ACE and host static routes?

Answered Question
Jan 31st, 2008

Hi,


Does an ACE context work with host static routes?


I've been trying to set up a context to load balance LDAP where the servers have IP addresses across multiple VLANs and I'm not allowed to change the IP addresses. I've tried bridging and routing configurations. The only case that works is where the server is a member of the server-side VLAN. I noticed a comment in the Routing manual, page 2-2, that says secondary IP addresses are not supported. Is a host static route equivalent to a secondary address?


Is it possible to achieve my goal?


Thank you


Cathy

Gilles Dufour Thu, 01/31/2008 - 08:20

Cathy,


you can use a host route.

But that will only solve the path from ACE to servers. You also need to make sure that the servers to ACE path is ok.

Also, don't forget one context can't communicate to/through another context.


Gilles.

ciscocsoc Thu, 01/31/2008 - 08:35

Thank you Gilles,


As far as I can see the server can see the ACE context. I'm only using one context for this.


Do I need specific routes in the context as well as on the hosting router?


Thanks


Cathy

Gilles Dufour Thu, 01/31/2008 - 13:32

Cathy,


just look at your context as a router.

Make sure there is a valid path between the context vlan and the servers.

Try to ping.

When you have connectivity with the servers, check if you have connectivity with the clients.

Again try to ping the ace interface and then the ace vip.

Be aware you need to explicitly permit icmp traffic in order for the ping to work.

Then, when all this works, you need to make sure that the server response to the client goes through the ACE blade.

This is a stateful device, so it requires seeing both sides of a connection. No asymmetric routing is allowed.



Gilles.

ciscocsoc Fri, 02/01/2008 - 01:05

Thanks Gilles,


Now I'm baffled. I can ping from server to VIP and client and from client to vip and server. It all looks fine - but it doesn't work.


I've attached the context config and the router vlan definitions. Don't worry about the SSL bit that is unused. The longer term goal is to offload the SSL of LDAPS - but I need to get 636 passed initially.


Thank you


Cathy



Gilles Dufour Fri, 02/01/2008 - 04:49

The problem is most probably asymmetric routing.

When the client connects to the vip, the ace module will forward the traffic to the server re-using the client ip address so that the server believes it is communicating directly with the client.

The response from the server is sent to the client.

Since there are routers in between, they route the traffic using the best path, which is most probably not through the ACE module.

So the client receives a response from the server which it drops because it is expecting a response from the vip.


one easy solution is to perform client nat on the ACE blade.



interface vlan 395
  nat-pool 1 128.243.253.188 128.243.253.188 netmask 255.255.255.248 pat

Then configure

policy-map multi-match L4POLICY
  class L4VIPCLASS
    nat dynamic 1 vlan 395


If it works after that, you'll know you had an asymmetric routing issue.

You can then keep the client nat solution or investigate the asymmetry.


Gilles.
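The failure Gilles describes above, modelled as an added Python example (this is not code from the thread, nor anything the ACE runs): a toy router that forwards the server's reply on its best path, a stateful ACE that can only un-NAT a reply it actually sees, and a client that only accepts a reply that appears to come from the VIP. The addresses, port numbers and VLAN layout are assumptions. It goes slightly beyond the post by also running the second remedy mentioned, a server-side route for the client subnet that points back through the ACE, so the reader can compare the two fixes.

```python
"""Toy model of the asymmetric-routing failure and the two ways out of it:
client (source) NAT on the ACE, or a return route that brings the server's
reply back through the ACE.

Added example, not code from the original thread or from the ACE itself.
All addresses and the topology are constructed for illustration.
"""
from dataclasses import dataclass, field

CLIENT = "10.1.1.10"            # assumed client, reached through other routers
VIP = "128.243.253.180"         # assumed VIP owned by the ACE context
SERVER = "10.2.2.20"            # assumed LDAP server on a VLAN not directly on the ACE
NAT_POOL = "128.243.253.181"    # assumed nat-pool address on the ACE server-side VLAN
LDAPS = 636


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Ace:
    """Stateful load balancer: it creates state on the client->VIP packet and
    can only rewrite the reply if that reply actually comes back through it."""
    client_nat: bool
    flows: dict = field(default_factory=dict)   # expected reply 4-tuple -> original request

    def owns(self, ip: str) -> bool:
        # The ACE answers for the VIP and, when client NAT is on, for the pool address.
        return ip == VIP or (self.client_nat and ip == NAT_POOL)

    def forward_to_server(self, req: Packet) -> Packet:
        # Without client NAT the client address is reused, so the server
        # believes it talks to the client directly. (This model keeps the
        # source port; a 'pat' pool may also translate it.)
        src = NAT_POOL if self.client_nat else req.src
        out = Packet(src, SERVER, req.sport, req.dport)
        self.flows[(out.dst, out.src, out.dport, out.sport)] = req
        return out

    def handle_reply(self, reply: Packet):
        req = self.flows.get((reply.src, reply.dst, reply.sport, reply.dport))
        if req is None:
            return None                      # no matching state: dropped
        # Undo the NAT and restore the VIP as source toward the client.
        return Packet(VIP, req.src, req.dport, req.sport)


def simulate(client_nat: bool, server_side_route_via_ace: bool = False) -> dict:
    """Run one LDAPS connection and report what each party sees."""
    ace = Ace(client_nat)
    req = Packet(CLIENT, VIP, 40000, LDAPS)          # client connects to the VIP
    to_server = ace.forward_to_server(req)
    reply = Packet(SERVER, to_server.src, LDAPS, to_server.sport)   # server answers whom it saw

    # The router between the server VLAN and the client forwards the reply on
    # its best path. That path crosses the ACE only if the destination is an
    # address the ACE owns, or if a route for the client subnet was added
    # that points back through the ACE's server-side interface.
    via_ace = ace.owns(reply.dst) or server_side_route_via_ace
    delivered = ace.handle_reply(reply) if via_ace else reply

    accepted = (
        delivered is not None
        and delivered.dst == CLIENT
        and (delivered.src, delivered.sport) == (req.dst, req.dport)  # must look like it came from the VIP
    )
    return {
        "server_sees_client_as": to_server.src,
        "reply_via_ace": via_ace,
        "client_sees_reply_from": None if delivered is None else delivered.src,
        "client_accepts": accepted,
    }


if __name__ == "__main__":
    for nat, route in ((False, False), (True, False), (False, True)):
        print(f"client_nat={nat} route_via_ace={route}: {simulate(nat, route)}")
```

In the no-NAT, no-return-route case the client sees a reply sourced from the real server address rather than the VIP; a real TCP stack would answer that SYN-ACK with a RST, which is the "it all pings but doesn't work" symptom in this thread. Client NAT fixes it because the reply is now addressed to an IP the ACE owns, so no router can route it around the ACE.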

ciscocsoc Fri, 02/01/2008 - 05:19

The nat didn't work.

Error message: Error: Specified ip address duplicates with an existing ip address configured in the context!


Even changing it to something else didn't work. The LDAP server doesn't see any traffic but when it has an address in VL395 it does. Sounds like a network routing issue - unless the ACE really can't cope with my topology. Every example I've seen has the servers in one subnet.


Thank you


Cathy

Gilles Dufour Sun, 02/03/2008 - 02:34

Cathy,


you can have the server wherever you want.

Could you get a 'show service-policy detail' before and after trying to connect from a client.

If you can, get a sniffer trace by creating a monitor session of the tengig interface associated with the ACE slot.


Thanks,


Gilles.

ciscocsoc Mon, 02/04/2008 - 00:35

Hi Gilles,


All your help and advice is really appreciated.


I've attached two files - one containing the config, sh service-policy detail, a capture and another show and the second containing a packet capture from the ACE TenGigabit interface.


Thank you


Cathy



Gilles Dufour Mon, 02/04/2008 - 05:28

this is an asymmetric routing issue.

Could you repeat the test with the nat config I told you to use.

You can't use the vip in the nat-pool with your version.

You need version A1.6.3 for that.

So, use an ip that belongs to the same subnet as the vip.

Then repeat the operation.

Capture config and sniffer trace.


Thanks,


Gilles.

ciscocsoc Mon, 02/04/2008 - 06:01

Hi Gilles,


I can't see any difference in the results. I must be missing something really basic as this should be a trivial routing configuration.


Thank you


Cathy



Gilles Dufour Mon, 02/04/2008 - 07:02

You used an ip from a different subnet.


The range is : 128.243.253.177 - x.x.x.183


Do you have a free ip in this range ?


Gilles.

ciscocsoc Mon, 02/04/2008 - 07:10

I get:


ace1/ldap(config)# int vl395
ace1/ldap(config-if)# no nat-pool 1 128.243.253.189 128.243.253.189 netmask 255.255.255.248 pat
ace1/ldap(config-if)# nat-pool 1 128.243.253.183 128.243.253.183 netmask 255.255.255.248 pat
Invalid start ip address


Do I put the nat pool on the clientside or serverside vlan?


Thanks


Cathy

Correct Answer
Gilles Dufour Mon, 02/04/2008 - 08:30

Cathy,


sorry, x.x.x.183 is the broadcast ip address for your subnet. So, the range is 177 - 182.

You need to configure the natpool on the outgoing interface, so the server interface.


Gilles.
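A check worth running before typing the nat-pool command, added here as a Python example (it is not from the thread and not an ACE feature). The subnet 128.243.253.176/29 follows from the netmask 255.255.255.248 and the 177-182 range quoted above; the interface address and VIP listed as "already configured" are assumptions. It reproduces the three rejections seen in this thread: an address outside the interface subnet, the broadcast address (.183), and an address that duplicates one already configured in the context.

```python
"""Validate candidate ACE nat-pool addresses against the server-side
interface subnet before committing them.

Added example, not from the original thread. The /29 is derived from the
netmask and usable range quoted in the thread; the addresses in EXISTING
are assumptions standing in for whatever the context already has.
"""
import ipaddress
import re

IFACE_SUBNET = ipaddress.ip_network("128.243.253.176/29")   # .176 network, .183 broadcast

# Addresses already configured in the context (assumed for illustration).
EXISTING = {
    "128.243.253.177": "interface vlan 395",
    "128.243.253.180": "VIP",
}

NAT_POOL_RE = re.compile(
    r"^\s*nat-pool\s+(\d+)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)(?:\s+pat)?\s*$"
)


def classify(addr: str, subnet=IFACE_SUBNET, existing=EXISTING) -> str:
    """Say why a single address cannot be used in the pool, or 'ok'."""
    ip = ipaddress.ip_address(addr)
    if ip not in subnet:
        return "outside-subnet"          # e.g. .189 against a .176/29 interface
    if ip == subnet.network_address:
        return "network-address"
    if ip == subnet.broadcast_address:
        return "broadcast-address"       # .183 here: 'Invalid start ip address'
    if addr in existing:
        return "duplicate"               # 'duplicates with an existing ip address'
    return "ok"


def usable_pool_addresses(subnet=IFACE_SUBNET, existing=EXISTING) -> list[str]:
    """Host addresses of the interface subnet not already taken."""
    return [str(h) for h in subnet.hosts() if str(h) not in existing]


def check_nat_pool_line(line: str, subnet=IFACE_SUBNET, existing=EXISTING) -> list[str]:
    """Parse an ACE 'nat-pool' line and list every problem found (empty = fine)."""
    m = NAT_POOL_RE.match(line)
    if not m:
        return ["unparsed nat-pool line"]
    _pool_id, start, end, mask = m.groups()
    problems = []

    # The pool's own address/mask should describe the interface subnet, otherwise
    # the pool is claiming addresses the ACE cannot answer for on that VLAN.
    pool_net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    if pool_net != subnet:
        problems.append(f"pool {start}/{mask} lies in {pool_net}, not in {subnet}")

    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if e < s:
        problems.append("end address before start address")
        return problems
    for n in range(int(s), int(e) + 1):
        addr = str(ipaddress.ip_address(n))
        status = classify(addr, subnet, existing)
        if status != "ok":
            problems.append(f"{addr}: {status}")
    return problems


if __name__ == "__main__":
    print("usable:", usable_pool_addresses())
    for cand in ("128.243.253.189", "128.243.253.183", "128.243.253.180", "128.243.253.181"):
        line = f"nat-pool 1 {cand} {cand} netmask 255.255.255.248 pat"
        print(line, "->", check_nat_pool_line(line) or "ok")
```

The pool must sit on the outgoing (server-side) interface because that is where the translated source address has to be reachable: the server's reply is addressed to the pool address, and the ACE answers for it on that VLAN, which is what forces the return traffic back through the stateful device.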

ciscocsoc Mon, 02/04/2008 - 08:42

SUCCESS!!!

Thank you! Thank you! Thank you!


All I have to do now is the SSL termination. Are there any issues with NAT and SSL termination?


Thank you


Cathy

Gilles Dufour Mon, 02/04/2008 - 09:17

no particular concern when enabling ssl termination with regard to nat.


I'm glad we finally found a solution.


Gilles.
