Unable to ping VIP in bridge mode

rajkanna (Cisco Employee)

I am trying to set up ACE in bridge mode. Network topology is as follows:

1. ACE Gi 1/2 (client-side vlan) is connected to 3750 (vlan 40)

2. ACE Gi 1/3 (server-side vlan) is connected to 3750 (vlan 50)

3. Two real servers are connected to 3750 (vlan 50)

4. One client device (linux box) is connected to 3750 (vlan 40)

I am not using the admin context. I have created a new one for the user. I am unable to ping the VIP (10.10.50.15) either from the client linux box or from within the ACE.

Can you please take a look at my configuration and let me know if I am missing something?

Thanks in advance.

--Raja

=============================================================================================================

access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

probe http PROBE_CGNMS_WEB
  port 80
  interval 15
  passdetect interval 60
  expect status 200 200
  open 1

rserver host RS_10_10_50_11
  description 10.10.50.11
  ip address 10.10.50.11
  conn-limit max 4000000 min 4000000
  probe PROBE_CGNMS_WEB
  inservice
rserver host RS_10_10_50_12
  description 10.10.50.12
  ip address 10.10.50.12
  conn-limit max 4000000 min 4000000
  probe PROBE_CGNMS_WEB
  inservice

serverfarm host SF_CGNMS
  rserver RS_10_10_50_11
    conn-limit max 4000000 min 4000000
    probe PROBE_CGNMS_WEB
    inservice
  rserver RS_10_10_50_12
    conn-limit max 4000000 min 4000000
    probe PROBE_CGNMS_WEB
    inservice

class-map match-all VS_CGNMS
  2 match virtual-address 10.10.50.15 255.255.255.0 any

policy-map type loadbalance first-match VS_CGNMS-l7slb
  class class-default
    serverfarm SF_CGNMS

policy-map multi-match int50-n2
  class VS_CGNMS
    loadbalance vip inservice
    loadbalance policy VS_CGNMS-l7slb
    loadbalance vip icmp-reply active

interface vlan 40
  description client-side-vlan
  bridge-group 1
  access-group input everyone
  service-policy input int50-n2
  no shutdown
interface vlan 50
  description server-side-vlan
  bridge-group 1
  no shutdown
interface bvi 1
  ip address 10.10.50.10 255.255.255.0
  no shutdown

snmp-server community public group Network-Monitor

=========================================================================================================

Accepted Solution

Daniel Arrondo Ostiz (Cisco Employee)

Hi Raja,

You defined the VIP as a range. The ACE is listening for connections in the 10.10.50.15/24 network.

Try defining the VIP as "match virtual-address 10.10.50.15 any" instead and check if it works.

Also, be aware that the VIP is defined for "any" traffic, which means that even ICMP is getting load-balanced. In this case, it's not the ACE that is replying, but one of the servers. You should consider limiting the VIP to only the kinds of traffic you expect.

I hope this helps

Daniel

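What the mask actually does to the class-map, shown with a small lint script. This is an added example for this page, not ACE code and not anything posted in the thread: it parses the "match virtual-address" form used in the post (the only form it understands, which is an assumption), turns the address plus optional mask into the network the class-map really claims, and reports which other hosts from the post (BVI 10.10.50.10, real servers .11 and .12, client .17) fall inside that network. Three class-maps are constructed for the run: the poster's original, the host form Daniel recommends, and a host-mask variant restricted to tcp/443 that is built from his second remark rather than taken from the thread.

```python
"""Lint ACE class-map VIP definitions for the two problems raised in the thread:
a netmask that turns the VIP into a range, and a protocol of 'any'.
Added example for this page; not ACE code. Only the 'match virtual-address'
line shape used in the post is parsed (assumption)."""
import ipaddress
import re

# Constructed sample: the poster's class-map, Daniel's suggested host form, and
# a host-mask variant narrowed to tcp/443 (the last one is an assumption).
SAMPLE_CONFIG = """\
class-map match-all VS_CGNMS
  2 match virtual-address 10.10.50.15 255.255.255.0 any
class-map match-all VS_CGNMS_HOST
  2 match virtual-address 10.10.50.15 any
class-map match-all VS_CGNMS_HTTPS
  2 match virtual-address 10.10.50.15 255.255.255.255 tcp eq 443
"""

# Other addresses on the same subnet, taken from the post.
NEIGHBOURS = {
    "10.10.50.10": "BVI 1, the ACE itself",
    "10.10.50.11": "rserver RS_10_10_50_11",
    "10.10.50.12": "rserver RS_10_10_50_12",
    "10.10.50.17": "client",
}

CLASS_RE = re.compile(r"^class-map\s+\S+\s+(\S+)\s*$")
MATCH_RE = re.compile(
    r"^\s*(?:\d+\s+)?match\s+virtual-address\s+(\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+(\d+\.\d+\.\d+\.\d+))?\s+(\S+)(?:\s+eq\s+(\S+))?\s*$"
)


def parse_vips(config_text):
    """One dict per VIP match: class name, network claimed, protocol, port."""
    vips = []
    current = None
    for line in config_text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = MATCH_RE.match(line)
        if m and current:
            addr, mask, proto, port = m.groups()
            # Without a mask the ACE treats the address as one host; with a
            # mask the class-map claims the whole network the mask describes.
            net = ipaddress.IPv4Network(f"{addr}/{mask or '255.255.255.255'}", strict=False)
            vips.append({"name": current, "network": net, "protocol": proto, "port": port})
    return vips


def claimed_by(vips, dst_ip):
    """Names of the VIP classes whose network contains dst_ip."""
    ip = ipaddress.IPv4Address(dst_ip)
    return [v["name"] for v in vips if ip in v["network"]]


def lint(vips):
    """Findings in config order: one for a range VIP, one for protocol 'any'."""
    findings = []
    for v in vips:
        if v["network"].prefixlen != 32:
            hits = [f"{ip} ({who})" for ip, who in NEIGHBOURS.items()
                    if ipaddress.IPv4Address(ip) in v["network"]]
            findings.append(f"{v['name']}: VIP is the range {v['network']}, not a single host; "
                            f"it also claims {', '.join(hits)}")
        if v["protocol"] == "any":
            findings.append(f"{v['name']}: protocol 'any' load-balances every protocol, ICMP "
                            f"included, to the serverfarm; restrict it (e.g. tcp eq 443)")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_vips(SAMPLE_CONFIG)):
        print(finding)
```

On the sample this reports two findings for VS_CGNMS (the /24 range, which covers both real servers and the BVI address, and the "any" protocol), one for VS_CGNMS_HOST (still "any"), and none for the tcp/443 version. The script only reports the overlap; it does not claim which of those neighbours the ACE intercepts in practice, which depends on the rest of the service-policy.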

Replies


Hi Daniel, thanks it worked. Looks like DM does not allow IP without mask. I used CLI and I can now ping VIP.

--Raja

Hi Raja,

For the future, if you configure it from the DM, use a mask of 255.255.255.255. It's equivalent to not using a mask at all.

Daniel

Hi Daniel, thanks, will try that.

BTW, I am load balancing HTTPS traffic to 443. I tested and it is working. But I configured neither an SSL policy nor a sticky session. I am trying to understand how it works without these settings.

Thanks

--Raja

Hi Raja,

By SSL policy I assume you mean ssl-proxy, right? This is only required to terminate the SSL session on the ACE. If you don't configure one, the connection is just treated as L4.

Stickiness is something completely unrelated to this.

I would recommend you have a look at the following two links. They should clarify these two concepts:

http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/sslgd.html

http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/sticky.html

Daniel

Hi Daniel,

I am trying to load balance https traffic to port 9121 but the ACE resets the connection. Here is the packet capture. I have the VIP enabled on 10.10.50.15 for port 9121. Please help.

Thanks

--Raja

reading from file /tmp/cap.12447, link-type EN10MB (Ethernet)
raja-ACE4710/VC_RAJA# 18:50:11.620893 00:0c:29:fe:c0:16 > 00:1e:68:57:24:66, ethertype IPv4 (0x0800), length 74: IP (tos 0x0, ttl  64, id 4548, offset 0, flags [DF], length: 60) 10.10.50.17.26618 > 10.10.50.15.9121: S [bad tcp cksum d3ef (->ebe4)!] 1618077165:1618077165(0) win 5840
18:50:11.621107 00:0c:29:c1:34:6f > 00:0c:29:fe:c0:16, ethertype IPv4 (0x0800), length 54: IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 40) 10.10.50.11.9121 > 10.10.50.17.26618: R [tcp sum ok] 0:0(0) ack 4165815016 win 0
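A triage pass over that capture, as an added example for this page (not ACE code and not part of the thread). The script parses the tcpdump -e -v line shape shown above (the only shape it handles, an assumption), strips the ACE CLI prompt that was printed in front of the first packet line, labels each address as the VIP, a real server or something else using the addresses from the thread, and for a reset reports which host generated it. On the two lines from the post it reports that the SYN went to the VIP 10.10.50.15:9121 and the RST came back from real server 10.10.50.11:9121, so the reset was generated by the server rather than by the ACE.

```python
"""Triage a tcpdump capture taken on the ACE: who sent what, and for a TCP reset,
which host generated it (VIP, real server or something else).
Added example for this page, not ACE code. Only the 'tcpdump -e -v' line shape
shown in the post is understood (assumption)."""
import re

VIP = "10.10.50.15"
RSERVERS = {"10.10.50.11", "10.10.50.12"}

# Constructed sample: the capture exactly as it appears in the post, including
# the CLI prompt that the ACE printed in front of the first packet line.
SAMPLE_CAPTURE = """\
reading from file /tmp/cap.12447, link-type EN10MB (Ethernet)
raja-ACE4710/VC_RAJA# 18:50:11.620893 00:0c:29:fe:c0:16 > 00:1e:68:57:24:66, ethertype IPv4 (0x0800), length 74: IP (tos 0x0, ttl  64, id 4548, offset 0, flags [DF], length: 60) 10.10.50.17.26618 > 10.10.50.15.9121: S [bad tcp cksum d3ef (->ebe4)!] 1618077165:1618077165(0) win 5840
18:50:11.621107 00:0c:29:c1:34:6f > 00:0c:29:fe:c0:16, ethertype IPv4 (0x0800), length 54: IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 40) 10.10.50.11.9121 > 10.10.50.17.26618: R [tcp sum ok] 0:0(0) ack 4165815016 win 0
"""

PROMPT_RE = re.compile(r"^\S+#\s*")  # e.g. 'raja-ACE4710/VC_RAJA# '
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<smac>[0-9a-f:]{17})\s+>\s+(?P<dmac>[0-9a-f:]{17})"
    r".*?\)\s+"  # skip the ethertype and IP header details
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[A-Z.]+)\s"
)


def parse_capture(text):
    """One dict per TCP packet line; banner and other non-packet lines are skipped."""
    pkts = []
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        m = LINE_RE.match(line)
        if m:
            pkts.append(m.groupdict())
    return pkts


def role(ip):
    """Classify an address against what the thread says about the topology."""
    if ip == VIP:
        return "VIP"
    if ip in RSERVERS:
        return "rserver"
    return "other"


def reset_origin(pkts):
    """(role, ip, mac) of the host that generated the first RST, or None."""
    for p in pkts:
        if "R" in p["flags"]:
            return role(p["sip"]), p["sip"], p["smac"]
    return None


def triage(pkts):
    """One human-readable verdict per segment, in capture order."""
    out = []
    for p in pkts:
        src = f"{role(p['sip'])} {p['sip']}:{p['sport']}"
        dst = f"{role(p['dip'])} {p['dip']}:{p['dport']}"
        if "R" in p["flags"]:
            out.append(f"{p['ts']} RST from {src} (MAC {p['smac']}) to {dst}")
        elif "S" in p["flags"]:
            out.append(f"{p['ts']} SYN from {src} to {dst}")
        else:
            out.append(f"{p['ts']} {p['flags']} from {src} to {dst}")
    return out


if __name__ == "__main__":
    packets = parse_capture(SAMPLE_CAPTURE)
    print("\n".join(triage(packets)))
    print("reset generated by:", reset_origin(packets))
```

This only tells you where the reset originated, not why: whether nothing is listening on 9121 on that server, or the ACE sent the SYN somewhere it should not have, still has to be checked on the server side. The "bad tcp cksum" on the client's SYN is commonly a checksum-offload artifact of the capturing host or virtual NIC rather than a real error, so it is not the first thing to chase.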
