Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1603
Views
0
Helpful
9
Replies

Issues With ACE 4710 Config

Wes Neary
Level 1
Level 1

‎09-18-2013 06:39 AM

Hi all, We are currently in the process of setting up a routed Mode context on an ACE4710 Appliance and have come across some problems which im hoping that someone here maybe able to highlight where we are going wrong.

At the moment the setup is very simple we have a client Side VLAN-VLAN 2 10.1.2.0/24 and a backend VLAN-VLAN3 10.1.3.0/24 At present we have only created on rserver (Server1-10.1.3.11) when we encountered the problems below and so have stopped to try and diagnose the issue.

Please see attached a text file of the context Config.(Some details have been removed while others have been changed.)

The symptons we are experiencing are

1. If the servers default Gateway is set as 10.1.3.1 the server cant communicate with anything including the ACE, If the Servers DG is set to .

2 the server can communicate with the ACE and the ACE Probes are succsesful, however it cant communicate with anything on the Front end of the ACE. 2. The Ace can communicate with the server as long as the servers DG is sert as .2 in the 10.1.3. subnet.

3. The next L3 Device in the network can communicate with the front end vlan.  It can also communicate with the VIP address'  however it has no communication with anything in the Backend VLAN. Thanks in Advance for your help.

Labels:
15367681-ACE Config.txt.zip
0 Helpful
9 Replies 9

ajayku2
Cisco Employee
Cisco Employee

‎09-19-2013 12:27 AM

Hi,

Ideally you should allow the traffic from inside to outside. Also try to use server NAT as used in below thread.

https://supportforums.cisco.com/thread/132052

In case if you dont want to use ACE as default gateway then you can also use source NAT. That will help you to pass the traffic without issue.

Hope that helps.

regards,

Ajay Kumar

0 Helpful

Wes Neary
Level 1
Level 1
In response to ajayku2

‎09-24-2013 04:59 AM

Ajay,

forgive my ignorance, but i thought that traffice was allowed by applying the access policy to the server side SVI.  Also i thought the servers had to have there DG as the ACE Server Side VLAN IP.

Regards

Wes

0 Helpful

stephen.stack
Level 4
Level 4

‎09-25-2013 02:44 AM

When you set the servers default Gateway is set as 10.1.3.1, can you run a continous ping to a host in the 10.1.2.x subnet. Run a 'show access-list INBOUND' and make sure the counter is incrementing. Then also do a 'sh conn' and ensure you see connections for this pair in the connection table. Also, enabel logging and ensure no errors in the logs.

logging enable

logging timestamp

logging buffered 6

Also, I assume you have routing configured correctly in the 10.1.2.x subnet to route back to 10.1.3.x via 10.21.2.4?

==========================
http://www.rConfig.com 

A free, open source network device configuration management tool, customizable to your needs!

- Always vote on an answer if you found it helpful

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful
0 Helpful

Wes Neary
Level 1
Level 1
In response to stephen.stack

‎09-25-2013 05:11 AM

Hi Stepen when a ping is launched from the server, there is no increment in the ACL on the LB.  Also no conn is established.

Thanks for the Help.

0 Helpful

stephen.stack
Level 4
Level 4
In response to Wes Neary

‎09-25-2013 05:49 AM

Well, back to basics i guess. Is there an ARP entry on the ACE for Server1-10.1.3.11? What is it?

Can the ACE ping the server?

==========================
http://www.rconfig.com 

A free, open source network device configuration management tool, customizable to your needs!

- Always vote on an answer if you found it helpful

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful
0 Helpful

Wes Neary
Level 1
Level 1
In response to stephen.stack

‎09-25-2013 07:52 AM

Hi,

Yes the ACE can ping the server the arp entry has the correct address to the correct MAC in the right vlan. the type is rserver the encap is 83 and the status is up.

Hope this helps.

0 Helpful

Wes Neary
Level 1
Level 1
In response to Wes Neary

‎10-01-2013 05:15 AM

Any Ideas anyone.

0 Helpful

pablo.nxh
Level 3
Level 3
In response to Wes Neary

‎10-03-2013 02:44 PM

Hi Wes,

Do you have a sketch of your current setup? I feel there's a switching connectivity issue behind this; more than an ACE issue, that ping test you're doing will only be generating routed traffic through the ACE which will only need your interfaces up and ACLs in place (no LB required). Also is there a special reason for using the ACE cluster as your server gateway?

__ __

Pablo

0 Helpful

Jorge Bejarano
Level 4
Level 4
In response to Wes Neary

‎10-07-2013 09:15 PM

Wes,

Please upload the configuration and specify the current default gateway.

Can´t you make the ACE as the default gateway?

What willl be the VIP in question?

Jorge

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents