09-08-2011 03:27 PM
Dear All
We have two Cisco ACE 4710s, one (ACE-1) for load balancing OCS Frontend servers and the other (ACE-2) for load balancing OCS edge servers. After doing the following configuration we could not ping the VIPs (10.x.1.55 and 172.16.x.20).
Could you please check this configuration and help me to solve this issue?
hostname ACE-1
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
speed 1000M
duplex FULL
switchport trunk allowed vlan 100
no shutdown
interface gigabitEthernet 1/3
no shutdown
interface gigabitEthernet 1/4
switchport access vlan 500
no shutdown
access-list ALL line 8 extended permit ip any any
access-list qqq line 8 extended permit icmp any any
probe tcp FQDN-CWA-1
ip address 10.x.1.53 routed
interval 15
passdetect interval 60
open 1
probe tcp FQDN-CWA-2
ip address 10.x.1.54
interval 15
passdetect interval 60
open 1
probe tcp FQDN-OCSPool-3
ip address 10.x.1.51
interval 15
passdetect interval 60
open 1
probe tcp FQDN-OCSPool-4
ip address 10.x.1.52 routed
interval 15
passdetect interval 60
open 1
probe icmp FQDN-ocspool-1
description monitoring probe for the first FQDN-ocspool server
ip address 10.x.1.51 routed
interval 5
passdetect interval 10
passdetect count 2
receive 5
probe icmp FQDN-ocspool-2
description monitoring probe for the second FQDN-ocspool server
ip address 10.x.1.52 routed
interval 5
passdetect interval 10
passdetect count 2
receive 5
probe tcp OCE01
ip address 172.16.x.9 routed
port 443
interval 15
passdetect interval 60
open 1
probe tcp OCE02
ip address 172.16.x.10 routed
port 443
interval 15
passdetect interval 60
open 1
rserver host FQDN-CWA-1
ip address 10.x.1.53
inservice
rserver host FQDN-CWA-2
ip address 10.x.1.54
inservice
rserver host FQDN-ocspool-1
ip address 10.x.1.51
inservice
rserver host FQDN-ocspool-2
ip address 10.x.1.52
inservice
rserver host OCE01
ip address 172.16.x.9
conn-limit max 4000000 min 4000000
inservice
rserver host OCE02
ip address 172.16.x.10
conn-limit max 4000000 min 4000000
inservice
serverfarm host FQDN-CWA-servers
description this server farm load-balances between FQDN-CWA-1 and FQDN-CWA-2
rserver FQDN-CWA-1
probe FQDN-CWA-1
inservice
rserver FQDN-CWA-2
probe FQDN-CWA-2
inservice
serverfarm host FQDN-OCSPool-Servers
rserver FQDN-ocspool-1
conn-limit max 4000000 min 4000000
probe FQDN-OCSPool-3
inservice
rserver FQDN-ocspool-2
conn-limit max 4000000 min 4000000
probe FQDN-OCSPool-4
inservice
serverfarm host OCE
description This serverfarm is for OCE01&2
rserver OCE01
probe OCE01
inservice
rserver OCE02
probe OCE02
inservice
class-map match-all FQDN-CWA
2 match virtual-address 10.x.1.56 any
class-map match-all FQDN-OCSPool
2 match virtual-address 10.x.1.57 any
class-map match-all L4VIPCLASS
2 match virtual-address 10.x.1.55 any
class-map type management match-any remote_access
2 match protocol xml-https any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
class class-default
permit
policy-map type loadbalance first-match FQDN-CWA
class class-default
serverfarm FQDN-CWA-servers
policy-map type loadbalance first-match FQDN-OCSPool-l7slb
class class-default
serverfarm FQDN-OCSPool-Servers
policy-map type loadbalance first-match OCE
class class-default
serverfarm OCE
policy-map multi-match VIPs
class L4VIPCLASS
loadbalance vip inservice
loadbalance policy OCE
loadbalance vip icmp-reply active
class FQDN-CWA
loadbalance vip inservice
loadbalance policy FQDN-CWA
loadbalance vip icmp-reply active
nat dynamic 1 vlan 100
class FQDN-OCSPool
loadbalance vip inservice
loadbalance policy FQDN-OCSPool-l7slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 100
interface vlan 100
ip address 10.x.1.110 255.255.255.0
access-group input ALL
access-group output ALL
nat-pool 1 10.x.1.240 10.x.1.249 netmask 255.255.255.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input VIPs
no shutdown
interface vlan 500
ip address 10.x.5.1 255.255.255.0
access-group input ALL
access-group output ALL
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 600
ip address 10.x.6.4 255.255.255.0
access-group input ALL
access-group output ALL
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 1000
ip address 1.1.1.1 255.255.255.0
access-group input ALL
access-group output ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 10.x.5.2
ip route 10.x.2.0 255.255.255.0 10.x.5.2
ip route 78.x.x.240 255.255.255.240 10.x.5.2
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1 100
service-policy: VIPs
class: FQDN-CWA
nat:
nat dynamic 1 vlan 100
curr conns : 0 , hit count : 41
dropped conns : 0
client pkt count : 2788 , client byte count: 904455
server pkt count : 7311 , server byte count: 9541139
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
VIP Address: Protocol: Port:
10.x.1.56 any
loadbalance:
L7 loadbalance policy: FQDN-CWA
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 41
dropped conns : 0
client pkt count : 2788 , client byte count: 904455
server pkt count : 7311 , server byte count: 9541139
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : FQDN-CWA
class/match : class-default
LB action :
primary serverfarm: FQDN-CWA-servers
state: UP
backup serverfarm : -
hit count : 41
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1 100
service-policy: VIPs
class: FQDN-OCSPool
nat:
nat dynamic 1 vlan 100
curr conns : 15 , hit count : 6757
dropped conns : 105
client pkt count : 735221 , client byte count: 207648039
server pkt count : 496785 , server byte count: 73460926
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
VIP Address: Protocol: Port:
10.x.1.57 any
loadbalance:
L7 loadbalance policy: FQDN-OCSPool-l7slb
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 15 , hit count : 7061
dropped conns : 370
client pkt count : 735618 , client byte count: 207669423
server pkt count : 496785 , server byte count: 73460926
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : FQDN-OCSPool-l7slb
class/match : class-default
LB action :
primary serverfarm: FQDN-OCSPool-Servers
state: UP
backup serverfarm : -
hit count : 6800
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1 100
service-policy: VIPs
class: L4VIPCLASS
VIP Address: Protocol: Port:
10.x.1.55 any
loadbalance:
L7 loadbalance policy: OCE
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP state: OUTOFSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 6
dropped conns : 6
client pkt count : 6 , client byte count: 839
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : OCE
class/match : class-default
LB action :
primary serverfarm: OCE
state: DOWN
backup serverfarm : -
hit count : 0
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
hostname ACE-2
interface gigabitEthernet 1/1
description connection to the ASA
switchport access vlan 300
no shutdown
interface gigabitEthernet 1/2
description trunk with DELL SW module A1
switchport trunk allowed vlan 200,250,600
no shutdown
interface gigabitEthernet 1/3
switchport access vlan 500
no shutdown
interface gigabitEthernet 1/4
no shutdown
context Admin
member Sticky
access-list anyone line 8 extended permit ip any any
access-list qqq line 8 extended permit ip any host 10.x.2.3
access-list qqq line 16 extended permit ip host 10.x.2.3 any
probe tcp Edge-1
ip address 78.x.x.244 routed
port 443
interval 15
passdetect interval 60
open 1
probe tcp Edge-2
ip address 78.x.x.245 routed
port 443
interval 15
passdetect interval 60
open 1
probe tcp Edge-3
ip address 78.x.x.246 routed
port 443
interval 15
passdetect interval 60
open 1
probe tcp Edge-4
ip address 78.x.x.250 routed
port 443
interval 15
passdetect interval 60
open 1
probe tcp Edge-5
ip address 78.x.x.251 routed
port 443
interval 15
passdetect interval 60
open 1
probe tcp Edge-6
ip address 78.x.x.252 routed
port 443
interval 15
passdetect interval 60
open 1
probe tcp FrontEnd-01
ip address 10.x.1.51 routed
port 5061
interval 15
passdetect interval 60
open 1
probe tcp FrontEnd-02
ip address 10.x.1.52 routed
port 5061
interval 15
passdetect interval 60
open 1
rserver host DTSHQ-1
ip address 78.x.x.244
inservice
rserver host DTSHQ-2
ip address 78.x.x.245
inservice
rserver host DTSHQ-3
ip address 78.x.x.246
inservice
rserver host DTSHQ-4
ip address 78.x.x.250
inservice
rserver host DTSHQ-5
ip address 78.x.x.251
inservice
rserver host DTSHQ-6
ip address 78.x.x.252
inservice
rserver host DTSHQ-OCE01
ip address 172.16.x.9
inservice
rserver host DTSHQ-OCE02
ip address 172.16.x.10
inservice
rserver host FrontEnd-01
ip address 10.x.1.10
conn-limit max 4000000 min 4000000
inservice
rserver host FrontEnd-02
ip address 10.x.1.52
conn-limit max 4000000 min 4000000
inservice
serverfarm host DTSHQ-servers
rserver DTSHQ-1
probe Edge-1
inservice
rserver DTSHQ-4
probe Edge-4
inservice
serverfarm host DTSHQ-servers1
rserver DTSHQ-2
probe Edge-2
inservice
rserver DTSHQ-5
probe Edge-5
inservice
serverfarm host DTSHQ-servers2
rserver DTSHQ-3
probe Edge-3
inservice
rserver DTSHQ-6
probe Edge-6
inservice
serverfarm host FrontEnd
rserver FrontEnd-01
probe FrontEnd-01
inservice
rserver FrontEnd-02
probe FrontEnd-02
inservice
sticky ip-netmask 255.255.255.240 address source Internet-Users
timeout 180
timeout activeconns
serverfarm DTSHQ-servers
sticky ip-netmask 255.255.255.240 address source Internet-Users1
timeout 180
timeout activeconns
serverfarm DTSHQ-servers1
sticky ip-netmask 255.255.255.240 address source Internet-Users2
timeout 180
timeout activeconns
serverfarm DTSHQ-servers2
class-map match-all FrontEnd
2 match virtual-address 172.16.x.20 any
class-map match-all L4VIPCLASS-1-any
2 match virtual-address 10.x.2.4 any
class-map match-all L4VIPCLASS-2-any
2 match virtual-address 10.x.2.5 any
class-map match-all L4VIPCLASS-any
2 match virtual-address 10.x.2.3 any
class-map type management match-any remote_access
2 match protocol xml-https any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
class class-default
permit
policy-map type loadbalance first-match DTSHQ-servers
class class-default
sticky-serverfarm Internet-Users
policy-map type loadbalance first-match DTSHQ-servers1
class class-default
sticky-serverfarm Internet-Users1
policy-map type loadbalance first-match DTSHQ-servers2
class class-default
sticky-serverfarm Internet-Users2
policy-map type loadbalance first-match FrontEnd
class class-default
serverfarm FrontEnd
policy-map multi-match DTSHQ-servers-LB
class L4VIPCLASS-any
loadbalance vip inservice
loadbalance policy DTSHQ-servers
loadbalance vip icmp-reply active
class L4VIPCLASS-1-any
loadbalance vip inservice
loadbalance policy DTSHQ-servers1
loadbalance vip icmp-reply active
class L4VIPCLASS-2-any
loadbalance vip inservice
loadbalance policy DTSHQ-servers2
loadbalance vip icmp-reply active
policy-map multi-match L4FrontEnd
class FrontEnd
loadbalance vip inservice
loadbalance policy FrontEnd
loadbalance vip icmp-reply active
interface vlan 200
ip address 78.x.x.243 255.255.255.240
access-group input anyone
access-group output anyone
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 250
ip address 172.16.x.98 255.255.255.0
access-group input anyone
access-group output anyone
service-policy input remote_mgmt_allow_policy
service-policy input L4FrontEnd
no shutdown
interface vlan 300
description communication vlan with the ASA
ip address 10.x.2.2 255.255.255.0
access-group input anyone
access-group output anyone
service-policy input remote_mgmt_allow_policy
service-policy input DTSHQ-servers-LB
no shutdown
interface vlan 500
description Connection to ACE-1
ip address 10.x.5.2 255.255.255.0
access-group input anyone
access-group output anyone
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 600
ip address 10.x.6.3 255.255.255.0
access-group input anyone
access-group output anyone
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 10.x.2.1
ip route 10.x.1.0 255.255.255.0 10.x.5.1
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1 250
service-policy: L4FrontEnd
class: FrontEnd
VIP Address: Protocol: Port:
172.16.x.20 any
loadbalance:
L7 loadbalance policy: FrontEnd
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP state: OUTOFSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 5
dropped conns : 5
client pkt count : 5 , client byte count: 610
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : FrontEnd
class/match : class-default
LB action :
primary serverfarm: FrontEnd
state: DOWN
backup serverfarm : -
hit count : 0
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1 300
service-policy: DTSHQ-servers-LB
class: L4VIPCLASS-1-any
VIP Address: Protocol: Port:
10.x.2.4 any
loadbalance:
L7 loadbalance policy: DTSHQ-servers1
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 1461
dropped conns : 96
client pkt count : 19015 , client byte count: 3214677
server pkt count : 18643 , server byte count: 6141422
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : DTSHQ-servers1
class/match : class-default
LB action :
sticky group: Internet-Users1
primary serverfarm: DTSHQ-servers1
state: UP
backup serverfarm : -
hit count : 1441
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1 300
service-policy: DTSHQ-servers-LB
class: L4VIPCLASS-2-any
VIP Address: Protocol: Port:
10.x.2.5 any
loadbalance:
L7 loadbalance policy: DTSHQ-servers2
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 1087
dropped conns : 67
client pkt count : 10309 , client byte count: 1285741
server pkt count : 10098 , server byte count: 1758646
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : DTSHQ-servers2
class/match : class-default
LB action :
sticky group: Internet-Users2
primary serverfarm: DTSHQ-servers2
state: UP
backup serverfarm : -
hit count : 1085
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1 300
service-policy: DTSHQ-servers-LB
class: L4VIPCLASS-any
VIP Address: Protocol: Port:
10.x.2.3 any
loadbalance:
L7 loadbalance policy: DTSHQ-servers
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 1021
dropped conns : 71
client pkt count : 14750 , client byte count: 1636324
server pkt count : 12807 , server byte count: 5138009
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : DTSHQ-servers
class/match : class-default
LB action :
sticky group: Internet-Users
primary serverfarm: DTSHQ-servers
state: UP
backup serverfarm : -
hit count : 1021
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
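Added example, not part of the original post: the output above reports `VIP ICMP Reply : ENABLED-WHEN-ACTIVE` for every class, so a VIP whose state is OUTOFSERVICE (because its serverfarm is DOWN) will not answer ping. The Python sketch below parses output in that format and lists those VIPs; the sample text is constructed from the thread's output, and the function and field names are assumptions of this example.

```python
import re

# Constructed sample in the format of the service-policy detail output quoted
# in the post (addresses are the redacted placeholders used in the thread).
SAMPLE = """\
service-policy: VIPs
class: FQDN-CWA
VIP Address: Protocol: Port:
10.x.1.56 any
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
primary serverfarm: FQDN-CWA-servers
state: UP
class: L4VIPCLASS
VIP Address: Protocol: Port:
10.x.1.55 any
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP state: OUTOFSERVICE
class/match : class-default
primary serverfarm: OCE
state: DOWN
"""

FIELDS = {
    "class": r"^class:\s*(\S+)",
    "icmp_reply": r"^VIP ICMP Reply\s*:\s*(\S+)",
    "vip_state": r"^VIP state:\s*(\S+)",
    "serverfarm": r"^primary serverfarm:\s*(\S+)",
    "farm_state": r"^state:\s*(\S+)",
}

def parse_vips(text):
    """Return one dict per 'class:' block with the FIELDS keys plus 'vip'."""
    vips, prev = [], ""
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith("class:"):   # "class/match :" does not start a block
            vips.append({})
        if vips and prev.startswith("VIP Address:"):
            vips[-1]["vip"] = line.split()[0]   # address is on the next line
        for key, pat in FIELDS.items():
            m = re.match(pat, line, re.I)
            if m and vips:
                vips[-1].setdefault(key, m.group(1))
        prev = line
    return vips

def icmp_silent(vips):
    """VIPs that will not answer ping: reply-when-active and not in service."""
    return [v.get("vip") for v in vips
            if v.get("icmp_reply") == "ENABLED-WHEN-ACTIVE"
            and v.get("vip_state") != "INSERVICE"]
```

For each address it returns, the next thing to look at is why the probes attached to that serverfarm's real servers are failing.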
09-12-2011 09:57 PM
You want to reach your VIPs over VLAN 500, why not put your service-policy there?
interface vlan 500
ip address 10.x.5.1 255.255.255.0
access-group input ALL
access-group output ALL
service-policy input remote_mgmt_allow_policy
service-policy input VIPs
no shutdown
09-16-2011 03:28 AM
Hi Marko
I tried it but it did not work
best regards,
09-12-2011 04:49 PM
Hi All
Do you think it's logical to connect two load balancers together directly by cable as uplink switches, or should we connect them by a switch?