Configuring Cisco ACE

Jul 10th, 2007

I have been given the task of configuring a Cisco ACE20 initially for SLB. I have configured IOS SLB successfully but the ACE appears far more complex. Does anyone have any configuration guides with diagrams? The Cisco documentation only gives command guides which I am finding difficult to follow. I have set up a test scenario as follows:

Client side vlan 10 - / 21

Server side vlan 17 - /24

Vlan 10 is set up on Sup720 as L2/3

Vlan 17 is set up on Sup720 as L2 only

PC with IIS running with IP address

VIP address

Rserver address

Route on ACE

I can ping the rserver from ACE OK, as I have captured the ICMP traffic with an analyser. When I attempt to HTTP to the vserver address I see the traffic hit the ACE, but it sends TCP resets.

I can provide the full config of the ACE etc if needed.

With IOS SLB (without NAT) I used loopback addresses on the real servers. From the ACE documentation it appears the VIP address has to be completely unique; does this mean there is no need for loopback interfaces? Also, does the VIP address have to be in a different subnet than the clients, as mine is not, but it is in the same subnet as my client side vlan as was stated in the ACE getting started guide?

I am very new to content switching, especially classifying traffic etc. Can anyone please help?

Gilles Dufour Tue, 07/10/2007 - 22:30

Could you please share your config and a 'show service-policy'?

Will start helping you from there.

The vip can be any ip you want.

You can use it as a loopback on the servers, but we usually do this when the load balancer forwards without NATing.

This is not mandatory.


Gilles Dufour Wed, 07/11/2007 - 02:58

curr conns : 0 , hit count : 2

dropped conns : 2

client pkt count : 3 , client byte count: 240

server pkt count : 0 , server byte count: 0

Are you sure your servers are responding ?

Can you sniff on the server to see if they receive a SYN and if they respond with a SYN/ACK in the right direction [ACE]?

The config looks good.
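
Added example, not part of the original thread or of any Cisco tooling: a small Python parser for the counter lines quoted in the reply above, with the same reading applied automatically. The function names, the labels returned by `diagnose` and the sample text are this example's own; the sample repeats the values quoted in the reply.

```python
import re

# Counter lines as quoted in the reply above (from 'show service-policy').
SAMPLE = """\
curr conns : 0 , hit count : 2
dropped conns : 2
client pkt count : 3 , client byte count: 240
server pkt count : 0 , server byte count: 0
"""

# "name : number" pairs; several pairs may share one line, separated by commas.
PAIR = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)")


def parse_counters(text):
    """Return {counter name: int} for every 'name : number' pair in the text."""
    return {name.strip().lower(): int(value) for name, value in PAIR.findall(text)}


def diagnose(counters):
    """Classify the counters (labels are this example's assumption)."""
    hits = counters.get("hit count", 0)
    dropped = counters.get("dropped conns", 0)
    server_pkts = counters.get("server pkt count", 0)
    if hits == 0:
        return "no-hits"        # traffic never matched the policy
    if server_pkts == 0 and dropped >= hits:
        return "server-silent"  # matched, but nothing came back from the server side
    if dropped:
        return "partial-drops"  # some connections completed, some did not
    return "ok"


if __name__ == "__main__":
    counters = parse_counters(SAMPLE)
    print(counters)
    print(diagnose(counters))
```

A "server-silent" result is the case the reply asks about: the policy is being hit, so the next capture belongs on the server side, to see whether the SYN arrives and where the SYN/ACK goes.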


Dan Smith Wed, 07/11/2007 - 04:57


Capture attached (Ethereal).

I am the client on, the VIP address replies with a RST/ACK. I can see the connection attempt on the ACE:

switch/Admin# sh conn

total current connections : 6

conn-id np dir proto vlan source destination state


4 1 in TCP 10 SYNSEEN

1 1 out TCP 17 INIT

3 1 in TCP 10 ESTAB

5 1 out TCP 10 ESTAB

4 2 in UDP 17 --

2 2 out UDP 10 --


Do I need a loopback address on the real server? Also, I only have one real server set up at the moment - I didn't think this would matter.

Hope this helps....


Syed Iftekhar Ahmed Wed, 07/11/2007 - 13:31

remove "transparent" from the server farm

serverfarm host WEB-FARM

description WEB SERVERFARM

rserver WEB1


rserver WEB2


Syed Iftekhar Ahmed

Dan Smith Thu, 07/12/2007 - 03:03

Thank you very much - That has worked. I read in one of the manuals that this command had to be included.

One other question - If server administrators require remote access to the rservers' real IP address (like ours do), as the rservers are not part of a L3 network on our intermediate routers, I configured a static route via the ACE client side interface as follows:

ip route

Is this best practice or should I be using a different method?

Syed Iftekhar Ahmed Thu, 07/12/2007 - 09:41

You just need to make sure that intermediate routing devices can route traffic to the real and your ACE should allow traffic to the real.

Static routes can definitely help.

Syed Iftekhar Ahmed

