VIP not reachable on ACE 4710

Unanswered Question
Nov 19th, 2008

Hi All,

I am not able to connect to a virtual IP address of ACE 4710 and either I am able to ping it. Kindly let me know if anything is wrong here.


Regards,

Neha.

ropethic Wed, 11/19/2008 - 03:14

Did you assign the vlan interface to the virtual server?

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/quick/device_manager/gui/note/dmguiqn.html#wp260945

Also

Configuring the ACE to Reply to a Ping to a VIP only if the Primary Server Farm is in Service

The primary-inservice option has been added to the loadbalance vip icmp-reply active command in policy map class configuration mode. When you specify this option, the ACE replies to an ICMP ping only if the primary server farm state is UP, regardless of the state of the backup server farm. If this option is enabled and the primary server farm state is DOWN, the ACE discards the ICMP request and the request times out.


The syntax of this command is as follows:


loadbalance vip icmp-reply [active [primary-inservice]]


For example, to instruct the ACE to respond to a ping to a VIP only if the primary server farm is in service, enter:


host1/Admin(config-pmap-c)# loadbalance vip icmp-reply active primary-inservice


Gilles Dufour Wed, 11/19/2008 - 03:23

show service-policy

Is the policy inservice?

Check rservers if they are up.

Make sure the service-policy is applied on the inbound interface.

Then finally, check with a sniffer trace if traffic is coming in the ACE.


Gilles.

Manuel Cristobal Wed, 11/19/2008 - 05:40

Neha,

When you say "connect", you mean that the VIP is not in service? The reals associated with this VIP are down?

These could be some of the reasons.

I take it if you ping it then the VIP is in service. Check the status of the reals.

Can you "connect" to the reals bypassing the VIP?

nehakulsum Wed, 11/19/2008 - 06:27

David,

My setup is as follows:-

I have 2 VLANs configured on a Cat4500 switch: VLAN 10 client side and VLAN 20 server side.


E1/1 Vlan 10 10.10.10.150

Ace4710 - VIP 10.10.50.1


E1/2 Vlan 20 10.10.40.250


Web server 1 - 10.10.40.103


Yes the VIP is inservice and the webserver is reachable.

dario.didio Thu, 11/20/2008 - 01:05

Hi,


Your VIP is in a different subnet than your VLAN10 SVI on your C4500.


You should configure a static route towards the VIP address/subnet and use the VLAN10 interface IP address as your next hop.


As far as I can see, your vlan 10 is 10.10.10.0/24, VLAN 20 is 10.10.40.0/24 and your VIP is 10.10.50.1/32.


Your upstream router is 10.10.10.150, ACE is 10.10.10.1 (assume) and for backend, ACE is 10.10.40.1 (This should be the default gateway of your rservers)


Then your static route on your upstream router should be


ip route 10.10.50.1 255.255.255.255 10.10.10.1


Hope this helps


nehakulsum Thu, 11/20/2008 - 06:23

Hi,

I appreciate the prompt answer. I will do this and will update you.

Gilles Dufour Thu, 11/20/2008 - 02:38

Please give us the output of 'show service-policy'. I want to see if there is any hit and if there are server packets.


G.

yhab_dataconsult Fri, 11/28/2008 - 13:31

Hey nehakulsum,


I am facing the same problem... did you get an answer for this issue?


dario.didio Mon, 12/01/2008 - 00:18

Hi, can you post your config?

inayathulla1 Tue, 12/02/2008 - 06:31

Hi Yahb/Neha,

Please try and confirm this:-


1) See if you have permitted the traffic:

access-list ALL line 8 extended permit ip any any

class-map match-all L4_VIP_ADDRESS_CLASS
  2 match virtual-address 1.1.1.1 any
class-map type management match-any REMOTE_ACCESS
  201 match protocol ssh any
  202 match protocol icmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
  class class-default
    serverfarm SFARM1

policy-map multi-match L4_LB_VIP_POLICY
  class L4_VIP_ADDRESS_CLASS
    loadbalance vip inservice
    loadbalance policy L7_VIP_LB_ORDER_POLICY
    loadbalance vip icmp-reply

2) Apply the ACL on the correct VLAN:

interface vlan 20
  description Server-side Interface
  ip address 2.2.2.2 255.255.255.0
  access-group input ALL   ---> make sure you have applied the ACL.
  service-policy input L4_LB_VIP_POLICY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

interface vlan 30
  description Client side connectivity
  ip address 3.3.3.3 255.255.255.0
  access-group input ALL
  service-policy input L4_LB_VIP_POLICY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

ip route 0.0.0.0 0.0.0.0 x.x.x.x


Let us know if you have done this.


Regards

Shariff
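
The checks raised in this thread (ACL and L4 policy applied on the client-side VLAN, and a VIP outside the connected subnets needing an upstream route) can be run against a saved configuration. This is an added example, not code from any poster or from Cisco; the function names and the sample configuration are constructed, and it assumes sub-commands are indented as in `show running-config` output.

```python
import ipaddress
import re

# Constructed sample modelled on the thread: VLAN 30 (client side) has neither
# the ACL nor the L4 policy, and the VIP sits outside both interface subnets.
SAMPLE_CONFIG = """\
class-map match-all L4_VIP_ADDRESS_CLASS
  2 match virtual-address 10.10.50.1 any
policy-map multi-match L4_LB_VIP_POLICY
interface vlan 20
  ip address 10.10.40.250 255.255.255.0
  access-group input ALL
  service-policy input L4_LB_VIP_POLICY
interface vlan 30
  ip address 10.10.10.1 255.255.255.0
"""

def parse(config):
    """Collect VIPs plus per-VLAN subnet, ACL and service-policy settings."""
    vips, ifaces, cur = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():  # unindented line opens a new block
            m = re.fullmatch(r"interface vlan (\d+)", line)
            cur = ifaces.setdefault(m.group(1), {"net": None, "acl": False, "pol": set()}) if m else None
        elif m := re.match(r"(?:\d+ )?match virtual-address (\S+)", line):
            vips.append(ipaddress.ip_address(m.group(1)))
        elif cur is not None:
            if m := re.fullmatch(r"ip address (\S+) (\S+)", line):
                cur["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            elif line.startswith("access-group input "):
                cur["acl"] = True
            elif m := re.fullmatch(r"service-policy input (\S+)", line):
                cur["pol"].add(m.group(1))
    return vips, ifaces

def audit(config, lb_policy, client_vlan):
    """Return findings that would explain a VIP unreachable from client_vlan."""
    vips, ifaces = parse(config)
    iface = ifaces.get(client_vlan, {"acl": False, "pol": set()})
    findings = []
    if not iface["acl"]:
        findings.append(f"vlan {client_vlan}: no access-group input")
    if lb_policy not in iface["pol"]:
        findings.append(f"vlan {client_vlan}: {lb_policy} not applied")
    nets = [i["net"] for i in ifaces.values() if i["net"]]
    findings += [f"vip {v}: not in a connected subnet, upstream route needed"
                 for v in vips if not any(v in n for n in nets)]
    return findings
```
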



nehakulsum Tue, 12/02/2008 - 08:34

Hi Inayath,

This solves my issue. In fact the access list and L4 policy was missing on the wrong vlan. Everything is working fine now after applying the vlan and ACL on the correct vlan. Thanks a lot.

Appreciate your help.


regards

neha
