have the gateway pointing to the ACE?
For communication between the contexts, the traffic would be sent to the router and then to the Test context.
For traffic within the context, you would have to have the servers' gateway pointing back to the ACE.
Regards,
Siva
08-23-2012 01:10 PM
Siva,
As per the servers that I have mentioned:
Default gateway is the ACE.
VLAN 102 GW
9.193.46.1
VLAN 3 GW
9.241.45.1
That is so strange, communication between the context is working well... however communication on the same context is not working.
08-23-2012 01:54 PM
Hi,
For internal clients that need to access the servers behind the ACE directly, all you need is an ACL on the ingress interface of the ACE to allow that traffic. For traffic that comes into the ACE that is not destined for a VIP, the ACE will simply route the traffic to the destination according to its routing table (i.e. static or default routes). All you need is the ACL to permit that traffic as it enters the ACE.
Can you take a packet capture on ACE and see how the traffic is being routed?
Regards,
Siva
08-24-2012 10:39 AM
Siva,
I did the two captures on both vlan interfaces 102 and 3
"From Server 9.193.46.250 (vlan102/Context Issue) to 9.241.45.100 (vlan 3/ Context Issue)"
And cannot see any packet hitting the interfaces, with the above icmp test.
Any idea?
08-24-2012 11:26 AM
Hi,
Can you run the same capture on context Test and see if you get any hits? I just want to verify the capture settings are correct.
If you see any hits, run a capture on the src server and verify the packets going out are towards the ACE MAC address.
Regards,
Siva
08-24-2012 12:55 PM
Siva,
From a server on vlan 102 on context Issue to a server on vlan 18 on context Test, I can see the packets and that communication is OK.
Even testing the servers on the same context Test on different vlans, I cannot see any packet hitting the interfaces.
Connections between servers on different contexts are OK and hitting the interfaces, but between different vlans on the same context it's not OK.
08-25-2012 12:51 AM
Hi,
If the packets are not hitting the interfaces then we need to find out where the packets are being sent from the server. Can you run a capture on the server and see if the packet is destined to the ACE test interface?
Regards,
Siva
01-23-2013 06:08 AM
Hi,
I have a ping issue too. I am not able to ping the interface IP in a context. After reloading the ACE, the ping is running for a week. When updating to version A5(2.1) the issue was fixed.
I suppose a bug in Version A5(1.2)
Regards
amb
01-23-2013 12:18 PM
Hi Mueller,
I am suspecting something like this:
By default, the bank of MAC addresses that the ACE uses is randomly selected at
boot time. However, if you configure two ACEs in the same Layer 2 network and
they are using shared VLANs, the ACEs may select the same address bank, which
results in the use of the same MAC addresses.
Specifically, in those scenarios I have seen that the client is able to reach one of the ACEs but not the other.
If the above scenario appears, the easier way to verify is to use the command below and check the host ID.
EHOWAL01/VPN# show np 1 interface iflookup
First burnt-in MAC: 00:1e:be:af:ba:99
Last burnt-in MAC: 00:1e:be:af:ba:9f
No of burnt-in MACs: 7
Hostid: 1
If the host ID is the same, then you know you are hitting the same issue. It is ideal to make sure that different ACE devices use different Host IDs.
Please refer the following link for more details.
regards,
Ajay Kumar
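The Host ID comparison described in the post above, applied across several ACEs at once. This is an added example, not part of the original thread: the EHOWAL01 capture is the output quoted in the post, while the devices ACE-B and ACE-C and their values are constructed samples.

```python
import re
from collections import defaultdict

# "show np 1 interface iflookup" output per device. EHOWAL01 is quoted from
# the post; ACE-B and ACE-C are constructed samples (hypothetical devices).
CAPTURES = {
    "EHOWAL01": """EHOWAL01/VPN# show np 1 interface iflookup
First burnt-in MAC: 00:1e:be:af:ba:99
Last burnt-in MAC: 00:1e:be:af:ba:9f
No of burnt-in MACs: 7
Hostid: 1
""",
    "ACE-B": """First burnt-in MAC: 00:00:5e:00:53:10
Last burnt-in MAC: 00:00:5e:00:53:16
No of burnt-in MACs: 7
Hostid: 1
""",
    "ACE-C": """First burnt-in MAC: 00:00:5e:00:53:20
Last burnt-in MAC: 00:00:5e:00:53:26
No of burnt-in MACs: 7
Hostid: 7
""",
}

# Split on the first colon only, so MAC addresses stay intact in the value.
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(\S.*?)\s*$")

def parse_iflookup(text):
    """Return the 'name: value' lines of one capture as a dict (lowercase keys)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def hostid_collisions(captures):
    """Map every Hostid used by more than one device to those devices."""
    by_hostid = defaultdict(list)
    for device, text in captures.items():
        fields = parse_iflookup(text)
        if "hostid" not in fields:
            raise ValueError(f"no Hostid line in capture from {device}")
        by_hostid[int(fields["hostid"])].append(device)
    return {h: sorted(d) for h, d in by_hostid.items() if len(d) > 1}

if __name__ == "__main__":
    for hostid, devices in hostid_collisions(CAPTURES).items():
        print(f"Hostid {hostid} is shared by: {', '.join(devices)}")
```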