ACE4710 work in bridge mode. Interface Vlan 501 and 1501 are members of bridge group 1.

Hi,

Can you confirm that:

Your servers are in VLAN 501 and your upstream router is in VLAN 1501?

Your default gw of your server is the upstream router in VLAN 1501?

You allocated a resource class for your context (it is needed to explicitly specify a resource class due to the stickiness)

Could you try to only match on the VIP address (remove the "tcp eq rdp").

Are you capable of doing an RDP session directly on the server, through the ACE but on the IP of the server?

Thanks for keeping us updated.

Br,

Dario

Servers in VLAN 501, Upstream router in VLAN1501. Default GW (172.17.7.1) in VLAN1501. ARP table:

Context terminalservers
================================================================================
IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  NextArp(s) Status
================================================================================
172.17.7.11     00.1c.c4.be.20.a8  vlan501   RSERVER    21     26 sec       up
172.17.7.12     00.1c.c4.a8.0b.5e  vlan501   RSERVER    20     26 sec       up
172.17.7.1      00.1f.9d.03.e0.00  vlan1501  GATEWAY    19     26 sec       up
172.17.7.10     00.16.36.fc.ae.12  vlan1501  VSERVER    LOCAL     _         up
172.17.7.4      00.12.43.dc.a3.02  bvi1      INTERFACE  LOCAL     _         up
================================================================================
Total arp entries 5
switch/terminalservers#

Yes I'm try with math ip address rule, but also unsuccessfull

No I can't connect directly to server thru ACE (RDP and other protocols)

Can you post your Admin config?

If you look in your routers ARP table, do you see the servers IP addresses + VIP address (try doing a ping to generate traffic).

Can you ping your server from the ACE?

Can you telnet port 3389 on your server from the ACE?

config

switch/Admin# sh run
Generating configuration....

logging enable
logging console 7
logging buffered 7
logging monitor 7

resource-class rc1
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 0.20 maximum unlimited

boot system image:c4710ace-mz.A3_2_4.bin

interface gigabitEthernet 1/1
  switchport access vlan 1000
  no shutdown
interface gigabitEthernet 1/2
  switchport trunk allowed vlan 501,1501
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  shutdown

ntp server 172.17.44.4 prefer

ntp server 172.17.45.4

access-list ALL line 8 extended permit ip any any

class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

interface vlan 1000
  ip address 172.17.46.164 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.17.46.1

context terminalservers
  allocate-interface vlan 501
  allocate-interface vlan 1501
  member rc1

snmp-server contact "IT"
snmp-server location "Alfa Bank"
snmp-server community public group Network-Monitor

 
username admin password 5 $1$Lx0coeEJ$FurupifAcXl4k.rsb71lu1  role Admin domain default-domain
username www password 5 $1$OX.Wdxlk$k7NZOq0yWNnQmjJa4nN8H0  role Admin domain default-domain

ssh key rsa 1024 force

sh ver

switch/Admin# sh ver
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2009 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
  loader:    Version 0.95
  system:    Version A3(2.4) [build 3.0(0)A3(2.4) adbuild_11:46:02-2009/09/27_/auto/adbu-rel2/rel_a3_2_3_throttle/REL_3_0_0_A3_2_4]
  system image file: (hd0,1)/c4710ace-mz.A3_2_4.bin
  Device Manager version 1.2 (0) 20090925:1550

Software

  installed license: no feature license is installed

Hardware
  cpu info:
    Motherboard:
        number of cpu(s): 2
    Daughtercard:
        number of cpu(s): 16
  memory info:
    total: 6226388 kB, free: 4574524 kB
    shared: 0 kB, buffers: 19004 kB, cached 0 kB
  cf info:
    filesystem: /dev/hdb2
    total: 861668 kB, used: 728664 kB, available: 89232 kB

last boot reason:  reload command by admin
configuration register:  0x1
switch kernel uptime is 0 days 23 hours 44 minute(s) 7 second(s)

fsrv6509-1#sh arp | inc Vlan1501
Internet  172.17.7.10            28   0016.36fc.ae12  ARPA   Vlan1501
Internet  172.17.7.11             2   001c.c4be.20a8  ARPA   Vlan1501
Internet  172.17.7.12             7   001c.c4a8.0b5e  ARPA   Vlan1501
Internet  172.17.7.1              -   001f.9d03.e000  ARPA   Vlan1501
Internet  172.17.7.4              2   0012.43dc.a302  ARPA   Vlan1501
fsrv6509-1#

Yes I can ping servers from ACE

Yes I can telnet to 3389 port on servers from ACE

Could you try:

policy-map type loadbalance first-match slb-corterm-vip
  class class-default
    sticky-serverfarm SG1

instead of:

policy-map type loadbalance rdp first-match slb-corterm-vip
  class class-default
    sticky-serverfarm SG1

keep us posted.

I'm try with policy-map type loadbalance first-match slb-corterm-vip but this also dosn't work. As I correctly understood ACE should pass traffic in bridge mode between interfaces w/o any problem?

Does your server has more than 1 interface?

Can you try sniffing on the server side to see if traffic arrives on the server?

Can you post a "show service-policy detail" output?

Servers have one Teaming Interface (two NIC connected to two cisco blade swithes, blade switches connected to 65 Catalyst, ACE4710 also connected to 65 Catalyst)

Traffic arrives on server side (but only SYN). Some of TCP packets with incorrect cheksum.

switch/terminalservers# sh service-policy detail

Policy-map : client-vips
Status     : ACTIVE
Description: -----------------------------------------
Interface: vlan 1 1501
  service-policy: client-vips
    class: slb-corterm-vip
     VIP Address:    Protocol:  Port:
     172.17.7.10     any
      loadbalance:
        L7 loadbalance policy: slb-corterm-vip
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        Persistence Rebalance: DISABLED
        curr conns       : 0         , hit count        : 7        
        dropped conns    : 7        
        client pkt count : 12        , client byte count: 579                
        server pkt count : 0         , server byte count: 0                  
        conn-rate-limit      : 0         , drop-count : 0        
        bandwidth-rate-limit : 0         , drop-count : 0        
        L7 Loadbalance policy : slb-corterm-vip
          class/match : class-default
            LB action: :
               sticky group: SG1
                  primary serverfarm: CORTERM
                  primary serverfarm: CORTERM
                    state:UP
                  backup serverfarm : -
            hit count        : 6        
            dropped conns    : 0        
            compression      : off
      compression:
        bytes_in  : 0                  
        bytes_out : 0                  
        Compression ratio : 0.00%

switch/terminalservers#

Hi,

It seems somewhere a problem exists because all your connections to the VIP are being dropped:

loadbalance:
        L7 loadbalance policy: slb-corterm-vip
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        Persistence Rebalance: DISABLED
        curr conns       : 0         , hit count        : 7        
        dropped conns    : 7        

We are sure that nothing assymetric exists?

We have:

Router ------ VLAN 1501 ------ ACE -------- VLAN 501 -------- Servers

VLAN 1501 and VLAN 501 have the same IP subnet + mask?

I replace ACE4710 with ACE20 module. Now traffic passed from client to servers, but servers work very slowly (i think some traffic blocked by ACE).

Correct scheme:

Router (6509 + VLAN1501 SVI) -> ACE -> Router (6509 + VLAN501) ->Servers

face20-1/TerminalServers# sh service-policy

Policy-map : client-vips
Status     : ACTIVE
-----------------------------------------
Interface: vlan 1501
  service-policy: client-vips
    class: slb-corterm-vip
      loadbalance:
        L7 loadbalance policy: slb-corterm-vip
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        curr conns       : 1         , hit count        : 2        
        dropped conns    : 0        
        client pkt count : 5         , client byte count: 227                
        server pkt count : 4         , server byte count: 183                
        conn-rate-limit      : 0         , drop-count : 0        
        bandwidth-rate-limit : 0         , drop-count : 0

face20-1/TerminalServers# sh conn det

total current connections : 2

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
32         2  in  TCP   1501 172.17.9.147:4728     172.17.7.10:3389      ESTAB
          [ idle time   : 00:00:04,   byte count  : 110191     ]
          [ elapsed time: 00:21:25,   packet count: 2107       ]
31         2  out TCP   501  172.17.7.11:3389      172.17.9.147:4728     ESTAB
          [ conn in reuse pool : FALSE]
          [ idle time   : 00:00:04,   byte count  : 527124     ]
          [ elapsed time: 00:21:25,   packet count: 2700       ]

I solved this issue!!! Problem was in HP NIC Teaming software on blade servers. If Teaming mode Auto/Auto traffic no correctly returned to ACE. I change mode to Network Fault Tolerance Only (only one NIC active) and now all works.

Yes, this is a known feature acknowledged by TAC. ACE does not allow traffic from the same src IP address and different src MAC addresses. Only frames with the MAC address present in the ARP table can pass through. Load-balancing NIC teaming sends out frames with two different src MAC addresses. One part of them is dropped and you may experience 'ARP collision' error messages.