08-13-2010 11:38 AM
I have an ACE that I configured a couple of days ago with some very rudimentary configs for load sharing an ldap service. The service worked for one day with no problems. This morning around 9am, it stopped working. I can ping the VIP but cannot telnet to port 389 on the VIP. I can telnet to any of the individual servers, the serverfarm shows all nodes operational, the probe shows success.
I can't seem to figure out what has happened to this service. I reloaded the ACE, and still nothing. The sticky database is empty, no connections, nothing. The serverfarm stats look just like it's sitting there idle with nobody connecting. Yet when you try to connect, you don't get connected. It must be something simple, but I've looked at this until I'm not sure where to go next.
The config is as follows:
ciscoace3/Admin# sh run
Generating configuration....
hostname ciscoace3
boot system image:c6ace-t1k9-mz.A2_1_6a.bin
telnet maxsessions 5
resource-class RC1
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum unlimited
context Admin
  member RC1
access-list All line 8 extended permit ip any any
probe tcp ldap_probe
  port 389
  interval 30
  passdetect interval 10
rserver host ldapauth1
  ip address 10.0.68.56
  inservice
rserver host ldapauth2
  ip address 10.0.67.176
  inservice
rserver host ldapauth3
  ip address 10.0.67.177
  inservice
serverfarm host ldapauth_farm
  rserver ldapauth1
    probe ldap_probe
    inservice
  rserver ldapauth2
    probe ldap_probe
    inservice
  rserver ldapauth3
    probe ldap_probe
    inservice
sticky ip-netmask 255.255.255.255 address both ldapauth_sticky
  timeout 30
  replicate sticky
  serverfarm ldapauth_farm
class-map match-all ldapauth_vip
  2 match virtual-address 10.10.0.10 any
class-map match-all nat
  2 match source-address 0.0.0.0 0.0.0.0
class-map type management match-any remote-access
  description Remote access traffic match
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any
  5 match protocol snmp any
  6 match protocol https any
policy-map type management first-match everyone
  class remote-access
    permit
policy-map type loadbalance first-match ldapauth_lb_policy
  class class-default
    sticky-serverfarm ldapauth_sticky
policy-map multi-match ldapauth_multi_policy
  class ldapauth_vip
    loadbalance vip inservice
    loadbalance policy ldapauth_lb_policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
policy-map multi-match nat
  class nat
    nat dynamic 1 vlan 100
interface vlan 100
  description Server VLAN (real server vlan)
  ip address 10.0.64.250 255.255.192.0
  nat-pool 1 10.0.64.251 10.0.64.251 netmask 255.255.255.255 pat
  service-policy input everyone
  no shutdown
interface vlan 101
  description VLAN for Servers
  ip address 10.10.0.5 255.255.255.0
  service-policy input ldapauth_multi_policy
  service-policy input nat
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.64.1
08-13-2010 12:43 PM
You need to apply an access-group to allow traffic to the ACE. Example:
access-group input All
It can be applied globally or to an interface.
See:
Regards
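One way to catch this misconfiguration before it bites, as an added example and not something from the thread or from Cisco: a short Python lint that parses an ACE running-config and flags every interface carrying a service-policy that is not covered by an access-group, either global or per-interface, and also flags an access-group that names an ACL that is no longer defined. The embedded config is a constructed excerpt modelled on the one in the question, with the two-space indentation the real CLI prints.

```python
import re

# Constructed excerpt modelled on the config in the question, with the
# real CLI's two-space indentation; the global "access-group input All"
# line is missing, which is the fault the answer points out.
BROKEN_CONFIG = """\
access-list All line 8 extended permit ip any any
interface vlan 100
  service-policy input everyone
interface vlan 101
  service-policy input ldapauth_multi_policy
  service-policy input nat
"""

def lint_access_groups(config: str) -> dict:
    """Map each interface that carries a service-policy to a problem string,
    or to None when an access-group (global or per-interface) covers it."""
    acls, global_acl, interfaces, current = set(), None, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():           # top-level command
            current = None
            if m := re.match(r"access-list (\S+)", line):
                acls.add(m.group(1))
            elif m := re.match(r"access-group input (\S+)", line):
                global_acl = m.group(1)
            elif m := re.match(r"interface (.+)", line):
                current = m.group(1)
                interfaces[current] = {"policies": [], "acl": None}
        elif current is not None:          # inside an interface block
            if m := re.match(r"service-policy input (\S+)", line):
                interfaces[current]["policies"].append(m.group(1))
            elif m := re.match(r"access-group input (\S+)", line):
                interfaces[current]["acl"] = m.group(1)
    findings = {}
    for name, info in interfaces.items():
        if not info["policies"]:
            continue                       # nothing served here, skip
        acl = info["acl"] or global_acl
        if acl is None:
            findings[name] = "no access-group applied (global or interface)"
        elif acl not in acls:
            findings[name] = f"access-group references undefined ACL {acl}"
        else:
            findings[name] = None
    return findings
```

Run it over the output of `show running-config` after any ACL edit; re-creating an ACL is exactly the kind of change that silently drops the access-group, as the follow-up reply in this thread shows.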
08-13-2010 12:48 PM
Thanks rocash, I knew it was something simple I was just overlooking. That actually was in the config yesterday, but another person removed and re-installed the access list that was at the top, which removed the global access-group input All statement, and I just missed it.
Gary