unable to ping the servers behind the ACE

axfalk (Level 1)

We're running an ACE module and have configured servers behind one of its interfaces. We have applied the "icmp any any" and "ip any any" access lists to both the client interface and the servers' interface in the input direction. From the outside, we can ping the client interface, but not the servers' interface. We can ping the servers from within the ACE.

Does anyone happen to know what we may be missing here?

Thanks..


11 Replies

dario.didio (Level 4)

Hi,

Did you configure a static route on your router in front of the ACE for the server subnet, next hop your ACE?

Does your server have the ACE configured as default gateway? (in case of routed mode!)

Can you post your config to get a better view on your setup?

HTH,

Dario

Thanks for your response. Yes, we have a static route on the Layer 3 switch where the ACE module is sitting, to the server subnet with the next hop of the client alias address. And the ACE is the servers' default gateway. I can ping the servers from within the ACE.

Gilles Dufour (Cisco Employee)

The ACE is like a firewall.

It does not allow pings to one of its interfaces from another VLAN it is attached to.

So from the client side, you are not allowed to ping the ACE server-side IP address.

G.

Thanks for your response.

Just to make sure we're on the same page, I am trying to ping the ACE server-side interface from the Layer 3 switch in front of the ACE. The ACE server-side IP address is in the switch's routing table, but no ARP record exists. Are you saying that can't be done by default?

Thanks again..

Hiya,

Does the ARP entry exist for the VLAN interface on the ACE?

I assume you have permitted the VLAN in your svclc commands on the switch, as you can ping from the ACE to the server.

The above is correct: it behaves like a firewall and nothing is permitted by default. Check your access lists and management policies. Try an "ip any any" ACL on the back-end VLAN. If your management policy is only applied to the front-end VLAN, try applying it to the back-end VLAN also.

Hope this helps,

Claire

Just had another thought: if there is no L3 interface for your server-side VLAN on the switch, it won't hold an IP ARP table for that VLAN. My solution for this problem (contacting a server behind an ACE using connectionless protocols, ICMP, SNMP etc.) was to add an L3 interface for the VLAN on the switch, and then simply add routes to the server routing table as follows.

Point routes to the ICMP/SNMP sources to the switch interface; point routes back to the clients to the ACE interface.

You can set one of these groups of traffic as the default gateway, and specify the other routes individually.

If the purpose of this question is to monitor/test server reachability, you are better off bypassing the ACE. You don't want your troubleshooting made more difficult by losing access to your servers just because your ACE is rebooting. If there is a problem with the application's reachability you'll need to know if it's the servers OR the ACE.

Let me know how it goes.

Claire
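The two suggestions above (a management policy applied to both ACE interfaces, and an L3 SVI on the switch for the server VLAN with split routes on the server) laid out as one configuration. This is an added example, not configuration from the original thread or from Cisco; the VLAN numbers, addresses, module slot, object names and the monitoring subnet 10.1.50.0/24 are all assumptions, the ACE is assumed to be in routed mode, and the server-side routes are shown for a Linux host using iproute2. In a redundant pair the poster's alias address would replace the ACE interface IP as the next hop.

```text
! --- ACE module (routed mode), assumed configuration ---
access-list PERMIT_IP   line 10 extended permit ip any any
access-list PERMIT_ICMP line 10 extended permit icmp any any
!
! Traffic *to* an ACE interface address is management traffic: without a
! management policy on the interface the ACE drops it even if the access-group
! permits icmp. This only ever works from the VLAN the interface sits in.
class-map type management match-any MGMT_ALLOW
  10 match protocol icmp any
  20 match protocol ssh any
!
policy-map type management first-match MGMT_POLICY
  class MGMT_ALLOW
    permit
!
interface vlan 100
  description client side
  ip address 10.1.100.2 255.255.255.0
  access-group input PERMIT_IP          ! transit traffic through the ACE
  service-policy input MGMT_POLICY      ! pings to 10.1.100.2 from VLAN 100
  no shutdown
!
interface vlan 200
  description server side
  ip address 10.1.200.2 255.255.255.0
  access-group input PERMIT_IP          ! return traffic from the servers
  service-policy input MGMT_POLICY      ! pings to 10.1.200.2 from VLAN 200
  no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.1.100.254

! --- Catalyst 6500 supervisor, ACE assumed in slot 3 ---
svclc multiple-vlan-interfaces          ! lets the MSFC hold SVIs in more than one ACE VLAN
svclc module 3 vlan-group 1
svclc vlan-group 1 100,200
!
interface Vlan100
 description gateway for the ACE client side
 ip address 10.1.100.254 255.255.255.0
!
! Without an SVI in VLAN 200 the switch only reaches the servers through the
! ACE, and the ACE server-side address 10.1.200.2 is never pingable from here:
! ip route 10.1.200.0 255.255.255.0 10.1.100.2
!
! Claire's bypass: an SVI in VLAN 200 gives the switch an ARP table for the
! server VLAN and a directly connected route, which takes precedence over the
! static route above.
interface Vlan200
 description monitoring path to the servers, bypasses the ACE
 ip address 10.1.200.254 255.255.255.0

# --- Server (Linux, iproute2), assumed addresses ---
# client/application traffic returns through the ACE ...
ip route replace default via 10.1.200.2
# ... while ICMP/SNMP from the monitoring subnet is answered via the switch SVI
ip route replace 10.1.50.0/24 via 10.1.200.254
```

Once the VLAN 200 SVI exists, anything the switch sends to a real server address goes over the SVI and not through the ACE. Clients should therefore reach the servers through a VIP on the client-side VLAN; a client that targets a real server address directly would get its reply routed back through the ACE, which then sees only one half of the flow.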

As was previously said, this is normal behaviour. In a Layer 3 ACE deployment like you have:

1) Client-side resources cannot ping the server-side ACE interface.

2) Server-side resources cannot ping the client-side ACE interface.

Think of the ACE as an ASA. If you are on the inside of an ASA firewall you cannot ping the DMZ and outside interfaces.

Paul

Paul,

Sorry to interrupt in between. I am also facing the same issue with my ACE setup. I have permitted icmp any any (input and output ACLs) on the server interface VLAN. I can ping from the ACE to the outside world, but not to the server VLAN interface. What should be done to enable ping on the ACE interface? Will attaching a service policy that permits ICMP help?

Ullas

Gilles Dufour (Cisco Employee), accepted solution:

GW ----- ACE ----- Servers

From the gateway, you can ping the ACE interface on the GW side, but you can't ping the ace interface on the servers side.

From the servers, you can ping the ace interface on the server side but you can't ping the ace interface on the gw side.

From the servers you should be able to ping the gw and from the gw you should be able to ping the servers if you have an acl to permit the traffic on both interfaces.

Gilles.

Thanks.

I am able to ping the ACE interface on the server side from inside the ACE and, since the ping was sourced from the client-side VLAN, would this be an exception?

thanks again

Yes.
