Using ACE to Load Balance PPTP flows

Unanswered Question


I'm working on getting my ACE modules to load balance PPTP traffic between two servers.

In the initial setup I want all traffic to go to one server. Below is my initial configuration but it just is not working. Does anyone have any ideas on what is wrong with my configuration?

access-list any line 8 extended permit ip any any

rserver host server1
  ip address 10.x.x.x
rserver host ushq-dev-vpn2
  ip address 10.x.x.x

serverfarm host GRE
  rserver server11 47
    backup-rserver ushq-dev-vpn2 47
  rserver server2 47
    inservice standby
serverfarm host PPTP
  rserver server1 1723
    backup-rserver ushq-dev-vpn2 1723
  rserver server2 1723
    inservice standby

class-map match-all GRE
  2 match virtual-address 10.x.x.x tcp eq 47

class-map match-all PPTP
  2 match virtual-address 10.x.x.x tcp eq 1723

class-map type management match-any REMOTE_ACCESS
  2 match protocol telnet any
  3 match protocol icmp any
  4 match protocol snmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY

policy-map type loadbalance first-match GRE-Policy
  class class-default
    serverfarm GRE
policy-map type loadbalance first-match PPTP-Policy
  class class-default
    serverfarm PPTP

policy-map multi-match VIPs
  class PPTP
    loadbalance vip inservice
    loadbalance policy PPTP-Policy
    loadbalance vip icmp-reply
  class GRE
    loadbalance vip inservice
    loadbalance policy GRE-Policy
    loadbalance vip icmp-reply
  class class-default

interface vlan 501
  access-group input any
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input VIPs
  no shutdown
interface vlan 525
  no normalization
  no icmp-guard
  no shutdown

ip route 10.x.x.1

litrenta Tue, 08/03/2010 - 13:02
User Badges: Cisco Employee

Since the tunnel is neither TCP nor UDP, ACE cannot load balance PPTP. ACE can only load balance TCP or UDP flows. You can LB the control channel, but without any application inspection support there is no fixup for the GRE tunnel.
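
The distinction drawn in the reply above, as an added example that is not part of the original thread: PPTP's data tunnel is IP protocol 47 (enhanced GRE, RFC 2637), not TCP port 47, so it carries no ports and only a Call ID identifies the session. The addresses, ports and Call ID below are constructed sample values, and the `classify` helper is hypothetical, not ACE code.

```python
import socket
import struct

TCP, UDP, GRE = 6, 17, 47        # IP protocol numbers (IPv4 header byte 9)
PPTP_CONTROL_PORT = 1723          # TCP control channel
PPTP_GRE_TYPE = 0x880B            # enhanced GRE protocol type, RFC 2637

def classify(packet: bytes) -> dict:
    """Return the fields a layer-4 device could key a flow on."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto, payload = packet[9], packet[ihl:]
    if proto in (TCP, UDP):
        if len(payload) < 4:
            raise ValueError("truncated TCP/UDP header")
        sport, dport = struct.unpack("!HH", payload[:4])
        is_ctrl = proto == TCP and PPTP_CONTROL_PORT in (sport, dport)
        return {"kind": "pptp-control" if is_ctrl else "l4-flow",
                "ip_proto": proto, "sport": sport, "dport": dport}
    if proto == GRE:
        if len(payload) < 8:
            raise ValueError("truncated GRE header")
        flags_ver, ptype, _length, call_id = struct.unpack("!HHHH", payload[:8])
        if ptype == PPTP_GRE_TYPE and flags_ver & 0x7 == 1:
            # No ports exist here; the Call ID is the only session key.
            return {"kind": "pptp-data", "ip_proto": proto, "call_id": call_id}
        return {"kind": "gre-other", "ip_proto": proto}
    return {"kind": "other", "ip_proto": proto}

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (constructed sample; checksum left 0)."""
    src, dst = socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def tcp_syn(dport: int) -> bytes:
    return struct.pack("!HHIIHHHH", 50000, dport, 0, 0, 0x5002, 8192, 0, 0)

# Constructed samples: PPTP control SYN, a TCP SYN to port 47, PPTP GRE data.
CONTROL = ipv4(TCP, tcp_syn(1723))
TCP_PORT_47 = ipv4(TCP, tcp_syn(47))
GRE_DATA = ipv4(GRE, struct.pack("!HHHHI", 0x3001, PPTP_GRE_TYPE, 0, 0x1234, 1))

if __name__ == "__main__":
    for name, pkt in (("control", CONTROL), ("tcp/47", TCP_PORT_47), ("gre", GRE_DATA)):
        print(f"{name:8} {classify(pkt)}")
```

Only the first two samples yield a port pair; the GRE sample yields just a Call ID, which is negotiated inside the TCP 1723 control session.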

