Cisco ACE VIP not responding to Pings

axiasupport
Level 1

I've searched... I cannot figure out why my VIPs do not ping. I have two VLANs that both reply to a ping on the interface IPs. And I'm new at this, thanks in advance.

GKEL2-ACE1/35568059-Axia# show run
Generating configuration....


no ft auto-sync startup-config

logging enable
logging timestamp
logging trap 5
logging host 10.85.242.100 udp/514


login timeout 60


crypto chaingroup walnut-wcrt100
  cert .dom.cer
  cert wcrt100.pem
crypto chaingroup .dom-wcrt100
  cert .dom.cer
  cert wcrt100.pem


crypto csr-params .dom
  country CA
  state AB
  organization-unit IT
  common-name .dom
  serial-number 1000
  email support
crypto csr-params .dom
  country CA
  state AB
  organization-unit IT
  common-name .dom
  serial-number 1001
  email support

access-list ANYONE line 10 extended permit ip any any
access-list ANYONE line 20 extended permit icmp any any
access-list All line 1 extended permit ip any any

probe http HTTP1025
  port 1025
  interval 2
  faildetect 2
  passdetect interval 2
  request method get url /Login.css
  open 1
probe icmp PING
  interval 2
  faildetect 2
  passdetect interval 60
probe tcp PROBE-TCP
  interval 2
  faildetect 2
  passdetect interval 10
  passdetect count 2
  open 1

rserver redirect REDIRECT-HTTPS
  webhost-redirection https://%h%p 302
  inservice
rserver host WL1
  ip address 10.205.70.100
  inservice
rserver host WL2
  ip address 10.205.70.101
  inservice
rserver host WLDev1
  ip address 10.205.71.202
  inservice
rserver host WLDev2
  ip address 10.205.71.203
  inservice
rserver host WLTest1
  ip address 10.205.71.150
  inservice
rserver host WLTest2
  ip address 10.205.71.151
  inservice

serverfarm redirect REDIRECT-SERVERFARM
  rserver REDIRECT-HTTPS
    inservice
serverfarm host WEBLOGIC-7433
  predictor leastconns
  probe PING
  rserver WL1 7433
    inservice
  rserver WL2 7433
    inservice
serverfarm host WEBLOGIC-PROD
  predictor leastconns
  probe PING
  rserver WL1 1025
    inservice
  rserver WL2 1026
    inservice
serverfarm host WEBLOGIC-TEST-SSH
  predictor leastconns
  rserver WLTest1 22
    inservice
  rserver WLTest2 22
    inservice

sticky http-cookie acecookie STICKY-INSERT-COOKIE
  cookie insert
  serverfarm WEBLOGIC-PROD

action-list type modify http REWRITE
  header insert response Via header-value "1.1 web:%ps (ace10-8/a2)value"
  header insert request Via header-value "1.1 web:%ps (ace10-8/a2)value"
  header insert request X-Forwarded-Proto header-value "%pd"
  ssl url rewrite location "*.*"
  ssl header-insert session Id

ssl-proxy service ssl-client
ssl-proxy service ssl-proxy
  key netcracker.cal.dom.key
  cert netcracker.cal.dom.cer
  chaingroup netcracker.cal.dom-wcrt100

class-map match-any L4VIPCLASS
  2 match virtual-address 10.205.70.80 any
class-map type http loadbalance match-any L7-URL
  2 match http url /*.*
class-map type http loadbalance match-all L7SLBCLASS
  2 match http url /*
class-map type management match-any REMOTE-MANAGEMENT
  2 match protocol telnet any
  3 match protocol icmp any
  4 match protocol ssh any
  5 match protocol snmp any
  6 match protocol http any
  7 match protocol https any
class-map match-any SSH_Test
  2 match virtual-address 10.205.71.80 tcp eq 22
class-map match-any weblogic-7433
  2 match virtual-address 10.205.70.80 tcp eq 7433
class-map match-any weblogic-http
  2 match virtual-address 10.205.70.80 tcp eq www
class-map match-any weblogic-https
  2 match virtual-address 10.205.70.80 tcp eq https

policy-map type management first-match REMOTE-MANAGEMENT
  class REMOTE-MANAGEMENT
    permit

policy-map type loadbalance first-match L7SLBPOLICY
  class L7SLBCLASS
    ssl-proxy client ssl-client
policy-map type loadbalance first-match SSH_Test_Policy
  class class-default
    serverfarm WEBLOGIC-TEST-SSH
policy-map type loadbalance first-match weblogic-7433-policy
  class class-default
    serverfarm WEBLOGIC-7433
    ssl-proxy client ssl-client
policy-map type loadbalance first-match weblogic-http-policy
  class class-default
    serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-https-policy
  class L7-URL
    sticky-serverfarm STICKY-INSERT-COOKIE
  class class-default
    serverfarm WEBLOGIC-PROD
    action REWRITE
    ssl-proxy client ssl-proxy

policy-map multi-match L4LSBPOLICY
  class L4VIPCLASS
    loadbalance policy L7SLBPOLICY
policy-map multi-match LB-VIP
  class weblogic-http
    loadbalance vip inservice
    loadbalance policy weblogic-http-policy
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 3440
  class weblogic-https
    loadbalance vip inservice
    loadbalance policy weblogic-https-policy
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 3440
    ssl-proxy server ssl-proxy
  class weblogic-7433
    loadbalance vip inservice
    loadbalance policy weblogic-7433-policy
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 3440
    ssl-proxy server ssl-proxy
policy-map multi-match LB-VIP-Test
  class SSH_Test
    loadbalance vip inservice
    loadbalance policy SSH_Test_Policy
    loadbalance vip icmp-reply

interface vlan 3440
  description Internal Production
  ip address 10.205.70.250 255.255.255.0
  access-group input All
  access-group output All
  nat-pool 1 10.205.70.249 10.205.70.249 netmask 255.255.255.0 pat
  service-policy input REMOTE-MANAGEMENT
  service-policy input LB-VIP
  service-policy input L4LSBPOLICY
  no shutdown
interface vlan 3516
  description Internal Test/Dev
  ip address 10.205.71.250 255.255.255.0
  access-group input All
  access-group output All
  nat-pool 2 10.205.71.249 10.205.71.249 netmask 255.255.255.0 pat
  service-policy input REMOTE-MANAGEMENT
  service-policy input LB-VIP-Test
  no shutdown
interface vlan 3520
  description LB
  ip address 10.205.72.1 255.255.255.0
  access-group input All
  access-group output All
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.205.70.253
username admin password 5 $1$r2r0NmEH$z8S0RxYdhwOE4RGXQ41  role Admin domain default-domain
username cust_admin password 5 $1$/tOIIfUK$yigE519cqLq1IFgX.  role Admin domain default-domain

8 Replies

Kanwaljeet Singh
Cisco Employee

Hi Axia,

Is it only ping which is not working, or does everything directed at the VIPs not work? If it is ping, did you check if it is allowed on the FW etc.?

Can you do "show service-policy summary"? Can you see if VIP is in-service or out of service?

Are you able to ping it from the same subnet or switch? You have configured loadbalance vip icmp reply so it should reply to ICMP requests even if the serverfarm is down.

Regards,

Kanwal

I have added two more VIPs since yesterday and they respond to pings properly. The VIPs all work fine, just no pings to 10.205.70.80. Thanks

GKEL2-ACE1/35568059-Axia# show service-policy summary

service-policy: L4LSBPOLICY

Class                            VIP             Prot  Port        VLAN          State    Curr Conns   Hit Count  Conns Drop

L4VIPCLASS                       10.205.70.80    any   any         1,3440,3516

                                 10.205.71.80    any   any         1,3440,3516

                                 10.205.71.90    any   any         1,3440,3516

                                                                                 OUT-SRVC          0        1080         45

service-policy: LB-VIP

Class                            VIP             Prot  Port        VLAN          State    Curr Conns   Hit Count  Conns Drop

weblogic-http                    10.205.70.80    tcp   eq 80       1,3440        IN-SRVC           0       50739         53

weblogic-https                   10.205.70.80    tcp   eq 443      1,3440        IN-SRVC           0        7384        112

weblogic-7433                    10.205.70.80    tcp   eq 7433     1,3440        IN-SRVC           0      145306         30

service-policy: LB-VIP-Dev

Class                            VIP             Prot  Port        VLAN          State    Curr Conns   Hit Count  Conns Drop

weblogic-http-dev                10.205.71.90    tcp   eq 80       1,3516        IN-SRVC           0           0          0

weblogic-https-dev               10.205.71.90    tcp   eq 443      1,3516        IN-SRVC           0           0          0

weblogic-7433-dev                10.205.71.90    tcp   eq 7433     1,3516        IN-SRVC           0           0          0

service-policy: LB-VIP-Test

Class                            VIP             Prot  Port        VLAN          State    Curr Conns   Hit Count  Conns Drop

SSH_Test                         10.205.71.80    tcp   eq 22       1,3516        IN-SRVC           0          28         24

weblogic-http-test               10.205.71.80    tcp   eq 80       1,3516        IN-SRVC           0          96         40

weblogic-https-test              10.205.71.80    tcp   eq 443      1,3516        IN-SRVC           0         135         61

weblogic-7433-test               10.205.71.80    tcp   eq 7433     1,3516        IN-SRVC           0          27         11

Hi Axia,

Ok. Here's the configuration:

policy-map multi-match L4LSBPOLICY
  class L4VIPCLASS
    loadbalance policy L7SLBPOLICY

You are missing "loadbalance vip inservice" and "loadbalance vip icmp reply". Please apply these commands and that should resolve the issue. You can see in the above output that it is OUT-SRVC.

Regards,

Kanwal

policy-map multi-match L4LSBPOLICY

  class L4VIPCLASS

    loadbalance vip inservice

    loadbalance policy L7SLBPOLICY

    loadbalance vip icmp-reply

This policy-map isn't really in use. I added the lines you mentioned, but no effect.

Hi Axia,

Could you check if it is OUT-SRVC or IN-SRVC now?

show service-policy L4LSBPOLICY summary.

Can you try a different IP for VIP?

Regards,

Kanwal

I have removed that service policy completely.  It was from some knowledgebase article when I was trying to get http redirection working. 

There is no more L4LSBPOLICY nor L4VIPCLASS, Thanks a lot for looking at this...

GKEL2-ACE1/35568059-Axia# show service-policy summary

service-policy: LB-VIP

Class                            VIP             Prot  Port        VLAN          State    Curr Conns   Hit Count  Conns Drop

weblogic-http                    10.205.70.80    tcp   eq 80       1,3440        IN-SRVC           0       50773         53

weblogic-https                   10.205.70.80    tcp   eq 443      1,3440        IN-SRVC           0        7406        112

weblogic-7433                    10.205.70.80    tcp   eq 7433     1,3440        IN-SRVC           0      145321         30

service-policy: LB-VIP-Dev

Class                            VIP             Prot  Port        VLAN          State    Curr Conns   Hit Count  Conns Drop

weblogic-http-dev                10.205.71.90    tcp   eq 80       1,3516        IN-SRVC           0           0          0

weblogic-https-dev               10.205.71.90    tcp   eq 443      1,3516        IN-SRVC           0           0          0

weblogic-7433-dev                10.205.71.90    tcp   eq 7433     1,3516        IN-SRVC           0           0          0

service-policy: LB-VIP-Test

Class                            VIP             Prot  Port        VLAN          State    Curr Conns   Hit Count  Conns Drop

SSH_Test                         10.205.71.80    tcp   eq 22       1,3516        IN-SRVC           0          29         24

weblogic-http-test               10.205.71.80    tcp   eq 80       1,3516        IN-SRVC           0         117         40

weblogic-https-test              10.205.71.80    tcp   eq 443      1,3516        IN-SRVC           0         161         61

weblogic-7433-test               10.205.71.80    tcp   eq 7433     1,3516        IN-SRVC           0          27         11

class-map type http loadbalance match-any L7-URL

  2 match http url /*.*

class-map type http loadbalance match-all L7SLBCLASS

  2 match http url /*

class-map type management match-any REMOTE-MANAGEMENT

  2 match protocol telnet any

  3 match protocol icmp any

  4 match protocol ssh any

  5 match protocol snmp any

  6 match protocol http any

  7 match protocol https any

class-map match-any SSH_Test

  2 match virtual-address 10.205.71.80 tcp eq 22

class-map match-any weblogic-7433

  2 match virtual-address 10.205.70.80 tcp eq 7433

class-map match-any weblogic-7433-dev

  2 match virtual-address 10.205.71.90 tcp eq 7433

class-map match-any weblogic-7433-test

  2 match virtual-address 10.205.71.80 tcp eq 7433

class-map match-any weblogic-http

  2 match virtual-address 10.205.70.80 tcp eq www

class-map match-any weblogic-http-dev

  2 match virtual-address 10.205.71.90 tcp eq www

class-map match-any weblogic-http-test

  2 match virtual-address 10.205.71.80 tcp eq www

class-map match-any weblogic-https

  2 match virtual-address 10.205.70.80 tcp eq https

class-map match-any weblogic-https-dev

  2 match virtual-address 10.205.71.90 tcp eq https

class-map match-any weblogic-https-test

  2 match virtual-address 10.205.71.80 tcp eq https

policy-map type management first-match REMOTE-MANAGEMENT

  class REMOTE-MANAGEMENT

    permit

policy-map type loadbalance first-match L7SLBPOLICY

  class L7SLBCLASS

    ssl-proxy client ssl-client

policy-map type loadbalance first-match SSH_Test_Policy

  class class-default

    serverfarm WEBLOGIC-TEST-SSH

policy-map type loadbalance first-match weblogic-7433-dev-policy

  class class-default

    serverfarm WEBLOGIC-7433-Dev

policy-map type loadbalance first-match weblogic-7433-policy

  class class-default

    serverfarm WEBLOGIC-7433

    ssl-proxy client ssl-client

policy-map type loadbalance first-match weblogic-7433-test-policy

  class class-default

    serverfarm WEBLOGIC-7433-Test

    ssl-proxy client ssl-client

policy-map type loadbalance first-match weblogic-http-dev-policy

  class class-default

    serverfarm REDIRECT-SERVERFARM

policy-map type loadbalance first-match weblogic-http-policy

  class class-default

    serverfarm REDIRECT-SERVERFARM

policy-map type loadbalance first-match weblogic-http-test-policy

  class class-default

    serverfarm REDIRECT-SERVERFARM

policy-map type loadbalance first-match weblogic-https-dev-policy

  class L7-URL

    sticky-serverfarm STICKY-INSERT-COOKIE-DEV

  class class-default

    serverfarm WEBLOGIC-DEV

    action REWRITE

policy-map type loadbalance first-match weblogic-https-policy

  class L7-URL

    sticky-serverfarm STICKY-INSERT-COOKIE

  class class-default

    serverfarm WEBLOGIC-PROD

    action REWRITE

    ssl-proxy client ssl-proxy

policy-map type loadbalance first-match weblogic-https-test-policy

  class L7-URL

    sticky-serverfarm STICKY-INSERT-COOKIE-TEST

  class class-default

    serverfarm WEBLOGIC-TEST

    action REWRITE

    ssl-proxy client ssl-proxy-nctest

policy-map multi-match LB-VIP

  class weblogic-http

    loadbalance vip inservice

    loadbalance policy weblogic-http-policy

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 3440

  class weblogic-https

    loadbalance vip inservice

    loadbalance policy weblogic-https-policy

    loadbalance vip icmp-reply

    nat dynamic 1 vlan 3440

    ssl-proxy server ssl-proxy

  class weblogic-7433

    loadbalance vip inservice

    loadbalance policy weblogic-7433-policy

    loadbalance vip icmp-reply

    nat dynamic 1 vlan 3440

    ssl-proxy server ssl-proxy

policy-map multi-match LB-VIP-Dev

  class weblogic-http-dev

    loadbalance vip inservice

    loadbalance policy weblogic-http-dev-policy

    loadbalance vip icmp-reply

    nat dynamic 1 vlan 3516

  class weblogic-https-dev

    loadbalance vip inservice

    loadbalance policy weblogic-https-dev-policy

    loadbalance vip icmp-reply

    nat dynamic 1 vlan 3516

  class weblogic-7433-dev

    loadbalance vip inservice

    loadbalance policy weblogic-7433-dev-policy

    loadbalance vip icmp-reply

    nat dynamic 1 vlan 3516

policy-map multi-match LB-VIP-Test

  class SSH_Test

    loadbalance vip inservice

    loadbalance policy SSH_Test_Policy

    loadbalance vip icmp-reply

    nat dynamic 1 vlan 3516

  class weblogic-http-test

    loadbalance vip inservice

    loadbalance policy weblogic-http-test-policy

    loadbalance vip icmp-reply

    nat dynamic 1 vlan 3516

  class weblogic-https-test

    loadbalance vip inservice

    loadbalance policy weblogic-https-test-policy

    loadbalance vip icmp-reply

    nat dynamic 1 vlan 3516

    ssl-proxy server ssl-proxy-nctest

  class weblogic-7433-test

    loadbalance vip inservice

    loadbalance policy weblogic-7433-test-policy

    loadbalance vip icmp-reply

    nat dynamic 1 vlan 3516

    ssl-proxy server ssl-proxy-nctest

interface vlan 3440

  description Internal Production

  ip address 10.205.70.250 255.255.255.0

  mac-sticky enable

  access-group input All

  access-group output All

  nat-pool 1 10.205.70.249 10.205.70.249 netmask 255.255.255.0 pat

  service-policy input REMOTE-MANAGEMENT

  service-policy input LB-VIP

  no shutdown

interface vlan 3516

  description Internal Test/Dev

  ip address 10.205.71.250 255.255.255.0

  mac-sticky enable

  access-group input All

  access-group output All

  nat-pool 1 10.205.71.240 10.205.71.249 netmask 255.255.255.0 pat

  service-policy input REMOTE-MANAGEMENT

  service-policy input LB-VIP-Test

  service-policy input LB-VIP-Dev

  no shutdown

interface vlan 3520

  description LB

  ip address 10.205.72.1 255.255.255.0

  access-group input All

  access-group output All

  no shutdown

ip route 0.0.0.0 0.0.0.0 10.205.70.253

I added an IP to this one policy and it pings properly, but still not .80.

class-map match-any weblogic-7433

  2 match virtual-address 10.205.70.80 tcp eq 7433

  3 match virtual-address 10.205.70.81 tcp eq 7433

Hi Axia,

Let us concentrate on one.

class-map match-any weblogic-http
  2 match virtual-address 10.205.70.80 tcp eq www

policy-map type loadbalance first-match weblogic-http-policy
  class class-default
    serverfarm REDIRECT-SERVERFARM

policy-map multi-match LB-VIP
  class weblogic-http
    loadbalance vip inservice
    loadbalance policy weblogic-http-policy
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 3440

interface vlan 3440
  description Internal Production
  ip address 10.205.70.250 255.255.255.0
  mac-sticky enable
  access-group input All
  access-group output All
  nat-pool 1 10.205.70.249 10.205.70.249 netmask 255.255.255.0 pat
  service-policy input REMOTE-MANAGEMENT
  service-policy input LB-VIP
  no shutdown

Can you tell me what is the status of serverfarm here? You have loadbalance vip icmp-reply active which means that rserver in serverfarm should be active for VIP to reply to ping. If you just configure loadbalance vip icmp-reply, it will ignore serverfarm status and reply to ping. Can you check on that?

Regards,

Kanwal
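The checks made by hand in this thread (is `loadbalance vip inservice` present, and is `icmp-reply` plain or `active` for every class that shares a VIP address) can be run over a saved `show run`. The following is an added example, not code from the thread or from Cisco; the function name `audit_vip_icmp` and the trimmed sample are constructed here, and it assumes the indentation of the `show run` output is preserved.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the configuration posted in the thread.
SAMPLE_CONFIG = """\
class-map match-any L4VIPCLASS
  2 match virtual-address 10.205.70.80 any
class-map match-any weblogic-http
  2 match virtual-address 10.205.70.80 tcp eq www
class-map match-any weblogic-https
  2 match virtual-address 10.205.70.80 tcp eq https
policy-map multi-match L4LSBPOLICY
  class L4VIPCLASS
    loadbalance policy L7SLBPOLICY
policy-map multi-match LB-VIP
  class weblogic-http
    loadbalance vip inservice
    loadbalance policy weblogic-http-policy
    loadbalance vip icmp-reply active
  class weblogic-https
    loadbalance vip inservice
    loadbalance policy weblogic-https-policy
    loadbalance vip icmp-reply
"""

def audit_vip_icmp(config):
    """Return {vip: [(policy, class, inservice, icmp_mode), ...]}; icmp_mode is
    'always' (plain icmp-reply), 'active' (depends on serverfarm state) or 'none'."""
    class_vips = defaultdict(list)   # L3/L4 class-map name -> VIP addresses
    entries = []                     # [policy, class, inservice, icmp_mode]
    cmap = policy = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:                 # tolerate double-spaced pastes
            continue
        if not raw[0].isspace():     # assumption: unindented line opens a new block
            cmap = policy = None
            m = re.match(r"class-map (?:match-any|match-all) (\S+)$", line)
            if m:
                cmap = m.group(1)
            m = re.match(r"policy-map multi-match (\S+)$", line)
            if m:
                policy = m.group(1)
            continue
        m = re.match(r"\d+ match virtual-address (\S+)", line)
        if cmap and m:
            class_vips[cmap].append(m.group(1))
        elif policy and line.startswith("class "):
            entries.append([policy, line.split()[1], False, "none"])
        elif policy and entries and line == "loadbalance vip inservice":
            entries[-1][2] = True
        elif policy and entries and line.startswith("loadbalance vip icmp-reply"):
            entries[-1][3] = "active" if line.endswith(" active") else "always"
    report = defaultdict(list)
    for pol, cls, inservice, mode in entries:
        for vip in class_vips.get(cls, []):
            report[vip].append((pol, cls, inservice, mode))
    return dict(report)
```

For the sample, 10.205.70.80 comes back with three entries in three different states, which is the situation the thread is working through.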
