ropethic Wed, 11/19/2008 - 03:14

Did you assign the vlan interface to the virtual server?

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/quick/device_manager/gui/note/dmguiqn.html#wp260945

Also

Configuring the ACE to Reply to a Ping to a VIP only if the Primary Server Farm is in Service

The primary-inservice option has been added to the loadbalance vip icmp-reply active command in policy map class configuration mode. When you specify this option, the ACE replies to an ICMP ping only if the primary server farm state is UP, regardless of the state of the backup server farm. If this option is enabled and the primary server farm state is DOWN, the ACE discards the ICMP request and the request times out.

The syntax of this command is as follows:

loadbalance vip icmp-reply [active [primary-inservice]]

For example, to instruct the ACE to respond to a ping to a VIP only if the primary server farm is in service, enter:

host1/Admin(config-pmap-c)# loadbalance vip icmp-reply active primary-inservice

Gilles Dufour Wed, 11/19/2008 - 03:23

show service-policy

Is the policy inservice?

Check rservers if they are up.

Make sure the service-policy is applied on the inbound interface.

Then finally, check with a sniffer trace if traffic is coming in the ACE.

Gilles.

Manuel Cristobal Wed, 11/19/2008 - 05:40

Neha,

When you say "connect", do you mean that the VIP is not in service? The reals associated with this VIP are down?

These could be some of the reasons.

I take it if you ping it then the VIP is in service. Check the status of the reals.

Can you "connect" to the reals bypassing the VIP?

nehakulsum Wed, 11/19/2008 - 06:27

David,

My setup is as follows:-

I have 2 vlans configured on a cat4500 switch: vlan 10 client side and vlan 20 server side

E1/1 Vlan 10 10.10.10.150

Ace4710 - VIP 10.10.50.1

E1/2 Vlan 20 10.10.40.250

Web server 1 - 10.10.40.103

Yes the VIP is inservice and the webserver is reachable.

dario.didio Thu, 11/20/2008 - 01:05

Hi,

Your VIP is in a different subnet than your VLAN10 SVI on your C4500.

You should configure a static route towards the VIP address/subnet and use the VLAN10 interface IP address as your next hop.

As far as I can see, your vlan 10 is 10.10.10.0/24, VLAN 20 is 10.10.40.0/24 and your VIP is 10.10.50.1/32.

Your upstream router is 10.10.10.150, ACE is 10.10.10.1 (assume) and for backend, ACE is 10.10.40.1 (This should be the default gateway of your rservers)

Then your static route on your upstream router should be

ip route 10.10.50.1 255.255.255.255 10.10.10.1

Hope this helps

nehakulsum Thu, 11/20/2008 - 06:23

Hi,

I appreciate the prompt answer. I will do this and will update you.

Gilles Dufour Thu, 11/20/2008 - 02:38

Please give us the output of 'show service-policy'. I want to see if there is any hit and if there are server packets.

G.

inayathulla1 Tue, 12/02/2008 - 06:31

Hi Yahb/Neha,

Please try and confirm this:-

1) See if you have permitted the traffic:-

    access-list ALL line 8 extended permit ip any any
    class-map match-all L4_VIP_ADDRESS_CLASS
      2 match virtual-address 1.1.1.1 any
    class-map type management match-any REMOTE_ACCESS
      201 match protocol ssh any
      202 match protocol icmp any
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
      class class-default
        serverfarm SFARM1
    policy-map multi-match L4_LB_VIP_POLICY
      class L4_VIP_ADDRESS_CLASS
        loadbalance vip inservice
        loadbalance policy L7_VIP_LB_ORDER_POLICY
        loadbalance vip icmp-reply

2) Apply the ACL on to the correct vlan:-

    interface vlan 20
      description Server-side Interface
      ip address 2.2.2.2 255.255.255.0
      access-group input ALL --->make sure you have applied the ACL.
      service-policy input L4_LB_VIP_POLICY
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      no shutdown
    interface vlan 30
      description Client side connectivity
      ip address 3.3.3.3 255.255.255.0
      access-group input ALL
      service-policy input L4_LB_VIP_POLICY
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      no shutdown
    ip route 0.0.0.0 0.0.0.0 x.x.x.x

Let us know if you have done this.

Regards

Shariff
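
The two checks in the post above (an input ACL and the L4 VIP policy applied on each VLAN interface) can be run against a saved running-config. This Python script is an added example, not part of the original thread or any Cisco tool; the `audit` function and the sample config are constructed for illustration and assume the stanza keywords shown in the thread.

```python
import re

# Constructed sample config (not from the thread): vlan 30 has neither ACL nor VIP policy.
SAMPLE = """\
access-list ALL line 8 extended permit ip any any
policy-map multi-match L4_LB_VIP_POLICY
  class L4_VIP_ADDRESS_CLASS
    loadbalance vip inservice
interface vlan 20
  access-group input ALL
  service-policy input L4_LB_VIP_POLICY
interface vlan 30
  no shutdown
"""

# Keywords that open a top-level stanza; parsing by keyword also works on unindented text.
TOP_LEVEL = re.compile(r"(access-list|class-map|policy-map|interface|ip route)\b")

def audit(config):
    """Return {vlan_id: [finding, ...]} for every 'interface vlan' stanza."""
    acls, vip_policies, vlans = set(), set(), {}
    kind = name = None
    for line in (l.strip() for l in config.splitlines()):
        if TOP_LEVEL.match(line):
            kind, words = None, line.split()
            if len(words) < 3:
                continue
            if words[0] == "access-list":
                acls.add(words[1])
            elif words[:2] == ["policy-map", "multi-match"]:
                kind, name = "pmap", words[2]
            elif words[:2] == ["interface", "vlan"]:
                kind, name = "vlan", words[2]
                vlans[name] = {"access-group": set(), "service-policy": set()}
        elif kind == "pmap" and line == "loadbalance vip inservice":
            vip_policies.add(name)          # this policy carries an in-service VIP
        elif kind == "vlan" and (m := re.match(r"(access-group|service-policy) input (\S+)", line)):
            vlans[name][m.group(1)].add(m.group(2))
    report = {}
    for vlan, cfg in vlans.items():
        findings = []
        missing = cfg["access-group"] - acls
        if not cfg["access-group"]:
            findings.append("no input ACL applied")
        elif missing:
            findings.append(f"ACL {', '.join(sorted(missing))} is not defined")
        if not cfg["service-policy"] & vip_policies:
            findings.append("no service-policy with a VIP in service")
        report[vlan] = findings
    return report
```

An empty list for a VLAN means both checks passed; it does not say whether that VLAN is the one the client traffic actually arrives on.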

nehakulsum Tue, 12/02/2008 - 08:34

Hi Inayath,

This solves my issue. In fact the access list and L4 policy were missing on the wrong vlan. Everything is working fine now after applying the vlan and acl on the correct vlan. Thanks a lot.

Appreciate your help.

regards

neha
