ACE Problem

Answered Question
Aug 13th, 2010

I have an ACE that I configured a couple of days ago with some very rudimentary configs for load sharing an ldap service. The service worked for one day with no problems. This morning around 9am, it stopped working. I can ping the VIP but cannot telnet to port 389 on the VIP. I can telnet to any of the individual servers, the serverfarm shows all nodes operational, the probe shows success.

I can't seem to figure out what has happened to this service. I reloaded the ACE, and still nothing. The sticky database is empty, no connections, nothing. The serverfarm stats look just like it's sitting there idle with nobody connecting. Yet when you try to connect, you don't get connected. It must be something simple, but I've looked at this until I'm not sure where to go next.

The config is as follows:

ciscoace3/Admin# sh run
Generating configuration....

hostname ciscoace3
boot system image:c6ace-t1k9-mz.A2_1_6a.bin

telnet maxsessions 5

resource-class RC1
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum unlimited

context Admin
  member RC1

access-list All line 8 extended permit ip any any

probe tcp ldap_probe
  port 389
  interval 30
  passdetect interval 10

rserver host ldapauth1
  ip address
rserver host ldapauth2
  ip address
rserver host ldapauth3
  ip address
serverfarm host ldapauth_farm
  rserver ldapauth1
    probe ldap_probe
  rserver ldapauth2
    probe ldap_probe
  rserver ldapauth3
    probe ldap_probe
sticky ip-netmask address both ldapauth_sticky
  timeout 30
  replicate sticky
  serverfarm ldapauth_farm
class-map match-all ldapauth_vip
  2 match virtual-address any
class-map match-all nat
  2 match source-address
class-map type management match-any remote-access
  description Remote access traffic match
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any
  5 match protocol snmp any
  6 match protocol https any

policy-map type management first-match everyone
  class remote-access

policy-map type loadbalance first-match ldapauth_lb_policy
  class class-default
    sticky-serverfarm ldapauth_sticky
policy-map multi-match ldapauth_multi_policy
  class ldapauth_vip
    loadbalance vip inservice
    loadbalance policy ldapauth_lb_policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
policy-map multi-match nat
  class nat
    nat dynamic 1 vlan 100

interface vlan 100
  description Server VLAN (real server vlan)
  ip address
  nat-pool 1 netmask pat
  service-policy input everyone
  no shutdown
interface vlan 101
  description VLAN for Servers
  ip address
  service-policy input ldapauth_multi_policy
  service-policy input nat
  no shutdown

ip route

Correct Answer by rocash about 6 years 2 months ago

You need to apply an access-group to allow traffic to the ACE. Example:

access-group input All

It can be applied globally or to an interface.

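Added example, not part of the thread: a small Python check that parses an ACE running-config and flags interfaces that carry a service-policy but have no access-group applied either globally or on the interface, which is exactly the state the config above was left in after the ACL was re-applied. The running-config text and the addresses in it are constructed for the example.

```python
import re

# Constructed sample: abridged ACE running-config shaped like the one in the
# question, with the global "access-group input All" line missing.
SAMPLE_CONFIG = """\
access-list All line 8 extended permit ip any any

interface vlan 100
  description Server VLAN (real server vlan)
  ip address 192.0.2.1 255.255.255.0
  service-policy input everyone
  no shutdown
interface vlan 101
  description VLAN for Servers
  ip address 198.51.100.1 255.255.255.0
  service-policy input ldapauth_multi_policy
  service-policy input nat
  no shutdown
"""


def parse_interfaces(config):
    """Return {interface_name: [indented lines]} for each 'interface' block."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        elif raw.strip():  # any other top-level line closes the block
            current = None
    return interfaces


def has_global_access_group(config):
    """True if an access-group is applied at the top (global) config level."""
    return any(re.match(r"access-group input \S+", line)
               for line in config.splitlines())


def unprotected_interfaces(config):
    """Interfaces with a service-policy but no access-group (global or local).

    On ACE, without an access-group the interface drops traffic, so the VIP
    answers ping (icmp-reply is handled by the VIP) but no connection passes.
    """
    if has_global_access_group(config):
        return []
    return sorted(
        name for name, lines in parse_interfaces(config).items()
        if any(l.startswith("service-policy input") for l in lines)
        and not any(l.startswith("access-group input") for l in lines)
    )
```

Run it against `show run` output before and after an ACL change; an empty list means every interface with a service-policy is covered.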
gbowling1 Fri, 08/13/2010 - 12:48

Thanks rocash, I knew it was something simple; I was just overlooking it. That actually was in the config yesterday, but another person removed and re-installed the access list that was at the top, which removed the global access-group input All statement, and I just missed it.
