FWLB question

dmcushing · ‎09-11-2009

I am a new user with the Cisco 4710 appliance and am trying to load balance Microsoft ISA servers with our 4710s. They are currently deployed in routed mode with one acting as a hot standby.

My issue is that the traffic doesn't seem to be getting to the ISA servers, although I have attempted to follow the documentation in the FWLB guidelines.

access-list EVERYONE line 10 extended permit ip any any

rserver host ISA_INSIDE_1

ip address 192.168.254.254

inservice

rserver host ISA_INSIDE_2

ip address 192.168.254.253

inservice

serverfarm host ISA_INSIDE

transparent

predictor hash address destination 255.255.255.255

rserver ISA_INSIDE_1

inservice

rserver ISA_INSIDE_2

class-map match-any INTERNAL_GATEWAY

2 match virtual-address 192.168.252.1 255.255.255.0 any

class-map match-any INTERNAL_TRAFFIC

2 match virtual-address 0.0.0.0 0.0.0.0 any

policy-map type loadbalance first-match LB_ISA_INSIDE

class class-default

serverfarm ISA_INSIDE

policy-map multi-match OUTBOUND_TRAFFIC

class INTERNAL_TRAFFIC

loadbalance vip inservice

loadbalance policy LB_ISA_INSIDE

class INTERNAL_GATEWAY

loadbalance vip inservice

loadbalance policy LB_ISA_INSIDE

interface vlan 253

ip address 192.168.252.200 255.255.255.0

access-group input EVERYONE

service-policy input OUTBOUND_TRAFFIC

no shutdown

interface vlan 254

ip address 192.168.254.251 255.255.255.0

mac-sticky enable

access-group input EVERYONE

service-policy input OUTBOUND_TRAFFIC

no shutdown

If I route traffic via the 192.168.252.1 address, I am not seeing it hit the firewall. I assume that I am missing something basic, but I cannot see it. Any help or pointers are appreciated.

jasmina27s · ‎09-13-2009

Hi,

Try using VIP address mask /32:

class-map match-any INTERNAL_GATEWAY

2 match virtual-address 192.168.252.1 255.255.255.255 any

VIP address mask should not overlap with ACE interface VLAN (vlan 253)

Regards,

Jasmina