I have been load balancing our mail servers for quite some time without an issue; however, I have been using a dynamic NAT statement. This, however, causes our mail team to have problems with logging. I then created a whole new VLAN and ACE context for the mail servers to use. This is where my dilemma is.
I now have dropped connections going to my VIP, but only from one server, which is our Anti-spam / Antivirus server, which filters the mail from the internet and then passes it on to these other mail servers.
I can send mail just fine if I don't use the VIP I created.
Also, if I use a NAT statement the mail sends fine, but obviously I don't want to use that anymore.
The only thing I see that the ACE is not doing is closing the connections. So if every five minutes I do a clear conn all, I won't get any dropped connections for at least 10 to 15 minutes, but I am not going to be doing this. Right now I have a server with a script that logs into the ACE and then clears the connection, but this is a band-aid problem.
Here is my config. This is the only thing on this context. All 6 of my other contexts do not have this issue.
access-list ALL line 10 extended permit ip any any
access-list ALL line 18 extended permit icmp any any
probe smtp SMTP_Probe
  passdetect interval 30
  expect status 210 250
parameter-map type connection TCP_Mail_TO
  set timeout inactivity 2
  set tcp timeout half-closed 15
  set tcp ack-delay 300
  tcp-options timestamp allow
rserver host hub2
  ip address *.*.*.*.*.*
serverfarm host Mail_Hub_Servers_SF
  rserver hub2 25
class-map match-all Mail_Hub_VIP
  2 match virtual-address *.*.*.*.*.* tcp eq smtp
class-map type management match-any Remote_Management
  2 match protocol http any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
policy-map type management first-match rmt_mgt_policy
policy-map type loadbalance first-match Mail_Hub_VIP-l7slb
policy-map multi-match int7
  loadbalance vip inservice
  loadbalance policy Mail_Hub_VIP-l7slb
  loadbalance vip icmp-reply active
  loadbalance vip advertise active
  connection advanced-options TCP_Mail_TO
access-group input ALL
interface vlan 108
  ip address *.*.*.*.
  peer ip address *.*.*.*.
  service-policy input rmt_mgt_policy
  service-policy input int7
ip route 0.0.0.0 0.0.0.0 *.*.*.*