chuck.kaezykiii
Beginner

I cannot ping any VIP from within the ACE or from rservers

I cannot ping any VIP from within the ACE or from rservers.  Is this expected?  I have rservers in other serverfarms that need to be able to communicate with the VIP of other serverfarms.  Any help is greatly appreciated.

3 REPLIES
gaursin2
Beginner

Hi Chuck,

Pinging a VIP from the ACE itself is not allowed, but you can ping it from an rserver. Rservers accessing VIPs is a normal setup and works. Please can you share the config of the desired contexts where this is not working?

Thanks for your reply. Here is the config. I removed other rserver and serverfarm config that does not have to do with this issue.

logging enable
logging fastpath
logging standby
logging console 4
logging timestamp
logging trap 4
logging history 4
logging buffered 4
logging persistent 4
logging monitor 4
logging device-id hostname
logging host 172.26.254.185 udp/514
logging host 172.26.221.25 udp/514
access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
access-list INBOUND line 24 extended permit tcp any any
access-list INBOUND line 32 extended permit udp any any
access-list ORADB line 8 extended permit tcp any any
probe http CITRIX
  interval 30
  passdetect interval 15
  passdetect count 6
  open 1
probe tcp HYPERION
  port 19000
  interval 2
  faildetect 2
  passdetect interval 2
  passdetect count 2
  receive 2
  open 1
probe icmp PROBE_SERVICE_ICMP
  interval 5
  passdetect interval 5
probe tcp W15SPSWFET001_PROBE
  interval 5
  passdetect interval 5
  connection term forced
  open 1
parameter-map type connection TIMEOUT
  set timeout inactivity 43200
parameter-map type http test
  persistence-rebalance
  set header-maxparse-length 2006
rserver host w0bairwatch003
  description MDM-SEG
  ip address 172.20.60.73
  inservice
rserver host w0bairwatch004
  description MDM-SEG
  ip address 172.20.60.74
  inservice
rserver host w0bairwatch005
  description MDM-DEVICE
  ip address 172.20.60.75
  inservice
rserver host w0bairwatch006
  description MDM-DEVICE
  ip address 172.20.60.76
  inservice
rserver host w0bhamobile001
  description Lotus Notes Traveler Server
  ip address 172.20.60.57
  inservice
rserver host w0bhamobile002
  description Lotus Notes Traveler Server
  ip address 172.20.60.58
  inservice
serverfarm host MDMDEVICE
  predictor leastconns
  probe PROBE_SERVICE_ICMP
  rserver w0bairwatch005
    inservice
  rserver w0bairwatch006
serverfarm host MDMSEG
  predictor leastconns
  probe PROBE_SERVICE_ICMP
  rserver w0bairwatch003
    inservice
  rserver w0bairwatch004
    inservice
serverfarm host TRAVLR
  predictor leastconns
  probe PROBE_SERVICE_ICMP
  rserver w0bhamobile001
    inservice
  rserver w0bhamobile002
    inservice
class-map match-all MDMDEVICE-VIP
  2 match virtual-address 172.20.48.35 any
class-map match-all MDMSEG-VIP
  2 match virtual-address 172.20.48.33 any
class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match
  201 match protocol ssh any
  202 match protocol telnet any
  203 match protocol icmp any
  204 match protocol https any
  205 match protocol http any
  206 match protocol xml-https any
  207 match protocol snmp any
class-map match-all TRAVLR-VIP
  2 match virtual-address 172.20.48.34 any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match MDMDEVICE
  class class-default
    serverfarm MDMDEVICE
policy-map type loadbalance first-match MDMSEG
  class class-default
    serverfarm MDMSEG
policy-map type loadbalance first-match TRAVLR
  class class-default
    serverfarm TRAVLR
policy-map multi-match CLIENTS-VIPS
  class MDMDEVICE-VIP
    loadbalance vip inservice
    loadbalance policy MDMDEVICE
    loadbalance vip icmp-reply active
  class MDMSEG-VIP
    loadbalance vip inservice
    loadbalance policy MDMSEG
    loadbalance vip icmp-reply active
  class TRAVLR-VIP
    loadbalance vip inservice
    loadbalance policy TRAVLR
    loadbalance vip icmp-reply active
interface vlan 48
  ip address 172.20.48.10 255.255.255.0
  access-group input INBOUND
  access-group output INBOUND
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input CLIENTS-VIPS
  no shutdown
interface vlan 60
  ip address 172.20.60.10 255.255.255.0
  access-group input INBOUND
  access-group output INBOUND
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.20.48.1

Hi Chuck,

This is actually expected. Check this link:

"For security reasons, the ACE does not allow pings from an interface on a VLAN on one side of the ACE through the ACE to an interface on a different VLAN on the other side of the ACE. For example, a host can ping the ACE address that is on the IP subnet using the same VLAN as the host, but cannot ping IP addresses configured on other VLANs on the ACE."

http://www.cisco.com/en/US/customer/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/rtg_brdg/guide/vlansif.html#wp1062951

---------------------
Cesar R
ANS Team
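
The same-VLAN test from the documentation quoted above, applied to the addressing in the posted config, as an added example that is not part of the original thread: it parses the `interface vlan`, `rserver host` and `class-map` virtual-address stanzas and reports, for each rserver/VIP pair, which ACE VLAN subnet each address falls in and whether they match. The function names and the trimmed sample config are constructed for illustration.

```python
import ipaddress

# Constructed sample: stanzas trimmed from the config posted in this thread.
SAMPLE_CONFIG = """\
rserver host w0bairwatch005
  ip address 172.20.60.75
class-map match-all MDMDEVICE-VIP
  2 match virtual-address 172.20.48.35 any
class-map type management match-any REMOTE_ACCESS
  203 match protocol icmp any
interface vlan 48
  ip address 172.20.48.10 255.255.255.0
interface vlan 60
  ip address 172.20.60.10 255.255.255.0
"""

# First two words of a stanza header -> the kind of object it defines.
HEADS = {"interface vlan": "vlan", "rserver host": "rserver",
         "class-map match-all": "vip", "class-map match-any": "vip"}

def parse(config):
    """Return {'vlan': {id: IPv4Interface}, 'rserver': {...}, 'vip': {...}}."""
    found = {"vlan": {}, "rserver": {}, "vip": {}}
    kind = name = None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue  # tolerate pastes with blank lines between commands
        if not line[0].isspace():  # unindented line opens a new stanza
            kind = HEADS.get(" ".join(words[:2])) if len(words) > 2 else None
            name = words[2] if kind else None
        elif kind == "vlan" and words[:2] == ["ip", "address"] and len(words) == 4:
            found["vlan"][int(name)] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif kind == "rserver" and words[:2] == ["ip", "address"] and len(words) == 3:
            found["rserver"][name] = ipaddress.ip_address(words[2])
        elif kind == "vip" and words[1:3] == ["match", "virtual-address"] and len(words) > 3:
            found["vip"][name] = ipaddress.ip_address(words[3])
    return found

def vlan_of(addr, vlans):
    """VLAN id of the ACE interface whose subnet contains addr, else None."""
    return next((vid for vid, iface in vlans.items() if addr in iface.network), None)

def ping_matrix(config):
    """One row per rserver/VIP pair: (rserver, src_vlan, vip, dst_vlan, same_vlan)."""
    cfg = parse(config)
    rows = []
    for rname, raddr in cfg["rserver"].items():
        for vname, vaddr in cfg["vip"].items():
            src, dst = vlan_of(raddr, cfg["vlan"]), vlan_of(vaddr, cfg["vlan"])
            rows.append((rname, src, vname, dst, src is not None and src == dst))
    return rows
```

For the sample, the rserver resolves to VLAN 60 and the VIP to VLAN 48, so the pair is reported as crossing VLANs.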