01-31-2008 05:10 AM
Hi,
Does an ACE context work with host static routes?
I've been trying to set up a context to load balance LDAP where the servers have IP addresses across multiple VLANs and I'm not allowed to change the IP addresses. I've tried bridging and routing configurations. The only case that works is where the server is a member of the server-side VLAN. I noticed a comment in the Routing manual, page 2-2, which says that secondary IP addresses are not supported. Is a host static route equivalent to a secondary address?
Is it possible to achieve my goal?
Thank you
Cathy
01-31-2008 08:20 AM
Cathy,
you can use a host route.
But that will only solve the path from ACE to servers. You also need to make sure that the servers-to-ACE path is ok.
Also, don't forget one context can't communicate to/through another context.
Gilles.
01-31-2008 08:35 AM
Thank you Gilles,
As far as I can see the server can see the ACE context. I'm only using one context for this.
Do I need specific routes in the context as well as on the hosting router?
Thanks
Cathy
01-31-2008 01:32 PM
Cathy,
just look at your context as a router.
Make sure there is a valid path between the context vlan and the servers.
Try to ping.
When you have connectivity with the servers, check if you have connectivity with the clients.
Again try to ping the ace interface and then the ace vip.
Be aware you need to explicitly permit icmp traffic in order for the ping to work.
Then, when all this works, you need to make sure that the server response to the client goes through the ACE blade.
This is a stateful device, so it requires seeing both sides of a connection. No asymmetric routing is allowed.
Gilles.
02-01-2008 01:05 AM
Thanks Gilles,
Now I'm baffled. I can ping from server to VIP and client, and from client to VIP and server. It all looks fine - but it doesn't work.
I've attached the context config and the router VLAN definitions. Don't worry about the SSL bit; that is unused. The longer-term goal is to offload the SSL of LDAPS - but I need to get 636 passed initially.
Thank you
Cathy
02-01-2008 04:49 AM
The problem is most probably asymmetric routing.
When the client connects to the VIP, the ACE module will forward the traffic to the server re-using the client IP address, so that the server believes it is communicating directly with the client.
The response from the server is sent to the client.
Since there are routers in between, they route the traffic using the best path, which is most probably not through the ACE module.
So the client receives a response from the server which it drops, because it is expecting a response from the VIP.
One easy solution is to perform client NAT on the ACE blade.
interface vlan 395
nat-pool 1 128.243.253.188 128.243.253.188 netmask 255.255.255.248 pat
Then configure
policy-map multi-match L4POLICY
class L4VIPCLASS
nat dynamic 1 vlan 395
If it works after that, you'll know you had an asymmetric routing issue.
You can then keep the client NAT solution or investigate the asymmetry.
Gilles.
02-01-2008 05:19 AM
The NAT didn't work.
Error message: Error: Specified ip address duplicates with an existing ip address configured in the context!
Even changing it to something else didn't work. The LDAP server doesn't see any traffic, but when it has an address in VL395 it does. Sounds like a network routing issue - unless the ACE really can't cope with my topology. Every example I've seen has the servers in one subnet.
Thank you
Cathy
02-03-2008 02:34 AM
Cathy,
you can have the server wherever you want.
Could you get a 'show service-policy detail' before and after trying to connect from a client.
If you can, get a sniffer trace by creating a monitor session of the tengig interface associated with the ACE slot.
Thanks,
Gilles.
02-04-2008 12:35 AM
02-04-2008 05:28 AM
This is an asymmetric routing issue.
Could you repeat the test with the NAT config I told you to use?
You can't use the VIP in the nat-pool with your version.
You need version A1.6.3 for that.
So, use an IP that belongs to the same subnet as the VIP.
Then repeat the operation.
Capture config and sniffer trace.
Thanks,
Gilles.
02-04-2008 06:01 AM
02-04-2008 07:02 AM
You used an IP from a different subnet.
The range is: 128.243.253.177 - x.x.x.183
Do you have a free ip in this range ?
Gilles.
02-04-2008 07:10 AM
I get:
ace1/ldap(config)# int vl395
ace1/ldap(config-if)# no nat-pool 1 128.243.253.189 128.243.253.189 netmask 255.255.255.248 pat
ace1/ldap(config-if)# nat-pool 1 128.243.253.183 128.243.253.183 netmask 255.255.255.248 pat
Invalid start ip address
Do I put the nat-pool on the client-side or server-side VLAN?
Thanks
Cathy
02-04-2008 08:30 AM
Cathy,
sorry, x.x.x.183 is the broadcast IP address for your subnet. So, the range is 177 - 182.
You need to configure the nat-pool on the outgoing interface, so the server interface.
Gilles.
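Added example, not part of the thread and not ACE code or output: a small Python model of the two points Gilles makes above. First, why a stateful load balancer breaks when the server's reply takes a different path than the client's request (the client sees a packet from the real server IP instead of the VIP and drops it), and why rewriting the client source address from a nat-pool on the server-side interface forces the reply back through the ACE. Second, the address check Cathy ran into: a nat-pool address must lie inside the VIP's subnet and cannot be the network or broadcast address, so for 128.243.253.176/29 only .177 to .182 are usable. The /29 and TCP/636 come from the thread; the VIP (.180), the NAT address (.182), the client and server subnets and the single router are constructed assumptions.

```python
"""Model of asymmetric routing through a stateful load balancer and of
nat-pool address validation. Constructed example; not ACE software.

Assumptions (not from the thread): VIP 128.243.253.180, NAT address
128.243.253.182, client 10.0.1.50, LDAP server 10.0.3.7, one router.
"""
from ipaddress import ip_address, ip_network

SERVER_VLAN = ip_network("128.243.253.176/29")   # from the thread
VIP = ip_address("128.243.253.180")              # assumed VIP inside that /29
CLIENT = ip_address("10.0.1.50")                 # assumed client
SERVER = ip_address("10.0.3.7")                  # assumed LDAP server, other VLAN
NAT_ADDR = ip_address("128.243.253.182")         # assumed; last usable host of the /29
LDAPS_PORT = 636


def usable_hosts(net):
    """Addresses a nat-pool may use: everything except network and broadcast."""
    return list(ip_network(net).hosts())


def check_pool_addr(addr, vip_net):
    """Reproduce the two rejections seen in the thread. None means usable."""
    addr, vip_net = ip_address(addr), ip_network(vip_net)
    if addr not in vip_net:
        return "address is in a different subnet than the VIP"
    if addr == vip_net.broadcast_address:
        return "Invalid start ip address (broadcast address)"
    if addr == vip_net.network_address:
        return "Invalid start ip address (network address)"
    return None


class Router:
    """Longest-prefix-match forwarder. routes maps prefix -> next-hop name."""
    def __init__(self, routes):
        self.routes = {ip_network(p): nh for p, nh in routes.items()}

    def next_hop(self, dst):
        best = max((n for n in self.routes if dst in n), key=lambda n: n.prefixlen)
        return self.routes[best]


def simulate(client_nat):
    """Return (accepted_by_client, hop_list) for one client -> VIP:636 flow.

    The ACE keeps per-connection state; it can only rewrite the server's
    reply back to the VIP if that reply actually passes through it.
    """
    router = Router({"0.0.0.0/0": "upstream", "10.0.1.0/24": "client",
                     "10.0.3.0/24": "server", str(SERVER_VLAN): "ace"})
    flows = {}
    assert router.next_hop(VIP) == "ace"          # VIP traffic reaches the ACE
    # "nat dynamic" on the server interface rewrites the client source address.
    src_seen_by_server = NAT_ADDR if client_nat else CLIENT
    flows[(SERVER, src_seen_by_server)] = (CLIENT, VIP)
    # ACE -> server over a static host route via the router.
    path = ["client", "router", "ace", "router", "server"]
    # The server replies to whatever source it saw, via its default gateway.
    reply_dst = src_seen_by_server
    hop = router.next_hop(reply_dst)
    path.append("router")
    if hop == "ace" and (SERVER, reply_dst) in flows:
        client, vip = flows[(SERVER, reply_dst)]
        reply_src, reply_dst = vip, client        # un-NAT: client sees the VIP
        path += ["ace", "router", "client"]
    else:
        reply_src = SERVER                        # bypassed the ACE: asymmetric
        path.append(hop)
    accepted = reply_dst == CLIENT and reply_src == VIP
    return accepted, path


if __name__ == "__main__":
    for nat in (False, True):
        ok, hops = simulate(nat)
        print(f"client NAT={nat}: accepted={ok}, path={' -> '.join(hops)}")
    print("usable nat-pool addresses:", [str(a) for a in usable_hosts(SERVER_VLAN)])
    for cand in ("128.243.253.189", "128.243.253.183", "128.243.253.182"):
        print(cand, "->", check_pool_addr(cand, SERVER_VLAN) or "ok")
```

The model deliberately gives the router a direct route to the client subnet, which is the normal situation Gilles describes: without client NAT the server's reply is routed straight to the client and never revisits the ACE, so the connection state on the ACE is useless and the client discards the packet. With the pool address in the VIP's /29, the reply is destined for that subnet and the router hands it back to the ACE.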
02-04-2008 08:42 AM
SUCCESS!!!
Thank you! Thank you! Thank you!
All I have to do now is the SSL termination. Are there any issues with NAT and SSL termination?
Thank you
Cathy