ACE - Firewall Loadbalancing

Unanswered Question
Apr 3rd, 2007

I have a problem understanding how the ACE handles firewall load balancing.

In the documentation there is an example for a secure side and an insecure side:

  serverfarm INSEC_SF
    predictor hash address source
    rserver FW_INSEC_1
    rserver FW_INSEC_2
    rserver FW_INSEC_3

  serverfarm SEC_SF
    predictor hash address destination
    rserver FW_SEC_1
    rserver FW_SEC_2
    rserver FW_SEC_3


The ACE on the insecure side makes a hash of the source IP and selects one of 3 firewalls.

The ACE on the secure side makes a hash of the destination IP and selects one of 3 firewalls.

On what information does the ACE make the hash? The IP addresses of the firewalls on the secure/insecure side are different.

The names of the real servers are also different.

Best Regards

Gilles Dufour Wed, 04/04/2007 - 00:58


ACE uses the source or destination ip address of the packet to forward.

So, on the non-secure side we receive traffic from CLIENT to SERVER.

ACE takes the CLIENT IP, computes a hash value and selects server 1, for example.

On the secure side, the traffic CLIENT -> SERVER is simply forwarded. No hashing or anything.

But the response from the SERVER to CLIENT will hit the service policy and a new hash will be computed.

This time the src is the SERVER and the destination is the CLIENT.

By doing a hash on the destination, the hash is done on the CLIENT IP, which will give the same result as what was done on the non-secure side, which guarantees ACE will select the same firewall.

This concept was already used on the CSM.


Sbutzek Wed, 04/04/2007 - 01:36

Hi Gilles,

thanks for your reply. You are right. But my question was: on what does the hash match?

There are 3 Firewalls.

The ACE only knows the local IP address and name of the firewall.

So the ACE on the secure side knows a different IP address than the ACE on the insecure side.

The Names are also different on both sides!

So how does the ACE module know that rserver FW_INSEC_1 and rserver FW_SEC_1 are the same firewall device? So it is not clear what the ACE matches the computed hash value for SRC or DST IP against.

On CSS systems it is clear. The CSS knows the local and remote IP of the firewall plus the firewall index and can compute the hash on both sides to the same firewall.

But on the ACE system I cannot see where the match is done.

Is it done by the order of Configuration in the serverfarm?

Gilles Dufour Wed, 04/04/2007 - 02:36

The hash is done on the traffic source/destination IP addresses.

The hash result is an index 1, 2 or 3 [if you have 3 servers].

The name of the rserver is important. To make it simple, just look at the output of "sh serverfarm" or "sh run rserver". The servers are ordered alphabetically in CLI output and this is also the order in which they are ordered for load balancing.


Sbutzek Wed, 04/04/2007 - 03:40

Hello Gilles,

OK, that was what I wanted to know. So the names have to be similar on both sides.

Another question: is it not even better to do a src/dst hash on both sides of the firewall to get a better distribution over the firewalls?


Gilles Dufour Wed, 04/04/2007 - 04:26


Yes, it is indeed a good idea to use both source and destination.
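An added Python model of the two answers above (this is not ACE code, and its hash is a constructed stand-in for the ACE's own algorithm): rservers are taken in alphabetical order on each side, the insecure ACE hashes the source of the forward packet while the secure ACE hashes the destination of the reply, and a stateful firewall only works if both directions land on the same positional index. It also shows the condition Gilles' last reply depends on: hashing source plus destination on both sides keeps the pairing only if the hash is order-independent, since the reply swaps the two addresses.

```python
import hashlib
from ipaddress import ip_address

# Constructed firewall pools using the rserver names from the question.
# The ACE orders rservers alphabetically for load balancing, so index i
# on each side must be the same physical firewall.
INSEC_SF = sorted(["FW_INSEC_2", "FW_INSEC_1", "FW_INSEC_3"])
SEC_SF = sorted(["FW_SEC_3", "FW_SEC_1", "FW_SEC_2"])


def ip_hash(addrs, symmetric=True):
    """Stand-in hash over one or more IPv4 addresses (assumption: not the
    ACE's real algorithm). symmetric=True is order-independent; the
    ordered variant shows what goes wrong when that property is missing."""
    ints = [int(ip_address(a)) for a in addrs]
    data = b"".join(i.to_bytes(4, "big") for i in (sorted(ints) if symmetric else ints))
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def pick(farm, addrs, symmetric=True):
    """Return (index, rserver name) the predictor would select."""
    idx = ip_hash(addrs, symmetric) % len(farm)
    return idx, farm[idx]


def source_dest_pairing(client, server):
    """Forward: insecure-side ACE hashes the SOURCE (client).
    Reply: secure-side ACE hashes the DESTINATION of server->client (client)."""
    fwd = pick(INSEC_SF, [client])
    ret = pick(SEC_SF, [client])
    return fwd, ret


def both_sides_src_dst(client, server, symmetric=True):
    """Both ACEs hash source+destination. The forward packet is
    client->server, the reply is server->client, so the order flips."""
    fwd = pick(INSEC_SF, [client, server], symmetric)
    ret = pick(SEC_SF, [server, client], symmetric)
    return fwd, ret


def same_firewall(fwd, ret):
    """Compare the positional index, not the rserver names, which differ
    between the two serverfarms by design."""
    return fwd[0] == ret[0]
```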


Sbutzek Mon, 04/16/2007 - 05:49

Hi Gilles,

thanks very much!

Very clear answer.

I think it is the same on the CSM?
