ACE 4710 VIP

Unanswered Question
Oct 6th, 2008

I am not able to access the web server through the VIP. Your help will be greatly appreciated. Below is my configuration on the ACE.

Server:
---------
resource-class RS_web
  limit-resource all minimum 10.00 maximum unlimited

boot system image:c4710ace-mz.A1_8_0a.bin

hostname ACE1

interface gigabitEthernet 1/1
  description Client Connectivity on VLAN 100
  switchport access vlan 100
  no shutdown
interface gigabitEthernet 1/2
  description Server Connectivity on VLAN 10
  switchport access vlan 10
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  shutdown

class-map type management match-any remote_access

context VC_web
  allocate-interface vlan 10
  allocate-interface vlan 100
  member RS_web

username admin password 5 xxx role Admin domain default-domain
username www password 5 xxx role Admin domain default-domain

ssh key rsa 1024 force

Virtual:
---------
logging enable
logging console 7
logging trap 7
logging history 7
logging monitor 7

access-list ALL line 8 extended permit ip any any

rserver host RS_web1
  description content server web-one
  ip address 10.2.0.99
  inservice

serverfarm host SF_web
  predictor hash header Accept
  rserver RS_web1 80
    inservice

class-map type management match-any VC_web_Remote
  description VC Web Remote Access
  2 match protocol telnet any
  3 match protocol https any
  5 match protocol ssh any
  6 match protocol icmp any
class-map match-all VS_web
  2 match virtual-address 10.1.0.99 255.255.252.0 tcp eq www

policy-map type management first-match VC_web_MGMT_ALLOW_POLICY
  class VC_web_Remote
    permit
policy-map type loadbalance first-match PM_LB
  class class-default
    serverfarm SF_web
policy-map multi-match PM_multi_match
  class VS_web
    loadbalance vip inservice
    loadbalance policy PM_LB

interface vlan 1
  description Server Connectivity on VLAN 10
  ip address 10.2.0.101 255.255.252.0
  nat-pool 1 10.2.0.200 10.2.0.204 netmask 255.255.252.0
  no shutdown
interface vlan 100
  ip address 10.1.0.101 255.255.252.0
  service-policy input VC_web_MGMT_ALLOW_POLICY
  service-policy input PM_multi_match
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.1.0.1

username admin password 5 xxxx role Admin domain default-domain


Gilles Dufour Mon, 10/06/2008 - 06:08

This is a very strange class-map

class-map match-all VS_web
  2 match virtual-address 10.1.0.99 255.255.252.0 tcp eq www

Usually you want to catch a /32 vip address.

Could you change the class-map to

class-map match-all VS_web
  2 match virtual-address 10.1.0.99 255.255.255.255 tcp eq www

If it still does not work, get a 'show service-policy detail' before and after trying to connect.

Gilles.

allen.malanda_2 Mon, 10/06/2008 - 06:31

I've changed my VIP to a /32, and I still can't access the web server. Here is my show service-policy detail result.

Policy-map : PM_multi_match
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1 100
  service-policy: PM_multi_match
    class: VS_web
      VIP Address:    Protocol:  Port:
      10.1.0.99       tcp        eq 80
      loadbalance:
        L7 loadbalance policy: PM_LB
        VIP ICMP Reply : DISABLED
        VIP State: INSERVICE
        curr conns : 0 , hit count : 0
        dropped conns : 0
        client pkt count : 0 , client byte count: 0
        server pkt count : 0 , server byte count: 0
        conn-rate-limit : 0 , drop-count : 0
        bandwidth-rate-limit : 0 , drop-count : 0
      L7 Loadbalance policy : PM_LB
        class/match : class-default
          LB action :
            primary serverfarm: SF_web
              state: UP
            backup serverfarm : -
          hit count : 0
          dropped conns : 0
          compression : off
      compression:
        bytes_in : 0
        bytes_out : 0

Gilles Dufour Mon, 10/06/2008 - 07:06

There is no hit on your vip.

So, traffic seems not to be getting to the module.

What's the ip address of the src?

Where is it located?

Does it have an arp entry for the vip?

Can you get a sniffer trace to see where the traffic is going?

Gilles.
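
The before/after comparison of 'show service-policy detail' requested in the replies above, as an added example that is not part of the original thread. The two captures are constructed and abridged to fields shown in this thread, and vip_counters and diagnose are hypothetical helper names.

```python
import re

# Constructed samples, abridged to fields that appear in this thread's
# 'show service-policy detail' output. AFTER is invented for contrast.
BEFORE = """\
Interface: vlan 1 100
  service-policy: PM_multi_match
    class: VS_web
      VIP State: INSERVICE
      curr conns : 0 , hit count : 0
      dropped conns : 0
      client pkt count : 0 , client byte count: 0
  L7 Loadbalance policy : PM_LB
    class/match : class-default
      hit count : 0
"""
AFTER = BEFORE.replace("hit count : 0", "hit count : 3", 1)

def vip_counters(text):
    """Map each 'class:' block to its first-seen numeric counters."""
    classes, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*class:\s*(\S+)", line)
        if header:
            current = classes.setdefault(header.group(1), {})
        elif current is not None:
            # A line may carry two 'name : value' pairs separated by a comma.
            for name, value in re.findall(r"([A-Za-z][\w -]*?)\s*:\s*(\d+)\b", line):
                # Keep the VIP-level value; the L7 policy repeats 'hit count'.
                current.setdefault(name, int(value))
    return classes

def diagnose(before, after, vip_class):
    """Compare two captures taken around one client connection attempt."""
    b, a = vip_counters(before)[vip_class], vip_counters(after)[vip_class]
    hits = a["hit count"] - b["hit count"]
    drops = a["dropped conns"] - b["dropped conns"]
    if hits == 0:
        verdict = "no-hit"      # nothing matched the VIP class
    elif drops > 0:
        verdict = "dropped"     # matched the VIP, then dropped by the ACE
    else:
        verdict = "hit"         # matched and handed to the load-balance policy
    return verdict, hits, drops

if __name__ == "__main__":
    print(diagnose(BEFORE, BEFORE, "VS_web"))  # the situation in this thread
    print(diagnose(BEFORE, AFTER, "VS_web"))
```

A "no-hit" verdict is the case read off the output in the reply above: the counters did not move, so the next place to look is the path between the client and the ACE.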

allen.malanda_2 Mon, 10/06/2008 - 07:55

The source ip add is 10.1.0.52/22 and it is located on vlan 100. Yes, I can see the VServer (10.1.0.99) on the arp table on vlan 100.

================================================================================
IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  NextArp(s) Status
================================================================================
10.2.0.99       00.14.22.d2.e9.91  vlan10     RSERVER   19     297 sec    up
10.2.0.101      00.1b.24.5b.b6.94  vlan10     INTERFACE LOCAL  _          up
10.2.0.200      00.1b.24.5b.b6.94  vlan10     NAT       LOCAL  _          up
- 10.2.0.204
10.1.0.1        00.13.80.b2.06.42  vlan100    GATEWAY   18     297 sec    up
10.1.0.50       00.0f.1f.a0.50.f0  vlan100    LEARNED   21     14397 sec  up
10.1.0.99       00.1b.24.5b.b6.94  vlan100    VSERVER   LOCAL  _          up
10.1.0.101      00.1b.24.5b.b6.94  vlan100    INTERFACE LOCAL  _          up
================================================================================
