Does an ACE context work with host static routes?
I've been trying to set up a context to load balance LDAP where the servers have IP addresses across multiple VLANs and I'm not allowed to change the IP addresses. I've tried bridging and routing configurations. The only case that works is where the server is a member of the server-side VLAN. I noticed a comment in the Routing manual page 2-2 says that secondary IP addresses are not supported. Is a host static route equivalent to a secondary address?
Is it possible to achieve my goal?
You can use a host route.
But that will only solve the path from ACE to servers. You also need to make sure that the servers to ACE path is ok.
Also, don't forget one context can't communicate to/through another context.
Thank you Gilles,
As far as I can see the server can see the ACE context. I'm only using one context for this.
Do I need specific routes in the context as well as on the hosting router?
Just look at your context as a router.
Make sure there is a valid path between the context vlan and the servers.
Try to ping.
When you have connectivity with the servers, check if you have connectivity with the clients.
Again try to ping the ace interface and then the ace vip.
Be aware you need to explicitly permit icmp traffic in order for the ping to work.
Then, when all this works, you need to make sure that the server response to the client goes through the ACE blade.
This is a stateful device, so it requires to see both sides of a connection. No asymmetric routing is allowed.
Now I'm baffled. I can ping from server to VIP and client and from client to vip and server. It all looks fine - but it doesn't work.
I've attached the context config and the router vlan definitions. Don't worry about the SSL bit that is unused. The longer term goal is to offload the SSL of LDAPS - but I need to get 636 passed initially.
The problem is most probably asymmetric routing.
When the client connects to the vip, the ace module will forward the traffic to the server re-using the client ip address so that the server believes it is communicating directly with the client.
The response from the server is sent to the client.
Since there are routers in between, they route the traffic using the best path, which is most probably not through the ACE module.
So the client receives a response from the server which it drops because it is expecting a response from the vip.
One easy solution is to perform client nat on the ACE blade.
interface vlan 395
nat-pool 1 22.214.171.124 126.96.36.199 netmask 255.255.255.248 pat
policy-map multi-match L4POLICY
nat dynamic 1 vlan 395
If it works after that, you'll know you had an asymmetric routing issue.
You can then keep the client nat solution or investigate the asymmetry.
The nat didn't work.
Error message: Error: Specified ip address duplicates with an existing ip address configured in
Even changing it to something else didn't work. The LDAP server doesn't see any traffic but when it has an address in VL395 it does. Sounds like a network routing issue - unless the ACE really can't cope with my topology. Every example I've seen has the servers in one subnet.
You can have the server wherever you want.
Could you get a 'show service-policy detail' before and after trying to connect from a client?
If you can, get a sniffer trace by creating a monitor session of the tengig interface associated with the ACE slot.
All your help and advice is really appreciated.
I've attached two files - one containing the config, sh service-policy detail, a capture and another show and the second containing a packet capture from the ACE TenGigabit interface.
This is an asymmetric routing issue.
Could you repeat the test with the nat config I told you to use?
You can't use the vip in the nat-pool with your version.
You need version A1.6.3 for that.
So, use an ip that belongs to the same subnet as the vip.
Then repeat the operation.
Capture config and sniffer trace.
You used an ip from a different subnet.
The range is: 188.8.131.52 - x.x.x.183
Do you have a free ip in this range?
ace1/ldap(config)# int vl395
ace1/ldap(config-if)# no nat-pool 1 184.108.40.206 220.127.116.11 netmask 255
ace1/ldap(config-if)# nat-pool 1 18.104.22.168 22.214.171.124 netmask 255.25
Invalid start ip address
Do I put the nat pool on the clientside or serverside vlan?
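To make the asymmetric-routing explanation and the nat-pool errors from this thread concrete, here is an added Python model (not from the thread, and not Cisco code): it traces one client/VIP/server exchange with and without client NAT, and checks a nat-pool range the way the CLI rejected it above. All addresses are constructed, and the two error strings are only modelled after the messages quoted in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple
# Constructed sample addresses (not from the thread): the VIP on the client-side
# VLAN, a client in another routed subnet, and an LDAP server on a third subnet.
VIP, VIP_NET = "192.0.2.10", ipaddress.ip_network("192.0.2.8/29")
CLIENT, SERVER = "198.51.100.20", "10.10.30.5"
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class AceContext:
    """Toy model of the stateful ACE path: forward flows are recorded and a
    reply is only rewritten if its matching forward flow was seen."""
    def __init__(self, client_nat: Optional[str] = None):
        self.client_nat = client_nat
        self.flows: Set[Tuple[str, str]] = set()
    def owns(self, ip: str) -> bool:       # addresses routers deliver to the ACE
        return ip in (VIP, self.client_nat)
    def to_server(self, pkt: Packet) -> Packet:
        src = self.client_nat or pkt.src   # without client NAT the client IP is reused
        self.flows.add((src, SERVER))
        return Packet(src, SERVER)
    def to_client(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.dst, pkt.src) not in self.flows:
            return None                    # no matching state: dropped
        return Packet(VIP, CLIENT)         # reply leaves with the VIP as source

def exchange(client_nat: Optional[str] = None) -> bool:
    """True if the client sees the server's reply coming from the VIP."""
    ace = AceContext(client_nat)
    fwd = ace.to_server(Packet(CLIENT, VIP))
    reply = Packet(SERVER, fwd.src)
    # Routers in between take the best path, so the reply only transits the
    # ACE when its destination is an address the ACE itself owns.
    if ace.owns(reply.dst):
        reply = ace.to_client(reply)
    return reply is not None and reply.src == VIP and reply.dst == CLIENT

def nat_pool_error(start: str, end: str, in_use=(VIP,)) -> Optional[str]:
    """Model the two CLI rejections from the thread: a pool that overlaps an
    address already configured (here the VIP), or one outside the VIP's subnet."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if s not in VIP_NET or e not in VIP_NET or e < s:
        return "Invalid start ip address"
    if any(s <= ipaddress.ip_address(a) <= e for a in in_use):
        return "Specified ip address duplicates with an existing ip address"
    return None
```

Without client NAT, exchange() returns False because the server's reply bypasses the ACE and reaches the client with the server's address as source; with a pool address from the VIP's subnet it returns True.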
Thank you! Thank you! Thank you!
All I have to do now is the SSL termination. Are there any issues with NAT and SSL termination?