unable to ping the VIP

axfalk
Level 1

We're running ACE SM in bridge mode and also have a L2 fw in front of it. We can ping the VIP OK from the outside, but not from the back-end servers. The back-end servers are on a different vlan from the VIP, but on the same subnet. The servers are pointing to the switch for the default gateway. Would it even be possible to ping the VIP since both the fw and the ACE are running in bridge mode?

Thanks..


8 Replies

Marko Leopold
Level 1

Where is your service-policy for the VIPs configured?

From:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_1_0/configuration/rtg_brdg/guide/vlansif.html#wp1062951

For security reasons, the ACE does not allow pings from an interface on a VLAN on one side of the ACE through the module to an interface on a different VLAN on the other side of the module. For example, a host can ping the ACE address that is on the IP subnet using the same VLAN as the host, but cannot ping IP addresses configured on other VLANs on the ACE.

If I understood his question right, he doesn't want to ping an interface of the ACE, he wants to ping the VIP.

It's configured on the client side interface, not on the server side.

Thanks..

Try to configure the service-policy on your server-interface too. Or configure it globally, then you should be able to ping from both sides.
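As an added example (not from this thread or from Cisco's documentation), an ACE bridge-mode configuration that implements the accepted answer: the same multi-match service-policy applied on both bridged VLAN interfaces, so ICMP to the VIP is processed no matter which side it arrives on. VLAN IDs, names and addresses are assumptions chosen for illustration.

```text
! Constructed example: ACE in bridge mode, VIP and servers in one subnet.
! Names, VLANs and addresses are placeholders, not from the thread.

! Placeholder ACL; ACE drops traffic without one. Restrict as needed.
access-list PERMIT-ALL line 10 extended permit ip any any

rserver host WEB1
  ip address 192.0.2.21
  inservice

serverfarm host WEB-FARM
  rserver WEB1
    inservice

! The VIP sits in the same bridged subnet as the back-end servers.
class-map match-all VIP-HTTP
  2 match virtual-address 192.0.2.10 tcp eq www

policy-map type loadbalance first-match LB-HTTP
  class class-default
    serverfarm WEB-FARM

policy-map multi-match LB-MULTI
  class VIP-HTTP
    loadbalance vip inservice
    loadbalance policy LB-HTTP
    ! VIP answers ping only while at least one rserver is operational
    loadbalance vip icmp-reply active

! Client-side VLAN (towards the L2 firewall)
interface vlan 100
  bridge-group 1
  access-group input PERMIT-ALL
  service-policy input LB-MULTI
  no shutdown

! Server-side VLAN: this service-policy line is what the accepted answer
! adds; without it, ICMP from the servers to the VIP never hits the VIP.
interface vlan 200
  bridge-group 1
  access-group input PERMIT-ALL
  service-policy input LB-MULTI
  no shutdown

interface bvi 1
  ip address 192.0.2.2 255.255.255.0
  no shutdown

! Alternative to the two per-interface lines: apply once in global config
! service-policy input LB-MULTI
```

As the reply below points out, this only makes the VIP reachable from the server side; if the back-end servers are meant to send real load-balanced traffic to the VIP, that traffic would additionally need source NAT so the return path comes back through the ACE.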

I'd have to test to confirm but the security feature should be applicable to the VIP as well. The ACE still has to route/bridge from one side to the other to ping the VIP.

A global/serverside service policy would allow the ping but would not make sense from a load-balancing perspective because servers hitting the VIP to access other servers in the same subnet would need to be source NAT'ed. The question really is - do you want to load balance traffic from the back-end servers with the same VIP or are you just checking if you can ping the VIP?

We have a similar setup and it is possible to ping the VIP in the frontend and to access it from the backend too. Does it make sense? Surely not, but it is part of the configuration that the customer wants.

Thanks for your reply. Configuring the service policy on the server side int did the trick. I was also able to ping the physical interface, but not the alias.

Thanks again..

- Alex
