08-21-2014 11:42 PM
Hello,
We are migrating from CSS to ACE and kind of hit a strange issue.
On CSS, when the real server (with an internal address like 10.x.x.x) initiates its own connection to the Internet, for example to check for Windows Updates, the traffic goes to CSS (as it is set as the default gateway on the real server) and then reaches the destination translated to a VIP address (public IP) from CSS.
Now with ACE setup it does not work that way at all.
The load-balancing traffic from the Internet goes to ACE normally, reaches a real server, and then goes back to ACE and out to the Internet.
The ACE is in routed mode and the real server default gateway is set to the server farm VLAN IP on ACE.
However, nothing gets out from the real server if it tries to initiate its own traffic, like opening a Google page in a browser.
Here is more: if I add another network interface to the real server and change the default gateway from ACE to the other gateway on the second network card, the real server obviously reaches the Internet happily, but somehow load-balancing traffic goes back to ACE as well.
Any idea how to keep the real server with one adapter and send its own traffic through ACE like CSS?
Any ideas will be very much appreciated!
08-22-2014 05:20 AM
Hi,
Ensure that you have proper ACLs in place (access group on the server-side VLAN interface), and for server-initiated traffic to be NATed with the VIP or any other address you need to have configuration in place. Below are posts discussing similar configurations.
https://supportforums.cisco.com/discussion/10744631/ace-module-source-nat-server-initiated-connections-vip-address
https://supportforums.cisco.com/discussion/10282466/ace-initiate-connections-server-vlan-client
https://supportforums.cisco.com/discussion/10482821/ace-source-nat-server-initiated-connections
Let me know if you have any questions.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
08-22-2014 12:08 PM
Thanks kanwalsi!
I was getting to the NAT configuration: after I ran a CSS to ACE conversion tool, I noticed that there was a NAT statement in the converted configuration.
I did some searching and ran into several threads on this topic, but I noticed one important thing.
The nat pool has to point to the VIP address (I suspect you can even create a special VIP for NATed traffic only). I mean, if you have a VIP on one IP and the nat pool on a different IP, the traffic from the real server will not go through.
So it was important to keep that in mind.
The first link in your reply gives the most correct configuration for NATing the traffic from the real server through ACE.
Here is the working solution to let real server NON-LB traffic get through ACE using the existing VIP address.
The public address is used as an example.
access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any

rserver host RS005
  ip address 10.100.0.15
  inservice

serverfarm host PD_farm
  rserver RS005
    inservice

class-map match-any RS_ALL
  2 match source-address 10.100.0.0 255.255.255.0
class-map type management match-any MGMT-CLASS
  30 match protocol icmp any
class-map match-all PD_web
  2 match virtual-address 217.14.140.200 tcp eq www

policy-map type management first-match MGMT-POLICY
  class MGMT-CLASS
    permit
policy-map type loadbalance first-match PD_web_pm
  class class-default
    serverfarm PD_farm
policy-map multi-match RS_NAT
  class RS_ALL
    nat dynamic 410 vlan 400
policy-map multi-match int400
  class PD_web
    loadbalance vip inservice
    loadbalance policy PD_web_pm
    loadbalance vip icmp-reply active

interface vlan 400
  description VIP Client side - FrontEnd
  ip address 217.14.140.194 255.255.255.0
  access-group input INBOUND
  access-group output INBOUND
  nat-pool 410 217.14.140.200 217.14.140.200 netmask 255.255.255.255 pat
  service-policy input MGMT-POLICY
  service-policy input int400
  no shutdown
interface vlan 500
  description Real Server side - Backend
  ip address 10.100.0.2 255.255.255.0
  access-group input INBOUND
  access-group output INBOUND
  service-policy input MGMT-POLICY
  service-policy input RS_NAT
  no shutdown

ip route 0.0.0.0 0.0.0.0 217.14.140.142
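As an added example (not part of the thread, and not Cisco's tooling), the script below parses the subset of ACE configuration used in the working solution and checks the conditions that both Kanwal's reply and the solution depend on: the pool named by 'nat dynamic' is defined under the interface of the VLAN it names, the pool's address range contains a configured VIP (the observation made above), the NAT policy-map is bound with 'service-policy input' to some interface, and that interface carries an input access-group. The embedded configuration is the one posted above, abridged (management class/policy and descriptions omitted); the 'pool-not-VIP' variant using 217.14.140.201 is a constructed failing case, and the parse_ace/audit function names are this example's own.

```python
"""Audit an ACE configuration for the source-NAT conditions discussed in this thread."""
import ipaddress

# Constructed sample: the working configuration posted above, abridged and indented.
WORKING_CONFIG = """
access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
rserver host RS005
  ip address 10.100.0.15
  inservice
serverfarm host PD_farm
  rserver RS005
    inservice
class-map match-any RS_ALL
  2 match source-address 10.100.0.0 255.255.255.0
class-map match-all PD_web
  2 match virtual-address 217.14.140.200 tcp eq www
policy-map type loadbalance first-match PD_web_pm
  class class-default
    serverfarm PD_farm
policy-map multi-match RS_NAT
  class RS_ALL
    nat dynamic 410 vlan 400
policy-map multi-match int400
  class PD_web
    loadbalance vip inservice
    loadbalance policy PD_web_pm
interface vlan 400
  ip address 217.14.140.194 255.255.255.0
  access-group input INBOUND
  access-group output INBOUND
  nat-pool 410 217.14.140.200 217.14.140.200 netmask 255.255.255.255 pat
  service-policy input int400
  no shutdown
interface vlan 500
  ip address 10.100.0.2 255.255.255.0
  access-group input INBOUND
  access-group output INBOUND
  service-policy input RS_NAT
  no shutdown
ip route 0.0.0.0 0.0.0.0 217.14.140.142
"""

# Constructed failing case: the pool points at an address that is not a configured VIP.
POOL_NOT_VIP_CONFIG = WORKING_CONFIG.replace(
    "nat-pool 410 217.14.140.200 217.14.140.200", "nat-pool 410 217.14.140.201 217.14.140.201")


def parse_ace(config):
    """Extract VIPs, NAT pools, NAT actions and per-interface policy/ACL bindings."""
    vips, pools, nat_actions, interfaces = set(), {}, [], {}
    ctx, cur_class = None, None          # ctx = (mode, name-or-vlan) of the current sub-mode
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0].isdigit():             # drop sequence numbers such as '2 match ...'
            tok = tok[1:]
        head = tok[0]
        # Mode-entering commands. 'rserver'/'serverfarm' without 'host' and 'ip address' are sub-commands.
        if head in ("class-map", "policy-map"):
            ctx, cur_class = (head, tok[-1]), None
        elif head == "interface" and len(tok) > 2 and tok[1] == "vlan":
            ctx = ("interface", int(tok[2]))
            interfaces.setdefault(ctx[1], {"policies": [], "acl_in": []})
        elif head == "access-list" or tok[:2] in (["rserver", "host"], ["serverfarm", "host"], ["ip", "route"]):
            ctx = None
        elif ctx is None:
            continue
        elif ctx[0] == "class-map" and tok[:2] == ["match", "virtual-address"]:
            vips.add(ipaddress.ip_address(tok[2]))
        elif ctx[0] == "policy-map" and head == "class":
            cur_class = tok[1]
        elif ctx[0] == "policy-map" and tok[:2] == ["nat", "dynamic"]:
            # 'nat dynamic <pool-id> vlan <vlan-id>'
            nat_actions.append((ctx[1], cur_class, int(tok[2]), int(tok[4])))
        elif ctx[0] == "interface" and head == "nat-pool":
            # 'nat-pool <id> <first-ip> <last-ip> netmask <mask> [pat]'
            pools[int(tok[1])] = (ctx[1], ipaddress.ip_address(tok[2]), ipaddress.ip_address(tok[3]))
        elif ctx[0] == "interface" and tok[:2] == ["service-policy", "input"]:
            interfaces[ctx[1]]["policies"].append(tok[2])
        elif ctx[0] == "interface" and tok[:2] == ["access-group", "input"]:
            interfaces[ctx[1]]["acl_in"].append(tok[2])
    return {"vips": vips, "pools": pools, "nat_actions": nat_actions, "interfaces": interfaces}


def audit(cfg):
    """Return a list of findings; an empty list means the server-initiated NAT path is consistent."""
    findings = []
    for policy, cls, pool_id, vlan in cfg["nat_actions"]:
        pool = cfg["pools"].get(pool_id)
        if pool is None:
            findings.append(f"{policy}/{cls}: nat-pool {pool_id} is not defined under any interface")
            continue
        pool_vlan, first, last = pool
        if pool_vlan != vlan:
            findings.append(f"{policy}/{cls}: 'nat dynamic' names vlan {vlan} but pool {pool_id} is defined on vlan {pool_vlan}")
        if not any(first <= vip <= last for vip in cfg["vips"]):      # the observation in the solution
            findings.append(f"{policy}/{cls}: nat-pool {pool_id} ({first}-{last}) does not contain a configured VIP")
        applied = [v for v, i in cfg["interfaces"].items() if policy in i["policies"]]
        if not applied:
            findings.append(f"{policy}: not bound with 'service-policy input' on any interface")
        for v in applied:
            if not cfg["interfaces"][v]["acl_in"]:                  # Kanwal's first check
                findings.append(f"vlan {v}: no 'access-group input' ACL on the interface carrying {policy}")
    return findings


if __name__ == "__main__":
    for label, text in (("working", WORKING_CONFIG), ("pool-not-vip", POOL_NOT_VIP_CONFIG)):
        print(label, audit(parse_ace(text)) or "OK")
```

Running it reports the posted configuration as clean and flags the variant whose pool address is not a VIP; the same audit catches a 'nat dynamic' line that names a VLAN other than the one the pool is defined on, which is the other easy way to get a converted CSS configuration silently wrong.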