ropethic Wed, 11/19/2008 - 03:14

Did you assign the vlan interface to the virtual server?


Configuring the ACE to Reply to a Ping to a VIP only if the Primary Server Farm is in Service

The primary-inservice option has been added to the loadbalance vip icmp-reply active command in policy map class configuration mode. When you specify this option, the ACE replies to an ICMP ping only if the primary server farm state is UP, regardless of the state of the backup server farm. If this option is enabled and the primary server farm state is DOWN, the ACE discards the ICMP request and the request times out.

The syntax of this command is as follows:

loadbalance vip icmp-reply [active [primary-inservice]]

For example, to instruct the ACE to respond to a ping to a VIP only if the primary server farm is in service, enter:

host1/Admin(config-pmap-c)# loadbalance vip icmp-reply active primary-inservice

Gilles Dufour Wed, 11/19/2008 - 03:23

show service-policy

Is the policy inservice?

Check rservers if they are up.

Make sure the service-policy is applied on the inbound interface.

Then finally, check with a sniffer trace if traffic is coming in the ACE.


Manuel Cristobal Wed, 11/19/2008 - 05:40


When you say "connect" you mean that the VIP is not in service? The reals associated with this VIP are down?

These could be some of the reasons.

I take it if you ping it then the VIP is in service. Check the status of the reals.

Can you "connect" to the reals bypassing the VIP?

nehakulsum Wed, 11/19/2008 - 06:27


My setup is as follows:-

I have 2 vlans configured on cat4500 switch: vlan 10 client side and vlan 20 server side

E1/1 Vlan 10

Ace4710 - VIP

E1/2 Vlan 20

Web server 1 -

Yes the VIP is inservice and the webserver is reachable.

dario.didio Thu, 11/20/2008 - 01:05


Your VIP is in another subnet than your VLAN10 SVI on your C4500.

You should configure a static route towards the VIP address/subnet and use the VLAN10 interface IP address as your next hop.

As far as I can see, your vlan 10 is, VLAN 20 is and your VIP is

Your upstream router is, ACE is (assume) and for backend, ACE is (This should be the default gateway of your rservers)

Then your static route on your upstream router should be

ip route

Hope this helps

nehakulsum Thu, 11/20/2008 - 06:23


I appreciate the prompt answer. I will do this and will update you.

Gilles Dufour Thu, 11/20/2008 - 02:38

Please give us the output of 'show service-policy'. I want to see if there is any hit and if there are server packets.


inayathulla1 Tue, 12/02/2008 - 06:31

Hi Yahb/Neha,

Please try and confirm this:-

1) See if you have permitted the traffic:-

access-list ALL line 8 extended permit ip any any

class-map match-all L4_VIP_ADDRESS_CLASS
  2 match virtual-address any

class-map type management match-any REMOTE_ACCESS
  201 match protocol ssh any
  202 match protocol icmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY

policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
  class class-default
    serverfarm SFARM1

policy-map multi-match L4_LB_VIP_POLICY
  loadbalance vip inservice
  loadbalance policy L7_VIP_LB_ORDER_POLICY
  loadbalance vip icmp-reply


Apply the ACL on to the correct vlan:-

interface vlan 20
  description Server-side Interface
  ip address
  access-group input ALL --->make sure you have applied the ACL.
  service-policy input L4_LB_VIP_POLICY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

interface vlan 30
  description Client side connectivity
  ip address
  access-group input ALL
  service-policy input L4_LB_VIP_POLICY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

ip route x.x.x.x

Let us know if you have done this.



nehakulsum Tue, 12/02/2008 - 08:34

Hi Inayath,

This solves my issue. In fact the access list and L4 policy was missing on the wrong vlan. Everything working fine now after applying the vlan and acl on correct vlan. Thanks a lot.

Appreciate your help.
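
Added example, not part of the thread and not Cisco's tooling: a small offline check that reads a saved ACE configuration and reports, per VLAN interface, the two items the fix above turned on (an inbound access-group and the L4 multi-match policy), plus shutdown state. It assumes the text is indented the way `show running-config` prints it; the sample config and its addresses are constructed.

```python
import re

# Constructed sample, not from the thread; addresses are documentation-range placeholders.
SAMPLE = """\
access-list ALL line 8 extended permit ip any any
policy-map multi-match L4_LB_VIP_POLICY
  class L4_VIP_ADDRESS_CLASS
interface vlan 20
  ip address 192.0.2.1 255.255.255.128
  access-group input ALL
  service-policy input L4_LB_VIP_POLICY
  no shutdown
interface vlan 30
  ip address 192.0.2.129 255.255.255.128
  no shutdown
"""

def parse_interfaces(config):
    """Return {vlan_id: {'acl': name|None, 'policies': [...], 'up': bool}}."""
    vlans, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface vlan (\d+)\s*$", line)
        if m:
            cur = vlans.setdefault(int(m.group(1)), {"acl": None, "policies": [], "up": False})
        elif line and not line[0].isspace():
            cur = None                      # any other top-level command ends the block
        elif cur is not None:
            words = line.split()
            if words[:2] == ["access-group", "input"] and len(words) > 2:
                cur["acl"] = words[2]
            elif words[:2] == ["service-policy", "input"] and len(words) > 2:
                cur["policies"].append(words[2])
            elif words == ["no", "shutdown"]:
                cur["up"] = True
    return vlans

def audit(config, lb_policy):
    """List (vlan, reason) pairs for interfaces missing what VIP traffic needs inbound."""
    findings = []
    for vlan, i in sorted(parse_interfaces(config).items()):
        if not i["up"]:
            findings.append((vlan, "interface is shut down"))
        if i["acl"] is None:
            findings.append((vlan, "no 'access-group input' ACL"))
        if lb_policy not in i["policies"]:
            findings.append((vlan, f"'{lb_policy}' not applied inbound"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "L4_LB_VIP_POLICY"))
```

Findings are listed for every VLAN interface; the one that matters for reaching the VIP is the interface on which client traffic arrives.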



