ACE Module

Unanswered Question
Mar 4th, 2008

Basically we have a running ACE context which works; however, we are using NAT and we have some applications complaining that they can't see the source address of things. So I created a whole new context with the following config, but I have the problem that when the client is on the server-side network the traffic never makes it there.

ACE1/ sho run
Generating configuration....

access-list ALL line 8 extended permit ip any any

rserver host CE-565-1
  ip address

serverfarm host Content_Engine_SF
  rserver CE-565-1

class-map match-all Content_Engine_VIP
  2 match virtual-address any
class-map type management match-any Remote_Management
  2 match protocol http any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any

policy-map type management first-match rmt_mgt_policy
  class Remote_Management

policy-map type loadbalance first-match Content_Engine_VIP-l7slb
  class class-default
    serverfarm Content_Engine_SF

policy-map multi-match int18
  class Content_Engine_VIP
    loadbalance vip inservice
    loadbalance policy Content_Engine_VIP-l7slb
    loadbalance vip icmp-reply active

access-group input ALL

interface vlan 3
  description Server_Side
  ip address
  mac-sticky enable
  no shutdown
interface vlan 18
  description Client Side Network
  ip address
  mac-sticky enable
  service-policy input int18
  no shutdown

ip route

If I telnet to the VIP from my machine it works fine. If I telnet from it works fine. However, when I telnet from a machine on VLAN 3 it does not work. I would have thought the mac-sticky option would work, but it seems to be doing nothing. Any ideas without using a NAT pool would be great, so we can see the originating IP address.

Kristopher Martinez Tue, 03/04/2008 - 09:11

If you are initiating traffic from serverA to a VIP that load balances to serverB in that same VLAN you will have an asymmetric flow. ServerA is on the same VLAN as serverB. Since both servers are in the same subnet, serverB will ARP for serverA's address and send the response directly to serverA. The traffic will never make it back to the ACE. There are a few things you can do:

1. Use NAT to ensure the return traffic makes it back to the ACE.

2. Insert HTTP header with client IP address. This only works for HTTP traffic and your application must be able to recognize this header for logging.

3. Use Direct Server Return (DSR). This feature has been committed to ACE 2.0. This will require the servers to be L2 adjacent to the ACE module and you will need to configure the VIP address as a loopback address on the server. Here is CSM documentation that lists some of the limitations with DSR:
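As an added illustration (not posted by either participant), this is how options 1 and 2 above could be expressed in ACE CLI against the poster's context: source NAT on the server VLAN so the servers reply to the ACE instead of ARPing for a client on their own VLAN, plus an X-Forwarded-For header so the real client address still reaches the HTTP logs. The pool address 192.0.2.250 is a constructed placeholder (use an unused address in the real VLAN 3 subnet), and narrowing the VIP class to TCP/80 is an assumption needed because header insertion requires an L7 load-balance policy.

```text
! Added example, not from the thread. Assumed values: NAT pool address
! 192.0.2.250 (constructed placeholder on the VLAN 3 subnet) and HTTP on TCP/80.

! Option 1: source-NAT client traffic toward the servers. Return traffic is then
! addressed to the ACE on VLAN 3, which removes the asymmetric flow.
interface vlan 3
  description Server_Side
  nat-pool 1 192.0.2.250 192.0.2.250 netmask 255.255.255.255 pat

! Option 2: carry the original client IP in an X-Forwarded-For header so the
! content engine can log it ("%is" expands to the client source address).
! insert-http is an L7 action, so the VIP class is narrowed to TCP port 80.
class-map match-all Content_Engine_VIP
  2 match virtual-address any tcp eq 80

policy-map type loadbalance first-match Content_Engine_VIP-l7slb
  class class-default
    serverfarm Content_Engine_SF
    insert-http X-Forwarded-For header-value "%is"

policy-map multi-match int18
  class Content_Engine_VIP
    loadbalance vip inservice
    loadbalance policy Content_Engine_VIP-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 3
```

The header only helps applications that read X-Forwarded-For; non-HTTP traffic through the same VIP will show the NAT pool address as its source.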
