10-14-2010 12:52 AM
Hello All,
I have been given the task of trying to get a Cisco ACE 4710 to work. Below is the current config.
Also I have added a couple of screenshots of extras.
Could anybody out there help?
SLB-P1/Admin# sh run
Generating configuration....
boot system image:c4710ace-mz.A3_2_0.bin
hostname SLB-P1
interface gigabitEthernet 1/1
description Client
switchport access vlan 210
no shutdown
interface gigabitEthernet 1/2
description No connection "Not Configured"
no shutdown
interface gigabitEthernet 1/3
description Server VLAN
switchport access vlan 220
no shutdown
interface gigabitEthernet 1/4
description Management access for gui console
switchport access vlan 200
no shutdown
access-list ALL line 8 extended permit ip any any
probe https Server1
ip address 10.11.22.10 routed
interval 15
passdetect interval 60
ssl version all
open 10
parameter-map type connection was-test
rserver host server3-P1
ip address 10.11.22.10
conn-limit max 4000000 min 4000000
inservice
rserver host server3
ip address 10.11.22.11
conn-limit max 4000000 min 4000000
inservice
serverfarm host WebApplicationServers
description Server Farm for server1 and server3
probe server1
rserver server1
conn-limit max 4000000 min 4000000
inservice
rserver server3
conn-limit max 4000000 min 4000000
probe server1
inservice
class-map match-all VIPA
2 match virtual-address 10.11.21.10 tcp eq www
class-map match-all VIPAA
2 match virtual-address 10.11.21.10 tcp eq https
class-map match-all VIPB
2 match virtual-address 10.11.21.11 tcp eq www
class-map match-all VIPBB
2 match virtual-address 10.11.21.11 tcp eq https
class-map type management match-any remote_access
201 match protocol xml-https any
202 match protocol icmp any
203 match protocol telnet any
204 match protocol ssh any
205 match protocol http any
206 match protocol https any
207 match protocol snmp any
class-map match-any was_access1
221 match any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match VIPA-l7slb
class class-default
serverfarm WebApplicationServers
policy-map type loadbalance first-match VIPAA-l7slb
class class-default
serverfarm WebApplicationServers
policy-map type loadbalance first-match VIPB-l7slb
class class-default
serverfarm WebApplicationServers
policy-map type loadbalance first-match VIPBB-l7slb
class class-default
serverfarm WebApplicationServers
policy-map multi-match AllowWASaccess
class was_access1
connection advanced-options was-test
policy-map multi-match int210
class VIPA
loadbalance vip inservice
loadbalance policy VIPA-l7slb
loadbalance vip icmp-reply active
class VIPB
loadbalance vip inservice
loadbalance policy VIPB-l7slb
loadbalance vip icmp-reply active
class VIPAA
loadbalance vip inservice
loadbalance policy VIPAA-l7slb
loadbalance vip icmp-reply active
class VIPBB
loadbalance vip inservice
loadbalance policy VIPBB-l7slb
loadbalance vip icmp-reply active
interface vlan 200
description "MGMT VLAN"
ip address 10.11.20.2 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 210
description "Client Front VLAN 210"
ip address 10.11.21.2 255.255.255.0
no icmp-guard
access-group input ALL
service-policy input int210
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 220
description "Server VLAN 220"
ip address 10.11.22.2 255.255.255.0
no icmp-guard
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 10.11.21.1
ip route 10.12.0.0 255.255.0.0 10.11.21.1
snmp-server contact "ANM"
snmp-server location "ANM"
snmp-server community ro group Network-Monitor
snmp-server community public group Network-Monitor
snmp-server trap-source vlan 200
username admin password 5 $1$rwILxGER$DivbGN5nc5orFToqoCLNk0 role Admin domain default-domain
username www password 5 $1$UQ5GIBhQ$/AomBaMRgyFzieuHCvEQK/ role Admin domain default-domain
10-14-2010 01:12 AM
10-14-2010 01:47 AM
Hello,
Could you pls try removing "loadbalance vip icmp-reply active" in those classes in the multimatch policy,
then configure "loadbalance vip icmp-reply" instead.
Or make the VIP state INSERVICE and try to ping it.
Regards,
Kimihito.
10-14-2010 02:02 AM
Your problem is that the vip is out of service.
Could you send us a 'show serverfarm' and a 'show probe details'?
BTW, the probe does not look correct.
probe https Server1
ip address 10.11.22.10 routed <===== not good.
interval 15
passdetect interval 60
ssl version all
open 10
So try to remove the probe from the serverfarm.
Thanks,
Gilles.
10-14-2010 02:10 AM
Thanks again for all your help.
SLB-P1/Admin# show probe
probe : server1
type : HTTPS
state : ACTIVE
----------------------------------------------
port : 443 address : 10.11.22.10 addr type : ROUTED
interval : 15 pass intvl : 60 pass count : 3
fail count: 3 recv timeout: 10
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
real : server3[0]
serverfarm: WebApplicationServers
10.11.22.10 80 VIP 96 96 0 FAILED
10.11.22.10 443 VIP 96 96 0 FAILED
serverfarm : WebApplicationServers
real : server1[0]
10.11.22.10 80 VIP 96 96 0 FAILED
10.11.22.10 443 VIP 96 96 0 FAILED
real : server3[0]
10.11.22.10 80 VIP 96 96 0 FAILED
10.11.22.10 443 VIP 96 96 0 FAILED
SLB-P1/Admin# show se
security serverfarm service-policy
SLB-P1/Admin# show serverfarm
serverfarm type rservers predictor current conns
+--------------------+---------+--------+------------------+---------------
WebApplicationServers
HOST 2 ROUNDROBIN 0
10-14-2010 02:27 AM
How are the Cisco ACE devices set up?
Do they have direct connections from any of the 4 ethernet ports to a real server, or do they connect to a switch and the VLANs work that way?
We are using a 2960G switch which won't allow router on layer 3 if you type "no switchport", which would put a port into layer three mode.
All of the diagrams show that the Ace 4700's are connected to routers.
10-14-2010 02:37 AM
You can either connect the server directly or go through a switch as described in your diagram.
Like any routing/switching device, check your L2 and L3 connectivity before trying extra features.
show interface
show arp
ping
ping
...
Your probe config is wrong because it says to send all probes to ip address x.x.x.x in a routed mode.
This is not what you need.
So, start by removing the probe and see if that works.
Then you can focus on the probe.
Always start from easy setup and build from it.
Especially if you're new to the device.
Gilles.
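An added example (not part of the reply above and not Cisco tooling): a small audit that flags a probe pinned to one address with `ip address ... routed` when it is attached to a serverfarm with several rservers, which is the condition the reply calls wrong. The sample config is constructed in the flat style of the posted `sh run`; the farm `Single` and probe `ping-check` are hypothetical.

```python
# Constructed sample in the flat style of the posted 'sh run'; object names
# are made consistent here, and 'Single' / 'ping-check' are hypothetical.
SAMPLE_CONFIG = """\
probe https server1
ip address 10.11.22.10 routed
interval 15
probe icmp ping-check
interval 10
rserver host server1
ip address 10.11.22.10
inservice
rserver host server3
ip address 10.11.22.11
inservice
serverfarm host WebApplicationServers
probe server1
rserver server1
inservice
rserver server3
inservice
serverfarm host Single
probe ping-check
rserver server1
inservice
"""

def parse(config):
    """Return (probes, farms): probe -> pinned IP or None; farm -> attachments."""
    probes, farms, ctx = {}, {}, (None, None)
    for tok in (l.split() for l in config.splitlines() if l.split()):
        if tok[0] == "probe" and len(tok) == 3:        # probe <type> <name>
            ctx = ("probe", tok[2])
            probes[tok[2]] = None
        elif tok[:2] == ["rserver", "host"]:           # rserver definition
            ctx = ("rserver", tok[2])
        elif tok[:2] == ["serverfarm", "host"]:        # serverfarm definition
            ctx = ("farm", tok[2])
            farms[tok[2]] = {"probe": [], "rserver": []}
        elif ctx[0] == "probe" and tok[:2] == ["ip", "address"]:
            probes[ctx[1]] = tok[2]                    # probe pinned to one address
        elif ctx[0] == "farm" and tok[0] in ("probe", "rserver"):
            farms[ctx[1]][tok[0]].append(tok[1])       # attachment inside the farm
    return probes, farms

def pinned_probe_findings(config):
    """Farms where several rservers are judged by a probe aimed at one fixed IP."""
    probes, farms = parse(config)
    return [(farm, p, probes[p], f["rserver"])
            for farm, f in farms.items() for p in f["probe"]
            if probes.get(p) and len(f["rserver"]) > 1]
```
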
10-14-2010 03:18 AM
Thanks again for all your help.
I can now ping the VIP but not the real server; however, this may be due to a firewall rule.
Context Admin
================================================================================
IP ADDRESS MAC-ADDRESS Interface Type Encap NextArp(s) Status
================================================================================
10.11.20.2 00.23.8b.03.99.2e vlan200 INTERFACE LOCAL _ up
10.11.20.10 00.0d.56.7d.84.e5 vlan200 LEARNED 4 12587 sec up
10.11.21.1 00.00.00.00.00.00 vlan210 GATEWAY - dn
10.11.21.2 00.23.8b.03.99.2e vlan210 INTERFACE LOCAL _ up
10.11.21.10 00.23.8b.03.99.2e vlan210 VSERVER LOCAL _ up
10.11.21.11 00.23.8b.03.99.2e vlan210 VSERVER LOCAL _ up
10.11.22.2 00.23.8b.03.99.2e vlan220 INTERFACE LOCAL _ up
10.11.22.10 00.00.00.00.00.00 vlan220 RSERVER - * 2 req dn
10.11.22.11 00.00.00.00.00.00 vlan220 RSERVER - * 2 req dn
================================================================================
Total arp entries 9
SLB-P1/Admin# ping 10.11.22.10
Pinging 10.11.22.10 with timeout = 2, count = 5, size = 100 ....
No response received from 10.11.22.10 within last 2 sec
No response received from 10.11.22.10 within last 2 sec
No response received from 10.11.22.10 within last 2 sec
No response received from 10.11.22.10 within last 2 sec
No response received from 10.11.22.10 within last 2 sec
5 packet sent, 0 responses received, 100% packet loss
SLB-P1/Admin# ping 10.11.21.10
Pinging 10.11.21.10 with timeout = 2, count = 5, size = 100 ....
No response received from 10.11.21.10 within last 2 sec
No response received from 10.11.21.10 within last 2 sec
No response received from 10.11.21.10 within last 2 sec
No response received from 10.11.21.10 within last 2 sec
No response received from 10.11.21.10 within last 2 sec
5 packet sent, 0 responses received, 100% packet loss
SLB-P1/Admin# ping 10.11.22.1
Pinging 10.11.22.1 with timeout = 2, count = 5, size = 100 ....
No response received from 10.11.22.1 within last 2 sec
No response received from 10.11.22.1 within last 2 sec
No response received from 10.11.22.1 within last 2 sec
No response received from 10.11.22.1 within last 2 sec
No response received from 10.11.22.1 within last 2 sec
5 packet sent, 0 responses received, 100% packet loss
SLB-P1/Admin# ping 10.11.22.2
Response from 10.11.22.2 : seq 1 time 0.000 ms
Response from 10.11.22.2 : seq 2 time 0.000 ms
Response from 10.11.22.2 : seq 3 time 0.000 ms
Response from 10.11.22.2 : seq 4 time 0.000 ms
Response from 10.11.22.2 : seq 5 time 0.000 ms
SLB-P1/Admin# ping 10.11.21.2
Response from 10.11.21.2 : seq 1 time 0.000 ms
Response from 10.11.21.2 : seq 2 time 0.000 ms
Response from 10.11.21.2 : seq 3 time 0.000 ms
Response from 10.11.21.2 : seq 4 time 0.000 ms
Response from 10.11.21.2 : seq 5 time 0.000 ms
Thanks again for all your help.
Nearly there.
I'm considering having a crack at this Certification before my CCNP.
best regards
10-14-2010 04:11 AM
Sorry Chaps.
Everything seems to be running and pinging; however, the real servers are still down.
Context Admin
================================================================================
IP ADDRESS MAC-ADDRESS Interface Type Encap NextArp(s) Status
================================================================================
10.11.20.2 00.23.8b.03.99.2e vlan200 INTERFACE LOCAL _ up
10.11.20.10 00.0d.56.7d.84.e5 vlan200 LEARNED 4 12587 sec up
10.11.21.1 00.00.00.00.00.00 vlan210 GATEWAY - dn
10.11.21.2 00.23.8b.03.99.2e vlan210 INTERFACE LOCAL _ up
10.11.21.10 00.23.8b.03.99.2e vlan210 VSERVER LOCAL _ up
10.11.21.11 00.23.8b.03.99.2e vlan210 VSERVER LOCAL _ up
10.11.22.2 00.23.8b.03.99.2e vlan220 INTERFACE LOCAL _ up
10.11.22.10 00.00.00.00.00.00 vlan220 RSERVER - * 2 req dn
10.11.22.11 00.00.00.00.00.00 vlan220 RSERVER - * 2 req dn
================================================================================
I can't get the real servers up and running at the moment.
10-14-2010 04:45 AM
10.11.22.10 00.00.00.00.00.00 vlan220 RSERVER - * 2 req dn
10.11.22.11 00.00.00.00.00.00 vlan220 RSERVER - * 2 req dn
Your rservers are not responding to ARP requests.
Make sure you have your cable correctly connected.
Check vlan configuration.
Check arp table on server and see if you have the ace mac-address.
At this point this is not a load-balancing issue but simply a layer 2 connectivity problem.
Follow standard procedure.
Use a sniffer on the server to see if the arp requests are coming in and if a response is sent.
Try to attach your pc in vlan 220 and see if you can the server and ace.
Gilles.
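An added example (not part of the reply above): a parser for the `show arp` table posted in this thread that lists the neighbours the ACE could not resolve and, as a heuristic assumed here, names the VLANs where no remote entry resolved at all, which points at cabling or VLAN assignment rather than a single host. The rows are copied from the output in the thread.

```python
import re
from collections import defaultdict

# Rows copied from the 'show arp' output posted in this thread.
SHOW_ARP = """\
IP ADDRESS MAC-ADDRESS Interface Type Encap NextArp(s) Status
10.11.20.2 00.23.8b.03.99.2e vlan200 INTERFACE LOCAL _ up
10.11.20.10 00.0d.56.7d.84.e5 vlan200 LEARNED 4 12587 sec up
10.11.21.1 00.00.00.00.00.00 vlan210 GATEWAY - dn
10.11.21.2 00.23.8b.03.99.2e vlan210 INTERFACE LOCAL _ up
10.11.21.10 00.23.8b.03.99.2e vlan210 VSERVER LOCAL _ up
10.11.21.11 00.23.8b.03.99.2e vlan210 VSERVER LOCAL _ up
10.11.22.2 00.23.8b.03.99.2e vlan220 INTERFACE LOCAL _ up
10.11.22.10 00.00.00.00.00.00 vlan220 RSERVER - * 2 req dn
10.11.22.11 00.00.00.00.00.00 vlan220 RSERVER - * 2 req dn
Total arp entries 9
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
ZERO_MAC = "00.00.00.00.00.00"

def parse_arp(text):
    """Yield (ip, mac, iface, kind, encap, status) for each table row."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 6 and IPV4.match(tok[0]):   # skips header and totals
            yield tok[0], tok[1].lower(), tok[2], tok[3], tok[4], tok[-1]

def is_dead(mac, status):
    return mac == ZERO_MAC or status == "dn"

def unresolved(text):
    """Map interface -> [(type, ip)] for neighbours with no ARP reply."""
    out = defaultdict(list)
    for ip, mac, iface, kind, encap, status in parse_arp(text):
        if encap != "LOCAL" and is_dead(mac, status):
            out[iface].append((kind, ip))
    return dict(out)

def vlans_with_no_live_neighbour(text):
    """Heuristic: VLANs where every non-local entry is unresolved."""
    remote, dead = defaultdict(int), defaultdict(int)
    for ip, mac, iface, kind, encap, status in parse_arp(text):
        if encap != "LOCAL":
            remote[iface] += 1
            dead[iface] += is_dead(mac, status)
    return sorted(i for i in remote if remote[i] == dead[i])
```
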