10-07-2008 06:03 AM
I am not able to browse the website by using the VIP. I can ping it or trace it. I enabled
logging on the ACE but I do not see any web traffic coming through the vip. When I do a show
service-policy detail, there are no hits on the vip. Below are my configs for the admin context
and the virtual context. Please help!
Admin Context
-----------------
resource-class RS_web
  limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-mz.A1_8_0a.bin
hostname ACE1
interface gigabitEthernet 1/1
  description Client Connectivity on VLAN 100
  switchport access vlan 100
  no shutdown
interface gigabitEthernet 1/2
  description Server Connectivity on VLAN 10
  switchport access vlan 10
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  shutdown
context VC_web
  allocate-interface vlan 10
  allocate-interface vlan 100
  member RS_web
Virtual Context
-----------------
logging enable
logging console 7
logging trap 7
logging history 7
logging monitor 7
access-list ALL line 8 extended permit ip any any
rserver host RS_web1
  description content server web-one
  ip address 10.2.0.99
  inservice
rserver host RS_web2
  description content server web-two
  ip address 10.2.0.98
  inservice
serverfarm host SF_web
  rserver RS_web1 80
    inservice
  rserver RS_web2 80
    inservice
class-map type management match-any VC_web_Remote
  description VC Web Remote Access
  2 match protocol telnet any
  3 match protocol https any
  5 match protocol ssh any
  6 match protocol icmp any
class-map match-all VS_web
  2 match virtual-address 10.1.0.99 tcp eq www
policy-map type management first-match VC_web_MGMT_ALLOW_POLICY
  class VC_web_Remote
    permit
policy-map type loadbalance first-match PM_LB
  class class-default
    serverfarm SF_web
policy-map multi-match PM_multi_match
  class VS_web
    loadbalance vip inservice
    loadbalance policy PM_LB
    loadbalance vip icmp-reply active
interface vlan 10
  description Server Connectivity on VLAN 10
  ip address 10.2.0.101 255.255.252.0
  nat-pool 1 10.2.0.200 10.2.0.204 netmask 255.255.252.0
  no shutdown
interface vlan 100
  ip address 10.1.0.101 255.255.252.0
  service-policy input VC_web_MGMT_ALLOW_POLICY
  service-policy input PM_multi_match
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.0.1
username admin password 5 xxxx role Admin domain default-domain
10-07-2008 06:05 AM
As mentioned in the previous discussion you opened on the same subject, you need to check the next-hop and see if it has an arp entry for the vip.
Check what is the mac-address.
Make sure your L2 network has a valid path for this mac-address.
On which vlan is your client?
Gilles.
10-07-2008 06:20 AM
The arp entry is the same on the ACE and my layer 3 switch. Does my configuration look ok?
ACE VIP ARP
--------------
10.1.0.99 00.1b.24.5b.b6.94 vlan100 VSERVER LOCAL _ up
L3 Switch ARP
----------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
100 001b.245b.b694 DYNAMIC Fa0/1
10 001b.245b.b694 DYNAMIC Fa0/2
10-07-2008 06:57 AM
You've created an access-list ALL, but it isn't applied on your interfaces.
int vla 10
  access-group input ALL
int vla 100
  access-group input ALL
10-07-2008 07:46 AM
I've created an access-list ALL permit ip any any, and applied it on the input of int vlan 10 and 100. The connection is getting built but something is dropping it. Thanks,
Here is the log from the ACE
------------------------------
%ACE-6-302022: Built TCP connection 0x9 for vlan100:10.1.0.50/4624 (10.1.0.50/4624) to vlan10:10.1.0.99/80 (10.2.0.99/80)
%ACE-6-302023: Teardown TCP connection 0x9 for vlan100:10.1.0.50/4624 to vlan10:10.1.0.99/80 duration 0:00:06 bytes 48 SYN Timeout
show service-policy detail
--------------------------------
Interface: vlan 1 100
service-policy: PM_multi_match
class: VS_web
VIP Address: Protocol: Port:
10.1.0.99 tcp eq 80
loadbalance:
L7 loadbalance policy: PM_LB
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 12
dropped conns : 12
client pkt count : 18 , client byte count: 864
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : PM_LB
class/match : class-default
LB action :
primary serverfarm: SF_web
state: UP
backup serverfarm : -
hit count : 12
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
10-07-2008 07:51 AM
It's a SYN timeout.
It looks as if response from server is bypassing ACE. What is the default gateway configured on the server?
I suspect that the response is bypassing ACE.
Syed Iftekhar Ahmed
10-07-2008 07:57 AM
It worked. I've changed the default gateway on the server to the ip address of interface vlan 10 on the ace.
Great Job!
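The symptom diagnosed in this thread (connections built toward the real server, then torn down with "SYN Timeout" while the VIP counts client packets but no server packets) can be checked for mechanically. The following Python is an added example, not part of the original thread; the function names are hypothetical and the message formats are assumed only from the two log lines and the counters quoted above.

```python
import re

# Log lines and counters copied from the thread above.
SAMPLE_LOG = """\
%ACE-6-302022: Built TCP connection 0x9 for vlan100:10.1.0.50/4624 (10.1.0.50/4624) to vlan10:10.1.0.99/80 (10.2.0.99/80)
%ACE-6-302023: Teardown TCP connection 0x9 for vlan100:10.1.0.50/4624 to vlan10:10.1.0.99/80 duration 0:00:06 bytes 48 SYN Timeout
"""
SAMPLE_POLICY = """\
client pkt count : 18 , client byte count: 864
server pkt count : 0 , server byte count: 0
"""

BUILT = re.compile(
    r"%ACE-6-302022: Built TCP connection (\S+) for (\w+):([\d.]+)/\d+ "
    r"\([\d.]+/\d+\) to (\w+):([\d.]+)/(\d+) \(([\d.]+)/(\d+)\)")
TEARDOWN = re.compile(
    r"%ACE-6-302023: Teardown TCP connection (\S+) .* bytes \d+ (.+)$")
PKTS = re.compile(r"(client|server) pkt count\s*:\s*(\d+)")


def syn_timeouts(log_text):
    """Return built connections that were torn down with reason 'SYN Timeout'."""
    built, hits = {}, []
    for line in log_text.splitlines():
        if m := BUILT.search(line):
            conn, _, client, _, vip, _, rserver, _ = m.groups()
            built[conn] = {"conn": conn, "client": client,
                           "vip": vip, "rserver": rserver}
        elif (m := TEARDOWN.search(line)) and m.group(2).strip() == "SYN Timeout":
            if m.group(1) in built:
                hits.append(built.pop(m.group(1)))
    return hits


def diagnose(log_text, policy_text):
    """Flag the one-way pattern: client packets reach the VIP, no server packets return."""
    counts = {side: int(n) for side, n in PKTS.findall(policy_text)}
    if not (counts.get("client", 0) > 0 and counts.get("server", 0) == 0):
        return []
    return [f"conn {c['conn']}: SYN from {c['client']} forwarded to {c['rserver']}, "
            "no server packets seen; check the server's return path to the ACE"
            for c in syn_timeouts(log_text)]


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_POLICY):
        print(finding)
```

A finding here only says the ACE never saw the server's reply; as in the thread, the server's default gateway is the first thing to compare against the ACE's server-side interface address.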