Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1326
Views
0
Helpful
6
Replies

vip not responding on ACE

Go to solution
12pratham
Level 1
Level 1

‎04-25-2012 09:50 AM

   Source 161.247.133.139    Destnation 161.247.133.27( VIP on ACE ) performing a telent from source to destination on port 25 .

connecction timedout

Servers Behind the vip are 161.247.133.25 and 161.247.133.26

Source ,Servers ,and VIP all are in same vlan.

VIP not responding on port 25 ,but  when I access the servers directly on port 25 , connection established.

sh conn output


ace01/production# sh conn serverfarm SMTP1

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
975119     1  in  TCP   201  161.247.133.179:42197 161.247.133.27:25     ESTAB
213140     1  out TCP   201  161.247.133.26:25     161.247.133.179:42197 ESTAB
407349     1  in  TCP   201  161.247.133.179:42206 161.247.133.27:25     ESTAB
963714     1  out TCP   201  161.247.133.26:25     161.247.133.179:42206 ESTAB
647062     1  in  TCP   201  161.247.133.179:42214 161.247.133.27:25     ESTAB
1861891    1  out TCP   201  161.247.133.25:25     161.247.133.179:42214 ESTAB

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Borys Berlog
Cisco Employee
Cisco Employee
In response to Borys Berlog

‎04-26-2012 12:31 PM

Hi

No, routing works like this : if IP is from the same network as PC itself (determined by network address , e.g 1.1.1.0/24) then - send an arp request, resolve MAC and send packet directly to this IP. If MAC can't be resolved - packet won't be sent. It will never go to default gateway in this case.

Most specific routes could help, e.g. if route to network 1.1.1.0/28 points to different direction, packets to it will go to this direction.

If you can move Clients and Servers to different subnets - you can either change mask on server interface (that it doesn't cover client IPs) or make a more specific route to client subnet points to ACE.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Borys Berlog
Cisco Employee
Cisco Employee

‎04-25-2012 02:05 PM

Hi , looks like you don't use NAT, and as you have server (S) and client (C) in one VLAN.

So, when C goes to VIP, ACE redirects request to S but , server sees that C IP is in the same subnet as it is , so it will reply directly to C and C will drop this packet as it expects packets from VIP.

If you'd like to have S and C in one subnet - you need to use NAT

You can find configuration examples here :

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide_--_Troubleshooting_Network_Address_Translation#Configuring_Dynamic_NAT_and_PAT

0 Helpful

Go to solution
12pratham
Level 1
Level 1
In response to Borys Berlog

‎04-25-2012 02:21 PM

Hi Borys

Thanks for your response ,We are using NAT  on ACE , even thats applied to this class -map.

I mean from any where in the network  different vlans its working fine ,but from the same vlan as that of the vip , its getting timed out.

Even ran some captures on ACEs and all I see is syn from the source to destination ,

0 Helpful

Go to solution
EPHRAIM MANI
Level 3
Level 3

‎04-25-2012 09:01 PM

I understand you would need SNAT configured.

~EM

Ephraim Mani

Sent via wireless device

Cell# +91 9810350482

Google Voice# +1 972-836-6035

0 Helpful

Go to solution
12pratham
Level 1
Level 1
In response to EPHRAIM MANI

‎04-26-2012 07:47 AM

Sorry ,forgot to add couple points

we are having one-arm mode ,and no SNAT enabled ,as application team want to see the client IPs .so on the backend servers we have changed the default gateway point vip

so its working for all when the request is coming from different vlans , but not from the same vlan.

0 Helpful

Go to solution
Borys Berlog
Cisco Employee
Cisco Employee
In response to 12pratham

‎04-26-2012 09:12 AM

So, you don't use SNAT, do you ? The problem here that if Client and Server are located in the same subnet , server won't send traffic to default gateway - it will send traffic directly to client. It's the way how routing works. You must have SNAT with Client and server in the same subnet.

0 Helpful

Go to solution
Borys Berlog
Cisco Employee
Cisco Employee
In response to Borys Berlog

‎04-26-2012 12:31 PM

Hi

No, routing works like this : if IP is from the same network as PC itself (determined by network address , e.g 1.1.1.0/24) then - send an arp request, resolve MAC and send packet directly to this IP. If MAC can't be resolved - packet won't be sent. It will never go to default gateway in this case.

Most specific routes could help, e.g. if route to network 1.1.1.0/28 points to different direction, packets to it will go to this direction.

If you can move Clients and Servers to different subnets - you can either change mask on server interface (that it doesn't cover client IPs) or make a more specific route to client subnet points to ACE.

0 Helpful
Customers Also Viewed These Support Documents