ACE Problem

gbowling1, Level 1

I have an ACE that I configured a couple of days ago with some very rudimentary configs for load sharing an ldap service. The service worked for one day with no problems. This morning around 9am, it stopped working. I can ping the VIP but cannot telnet to port 389 on the VIP. I can telnet to any of the individual servers, the serverfarm shows all nodes operational, the probe shows success.

I can't seem to figure out what has happened to this service. I reloaded the ACE, and still nothing. The sticky database is empty, no connections, nothing. The serverfarm stats look just like it's sitting there idle with nobody connecting. Yet when you try to connect, you don't get connected. It must be something simple, but I've looked at this until I'm not sure where to go next.

The config is as follows:

ciscoace3/Admin# sh run
Generating configuration....

hostname ciscoace3
boot system image:c6ace-t1k9-mz.A2_1_6a.bin

telnet maxsessions 5

resource-class RC1
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum unlimited

context Admin
  member RC1

access-list All line 8 extended permit ip any any


probe tcp ldap_probe
  port 389
  interval 30
  passdetect interval 10


rserver host ldapauth1
  ip address 10.0.68.56
  inservice
rserver host ldapauth2
  ip address 10.0.67.176
  inservice
rserver host ldapauth3
  ip address 10.0.67.177
  inservice
serverfarm host ldapauth_farm
  rserver ldapauth1
    probe ldap_probe
    inservice
  rserver ldapauth2
    probe ldap_probe
    inservice
  rserver ldapauth3
    probe ldap_probe
    inservice
sticky ip-netmask 255.255.255.255 address both ldapauth_sticky
  timeout 30
  replicate sticky
  serverfarm ldapauth_farm
class-map match-all ldapauth_vip
  2 match virtual-address 10.10.0.10 any
class-map match-all nat
  2 match source-address 0.0.0.0 0.0.0.0
class-map type management match-any remote-access
  description Remote access traffic match
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any
  5 match protocol snmp any
  6 match protocol https any

policy-map type management first-match everyone
  class remote-access
    permit

policy-map type loadbalance first-match ldapauth_lb_policy
  class class-default
    sticky-serverfarm ldapauth_sticky
policy-map multi-match ldapauth_multi_policy
  class ldapauth_vip
    loadbalance vip inservice
    loadbalance policy ldapauth_lb_policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
policy-map multi-match nat
  class nat
    nat dynamic 1 vlan 100

interface vlan 100
  description Server VLAN (real server vlan)
  ip address 10.0.64.250 255.255.192.0
  nat-pool 1 10.0.64.251 10.0.64.251 netmask 255.255.255.255 pat
  service-policy input everyone
  no shutdown
interface vlan 101
  description VLAN for Servers
  ip address 10.10.0.5 255.255.255.0
  service-policy input ldapauth_multi_policy
  service-policy input nat
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.0.64.1

1 Accepted Solution

rocash, Cisco Employee

You need to apply an access-group to allow traffic to the ACE. Example:

access-group input All

It can be applied globally or to an interface.

See:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/security/guide/acl.html

Regards

2 Replies
Thanks rocash, I knew it was something simple; I was just overlooking it. That actually was in the config yesterday, but another person removed and re-installed the access list that was at the top, which removed the global access-group input All statement, and I just missed it.


Gary
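The failure in this thread is an ACE property worth checking for mechanically: an ACE interface passes no new through-traffic unless an access-group is applied to it or a global access-group exists, so a VIP on such an interface still answers pings (icmp-reply is handled by the ACE itself) while every connection attempt is dropped, and removing and re-adding the ACL silently deletes the access-group that referenced it. The script below is an added example, not code from the thread or from Cisco: it parses an ACE running-config, reports interfaces with no ACL in force and which service-policies on them are therefore dead, and separately flags ACLs that `permit ip any any`, since the fix accepted here opens the interface to everything rather than to TCP 389 on the VIP. The sample configs are constructed from the config posted in the thread; the scoped ACL named LDAP_VIP and its placement on vlan 101 are an assumption for illustration, not something the thread tested.

```python
"""Lint a Cisco ACE running-config for interfaces with no ACL in force.

Added example (not from the thread or from Cisco). Sample configs are
constructed from the config posted in the thread.
"""
import re
from typing import Dict, List

INTERFACE_RE = re.compile(r"^interface (\S+ \S+)$")            # interface vlan 101
ACCESS_GROUP_RE = re.compile(r"^access-group (input|output) (\S+)")
SERVICE_POLICY_RE = re.compile(r"^service-policy input (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) line \d+ extended (permit|deny) (\S+) (.*)$")


def parse_config(text: str) -> Dict:
    """Collect global access-groups, per-interface access-groups and
    service-policies, and ACL entries as (action, protocol, rest) per ACL name."""
    cfg = {"global_access_groups": [], "interfaces": {}, "acls": {}}
    current = None  # name of the interface block we are inside, if any
    for raw in text.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if raw[0] not in " \t":          # top-level command ends any interface block
            current = None
            if m := INTERFACE_RE.match(line):
                current = m.group(1)
                cfg["interfaces"][current] = {"access_groups": [], "service_policies": []}
            elif m := ACCESS_GROUP_RE.match(line):
                cfg["global_access_groups"].append(m.group(2))
            elif m := ACL_RE.match(line):
                cfg["acls"].setdefault(m.group(1), []).append(m.group(2, 3, 4))
            continue
        if current is None:              # indented line of a non-interface block
            continue
        if m := ACCESS_GROUP_RE.match(line):
            cfg["interfaces"][current]["access_groups"].append(m.group(2))
        elif m := SERVICE_POLICY_RE.match(line):
            cfg["interfaces"][current]["service_policies"].append(m.group(1))
    return cfg


def unprotected_interfaces(cfg: Dict) -> List[str]:
    """Interfaces that drop all new through-traffic: no access-group on the
    interface and no global access-group to fall back on."""
    if cfg["global_access_groups"]:
        return []
    return [name for name, intf in cfg["interfaces"].items() if not intf["access_groups"]]


def wide_open_acls(cfg: Dict) -> List[str]:
    """ACLs that contain 'permit ip any any', i.e. filter nothing."""
    return [name for name, entries in cfg["acls"].items()
            if any(e == ("permit", "ip", "any any") for e in entries)]


def report(text: str) -> List[str]:
    cfg = parse_config(text)
    findings = []
    for name in unprotected_interfaces(cfg):
        policies = ", ".join(cfg["interfaces"][name]["service_policies"]) or "none"
        findings.append(f"{name}: no access-group applied (global or interface); "
                        f"service-policies {policies} see no client traffic")
    for name in wide_open_acls(cfg):
        findings.append(f"ACL {name}: permit ip any any, consider scoping to the VIP and port")
    return findings


# Constructed from the posted config: the lines the lint cares about.
BROKEN_CONFIG = """\
hostname ciscoace3
access-list All line 8 extended permit ip any any
class-map match-all ldapauth_vip
  2 match virtual-address 10.10.0.10 any
interface vlan 100
  description Server VLAN (real server vlan)
  ip address 10.0.64.250 255.255.192.0
  service-policy input everyone
  no shutdown
interface vlan 101
  description VLAN for Servers
  ip address 10.10.0.5 255.255.255.0
  service-policy input ldapauth_multi_policy
  service-policy input nat
  no shutdown
"""

# The accepted fix: one global access-group covering every interface.
GLOBAL_FIX_CONFIG = BROKEN_CONFIG.replace(
    "access-list All line 8 extended permit ip any any\n",
    "access-list All line 8 extended permit ip any any\naccess-group input All\n")

# Assumed tighter variant (not from the thread): permit only TCP 389 to the VIP,
# applied on the client-facing interface vlan 101.
SCOPED_FIX_CONFIG = BROKEN_CONFIG.replace(
    "access-list All line 8 extended permit ip any any\n",
    "access-list LDAP_VIP line 8 extended permit tcp any host 10.10.0.10 eq 389\n",
).replace(
    "  service-policy input ldapauth_multi_policy\n",
    "  access-group input LDAP_VIP\n  service-policy input ldapauth_multi_policy\n",
)

if __name__ == "__main__":
    for label, text in [("broken", BROKEN_CONFIG), ("global fix", GLOBAL_FIX_CONFIG),
                        ("scoped fix", SCOPED_FIX_CONFIG)]:
        print(f"== {label}")
        for line in report(text) or ["ok"]:
            print("  " + line)
```

Run against the broken config it flags both vlan 100 and vlan 101; against the global fix it flags nothing except the any/any ACL. The scoped variant still reports vlan 100, because with no ACL there the ACE will not accept new connections arriving from the server VLAN; whether that matters depends on whether anything on that side initiates connections through the ACE, so the finding is informational rather than an error. Paste the output of `show run` in place of the constructed samples to check a live box.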