ACE Server Load Balancing

allen.malanda_2
Level 1

I am not able to browse the website by using the VIP. I can ping it or trace it. I enabled logging on the ACE but I do not see any web traffic coming through the VIP. When I do a show service-policy detail, there are no hits on the VIP. Below are my configs for the admin context and the virtual context. Please help!

Admin Context
-----------------

resource-class RS_web
  limit-resource all minimum 10.00 maximum unlimited

boot system image:c4710ace-mz.A1_8_0a.bin

hostname ACE1

interface gigabitEthernet 1/1
  description Client Connectivity on VLAN 100
  switchport access vlan 100
  no shutdown
interface gigabitEthernet 1/2
  description Server Connectivity on VLAN 10
  switchport access vlan 10
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  shutdown

context VC_web
  allocate-interface vlan 10
  allocate-interface vlan 100
  member RS_web

Virtual Context
-----------------

logging enable
logging console 7
logging trap 7
logging history 7
logging monitor 7

access-list ALL line 8 extended permit ip any any

rserver host RS_web1
  description content server web-one
  ip address 10.2.0.99
  inservice
rserver host RS_web2
  description content server web-two
  ip address 10.2.0.98
  inservice

serverfarm host SF_web
  rserver RS_web1 80
    inservice
  rserver RS_web2 80
    inservice

class-map type management match-any VC_web_Remote
  description VC Web Remote Access
  2 match protocol telnet any
  3 match protocol https any
  5 match protocol ssh any
  6 match protocol icmp any
class-map match-all VS_web
  2 match virtual-address 10.1.0.99 tcp eq www

policy-map type management first-match VC_web_MGMT_ALLOW_POLICY
  class VC_web_Remote
    permit

policy-map type loadbalance first-match PM_LB
  class class-default
    serverfarm SF_web

policy-map multi-match PM_multi_match
  class VS_web
    loadbalance vip inservice
    loadbalance policy PM_LB
    loadbalance vip icmp-reply active

interface vlan 10
  description Server Connectivity on VLAN 10
  ip address 10.2.0.101 255.255.252.0
  nat-pool 1 10.2.0.200 10.2.0.204 netmask 255.255.252.0
  no shutdown
interface vlan 100
  ip address 10.1.0.101 255.255.252.0
  service-policy input VC_web_MGMT_ALLOW_POLICY
  service-policy input PM_multi_match
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.1.0.1

username admin password 5 xxxx role Admin domain default-domain


Gilles Dufour
Cisco Employee

As mentioned in the previous discussion you opened on the same subject, you need to check the next-hop and see if it has an ARP entry for the VIP.

Check what the MAC address is.

Make sure your L2 network has a valid path for this MAC address.

On which VLAN is your client?

Gilles.

The ARP entry is the same on the ACE and my layer 3 switch. Does my configuration look OK?

ACE VIP ARP
--------------
10.1.0.99 00.1b.24.5b.b6.94 vlan100 VSERVER LOCAL _ up

L3 Switch ARP
----------------
Vlan Mac Address    Type     Ports
---- -----------    -------- -----
100  001b.245b.b694 DYNAMIC  Fa0/1
10   001b.245b.b694 DYNAMIC  Fa0/2

You've created an access-list ALL, but it isn't applied on your interfaces.

int vla 10
  access-group input ALL
int vla 100
  access-group input ALL

I've created an access-list ALL permit ip any any, and applied it on the input of int vlan 10 and 100. The connection is getting built but something is dropping it. Thanks,

Here is the log from the ACE
------------------------------

%ACE-6-302022: Built TCP connection 0x9 for vlan100:10.1.0.50/4624 (10.1.0.50/4624) to vlan10:10.1.0.99/80 (10.2.0.99/80)

%ACE-6-302023: Teardown TCP connection 0x9 for vlan100:10.1.0.50/4624 to vlan10:10.1.0.99/80 duration 0:00:06 bytes 48 SYN Timeout

show service-policy detail
--------------------------------

Interface: vlan 1 100
  service-policy: PM_multi_match
    class: VS_web
      VIP Address:    Protocol:  Port:
      10.1.0.99       tcp        eq    80
      loadbalance:
        L7 loadbalance policy: PM_LB
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0 , hit count        : 12
        dropped conns    : 12
        client pkt count : 18 , client byte count: 864
        server pkt count : 0 , server byte count: 0
        conn-rate-limit      : 0 , drop-count : 0
        bandwidth-rate-limit : 0 , drop-count : 0
        L7 Loadbalance policy : PM_LB
          class/match : class-default
            LB action :
              primary serverfarm: SF_web
                state: UP
              backup serverfarm : -
            hit count        : 12
            dropped conns    : 0
      compression : off
      compression:
        bytes_in  : 0
        bytes_out : 0

It's a SYN timeout.

It looks as if response from server is bypassing ACE. What is the default gateway configured on the server?

I suspect that the response is bypassing ACE.

Syed Iftekhar Ahmed

It worked. I've changed the default gateway on the server to the ip address of interface vlan 10 on the ace.

Great Job!
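
The diagnosis reached in this thread, as an added example that is not part of any post: pair the ACE Built/Teardown syslog lines, pick out connections that ended in "SYN Timeout", and check whether the real server's reply would return through the ACE. The 0xa log pair and the 10.2.0.1 gateway are constructed for illustration; the thread does not state the server's original gateway.

```python
import ipaddress
import re

# First pair: the ACE syslog lines quoted in the thread. Second pair (0xa): constructed.
LOG = """\
%ACE-6-302022: Built TCP connection 0x9 for vlan100:10.1.0.50/4624 (10.1.0.50/4624) to vlan10:10.1.0.99/80 (10.2.0.99/80)
%ACE-6-302023: Teardown TCP connection 0x9 for vlan100:10.1.0.50/4624 to vlan10:10.1.0.99/80 duration 0:00:06 bytes 48 SYN Timeout
%ACE-6-302022: Built TCP connection 0xa for vlan100:10.1.0.51/4630 (10.1.0.51/4630) to vlan10:10.1.0.99/80 (10.2.0.98/80)
%ACE-6-302023: Teardown TCP connection 0xa for vlan100:10.1.0.51/4630 to vlan10:10.1.0.99/80 duration 0:00:02 bytes 5120 TCP FINs
"""

BUILT = re.compile(r"%ACE-6-302022: Built TCP connection (\S+) for \w+:([\d.]+)/\d+ \(\S+\) "
                   r"to \w+:([\d.]+)/\d+ \(([\d.]+)/\d+\)")
TEARDOWN = re.compile(r"%ACE-6-302023: Teardown TCP connection (\S+) for .* bytes (\d+) (.+)$")


def syn_timeouts(log):
    """Return the built connections that were torn down with reason 'SYN Timeout'."""
    built, hits = {}, []
    for line in log.splitlines():
        if m := BUILT.search(line):
            conn, client, vip, rserver = m.groups()
            built[conn] = {"conn": conn, "client": client, "vip": vip, "rserver": rserver}
        elif (m := TEARDOWN.search(line)) and m.group(1) in built:
            rec = built.pop(m.group(1))
            if m.group(3).strip() == "SYN Timeout":
                hits.append(rec)
    return hits


def reply_bypasses_ace(client, server_gw, ace_server_if):
    """True when the server's SYN-ACK to this client would not pass back through the ACE.

    ace_server_if is the ACE server-side interface, e.g. '10.2.0.101/255.255.252.0'.
    Without source NAT the server replies to the real client address, so the reply
    only reaches the ACE if the client is off-subnet and the gateway is the ACE.
    """
    ace = ipaddress.ip_interface(ace_server_if)
    if ipaddress.ip_address(client) in ace.network:
        return True  # same subnet: the server answers the client directly
    return ipaddress.ip_address(server_gw) != ace.ip


if __name__ == "__main__":
    for rec in syn_timeouts(LOG):
        # 10.2.0.1 is a hypothetical original gateway; 10.2.0.101 is interface vlan 10.
        for gw in ("10.2.0.1", "10.2.0.101"):
            bypass = reply_bypasses_ace(rec["client"], gw, "10.2.0.101/255.255.252.0")
            print(rec["conn"], rec["rserver"], "gateway", gw, "bypasses ACE:", bypass)
```

A SYN Timeout teardown together with "server pkt count : 0" in show service-policy detail matches the bypass case: the ACE forwards the SYN but never sees the server's answer.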
