ACE load-balancing stealth firewall not working

Hi all, I'm trying to configure, with no luck, two ACEs to do stealth firewall load balancing.

This is my layout:

WEout (cat 6513 + ace) ---- 3 fortinet firewall in stealth mode --- WEin ( another chassis cat 6513 + ace )

Attached you can find a detailed layout and the configuration from WEout (supervisor and ACE) and WEin (supervisor and ACE).

As you can see, I used the configuration example from the Cisco configuration guide; you can find it here:

The ACE config is very simple; you can find it attached to the post.

As you can see, I'm trying to reach network 100 (match virtual-address any) from WEin and network 200 (match virtual-address any) from WEout, but it's not working. I also tried to announce from both ACEs to match all (changing the configuration from match virtual-address any and match virtual-address any to match virtual-address any), but this is also not working. On the interface connected to the firewall it is not working.

I ran some show commands on the ACE module (the WEin ACE module) and tried to generate some traffic for the other chassis. I found that the policy-map is matched, as you can see from the

ACE-IN-CUB/Admin# sh service-policy POL_SEC

Status : ACTIVE
Interface: vlan 200
  service-policy: POL_SEC
    class: FW_SEC_VIP
      L7 loadbalance policy: LB_FW_SEC
      VIP Route Metric : 77
      VIP Route Advertise : DISABLED
      curr conns : 0 , hit count : 16
      dropped conns : 16
      client pkt count : 0 , client byte count: 1544
      server pkt count : 0 , server byte count: 0

and I also found that the ACE module had balanced to the firewall, as you can see from

ACE-IN-CUB/Admin# sh serverfarm SF_SEC detail

serverfarm : SF_SEC, type: HOST
total rservers : 3
description : -
predictor : HASH-ADDRDEST
ip mask :
failaction : -
total conn-dropcount : 16

real                weight state        current total
rserver: FW_SEC_1   8      OPERATIONAL  0       0
  total conn-failures : 5
rserver: FW_SEC_2   8      OPERATIONAL  0       0
  total conn-failures : 2
rserver: FW_SEC_3   8      OPERATIONAL  0       0
  total conn-failures : 9

ACE-IN-CUB/Admin# sh rserver FW_SEC_3 detail

rserver : FW_SEC_3, type: HOST
description : -
weight : 8

real                weight state        current total
serverfarm: SF_SEC  8      OPERATIONAL  0       0
  total conn-failures : 9

but all connections fail and are dropped...

On the firewall we see no traffic going through; the ACE seems unable to forward traffic to the VLAN connected to the firewall.

This is the ACE-related configuration for the Cat 6513:

svclc module 1 vlan-group 10
svclc vlan-group 10 111,200,249,253

interface GigabitEthernet10/44
 switchport access vlan 253
 switchport mode access
 no ip address

Does anyone have an idea why it's not working?

Many thanks



Re: ACE load-balancing stealth firewall not working

Attached you can find the full configuration from both Cat6513 switches, WEin and WEout.

Many thanks