Load balancer configuration.

tuhinbhowmick
Level 1

Dear All,

Kindly check the below mentioned configuration and let me know whether the configuration is OK or not, as I'm having limited knowledge of the ACE 4710. Also I have attached a diagram of the physical connectivity.

Also let me know, if I want to add 2 more application servers, what configuration I have to do.

Generating configuration....


boot system image:c4710ace-mz.A3_2_0.bin

hostname SLB-PRI
interface gigabitEthernet 1/1
  description #### LB ####
  switchport access vlan 1001
  no shutdown
interface gigabitEthernet 1/2
  description #### FT-VLAN-HA ####
  switchport access vlan 200
  no shutdown
interface gigabitEthernet 1/3
  no shutdown
interface gigabitEthernet 1/4
  description #### Mgmt-VLAN ####
  switchport access vlan 1000
  no shutdown

clock timezone standard GMT
ntp server 164.*.*.1
access-list ALL line 8 extended permit ip any any

rserver host WS001
  ip address 10.*.*.5
  conn-limit max 4000000 min 4000000
  inservice
rserver host WS002
  ip address 10.*.*.6
  conn-limit max 4000000 min 4000000
  inservice
rserver host WS003
  ip address 10.*.*.8
  conn-limit max 4000000 min 4000000
  inservice
rserver host WS004
  ip address 10.*.*.9
  conn-limit max 4000000 min 4000000
  inservice

serverfarm host 1
  rserver WS001 80
    conn-limit max 4000000 min 4000000
    inservice
  rserver WS001 443
    conn-limit max 4000000 min 4000000
    inservice
  rserver WS002 80
    conn-limit max 4000000 min 4000000
    inservice
  rserver WS002 443
    conn-limit max 4000000 min 4000000
    inservice
serverfarm host 2
  rserver WS003 80
    conn-limit max 4000000 min 4000000
    inservice
  rserver WS003 443
    conn-limit max 4000000 min 4000000
    inservice
  rserver WS004 80
    conn-limit max 4000000 min 4000000
    inservice
  rserver WS004 443
    conn-limit max 4000000 min 4000000
    inservice

class-map match-all Web-linux
  2 match virtual-address 10.*.*.32 tcp eq www
class-map match-all Web-linux-2
  2 match virtual-address 10.*.*.32 tcp eq https
class-map match-all WebSLB
  2 match virtual-address 10.*.*.30 tcp eq www
class-map match-all WebSLB-1
  2 match virtual-address 10.*.*.30 tcp eq https
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

policy-map type loadbalance first-match Web-linux-2-l7slb
  class class-default
    serverfarm 2
policy-map type loadbalance first-match Web-linux-l7slb
  class class-default
    serverfarm 2
policy-map type loadbalance first-match WebSLB-1-l7slb
  class class-default
    serverfarm 1
policy-map type loadbalance first-match WebSLB-l7slb
  class class-default
    serverfarm 1

policy-map multi-match global
  class Web-linux
    loadbalance vip inservice
    loadbalance policy Web-linux-l7slb
    loadbalance vip icmp-reply active
  class Web-linux-2
    loadbalance vip inservice
    loadbalance policy Web-linux-2-l7slb
policy-map multi-match int1001
  class WebSLB
    loadbalance vip inservice
    loadbalance policy WebSLB-l7slb
  class WebSLB-1
    loadbalance vip inservice
    loadbalance policy WebSLB-1-l7slb

service-policy input global

interface vlan 1000
  peer ip address 192.168.1.2 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 1001
  description TSDCPPWS001
  ip address 10.*.*.28 255.255.255.224
  alias 10.*.*.30 255.255.255.224
  peer ip address 10.*.*.29 255.255.255.224
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown

ft interface vlan 200
  ip address 2.2.2.1 255.255.255.0
  peer ip address 2.2.2.2 255.255.255.0
  no shutdown

ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 200
ft group 1
  peer 1
  peer priority 200
  associate-context Admin
  inservice
 
ft track interface TRACK_VLAN1001
  peer track-interface vlan 1001
  priority 50
  peer priority 5

ip route 10.*.*.0 255.255.0.0 10.*.*.1

fault-domain

domain default-domain
ssh key rsa 1024 force

Please share your valuable comments with me; it will be a great help for me.

With regards,

TB

12 Replies

Daniel Arrondo Ostiz
Cisco Employee

Hi Tuhin,

At first sight, everything seems to be fine. Are you concerned about specific parts of it? If so, I can have a deeper look at those.

Regards

Daniel

Hi,

We have two webservers, WS001 (10.*.*.5) and WS002 (10.*.*.6), and we want to access those webservers through one public IP from the outside world. For that we have mapped the public IP to 10.*.*.30 in our Fortigate firewall and done the mentioned configuration on our Cisco SLB.

Now we want to access our webservers through the public IP, and it should give us the initial IIS 7 page whenever we hit the public IP through a browser. But instead of that we get the login prompt for the Cisco SLB.

We have also performed the test by mapping the public IP to any of our web servers' IPs on our FW, and we got the initial IIS 7 page. But through the Cisco SLB it is not working.

I am using this Cisco SLB for the first time. So, could you please help me out in this regard.

Regards,

TB

Hi Tuhin,

Thank you for the clarifications. Looking in more detail I can now see where the issue is.

You are using the same IP address (10.*.*.30) for both the alias in VLAN 1001 and the WebSLB class-map. The alias IP in a VLAN should only be used for routing purposes, so you cannot use it also for load-balancing. Changing the IP address in the class-map to something different should solve the problem.

I also spotted another misconfiguration. In the "1" serverfarm, you added the servers for both port 80 and port 443. With that configuration, new requests will be load-balanced between both ports regardless of the original port used by the client. I assume that what you are trying to do is sending connections from the client on port 80 to the server on port 80 and the same for port 443. To achieve this, you have 2 options:

  • Use one single serverfarm without defining ports on the servers. In that case, the backend connection will use the same port as the frontend one.
  • Define two different serverfarms, each for a different port.

I hope the explanations make sense. Just let me know if you need more help.

Daniel
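Both of Daniel's findings above can be checked mechanically against a `show running-config` dump. The following Python lint is an added example, not code from the thread or from Cisco; it assumes the ACE convention that child lines are indented under an unindented block header, parses a constructed excerpt of the posted config (masked addresses kept as literal strings), and reports a VIP that coincides with an interface IP, alias or peer address, as well as a serverfarm whose rservers carry mixed ports.

```python
import re
from collections import defaultdict

# Constructed excerpt of the thread's posted config (masked addresses kept as
# literal strings); just enough to trigger both findings.
SAMPLE_CONFIG = """
serverfarm host 1
  rserver WS001 80
  rserver WS001 443
class-map match-all WebSLB
  2 match virtual-address 10.*.*.30 tcp eq www
interface vlan 1001
  ip address 10.*.*.28 255.255.255.224
  alias 10.*.*.30 255.255.255.224
"""

def lint_ace(config):
    farm_ports = defaultdict(set)  # serverfarm name -> ports of its rservers
    vips = {}                      # class-map name -> VIP address
    iface_ips = {}                 # ip / alias / peer address -> owning interface
    block = None                   # header of the current top-level block
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():   # an unindented line opens a new block
            block = line
            continue
        if block is None:
            continue
        if block.startswith("serverfarm "):
            m = re.match(r"rserver \S+ (\d+)$", line)
            if m:
                farm_ports[block.split()[-1]].add(int(m.group(1)))
        elif block.startswith("class-map "):
            m = re.match(r"\d+ match virtual-address (\S+) tcp eq \S+$", line)
            if m:
                vips[block.split()[-1]] = m.group(1)
        elif block.startswith("interface vlan "):
            m = re.match(r"(?:peer )?(?:ip address|alias) (\S+) \S+$", line)
            if m:
                iface_ips[m.group(1)] = block
    findings = []
    for cmap, vip in sorted(vips.items()):
        if vip in iface_ips:
            findings.append(f"class-map {cmap}: VIP {vip} is also an address on {iface_ips[vip]}")
    for farm, ports in sorted(farm_ports.items()):
        if len(ports) > 1:
            findings.append(f"serverfarm {farm}: rservers mix ports {sorted(ports)}")
    return findings
```

Running `lint_ace` over the full posted config flags class-map WebSLB against the alias on interface vlan 1001 and both serverfarms for mixing ports 80 and 443; after the VIP is moved to 10.*.*.25 only the serverfarm findings remain.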

Hi Daniel,

Sorry for the late reply. I was not well for the last couple of days.

As per your suggestion we have changed the class-map virtual IP to 10.*.*.25, and we have kept the alias IP 10.*.*.30 of the ACE as it is.

Also we have mapped our public IP to 10.*.*.25. But the problem still persists.

Please find below the modified configuration for your reference. Also attaching the diagram of physical connectivity.

Generating configuration....


boot system image:c4710ace-mz.A3_2_0.bin

hostname SLB-PRI
interface gigabitEthernet 1/1
  description #### LB ####
  switchport access vlan 1001
  no shutdown
interface gigabitEthernet 1/2
  description #### FT-VLAN-HA ####
  switchport access vlan 200
  no shutdown
interface gigabitEthernet 1/3
  no shutdown
interface gigabitEthernet 1/4
  description #### Mgmt-VLAN ####
  switchport access vlan 1000
  no shutdown

clock timezone standard GMT
ntp server 164.*.*.1
access-list ALL line 8 extended permit ip any any

rserver host WS001
  ip address 10.*.*.5
  conn-limit max 4000000 min 4000000
  inservice
rserver host WS002
  ip address 10.*.*.6
  conn-limit max 4000000 min 4000000
  inservice
rserver host WS003
  ip address 10.*.*.8
  conn-limit max 4000000 min 4000000
  inservice
rserver host WS004
  ip address 10.*.*.9
  conn-limit max 4000000 min 4000000
  inservice

serverfarm host 1
  rserver WS001 80
    conn-limit max 4000000 min 4000000
    inservice
  rserver WS001 443
    conn-limit max 4000000 min 4000000
    inservice
  rserver WS002 80
    conn-limit max 4000000 min 4000000
    inservice
  rserver WS002 443
    conn-limit max 4000000 min 4000000
    inservice
serverfarm host 2
  rserver WS003 80
    conn-limit max 4000000 min 4000000
    inservice
  rserver WS003 443
    conn-limit max 4000000 min 4000000
    inservice
  rserver WS004 80
    conn-limit max 4000000 min 4000000
    inservice
  rserver WS004 443
    conn-limit max 4000000 min 4000000
    inservice


class-map match-all WebSLB
  2 match virtual-address 10.*.*.25 tcp eq www
class-map match-all WebSLB-1
  2 match virtual-address 10.*.*.25 tcp eq https


class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

policy-map type loadbalance first-match Web-linux-2-l7slb
  class class-default
    serverfarm 2
policy-map type loadbalance first-match Web-linux-l7slb
  class class-default
    serverfarm 2
policy-map type loadbalance first-match WebSLB-1-l7slb
  class class-default
    serverfarm 1
policy-map type loadbalance first-match WebSLB-l7slb
  class class-default
    serverfarm 1

policy-map multi-match global
  class Web-linux
    loadbalance vip inservice
    loadbalance policy Web-linux-l7slb
    loadbalance vip icmp-reply active
  class Web-linux-2
    loadbalance vip inservice
    loadbalance policy Web-linux-2-l7slb
policy-map multi-match int1001
  class WebSLB
    loadbalance vip inservice
    loadbalance policy WebSLB-l7slb
  class WebSLB-1
    loadbalance vip inservice
    loadbalance policy WebSLB-1-l7slb

service-policy input global

interface vlan 1000
  peer ip address 192.168.1.2 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 1001
  description TSDCPPWS001
  ip address 10.*.*.28 255.255.255.224
  alias 10.*.*.30 255.255.255.224
  peer ip address 10.*.*.29 255.255.255.224
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown

ft interface vlan 200
  ip address 2.2.2.1 255.255.255.0
  peer ip address 2.2.2.2 255.255.255.0
  no shutdown

ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 200
ft group 1
  peer 1
  peer priority 200
  associate-context Admin
  inservice
 
ft track interface TRACK_VLAN1001
  peer track-interface vlan 1001
  priority 50
  peer priority 5

ip route 10.*.*.0 255.255.0.0 10.*.*.1

fault-domain

domain default-domain
ssh key rsa 1024 force

-----------------------------------------------------------------------------

Kindly revert to me if I need to provide further clarification.

Regards,

TB

Hi Tuhin,

The configuration on the ACE seems to be correct, so, to troubleshoot further we will probably have to get traffic captures and things like that.

I think it would be a good time to open a TAC service request to have this checked in more depth.

If you have any issues opening the case, just let me know and I will try to help with it.

Regards

Daniel

Dear Daniel,

Thanks for your guidance.

I will be really grateful if you can open a TAC case on my behalf. Looking forward to hearing from you.

With Regards,

TB

Dear Daniel,

Please find attached the Network architecture for your reference for further clarity.

Regards,


TB

Hi Daniel,

Is there any good news for me?

Regards,

TB

Hi Tuhin,

I'm sorry, I didn't log into the communities these last days, so I didn't see you asked me to open the service request for you.

This will probably be easier if you try to do it yourself through the cisco.com webpage, but, if you have any problems, I don't mind trying to open it for you. I would just need to get the following information:

  • Serial number of the ACE
  • Contract number covering it
  • Your cisco.com user id
  • Your phone number
  • Your email address

Daniel

Hi Daniel,

Nice to hear back from you.

My Cisco ID: CSCO11398934

The ACE (4710) serial no.: QCF14070155

But we have got the device from a vendor, so right now I do not have the contract number for it.

My phone no.: +91 9856061465

My email: b.tuhin@hotmail.com / tuhin.bhowmick@sifycorp.com

Regards,

Tuhin

Hi Daniel,

Waiting for your response.

One thing I have to convey to you: the virtual IP that we have configured as per your suggestion, 10.*.*.25 (mapped to the public IP on the firewall), seems to return nothing, though I am not sure.

We have tried to ping that virtual IP 10.*.*.25 but got the "request timed out" message.

Regards,

TB

Hi,

Thanks for your guidance.

We were able to resolve the problem successfully.

We were basically missing one nat-pool command with a free IP address.

Thanks,

TB
