02-29-2012 06:22 AM
I am trying to set up ACE in bridge mode. The network topology is as follows:
1. ACE Gi 1/2 (client-side vlan) is connected to 3750 (vlan 40)
2. ACE Gi 1/3 (server-side vlan) is connected to 3750 (vlan 50)
3. Two real servers are connected to 3750 (vlan 50)
4. One client device (linux box) is connected to 3750 (vlan 40)
I am not using the admin context. I have created a new one for the user. I am unable to ping the VIP (10.10.50.15) either from the client Linux box or from within the ACE.
Can you please take a look at my configuration and let me know if I am missing something?
Thanks in advance.
--Raja
=============================================================================================================
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe http PROBE_CGNMS_WEB
  port 80
  interval 15
  passdetect interval 60
  expect status 200 200
  open 1
rserver host RS_10_10_50_11
  description 10.10.50.11
  ip address 10.10.50.11
  conn-limit max 4000000 min 4000000
  probe PROBE_CGNMS_WEB
  inservice
rserver host RS_10_10_50_12
  description 10.10.50.12
  ip address 10.10.50.12
  conn-limit max 4000000 min 4000000
  probe PROBE_CGNMS_WEB
  inservice
serverfarm host SF_CGNMS
  rserver RS_10_10_50_11
    conn-limit max 4000000 min 4000000
    probe PROBE_CGNMS_WEB
    inservice
  rserver RS_10_10_50_12
    conn-limit max 4000000 min 4000000
    probe PROBE_CGNMS_WEB
    inservice
class-map match-all VS_CGNMS
  2 match virtual-address 10.10.50.15 255.255.255.0 any
policy-map type loadbalance first-match VS_CGNMS-l7slb
  class class-default
    serverfarm SF_CGNMS
policy-map multi-match int50-n2
  class VS_CGNMS
    loadbalance vip inservice
    loadbalance policy VS_CGNMS-l7slb
    loadbalance vip icmp-reply active
interface vlan 40
  description client-side-vlan
  bridge-group 1
  access-group input everyone
  service-policy input int50-n2
  no shutdown
interface vlan 50
  description server-side-vlan
  bridge-group 1
  no shutdown
interface bvi 1
  ip address 10.10.50.10 255.255.255.0
  no shutdown
snmp-server community public group Network-Monitor
=========================================================================================================
02-29-2012 07:56 AM
Hi Raja,
You defined the VIP as a range. The ACE is listening to connections in the 10.10.50.15/24 network.
Try defining the VIP as "match virtual-address 10.10.50.15 any" instead and check if it works.
Also, be aware that the VIP is defined for "any" traffic, which means that even ICMP is getting load-balanced. In this case, it is not the ACE that replies, but one of the servers. You should consider limiting the VIP to only the kinds of traffic you expect.
I hope this helps.
Daniel
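As an added illustration of Daniel's two points (this is not code from the thread or from Cisco): a small Python lint that walks an ACE context laid out like Raja's, expands the mask on each "match virtual-address" line, and flags a VIP that covers more than one address, overlaps a configured rserver or BVI address, or matches protocol "any". The config excerpt is constructed from the thread; the lint itself and the suggested "tcp eq 443" form are assumptions of this example.

```python
import ipaddress
import re

# Constructed excerpt of the context posted in the thread (bridge mode, /24 VIP mask).
ACE_CONFIG = """\
rserver host RS_10_10_50_11
  ip address 10.10.50.11
rserver host RS_10_10_50_12
  ip address 10.10.50.12
class-map match-all VS_CGNMS
  2 match virtual-address 10.10.50.15 255.255.255.0 any
interface bvi 1
  ip address 10.10.50.10 255.255.255.0
"""

# "match virtual-address <ip> [<dotted mask>] <any|tcp|udp ...>"; the mask is optional on the CLI.
VIP_RE = re.compile(r"match virtual-address\s+(\S+)(?:\s+(\d+\.\d+\.\d+\.\d+))?\s+(\S+)")
ADDR_RE = re.compile(r"^\s*ip address\s+(\S+)")


def lint_vips(config):
    """Return one finding per VIP problem; an empty list means no finding."""
    hosts = []     # rserver and BVI addresses seen in the config
    vips = []      # (class-map name, VIP network, protocol keyword)
    current = None
    for line in config.splitlines():
        if line.startswith("class-map"):
            current = line.split()[-1]
        m = ADDR_RE.match(line)
        if m:
            hosts.append(ipaddress.ip_address(m.group(1)))
        m = VIP_RE.search(line)
        if m:
            ip, mask, proto = m.groups()
            # No mask on the CLI means a single host, i.e. 255.255.255.255.
            net = ipaddress.ip_network(f"{ip}/{mask or '255.255.255.255'}", strict=False)
            vips.append((current, net, proto))
    findings = []
    for name, net, proto in vips:
        if net.prefixlen != 32:
            findings.append(f"{name}: mask {net.netmask} makes the VIP answer for all "
                            f"{net.num_addresses} addresses in {net}; use 255.255.255.255")
            for h in hosts:
                if h in net:
                    findings.append(f"{name}: VIP range {net} overlaps configured address {h}")
        if proto == "any":
            findings.append(f"{name}: protocol 'any' load-balances every protocol, ICMP included; "
                            "restrict it to the expected service (e.g. 'tcp eq 443')")
    return findings


if __name__ == "__main__":
    for finding in lint_vips(ACE_CONFIG):
        print(finding)
```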
02-29-2012 09:07 AM
Hi Daniel, thanks, it worked. It looks like the DM does not allow an IP without a mask. I used the CLI and I can now ping the VIP.
--Raja
03-01-2012 12:03 AM
Hi Raja,
For the future, if you configure it from the DM, use a mask of 255.255.255.255. It's equivalent to not using a mask at all.
Daniel
03-01-2012 05:55 AM
Hi Daniel, thanks, will try that.
BTW, I am load balancing HTTPS traffic to 443. I tested it and it is working. But I configured neither an SSL policy nor a sticky session. I am trying to understand how it works without these settings.
Thanks
--Raja
03-01-2012 05:59 AM
Hi Raja,
By SSL policy I assume you mean ssl-proxy, right? This is only required to terminate the SSL session on the ACE. If you don't configure one, the connection is just treated as L4.
Stickiness is something completely unrelated to this.
I would recommend having a look at the following two links. They should clarify these two concepts.
Daniel
03-06-2012 10:56 AM
Hi Daniel,
I am trying to load balance HTTPS traffic to port 9121, but the ACE resets the connection. Here is the packet capture. I have the VIP enabled on 10.10.50.15 for port 9121. Please help.
Thanks
--Raja
reading from file /tmp/cap.12447, link-type EN10MB (Ethernet)
raja-ACE4710/VC_RAJA#
18:50:11.620893 00:0c:29:fe:c0:16 > 00:1e:68:57:24:66, ethertype IPv4 (0x0800), length 74: IP (tos 0x0, ttl 64, id 4548, offset 0, flags [DF], length: 60) 10.10.50.17.26618 > 10.10.50.15.9121: S [bad tcp cksum d3ef (->ebe4)!] 1618077165:1618077165(0) win 5840
18:50:11.621107 00:0c:29:c1:34:6f > 00:0c:29:fe:c0:16, ethertype IPv4 (0x0800), length 54: IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], length: 40) 10.10.50.11.9121 > 10.10.50.17.26618: R [tcp sum ok] 0:0(0) ack 4165815016 win 0