ACE - Can not get it to work

Unanswered Question
Jun 13th, 2007


I am trying to configure simple load balancing to 4 servers on an ACE (ver 3.0.0A13B), but I can't get it to work.

See config below. I have L3 vlan interfaces on my Cat6513 for vlan 22, 29 and 121.

Can anyone spot the issue?

Thanks, Pieter-Jon

probe tcp TCP
  description TCP PROBE
  interval 2
  faildetect 2
  passdetect interval 2
  connection term forced
  open 2
parameter-map type connection IDLE
  set timeout inactivity 600
rserver host INFO-Realserver-1
  ip address
  probe TCP
rserver host INFO-Realserver-2
  ip address
  probe TCP
rserver host INFO-Realserver-3
  ip address
  probe TCP
rserver host INFO-Realserver-4
  ip address
  probe TCP
serverfarm host INFO2008
  predictor leastconns slowstart 15
  probe TCP
  rserver INFO-Realserver-1
  rserver INFO-Realserver-2
  rserver INFO-Realserver-3
  rserver INFO-Realserver-4
class-map match-all L4_VIP_ADDRESS_CLASS
  2 match virtual-address tcp any
class-map type management match-any MGMT-Class
  2 match protocol icmp any
  3 match protocol ssh any
  4 match protocol telnet any
class-map type management match-all SNMP_ALLOW_CLASS
  2 match protocol snmp any
class-map type management match-all TELNET_ALLOW_ALL
  2 match protocol telnet any
policy-map type management first-match MGMT-Policy
  class MGMT-Class
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
policy-map type management first-match SNMP_ALLOW_POLICY
policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
  class class-default
    serverfarm INFO2008
policy-map multi-match L4_LB_VIP_POLICY
  loadbalance vip inservice
  loadbalance policy L7_VIP_LB_ORDER_POLICY
  loadbalance vip icmp-reply
  loadbalance vip advertise
interface vlan 22
  description Info Servers vlan
  ip address
  no shutdown
interface vlan 29
  description Info Front End vlan
  ip address
  service-policy input L4_LB_VIP_POLICY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
interface vlan 121
  ip address
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input SNMP_ALLOW_POLICY
  no shutdown
ip route

Roble Mumin Thu, 06/14/2007 - 00:46

> I have L3 vlan interfaces on my Cat6513 for vlan 22, 29 and 121.

That is your problem first of all.

If I get it right from your config.

VLAN 121 is your transfer network / or client side vlan

VLAN 22 and VLAN 29 are Server VLANS?

What you should keep in mind is that you define the server side vlans only on the ACE contexts with L3. You don't define them on the supervisor.

If you use the ACE in routed mode you have to assign networks exclusive to the ACE like routing networks to a layer 3 device in your network. If you use those vlans (22,29) on other parts of your net you should subnet them or take another network.

Your setup should look like this.


L3 ~ VLAN 121

L2 ~ VLAN 22,29,121

ACE Module

L3 ~ VLAN 22,29,121

You assign the 3 vlans or any other to a vlan group and assign this group to the ace module.

Create a new context -> assign the vlan 22,29 and 121 to this context.

6513(L3) <-- vlan 121 --> ACE (L3) /Admin Context

6513(L3) <-- vlan 121 --> ACE(L3) / Server Context --> VLAN 22,29


ACE Admin Context (VLAN121)


ACE Server Context (VLAN 121,22,29)


After you have a working L2/L3 setup start troubleshooting the ace config itself. :)

Hope it helps


Syed Iftekhar Ahmed Thu, 06/14/2007 - 00:54

create an access-list for all traffic

access-list anyone line 10 extended permit ip any any

and apply it to client and server vlans using

access-group input anyone

ACE by default blocks all traffic. You need to assign acl to vlans to guarantee traffic passing through ACE.


Roble Mumin Thu, 06/14/2007 - 01:00

Syed is right if your L2/L3 Setup is okay, then ACL needs to be there.

But I am not sure if that is the only problem. If yes ignore my first post. :)


Gilles Dufour Thu, 06/14/2007 - 03:18

check the probe status.

check the arp table.

Do you have connectivity with the servers ?

If not, make sure your svlc-vlan group are correctly setup on the switch.

Then, verify your topology.

Your default route points to vlan 121.

So, I assume your client will be coming on that vlan.

But you did not configure the policy L4_LB_VIP_POLICY on that vlan.

I think you should get rid of vlan 29 or vlan 121. Use only one of them and set the default route correctly.

Let the default gateway do the routing between the vlans.
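
The two checks raised in the replies above (an inbound access-group on each VLAN interface, and the VIP policy attached to the VLAN the clients arrive on) can be run offline against a saved config. The script below is an added example, not code from any poster or from Cisco; the sample config is constructed, the function names are hypothetical, it assumes sub-commands are indented as in a normal running-config listing, and the client VLAN is passed in as an assumption.

```python
import re

# Constructed sample in the shape of the posted config (IP addresses left out).
SAMPLE_CONFIG = """\
access-list anyone line 10 extended permit ip any any
policy-map multi-match L4_LB_VIP_POLICY
  class L4_VIP_ADDRESS_CLASS
    loadbalance vip inservice
interface vlan 22
  no shutdown
interface vlan 29
  service-policy input L4_LB_VIP_POLICY
  access-group input anyone
  no shutdown
interface vlan 121
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
"""

def parse_interfaces(config):
    """Map each VLAN id to the ACLs and service policies applied inbound."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # a top-level command opens a new stanza
            m = re.match(r"interface vlan (\d+)$", line)
            current = interfaces.setdefault(int(m.group(1)), {"acl": [], "policies": []}) if m else None
        elif current is not None:
            m = re.match(r"(access-group|service-policy) input (\S+)$", line)
            if m:
                current["acl" if m.group(1) == "access-group" else "policies"].append(m.group(2))
    return interfaces

def audit(config, vip_policy, client_vlan):
    """Return findings for missing ACLs, permit-any ACLs and VIP policy placement."""
    findings = []
    permit_any = set(re.findall(r"^access-list (\S+) line \d+ extended permit ip any any$", config, re.M))
    interfaces = parse_interfaces(config)
    for vlan, info in sorted(interfaces.items()):
        if not info["acl"]:
            findings.append(f"vlan {vlan}: no access-group input, through traffic is denied by default")
        for acl in sorted(permit_any.intersection(info["acl"])):
            findings.append(f"vlan {vlan}: ACL {acl} permits ip any any")
    if vip_policy not in interfaces.get(client_vlan, {"policies": []})["policies"]:
        findings.append(f"vlan {client_vlan}: {vip_policy} is not applied on the client-side VLAN")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "L4_LB_VIP_POLICY", client_vlan=121):
        print(finding)
```

The permit-any finding is there so that an ACL added only to get traffic flowing is revisited and narrowed to the VIP and server ports once the setup works.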


