Solved: Access serverfarm from another server behind the ACE

jason.williams · ‎02-20-2012

I have a web server farm and an email server farm, both load balanced behind the same ACE. However, the web servers cannot connect to the email servers (and vice versa).

I've also tested from other servers behind the ACE, and they cannot connect to either server farm.

Is there something that prevents the ACE from servicing hosts that actually lie behind the ACE?

I can ping the VIP, but cannot access the web site or connect to port 25 on the mail server.

Thanks.

Jason

jsirstin · ‎02-20-2012

Jason,

There are two reasons why this would not be working when the client is in the server vlan.

1 you need to have the service-policy applied to the server facing vlan.

2 you need SNAT. If the device initiating the connection to the vip is in the server vlan nat is needed to force the server to reply back to the ACE rather than the client directly. this would be considered a one armed mode topology in this case.

Regards

Jim

View solution in original post

jsirstin · ‎02-20-2012

Jason,

There are two reasons why this would not be working when the client is in the server vlan.

1 you need to have the service-policy applied to the server facing vlan.

2 you need SNAT. If the device initiating the connection to the vip is in the server vlan nat is needed to force the server to reply back to the ACE rather than the client directly. this would be considered a one armed mode topology in this case.

Regards

Jim

jason.williams · ‎02-20-2012

That was what I needed. Once I added the SNAT, it worked.

Thank you.

Jason

fd_case17 · ‎03-24-2012

Hello,

i understand the sourcenat but is it mandatory to add the service policy with SN on server side and not only on client side ?

thanx