I have been load balancing our mail servers for quite some time without an issue; however, I have been using a dynamic NAT statement. This, however, causes our mail team to have problems with logging. I then created a whole new VLAN and ACE context for the mail servers to use. This is where my dilemma is.
I now have dropped connections going to my VIP, but only from one server, which is our Anti-spam / Antivirus server that filters the mail from the internet and then passes it on to these other mail servers.
I can send mail just fine if I don't use the VIP I created.
Also, if I use a NAT statement the mail sends fine, but obviously I don't want to use that anymore.
The only thing I see that the ACE is not doing is closing the connections. So if every five minutes I do a clear conn all, I won't get any dropped connections for at least 10 to 15 minutes, but I am not going to be doing this. Right now I have a server with a script that logs into the ACE and then clears the connections, but this is a band-aid fix.
Here is my config. This is the only thing on this context. All 6 of my other contexts do not have this issue.
access-list ALL line 10 extended permit ip any any
access-list ALL line 18 extended permit icmp any any

probe smtp SMTP_Probe
  passdetect interval 30
  expect status 210 250

parameter-map type connection TCP_Mail_TO
  set timeout inactivity 2
  set tcp timeout half-closed 15
  set tcp ack-delay 300
  tcp-options timestamp allow

rserver host hub2
  ip address *.*.*.*.*.*

serverfarm host Mail_Hub_Servers_SF
  rserver hub2 25

class-map match-all Mail_Hub_VIP
  2 match virtual-address *.*.*.*.*.* tcp eq smtp

class-map type management match-any Remote_Management
  2 match protocol http any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any

policy-map type management first-match rmt_mgt_policy
policy-map type loadbalance first-match Mail_Hub_VIP-l7slb
Since you are using one-arm mode, you need to make sure that the return traffic (from the mail servers) doesn't bypass the ACE.
This is normally achieved using source NAT or PBR. I don't see source NAT in your config; are you using policy-based routing?
Since you are trying to avoid NAT and you are playing with your VLANs, why don't you use routed mode in this ACE context? With routed mode your VIPs will listen on one VLAN (separate address space) and the reals will reside in a different VLAN (address space).
This way the ACE will do the destination address translation and you will be able to preserve the source addresses hitting the mail servers.
I would like to avoid trying routed mode for this right now because we haven't had a good experience with routed mode here. I can try creating a new context in routed mode, because I cannot experiment with production mail. Also, I have this scenario working fine on 3 other contexts with 0 connections being dropped. The other thing is I am not dropping all connections; it's dropping about 2-8% of the connections. I have been playing around with connection limits.
I am sorry, I looked back through my notes and it was not policy-based routing which caused a whole network issue. It was creating BVI interfaces. I am going to work on PBR and read up on it and see what I need to do. If you have any whole configuration examples on setting it up, that would be great. I know the commands, but I don't want to mess this up if I don't have an example to follow.
In my scenario (one-armed mode), I am using SNAT for requests originating from server vlan hitting its own VIP. This resolved the self-hit issue.
However, I am unable to get a successful response from the rserver after mapping the public IP to the VIP on the ACE. Would I need source NAT for client-to-server traffic originating from the outside network (internet)?
The static translation on the ASA and the ACL hits are showing correct statistics. I am able to ping the VIP via the public IP (ICMP is also load balanced on the ACE), but the HTTP request fails. The HTTP requests from all other inside networks are successful.
With two-armed mode, shouldn't the ACE know how to get the traffic back to me without using PBR?
Two Armed Mode - This topology is used when the device that makes the connection to the VIP enters the ACE on a different VLAN than that on which the servers reside. If the servers have the default gateway set to the ACE, there is no need for source NAT. The reply traffic returns to the ACE before it is sent back to the client.
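As an added illustration of the routed-mode (two-armed) design recommended in the thread above, not configuration from any of the posters: the VIP sits on a client-facing VLAN, the real server sits on a separate server VLAN with the ACE as its default gateway, and the multi-match policy carries no "nat dynamic" line, so the mail servers see the original client source address. VLAN numbers, all IP addresses, and the policy-map name Mail_Hub_Policy are assumed placeholders; the ACL, probe, parameter-map, rserver, serverfarm, class-map and L7 policy names are the ones from the posted config.

```cisco
! Client-facing VLAN: VIP address space (VLAN id and addresses are assumed)
interface vlan 100
  description Mail_Hub client side
  ip address 192.0.2.2 255.255.255.0
  access-group input ALL
  service-policy input Mail_Hub_Policy
  no shutdown

! Server VLAN: the reals live here and use 198.51.100.1 as their default gateway
interface vlan 200
  description Mail_Hub server side
  ip address 198.51.100.1 255.255.255.0
  no shutdown

! Upstream gateway on the client VLAN (assumed address)
ip route 0.0.0.0 0.0.0.0 192.0.2.1

! Real server re-addressed into the server VLAN (assumed address)
rserver host hub2
  ip address 198.51.100.10
  inservice

serverfarm host Mail_Hub_Servers_SF
  probe SMTP_Probe
  rserver hub2 25
    inservice

! VIP class from the posted config, with the VIP placed in the client VLAN
class-map match-all Mail_Hub_VIP
  2 match virtual-address 192.0.2.25 tcp eq smtp

! Multi-match policy applied on the client VLAN. No "nat dynamic" entry:
! the ACE only rewrites the destination address, so source IPs reach the reals
policy-map multi-match Mail_Hub_Policy
  class Mail_Hub_VIP
    loadbalance vip inservice
    loadbalance policy Mail_Hub_VIP-l7slb
    loadbalance vip icmp-reply active
    connection advanced-options TCP_Mail_TO
```

Because nothing is source-translated, the reals' default route must point at the ACE's server-VLAN address (198.51.100.1 here), otherwise replies take a path around the ACE and the connections fail exactly as in the one-arm case.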