659 Views · 5 Helpful · 3 Replies
Beginner

ICMP and Real Servers ACE30

Hi All,

I am encountering the following issue.

I am trying to ping from different contexts the real servers behind the ACE.

I have configured on the interface of the Real Server outbound nat.

I can see in the connection table that the ICMP request is received and NAT is performed, but I am getting "request timed out".

I am successfully able to ping the VIP addresses. I have also tried removing icmp-guard, but this didn't help.

My question is whether I can somehow not use the outbound NAT for ICMP, or does someone have another solution to my problem?

The version being used on the ACE is 5.2.1.

Thanks in Advance.

Jack.

Accepted Solution

Cisco Employee

A TAC case was opened:

rserver1 -- ACE context 1 -- FWa - L3 device -- FWb --- ACE context 2 -- rserver2

Ping from rserver1 to rserver2 was not working.

We noticed that FWb was sending the request directly to rserver2, since its subnet is directly connected to it, and the rserver has its default GW as ACE context 2.

We configured source NAT on FWb similar to the following, and now it works fine.

access-list test extended permit icmp any host rserver2

nat (outsideIF) 123 access-list test outside
global (rserversIF) 123 interface

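The asymmetric path that TAC describes, modelled in Python as an added example (this is not code from the thread, from Cisco, or from any ACE/ASA tooling; every address, interface name and route is constructed, and the L3 device between FWa and FWb is collapsed into one link). Each ACE context and firewall is a stateful hop that forwards an echo-reply only if it saw the matching echo-request. Without source NAT the request reaches rserver2 straight from FWb, the reply goes to rserver2's default gateway (ACE context 2), which has no connection entry, and the ping times out. With the request sourced from FWb's rserversIF address, which is what the nat/global pair above achieves, rserver2 answers its directly connected neighbour FWb, the translation is undone, and the reply retraces the request's path.

```python
"""Constructed model of the TAC explanation: a stateful device drops an ICMP echo-reply
it never saw the request for, and source NAT on FWb removes the path asymmetry.
All addresses, interface names and routes are made up for this illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str  # "echo-request" or "echo-reply"


class Node:
    """A host or a stateful L3 device.  ifaces maps name -> "ip/prefixlen"."""

    def __init__(self, name, ifaces, routes=None, gateway=None, stateful=False):
        self.name = name
        self.ifaces = {n: ipaddress.ip_interface(a) for n, a in ifaces.items()}
        self.routes = {ipaddress.ip_network(p): nh for p, nh in (routes or {}).items()}
        self.gateway = gateway      # hosts: default next hop
        self.stateful = stateful    # ACE contexts and firewalls keep a connection table
        self.conns = set()          # (src, dst) of every echo-request this node forwarded
        self.snat_iface = None      # FWb only: egress interface whose address replaces the source
        self.snat_dst = None        # FWb only: the ACL's "host rserver2"
        self.xlate = {}             # (translated src, dst) -> original src

    def owns(self, ip):
        return any(str(i.ip) == ip for i in self.ifaces.values())

    def connected_iface(self, ip):
        addr = ipaddress.ip_address(ip)
        return next((n for n, i in self.ifaces.items() if addr in i.network), None)

    def next_hop(self, dst):
        """Directly connected wins, then longest-prefix route, then the host's gateway."""
        if self.connected_iface(dst):
            return dst
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes.items() if addr in net]
        if matches:
            return max(matches, key=lambda m: m[0].prefixlen)[1]
        return self.gateway

    def handle(self, pkt):
        """Process one packet.  Returns (next_hop_ip, outgoing_packet, note)."""
        if self.owns(pkt.dst):
            if pkt.kind == "echo-request":
                reply = Packet(pkt.dst, pkt.src, "echo-reply")
                return self.next_hop(reply.dst), reply, "reply"
            if (pkt.dst, pkt.src) in self.xlate:  # reply to our NAT address: undo the translation
                pkt = Packet(pkt.src, self.xlate[(pkt.dst, pkt.src)], pkt.kind)
            else:
                return None, None, "delivered"
        if self.stateful:
            if pkt.kind == "echo-request":
                self.conns.add((pkt.src, pkt.dst))
            elif (pkt.dst, pkt.src) not in self.conns:
                return None, None, "dropped (no connection entry for this reply)"
        nh = self.next_hop(pkt.dst)
        if nh is None:
            return None, None, "dropped (no route)"
        if (pkt.kind == "echo-request" and self.snat_iface
                and self.connected_iface(nh) == self.snat_iface and pkt.dst == self.snat_dst):
            nat_src = str(self.ifaces[self.snat_iface].ip)   # "global ... interface"
            self.xlate[(nat_src, pkt.dst)] = pkt.src
            pkt = Packet(nat_src, pkt.dst, pkt.kind)
        return nh, pkt, "forward"


def trace(nodes, origin, pkt, max_hops=16):
    """Follow a packet hop by hop.  Returns (outcome, [node names visited])."""
    owner = {str(i.ip): n.name for n in nodes.values() for i in n.ifaces.values()}
    node, path = nodes[origin], [origin]
    for _ in range(max_hops):
        nh, pkt, note = node.handle(pkt)
        if note == "delivered":
            return "delivered", path
        if note.startswith("dropped"):
            return f"{node.name} {note}", path
        if nh not in owner:
            return f"{node.name} dropped (no neighbour owns {nh})", path
        node = nodes[owner[nh]]
        path.append(node.name)
    return "loop", path


def build_topology(snat_on_fwb):
    """rserver1 -- ACE ctx1 -- FWa -- FWb -- ACE ctx2 -- rserver2, with FWb also directly
    connected to the rserver2 subnet, as in the TAC description (constructed addresses)."""
    nodes = [
        Node("rserver1", {"eth0": "10.1.1.10/24"}, gateway="10.1.1.1"),
        Node("ACE-ctx1", {"server": "10.1.1.1/24", "outside": "192.168.1.2/24"},
             routes={"0.0.0.0/0": "192.168.1.1"}, stateful=True),
        Node("FWa", {"toACE1": "192.168.1.1/24", "toFWb": "192.168.12.1/24"},
             routes={"10.1.1.0/24": "192.168.1.2", "0.0.0.0/0": "192.168.12.2"}, stateful=True),
        Node("FWb", {"outsideIF": "192.168.12.2/24", "toACE2": "192.168.2.1/24",
                     "rserversIF": "10.2.2.254/24"},
             routes={"10.1.1.0/24": "192.168.12.1"}, stateful=True),
        Node("ACE-ctx2", {"server": "10.2.2.1/24", "outside": "192.168.2.2/24"},
             routes={"0.0.0.0/0": "192.168.2.1"}, stateful=True),
        Node("rserver2", {"eth0": "10.2.2.10/24"}, gateway="10.2.2.1"),
    ]
    topo = {n.name: n for n in nodes}
    if snat_on_fwb:
        # Effect of "nat (outsideIF) 123 access-list test outside" + "global (rserversIF) 123
        # interface": ICMP to rserver2 leaving rserversIF is sourced from that interface's address.
        topo["FWb"].snat_iface, topo["FWb"].snat_dst = "rserversIF", "10.2.2.10"
    return topo


def ping(snat_on_fwb):
    """Echo-request from rserver1 to rserver2; returns (outcome, path)."""
    topo = build_topology(snat_on_fwb)
    return trace(topo, "rserver1", Packet("10.1.1.10", "10.2.2.10", "echo-request"))


if __name__ == "__main__":
    for snat in (False, True):
        outcome, path = ping(snat)
        print(f"SNAT on FWb: {snat!s:5} -> {outcome}\n    " + " -> ".join(path))
```

Running it prints the two traces: the first ends at ACE-ctx2 with the reply dropped for lack of a connection entry, the second ends with the reply delivered to rserver1 after passing back through FWb, FWa and ACE-ctx1. The model is a simplification (ICMP only, one flow, no reverse-path checks), but it captures the diagnostic point: when a stateful device sits on only one direction of a flow, the return traffic has to be forced back through the device that saw the request.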

3 Replies
Beginner

Hi Jack

Is this the traffic flow?

Client ----- ICMP -----> ACE ----> Server

And you are trying to ping the server from the client directly?

Can you attach the configuration?

Thanks

Vikas Purbiya

Enthusiast

Question: I am trying to ping from different contexts the real servers behind the ACE.

Answer: Every context in ACE behaves as an individual load balancer. They have their own routing and switching decisions. If you have configured servers in context ABC and are trying to ping from context CDE, this will not work.

Inter-context communication is not allowed within the ACE. Even if both contexts are sharing a common VLAN, you need another L3 device to make them communicate.
