ACE 4710 : Disable NAT

Similar Messages

• ACE 4710 client NAT (outgoing)

  Hi Experts,
       I have a ace 4710 set as load balancing http and https only, seems working fine.
       Now I have another requirment to NAT all real servers IP (server side internal network 10.8.8.0) to VIP (192.168.1.20).
  our configuration is as below,
  two real server ip are 10.8.8.2 and 10.8.8.3 connected to VLAN interface v500 (ip is 10.8.8.254)
  vlan v400 face to public, v400 interface ip 192.168.1.10, and one VIP 192.168.1.20, VIP is mapped to two real servers.
  I need to config: all outgoing trafic from network 10.8.8.0 to public to NAT the source IP to 192.168.1.20 (VIP, not the interface real IP 192.168.1.10).
  Thanks,
  BQ

  Here are a few things you could try
  1. nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.0 pat
  changeto
  nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.255 (/32 host)
  2.service-policy input remote-access
  do you have a management Vlan interface defined if so add to that interface
  3. The requirements are to LB http (80), and https (443). In this case you would need two seperate VIPS defined
  VIP1:
  class-map match-all slb-vip
    2 match virtual-address 192.168.1.20 eq tcp 80
  VIP2:
  class-map match-all slb-vip
    2 match virtual-address 192.168.1.20 eq tcp 443
  Is there a requirement to redirect http traffic ? If so you would need to define another class-map to redirect http traffic to https
  show service-policy client-vips detail   
  HTH

• ACE 4710 Disable server

  Hi again!
  Some say that there is a script command, that can disable a server when we want it. It's something like "disable_real" , but i haven't found anything about it... can anyone help please?
  Thanks!

  Need help/advise regarding routing to make this method working.
  When I change server gateway to ace server vlan interface, my server cannot communicate with other vlans. From context, I can ping server vlan and other vlans.
  *Core interface -172.16.36.254 (server vlan),172.19.30.254(client vlan).
  *Lb interface - 172.16.36.70, 172.19.30.65
  *Real Server ip is using default gateway 172.16.36.70
  Routing what I have done:
  CORE- ip route 172.16.36.0 255.255.255.0 172.16.36.70
        ip route 172.19.30.0 255.255.255.0 172.19.30.65
  LB- ip route 0.0.0.0 0.0.0.0 172.19.30.254
  Can someone help me to verify this?
  Thanks

• Rservers initiated traffic not sourcing the traffic as VIP in Ace 4710

  One of the feature of our application is that our Application Server initiate text message to our devices sourcing from UDP 1120 and device need to see the message come from a specific pubic IP (2.2.2.2) with UDP port 1120 and reply back with the same Public IP (2.2.2.2) with UDP port 1120.The problem is we can make that happen if we have only one server in our ACE Serverfarm when we do a SNAT the real servers with the VIP address (10.1.246.32) but it does not work when we have more than one server in the Serverfarm. Since we have 2 servers, i cannot nat the real servers with the VIP address, if I do a PAT, obviously it is changing the source port of the request.
  Note: This setup is working fine with the Cisco Content Switch module running on chasis 6509. When I sniff the traffic initiated from the server coming the CSM load balancer, it is sourcing the traffic as the VIP and the source port remains the same by default but this is not the case with ACE 4710
  Traffic flow as follows
  ===============
  ACE 4710                                                       FWSM (Firewall static NAT)                    Device ( configured with 2.2.2.2:1120 (udp) to snd/rcv msg)
                                               VIP
  Rserver 1   - 10.1.104.80       10.1.246.32           10.1.246.32  < - > 2.2.2.2                              1.1.1.1
  Rserver 2   - 10.1.104.81c
  ---------------------------------------------------------->           ------------------------------->                      - traffic flow from server to the device when we send msg
  Configs:
  ======
  rserver host server1
    ip address 10.1.104.80
    inservice
  rserver host server2
    ip address 10.1.104.81
    inservice
  serverfarm host SFARM
    failaction purge
    probe ICMP
    rserver server1
      inservice
    rserver server2
      inservice
  access-list TEST-1120 line 8 extended permit udp host 10.1.104.80 eq 1120 any
  access-list TEST-1120 line 16 extended permit udp host 10.1.104.81 eq 1120 any
  parameter-map type connection UDP_TIMEOUT
    set timeout inactivity 3600
  sticky ip-netmask 255.255.255.255 address source STKY-SFARM
    serverfarm SFARM
    timeout 180
    replicate sticky
  class-map match-all CLS-SFARM
    2 match virtual-address 10.1.246.32 udp eq 1120
  class-map match-all SERVERNAT
    2 match access-list TEST-1120
  policy-map type loadbalance first-match POL-SFARM
    class class-default
      sticky-serverfarm STKY-SFARM
  policy-map multi-match POL-LB
  class CLS-SFARM
      loadbalance vip inservice
      loadbalance policy POL-SFARM
      loadbalance vip icmp-reply active
      connection advanced-options UDP_TIMEOUT
  class SERVERNAT
     nat dynamic 1 vlan 244
  int vlan 244
  ip address 10.1.246.2 255.255.255.0
  service-policy input POL-LB
  nat-pool 1 10.1.246.32 10.1.246.32 netmask 255.255.255.255
    mac-sticky enable
    no icmp-guard
  no shut
  interface vlan 2506
  ip address 10.1.104.2 255.255.255.0
  service-policy input POL-LB
    mac-sticky enable
    no icmp-guard
  no shut

  I see in CSS, they are able to nat the source ip address with VIP and port-mapping diabled. How do I implement
  portmap disable in ACE 4710
  Disabling Port Mapping
  By default, the CSS NATs source IP addresses and PATs source ports for a configured source group. If you configure the portmap disablecommand in a source group, the CSS performs NAT on the source IP addresses but does not perform PAT on the source ports of UDP traffic that matches on that source group.
  For UDP applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups instead of using the portmap disable command. Destination services cause the CSS to NAT the client source ports, but not the destination ports. For information about configuring destination services,

• Need help to Configure Cisco ACE 4710 Cluster Deployment

  Dear Experts,
  I'm newbie for Cisco ACE 4710, and still I'm in learning stage. Meanwhile I got chance at my work place to deploy a Cisco ACE 4710 cluster which should load balance the traffic between  two Application Servers based on HTTP and HTTPS traffic. So I was looking for good deployment guide in Cisco SBA knowledge base then finall found this guide.
  http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
  This guide totally fine with my required deployment model. I have same deployment environment as this guide contains with ACE cluster that connects to two Cisco 3750X (Stack) switches. But I have some confusion places in this guide
  This guide follow the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured server VLAN as a 10.4.49.0/24 (all servers reside in it) and Client side VIP also in same VLAN which is 10.4.49.100/24 (even NAT pool also).
  My confusion is, as I have learned about Cisco ACE 4710 one-armed mode deployment method, it should has two VLAN segments, one for Client side which client request come and hit the VIP and then second one for Server side. which means besically two VLANs. So please be kind enough to go through above document then tell me where is wrong, what shoud I need to do for the best. Please this is an urgent, so need your help quickly.
  Thanks....!
  -Amal-

  Dear Kanwal,
  I need quick help for you. Following are the Application LB requirements which I received from my clinet side.
  Following detail required for configuring Oracle EBS Apps tier on HA:
  LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
  Suggested IP and Name for LBR:
  IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
  ebiz.xxxx.lk [on port 80 for http protocol accessibility]
  This LBR IP & name must be resolve and respond on DNS network
  Server Farm detail for LBR Setup
  Following detail will be use for configuring the LBR:
  LBR IP and Name :
  IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
  ebiz.xxxx.lk [on port 80 for http protocol accessibility]
  This LBR IP & name must be resolve and respond on DNS network
  Server Farm Detail for LBR setup:
  Server 1 (EBS App1 Node, ap1ebs):
  IP : 172.25.45.19
  Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
  Protocol: http
  Port: 8000
  Server 2 (EBS App2 Node, ap2ebs):
  IP : 172.25.45.20
  Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
  Protocol: http
  Port: 8000
  Since my client needs to access URL ebiz.xxxx.lk which should be resolved by IP 172.25.45.21 (virtual IP) via http (80) before they deploy the app on the two servers I just ran web service on both servers (Linux) and was trying to access http://172.25.45.21 it was working fine and gave me index.html page. Now after my client has deployed the application then when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers when I type http://172.25.45.21 it will get index.html page, but not my client web login page. What can I do for this ?
  Following are my latest config :
  probe http Get-Method
    description Check to url access /OA_HTML/OAInfo.jsp
    interval 10
    faildetect 2
    passdetect interval 30
    request method get url /OA_HTML/OAInfo.jsp
    expect status 200 200
  probe udp http-8000-iRDMI
    description IRDMI (HTTP - 8000)
    port 8000
  probe http http-probe
    description HTTP Probes
    interval 10
    faildetect 2
    passdetect interval 30
    passdetect count 2
    request method get url /index.html
    expect status 200 200
  probe https https-probe
    description HTTPS traffic
    interval 10
    faildetect 2
    passdetect interval 30
    passdetect count 2
    ssl version all
    request method get url /index.html
  probe icmp icmp-probe
    description ICMP PROBE FOR TO CHECK ICMP SERVICE
  rserver host ebsapp1
    description ebsapp1.xxxx.lk
    ip address 172.25.45.19
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    probe http-probe
    inservice
  rserver host ebsapp2
    description ebsapp2.xxxx.lk
    ip address 172.25.45.20
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    probe http-probe
    inservice
  serverfarm host ebsppsvrfarm
    description ebsapp server farm
    failaction purge
    predictor response app-req-to-resp samples 4
    probe http-probe
    probe icmp-probe
    inband-health check log 5 reset 500
    retcode 404 404 check log 1 reset 3
    rserver ebsapp1 80
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      inservice
    rserver ebsapp2 80
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      inservice
  sticky http-cookie jsessionid HTTP-COOKIE
    cookie insert browser-expire
    replicate sticky
    serverfarm ebsppsvrfarm
  class-map type http loadbalance match-any default-compression-exclusion-mime-type
    description DM generated classmap for default LB compression exclusion mime types.
    2 match http url .*gif
    3 match http url .*css
    4 match http url .*js
    5 match http url .*class
    6 match http url .*jar
    7 match http url .*cab
    8 match http url .*txt
    9 match http url .*ps
    10 match http url .*vbs
    11 match http url .*xsl
    12 match http url .*xml
    13 match http url .*pdf
    14 match http url .*swf
    15 match http url .*jpg
    16 match http url .*jpeg
    17 match http url .*jpe
    18 match http url .*png
  class-map match-all ebsapp-vip
    2 match virtual-address 172.25.45.21 tcp eq www
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  policy-map type loadbalance first-match ebsapp-vip-l7slb
    class default-compression-exclusion-mime-type
      serverfarm ebsppsvrfarm
    class class-default
      compress default-method deflate
      sticky-serverfarm HTTP-COOKIE
  policy-map multi-match int455
    class ebsapp-vip
      loadbalance vip inservice
      loadbalance policy ebsapp-vip-l7slb
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 455
  interface vlan 455
    ip address 172.25.45.36 255.255.255.0
    peer ip address 172.25.45.35 255.255.255.0
    access-group input ALL
    nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
    service-policy input remote_mgmt_allow_policy
    service-policy input int455
    no shutdown
  ft interface vlan 999
    ip address 10.1.1.1 255.255.255.0
    peer ip address 10.1.1.2 255.255.255.0
    no shutdown
  ft peer 1
    heartbeat interval 300
    heartbeat count 10
    ft-interface vlan 999
  ft group 1
    peer 1
    no preempt
    priority 110
    associate-context Admin
    inservice
  ip route 0.0.0.0 0.0.0.0 172.25.45.1
  Hope you will reply me soon
  Thanks....!
  -Amal-

• Cannot Telnet to ACE 4710 after upgrade to A4(2.3)

           I have a pair of ACE 4710s with 12 contexts sharing the load, running A4(2.1). Yesterday I upgraded one of them to A4(2.3)
  now I cannot telnet to the Admin context.Pings ok. I can telnet to other contexts on the box and everything seems to be working ok   
  when i do a " sh telnet"
  comes back with
  No Session Information is available
  sh telnet maxsessions
  telnet maxsessions 16
  Can anybody help?

  further this post, it was not a resource problem as had allocated 5% for the Admin context.
  I up graded IOS Saturday evening, could not Telnet in, tried again on Sunday same result,
  though this morning (Monday) Can now telnet in ok very strange
  I was connecting via the AUX line of a 2851 router to the console port.
  whe I disconnected this morning I saw the following message
  INIT: id "T0" respawning too fast : disabled for  5 minutes
  not sure if this is a 2851 message or an ACE message, but after getting that message is when I was able to Telnet in
  was it a coincidence
  anybody any ideas

• ACE 4710 in bridge mode not working

  I am trying to configure ACE 4710 bridge mode and I am stuck up in physical interface configuration. I have configured gig1/2 of ACE as trunk port and on layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried trunk port also but it got disabled due to BPDU error.
  I am not able to ping servers as well as gateway. Below are the topology and context configuration:
  Router   (vlan 13: IP 172.16.11.254)
       |
  ACE     (int gig1/2)
       |
  L2 Switch
       |
  Servers (vlan 11: IP 172.16.11.1 and 11.2)
  Admin Context
  ===========
  resource-class rc1
    limit-resource all minimum 0.00 maximum unlimited
    limit-resource sticky minimum 0.20 maximum unlimited
  boot system image:c4710ace-mz.A3_2_4.bin
  interface gigabitEthernet 1/1
    switchport access vlan 1000
    no shutdown
  interface gigabitEthernet 1/2
    switchport trunk allowed vlan 11,13
    no shutdown
  interface gigabitEthernet 1/3
    shutdown
  interface gigabitEthernet 1/4
    shutdown
  access-list ALL line 8 extended permit ip any any
  access-list everyone line 8 extended permit ip any any
  access-list everyone line 16 extended permit icmp any any
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  interface vlan 1000
    ip address 172.16.16.16 255.255.255.0
    access-group input ALL
    service-policy input remote_mgmt_allow_policy
    no shutdown
  ip route 0.0.0.0 0.0.0.0 172.16.16.254
  context test
    allocate-interface vlan 11
    allocate-interface vlan 13
    member rc1
  test Context
  =========
  access-list bpdu-fixup ethertype permit bpdu
  access-list ALL line 8 extended permit ip any any
  access-list ALL line 16 extended permit icmp any any
  rserver host srv1
    ip address 172.16.11.1
    inservice
  rserver host srv2
    ip address 172.16.11.2
    inservice
  serverfarm host srv
    rserver srv1
      inservice
    rserver srv2
      inservice
  sticky ip-netmask 255.255.255.255 address both SG1
    timeout 120
    serverfarm srv
  class-map type management match-any remote-mgmt
    201 match protocol snmp any
    202 match protocol ssh any
    203 match protocol icmp any
    204 match protocol http any
    205 match protocol https any
    206 match protocol xml-https any
  class-map match-all slb-vip
    2 match virtual-address 172.16.11.10 any
  policy-map type management first-match remote-mgmt
    class remote-mgmt
      permit
  policy-map type loadbalance first-match slb
    class class-default
      sticky-serverfarm SG1
  policy-map multi-match client-vips
    class slb-vip
      loadbalance vip inservice
      loadbalance policy slb
      loadbalance vip icmp-reply
  interface vlan 11
    bridge-group 1
    access-group input bpdu-fixup
    access-group input ALL
    access-group output ALL
    no shutdown
  interface vlan 13
    bridge-group 1
    access-group input bpdu-fixup
    access-group input ALL
    access-group output ALL
    service-policy input remote-mgmt
    service-policy input client-vips
    no shutdown
  interface bvi 1
    ip address 172.16.11.9 255.255.255.0
    no shutdown
  ip route 0.0.0.0 0.0.0.0 172.16.11.254
  Could you pls. suggest where I am doing wrong?
  Thanks,
  Pawan

  " I tried trunk port also but it got disabled"   <----- if your L2 config is not correct, nothing will work.
  What is the setup on the switch ? Trunk or access vlan ?
  What is the status of the interface ? up ? down ?
  Do you see something in your arp table ?
  Gilles.

• ACE 4710 Connectivity help?

  I'm using an ACE 4710 in a new datacenter, with the following setup:
  2/4 physical ethernet interfaces port channeled into port-channel 1
  2/4 physical ethernet interfaces port channeled into port-channel 2
  I have the following vlans defined:
  1001 - admin     - interface ip: 10.53.136.70
  400 - client side - interface ip: 10.53.136.100
  500 - server side - interface ip: 192.168.128.1
  999 - fault tolerance - interface ip: 192.168.11.2
  My problem is I am trying to nat ssh and web server traffic from the client side, to the server side, but it's never getting to the server.  For example, if I ssh to 10.53.136.102, it times out.  (10.53.136.102 should get nat'd to 192.168.128.2)
  Also, I can connect to the ACE 4710 via telnet using 10.53.136.70, but cannot connect to 10.53.136.100.
  I'm thinking there is either something wrong with the port-channels, or the access lists.  On the other hand there could be something wrong with the nat'ing, but I had it working before switching over to the port-channels.
  Any thoughts?
  Thanks,
  Brent

  I've attached the two contexts which we are using.  The admin context is new_lb_config.txt and the second context where the loadbalancing occurs is in the new_lb_config_VC_WBPX.txt file.
  From the load balancer, I am able to ping the real server ips in the 192.168. ip range.  The 4710 recognizes that they are in service.
  I believe the ACL for the VLAN 400 is set to permit all traffic, but I don't know if the service policies are preventing something from happening.
  Right now, I have disconnected the two 4710s and I am only working on one of them to see if I can get the basic connectivity going.  Once I accomplish that, I will work on high availability.  I'll have to check whether it thinks it is in passive mode...not entirely sure how to do that, but I will check it out.
  Thanks,
  Brent

• ACE 4710 - Internet Explorer cannot display the webpage randomly

  We have a ACE 4710 with a basic config, (see below).
  When clicking on a tab from a window within Interent explorer we occasionally get an issue with it returning: "Internet Explorer cannot display the webpage" The details show "Access is denied" accessing a particular line of a javascript file.
  We have put one web server out of service in the farm to make sure that this isn't a result of stickyness not quite working.
  We have tested extensively by going directly to the web server directly without the load balancer and cannot reproduce the problem but we can produce the issue within a few minutes when going to the load balanced address.
  Thanks in advance for any advice.
  HOST-1/Admin# show run
  Generating configuration....
  logging enable
  logging fastpath
  logging standby
  logging timestamp
  logging trap 6
  logging history 6
  resource-class SLB_ResourceClass_T_R
    limit-resource all minimum 10.00 maximum unlimited
  resource-class sticky
    limit-resource all minimum 10.00 maximum unlimited
  boot system image:c4710ace-t1k9-mz.A5_1_2.bin
  peer hostname HOST-2
  hostname HOST-1
  interface gigabitEthernet 1/1
    switchport access vlan 1000
    no shutdown
  interface gigabitEthernet 1/2
    shutdown
  interface gigabitEthernet 1/3
    description LB003
    switchport access vlan 1
    shutdown
  interface gigabitEthernet 1/4
    description LB004
    switchport access vlan 2
    shutdown
  interface port-channel 1
    port-channel load-balance src-dst-port
    no shutdown
  clock timezone standard GMT
  switch-mode
  context Admin
    description SUTLB01
    member SLB_ResourceClass_T_R
  access-list ALL line 8 extended permit ip any any
  access-list ALL line 16 extended permit icmp any any
  access-list everyone line 8 extended permit ip any any
  access-list everyone line 16 extended permit icmp any any
  probe tcp probe_tcp_80
    port 80
  rserver host Server_S_W301
    description Server_S_W301
    ip address x.x.32.152
    inservice
  rserver host Server_S_W302
    description Server_S_W302
    ip address x.x.32.154
    inservice
  serverfarm host sfarm_T_R
    description sfarm_T_R
    predictor leastconns
    probe probe_tcp_80
    rserver Server_S_W301 80
    rserver Server_S_W302 80
      inservice
  sticky http-cookie Cookie1 T_R_sticky_cookie
    cookie insert browser-expire
    timeout 3600
    serverfarm sfarm_T_R
  class-map match-any T_R_L4Class
    2 match virtual-address x.x.33.150 tcp eq www
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  policy-map type loadbalance first-match T_R_L7policy
    class class-default
      sticky-serverfarm T_R_sticky_cookie
  policy-map multi-match T_R_L4Policy
    class T_R_L4Class
      loadbalance vip inservice
      loadbalance policy T_R_L7policy
      loadbalance vip icmp-reply active
      nat dynamic 2 vlan 1000
  interface vlan 1000
    ip address x.x.33.148 255.255.254.0
    access-group input ALL
    nat-pool 2 x.x.33.151 x.x.33.151 netmask 255.255.254.0 pat
    service-policy input remote_mgmt_allow_policy
    service-policy input T_R_L4Policy
    no shutdown
  ip route 0.0.0.0 0.0.0.0 x.x.32.1
  ssh key rsa 1024 force

  +------------------------------------------+
  +-------------- HTTP statistics -----------+
  +------------------------------------------+
  LB parse result msgs sent : 421347     , TCP data msgs sent       : 2099597
  Inspect parse result msgs : 0          , SSL data msgs sent       : 0
                        sent
  TCP fin msgs sent         : 6169       , TCP rst msgs sent:       : 769
  Bounced fin msgs sent     : 5          , Bounced rst msgs sent:   : 1
  SSL fin msgs sent         : 0          , SSL rst msgs sent:       : 0
  Drain msgs sent           : 337811     , Particles read           : 5040829
  Reuse msgs sent           : 0          , HTTP requests            : 342499
  Reproxied requests        : 183422     , Headers removed          : 37475
  Headers inserted          : 342124     , HTTP redirects           : 0
  HTTP chunks               : 224859     , Pipelined requests       : 71466
  HTTP unproxy conns        : 267246     , Pipeline flushes         : 0
  Whitespace appends        : 0          , Second pass parsing      : 0
  Response entries recycled : 71302      , Analysis errors          : 0
  Header insert errors      : 22         , Max parselen errors      : 215
  Static parse errors       : 99         , Resource errors          : 0
  Invalid path errors       : 0          , Bad HTTP version errors  : 0
  Headers rewritten         : 0          , Header rewrite errors    : 0
  SSL headers inserted      : 0          , SSL header insert errors : 0
  SSL spoof headers deleted : 0         , Unproxy msgs sent         : 267246
  HTTP passthrough stat     : 0
  NOTE - We did turn on caching at one point to try and resolve the issue but it has since been turned off

• ACE 4710 Pls need help

  Hi,
  Pls can you help me find out where is my error in the below:
  I have an ACE 4710. Also I have 2 Bluecoat Proxy SG working in proxy mode. I want the ACE to be the Load Balancer for these 2 Proxy SG. I configure the ACE as below and put the vip-address in the Internet Explorer LAN Settings but it did not work. Also I configure Policy-based Routing on the Core Switch (for any http or https traffic going through core apply set ip next-hop vip-address).
  Core SW SVI:
  interface Vlan56
  description BC Proxy
  ip address 10.0.1.33 255.255.255.224
  interface Vlan57
  description ACE-LB-Alias
  ip address 10.0.1.65 255.255.255.224
  ACE 4710:
  hostname VSS-ACE-BC-01
  interface gigabitEthernet 1/1
    description Management
    speed 1000M
    duplex FULL
    switchport access vlan 101
    no shutdown
  interface gigabitEthernet 1/2
    description User Side
    speed 1000M
    duplex FULL
    switchport access vlan 56
    no shutdown
  interface gigabitEthernet 1/3
    description BC Proxy Side
    speed 1000M
    duplex FULL
    switchport access vlan 57
    no shutdown
  interface gigabitEthernet 1/4
    description Failover
    speed 1000M
    duplex FULL
    ft-port vlan 900
    no shutdown
  context Admin
    member sticky
  access-list external line 10 extended permit ip any any
  access-list external line 20 extended permit icmp any any
  access-list external line 30 extended permit tcp any any
  access-list external line 40 extended permit udp any any
  access-list internal line 10 extended permit ip any any
  access-list internal line 20 extended permit icmp any any
  access-list internal line 30 extended permit tcp any any
  access-list internal line 40 extended permit udp any any
  probe tcp web443
    port 443
    interval 30
    faildetect 1
    passdetect interval 30
    passdetect count 1
    open 1
  probe tcp web8080
    port 8080
    interval 30
    faildetect 1
    passdetect interval 30
    passdetect count 1
    open 1
  rserver host BC01
    ip address 10.0.1.41
    inservice
  rserver host BC02
    ip address 10.0.1.42
    inservice
  serverfarm host web443
    probe web443
    rserver BC01
      inservice
    rserver BC02
      inservice
  serverfarm host web8080
    probe web8080
    rserver BC01
      inservice
    rserver BC02
      inservice
  sticky ip-netmask 255.255.255.255 address source group1
    replicate sticky
    serverfarm web8080
  sticky ip-netmask 255.255.255.255 address source group2
    replicate sticky
    serverfarm web443
  class-map type management match-any REMOTE_ACCESS
    2 match protocol telnet any
    3 match protocol ssh any
    4 match protocol icmp any
    5 match protocol http any
    6 match protocol snmp any
  class-map match-all external-web
    2 match virtual-address 10.0.1.70 any
  class-map match-all external-web443
    2 match virtual-address 10.0.1.70 any
  class-map match-any nat-class
    2 match access-list external
  policy-map type management first-match REMOTE_MGMT
    class REMOTE_ACCESS
      permit
  policy-map type loadbalance http first-match slb
    class class-default
      sticky-serverfarm group1
  policy-map type loadbalance http first-match slb443
    class class-default
      sticky-serverfarm group2
  policy-map multi-match external-access
    class nat-class
      nat dynamic 1 vlan 57
    class external-web
      loadbalance vip inservice
      loadbalance policy slb
    class external-web443
      loadbalance vip inservice
      loadbalance policy slb443
  timeout xlate 120
  interface vlan 56
    description Server-Side
    ip address 10.0.1.43 255.255.255.224
    ip verify reverse-path
    alias 10.0.1.40 255.255.255.224
    peer ip address 10.0.1.44 255.255.255.224
    mac-address autogenerate
    access-group input internal
    service-policy input REMOTE_MGMT
    no shutdown
  interface vlan 57
    description VIP-Interface
    ip address 10.0.1.67 255.255.255.224
    alias 10.0.1.66 255.255.255.224
    peer ip address 10.0.1.68 255.255.255.224
    mac-address autogenerate
    access-group input external
    service-policy input external-access
    service-policy input REMOTE_MGMT
    no shutdown
  interface vlan 101
    description Management
    ip address 10.220.1.131 255.255.255.0
    alias 10.220.1.133 255.255.255.0
    peer ip address 10.220.1.132 255.255.255.0
    mac-address autogenerate
    service-policy input REMOTE_MGMT
    no shutdown
  ft interface vlan 900
    ip address 172.20.100.1 255.255.255.252
    peer ip address 172.20.100.2 255.255.255.252
    no shutdown
  ft peer 1
    heartbeat interval 300
    heartbeat count 20
    ft-interface vlan 900
  ft group 1
    peer 1
    priority 200
    peer priority 150
    associate-context Admin
    inservice
  ip route 0.0.0.0 0.0.0.0 10.0.1.65

  I see that you used:
    nat dynamic 1 vlan 57
  Where is the nat pool on Vlan 57 ?
  May be you can try to assign that and that should help.
  Something like below:
  Interface vlan 57
  nat-pool 1 10.0.1.93 10.0.1.93 netmask 255.255.255.224 pat
  regards,
  Ajay Kumar

• Add two servers with ACE 4710

  Dear All,
  We have two servers (sharepoint ) and need to add it in ACE 4710 to works as internal no need WAN , how to add it ?
  Thanks a lot in Advance

  Hi,
  Here's the example:
  Let's say you have two servers
  rserver host SERVER_01
    ip address 192.168.1.11
    inservice
  rserver host SERVER_02
    ip address 192.168.1.12
    inservice
  rserver host SERVER_03
    ip address 192.168.1.13
    inservice
  You add them in serverfarm
  serverfarm host REAL_SERVERS
    rserver SERVER_01
      inservice
    rserver SERVER_02
      inservice
    rserver SERVER_03
      inservice
  After that you configure the VIP and condition. Here any means any protocol and port
  class-map match-all VIP-30
    2 match virtual-address 172.16.51.30 any
  YOu define the L7 policy map
  policy-map type loadbalance first-match SLB_LOGIC
    class class-default
      serverfarm REAL_SERVERS--------->Serverfarm to which traffic would be loadbalanced.
  policy-map multi-match CLIENT_VIPS---->L3 policy map.
    class VIP-30
      loadbalance vip inservice
      loadbalance policy SLB_LOGIC
      nat dynamic 1 vlan 451----------------->You need to apply the NAT when your client is in same subnet as server so that return traffic comes back to ACE and not to client directly.
  interface vlan 251
    description Client vlan
    ip address 172.16.51.11 255.255.255.0
    access-group input ANYONE
    service-policy input REMOTE_MGT
    service-policy input CLIENT_VIPS
    no shutdown
  interface vlan 451
    description Servers vlan
    ip address 192.168.1.1 255.255.255.0
    nat-pool 1 192.168.1.100 192.168.1.110 netmask 255.255.255.0 pat---->Nat pool defined. It should always be on server side vlan.
    no shutdown
  ip route 0.0.0.0 0.0.0.0 172.16.51.1
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• ACE 4710 is not working

  Hi. I'm working on the Cisco ACE 4710 to be able to load balance web Traffic between several web servers. but despite following the steps mentioned on the Cisco configuration guide (specially this link and related docs: http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide,_Release_A3(1.0)_--_Creating_a_Virtual_Context) we did not managed to make it. we tested both the "bridged scenario" and "routed scenario" but none of them is working. specifically "configuring Nat" in the above link is very confusing and is not clear; because it's not the same as Cisco IOS, which we used to implement it that way. 
  Routed Scenario:
  ==========================================
  probe http Http_Probe
    description Server Healty Check
    port 80
    request method head url /index.htm
  probe icmp ICMP_Check
    interval 10
    passdetect interval 5
  rserver host NetCad_Server_1
    ip address 172.16.1.100
    probe ICMP_Check
    inservice
  rserver host NetCad_Server_2
    ip address 172.16.1.101
    probe ICMP_Check
    inservice
  rserver host NetCad_Server_3
    ip address 172.16.1.102
    probe ICMP_Check
    inservice
  serverfarm host NetCad_Servers
    probe Http_Probe
    rserver NetCad_Server_1 80
      inservice
    rserver NetCad_Server_2 80
      inservice
    rserver NetCad_Server_3 80
      inservice
  sticky http-cookie Cookie1 1
    serverfarm NetCad_Servers
  class-map match-all VS_NetCad
    2 match virtual-address 192.168.13.162 255.255.252.0 tcp any
  policy-map type management first-match mgmt-pm
    class class-default
      permit
  policy-map type loadbalance first-match VS_NetCad-l7slb
    class class-default
      serverfarm NetCad_Servers
  policy-map multi-match int40
    class VS_NetCad
      loadbalance vip inservice
      loadbalance policy VS_NetCad-l7slb
      loadbalance vip icmp-reply
  interface vlan 40
    description Client Side
    ip address 192.168.13.161 255.255.252.0
    ip options allow
    no normalization
    no icmp-guard
    access-group input Permit_ALL
    service-policy input mgmt-pm
    service-policy input int40
    no shutdown
  interface vlan 41
    description Server Side
    ip address 172.16.1.1 255.255.255.0
    ip options allow
    no normalization
    no icmp-guard
    access-group input Permit_ALL
    nat-pool 1 172.16.1.110 172.16.1.110 netmask 255.255.255.255 pat
    service-policy input mgmt-pm
    no shutdown
  ip route 0.0.0.0 0.0.0.0 192.168.12.1
  ==========================================

  Hi,
  Let me explain you.
  Assuming client IP as 1.1.1.1, VIP as 2.2.2.2 and Real Server as 3.3.3.3
  Consider the simple situation where client needs to access an application hosted on 3.3.3.3. Client sends a request which comes to VIP.
  src 1.1.1.1----->dst------->2.2.2.2. ACE after matching conditions and taking LB decision decides to send  it to 3.3.3.3 real server. Performs destination NAT and forwards the client request to 3.3.3.3. So the above packet L3 header will now look like:
  src 1.1.1.1       dst 3.3.3.3. When reply comes from server, ACE will change src 3.3.3.3 back to 2.2.2.2 and forwards the request to client 1.1.1.1. SIMPLE LB.
  Now comes a situation where let's say you want to hide the client IP from server or let's say server's default GW is not ACE or client and server are in same subnet but need to communicate through VIP on ACE etc.
  Src 1.1.1.1 dst 2.2.2.2
  After LB ace decides to send it to 3.3.3.3 but also policy multi match has nat rule (nat dynamic 1 vlan x). But packet would be forwarded from server vlan where you have NAT pool defined. So let's say pool IP is 3.3.3.4. So ACE will perform both destination as well as src NAT here before forwarding the packet to server and packet L3 header will look like:
  src 3.3.3.4 ----->dst 3.3.3.3
  Now when 3.3.3.3 has to send packet back, ACE will answer ARP for 3.3.3.3 and hence packet will come back to ACE which will again change the L3 header IP's and send it out the client VLAN towards client.
  So NAT is always applied to server side vlan and  that's why pool is  chosen from server side subnet.
  Let me know if you have any questions.
  Regards,
  Kanwal

• Ace 4710 active/standby SNMP config

  We have 2 x Ace 4710 deployed in Active/Standby config. Since the configuration mode is disabled on the Standby unit, how can we configure the SNMP settings (such as location etc.) on the standby unit different from the active unit?
  The 2 devices are in physically separated data centers so the SNMP location settings need to be set differently on both units. The standby unit does not allow any configuration.

  Comments inline:
  Since this is the admin context,  we would better not do this. As i understand correctly, this will turn  off the config sync on the 2 units and we may end up with some issues.
  KM - Correct, you need to manually manage the configurations of both devices. 
  Also,  if at a later stage, we sync the configs again in the admin context, it  will overwrite the different config on the standby unit with that from  the active unit?
  KM - Correct, the device with the lower priority will be overwritten when config-sync is re-enabled.  This is one of the reasons you need to be careful in the Admin context.  For example: Ff the lower priority device has contexts defined that the primary does not, they would be removed when you re-enablethis command.
  Since  my requirement is just the SNMP location config, I do not think i  should go for this; rather i can have some descriptive location setting  identifying the 2 units in cluster mode...
  KM - This would be more ideal than disabling config sync.  You could also put both locations like this:
  snmp-server location "San Jose, CA & Seattle, WA"
  Regards
  Kris

• Access Server through VIP (ACE 4710) but very slow

  Re:  Access Server through VIP (ACE 4710) but very slow
  Hi Shiva
  Kindly  Help .....Accessing the server very slow.., Plz check my real  configuration... this configuration is for application server and after  this i have to configure more serverfarm for different server like  webmail etc. in this ACE 4710. I have only one ACE 4710 .
  ACE Version A4(2.0) = is there supports Probe with this version.???  without probe server will work but very slow. And plz guide Nat-pool is required
  VIP :-- 172.16.15.8
  LB/Admin# sh run
  Generating configuration....
  no ft auto-sync startup-config
  logging enable
  logging host 172.29.91.112 udp/514
  resource-class RC1
    limit-resource all minimum 10.00 maximum unlimited
  boot system image:c4710ace-mz.A4_2_0.bin
  hostname LB
  interface gigabitEthernet 1/1
    description Management
    speed 1000M
    switchport access vlan 1000
    no shutdown
  interface gigabitEthernet 1/2
    description clientside
    switchport access vlan 30
    no shutdown
  interface gigabitEthernet 1/3
    description serverside
    switchport access vlan 31
    no shutdown
  interface gigabitEthernet 1/4
    no shutdown
  context Admin
    description Management
    member RC1
  access-list everyone line 8 extended permit ip any any
  access-list everyone line 16 extended permit icmp any any
  probe http probe1
    description health check
    interval 5
    passdetect interval 10
    request method head
    expect status 200 200
    open 1
  rserver redirect https_redirect
    description redirect traffic to https
    webhost-redirection / 302
    inservice
  rserver redirect maintenance_page
    description maintenance page displayed
    webhost-redirection /sry.html 301
    inservice
  rserver host web1
    ip address 192.168.10.3
    inservice
  rserver host web2
    ip address 192.168.10.4
    inservice
  rserver host web3
    ip address 192.168.10.5
    inservice
  serverfarm host http
    rserver web1
      inservice
    rserver web2
      inservice
    rserver web3
      inservice
  serverfarm redirect https_redirect_farm
    description Redirect traffic to https
  serverfarm redirect maintenance_farm
    description send user to maintenance page
  parameter-map type connection paramap_http
    description parameter connection tcp
    exceed-mss allow
  sticky ip-netmask 255.255.255.0 address source Sticky_http
    timeout activeconns
    serverfarm http
  class-map match-all REMOTE-ACCESS
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  class-map match-all slb-vip
    2 match virtual-address 172.16.15.8 tcp eq www
  policy-map type management first-match remote_access
    class class-default
      permit
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  policy-map type loadbalance first-match slb
    class class-default
      serverfarm http
  policy-map type inspect http all-match slb-vip-http
    class class-default
      permit
  policy-map multi-match client-vips
    class slb-vip
      loadbalance vip inservice
      loadbalance policy slb
      loadbalance vip icmp-reply active
      inspect http policy slb-vip-http
      connection advanced-options paramap_http
  interface vlan 30
    description "Client Side"
    ip address 172.16.15.24 255.255.255.0
    access-group input everyone
    service-policy input client-vips
    no shutdown
  interface vlan 31
    description "Server Side"
    ip address 192.168.10.1 255.255.255.0
    service-policy input remote_access
    no shutdown
  interface vlan 1000
    description managment
    ip address 172.29.91.110 255.255.255.0
    service-policy input remote_mgmt_allow_policy
    no shutdown
  ip route 0.0.0.0 0.0.0.0 172.16.15.1
  snmp-server contact "PHQ"
  snmp-server community phq group Network-Monitor
  snmp-server trap-source vlan 1000
  username admin password 5 $1$b2txbc5U$TA74D920oSdd2eOZ4hSFe/  role Admin domain
  default-domain
  username www password 5 $1$.GuWwQEK$r8Ub4OcE3l190d5GA4kvR.  role Admin domain de
  fault-domain
  username prem password 5 $1$8C7eRKrI$it3UV4URZ26X4S/Bh6OEr0  role Admin domain d
  efault-domain
  ssh key rsa 1024 force
  banner motd # "ro" #
  Regards,
  Prem

  Hi Shiva,
  plz guide i'm new with ACE LB, also find my n/w design for connected ace to server. but server accessing very very slow, but when i connect through my old server software LB (with two interface)then accessing very fast. I just replace my old serverLB(with two interface) to ACE4710 and connect the same scenario then why not server accessing smoothly with VIP .Reply soon only I connect ACE's two interface with switch.....
  Regards,
  Prem

• ACE 4710 Setup

  Dear All,
  I have task to add two servers to work with ACE 4710 , the client is coming from internal network and the end host (our servers).
  I don,t know how to connect it physically and do the configuration.
  Thanks a lot in advance .

  Hi,
  Below is basic configuration example with three real servers and Source NAT.
  Let's say you have three servers:
  rserver host SERVER_01
    ip address 192.168.1.11
    inservice
  rserver host SERVER_02
    ip address 192.168.1.12
    inservice
  rserver host SERVER_03
    ip address 192.168.1.13
    inservice
  You add them in serverfarm
  serverfarm host REAL_SERVERS
    rserver SERVER_01
      inservice
    rserver SERVER_02
      inservice
    rserver SERVER_03
      inservice
  After that you configure the VIP and condition. Here any means any protocol and port
  class-map match-all VIP-30
    2 match virtual-address 172.16.51.30 any
  YOu define the L7 policy map
  policy-map type loadbalance first-match SLB_LOGIC
    class class-default
      serverfarm REAL_SERVERS--------->Serverfarm to which traffic would be loadbalanced.
  policy-map multi-match CLIENT_VIPS---->L3 policy map.
    class VIP-30
      loadbalance vip inservice
      loadbalance policy SLB_LOGIC
      nat dynamic 1 vlan 451----------------->You need to apply the NAT when your client is in same subnet as server so that return traffic comes back to ACE and not to client directly or when your servers default GW is not ACE.
  interface vlan 251
    description Client vlan------------------->VIP is in this subnet
    ip address 172.16.51.11 255.255.255.0
    access-group input ANYONE
    service-policy input REMOTE_MGT
    service-policy input CLIENT_VIPS
    no shutdown
  interface vlan 451--------------->Server side subnet
    description Servers vlan
    ip address 192.168.1.1 255.255.255.0
    nat-pool 1 192.168.1.100 192.168.1.110 netmask 255.255.255.0 pat---->Nat pool defined. It should always be on server side vlan.
    no shutdown
  ip route 0.0.0.0 0.0.0.0 172.16.51.1
  I would also suggest going through the below for basic troubleshooting and understanding.
  http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide_--_Overview_of_ACE_Troubleshooting
  Basic loadbalancing using routed mode:
  http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Routed_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example
  And if you have any questions, please put them here and we will be glad to help.
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.