Cisco Support Community

ACE Load Balancing

Hi all,

I'm configuring 2 ACE 4710 in failover, and I also need to balance 2 webservers at the moment. I have all of the IP addresses in the same subnet, is that a problem?

Server 1

Server 2


I have a VLAN for administration, and I have a VLAN for the client connection.

But when I try to connect to the VIP, it doesn't show the web page, but if I connect to the servers' page directly they are working OK.

Does anybody know what I can check, or if there is any manual that really shows how to configure this type of connection?



Re: ACE Load Balancing


This could be helpful to you:

Other than that, I'd recommend going through the following sequence of troubleshooting:

1. Access-list - Make sure traffic is actually permitted and that an access-list is applied to your ingress-interface.

2. VIPs - Verify that your VIP addresses are in the state IN-SRVC and that hit counters are increasing (or possibly drop counts).

3. Multimatch policy - Do a detailed show of your policy-configuration and see, how far traffic gets or if it's dropped.

4. Serverfarms/realservers - Make sure they're operational and see if any connections have passed through, and check for failed connections. You could also look at your probe status.

What kind of error are you getting? Timeout, blank page, incomplete page etc. Also, have you tried to run a trace?




Re: ACE Load Balancing


From your description, it sounds like you might have a one-armed configuration for load balancing. If your management VLAN interface is only used for management, and you only have the client VLAN interface for load balancing, then this would be a one-armed config. If this is indeed the case, then you would need to either use Policy-Based Routing to route the server response traffic back to the ACE rather than directly back to the client or, as the more common solution, configure source NAT as shown below:

access-list ANYONE line 10 extended permit tcp any any

rserver host SERVER_01
  ip address
rserver host SERVER_02
  ip address

serverfarm host REAL_SERVERS
  rserver SERVER_01
  rserver SERVER_02

class-map match-all VIP-3
  2 match virtual-address any

class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS

policy-map multi-match CLIENT_VIPS
  class VIP-3
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance icmp-reply active
    nat dynamic 1 vlan 20

interface vlan 10
  description MANAGEMENT VLAN
  ip address
  access-group input ANYONE
  service-policy input REMOTE_MGT
  no shutdown
interface vlan 20
  description CLIENT VLAN
  ip address
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  nat-pool 1 netmask pat
  no shutdown

ip route

Hope this helps,
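
As an added example (not part of either reply, and not Cisco tooling), the Python sketch below lints an ACE-style configuration for two points raised in this thread: an access-list applied to the VIP's ingress interface, and source NAT with a matching nat-pool for a one-armed design. The `blocks` and `audit` helpers, the simplified line-based parsing (one class per multi-match policy) and the sample addresses are assumptions made for illustration.

```python
import re

def blocks(cfg):
    """Map each top-level config line to its indented child lines (flattened)."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if line.strip() and not line[0].isspace():
            cur = out.setdefault(line.strip(), [])
        elif line.strip() and cur is not None:
            cur.append(line.strip())
    return out

def audit(cfg):
    """Findings for a one-armed design (an assumption taken from the reply above)."""
    b, findings = blocks(cfg), []
    ifaces = {h.split()[-1]: c for h, c in b.items() if h.startswith("interface vlan ")}
    for vlan, lines in ifaces.items():
        for pol in (l.split()[-1] for l in lines if l.startswith("service-policy input ")):
            body = b.get("policy-map multi-match " + pol)
            if body is None or "loadbalance vip inservice" not in body:
                continue  # management policy, or no VIP in service
            if not any(l.startswith("access-group input ") for l in lines):
                findings.append(f"vlan {vlan}: no access-group input on the VIP interface")
            nats = [m.groups() for m in (re.match(r"nat dynamic (\d+) vlan (\d+)$", l) for l in body) if m]
            if not nats:
                findings.append(f"{pol}: no 'nat dynamic', servers answer the client directly")
            for pool, nvlan in nats:
                if not any(l.startswith(f"nat-pool {pool} ") for l in ifaces.get(nvlan, [])):
                    findings.append(f"{pol}: nat-pool {pool} not defined on vlan {nvlan}")
    return findings

# Constructed sample (documentation addresses), not the poster's configuration.
BROKEN = """\
access-list ANYONE line 10 extended permit tcp any any
policy-map multi-match CLIENT_VIPS
  class VIP-3
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
interface vlan 20
  service-policy input CLIENT_VIPS
"""
FIXED = BROKEN.replace("SLB_LOGIC\n", "SLB_LOGIC\n    nat dynamic 1 vlan 20\n").replace(
    "  service-policy input CLIENT_VIPS\n",
    "  access-group input ANYONE\n  service-policy input CLIENT_VIPS\n"
    "  nat-pool 1 192.0.2.50 192.0.2.50 netmask 255.255.255.0 pat\n")

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, audit(cfg) or "no findings")
```

A static check like this only covers the configuration; the VIP state, hit counters and probe status from the earlier reply still have to be read on the device.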

