Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Cisco ACE 4710 Connectivity issue

Hello Guys,

We are having a connectivity issue on two contexts on our cisco ace 4710 (routed mode).

We arent unable to start a communication (Ping/telnet and etc) between two server in differents vlans on the same contexts... however  it is possible to start a communication between servers on differents contexts.

Version A5(1.2)

Context Issue

access-list ALL line 8 extended permit ip any any

access-list routing line 8 extended permit ip any any

ip domain-name xpto

class-map type management match-any Gerenciamento

  2 match protocol icmp any

  3 match protocol ssh any

  4 match protocol telnet any

  5 match protocol snmp any

  6 match protocol xml-https any

  7 match protocol http any

  8 match protocol https any

class-map match-all TESTE

class-map type management match-any permite_ping

  2 match protocol icmp any

policy-map type management first-match Gerenciamento

  class Gerenciamento

    permit

policy-map type management first-match permite_ping

  class permite_ping

    permit

interface vlan 3

  ip address 9.241.45.1 255.255.255.0

  access-group input routing

  access-group output routing

  service-policy input permite_ping

  no shutdown

interface vlan 102

  description servers

  ip address 9.193.46.1 255.255.255.0

   access-group input routing

   access-group output routing

  service-policy input permite_ping

  no shutdown

interface vlan 685

  description Management

  ip address 9.193.164.40 255.255.255.0

  access-group input routing

  access-group output routing

  service-policy input permite_ping

  no shutdown

ip route 0.0.0.0 0.0.0.0 9.194.11.17

ip route  9.193.10.0 255.255.255.0 192.168.42.82

ip route  9.193.38.0 255.255.254.0 192.168.42.82

ip route  9.193.64.0 255.255.255.0 192.168.42.82

11 REPLIES
Cisco Employee

Cisco ACE 4710 Connectivity issue

Hi,

Can you please elaborate on your requirement? the vlan? src & dst ip?

You might have to consider source NAT and I have this explained in the thread below.

https://supportforums.cisco.com/thread/2163723?tstart=0

Regards,

Siva

New Member

Cisco ACE 4710 Connectivity issue

We did a test with the servers on the same context with no response.:

From Server 9.193.46.250 (vlan102/Context Issue) to 9.241.45.100 (vlan 3/ Context Issue)

From Server 9.193.46.250 (Context102/Context Issue) to 9.241.45.200 (vlan 3/Context Issue)

Communication from servers on context issue to another servers  on context called Test is working well.

From Server 9.193.46.250(vlan102/Context Issue)  to 9.241.41.111 (VLAN 18/Context Test)

Cisco Employee

Cisco ACE 4710 Connectivity issue

Can you tell me whats the default gateway for these servers? Are these servers have the gateway pointing to ACE?

For communication between the context the traffic would be sent to router and then to test context.

For traffic within the context, you would have to have the servers gateway pointing back to ACE.

Regards,

Siva

New Member

Cisco ACE 4710 Connectivity issue

Siva,

As per the servers that I have mentioned:

Default gateway is the ACE.

VLAN 102 GW

9.193.46.1

VLAN 3 GW

9.241.45.1

That is so strange, communication between the context is working well... however communication on the same context is not working.

Cisco Employee

Cisco ACE 4710 Connectivity issue

Hi,

For internal clients that need to access the servers behind the ACE  directly, all you need is an ACL in the ingress interface of the ACE to  allow that traffic.  For traffic that comes into the ACE that is not  destined for a VIP, the ACE will simply route the traffic to the  destination according to its routing table (ie static or default  routes).  All you need is the ACL to permit that traffic as it enters  the ACE.

Can you take a packet capture on ACE and see how the traffic is being routed?

Regards,

Siva

New Member

Cisco ACE 4710 Connectivity issue

Siva,

I did the two captures on both vlan interfaces 102 and 3

"From Server 9.193.46.250 (vlan102/Context Issue) to 9.241.45.100 (vlan 3/ Context Issue)"

And cannot see any packet hitting the interfaces, with the above icmp test.

Any idea?

Cisco Employee

Cisco ACE 4710 Connectivity issue

Hi,

Can you run the same capture on context test and if you see any hits? I just want to verify the capture settings are correct.

If you see any hits, run a capture on the src server and verif the packets going out are towards the ACE mac address.

Regards,

Siva

New Member

Cisco ACE 4710 Connectivity issue

Siva,

From a server on vlan 102 on context Issue to a server from vlan 18 on context test, I can see the packets and that communication is OK.

Even testing the servers on the same context Test on different vlans I cannot see any packet hitting the interfaces.

Connection between servers on differents context are ok and hitting the interfaces, but from different vlans on the same context it's not ok.

Cisco Employee

Cisco ACE 4710 Connectivity issue

Hi,

If  the packets are not hitting interfaces then we need to find out where the packets are being sent from the server. Can you run a capture on server and see if the packet is destined to the ACE test interface?

Regards,

Siva

New Member

Cisco ACE 4710 Connectivity issue

Hi,

I have a ping issue too. I am not able to ping the interface IP in a context. After reload the ACE the ping is running for a week. When updating version A5(2.1) the issue was fixed.

I suppose a bug in Version A5(1.2)

Regards

amb

Cisco Employee

Cisco ACE 4710 Connectivity issue

Hi Mueller,

I am suspecting something like this :

By default, the bank of MAC addresses that the ACE uses is randomly selected at

boot time. However, if you configure two ACEs in the same Layer 2 network and

they are using shared VLANs, the ACEs may select the same address bank, which

results in the use of the same MAC addresses.

Specifically in those scenerio I have seen that client is able to reach one of the ACE but not other.

If the above scenerio appear the easier way to verify is to use the below command and check the host ID. 

EHOWAL01/VPN# show np 1 interface iflookup

First burnt-in MAC: 00:1e:be:af:ba:99

Last  burnt-in MAC: 00:1e:be:af:ba:9f

No of burnt-in MACs: 7

Hostid: 1

In case if the host ID is same then you know you are hitting the same issue. It is ideal to make sure that different ACE device use different Host ID.

Please refer the following link for more details.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/rtg_brdg/guide/AceRteGd.pdf

regards,

Ajay Kumar

1180
Views
0
Helpful
11
Replies
CreatePlease to create content