Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1066
Views
0
Helpful
4
Replies

Mgt Access to servers Behind ACE & Default Gateway

dphillips
Level 1
Level 1

‎08-18-2011 04:33 PM

Hello, I just received a pair of ACE 4710 to replace a single CSS.

I have the ACE working in Bridge mode. However, I have an issue. I can access the http & https vips. I am not using source NAT as we need to see the "real" ip address of the end system. I have changed the default gateway on the RS to be the BVI interface. NO I am unable to ping or SSH to the servers.

I am attempting to figure out a way to allow both access to the VIP and mgt access to the servers. I have thought about using multiple routes on the RS, but then I would not be able to get to the vips from the internal network. (Replies would go the the default gateway, and back through the ACE.

How are others getting this to work. There has to be something I am missing.

Thanks

Labels:
0 Helpful
4 Replies 4

ohynderi
Level 1
Level 1

‎08-19-2011 04:00 AM

Hello!

You said "I can access the http & https vips". I guess you meant "I can not access the http & https vips".

You should have a topology similar to this:

Clients -- … -- Router -- ACE -- Servers.

The server gateway should be the router and not the ACE BVI ip. Can you confirm where are located the clients?

Can you show the relevant part of your router and ACE config?

Thanks,

Olivier

0 Helpful

dphillips
Level 1
Level 1

‎08-19-2011 08:45 AM

Not quite.  The topology you have is correct.  Yes, the vips are working correctly for http & https.  However, I need to be able to access the servers directly from our internal network via ssh, scp, & Ping.

If I set the server gateway to the router, then the vips stop working as the tcp replys come back directly from the servers real IP, not the VIP.   I can not run source nat at the web application needs the end users IP.

Not sure that the issue is on the ACE, could be server config.  But this config works ok with a CSS.

Thanks for any help you can offer.

David

0 Helpful

ohynderi
Level 1
Level 1
In response to dphillips

‎08-22-2011 01:39 AM

In bridge mode, the server gateway should be the router on the client vlan and not the ACE IP.

You said that when the server gateway is set to the router, server packets reach the client with the server IP and not the VIP. It looks we have asymmetric routing. What is the status of the connections is "sh conn detail" when accessing the VIP? ESTAB/ESTAB or SYN/INIT? You should confirm the router mac address on the server and check then on the switch if packet from server to router goes via the ACE.

Thanks,

Olivier

0 Helpful

dphillips
Level 1
Level 1

‎08-31-2011 09:58 AM

I got it working.  I found that I can not use 1 arm mode without source NAT.  Since I can not use src nat.  I had to use full bridged mode.  The issue was that I had the Client-side vlan and the Server-side vlan were the same vlan on the switch.  This caused a spt loop.  I had to create a Server-side Vlan and the only access to the Server Vlan is thourgh the ACE.   Setting the default gateway to the router works just fine in this mode.

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card