12-01-2010 05:47 AM
I am new to the ACE 4710 appliance. I tried to configure it based on the Cisco doc, but I could not access the servers behind it. Our topology is:
ASA-------vlan 28(10.248.28.0/24)--------ACE-----Vlan30(10.248.30.0/23)-----Web servers.
I set up another virtual context named Production_Web for it. The corresponding port in the Admin context is configured as a trunk allowing only VLANs 28 and 30.
The configurations are as follows:
ACE1/Production_Web# sh run
Generating configuration....
logging enable
logging timestamp
logging trap 5
logging buffered 6
access-list Web-Server-access line 8 extended permit ip any any
probe https TCP-HTTPS-Probe
  interval 15
  passdetect interval 60
  ssl version all
  open 1
rserver host BO-PROD-WEB1
  ip address 10.248.30.11
  conn-limit max 4000000 min 4000000
  inservice
rserver host BO-PROD-WEB2
  ip address 10.248.30.12
  conn-limit max 4000000 min 4000000
  inservice
serverfarm host BO-PROD-SF
  probe TCP-HTTPS-Probe
  rserver BO-PROD-WEB1 443
    conn-limit max 4000000 min 4000000
    inservice
  rserver BO-PROD-WEB2 443
    conn-limit max 4000000 min 4000000
    inservice
class-map match-all BO-PROD-WEB
  2 match virtual-address 10.248.28.11 tcp eq https
class-map type management match-any Management
  201 match protocol snmp any
  202 match protocol https any
  203 match protocol ssh any
  204 match protocol telnet any
  205 match protocol icmp any
policy-map type management first-match Management
  class Management
    permit
policy-map type loadbalance first-match BO-PROD-WEB-l7slb
  class class-default
    serverfarm BO-PROD-SF
policy-map multi-match int28
  class BO-PROD-WEB
    loadbalance vip inservice
    loadbalance policy BO-PROD-WEB-l7slb
interface vlan 28
  description *** Production_Web Client Side ***
  ip address 10.248.28.4 255.255.255.0
  alias 10.248.28.6 255.255.255.0
  peer ip address 10.248.28.5 255.255.255.0
  service-policy input int28
  service-policy input Management
  no shutdown
interface vlan 30
  description *** Production_Web Server Side ***
  ip address 10.248.30.4 255.255.254.0
  alias 10.248.30.6 255.255.254.0
  peer ip address 10.248.30.5 255.255.254.0
  access-group input Web-Server-access
  service-policy input Management
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.248.28.1 (point to ASA)
snmp-server contact "ANM"
snmp-server location "ANM"
snmp-server community public group Network-Monitor
====================================================
Issue 1: I tried to telnet to 10.248.30.11 on port 3389. It failed. This traffic already passed through the ASA; it looked like there was no return traffic. I did not find any denied traffic in the ACE logs.
Issue 2: I found the following logs in the ACE logs:
Health probe failed for server 10.248.30.11 on port 443, received invalid status code
Health probe failed for server 10.248.30.12 on port 443, server reply timeout
But I could telnet to 10.248.30.11 on port 443 from the ACE itself, so why do I still get probe failed?
I will appreciate it if you could give me any help.
12-01-2010 03:04 PM
Issue 1: I tried to telnet to 10.248.30.11 on port 3389. It failed. This traffic already passed through the ASA; it looked like there was no return traffic. I did not find any denied traffic in the ACE logs.
From where are you trying to telnet to the real server? Behind the ASA?
Does the ASA know how to reach the real server? A static route is needed on the ASA to force traffic destined for the 10.248.30.0 network to the ACE client-side interface (10.248.28.4).
Similarly, your real servers should route the return traffic for the source (from where you are initiating the telnet session) to the server-side ACE interface.
This can be achieved by using the ACE server-side interface as the default gateway on the servers.
Issue 2: I found the following logs in the ACE logs:
Health probe failed for server 10.248.30.11 on port 443, received invalid status code
Health probe failed for server 10.248.30.12 on port 443, server reply timeout
For the Server1 probe failure, add
expect status 200 200
(provided your server is expected to send 200 for an HTTP request; if the server sends some other code like 302, then change this command accordingly.)
For Server2:
It looks as if the response from server2 doesn't reach the ACE.
Can you successfully telnet to server2 from the ACE?
HTH
Syed Iftekhar Ahmed
12-02-2010 04:15 AM
Thanks Syed for your response.
The issue was fixed. I forgot to add the access-group on VLAN 28.