10-06-2008 06:04 AM
I am not able to access the web server through the VIP. Your help will be greatly appreciated. Below is my configuration on the ACE.
Server:
---------
resource-class RS_web
  limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-mz.A1_8_0a.bin
hostname ACE1
interface gigabitEthernet 1/1
  description Client Connectivity on VLAN 100
  switchport access vlan 100
  no shutdown
interface gigabitEthernet 1/2
  description Server Connectivity on VLAN 10
  switchport access vlan 10
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  shutdown
class-map type management match-any remote_access
context VC_web
  allocate-interface vlan 10
  allocate-interface vlan 100
  member RS_web
username admin password 5 xxx role Admin domain default-domain
username www password 5 xxx role Admin domain default-domain
ssh key rsa 1024 force
Virtual:
---------
logging enable
logging console 7
logging trap 7
logging history 7
logging monitor 7
access-list ALL line 8 extended permit ip any any
rserver host RS_web1
  description content server web-one
  ip address 10.2.0.99
  inservice
serverfarm host SF_web
  predictor hash header Accept
  rserver RS_web1 80
    inservice
class-map type management match-any VC_web_Remote
  description VC Web Remote Access
  2 match protocol telnet any
  3 match protocol https any
  5 match protocol ssh any
  6 match protocol icmp any
class-map match-all VS_web
  2 match virtual-address 10.1.0.99 255.255.252.0 tcp eq www
policy-map type management first-match VC_web_MGMT_ALLOW_POLICY
  class VC_web_Remote
    permit
policy-map type loadbalance first-match PM_LB
  class class-default
    serverfarm SF_web
policy-map multi-match PM_multi_match
  class VS_web
    loadbalance vip inservice
    loadbalance policy PM_LB
interface vlan 1
  description Server Connectivity on VLAN 10
  ip address 10.2.0.101 255.255.252.0
  nat-pool 1 10.2.0.200 10.2.0.204 netmask 255.255.252.0
  no shutdown
interface vlan 100
  ip address 10.1.0.101 255.255.252.0
  service-policy input VC_web_MGMT_ALLOW_POLICY
  service-policy input PM_multi_match
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.0.1
username admin password 5 xxxx role Admin domain default-domain
10-06-2008 06:08 AM
This is a very strange class-map:
class-map match-all VS_web
  2 match virtual-address 10.1.0.99 255.255.252.0 tcp eq www
Usually you want to catch a /32 VIP address.
Could you change the class-map to
class-map match-all VS_web
  2 match virtual-address 10.1.0.99 255.255.255.255 tcp eq www
If it still does not work, get a 'show service-policy detail' before and after trying to connect.
Gilles.
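An added example (not part of the original posts, and not Cisco tooling): a small Python check for the point raised in the reply above. It lists each virtual-address whose mask is wider than /32, the range that mask would catch, and which of the configuration's own addresses fall inside it. The sample input is built from the posted configuration; the function and regex names are illustrative.

```python
import ipaddress
import re

# Constructed sample: lines taken from the configuration posted in this thread.
SAMPLE_CONFIG = """\
class-map match-all VS_web
  2 match virtual-address 10.1.0.99 255.255.252.0 tcp eq www
interface vlan 100
  ip address 10.1.0.101 255.255.252.0
ip route 0.0.0.0 0.0.0.0 10.1.0.1
"""

CLASS_RE = re.compile(r"^class-map\s+(?:type\s+\S+\s+)?(?:match-(?:all|any)\s+)?(\S+)")
VIP_RE = re.compile(r"^\s*\d+\s+match virtual-address (\S+) (\S+)")
# Addresses the ACE itself uses: interface/rserver addresses and route next hops.
ADDR_RE = re.compile(r"^\s*(?:ip address|ip route \S+ \S+) (\S+)", re.M)


def audit_vips(config):
    """Report every virtual-address whose netmask is wider than a single host."""
    known = ADDR_RE.findall(config)
    findings, current = [], None
    for line in config.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VIP_RE.match(line)
        if not m:
            continue
        # strict=False: the VIP is a host address inside the masked range.
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        if net.prefixlen == 32:
            continue
        findings.append({
            "class_map": current,
            "vip": m.group(1),
            "range": str(net),
            "addresses": net.num_addresses,
            "overlaps": [a for a in known if ipaddress.ip_address(a) in net],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_vips(SAMPLE_CONFIG):
        print(finding)
```

With the posted /22 mask the reported range is the whole client subnet, including the ACE's own VLAN 100 address and the default gateway.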
10-06-2008 06:31 AM
I've changed my VIP to a /32, and I still can't access the web server. Here is my show service-policy detail result.
Policy-map : PM_multi_match
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 1 100
service-policy: PM_multi_match
class: VS_web
VIP Address: Protocol: Port:
10.1.0.99 tcp eq 80
loadbalance:
L7 loadbalance policy: PM_LB
VIP ICMP Reply : DISABLED
VIP State: INSERVICE
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : PM_LB
class/match : class-default
LB action :
primary serverfarm: SF_web
state: UP
backup serverfarm : -
hit count : 0
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
10-06-2008 07:06 AM
There is no hit on your VIP.
So, traffic seems not to be getting to the module.
What's the IP address of the source?
Where is it located?
Does it have an ARP entry for the VIP?
Can you get a sniffer trace to see where the traffic is going?
Gilles.
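An added example (not from the posts): one way to automate the before/after comparison of 'show service-policy detail' requested earlier in the thread. BEFORE is trimmed from the output posted above, AFTER is a hand-edited copy for illustration, and the verdict strings other than the zero-hit case are this example's own interpretation.

```python
import re

# Constructed sample: BEFORE is trimmed from the output posted in this thread;
# AFTER is the same text with two counters edited by hand for illustration.
BEFORE = """\
class: VS_web
VIP State: INSERVICE
curr conns : 0 , hit count : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
L7 Loadbalance policy : PM_LB
hit count : 0
"""
AFTER = BEFORE.replace("hit count : 0", "hit count : 3", 1).replace(
    "client pkt count : 0", "client pkt count : 18")

# "name : number" pairs, one or more per line, separated by commas.
COUNTER_RE = re.compile(r"(?:^|,)\s*([a-z][a-z _-]*?)\s*:\s*(\d+)")


def parse(output):
    """Return {class_name: {"state": ..., counter_name: int, ...}}."""
    classes, cur = {}, None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("class:"):
            cur = classes.setdefault(line.split(":", 1)[1].strip(), {})
        elif cur is None:
            continue
        elif line.startswith("VIP State:"):
            cur["state"] = line.split(":", 1)[1].strip()
        else:
            for name, value in COUNTER_RE.findall(line):
                # VIP-level counters are printed first; keep those and ignore
                # the same names repeated under the L7 policy.
                cur.setdefault(name, int(value))
    return classes


def diagnose(before, after, cls):
    """Compare two snapshots and say where the traffic stops."""
    b, a = parse(before)[cls], parse(after)[cls]
    keys = ("hit count", "client pkt count", "server pkt count")
    delta = {k: a[k] - b[k] for k in keys}
    if a.get("state") != "INSERVICE":
        verdict = "VIP is not in service"
    elif delta["hit count"] == 0:
        verdict = "no hit on the VIP: traffic is not reaching this policy"
    elif delta["server pkt count"] == 0:
        verdict = "VIP is hit but the server sent nothing back"
    else:
        verdict = "traffic flows in both directions"
    return delta, verdict
```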
10-06-2008 07:55 AM
The source IP address is 10.1.0.52/22 and it is located on vlan 100. Yes, I can see the VServer (10.1.0.99) in the ARP table on vlan 100.
================================================================================
IP ADDRESS    MAC-ADDRESS        Interface  Type       Encap  NextArp(s)  Status
================================================================================
10.2.0.99     00.14.22.d2.e9.91  vlan10     RSERVER    19     297 sec     up
10.2.0.101    00.1b.24.5b.b6.94  vlan10     INTERFACE  LOCAL  _           up
10.2.0.200    00.1b.24.5b.b6.94  vlan10     NAT        LOCAL  _           up
- 10.2.0.204
10.1.0.1      00.13.80.b2.06.42  vlan100    GATEWAY    18     297 sec     up
10.1.0.50     00.0f.1f.a0.50.f0  vlan100    LEARNED    21     14397 sec   up
10.1.0.99     00.1b.24.5b.b6.94  vlan100    VSERVER    LOCAL  _           up
10.1.0.101    00.1b.24.5b.b6.94  vlan100    INTERFACE  LOCAL  _           up
================================================================================