unable to ping the servers behind the ACE

Answered Question
Sep 16th, 2009

We're running an ACE module and have configured servers behind one of its interfaces. We have applied the ICMP any any and IP any any access lists to both the client interface and the servers' interface, in the input direction. From the outside, we can ping the client interface, but not the servers' interface. We can ping the servers from within the ACE.

Does anyone happen to know what we may be missing here?

Thanks.

dario.didio Wed, 09/16/2009 - 23:39

Hi,

Did you configure a static route on your router in front of the ACE for the server subnet, next hop your ACE?

Does your server have the ACE configured as default gateway? (in case of routed mode!)

Can you post your config to get a better view on your setup?

HTH,

Dario

axfalk Thu, 09/17/2009 - 06:09

Thanks for your response. Yes, we have a static route on the layer 3 switch where the ACE module is sitting to the server subnet with the next hop of the client alias address. And the ACE is the servers' default gateway. I can ping the servers from within the ACE.

Gilles Dufour Thu, 09/17/2009 - 00:04

The ACE is like a firewall.

It does not allow ping to one of its interfaces from another VLAN it is attached to.

So from the client side, you are not allowed to ping the ACE server side IP address.

G.

axfalk Thu, 09/17/2009 - 06:16

Thanks for your response.

Just to make sure we're on the same page, I am trying to ping the ACE server side interface from the Layer 3 switch in front of the ACE. The ACE server side IP address is in the switch's routing table, but no ARP record exists. Are you saying that can't be done by default?

Thanks again.

helenokeeffe Thu, 09/17/2009 - 06:32

Hiya,

Does the arp entry exist for the vlan interface on the ACE?

I assume you have permitted the vlan in your svclc commands on the switch as you can ping from ACE to server.

The above is correct, it behaves like a firewall and nothing is permitted by default. Check your access lists and management policies. Try an ip any any ACL on the back end vlan. If your mgt policy is only applied to the front end vlan, try applying it to the back end also.

Hope this helps,

Claire
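To make Claire's checklist concrete, here is an added example (not configuration posted by anyone in this thread) of the two pieces an ACE VLAN interface needs before it will pass or answer pings: an access-list bound with `access-group` for traffic going through the ACE, and a management class-map/policy-map bound with `service-policy` for traffic addressed to the interface itself. The context names, VLAN numbers and 10.1.x.x addresses are constructed. Binding both to the server-side VLAN is what the post suggests; as Gilles notes above, this still does not let the client side ping the server-side interface address, because the ACE only answers management traffic on the interface it arrives on.

```cisco
! --- ACE context, routed mode (added example; names and addresses are constructed) ---

! Through-traffic filter: with no ACL bound to an interface the ACE drops everything.
! "permit ip any any" is the troubleshooting setting the thread suggests; narrow it
! to the real server ports once reachability is confirmed.
access-list ANYONE line 10 extended permit icmp any any
access-list ANYONE line 20 extended permit ip any any

! Traffic destined TO the ACE's own interface addresses is matched separately.
! Only ICMP and SSH from the client subnet are allowed here.
class-map type management match-any MGMT_TRAFFIC
  2 match protocol icmp any
  3 match protocol ssh source-address 10.1.100.0 255.255.255.0

policy-map type management first-match MGMT_POLICY
  class MGMT_TRAFFIC
    permit

! Client-side VLAN (toward the L3 switch / gateway)
interface vlan 100
  description CLIENT-SIDE
  ip address 10.1.100.2 255.255.255.0
  access-group input ANYONE
  service-policy input MGMT_POLICY
  no shutdown

! Server-side VLAN: the one the original poster could not ping.
! Both the ACL and the management policy must be bound here as well.
interface vlan 200
  description SERVER-SIDE
  ip address 10.1.200.1 255.255.255.0
  access-group input ANYONE
  service-policy input MGMT_POLICY
  no shutdown

! Default route toward the gateway on the client side
ip route 0.0.0.0 0.0.0.0 10.1.100.1
```

After applying this, `show service-policy MGMT_POLICY` and `show arp` on the ACE show whether the management policy is bound to both VLANs and whether the ACE has learned the servers' MAC addresses; a server pinging 10.1.200.1 should then succeed, while the switch pinging 10.1.200.1 from VLAN 100 is still expected to fail.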

helenokeeffe Thu, 09/17/2009 - 06:56

Just had another thought: if there is no L3 interface for your server side VLAN on the switch, it won't hold an IP ARP table for that VLAN. My solution for this problem (contacting a server behind an ACE using connectionless protocols, ICMP, SNMP etc.) was to add an L3 interface for the VLAN on the switch, and then simply add routes to the server routing table as follows:

Point routes to the icmp/snmp sources to the switch interface, point routes back to the clients to the ACE interface.

You can set one of these groups of traffic as the default gateway, and specify the other routes individually.

If the purpose of this question is to monitor/test server reachability, you are better off bypassing the ACE. You don't want your troubleshooting made more difficult by losing access to your servers just because your ACE is rebooting. If there is a problem with the application's reachability you'll need to know if it's the servers OR the ACE.

Let me know how it goes.

Claire
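The switch side of Claire's approach, as an added example that is not configuration from anyone in the thread: the VLANs are handed to the ACE module with `svclc`, the client-side SVI and the static route to the server subnet match what axfalk describes, and a second SVI on the server VLAN gives the switch its own ARP table and a direct path to the servers for monitoring. The slot number, VLAN IDs and 10.1.x.x / 10.9.9.0 addresses are constructed.

```cisco
! --- Catalyst supervisor hosting the ACE module (added example; slot, VLANs and addresses are constructed) ---

! Give the client and server VLANs to the ACE module in slot 3 (the "svclc" step Claire refers to).
! multiple-vlan-interfaces is needed because both VLANs will also carry an SVI on the switch.
svclc multiple-vlan-interfaces
svclc vlan-group 1 100,200
svclc module 3 vlan-group 1

! Client-side SVI: the switch's next hop toward the ACE.
interface Vlan100
 description CLIENT-SIDE-TO-ACE
 ip address 10.1.100.1 255.255.255.0

! Route the server subnet through the ACE (next hop is the ACE's client-side address or alias).
ip route 10.1.200.0 255.255.255.0 10.1.100.2

! Claire's addition: an SVI on the server VLAN so the switch can ARP for and reach the
! servers directly for ICMP/SNMP monitoring, independent of whether the ACE is up.
interface Vlan200
 description SERVER-SIDE-MONITORING
 ip address 10.1.200.254 255.255.255.0
```

On each server the default gateway stays the ACE (10.1.200.1 in this example) so client flows return through the load balancer, and only a specific route for the monitoring station's subnet (say 10.9.9.0/24) points at the switch SVI 10.1.200.254. Keep that monitoring route narrow: any client-facing traffic that follows the switch SVI instead of the ACE would return asymmetrically and the ACE would drop the flow.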

As was previously said this is normal behaviour. In a layer 3 ACE deployment like you have:

1) Client side resources cannot ping the server side ACE interface.

2) Server side resources cannot ping the client side ACE interface.

Think of the ACE as an ASA. If you are on the inside of an ASA firewall you cannot ping the DMZ and outside interfaces.

Paul

ullasupendran Fri, 09/18/2009 - 11:31

Paul

Sorry to interrupt in between. I am also facing the same issue with my ACE setup. I have permitted icmp any any (input & output ACLs) on the server interface VLAN. I can ping from the ACE to the outside world, but not to the server VLAN interface. What should be done to enable ping on the ACE interface? Will attaching a service policy that permits icmp help?

Ullas

Correct Answer
Gilles Dufour Sat, 09/19/2009 - 04:17

GW ----- ACE ----- Servers

From the gateway, you can ping the ACE interface on the GW side, but you can't ping the ACE interface on the servers' side.

From the servers, you can ping the ACE interface on the server side but you can't ping the ACE interface on the GW side.

From the servers you should be able to ping the GW and from the GW you should be able to ping the servers if you have an ACL to permit the traffic on both interfaces.

Gilles.

axfalk Sat, 09/19/2009 - 17:37

Thanks.

I am able to ping the ACE interface on the server side from inside the ACE and, since the ping was sourced from the client side VLAN, would this be an exception?

Thanks again.
