Migration CSS to ACE.

Unanswered Question
May 8th, 2010

Hi all,

Last night I performed the migration of two CCS to two ACE of our client. In the settings remain the same policies that existed in the CSS. These CSS are giving Internet services so there is a firewall that had reached them. The VIP at that point customers are and, which are the same ones that had what CSS.

A level of connectivity could not leave from the Firewall to either VIP, but he could reach the IP VLAN interface configured on the ACE (

It was clean the ARP table on the firewall without having positive results.

I requested to test the customer to capture traffic on the ACE and when he did ping either the ACE VIP I dont see traffic.

Servers belonging to VLAN 2 on the ACE can be seen, o the VIP are in state IN-SERVICE

I attached the configuration.

I hope your help.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
UHansen1976 Sun, 05/09/2010 - 06:33


I might have completely misunderstood your configuration, but here are my observations.

It looks like you want to apply XLATE to any inbound sessions that hits your VIP. If that is indeed your intention, I'm not sure your NAT-configuration will work as expected. Usually you would translate the public src.ip to an internal ip, usually within the address space, that your internal interface is configured with. In your case,

When looking at your multi-match POLICY, it looks like your trying to catch any traffic originating from one your rservers and applying NAT to them. And it also looks like your trying to NAT this traffic to the same ip as your VIP-addresses are configured with. I would expect, that you wish to apply NAT to inbound traffic hitting any of the VIPS and translating the src.address to an internal address, making it appear as if the request towards the www/ftp service originates from an internal ip.

I've downloaded the attached file and made a few modifications to it. The 'xxx' value in the nat-pool statement is to be replaced with an octet of your choice, since I have no knowledge of your address allocation. This way, any external traffic that hits any of the VIP's, will be translated to an internal address within the same range as your internal interface and servers reside in. You could choose to use seperate NAT-pools for www and ftp traffic respectively.

Furthermore, if you indeed need to handle traffic originating from the serverfarms toward the internet, you might consider using an address not used by your VIPs. And I would recommend handling this traffic in a dedicated service-policy.


Message was edited by: UHansen1976

Jaime Soto Vale... Mon, 05/10/2010 - 06:50

Thank for your response.

But I dont want to do NAT a inbound traffic. The implementation in the ACE is in ROUTED-MODE, so the ACE performed internally routing between VLAN 46 (client side) and VLAN 2 (server side). The NAT is applied to outbound traffic.

What I find strange is that it had no response from the VIP  formerly the CSS and are now in ACE. It may be that these IPs were with  the MAC of the CSS and for that reason are not seeing the new VIP?.

In the ACE the VIP are IN-SERVICE state and is configured to  respond to ICMP when they are active.

This is a part of the configuration:

class-map match-all ftp_www3_CLASS
  2 match virtual-address tcp range 20 22 (without response)
class-map match-all ftp_www_CLASS
  2 match virtual-address tcp range 20 22 (without response)

interface vlan 46
  description Firewalls
  ip address (with response)
  peer ip address (with response)
  access-group input permit_all
  nat-pool 1 netmask pat
  nat-pool 2 netmask pat
  no shutdown

The new IPs configured in the VLAN interfaces (46) Ping response, but the VIP (which were previously the CSS) dont respond.

Thanks and regards,


UHansen1976 Mon, 05/10/2010 - 10:09


When you're ping'ing the VIP's, do you see any hits on your access-list permit_all ? The counter should increment.

What does the ARP-table say?

Also, have you looked into this:


(Optional) Instructs the ACE to reply to an ICMP request only if the  configured VIP is active. If the VIP is not active and the active option is specified, the ACE discards the ICMP  request and the request times out.

From your configuration, it looks like you've configured the icmp-reply with the 'active' option.

Jaime Soto Vale... Mon, 05/10/2010 - 12:04

What I did can verify was to capture traffic and saw no traffic coming to the ACE when pointing to the VIP address.

The ARP tables to wich I refer are those of the FW that performed the routing for VLAN 46 (I guess the FW can have on their ARP tables IPs of the VIP, but with the MAC that it knew of old CSS)

In the next configuration you can see that I have configured policies for reponse a ICMP when VIP is ACTIVE.

Then I attached a output of  "show service-policy summary" in which you can see that VIP is ACTIVE.

policy-map multi-match POLICY
  class www3_CLASS
    loadbalance vip inservice
    loadbalance policy www3_POLICY
    loadbalance vip icmp-reply active
  class www_CLASS
    loadbalance vip inservice
    loadbalance policy www_POLICY
    loadbalance vip icmp-reply active
  class ftp_www3_CLASS
    loadbalance vip inservice
    loadbalance policy ftp_www3_POLICY
    loadbalance vip icmp-reply active
    inspect ftp
  class ftp_www_CLASS
    loadbalance vip inservice
    loadbalance policy ftp_www_POLICY
    loadbalance vip icmp-reply active
    inspect ftp          

ACE-INTERNET-1/CONTEXTO_A# sh service-policy summ

service-policy: POLICY
Class                            VIP             Prot            Port        VLAN                State    Curr Conns   Hit Count  Conns Drop     
www3_CLASS                tcp       23   -65535         ALL           IN-SRVC           0           0          0   

www_CLASS                 tcp       23   -65535         ALL           IN-SRVC           0           0          0      

ftp_www3_CLASS            tcp       20   -22            ALL           IN-SRVC           0           0          0   
ftp_www_CLASS             tcp       20   -22            ALL           OUT-SRVC          0           0          0            



UHansen1976 Tue, 05/11/2010 - 12:12

Does your capture provide you with information on what the fw does with the lost icmp-packets?

Where did you perform the capture, on the ACE itself or in the vlan between the fw and the ACE?.

Jaime Soto Vale... Tue, 05/11/2010 - 12:32

What I did was to capture the incoming traffic to the VLAN 46 but like I said it saw no traffic on the ACE.

With this I conclude that the packages I can not arrive at ACE.



UHansen1976 Tue, 05/11/2010 - 15:34


So I guess to focus should be on the firewall. I would check the arp table (and routing, unless the fw is directly connected to vlan46). Also, I've had some strange things happen to me on account of statics. Can you ping the VIP from the fw, which seems to be the last hop before the ACE?

Other than that, there's not much else I can give you at this moment.



This Discussion