Unable to Access Server through VIP (ACE 4710)

premsaw23
Level 1

Hello ,

Could anyone kindly help me configure the Cisco ACE 4710? I am new to load balancing, so please guide me in configuring the ACE for my scenario, which was given by my boss.

Note: This is just a testing phase. I need to access my one server (192.168.1.11:80) through the VIP 10.13.77.10. I have only one Cisco 2800 router, one Cisco 2960 L2 switch and a Cisco ACE 4710. I have already configured two different VLANs on the switch (VLAN 10 and VLAN 100), and on the router I gave IP addresses to those VLANs, with inter-VLAN routing.

My connectivity is like this: router Ethernet 0/0 (10.13.77.1/24, VLAN 10) and router Ethernet 0/1 (192.168.1.1/24, VLAN 100) are connected to the switch. After that I configured the ACE LB and connected the ACE interfaces to the switch like this: ACE interface 2/3 (vlan10) to switch VLAN 10 (Ethernet ports 2-12), and ACE interface 3/3 (vlan100) to switch VLAN 100 (Ethernet ports 13-24).

I am testing access from switch VLAN 10 to VLAN 100, where my server is.

Configuration :--- ACE>  client side Vlan10 (10.13.77.4/24) , VIP :- 10.13.77.10, SM-- 255.255.255.255

                         ACE>  server side Vlan100 (192.168.1.5/24), Web server -- 192.168.1.11 with 80 port

                         ACE> Managment Vlan 1000 (172.16.6.5/24) ,

                            ip  route 0.0.0.0 0.0.0.0 10.13.77.1

I have already configured routed mode, but when I try from the VLAN 10 subnet, for example from 10.13.77.12 (client or user PC), to access server 192.168.1.11 through the VIP http://10.13.77.10, it does not respond. If I access the server by its real IP, it is accessible (because there is inter-VLAN routing). Please guide.

Regards,

Prem


Nick Cutting
Level 1

Are you able to post your ace config?

What does "show conn" on the ACE give you when you try to connect?

What does "show serverfarm" give you?

Are you using probes?

We use transparent ACE load balancers, but I'll do my best.

Vlan 10 user

Vlan 100 server

a switchport in vlan 10 connected to the router on 0/0

a switchport in vlan 100 connected to the router on 0/1

a switchport in vlan 10 connected to the Ace port configured on that vlan

a switchport in vlan 100 connected to the Ace port configured on that vlan

so I understand that all Ip addresses can ping all other ip addresses?

This config looks like it is for an ace module in a 6500 series switch rather than a stand alone device:

"interface port-channel 10

description ##ace-to-msfc##

switchport trunk allowed vlan 1000,10-100

port-channel load-balance src-dst-port"

premsaw23
Level 1

Hello,

Yes, all other IP addresses respond to ping except the VIP (10.13.77.10). Yes, I have already configured a probe as well as sticky.

Is there any IP route required on the ACE or the router? I have given the route on the ACE (0.0.0.0 0.0.0.0 10.13.77.1) and on the router (0.0.0.0 0.0.0.0 192.168.1.5).

This part I have not configured (if required, please guide): channel-group 10 (for all interfaces) and

interface port-channel 10

description ##ace-to-msfc##

switchport trunk allowed vlan 1000,10-100

port-channel load-balance src-dst-port

Regards,

Prem

How many ports are connected to the ACE?

If it is just one for each VLAN, you do not need any port channel commands or load balancing commands, as the switch is not doing the load balancing.

Switch Interface connected to ACE with address 10.13.77.4

switchport mode access

switchport access vlan 10

Switch Interface connected to ACE with address 192.168.1.5

switchport mode access

switchport access vlan 100

On the ACE, are you using sub-interfaces for the different VLANs? I see you are trunking between the switch and the ACE. Do you need to do this?

For the ACE config, I'll need to see what you have configured already in order to help you. Just post a show run on the ACE. ACE configs require quite a lot of config, and some understanding of the Cisco Modular QoS CLI.

Jorge Bejarano
Level 4

Hello Prem,

Can you paste your current configuration?

Basically you have the VIP:10.13.77.10 on the vlan 10(10.13.77.1/24) and you need to connect to the backend server:192.168.1.11 which under the VLAN 100, correct?

Basically your ACE configuration should be like this:

policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb

class-map match-all slb-vip
  2 match virtual-address 10.13.77.10 tcp eq http

policy-map type loadbalance http first-match slb
  class class-default
    serverfarm web

serverfarm host web
  rserver myserver
    inservice

rserver host myserver
  ip address 192.168.1.11
  inservice

access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

interface vlan 10
  description "Client Side"
  ip address 10.13.77.2 255.255.255.0
  access-group input everyone
  service-policy input client-vips
  no shutdown

interface vlan 100
  description "Default gateway of real servers"
  ip address 192.168.1.1 255.255.255.0
  service-policy input remote-access
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.13.77.1

Here you have a link about it:

http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Routed_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example#Design

Hope this helps

Jorge


Here you have a link which might help you as well to establish the communication to the client side and server side:

http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide,_Release_A3(1.0)_--_Setting_Up_an_ACE_Appliance#Configuring_a_Second_Gigabit_Ethernet_Interface_Port

Also remember to have a management policy, class,etc

Jorge

Thanks everyone.

I just want to make clear that I have only one ACE device, so I need to know whether the client should access the server through the VIP or some other IP.

Very soon I'll paste the show run output so that you know the real configuration.

My router one interface is same ip address 192.168.1.1 so is there ok to give ACE one server side interface IP

Prem

Hello,

Here are My LB Sh Run plz check and Guide

LB/VC_web# show run

Generating configuration....

logging enable

logging timestamp

logging trap 5

access-list accesslist line 8 extended permit tcp any eq www any eq www

access-list accesslist line 16 extended permit tcp any any

probe http HTTP_probe

  description Basic health check

  port 80

  interval 15

  passdetect interval 60

  request method head

  expect status 200 200

  open 1

rserver host web1

  description web server1

  ip address 192.168.1.11

  inservice

rserver host web2

  description web server2

  ip address 192.168.1.10

  inservice

serverfarm host Webserver_farm

  description web server farm

  failaction reassign across-interface

  probe HTTP_probe

  rserver web1 80

    probe HTTP_probe

    inservice

  rserver web2 80

    inservice

serverfarm redirect Webserver_farm_Redirect

  description redirect traffic to https

serverfarm redirect Webserver_farm_maintanence

  description send user to maintanence page

parameter-map type http cisco_avs_parametermap

  case-insensitive

  persistence-rebalance

sticky http-cookie ACEPSESSIONID web_persistance

  cookie insert browser-expire

  serverfarm Webserver_farm backup Webserver_farm_maintanence

action-list type optimization http cisco_avs_container_latency

  flashforward

action-list type optimization http cisco_avs_img_latency

  flashforward-object

action-list type optimization http cisco_avs_obj_latency

  flashforward-object

ssl-proxy service web_ssl

  key web_ecom.key

  cert cisco-sample-cert

class-map match-all WEB_HTTP

  2 match virtual-address 10.13.77.10 tcp eq www

class-map type http loadbalance match-all cisco_avs_container_latency

  2 match http url .*

class-map type http loadbalance match-any cisco_avs_img_latency

  2 match http url .*jpg

  3 match http url .*jpeg

  4 match http url .*jpe

  5 match http url .*png

class-map type http loadbalance match-any cisco_avs_obj_latency

  2 match http url .*gif

  3 match http url .*css

  4 match http url .*js

  5 match http url .*class

  6 match http url .*jar

  7 match http url .*cab

  8 match http url .*txt

  9 match http url .*ps

  10 match http url .*vbs

  11 match http url .*xsl

  12 match http url .*xml

  13 match http url .*pdf

  14 match http url .*swf

class-map type http loadbalance match-any default-compression-exclusion-mime-type

  description DM generated classmap for default LB compression exclusion mime types.

  2 match http url .*gif

  3 match http url .*css

  4 match http url .*js

  5 match http url .*class

  6 match http url .*jar

  7 match http url .*cab

  8 match http url .*txt

  9 match http url .*ps

  10 match http url .*vbs

  11 match http url .*xsl

  12 match http url .*xml

  13 match http url .*pdf

  14 match http url .*swf

  15 match http url .*jpg

  16 match http url .*jpeg

  17 match http url .*jpe

  18 match http url .*png

class-map type http loadbalance match-any https_redirect

  2 match http url /cart/.*

class-map type management match-any mgmt-cm

  2 match protocol http any

  3 match protocol https any

  4 match protocol icmp any

  5 match protocol kalap-udp any

  6 match protocol snmp any

  7 match protocol ssh any

  8 match protocol telnet any

  9 match protocol xml-https any

class-map type http loadbalance match-any static_file_objects

  2 match http url /images/.*

  3 match http url /css/.*

  4 match http url /js/.*

  5 match http url /sry.html

policy-map type management first-match mgmt-pm

  class mgmt-cm

    permit

policy-map type loadbalance first-match WEB_HTTP-l7slb

  class static_file_objects

    serverfarm Webserver_farm

  class https_redirect

    serverfarm Webserver_farm_Redirect

  class default-compression-exclusion-mime-type

    sticky-serverfarm web_persistance

  class class-default

    serverfarm Webserver_farm backup Webserver_farm_maintanence

    compress default-method deflate

policy-map type optimization http first-match WEB_HTTP-l7opt

  class cisco_avs_obj_latency

    action cisco_avs_obj_latency

  class cisco_avs_img_latency

    action cisco_avs_img_latency

  class cisco_avs_container_latency

    action cisco_avs_container_latency

policy-map multi-match int10

  class WEB_HTTP

    loadbalance vip inservice

    loadbalance policy WEB_HTTP-l7slb

    optimize http policy WEB_HTTP-l7opt

    loadbalance vip icmp-reply active

    appl-parameter http advanced-options cisco_avs_parametermap

interface vlan 10

  description clientside

  ip address 10.13.77.4 255.255.255.0

  access-group input accesslist

  access-group output accesslist

  service-policy input int10

  service-policy input mgmt-pm

  no shutdown

interface vlan 100

  description "server vlan"

  ip address 192.168.1.5 255.255.255.0

  access-group input accesslist

  nat-pool 1 192.168.1.30 192.168.1.40 netmask 255.255.255.0 pat

  service-policy input int10

  service-policy input mgmt-pm

  no shutdown

ip route 0.0.0.0 0.0.0.0 10.13.77.1

username DC password 5 $1$zTWHyTWJ$V4ebZI22AFWo42YDsTghW.  role Admin domain default-domain

username cisco password 5 $1$.sDsVovB$/INwHzZS/51MjpSfQQwRI0  role Network-Monitor domain default-domain

username admin password 5 $1$iKZwA9Ca$NwUfJbOmkODdyCUYyr/BS0  role Admin domain default-domain

snmp-server community public group Network-Monitor

Thanx

Prem

Hello Prem,

Can you upload the following outputs?

# show service-policy int10 class-map WEB_HTTP

# show service-policy int10 class-map WEB_HTTP

# show stats http

# show probe HTTP_probe

# show probe HTTP_probe detail

Jorge

Hello Prem,

Are you able to ping your default gateway?

Can you ping the servers from the ACE and vice versa?

Can you try to telnet the servers from the ACE?

Could you modify your configuration to look like this to see if it works?

policy-map multi-match int10
  class WEB_HTTP
    loadbalance vip inservice
    loadbalance policy WEB_HTTP-l7slb
    loadbalance vip icmp-reply active

policy-map type loadbalance first-match WEB_HTTP-l7slb
  class class-default
    serverfarm Webserver_farm

serverfarm host Webserver_farm
  description web server farm
  rserver web1 80
    inservice
  rserver web2 80
    inservice

Jorge

Hi Jorge,

I have already configured everything above as you advised, and I am able to ping the server IP address from the ACE and vice versa, but I am not able to telnet to the server. I am able to access the server (192.168.1.11) from the client (10.13.77.9), but as per my requirement I want to access the server through the VIP (10.13.77.10:80).

MY connectivity : 1> Both ACE (client & server side Interface) connect with switch

                          2> Routers both FastEthernet( 0/0 & 0/1) connect with Switches seperate Vlans (Vlan10 & Vlan100)

                          3> After that Server (192.168.1.11) connect to Switch's vlan100

                              and client PC (10.13.77.9) connect to Switch's vlan10 side.

Then I tried to access server from client side with VIP.

Router(2800) :- FEth 0/0 :- 10.13.77.1    !     FEth 0/1 :-- 192.168.1.1

Switch(2960):-  Vlan 10                         !     Vlan 100

Ace  (4710)  :-  E2 :--10.13.77.4             !   E3 :-- 192.168.1.5   ,, ip route 0.0.0.0 0.0.0.0 10.13.77.1

Server :-- ip addre :- 192.168.1.11  SM :-- 255.255.255.0  Gateway :-- 192.168.1.1 

This is my real scenario............

Thanx

Prem

Hello jorge,

PLz find the show command (Can I used nat-pool ip address as same as vip or used another ip address.)

LB/VC_web# show service-policy int10 class-map WEB_HTTP

Status     : ACTIVE

-----------------------------------------

Interface: vlan 1 10 100

  service-policy: int10

    class: WEB_HTTP

      loadbalance:

        L7 loadbalance policy: WEB_HTTP-l7slb

        Regex dnld status    : SUCCESSFUL

        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE

        VIP state: OUTOFSERVICE

        VIP DWS state: DWS_DISABLED

        Persistence Rebalance: ENABLED

        curr conns       : 0         , hit count        : 0

        dropped conns    : 0

        client pkt count : 0         , client byte count: 0

        server pkt count : 0         , server byte count: 0

        conn-rate-limit      : 0         , drop-count : 0

        bandwidth-rate-limit : 0         , drop-count : 0

      compression:

        bytes_in  : 0                          bytes_out : 0

        Compression ratio : 0.00%

                Gzip: 0               Deflate: 0

      compression errors:

        User-Agent  : 0               Accept-Encoding    : 0

        Content size: 0               Content type       : 0

        Not HTTP 1.1: 0               HTTP response error: 0

        Others      : 0

        Parameter-map(s):

          cisco_avs_parametermap

LB/VC_web# show stats http

+------------------------------------------+

+-------------- HTTP statistics -----------+

+------------------------------------------+

LB parse result msgs sent : 0          , TCP data msgs sent       : 0

Inspect parse result msgs : 0          , SSL data msgs sent       : 0

                      sent

TCP fin msgs sent         : 0          , TCP rst msgs sent:       : 0

Bounced fin msgs sent     : 0          , Bounced rst msgs sent:   : 0

SSL fin msgs sent         : 0          , SSL rst msgs sent:       : 0

Drain msgs sent           : 0          , Particles read           : 0

Reuse msgs sent           : 0          , HTTP requests            : 0

Reproxied requests        : 0          , Headers removed          : 0

Headers inserted          : 0          , HTTP redirects           : 0

HTTP chunks               : 0          , Pipelined requests       : 0

HTTP unproxy conns        : 0          , Pipeline flushes         : 0

Whitespace appends        : 0          , Second pass parsing      : 0

Response entries recycled : 0          , Analysis errors          : 0

Header insert errors      : 0          , Max parselen errors      : 0

Static parse errors       : 0          , Resource errors          : 0

Invalid path errors       : 0          , Bad HTTP version errors  : 0

Headers rewritten         : 0          , Header rewrite errors    : 0

SSL headers inserted      : 0          , SSL header insert errors : 0

SSL spoof headers deleted : 0         , Unproxy msgs sent         : 0

LB/VC_web#

LB/VC_web#

LB/VC_web#

LB/VC_web# show probe HTTP_probe

probe       : HTTP_probe

type        : HTTP

state       : ACTIVE

----------------------------------------------

   port      : 80      address     : 0.0.0.0         addr type  : -

   interval  : 15      pass intvl  : 60              pass count : 3

   fail count: 3       recv timeout: 10

                ------------------ probe results ------------------

   associations ip-address      port  porttype probes   failed   passed   health

   ------------ ---------------+-----+--------+--------+--------+--------+------

   real        : web1[80]

     serverfarm: Webserver_farm

                192.168.1.11    80    PROBE    9        9        0        FAILED

   serverfarm  : Webserver_farm

     real      : web1[80]

                192.168.1.11    80    PROBE    9        9        0        FAILED

     real      : web2[80]

                192.168.1.10    80    PROBE    9        9        0        FAILED

LB/VC_web# show probe HTTP_probe detail

probe       : HTTP_probe

type        : HTTP

state       : ACTIVE

description : Basic health check

----------------------------------------------

   port      : 80      address     : 0.0.0.0         addr type  : -

   interval  : 15      pass intvl  : 60              pass count : 3

   fail count: 3       recv timeout: 10

   http method      : HEAD

   http url         : /

   conn termination : GRACEFUL

   expect offset    : 0         , open timeout     : 1

   expect regex     : -

   send data        : -

                ------------------ probe results ------------------

   associations ip-address      port  porttype probes   failed   passed   health

   ------------ ---------------+-----+--------+--------+--------+--------+------

   real        : web1[80]

     serverfarm: Webserver_farm

                192.168.1.11    80    PROBE    10       10       0        FAILED

   Socket state        : CLOSED

   No. Passed states   : 0         No. Failed states : 1

   No. Probes skipped  : 0         Last status code  : 0

   No. Out of Sockets  : 0         No. Internal error: 0

   Last disconnect err : Connect error (Network or Host is unreachable)

   Last probe time     : Fri Oct  5 22:50:45 2012

   Last fail time      : Fri Oct  5 22:43:30 2012

   Last active time    : Never

   serverfarm  : Webserver_farm

     real      : web1[80]

                192.168.1.11    80    PROBE    10       10       0        FAILED

   Socket state        : CLOSED

   No. Passed states   : 0         No. Failed states : 1

   No. Probes skipped  : 0         Last status code  : 0

   No. Out of Sockets  : 0         No. Internal error: 0

   Last disconnect err : Connect error (Network or Host is unreachable)

   Last probe time     : Fri Oct  5 22:50:45 2012

   Last fail time      : Fri Oct  5 22:43:30 2012

   Last active time    : Never

     real      : web2[80]

                192.168.1.10    80    PROBE    10       10       0        FAILED

   Socket state        : CLOSED

   No. Passed states   : 0         No. Failed states : 1

   No. Probes skipped  : 0         Last status code  : 0

   No. Out of Sockets  : 0         No. Internal error: 0

   Last disconnect err : Connect error (Network or Host is unreachable)

   Last probe time     : Fri Oct  5 22:50:42 2012

   Last fail time      : Fri Oct  5 22:43:27 2012

   Last active time    : Never

Regards,

Prem

Hello Prem,

Please notice that your VIP shows "VIP state: OUTOFSERVICE", so this won't work. As shown in the probe details, those servers cannot communicate properly with the ACE: "Last disconnect err : Connect error (Network or Host is unreachable)".

Could you remove the probe from the configuration and test it just to make sure? It looks like a connectivity issue on your backend side (server side).

Hope this helps.

Jorge
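
The probe-to-VIP reasoning in the reply above, as an added example that is not part of the original thread: a Python parser for `show probe ... detail` output that reports which serverfarms have no passing real server and whether each failure happened below HTTP. The function names and the classification heuristic are assumptions of this example; the sample text is constructed from the farm-level entries posted earlier in the thread.

```python
import re

# Constructed sample: the farm-level entries from the "show probe HTTP_probe detail"
# output posted in the thread, trimmed to the fields parsed below.
SAMPLE = """\
   serverfarm  : Webserver_farm
     real      : web1[80]
                192.168.1.11    80    PROBE    10       10       0        FAILED
   Socket state        : CLOSED
   No. Probes skipped  : 0         Last status code  : 0
   Last disconnect err : Connect error (Network or Host is unreachable)
     real      : web2[80]
                192.168.1.10    80    PROBE    10       10       0        FAILED
   Socket state        : CLOSED
   No. Probes skipped  : 0         Last status code  : 0
   Last disconnect err : Connect error (Network or Host is unreachable)
"""

FARM_RE = re.compile(r"^\s*serverfarm\s*:\s*(\S+)")
REAL_RE = re.compile(r"^\s*real\s*:\s*(\S+?)\[(\d+)\]")
# Result row: ip, port, porttype (ignored), probes, failed, passed, health
ROW_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+\S+\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
CODE_RE = re.compile(r"Last status code\s*:\s*(\d+)")
ERR_RE = re.compile(r"Last disconnect err\s*:\s*(.*\S)")


def parse_probe_detail(text):
    """Return one dict per probe result row, tagged with its serverfarm and real."""
    records, farm, real = [], None, None
    for line in text.splitlines():  # blank lines match nothing and are skipped
        if m := FARM_RE.match(line):
            farm = m.group(1)
        elif m := REAL_RE.match(line):
            real = m.group(1)
        elif m := ROW_RE.match(line):
            ip, port, probes, failed, passed, health = m.groups()
            records.append({"farm": farm, "real": real, "ip": ip, "port": int(port),
                            "probes": int(probes), "failed": int(failed),
                            "passed": int(passed), "health": health,
                            "status_code": None, "last_error": None})
        elif records and (m := CODE_RE.search(line)):
            records[-1]["status_code"] = int(m.group(1))
        elif records and (m := ERR_RE.search(line)):
            records[-1]["last_error"] = m.group(1)
    return records


def classify(record):
    """Heuristic (assumption): no HTTP status plus a connect error means the
    probe never reached the server, so the fault is below HTTP."""
    if record["health"] != "FAILED":
        return "not-failed"
    err = record["last_error"] or ""
    if record["status_code"] in (None, 0) and err.startswith("Connect error"):
        return "connectivity"
    return "http-response"


def farms_all_failed(records):
    """Serverfarms in which every probed real is FAILED; per the reply above,
    a VIP backed only by such a farm shows OUTOFSERVICE."""
    by_farm = {}
    for r in records:
        by_farm.setdefault(r["farm"], []).append(r["health"] == "FAILED")
    return sorted(f for f, flags in by_farm.items() if all(flags))


if __name__ == "__main__":
    recs = parse_probe_detail(SAMPLE)
    for r in recs:
        print(r["farm"], r["real"], r["ip"], r["health"], classify(r), r["last_error"])
    print("farms with no passing real:", farms_all_failed(recs))
```

A "connectivity" result points at routing, ACLs or the server's gateway rather than at the probe's `expect status` setting.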

Hi Jorge,

I configured routed mode but had no success, so I then tried bridge mode, and the VIP responds successfully from the servers. But when I configure a probe and put it in the serverfarm, I cannot access the servers through the VIP and ping also gets no reply. For checking purposes, when I removed the probe from the serverfarm, the VIP responded and worked fine. So kindly advise how to configure the probe. Please find the show run output.

LB/Admin# sh run

Generating configuration....

no ft auto-sync startup-config

resource-class RC1

  limit-resource all minimum 10.00 maximum unlimited

boot system image:c4710ace-mz.A4_2_0.bin

hostname LB

interface gigabitEthernet 1/1

  description Management

  speed 1000M

  switchport access vlan 1000

  no shutdown

interface gigabitEthernet 1/2

  description clientside

  switchport access vlan 30

  no shutdown

interface gigabitEthernet 1/3

  description serverside

  switchport access vlan 31

  no shutdown

interface gigabitEthernet 1/4

  no shutdown

context Admin

  description Management

access-list everyone line 8 extended permit ip any any

access-list everyone line 16 extended permit icmp any any

probe http probe1

  description health check

  interval 5

  passdetect interval 10

  request method head

  expect status 200 200

  open 1

rserver redirect https_redirect

  description redirect traffic to https

  inservice

rserver redirect maintenance_page

  description maintenance page displayed

  webhost-redirection /sry.html 301

  inservice

rserver host web1

  ip address 10.13.77.11

  inservice

rserver host web2

  ip address 10.13.77.12

  inservice

serverfarm host http

  probe probe1

  rserver web1

    inservice

  rserver web2

    inservice

sticky http-cookie Cookie1 StickyGroup1

  serverfarm http

--More--

class-map match-all REMOTE-ACCESS

class-map type management match-any remote_access

  2 match protocol xml-https any

  3 match protocol icmp any

  4 match protocol telnet any

  5 match protocol ssh any

  6 match protocol http any

  7 match protocol https any

  8 match protocol snmp any

class-map match-all slb-vip

  2 match virtual-address 10.13.77.50 tcp eq www

policy-map type management first-match remote_access

  class class-default

    permit

policy-map type management first-match remote_mgmt_allow_policy

  class remote_access

    permit

policy-map type loadbalance first-match slb

  class class-default

    serverfarm http

policy-map type inspect http all-match slb-vip-http

  class class-default

    permit

policy-map multi-match client-vips

  class slb-vip

    loadbalance vip inservice

    loadbalance policy slb

    loadbalance vip icmp-reply active

    inspect http policy slb-vip-http

interface vlan 30

  description "Client Side"

  bridge-group 3

  access-group input everyone

  service-policy input client-vips

  no shutdown

interface vlan 31

  description "Server Side"

  bridge-group 3

  service-policy input remote_access

  no shutdown

interface vlan 1000

  description managment

  ip address 172.29.91.110 255.255.255.0

  service-policy input remote_mgmt_allow_policy

  no shutdown

interface bvi 3

  ip address 10.13.77.5 255.255.255.0

  description "client - server bridge group"

  no shutdown

ip route 0.0.0.0 0.0.0.0 10.13.77.1

snmp-server contact "PHQ"

snmp-server community phq group Network-Monitor

snmp-server trap-source vlan 1000

username admin password 5 $1$y/CIGMQG$k9VUUNcldd0eVRS5eP9EM0  role Admin domain default-domain

username www password 5 $1$.GuWwQEK$r8Ub4OcE3l190d5GA4kvR.  role Admin domain default-domain

username prem password 5 $1$4xFbsJYt$H5xb00uJYVRB9PXR6jY/b.  role Admin domain default-domain

ssh key rsa 1024 force
