ACE 4710 Non-LB traffic from real server

SysEng1999
Level 1

Hello,

We are migrating from CSS to ACE and kind of hit a strange issue.

On CSS, when the real server (with an internal address like 10.x.x.x) initiates its own connection to the Internet, for example to check for Windows Updates, the traffic goes to the CSS (as it is set as the default gateway on the real server) and then reaches the destination translated to a VIP address (public IP) from the CSS.

Now with ACE setup it does not work that way at all.

The load balancing traffic from Internet goes to ACE normally and reaches a real server and then goes back to ACE and out to Internet.

The ACE is in routed mode and the real server default gateway is set to server farm VLAN IP on ACE.

However nothing gets out from real server if it tries to initiate its own traffic like opening a google page in a browser.

Here is more: if I add another network interface to the real server and change the default gateway from ACE to the other gateway on the second network card, the real server obviously reaches the Internet happily, but somehow load-balancing traffic goes back to ACE as well.

Any idea how to keep the real server with one adapter and send its own traffic through ACE like CSS?

Any ideas will be very much appreciated!


Accepted Solution

Kanwaljeet Singh
Cisco Employee

Hi,

Ensure that you have proper ACLs in place (access group on the server-side VLAN interface), and for server-initiated traffic to be NATted with the VIP or any other address you need to have the configuration in place. Below are posts discussing similar configurations.

https://supportforums.cisco.com/discussion/10744631/ace-module-source-nat-server-initiated-connections-vip-address

https://supportforums.cisco.com/discussion/10282466/ace-initiate-connections-server-vlan-client

https://supportforums.cisco.com/discussion/10482821/ace-source-nat-server-initiated-connections

Let me know if you have any questions.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Thanks kanwalsi!

I was getting to the NAT configuration; after I ran a CSS to ACE conversion tool, I noticed that there was a NAT statement in the converted configuration.

I did some searching and ran into several threads on this topic, but I noticed one important thing.

The NAT pool has to point to the VIP address (I suspect you can even create a special VIP for NATed traffic only). I mean, if you have a VIP on one IP and the NAT pool on a different IP, the traffic from the real server will not go through.

So it was important to keep that in mind.

The first link in your reply gives the most correct configuration for NATing the traffic from real server through ACE.

Here is the working solution to let real server NON-LB traffic get through ACE using the existing VIP address.

A public address is used as an example.

access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any


rserver host RS005
  ip address 10.100.0.15
  inservice

serverfarm host PD_farm
  rserver RS005
    inservice


class-map match-any RS_ALL
  2 match source-address 10.100.0.0 255.255.255.0
class-map type management match-any MGMT-CLASS
  30 match protocol icmp any
class-map match-all PD_web
  2 match virtual-address 217.14.140.200 tcp eq www

policy-map type management first-match MGMT-POLICY
  class MGMT-CLASS
    permit

policy-map type loadbalance first-match PD_web_pm
  class class-default
    serverfarm PD_farm

policy-map multi-match RS_NAT
  class RS_ALL
    nat dynamic 410 vlan 400

policy-map multi-match int400
  class PD_web
    loadbalance vip inservice
    loadbalance policy PD_web_pm
    loadbalance vip icmp-reply active

interface vlan 400
  description VIP Client side - FrontEnd
  ip address 217.14.140.194 255.255.255.0
  access-group input INBOUND
  access-group output INBOUND
  nat-pool 410 217.14.140.200 217.14.140.200 netmask 255.255.255.255 pat
  service-policy input MGMT-POLICY
  service-policy input int400
  no shutdown
interface vlan 500
  description Real Server side - Backend
  ip address 10.100.0.2 255.255.255.0
  access-group input INBOUND
  access-group output INBOUND
  service-policy input MGMT-POLICY
  service-policy input RS_NAT
  no shutdown

ip route 0.0.0.0 0.0.0.0 217.14.140.142
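As an added example (written for this thread, not part of the post above and not a Cisco tool), here is a small Python checker that reads the working configuration posted above and verifies the points the thread turned on: the server-side VLAN carries an access-group input (ACE denies transit traffic without one), the nat dynamic rule references a pool that is defined on the egress VLAN it names, that pool covers one of the VIP addresses, and the NAT policy is applied on the VLAN whose subnet matches the class-map source. It assumes the two-space indentation of the posted config and understands only the statements in the embedded sample (rserver, serverfarm and management-policy lines are left out because the checks never read them). Two constructed broken variants show what a pool on a non-VIP address and a missing ACL look like.

```python
"""Static checks for the ACE server-initiated NAT pattern discussed in this
thread. Example code written for this post, not a Cisco tool; it understands
only the statements used in the sample below."""
import ipaddress
from types import SimpleNamespace

# Statements from the working solution posted above (rserver, serverfarm and
# management-policy lines omitted, as the checks do not look at them).
ACE_CONFIG = """\
access-list INBOUND line 8 extended permit ip any any
class-map match-any RS_ALL
  2 match source-address 10.100.0.0 255.255.255.0
class-map match-all PD_web
  2 match virtual-address 217.14.140.200 tcp eq www
policy-map multi-match RS_NAT
  class RS_ALL
    nat dynamic 410 vlan 400
interface vlan 400
  ip address 217.14.140.194 255.255.255.0
  access-group input INBOUND
  nat-pool 410 217.14.140.200 217.14.140.200 netmask 255.255.255.255 pat
interface vlan 500
  ip address 10.100.0.2 255.255.255.0
  access-group input INBOUND
  service-policy input RS_NAT
"""


def parse_ace_config(text):
    """Pull out ACL names, VIPs, class source networks, NAT rules, pools and interfaces."""
    cfg = SimpleNamespace(acls=set(), vips=set(), sources={}, nat_rules=[], nat_pools={}, interfaces={})
    block = cls = None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if not line.startswith(" "):  # a top-level statement opens a new block
            block = None
            if tok[0] == "access-list":
                cfg.acls.add(tok[1])
            elif tok[0] == "class-map":
                block = ("class", tok[-1])
            elif tok[0] == "policy-map":
                block, cls = ("policy", tok[-1]), None
            elif tok[:2] == ["interface", "vlan"]:
                block = ("iface", int(tok[2]))
                cfg.interfaces[block[1]] = {"net": None, "acl_in": None, "policies": []}
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "class" and "match" in tok:
            i = tok.index("match")
            if tok[i + 1] == "virtual-address":
                cfg.vips.add(ipaddress.ip_address(tok[i + 2]))
            elif tok[i + 1] == "source-address":
                cfg.sources[name] = ipaddress.ip_network(f"{tok[i + 2]}/{tok[i + 3]}", strict=False)
        elif kind == "policy":
            if tok[0] == "class":
                cls = tok[1]
            elif tok[:2] == ["nat", "dynamic"]:  # nat dynamic <pool-id> vlan <egress-vlan>
                cfg.nat_rules.append((name, cls, int(tok[2]), int(tok[4])))
        else:  # inside "interface vlan N"
            iface = cfg.interfaces[name]
            if tok[:2] == ["ip", "address"]:
                iface["net"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
            elif tok[:2] == ["access-group", "input"]:
                iface["acl_in"] = tok[2]
            elif tok[0] == "nat-pool":  # nat-pool <id> <first-ip> <last-ip> netmask <mask> pat
                cfg.nat_pools[int(tok[1])] = (name, ipaddress.ip_address(tok[2]), ipaddress.ip_address(tok[3]))
            elif tok[:2] == ["service-policy", "input"]:
                iface["policies"].append(tok[2])
    return cfg


def check_server_nat(cfg):
    """Return findings; an empty list means the server-initiated NAT path is wired up."""
    out = []
    for vlan, iface in cfg.interfaces.items():
        if iface["acl_in"] not in cfg.acls:  # ACE denies transit traffic on an interface with no ACL
            out.append(f"vlan {vlan}: no valid access-group input, transit traffic is denied")
    for policy, cls, pool_id, egress in cfg.nat_rules:
        if pool_id not in cfg.nat_pools:
            out.append(f"{policy}/{cls}: nat-pool {pool_id} is not defined on any interface")
            continue
        pool_vlan, first, last = cfg.nat_pools[pool_id]
        if pool_vlan != egress:
            out.append(f"{policy}/{cls}: nat-pool {pool_id} is on vlan {pool_vlan}, rule names vlan {egress}")
        if not any(first <= vip <= last for vip in cfg.vips):  # the thread's key observation
            out.append(f"{policy}/{cls}: nat-pool {pool_id} ({first}-{last}) covers no VIP, server traffic will not pass")
        src = cfg.sources.get(cls)  # the NAT policy must sit on the VLAN that faces the real servers
        if not any(policy in i["policies"] and i["net"] and src and src.subnet_of(i["net"])
                   for i in cfg.interfaces.values()):
            out.append(f"{policy}: not applied as service-policy input on the vlan facing {src}")
    return out


def audit(text):
    return check_server_nat(parse_ace_config(text))


# Constructed broken variants: pool on a non-VIP address, and no ACL on the server-side vlan.
POOL_OFF_VIP = ACE_CONFIG.replace("217.14.140.200 217.14.140.200", "217.14.140.201 217.14.140.201")
NO_SERVER_ACL = ACE_CONFIG.replace("  access-group input INBOUND\n  service-policy input RS_NAT",
                                   "  service-policy input RS_NAT")
```

Running audit(ACE_CONFIG) on the posted config returns no findings; audit(POOL_OFF_VIP) reports that pool 410 covers no VIP, which is exactly the symptom described in the thread, and audit(NO_SERVER_ACL) reports the missing access-group on vlan 500. The parser is deliberately narrow: it only knows the handful of statements the checks need, so anything else in a real ACE config is skipped rather than misread.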
