03-09-2012 04:34 PM
I am configuring the ACE for bridged mode. However, the real server is seeing the VIP IP but not the client IPs. Our business requires that the real server must see client IPs. Do you have any idea how to set that up?
I tried to turn ON/OFF normalization but it is still not working.
Thanks,
Vincent
==============================
Here is my configuration:
rserver host 192.168.71.71
  ip address 192.168.71.71
  inservice
serverfarm host WEB_FARM
  failaction purge
  probe ICMP
  rserver 192.168.71.71
    inservice
access-list PERMIT-BPDU ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
sticky ip-netmask 255.255.255.255 address source WEB_FARM_Sticky
  timeout 180
  replicate sticky
  serverfarm WEB_FARM
class-map match-all WEB_FARM_VIP
  2 match virtual-address 192.168.71.154 tcp eq 80
class-map type management match-any remote_access
  2 match protocol xml-https any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
  9 match protocol snmp any
policy-map type loadbalance first-match WEB_FARM_Policy
  class class-default
    sticky-serverfarm WEB_FARM_Sticky
policy-map multi-match WEB_VIPS
  class WEB_FARM_VIP
    loadbalance vip inservice
    loadbalance policy WEB_FARM_Policy
    loadbalance vip icmp-reply active
    nat dynamic 6 vlan 31
    nat dynamic 5 vlan 21
interface vlan 21
  description Client VLAN
  bridge-group 171
  no normalization
  mac-sticky enable
  access-group input PERMIT-BPDU
  access-group input ALL
  service-policy input WEB_VIPS
  nat-pool 5 192.168.71.154 192.168.71.154 netmask 255.255.255.255 pat
interface vlan 31
  description Server VLAN
  bridge-group 171
  no normalization
  mac-sticky enable
  access-group input PERMIT-BPDU
  access-group input ALL
  service-policy input WEB_VIPS
  nat-pool 6 192.168.71.154 192.168.71.154 netmask 255.255.255.255 pat
  no shutdown
interface bvi 171
  ip address 192.168.71.3 255.255.255.0
  no shutdown
03-12-2012 02:01 PM
Vincent, vlan 100 in my setup is the vlan where the default gateway is (front side of ACE). All my rservers are in vlan 110, which is logically behind the ACE. Bridged mode uses one subnet and bridges the two different VLANs. Unless you are using one-arm mode, both bridge mode and routed mode require the traffic to flow through the ACE.
03-12-2012 02:09 PM
Forgot to hit reply but it looks like David answered as well.
The config is bridged, but depending on what vlan your server is in it makes it bridged or one-armed. If your servers are in the same vlan as the gateway, try changing the switch port config so the switchport access vlan command is in the vlan that is opposite of the gateway and test. If it is in the same vlan as the gateway then you are using a one-armed mode topology.
Your config is definitely a bridge mode config, but I think your servers are just in the wrong vlan.
03-12-2012 02:26 PM
Hi David and Jim,
Please correct me! Here is my setup details:
Real server is a VMware box. The ESX VM is set up with VLAN 21 for the 192.168.71.x subnet.
On the ACE, I set Gig1/1, 1/2 and 1/3 as an Ether-channel with all VLANs trunked to another switch, and that switch connects to the firewall.
I have a firewall ASA that includes VLAN 21 and VLAN 10. VLAN 21 is the 192.168.71.x subnet and VLAN 10 is 192.168.1.x. On the ACE, I defined VLAN 10 as the management VLAN and I set up a default route 0.0.0.0 0.0.0.0 192.168.1.1. Also, on the ACE, I created VLAN 21 as the Client VLAN and VLAN 31 as the Server VLAN; however, my ASA doesn't have VLAN 31.
Do I need to add VLAN 31 to the firewall and the ESX VM server? Am I missing something there?
Please advise,
Vincent
03-12-2012 03:20 PM
I'm assuming that your ASA is the default gateway for vlan 21. You need to change your default gateway on the ACE to be the ASA address on that subnet. I would also change your management interface to a different context on the ACE.
Are your rservers all on VLAN 31 and your ASA on VLAN 21? If so, it sounds like you have everything set up right with the exception of sending all traffic out the management interface. You could put some static routes for specific subnets or IPs on the management VLAN, but I think the better practice is probably to move your management interface to a different context and allocate that VLAN to that context.
03-13-2012 08:58 AM
I had the same issue. This was the solution provided by TAC.
policy-map type loadbalance first-match LB_lc3q-ui#v51a
  class class-default
    sticky-serverfarm ST_lc3q-ui#v51a
    action SSL_rewrite
    insert-http x-forward header-value "%is"
Your application code will need to read the header in order to get the client's real IP.
-Clint
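As an added example (not from the thread or from Cisco), here is how the application side of Clint's suggestion can read the inserted header safely. It assumes the header is the x-forward header from the config above, that after source NAT the server sees the ACE nat-pool address 192.168.71.154 as the TCP peer, and that a client-supplied copy of the header would appear to the left of the ACE-inserted value; it also covers the no-NAT case from the later reply, where the peer address already is the client.

```python
import ipaddress

# Constructed for this example: the address the real server sees as the TCP
# peer after the ACE source-NATs with nat-pool 192.168.71.154, and the header
# name used by the TAC-supplied "insert-http x-forward" line.
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.71.154")}
CLIENT_IP_HEADER = "x-forward"


def client_ip(peer_addr, headers):
    """Return the real client IP as a string, or None if it cannot be trusted.

    peer_addr: source IP of the TCP connection as the server sees it.
    headers:   dict of request headers (names compared case-insensitively).
    The inserted header is trusted only when the connection arrives from the
    ACE; a client reaching the server directly could put anything in it.
    """
    try:
        peer = ipaddress.ip_address(peer_addr)
    except ValueError:
        return None  # malformed peer address: nothing trustworthy to report

    if peer not in TRUSTED_PROXIES:
        # Not via the load balancer (e.g. NAT removed, or a direct hit):
        # the peer address itself is the client, and any header is ignored.
        return str(peer)

    value = None
    for name, v in headers.items():
        if name.lower() == CLIENT_IP_HEADER:
            value = v
            break
    if value is None:
        return None  # the ACE should have inserted it; fail closed, do not guess

    # Assumption: if a client sent its own copy, the values end up comma-joined
    # with the ACE-inserted one last, so the right-most entry is the real client.
    candidate = value.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None  # header present but not an IP address: refuse to use it
```

Log the returned value alongside the raw peer address so that a None result (header missing or malformed on a connection from the ACE) is visible in the application logs.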
03-13-2012 09:10 AM
Hi Clint,
Do you have any idea for UDP application?
Thanks,
Vincent
03-13-2012 09:25 AM
From my experience you will need to remove the NAT; otherwise the packets' source will be the ACE NAT address.
I know removing the NAT is probably not possible with your configuration. Unfortunately, your options are slim.
I would get TAC involved for a final solution.
-Clint