04-25-2012 09:50 AM
Source 161.247.133.139, destination 161.247.133.27 (VIP on ACE); performing a telnet from source to destination on port 25.
Connection timed out.
Servers behind the VIP are 161.247.133.25 and 161.247.133.26.
Source, servers, and VIP are all in the same VLAN.
The VIP is not responding on port 25, but when I access the servers directly on port 25, the connection is established.
sh conn output:
ace01/production# sh conn serverfarm SMTP1
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
975119     1  in  TCP   201  161.247.133.179:42197 161.247.133.27:25     ESTAB
213140     1  out TCP   201  161.247.133.26:25     161.247.133.179:42197 ESTAB
407349     1  in  TCP   201  161.247.133.179:42206 161.247.133.27:25     ESTAB
963714     1  out TCP   201  161.247.133.26:25     161.247.133.179:42206 ESTAB
647062     1  in  TCP   201  161.247.133.179:42214 161.247.133.27:25     ESTAB
1861891    1  out TCP   201  161.247.133.25:25     161.247.133.179:42214 ESTAB
04-25-2012 02:05 PM
Hi, looks like you don't use NAT, and you have server (S) and client (C) in one VLAN.
So, when C goes to the VIP, the ACE redirects the request to S, but the server sees that C's IP is in the same subnet as it is, so it will reply directly to C, and C will drop this packet as it expects packets from the VIP.
If you'd like to have S and C in one subnet, you need to use NAT.
You can find configuration examples here :
04-25-2012 02:21 PM
Hi Borys
Thanks for your response. We are using NAT on the ACE; it's even applied to this class-map.
I mean, from anywhere in the network on different VLANs it's working fine, but from the same VLAN as that of the VIP, it's getting timed out.
Even ran some captures on the ACEs and all I see is SYN from the source to destination ,
04-25-2012 09:01 PM
I understand you would need SNAT configured.
~EM
Ephraim Mani
04-26-2012 07:47 AM
Sorry, forgot to add a couple of points.
We have one-arm mode and no SNAT enabled, as the application team wants to see the client IPs, so on the backend servers we have changed the default gateway to point to the VIP.
So it's working for all when the request is coming from different VLANs, but not from the same VLAN.
04-26-2012 09:12 AM
So, you don't use SNAT, do you? The problem here is that if the client and server are located in the same subnet, the server won't send traffic to the default gateway; it will send traffic directly to the client. That's how routing works. You must have SNAT with client and server in the same subnet.
04-26-2012 12:31 PM
Hi
No, routing works like this: if the IP is from the same network as the PC itself (determined by network address, e.g. 1.1.1.0/24), then it sends an ARP request, resolves the MAC and sends the packet directly to this IP. If the MAC can't be resolved, the packet won't be sent. It will never go to the default gateway in this case.
Most specific routes could help, e.g. if a route to network 1.1.1.0/28 points in a different direction, packets to it will go in that direction.
If you can move clients and servers to different subnets, you can either change the mask on the server interface (so that it doesn't cover client IPs) or make a more specific route to the client subnet that points to the ACE.
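The return-path decision discussed in this thread, as an added example that is not part of any poster's reply: it models the server's longest-prefix route lookup and checks whether the reply to a load-balanced flow passes back through the ACE. Assumptions: the /24 mask, the SNAT address 161.247.133.30 and the remote client 198.51.100.10 are constructed; the default gateway is set to the VIP as described in the thread.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match over (cidr, gateway) pairs; gateway None = on-link."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(cidr), gw) for cidr, gw in routes
            if dst in ipaddress.ip_network(cidr)]
    if not hits:
        raise ValueError(f"no route to {dst}")
    _, gw = max(hits, key=lambda h: h[0].prefixlen)
    # On-link: the server ARPs for the destination and delivers directly,
    # so the default gateway is never consulted.
    return str(dst) if gw is None else gw

def reply_via_lb(routes, lb_addrs, client, snat=None):
    """True if the server's reply to this flow passes back through the LB."""
    seen_src = snat or client  # with SNAT the server sees an LB-owned address
    return next_hop(routes, seen_src) in lb_addrs

VIP = "161.247.133.27"
SNAT_ADDR = "161.247.133.30"          # constructed, assumed owned by the ACE
LB_ADDRS = {VIP, SNAT_ADDR}
SAME_VLAN_CLIENT = "161.247.133.179"  # client seen in the sh conn output
REMOTE_CLIENT = "198.51.100.10"       # constructed client in another subnet

# Server routing table: connected subnet (mask assumed /24) plus a default
# route pointing at the VIP, as the original poster describes.
SERVER_ROUTES = [("161.247.133.0/24", None), ("0.0.0.0/0", VIP)]
# The "more specific route" option: host route for the client via the ACE.
HOST_ROUTE_FIX = SERVER_ROUTES + [(SAME_VLAN_CLIENT + "/32", VIP)]

def scenarios():
    """Map each case from the thread to whether the return path is symmetric."""
    return {
        "remote client, no SNAT": reply_via_lb(SERVER_ROUTES, LB_ADDRS, REMOTE_CLIENT),
        "same-VLAN client, no SNAT": reply_via_lb(SERVER_ROUTES, LB_ADDRS, SAME_VLAN_CLIENT),
        "same-VLAN client, SNAT": reply_via_lb(SERVER_ROUTES, LB_ADDRS, SAME_VLAN_CLIENT, SNAT_ADDR),
        "same-VLAN client, host route": reply_via_lb(HOST_ROUTE_FIX, LB_ADDRS, SAME_VLAN_CLIENT),
    }

if __name__ == "__main__":
    for name, symmetric in scenarios().items():
        print(f"{name}: {'via ACE' if symmetric else 'direct to client (bypasses ACE)'}")
```

Only the "same-VLAN client, no SNAT" case returns False, which matches the symptom reported: the server answers the client directly from its own address, and the client, expecting a reply from the VIP, never completes the handshake.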