Cisco Employee

Unable to ping VIP in bridge mode

I am trying to set up ACE in bridge mode. Network topology is as follows:

1. ACE Gi 1/2 (client-side vlan) is connected to 3750 (vlan 40)

2. ACE Gi 1/3 (server-side vlan) is connected to 3750 (vlan 50)

3. Two real servers are connected to 3750 (vlan 50)

4. One client device (linux box) is connected to 3750 (vlan 40)

I am not using admin context. I have created a new one for user. I am unable to ping VIP (10.10.50.15) either from client linux box or from within ACE.

Can you please take a look at my configuration and let me know if I am missing something?

Thanks in advance.

--Raja

=============================================================================================================

access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

probe http PROBE_CGNMS_WEB
  port 80
  interval 15
  passdetect interval 60
  expect status 200 200
  open 1

rserver host RS_10_10_50_11
  description 10.10.50.11
  ip address 10.10.50.11
  conn-limit max 4000000 min 4000000
  probe PROBE_CGNMS_WEB
  inservice
rserver host RS_10_10_50_12
  description 10.10.50.12
  ip address 10.10.50.12
  conn-limit max 4000000 min 4000000
  probe PROBE_CGNMS_WEB
  inservice

serverfarm host SF_CGNMS
  rserver RS_10_10_50_11
    conn-limit max 4000000 min 4000000
    probe PROBE_CGNMS_WEB
    inservice
  rserver RS_10_10_50_12
    conn-limit max 4000000 min 4000000
    probe PROBE_CGNMS_WEB
    inservice

class-map match-all VS_CGNMS
  2 match virtual-address 10.10.50.15 255.255.255.0 any

policy-map type loadbalance first-match VS_CGNMS-l7slb
  class class-default
    serverfarm SF_CGNMS

policy-map multi-match int50-n2
  class VS_CGNMS
    loadbalance vip inservice
    loadbalance policy VS_CGNMS-l7slb
    loadbalance vip icmp-reply active

interface vlan 40
  description client-side-vlan
  bridge-group 1
  access-group input everyone
  service-policy input int50-n2
  no shutdown
interface vlan 50
  description server-side-vlan
  bridge-group 1
  no shutdown

interface bvi 1
  ip address 10.10.50.10 255.255.255.0
  no shutdown

snmp-server community public group Network-Monitor

=========================================================================================================

1 ACCEPTED SOLUTION

Cisco Employee

Unable to ping VIP in bridge mode

Hi Raja,

You defined the VIP as a range. The ACE is listening to connections in the 10.10.50.15/24 network.

Try defining the VIP as "match virtual-address 10.10.50.15 any" instead and check if it works.

Also, be aware that the VIP is defined for "any" traffic, which means that even ICMP is getting load-balanced. In this case, it's not the ACE that is replying, but one of the servers. You should consider limiting the VIP to only the kinds of traffic you expect.

I hope this helps

Daniel
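
Added example (not part of the original thread and not Cisco code): a small Python check that computes what a `match virtual-address` line actually listens on and which of the device's own configured addresses fall inside that range. The function name `audit_vips` and the sample excerpt are constructed for illustration from the configuration posted above.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the configuration posted in this thread.
SAMPLE_CONFIG = """\
rserver host RS_10_10_50_11
  ip address 10.10.50.11
rserver host RS_10_10_50_12
  ip address 10.10.50.12
class-map match-all VS_CGNMS
  2 match virtual-address 10.10.50.15 255.255.255.0 any
interface bvi 1
  ip address 10.10.50.10 255.255.255.0
"""

VIP_RE = re.compile(r"^\s*(?:\d+\s+)?match virtual-address\s+(\S+)\s*(.*)$")
ADDR_RE = re.compile(r"^\s*ip address\s+(\S+)")


def audit_vips(config):
    """Return one finding dict per 'match virtual-address' line (hypothetical helper)."""
    lines = config.splitlines()
    # Addresses configured elsewhere (rservers, BVI) that a wide VIP would also match.
    own_addrs = [ipaddress.ip_address(m.group(1))
                 for m in map(ADDR_RE.match, lines) if m]
    findings = []
    for line in lines:
        m = VIP_RE.match(line)
        if not m:
            continue
        vip, rest = m.group(1), m.group(2).split()
        # An optional dotted mask follows the address; without one the VIP is a host.
        mask = "255.255.255.255"
        if rest and re.fullmatch(r"\d+(\.\d+){3}", rest[0]):
            mask = rest.pop(0)
        net = ipaddress.ip_network(f"{vip}/{mask}", strict=False)
        findings.append({
            "vip": vip,
            "listens_on": str(net),           # what the class-map really matches
            "is_range": net.prefixlen < 32,   # mask wider than a single host
            "all_protocols": rest == ["any"], # ICMP and every port get load-balanced
            "covered_addresses": [str(a) for a in own_addrs
                                  if a in net and str(a) != vip],
        })
    return findings
```

On the posted configuration this reports the VIP as `10.10.50.0/24`, a range that also contains both real servers and the BVI address.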

6 REPLIES

Cisco Employee

Unable to ping VIP in bridge mode

Hi Daniel, thanks it worked. Looks like DM does not allow IP without mask. I used CLI and I can now ping VIP.

--Raja

Cisco Employee

Unable to ping VIP in bridge mode

Hi Raja,

For the future, if you configure it from the DM, use a mask of 255.255.255.255. It's equivalent to not using a mask at all.

Daniel

Cisco Employee

Unable to ping VIP in bridge mode

Hi Daniel, thanks, will try that.

BTW, I am loadbalancing HTTPS traffic to 443. I tested and it is working. But I configured neither an SSL policy nor a sticky session. I am trying to understand how it works without these settings.

Thanks

--Raja

Cisco Employee

Unable to ping VIP in bridge mode

Hi Raja,

By SSL policy I assume you mean ssl-proxy, right? This is only required to terminate the SSL session on the ACE. If you don't configure one, the connection is just treated as L4.

Stickiness is something completely unrelated to this.

I would recommend you have a look at the following two links. They should clarify these two concepts.

http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/sslgd.html

http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/sticky.html

Daniel

Cisco Employee

Unable to ping VIP in bridge mode

Hi Daniel,

I am trying to loadbalance https traffic to port 9121 but ACE resets the connection. Here is the packet capture. I have vip enabled on 10.10.50.15 for port 9121. Plz help.

Thanks

--Raja

reading from file /tmp/cap.12447, link-type EN10MB (Ethernet)

raja-ACE4710/VC_RAJA# 18:50:11.620893 00:0c:29:fe:c0:16 > 00:1e:68:57:24:66, ethertype IPv4 (0x0800), length 74: IP (tos 0x0, ttl  64, id 4548, offset 0, flags [DF], length: 60) 10.10.50.17.26618 > 10.10.50.15.9121: S [bad tcp cksum d3ef (->ebe4)!] 1618077165:1618077165(0) win 5840

18:50:11.621107 00:0c:29:c1:34:6f > 00:0c:29:fe:c0:16, ethertype IPv4 (0x0800), length 54: IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 40) 10.10.50.11.9121 > 10.10.50.17.26618: R [tcp sum ok] 0:0(0) ack 4165815016 win 0
