ACE bridge mode not working

Unanswered Question
Jan 13th, 2008

Folks,

I am trying to configure ACE in transparent mode and it is not working. I can browse to the servers directly, but when I try to hit the VIP I do not get any web pages; all keepalives are up and everything is in service.

hostname abc

boot system image:c6ace-t1k9-mz.3.0.0_A1_6_1.bin

access-list ANY line 8 extended permit ip any any

rserver host rs1
  ip address 1.1.1.1
  inservice
rserver host rs2
  ip address 1.1.1.2
  inservice

serverfarm host SF1
  rserver rs1
    inservice
  rserver rs2
    inservice

class-map type management match-any REMOTE_ACCESS
  10 match protocol telnet any
  20 match protocol ssh any
  30 match protocol icmp any
class-map match-all VIP
  2 match virtual-address 1.1.1.3 any
class-map type http loadbalance match-any src1
  2 match source-address 0.0.0.0 0.0.0.0

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match R-Policy
  class class-default
    serverfarm SF1
policy-map multi-match R-LB
  class VIP
    loadbalance vip inservice
    loadbalance policy R-Policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise

interface vlan 3
  bridge-group 1
  access-group input ANY
  access-group output ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
interface vlan 4
  bridge-group 1
  access-group input ANY
  access-group output ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input R-LB
  no shutdown
interface bvi 1
  ip address 1.1.1.4 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 1.1.1.5

Gilles Dufour Mon, 01/14/2008 - 00:55

Are you sure the traffic from the clients enters the ACE module on vlan 4, not vlan 3?

Try to put the service-policy under vlan 3 as well just to make sure.

If that does not work, capture 2 outputs of 'show service-policy detail' while sending traffic in between. See if the hit counter increases.

If not, traffic is not making it to the ACE module.

Then capture a trace of the ace tengig interface while sending traffic.

Gilles.

NAVIN PARWAL Mon, 01/14/2008 - 01:49

Traffic is making it through; I see hits and drops, not sure why drops are happening. Also, I applied an L4 policy, but service-policy shows me drops on an L7 policy.

thanks

Gilles Dufour Mon, 01/14/2008 - 05:36

Is the server response coming back to the module?

Could you give us the output of 'show service-policy detail'.

A show tech could be useful as well as a sniffer trace on the server vlan side.

Gilles.

NAVIN PARWAL Mon, 01/14/2008 - 07:50

I made some progress, but still it is not working.

When the default gateway of the server behind the ACE module is set to the firewall, I can telnet to the VIP on port 80, but I still do not see the page when I open the browser and point it to the VIP. Here are the outputs.

hostname RBharti

boot system image:c6ace-t1k9-mz.3.0.0_A1_6_1.bin

access-list ANY line 8 extended permit ip any any

rserver host rs1
  ip address 1.1.1.1
  inservice
rserver host rs2
  ip address 1.1.1.3
  inservice

serverfarm host SF1
  rserver rs1
    inservice
  rserver rs2
    inservice

class-map type management match-any REMOTE_ACCESS
  10 match protocol telnet any
  20 match protocol ssh any
  30 match protocol icmp any
class-map match-all VIP
  2 match virtual-address 1.1.1.5 any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match R-Policy
  class class-default
    serverfarm SF1
policy-map multi-match R-LB
  class VIP
    loadbalance vip inservice
    loadbalance policy R-Policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise

interface vlan 3
  bridge-group 1
  access-group input ANY
  access-group output ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input R-LB
  no shutdown
interface vlan 4
  bridge-group 1
  access-group input ANY
  access-group output ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
interface bvi 1
  ip address 1.1.1.4 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 202.137.232.193

Ri/Admin# sh service-policy

Policy-map : R-LB
Status : ACTIVE
-----------------------------------------
Interface: vlan 3
  service-policy: R-LB
    class: VIP
      loadbalance:
        L7 loadbalance policy: Rediff-Policy
        VIP Route Metric : 77
        VIP Route Advertise : DISABLED
        VIP ICMP Reply : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns : 0 , hit count : 54
        dropped conns : 54
        client pkt count : 81 , client byte count: 3888
        server pkt count : 0 , server byte count: 0

Gilles Dufour Mon, 01/14/2008 - 08:28

There is no packet from the servers.

client pkt count : 81 , client byte count: 3888

server pkt count : 0 , server byte count: 0

So, the problem is the return traffic from server to client.

Check what the default gateway on the server is.

Make sure this is the ACE module or a device behind the ACE module reachable only through the bridged VLANs across the ACE module.

Gilles.
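The diagnosis above rests on reading the 'show service-policy' counters: hits with client packets but zero server packets means the request reaches the VIP but the response never returns to the ACE. The following script, added here and not part of the thread or of Cisco's tooling, parses that counter layout and applies the same reasoning automatically; the counter-line format it assumes is the one shown in the post, and the sample output is constructed from the counters reported there.

```python
import re

# Constructed sample in the layout of the thread's 'sh service-policy'
# output; the counters are the ones the original poster reported for VIP.
SAMPLE_OUTPUT = """\
Policy-map : R-LB
Interface: vlan 3
service-policy: R-LB
class: VIP
loadbalance:
L7 loadbalance policy: R-Policy
VIP State: INSERVICE
curr conns : 0 , hit count : 54
dropped conns : 54
client pkt count : 81 , client byte count: 3888
server pkt count : 0 , server byte count: 0
"""

# "<name> : <integer>" pairs; several may share one line (assumed layout).
COUNTER_RE = re.compile(r"(\w[\w ]*?)\s*:\s*(\d+)\b")

def parse_classes(text):
    """Map each 'class: NAME' section to its integer counters."""
    classes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"class:\s*(\S+)", line)
        if m:
            current = m.group(1)
            classes[current] = {}
        elif current is not None:
            for name, value in COUNTER_RE.findall(line):
                classes[current][name.strip()] = int(value)
    return classes

def diagnose(counters):
    """Apply the reasoning from the replies above to one class's counters."""
    hits = counters.get("hit count", 0)
    client_pkts = counters.get("client pkt count", 0)
    server_pkts = counters.get("server pkt count", 0)
    if hits == 0 and client_pkts == 0:
        return "no hits: client traffic is not reaching this VIP (check ingress VLAN)"
    if client_pkts > 0 and server_pkts == 0:
        return "no server packets: return path to the ACE is broken (check server gateway)"
    if counters.get("dropped conns", 0) >= hits > 0:
        return "all connections dropped despite server traffic: check serverfarm state"
    return "traffic flows in both directions"

def check(text):
    """Return {class_name: verdict} for every class in the output."""
    return {name: diagnose(c) for name, c in parse_classes(text).items()}
```

Running `check(SAMPLE_OUTPUT)` on the poster's counters yields the "return path" verdict, which is what the reply above concluded by hand.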

NAVIN PARWAL Mon, 01/14/2008 - 08:57

The default gateway of the server is the firewall.

internet----firewall---cat6500--Ace---Server

We have a flat network from the firewall all the way to the server, and the servers have a second NIC on them. We have tried changing the default gateway on the server to point to the BVI interface on the ACE, also to the SVI interface on the switch, and finally right to the firewall. Should the default gateway really matter? We are in bridged mode and the ACE module does destination NAT by default, so the server would see the VIP of the ACE coming in on the same network as itself, right?

NAVIN PARWAL Mon, 01/14/2008 - 09:02

By the way, we can get to the servers directly from the Internet no problem. When we point the default gateway on the servers directly to the firewall, we can point to them directly from the Internet and see the web page; they all have public addresses. As soon as we change the default gateway on them to point to the BVI interface of the ACE or the SVI interface, they cannot be reached from the outside, and we also cannot connect to them through the VIP. The VIP policy shows that it is doing load balancing, but we get nothing in return when we open our browser and point to the VIP IP.

Gilles Dufour Tue, 01/15/2008 - 01:42

The output shows the response from the server is not making it back to the ACE module.

So, at this point there is not much we can do.

Open a service request and provide a show tech, a topology diagram and a sniffer trace of the tengig ACE interface. We will see if the response is in the trace or not.

Gilles.
