11-19-2008 02:11 AM
Hi All,
I am not able to connect to a virtual IP address of ACE 4710 and I am not able to ping it either. Kindly let me know if anything is wrong here.
Regards,
Neha.
11-19-2008 03:14 AM
Did you assign the vlan interface to the virtual server?
Also
Configuring the ACE to Reply to a Ping to a VIP only if the Primary Server Farm is in Service
The primary-inservice option has been added to the loadbalance vip icmp-reply active command in policy map class configuration mode. When you specify this option, the ACE replies to an ICMP ping only if the primary server farm state is UP, regardless of the state of the backup server farm. If this option is enabled and the primary server farm state is DOWN, the ACE discards the ICMP request and the request times out.
The syntax of this command is as follows:
loadbalance vip icmp-reply [active [primary-inservice]]
For example, to instruct the ACE to respond to a ping to a VIP only if the primary server farm is in service, enter:
host1/Admin(config-pmap-c)# loadbalance vip icmp-reply active primary-inservice
11-19-2008 03:23 AM
show service-policy
Is the policy inservice?
Check rservers if they are up.
Make sure the service-policy is applied on the inbound interface.
Then finally, check with a sniffer trace if traffic is coming in the ACE.
Gilles.
11-19-2008 05:40 AM
Neha,
When you say "connect" you mean that the VIP is not in service? The reals associated with this VIP are down?
These could be some of the reasons.
I take it if you ping it then the VIP is in service. Check the status of the reals.
Can you "connect" to the reals bypassing the VIP?
11-19-2008 06:27 AM
David,
My setup is as follows:-
I have 2 vlans configured on cat4500 switch: vlan 10 client side and vlan 20 server side
E1/1 Vlan 10 10.10.10.150
Ace4710 - VIP 10.10.50.1
E1/2 Vlan 20 10.10.40.250
Web server 1 - 10.10.40.103
Yes the VIP is inservice and the webserver is reachable.
11-20-2008 01:05 AM
Hi,
Your VIP is in a different subnet than your VLAN10 SVI on your C4500.
You should configure a static route towards the VIP address/subnet and use the VLAN10 interface IP address as your next hop.
As far as I can see, your vlan 10 is 10.10.10.0/24, VLAN 20 is 10.10.40.0/24 and your VIP is 10.10.50.1/32.
Your upstream router is 10.10.10.150, ACE is 10.10.10.1 (assume) and for backend, ACE is 10.10.40.1 (This should be the default gateway of your rservers)
Then your static route on your upstream router should be
ip route 10.10.50.1 255.255.255.255 10.10.10.1
Hope this helps
11-20-2008 06:23 AM
Hi,
I appreciate the prompt answer. I will do this and will update you.
11-20-2008 02:38 AM
Please give us the output of 'show service-policy'. I want to see if there is any hit and if there are server packets.
G.
11-28-2008 01:31 PM
Hey nehakulsum,
I am facing the same problem... did you get an answer for this issue?
12-01-2008 12:18 AM
Hi, can you post your config?
12-02-2008 06:31 AM
Hi Yahb/Neha,
Please try and confirm this:-
1) See if you have permitted the traffic:-
access-list ALL line 8 extended permit ip any any
class-map match-all L4_VIP_ADDRESS_CLASS
  2 match virtual-address 1.1.1.1 any
class-map type management match-any REMOTE_ACCESS
  201 match protocol ssh any
  202 match protocol icmp any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
  class class-default
    serverfarm SFARM1
policy-map multi-match L4_LB_VIP_POLICY
  class L4_VIP_ADDRESS_CLASS
    loadbalance vip inservice
    loadbalance policy L7_VIP_LB_ORDER_POLICY
    loadbalance vip icmp-reply
2) Apply the ACL on to the correct vlan:-
interface vlan 20
  description Server-side Interface
  ip address 2.2.2.2 255.255.255.0
  access-group input ALL --->make sure you have applied the ACL.
  service-policy input L4_LB_VIP_POLICY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
interface vlan 30
  description Client side connectivity
  ip address 3.3.3.3 255.255.255.0
  access-group input ALL
  service-policy input L4_LB_VIP_POLICY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
ip route 0.0.0.0 0.0.0.0 x.x.x.x
Let us know if you have done this.
Regards
Shariff
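The two checks from the post above (traffic permitted by an ACL, and the VIP policy applied on the right VLAN), as an added example that is not part of the thread or of any Cisco tooling. It assumes the config is indented the way `show running-config` prints it; the function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample in ACE running-config style (indented as "show running-config"
# prints it). vlan 30 is deliberately missing its access-group and service-policy.
SAMPLE_CONFIG = """\
access-list ALL line 8 extended permit ip any any
class-map match-all L4_VIP_ADDRESS_CLASS
  2 match virtual-address 1.1.1.1 any
policy-map multi-match L4_LB_VIP_POLICY
  class L4_VIP_ADDRESS_CLASS
    loadbalance vip inservice
interface vlan 20
  ip address 2.2.2.2 255.255.255.0
  access-group input ALL
  service-policy input L4_LB_VIP_POLICY
interface vlan 30
  ip address 3.3.3.3 255.255.255.0
"""

def parse_blocks(config):
    """Group indented lines under the unindented header line above them."""
    blocks = []
    for line in filter(str.strip, config.splitlines()):
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit_vip_interfaces(config):
    """Return {vlan_id: [problems]} for every 'interface vlan' block."""
    blocks = parse_blocks(config)
    acls = {h.split()[1] for h, _ in blocks if h.startswith("access-list ")}
    vip_policies = {h.split()[-1] for h, body in blocks
                    if h.startswith("policy-map multi-match ") and "loadbalance vip inservice" in body}
    report = {}
    for header, body in blocks:
        m = re.fullmatch(r"interface vlan (\d+)", header)
        if not m:
            continue
        applied = lambda kw: {l.split()[2] for l in body if l.startswith(kw + " input ")}
        problems = []
        if not applied("access-group") & acls:
            problems.append("no defined ACL applied inbound")
        if not applied("service-policy") & vip_policies:
            problems.append("no in-service VIP policy applied inbound")
        report[int(m.group(1))] = problems
    return report
```

Calling `audit_vip_interfaces()` on a saved running-config returns an empty problem list for each VLAN that has both a defined ACL and an in-service VIP policy applied inbound.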
12-02-2008 08:34 AM
Hi Inayath,
This solves my issue. In fact, the access list and L4 policy were missing on the wrong vlan. Everything is working fine now after applying the vlan and acl on the correct vlan. Thanks a lot.
Appreciate your help.
regards
neha