I have an ACE that I configured a couple of days ago with some very rudimentary configs for load sharing an ldap service. The service worked for one day with no problems. This morning around 9am, it stopped working. I can ping the VIP but cannot telnet to port 389 on the VIP. I can telnet to any of the individual servers, the serverfarm shows all nodes operational, the probe shows success.
I can't seem to figure out what has happened to this service. I reloaded the ACE, and still nothing. The sticky database is empty, no connections, nothing. The serverfarm stats look just like it's sitting there idle with nobody connecting. Yet when you try to connect, you don't get connected. It must be something simple, but I've looked at this until I'm not sure where to go next.
The config is as follows:
ciscoace3/Admin# sh run
Generating configuration....

hostname ciscoace3
boot system image:c6ace-t1k9-mz.A2_1_6a.bin

telnet maxsessions 5

resource-class RC1
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum unlimited

context Admin
  member RC1

access-list All line 8 extended permit ip any any

probe tcp ldap_probe
  port 389
  interval 30
  passdetect interval 10

rserver host ldapauth1
  ip address 10.0.68.56
  inservice
rserver host ldapauth2
  ip address 10.0.67.176
  inservice
rserver host ldapauth3
  ip address 10.0.67.177
  inservice

serverfarm host ldapauth_farm
  rserver ldapauth1
    probe ldap_probe
    inservice
  rserver ldapauth2
    probe ldap_probe
    inservice
  rserver ldapauth3
    probe ldap_probe
    inservice

sticky ip-netmask 255.255.255.255 address both ldapauth_sticky
  timeout 30
  replicate sticky
  serverfarm ldapauth_farm

class-map match-all ldapauth_vip
  2 match virtual-address 10.10.0.10 any
class-map match-all nat
  2 match source-address 0.0.0.0 0.0.0.0
class-map type management match-any remote-access
  description Remote access traffic match
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any
  5 match protocol snmp any
  6 match protocol https any

policy-map type management first-match everyone
  class remote-access
    permit

policy-map type loadbalance first-match ldapauth_lb_policy
  class class-default
    sticky-serverfarm ldapauth_sticky

policy-map multi-match ldapauth_multi_policy
  class ldapauth_vip
    loadbalance vip inservice
    loadbalance policy ldapauth_lb_policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active

policy-map multi-match nat
  class nat
    nat dynamic 1 vlan 100

interface vlan 100
  description Server VLAN (real server vlan)
  ip address 10.0.64.250 255.255.192.0
  nat-pool 1 10.0.64.251 10.0.64.251 netmask 255.255.255.255 pat
  service-policy input everyone
  no shutdown
interface vlan 101
  description VLAN for Servers
  ip address 10.10.0.5 255.255.255.0
  service-policy input ldapauth_multi_policy
  service-policy input nat
  no shutdown
Thanks rocash, I knew it was something simple; I was just overlooking it. That actually was in the config yesterday, but another person removed and re-installed the access list that was at the top, which removed the global access-group input All statement, and I just missed it.
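For anyone landing on this thread later: the config above defines the access-list All but never applies it, and the ACE drops all through-traffic on a data interface until an access group is bound to it (globally or per interface). That is why the real servers, the probes (which the ACE originates itself) and the serverfarm all looked healthy while client connections to the VIP silently died. The fragment below is an added example, not part of the original post: it shows the missing statement in both forms, and a tighter ACL (the ldap_vip_only name and its port/host scoping are my assumptions, not something the poster ran) that a practitioner would prefer over permit ip any any on a VIP that only needs port 389.

```text
! Added example (not from the original post): the access-group that went missing.
! Without an access group, ACE denies client traffic arriving on the interface,
! even though the VIP, serverfarm and probes all report healthy.

! Option 1: the global form the poster describes; applies to every interface
access-list All line 8 extended permit ip any any
access-group input All

! Option 2: scoped to the client-facing interface only (interface-level form)
interface vlan 101
  access-group input All

! Tighter alternative (assumed name ldap_vip_only): only LDAP to the VIP,
! instead of permit ip any any. The ACE is stateful, so return traffic and the
! probes it sources toward the real servers on vlan 100 do not need entries here.
access-list ldap_vip_only line 8 extended permit tcp any host 10.10.0.10 eq 389
interface vlan 101
  access-group input ldap_vip_only

! Checks after applying (run a test telnet to 10.10.0.10 389 from a client first):
!   show access-list All    - the ACL is applied and its hit count increments
!   show conn               - the client connection to 10.10.0.10:389 is listed
```

If you do tighten the ACL, remember that the interface ACL is evaluated before the service-policy, so anything else that must reach the ACE on that VLAN (for example ICMP to the VIP if you rely on icmp-reply active, or management protocols permitted by the everyone policy on that interface) needs its own permit line.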