ACE 4700 and SIP load balancing

Unanswered Question
Jan 6th, 2010

Hi peoples... after a lot of work on my side I am going to need some help with this one...

All the docs I found on are focused around load balancing HTTP as opposed to my case... SIP

The scenario:

I have a SIP-based call center on one side (a serverfarm with 2 SIP proxies for now) and an AS5400 with 2 x E1 on the other side.

I am trying to load balance calls from the AS5400 to the serverfarm in a roundrobin fashion.

The serverfarm and the AS are connected physically to an HP ProCurve 1700 layer 2 switch and all the ports are in vlan 40.

The configuration of ACE is attached.

The AS5400 has the basic config with its voip dial peer session-target the virtual-ip of ACE.

The punchline

Besides the fact that loadbalancing is not doing what it should be doing (in theory), when I connect the ACE interfaces to the network my network gets slammed by broadcasts to the point of total network failure.

So basically I need help... first of all with the basic design and planning as well as troubleshooting.

Gilles Dufour Thu, 01/07/2010 - 09:00

Let's start with the main issue:

class-map match-all BHT_SLB
  2 match virtual-address any

Your mask is wrong.

Basically, you tell ACE to loadbalance /21

So, all traffic.

Your mask should be a /32 because you only want to loadbalance the host ip x.x.132.217

After that, let me know if you still have issues.

BTW, you should also upgrade to a more recent version.

The problem above would have been detected with the latest image.

CSCsv32098: ACE CLI allows class-map and interface to have same network range
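
A check for the mask problem described in the reply above, as an added example that is not part of the original thread and is not Cisco code: it flags any `match virtual-address` entry wider than a single host and notes when it covers an interface subnet. The configuration text and every address in it are constructed for illustration, and a missing mask is treated as a host match.

```python
import ipaddress
import re

# Constructed ACE-style configuration; all addresses are made up for illustration.
SAMPLE_CONFIG = """\
class-map match-all BHT_SLB
  2 match virtual-address 10.20.132.217 255.255.248.0 any
class-map match-all SIP_VIP
  2 match virtual-address 10.20.132.218 255.255.255.255 udp eq 5060
interface vlan 40
  ip address 10.20.132.210 255.255.248.0
"""

CLASS_RE = re.compile(r"^class-map\s+(?:match-\S+\s+)?(\S+)")
VIP_RE = re.compile(r"^\s*\d+\s+match virtual-address\s+(\S+)(?:\s+(\d+\.\d+\.\d+\.\d+))?")
IF_RE = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)")


def audit_vip_masks(config):
    """Return (class_map, vip_network, reason) for every VIP match wider than a host."""
    interfaces, vips, current = [], [], None
    for line in config.splitlines():
        if m := CLASS_RE.match(line):
            current = m.group(1)
        elif m := VIP_RE.match(line):
            # Assumption of this example: no mask given means a host (/32) match.
            mask = m.group(2) or "255.255.255.255"
            net = ipaddress.ip_network(f"{m.group(1)}/{mask}", strict=False)
            vips.append((current, net))
        elif m := IF_RE.match(line):
            interfaces.append(
                ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    findings = []
    for name, net in vips:
        if net.prefixlen == 32:
            continue  # a host VIP only attracts traffic addressed to that one IP
        if any(net.overlaps(ifnet) for ifnet in interfaces):
            reason = "covers an interface subnet"
        else:
            reason = "wider than a single host"
        findings.append((name, str(net), reason))
    return findings


if __name__ == "__main__":
    for finding in audit_vip_masks(SAMPLE_CONFIG):
        print(finding)
```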


Kenan Muharemagic Thu, 01/07/2010 - 14:32


Thanks for the help...

I was up all night last night researching the ACE and this morning I redid the config which is attached...

Basically loadbalancing for SIP is working fine...

The part with HTTP is not working as it should though... I pick up the HTTP packets with Wireshark and although the ACE is loadbalancing between real servers the HTTP connections are broken due to some errors in the HTTP header but since I haven't had the time to look into it I left that task for tomorrow... if anyone had similar problems and knows a solution I would be grateful...

Thanks again for your help...

Kenan Muharemagić

Recro-Net d.o.o.

Gilles Dufour Fri, 01/08/2010 - 03:38


the config looks better.

But I do not understand the topology.

Is the ACE appliance in one-armed mode ?

Is the ACE the default gateway for the rservers ?

If not, you need to guarantee that the traffic returns through the ace with either client or policy routing.

What do you see in the trace ?

Do you get a RST from the client or the server ?

Send us the trace, it will be more useful.


Kenan Muharemagic Fri, 01/08/2010 - 06:39

The default gateway for the rservers is and not the ACE.

During testing we tried to open the web page from within the same subnet as the rservers so the gateway should not be a problem I think.

I get the RST from the server.

And concerning client/policy routing... policy routing on the gateway ( or client routing on the servers? Did I understand that correctly?

As far as SIP loadbalancing goes the client is always the AS5400 which is on the same subnet as the rservers so the fact that the ACE is not the SIP proxy default gateway shouldn't be a problem... or should it?

Thanks again for all your help

Kenan Muharemagić

Recro-Net d.o.o.

Gilles Dufour Fri, 01/08/2010 - 07:56


This is even worse if we access the vip from the same subnet as the server.

What is happening is that client C connects to the vip V.

ACE loadbalances the request to rserver R1, which responds to client C.

Since R1 and C are on the same subnet, R1 does not have to go through the ACE and instead it goes directly to C.

So, C receives a response from R1.

But C sent a request to V and therefore does not expect a response from R1.

You get a connection failure and a RESET.

You need to force the traffic from the server to go through the ACE.

With your initial design in bridge mode, it was mandatory for the servers to go through ACE.

In one-armed the servers will just bypass ACE.

I don't even see how your SIP loadbalancing can work.

You can do client nat to make it work.

But client and NAT is not a good idea with the ACE - too many problems that will only be addressed end of this calendar year.

Therefore I would suggest to go back to a bridge design or a routing mode.

But it is mandatory to have the servers on one side of ACE and the client on the other side if you want to keep it simple.

The other option is policy-routing or client nat.
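
The return-path reasoning in the reply above, as an added example that is not part of the original thread: a small model that decides whether an rserver's reply passes back through the ACE and whether the client therefore sees it coming from the VIP. The function names, the `design` values and all addresses are constructed for illustration.

```python
import ipaddress


def reply_path(client, server_subnet, design, gateway_is_ace=False,
               client_nat=False, policy_routing=False):
    """Return 'via-ace' or 'bypass' for the rserver's reply to a balanced request.

    design is 'one-armed' (ACE hangs off the server VLAN) or 'inline'
    (bridged or routed: servers on one side of the ACE, clients on the other).
    """
    if design == "inline" or client_nat:
        # Inline: every frame crosses the ACE. Client NAT: the rserver answers
        # an address the ACE owns, so the reply goes back to the ACE.
        return "via-ace"
    on_link = ipaddress.ip_address(client) in ipaddress.ip_network(server_subnet)
    if on_link:
        return "bypass"  # rserver reaches the client directly on the shared subnet
    # Off-subnet client: the reply follows the rserver's default gateway.
    return "via-ace" if (gateway_is_ace or policy_routing) else "bypass"


def connection_result(client, vip, rserver, server_subnet, **design_opts):
    """Model the first reply: the client opened a connection to the VIP,
    so it only accepts a reply whose source is the VIP."""
    path = reply_path(client, server_subnet, **design_opts)
    # Only the ACE translates the rserver address back to the VIP.
    reply_source = vip if path == "via-ace" else rserver
    result = "established" if reply_source == vip else "reset"
    return {"path": path, "reply_source": reply_source, "result": result}


if __name__ == "__main__":
    # Constructed addresses: client C, vip V and rserver R1 share one /21.
    args = ("10.20.132.10", "10.20.132.217", "10.20.132.50", "10.20.128.0/21")
    print(connection_result(*args, design="one-armed"))
    print(connection_result(*args, design="one-armed", client_nat=True))
    print(connection_result(*args, design="inline"))
```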


Kenan Muharemagic Wed, 01/13/2010 - 10:28

Case update:

The ace has been reconfigured in bridged mode with 2 vlans...

Vlan 40 - clients

Vlan 500 - servers

Both vlans use the same subnet - /21

Ip address of the ace interface: /21

Virtual ip address on the ace: /21

Loadbalancing works fine to SIP and web servers... but now I have a new problem...

the servers can't reach any ip address in the client vlan nor can they ping any ip address on the ace.

Likewise no one from the client vlan can reach the servers directly on their real ip

I need both of these to work to fulfill the client request...

Is there a way to get this to work in bridged mode or is routed mode the only solution...

Concerning routed mode... is routed mode plain ip routing... meaning can the real servers reach any client and vice versa by their real addresses and the servers be loadbalanced by the vip?

Kenan Muharemagić

Recro-Net d.o.o.

aljaloudi Tue, 03/16/2010 - 04:59

remove and and apply them global configuration, for testing add permit ip any any, let me know how it goes.

