ACE and host static routes?

ciscocsoc
Level 4

Hi,

Does an ACE context work with host static routes?

I've been trying to set up a context to load balance LDAP where the servers have IP addresses across multiple VLANs and I'm not allowed to change the IP addresses. I've tried bridging and routing configurations. The only case that works is where the server is a member of the server-side VLAN. I noticed a comment on page 2-2 of the Routing manual that says that secondary IP addresses are not supported. Is a host static route equivalent to a secondary address?

Is it possible to achieve my goal?

Thank you

Cathy

Accepted Solution

Cathy,

sorry, x.x.x.183 is the broadcast ip address for your subnet. So, the range is 177 - 182.

You need to configure the natpool on the outgoing interface, so the server interface.

Gilles.


15 Replies

Gilles Dufour
Cisco Employee

Cathy,

you can use host route.

But that will only solve the path from ACE to servers. You also need to make sure that the servers to ACE path is ok.

Also, don't forget one context can't communicate to/through another context.

Gilles.

Thank you Gilles,

As far as I can see the server can see the ACE context. I'm only using one context for this.

Do I need specific routes in the context as well as on the hosting router?

Thanks

Cathy

Cathy,

just look at your context as a router.

Make sure there is a valid path between the context vlan and the servers.

Try to ping.

When you have connectivity with the servers, check if you have connectivity with the clients.

Again try to ping the ace interface and then the ace vip.

Be aware you need to explicitly permit icmp traffic in order for the ping to work.

Then, when all this works, you need to make sure that the server response to the client goes through the ACE blade.

This is a stateful device, so it needs to see both sides of a connection. No asymmetric routing is allowed.

Gilles.

Thanks Gilles,

Now I'm baffled. I can ping from server to VIP and client and from client to vip and server. It all looks fine - but it doesn't work.

I've attached the context config and the router vlan definitions. Don't worry about the SSL bit that is unused. The longer term goal is to offload the SSL of LDAPS - but I need to get 636 passed initially.

Thank you

Cathy

The problem is most probably asymmetric routing.

When the client connects to the vip, the ace module will forward the traffic to the server re-using the client ip address so that the server believes it is communicating directly with the client.

The response from the server is sent to the client.

Since there are routers in between, they route the traffic using the best path, which is most probably not through the ACE module.

So the client receives a response from the server which it drops because it is expecting a response from the vip.

one easy solution is to perform client nat on the ACE blade.

interface vlan 395
  nat-pool 1 128.243.253.188 128.243.253.188 netmask 255.255.255.248 pat

Then configure

policy-map multi-match L4POLICY
  class L4VIPCLASS
    nat dynamic 1 vlan 395

If it works after that, you'll know you had an asymmetric routing issue.

You can then keep the client nat solution or investigate the asymmetry.

Gilles.

The nat didn't work.

Error message: Error: Specified ip address duplicates with an existing ip address configured in the context!

Even changing it to something else didn't work. The LDAP server doesn't see any traffic but when it has an address in VL395 it does. Sounds like a network routing issue - unless the ACE really can't cope with my topology. Every example I've seen has the servers in one subnet.

Thank you

Cathy

Cathy,

you can have the server wherever you want.

Could you get a 'show service-policy detail' before and after trying to connect from a client.

If you can, get a sniffer trace by creating a monitor session of the tengig interface associated with the ACE slot.

Thanks,

Gilles.

Hi Gilles,

All your help and advice is really appreciated.

I've attached two files - one containing the config, sh service-policy detail, a capture and another show and the second containing a packet capture from the ACE TenGigabit interface.

Thank you

Cathy

this is an asymmetric routing issue.

Could you repeat the test with the nat config I told you to use.

You can't use the vip in the nat-pool with your version.

You need version A1.6.3 for that.

So, use an ip that belongs to the same subnet as the vip.

Then repeat the operation.

Capture config and sniffer trace.

Thanks,

Gilles.

Hi Gilles,

I can't see any difference in the results. I must be missing something really basic as this should be a trivial routing configuration.

Thank you

Cathy

You used an ip from a different subnet.

The range is : 128.243.253.177 - x.x.x.183

Do you have a free ip in this range ?

Gilles.

I get:

ace1/ldap(config)# int vl395

ace1/ldap(config-if)# no nat-pool 1 128.243.253.189 128.243.253.189 netmask 255.255.255.248 pat

ace1/ldap(config-if)# nat-pool 1 128.243.253.183 128.243.253.183 netmask 255.255.255.248 pat

Invalid start ip address

Do I put the nat pool on the clientside or serverside vlan?

Thanks

Cathy

Cathy,

sorry, x.x.x.183 is the broadcast ip address for your subnet. So, the range is 177 - 182.

You need to configure the natpool on the outgoing interface, so the server interface.

Gilles.
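An added Python model (not code from the thread or from Cisco) of the two things this exchange turns on: why a nat-pool address gets rejected, and why the client-NAT pool on the server-side VLAN pulls the server's reply back through the stateful ACE. The /29 subnet is inferred from the thread's stated range (.177-.182, mask 255.255.255.248); the client, server and VIP addresses are constructed samples.

```python
import ipaddress
from typing import Optional

# Server-side VLAN 395 subnet, inferred from the thread: usable hosts
# 128.243.253.177-182 with netmask 255.255.255.248 (a /29).
SERVER_VLAN_SUBNET = ipaddress.ip_network("128.243.253.176/29")
# Constructed sample addresses; the thread does not give the real ones.
CLIENT_IP, SERVER_IP, VIP = "10.1.1.10", "10.2.2.20", "128.243.253.180"


def check_nat_pool_ip(start_ip: str, subnet=SERVER_VLAN_SUBNET) -> str:
    """Reproduce the two rejections seen in the thread for a client-NAT pool.

    The pool address must sit inside the subnet of the interface it is
    configured on (the outgoing, server-side VLAN) and must be a host
    address: neither the network number nor the directed broadcast.
    """
    ip = ipaddress.ip_address(start_ip)
    if ip not in subnet:
        return "outside subnet"            # .188 / .189 are in the next /29
    if ip in (subnet.network_address, subnet.broadcast_address):
        return "invalid start ip address"  # .183 is the broadcast of .176/29
    return "ok"


def simulate_connection(nat_ip: Optional[str] = None) -> dict:
    """Model the asymmetric-routing failure and the client-NAT fix.

    Without client NAT the ACE forwards the request with the client's own
    source address, so the server replies straight to the client; the routers
    take the best path, which bypasses the stateful ACE, and the client drops
    a reply sourced from the server instead of the VIP. With client NAT the
    reply is addressed to the pool IP owned by ACE, so it must come back
    through ACE, which restores the VIP as the source the client expects.
    """
    ace_owned = {VIP} | ({nat_ip} if nat_ip else set())
    src_seen_by_server = nat_ip or CLIENT_IP
    reply_dst = src_seen_by_server           # server answers whoever it saw
    if reply_dst in ace_owned:
        path, src_seen_by_client = "via ACE", VIP   # ACE un-NATs the reply
    else:
        path, src_seen_by_client = "direct", SERVER_IP  # ACE never sees it
    return {"path": path, "src_seen_by_client": src_seen_by_client,
            "accepted": src_seen_by_client == VIP}
```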

SUCCESS!!!

Thank you! Thank you! Thank you!

All I have to do now is the SSL termination. Are there any issues with NAT and SSL termination?

Thank you

Cathy
