thanks for the reply, i have configured the Load balancer as mention below. I can ping the vitrual IP addresses from inside and outside the network and remote desktop is also working on the virutal Ip addreses but when I am trying to telent on the por 80 virtual Ip addresses It is not working.

Real IP address  192.168.200.161 and 162 (I can open the web page in browser and telnet on port 80 also working).

Virtaul IP address: 172.23.15.163 (Only remote desktop and ping is working nothing else is working).

Real IP address  192.168.200.165 and 166 (I can open the web page in browser and telnet on port 80 also working).

Virtaul IP address: 172.23.15.167 (Only remote desktop and ping is working and port 30005).

though these are the web serververs and these working fine. Why I am not able to telnet them on port 80. I can open the web pages on real IP addresses not on virtual Ip address.

this is my least configuration.

probe tcp ITSMAPP_PROBE_30005
  port 30005
  interval 15
  passdetect interval 60
  open 1

probe tcp ITSMWeb_PROBE_80
  port 80
  interval 15
  passdetect interval 60
  open 1

rserver host ITSMMAPP_2
  description ITSMMAPP_2
  ip address 192.168.200.166
  inservice

rserver host ITSMWeb_1
  description ITSMWeb-1
  ip address 192.168.200.161
  inservice

rserver host ITSMWeb_2
  description ITSMWeb-2
  ip address 192.168.200.162
  inservice

serverfarm host SF_ITSM_MAPP_Server
  probe ITSMAPP_PROBE_30005
  rserver ITSMMAPP_1
    inservice
  rserver ITSMMAPP_2
    inservice
serverfarm host SF_ITSM_Web_Server
  probe ITSMWeb_PROBE_80
  rserver ITSMWeb_1
    inservice
  rserver ITSMWeb_2
    inservice

class-map match-any ITSM_MAPP_Server
  2 match virtual-address 172.23.15.167 any

class-map match-any ITSM_Web_Server
  2 match virtual-address 172.23.15.163 any

class-map match-any RT_FAX
  2 match virtual-address 172.23.15.65 any
class-map match-all clas-default

policy-map type loadbalance first-match PM_LB_ITSM_MAPP_Server
  class class-default
    serverfarm SF_ITSM_MAPP_Server

policy-map type loadbalance first-match PM_LB_ITSM_Web_Server
  class class-default
    serverfarm SF_ITSM_Web_Server

policy-map multi-match PM_ITSM_MAPP_Server
  class ITSM_MAPP_Server
    loadbalance vip inservice
    loadbalance policy PM_LB_ITSM_MAPP_Server
    loadbalance vip icmp-reply active
    nat dynamic 4 vlan 300

policy-map multi-match PM_ITSM_Web_Server
  class ITSM_Web_Server
    loadbalance vip inservice
    loadbalance policy PM_LB_ITSM_Web_Server
    loadbalance vip icmp-reply active
    nat dynamic 3 vlan 300

interface vlan 200
  description WAN-VLAN CONTEXT RACK1
  ip address 192.168.0.33 255.255.255.224
  alias 192.168.0.43 255.255.255.224
  peer ip address 192.168.0.34 255.255.255.224
  mac-address autogenerate
  access-group input acl-wan
  service-policy input PM_BYPASS_HTTP
  service-policy input PM_MAIN_BCPROXY
  service-policy input PM_RT_FAX
  service-policy input PM_ITSM_Web_Server
  service-policy input PM_ITSM_MAPP_Server
  no shutdown

interface vlan 300
  description ACE-INSIDE CONTEXT RACK1
  ip address 192.168.0.65 255.255.255.224
  alias 192.168.0.73 255.255.255.224
  peer ip address 192.168.0.66 255.255.255.224
  mac-address autogenerate
  access-group input acl-in
  nat-pool 1 172.23.16.2 172.23.16.2 netmask 255.255.255.255 pat
  nat-pool 3 172.23.16.3 172.23.16.3 netmask 255.255.255.255 pat
  nat-pool 4 172.23.16.4 172.23.16.4 netmask 255.255.255.255 pat
  service-policy input PM_BYPASS_FOR_LAN_HTTP
  service-policy input PM_BYPASS_HTTP
  service-policy input PM_MAIN_BCPROXY
  service-policy input PM_RT_FAX
  service-policy input PM_ITSM_Web_Server
  service-policy input PM_ITSM_MAPP_Server

Please let me know what I am missing and how to solve this problem.

Can anybody help me out. Why I am not able to open the Virtual IP via HTTP. Real IP is working fine via port 80 but via VIP i m not able to open the web portal

I can hardly believe you have 5 or 6 service-policies of the same type under int vlan 300 and 200. Please copy and paste your config again. I have already pointed out that you need a single multi-match policy-map for each interface.

access-list acl-in remark ACCESS LIST FOR ACE-INSIDE

access-list acl-in line 1 extended permit ip any any

access-list acl-out remark ACCESS LIST FOR ACE-OUTSIDE

access-list acl-out line 1 extended permit ip any any

access-list acl-proxy remark ACCESS LIST FOR PROXY SEGMENT

access-list acl-proxy line 1 extended permit ip any any

access-list acl-wan remark ACCESS LIST FOR WAN SEGMENT

access-list acl-wan line 1 extended permit ip any any

access-list fax line 8 extended permit ip any host 192.168.200.65

access-list fax line 16 extended permit ip any host 192.168.200.66

access-list fax line 24 extended permit ip any host 192.168.200.67

probe tcp ITSMAPP_PROBE_30005

port 30005

interval 15

passdetect interval 60

open 1

probe tcp ITSMWeb_PROBE_80

port 80

interval 15

passdetect interval 60

open 1

probe tcp PROBE_5050

port 5050

interval 15

passdetect interval 60

open 1

probe tcp PROBE_5101

port 5101

interval 15

passdetect interval 60

open 1

probe tcp PROBE_TCP

port 80

interval 15

passdetect interval 60

open 1

parameter-map type http PARAMAP_CASE

case-insensitive

no persistence-rebalance

rserver host ITSMMAPP_1

description ITSMMAPP_1

ip address 192.168.200.165

inservice

rserver host ITSMMAPP_2

description ITSMMAPP_2

ip address 192.168.200.166

inservice

rserver host ITSMWeb_1

description ITSMWeb-1

ip address 192.168.200.161

inservice

rserver host ITSMWeb_2

description ITSMWeb-2

ip address 192.168.200.162

inservice

rserver host RS_BCPR01

ip address 192.168.0.103

inservice

rserver host RS_BCPR02

ip address 192.168.0.104

inservice

rserver host RT_fax1

description Right Fax Server-1

ip address 192.168.200.66

inservice

rserver host RT_fax2

description Right Fax Server-2

ip address 192.168.200.67

inservice

serverfarm host SF_BCPR

transparent

probe PROBE_5050

probe PROBE_5101

probe PROBE_TCP

rserver RS_BCPR01

inservice

rserver RS_BCPR02

inservice

serverfarm host SF_ITSM_MAPP_Server

probe ITSMAPP_PROBE_30005

rserver ITSMMAPP_1

inservice

rserver ITSMMAPP_2

inservice

serverfarm host SF_ITSM_Web_Server

probe ITSMWeb_PROBE_80

rserver ITSMWeb_1

inservice

rserver ITSMWeb_2

inservice

serverfarm host SF_RT_fax

rserver RT_fax1

inservice

rserver RT_fax2

inservice

sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE

replicate sticky

serverfarm SF_BCPR

class-map type management match-any CM_ALL

2 match protocol snmp any

3 match protocol http any

4 match protocol https any

5 match protocol icmp any

6 match protocol telnet any

class-map match-any CM_BYPASS_FOR_LAN

3 match virtual-address 100.1.1.0 255.255.255.0 tcp eq www

8 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www

9 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www

10 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www

11 match virtual-address 172.20.0.0 255.255.0.0 tcp eq www

12 match virtual-address 172.23.15.0 255.255.255.0 tcp eq www

class-map match-any CM_BYPASS_SUBNET

9 match virtual-address 100.0.0.0 255.0.0.0 tcp eq www

13 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www

15 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www

16 match virtual-address 172.20.0.0 255.255.0.0 tcp eq www

17 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www

18 match virtual-address 172.23.15.0 255.255.255.0 tcp eq www

class-map match-any CM_IM

2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5050

3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 1080

4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5101

class-map match-all CM_SF_BCPR

255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www

class-map match-any ITSM_MAPP_Server

2 match virtual-address 172.23.15.167 any

class-map match-any ITSM_Web_Server

2 match virtual-address 172.23.15.163 any

class-map match-any RT_FAX

2 match virtual-address 172.23.15.65 any

class-map match-all clas-default

policy-map type management first-match PM_ALL

class CM_ALL

permit

policy-map type loadbalance http first-match PM_L7_BYPASS_FOR_LAN_HTTP

class class-default

forward

policy-map type loadbalance http first-match PM_L7_BYPASS_HTTP

class class-default

forward

policy-map type loadbalance first-match PM_LB_ITSM_MAPP_Server

class class-default

serverfarm SF_ITSM_MAPP_Server

policy-map type loadbalance first-match PM_LB_ITSM_Web_Server

class class-default

serverfarm SF_ITSM_Web_Server

policy-map type loadbalance first-match PM_LB_RT_FAX

class class-default

serverfarm SF_RT_fax

policy-map type loadbalance http first-match PM_LB_SF_BCPROXY

class class-default

sticky-serverfarm STICKY-SOURCE

policy-map multi-match PM_BYPASS_FOR_LAN_HTTP

class CM_BYPASS_FOR_LAN

loadbalance vip inservice

loadbalance policy PM_L7_BYPASS_FOR_LAN_HTTP

policy-map multi-match PM_BYPASS_HTTP

class CM_BYPASS_SUBNET

loadbalance vip inservice

loadbalance policy PM_L7_BYPASS_HTTP

policy-map multi-match PM_ITSM_MAPP_Server

class ITSM_MAPP_Server

loadbalance vip inservice

loadbalance policy PM_LB_ITSM_MAPP_Server

loadbalance vip icmp-reply active

nat dynamic 4 vlan 300

policy-map multi-match PM_ITSM_Web_Server

class ITSM_Web_Server

loadbalance vip inservice

loadbalance policy PM_LB_ITSM_Web_Server

loadbalance vip icmp-reply active

nat dynamic 3 vlan 300

policy-map multi-match PM_MAIN_BCPROXY

class CM_SF_BCPR

loadbalance vip inservice

loadbalance policy PM_LB_SF_BCPROXY

loadbalance vip icmp-reply active

appl-parameter http advanced-options PARAMAP_CASE

class CM_IM

loadbalance vip inservice

loadbalance policy PM_LB_SF_BCPROXY

policy-map multi-match PM_RT_FAX

class RT_FAX

loadbalance vip inservice

loadbalance policy PM_LB_RT_FAX

loadbalance vip icmp-reply active

nat dynamic 1 vlan 300

service-policy input PM_ALL

interface vlan 100

description FW-INSIDE CONTEXT RACK1

ip address 192.168.0.5 255.255.255.224

alias 192.168.0.11 255.255.255.224

peer ip address 192.168.0.6 255.255.255.224

mac-address autogenerate

no icmp-guard

access-group input acl-out

no shutdown

interface vlan 200

description WAN-VLAN CONTEXT RACK1

ip address 192.168.0.33 255.255.255.224

alias 192.168.0.43 255.255.255.224

peer ip address 192.168.0.34 255.255.255.224

mac-address autogenerate

access-group input acl-wan

service-policy input PM_BYPASS_HTTP

service-policy input PM_MAIN_BCPROXY

service-policy input PM_RT_FAX

service-policy input PM_ITSM_Web_Server

service-policy input PM_ITSM_MAPP_Server

no shutdown

interface vlan 300

description ACE-INSIDE CONTEXT RACK1

ip address 192.168.0.65 255.255.255.224

alias 192.168.0.73 255.255.255.224

peer ip address 192.168.0.66 255.255.255.224

mac-address autogenerate

access-group input acl-in

nat-pool 1 172.23.16.2 172.23.16.2 netmask 255.255.255.255 pat

nat-pool 3 172.23.16.3 172.23.16.3 netmask 255.255.255.255 pat

nat-pool 4 172.23.16.4 172.23.16.4 netmask 255.255.255.255 pat

service-policy input PM_BYPASS_FOR_LAN_HTTP

service-policy input PM_BYPASS_HTTP

service-policy input PM_MAIN_BCPROXY

service-policy input PM_RT_FAX

service-policy input PM_ITSM_Web_Server

service-policy input PM_ITSM_MAPP_Server

no shutdown

interface vlan 301

description BC-VLAN CONTEXT RACK1

ip address 192.168.0.97 255.255.255.224

alias 192.168.0.107 255.255.255.224

peer ip address 192.168.0.98 255.255.255.224

mac-address autogenerate

access-group input acl-proxy

no shutdown

ft track interface TRACKING_FOR_FT_VLAN

track-interface vlan 300

peer track-interface vlan 300

priority 255

peer priority 255

My ACE is redirecting the port 80 traffic to my proxy server. But I have exclude teh VIP and real IP from this port 80 redirection towards. proxy server

Everything is fine except the port 80. I can do the RDP, ping, telnet on 30005. Please let me know what I am missing.

One thing to add, currently real servers are being load balance by windows load balancer. I have even given the windows load balancer IP address in the ACE serverform but still it is not working.

Hello,

Since your successful RDP connection to the VIP is using the same exact class-maps and rservers as your unsuccessful HTTP connection, I would suspect that the issue is not with your ACE config.

match virtual-address 172.23.15.167 any

If it were your ACE config causing the problem, then RDP wouldn't work either.

I would recommend that you start getting network captures.  Start with getting them on the client side and/or server side of the ACE.  You'll need to find out more precisely why the connection breaks.  For example:

• Does the ACE send the TCP SYN destined to port 80 to the rserver?
• Does the rserver receive this SYN?
  
• Does the ACE receive a TCP SYN/ACK back from the server?

You may want to open a service request with Cisco TAC if you need assistance in the troubleshooting process.

Regards,

Sean

There is some overlapping in the config. This may interfere with the VIP/80 port you want.

class-map match-any CM_BYPASS_SUBNET

  18 match virtual-address 172.23.15.0 255.255.255.0 tcp eq www

'service-policy input PM_BYPASS_HTTP' precedes your new policies.

Please integrate all your classes into a single policy per interface as I'd recommended and do not let this bypass class (which I can't understand anyway) with 172.23.15.0 before PM_ITSM_Web_Server.

thanks for the reply,

I have proxy server in my network. ACE is redirecting any port 80 traffic to this Proxy server. For this reason we have created this bypass class map so that my internal servers and servers located on remote WAN Locations can be accessible for the users directly instead of redirecting users traffic on port 80 towards proxy servers.

That is reason I mention VIP IP address in the bypass list so that when request comes on VIP for port 80 ACE will not send it to proxy server, that is why my first policy is bypassing the VIP and other servers IP address against the port 80.