ACE 4710 in bridge mode

Similar Messages

• ACE 4710 in bridge mode not working

  I am trying to configure ACE 4710 bridge mode and I am stuck up in physical interface configuration. I have configured gig1/2 of ACE as trunk port and on layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried trunk port also but it got disabled due to BPDU error.
  I am not able to ping servers as well as gateway. Below are the topology and context configuration:
  Router   (vlan 13: IP 172.16.11.254)
       |
  ACE     (int gig1/2)
       |
  L2 Switch
       |
  Servers (vlan 11: IP 172.16.11.1 and 11.2)
  Admin Context
  ===========
  resource-class rc1
    limit-resource all minimum 0.00 maximum unlimited
    limit-resource sticky minimum 0.20 maximum unlimited
  boot system image:c4710ace-mz.A3_2_4.bin
  interface gigabitEthernet 1/1
    switchport access vlan 1000
    no shutdown
  interface gigabitEthernet 1/2
    switchport trunk allowed vlan 11,13
    no shutdown
  interface gigabitEthernet 1/3
    shutdown
  interface gigabitEthernet 1/4
    shutdown
  access-list ALL line 8 extended permit ip any any
  access-list everyone line 8 extended permit ip any any
  access-list everyone line 16 extended permit icmp any any
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  interface vlan 1000
    ip address 172.16.16.16 255.255.255.0
    access-group input ALL
    service-policy input remote_mgmt_allow_policy
    no shutdown
  ip route 0.0.0.0 0.0.0.0 172.16.16.254
  context test
    allocate-interface vlan 11
    allocate-interface vlan 13
    member rc1
  test Context
  =========
  access-list bpdu-fixup ethertype permit bpdu
  access-list ALL line 8 extended permit ip any any
  access-list ALL line 16 extended permit icmp any any
  rserver host srv1
    ip address 172.16.11.1
    inservice
  rserver host srv2
    ip address 172.16.11.2
    inservice
  serverfarm host srv
    rserver srv1
      inservice
    rserver srv2
      inservice
  sticky ip-netmask 255.255.255.255 address both SG1
    timeout 120
    serverfarm srv
  class-map type management match-any remote-mgmt
    201 match protocol snmp any
    202 match protocol ssh any
    203 match protocol icmp any
    204 match protocol http any
    205 match protocol https any
    206 match protocol xml-https any
  class-map match-all slb-vip
    2 match virtual-address 172.16.11.10 any
  policy-map type management first-match remote-mgmt
    class remote-mgmt
      permit
  policy-map type loadbalance first-match slb
    class class-default
      sticky-serverfarm SG1
  policy-map multi-match client-vips
    class slb-vip
      loadbalance vip inservice
      loadbalance policy slb
      loadbalance vip icmp-reply
  interface vlan 11
    bridge-group 1
    access-group input bpdu-fixup
    access-group input ALL
    access-group output ALL
    no shutdown
  interface vlan 13
    bridge-group 1
    access-group input bpdu-fixup
    access-group input ALL
    access-group output ALL
    service-policy input remote-mgmt
    service-policy input client-vips
    no shutdown
  interface bvi 1
    ip address 172.16.11.9 255.255.255.0
    no shutdown
  ip route 0.0.0.0 0.0.0.0 172.16.11.254
  Could you pls. suggest where I am doing wrong?
  Thanks,
  Pawan

  " I tried trunk port also but it got disabled"   <----- if your L2 config is not correct, nothing will work.
  What is the setup on the switch ? Trunk or access vlan ?
  What is the status of the interface ? up ? down ?
  Do you see something in your arp table ?
  Gilles.

• ACE MODULE IN BRIDGE MODE NOT LOADBALANCING

  Hi,
  I setup an ace module in bridge mode as follows:
  mfsc(vla80) > (vla80)outside fwsm, fwsm inside(vla40) > (vla40)ace-clientside, aceserverside(vla41)
  and the servers have the fwsm svi(vla40) as their gateway. But, the ace is not loadbalancing.
  The config script is attached. Is their anything I am missing?
  Attach

  Check my troubleshooting guide on this forum.
  There are few things to do to narrow down the issue.
  Gilles.

• Ace module in bridged mode with client nat

  Could someone confirm whatever a NAT is supported for ACE-20 module, please?
  Let me to explain technical details.
  I do need to convert working CSM(SLB) config to ACE configuration and I am not quite sure
  if the configuration below is correct. ACE module should be configured in bridge mode with two
  vlans - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
  NAT on ACE configurad as "nat dynamic 1025 vlan 436" into corresponding
  "policy-map type loadbalance"
  Could you check two parts of configs and advise me if the ACE config is
  properly converted from CSM and will be working in the same way (especialy for NAT).
  Thank you in advance.
  CSM config
  =======
  vlan 36 client
    ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
    gateway 10.36.3.1
  vlan 436 server
    ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
  natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
  sticky 30 netmask 255.255.255.255 address source timeout 60
  probe SHAREPOINT tcp
    interval 30
    failed 120
    open 3
    port 80
  probe WEBMAIL-443 tcp
    interval 5
    failed 60
    open 2
    port 443
  serverfarm WEBMAIL-443
    nat server
    nat client WEB-MAIL
    predictor leastconns
    real 10.36.3.101 443
     inservice
    real 10.36.3.102 443
     inservice
    probe WEBMAIL-443
  serverfarm WEBMAIL-80
    nat server
    nat client WEB-MAIL
    predictor leastconns
    real 10.36.3.101 80
     inservice
    real 10.36.3.102 80
     inservice
    probe SHAREPOINT
  vserver WEBMAIL-443
    virtual 10.36.3.100 tcp https
    serverfarm WEBMAIL-443
    sticky 60 group 30
    replicate csrp sticky
    replicate csrp connection
    persistent rebalance
    inservice
  vserver WEBMAIL-80
    virtual 10.36.3.100 tcp www
    serverfarm WEBMAIL-80
    replicate csrp connection
    persistent rebalance
    inservice
  ACE config
  =======
  probe tcp WEBMAIL-443
    interval 5
    open 2
    passdetect interval 60
    port 443
  probe tcp SHAREPOINT
    interval 30
    open 3
    passdetect interval 120
    port 80
  serverfarm host WEBMAIL-443
    predictor leastconns
    probe WEBMAIL-443
    rserver 10-36-3-101 443
      inservice
    rserver 10-36-3-102 443
      inservice
  serverfarm host WEBMAIL-80
    predictor leastconns
    probe SHAREPOINT
    rserver 10-36-3-101 80
      inservice
    rserver 10-36-3-102 80
      inservice
  class-map match-all WEBMAIL-80
    match virtual-address 10.36.3.100 tcp eq www
  class-map match-all WEBMAIL-443
    match virtual-address 10.36.3.100 tcp eq https
  sticky ip-netmask 255.255.255.255 address source 30
    serverfarm WEBMAIL-443
    replicate sticky
    timeout 60
  policy-map type loadbalance first-match WEBMAIL-80
    class class-default
      serverfarm WEBMAIL-80
      nat dynamic 1025 vlan 436 serverfarm primary
  policy-map type loadbalance first-match WEBMAIL-443
    class class-default
      sticky-serverfarm 30
      nat dynamic 1025 vlan 436 serverfarm primary
  parameter-map type http HTTP_ADV_OPT
    persistence-rebalance
  policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
      appl-parameter http advanced-options HTTP_ADV_OPT
      loadbalance policy WEBMAIL-80
      loadbalance vip inservice
      loadbalance vip icmp-reply active
    class WEBMAIL-443
      appl-parameter http advanced-options HTTP_ADV_OPT
      loadbalance policy WEBMAIL-443
      loadbalance vip inservice
      loadbalance vip icmp-reply active
  interface vlan 36
    bridge-group 36
    service-policy input IFVLAN36-POLICY
    mac-sticky enable
    no shutdown
  interface vlan 436
    bridge-group 36
    nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
    no shutdown
  interface bvi 36
    ip address 10.36.3.3 255.255.255.0
    peer ip address 10.36.3.4 255.255.255.0
    no shutdown

  Hello F.Makarenko-
    You will want to use PAT while you do nat, so change the natpool configuration to this:
     nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
    You also need to apply the nat like this:
  policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
      appl-parameter http advanced-options HTTP_ADV_OPT
      loadbalance policy WEBMAIL-80
      loadbalance vip inservice
      loadbalance vip icmp-reply active
      nat dynamic 1025 vlan 436
    class WEBMAIL-443
      appl-parameter http advanced-options HTTP_ADV_OPT
      loadbalance policy WEBMAIL-443
      loadbalance vip inservice
      loadbalance vip icmp-reply active
      nat dynamic 1025 vlan 436
  If you are going to build out a lot of classes, you can instead do source nat like this:
  policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
      appl-parameter http advanced-options HTTP_ADV_OPT
      loadbalance policy WEBMAIL-80
      loadbalance vip inservice
      loadbalance vip icmp-reply active
  class WEBMAIL-443
      appl-parameter http advanced-options HTTP_ADV_OPT
      loadbalance policy WEBMAIL-443
      loadbalance vip inservice
      loadbalance vip icmp-reply active
  class class-default
      nat dynamic 1025 vlan 436
  Regards,
  Chris Higgins

• ACE redundancy with bridge mode

  I need configure redundancy between two ACE modules (no problem). There is context in bridge mode. My question is, in which state is standby context. Is it in blocked state (that means, it not ansfer to any L2 requests) similar as for example ASA? I need explain loop-free topology.
  can anybody explain me, how it works?

  Yes, that's correct.
  If you have a redundant setup, don't forget to allow the Spanning-tree BPDUs!
  Create an ACL that permits BPDUs and configure it on the both ACEs on the client- and serverside:
  access-list NONIP ethertype permit bdpu
  int vlan 10 ! client-side
  access-group input NONIP
  int vlan 20 ! server-side
  access-group input NONIP
  more info:
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/bridge.html#wp1174530
  Please rate if this was useful for you.
  Kind regards,
  Dario

• SNAT on ACE 4700 in bridging mode

  Hi,
  I would like to implement Source-NAT for some traffic, but not all traffic for the ACE 4700. The ACE 4700 will be configured as a bridge.
  Can I configure Source-NAT using an extended access-list when the ACE 4700 is used as a bridge? I need Source-NAT for servers that need to access the VIPs on the ACE. All VIPs and real servers are on the same IP subnet. I was going to configure the ACE as a bridge so that IP addresses don't have to change.
  Let me know how Source-NAT will work in this bridging scenario. If not, what examples or options do I have?
  Thank you.

  Thanks, Gilles!
  So, does it mean I can just use a standard access-list to identify traffic for Source-NAT? Meaning, I can just Source-NAT based on source IP addresses instead of using an extended access-list to specify both source address and destination VIP?

• ACE in bridged mode and multicast

  We have configured an ACE SM in bridge mode and have a requirement to enable multicast on one of the networks where the back-end servers are residing. Will ACE support multicast out of the box, or will we need to do any tweaking on the ACE to enable the multicast support?
  Thanks..

  Hi Gilles,
  Is it also supported in routed mode?
  The ace isn't doing multicast routing right?
  Actually, the server-side vlan is being routed on the C6500 and has pim sparse-dense mode enabled.
  We want to move this server-side vlan behind the ace in routed mode. What about the pim?
  Any ideas?
  thanks,
  Dario

• ACE bridge mode , FWSM routed mode

  i have the following senario:
  MSFC ---vlan 777----FWSM----vlan160---ACE----VLAN180
  FWSM is working in routed mode and vlan 777 is shared between the MSFC and FWSM
  ACE is working in bridged mode and vlan 160 is shared between the FWSM and ACE
  vlan 180 is the server side vlan
  i want he FWSM ip address to be the Server gateway while ACE module in
  bridge mode
  i create bvi interface but i can't ping from ACE to FWSM or from FWSM to
  ACE
  if i change ACE to routed mode , i can ping to FWSM
  any body can help me in this issue?

  The config looks good.
  I would look at the arp table on FWSM and ACE when the ping fails and also capture a sniffer trace of ACE tengig interface and see if the ping request goes out - on which vlan - and if we get a response.
  Is evertyhing else working ?
  Like ping through the ACE module ?
  Your config does not show a 'no shutdown' on the vlan interface, but I assume you fixed that already.
  Gilles.

• PBR with ACE in bridge mode

  I have one ACE configured in bridge mode.
  for proxy users : they have the VIP as proxy so the traffice from the client with destination the VIP
  but there are some users without proxy so we used the Policy Base Routing and it is working and can see the connections on the ACE
  but with destination IP of the websites so the traffice is not comming back as show below
  BC-LB1/BlueCoat# sho conn | include 10.1.50.10
  1782765    1  in  TCP   210  10.1.50.10:52052      67.195.160.76:80      SYNSEEN
  1355728    1  out TCP   210  67.195.160.76:80      10.1.50.10:52052      INIT
  BC-LB1/BlueCoat#
  in the PBR , we used the VIP as next hop address.
  please advice what is the problem?
  thanks in advance

  Good afternoon,
  As you mentioned, it seems the return traffic is not coming back through the ACE. You should review your PBR configuration to ensure that also the return traffic is matched and sent to the ACE
  Regards
  Daniel

• Firewall Load Balance using bridged mode ACE

  Dear Folks,
  I 'd like to load balance 2 ASA using 3 ACE [ Inside,outside,dmz network zone]
  I 've seen sample configuration, all of them are running the ACE in the route mode, and asa are running in route mode
  Would it be possible to run the ACE in the bridge Mode, because the ip subneted problem, We don't have enough to split,,
  by the way if possible,All server that install behind ACE, what is default gateway should Server Point to [ in our case we have 2 independent firewall ] should I create the VIP for both firewall ? or should I just simply set the server's gateway to BVI interface, ?
  Please Help Thanks

  Thank you very much Gilles,
  You 're the man. ;-)
  Another question in my case I try to load balance 3 interface firewall [inside,outside,dmz] in order to make the packet return the same firewall it has passed earlier,
  What kind of hashing technique do I need to use and Do i need to use mac sticky command ???
  I tried to find some configuration sample from cisco website , but i only found with only 2 interface with ACE running source hash and destination hash in each ends,
  Thank you very much

• ACE in bridge mode with FWSM as gateway

  our design
  FWSM--vlan 7--ACE-vlan 8---servers with default gateway as FWSM
  originally there were no plans of servers looking to load balance traffic when they wanted to communicate each other. now there is a need this
  since ACE is in bridge mode, there are no ip address to VLAN configured on it and cant do source NAT
  what we want servers in serverfarm A can contact a single ip which can be load balanced and traffic to be sent to serverfarm B. both serverfarms reside in vlan 8 and ace is in bridge. with VLAN not having IP how can we get this working. we were looking to create a policy on ACE with an ip address in vlan 8 and then do a source NAT to send the traffic to serverfarm 7.
  with FWSM as the default gateway, by enabling permit intra traffic , it doesnt work because the command routes the traffic, dont think will send the traffic back to the same vlan
  e.g static (inside,outside) 10.7.0.1 10.7.8.13 and allow intra traffic.
  so when a machine 10.7.8.11 pings 10.7.0.1 it goes to the FWSM but fwsm doesnt look for 10.7.8.13
  with ACE in bridge and FWSM doing above how to get around. can something be done on ACE in bridge mode with source NAT
  Thanks

  First, why don't you have an ip in your ACE vlan ?
  Then, for traffic hitting a vip, we can do source nating even in bridge mode.
  But if the vip is not an ip in vlan 8, your server will anyway send the traffic to the FWSM and ACE will first bridge the request.
  The FWSM should then send the request back to ACE (not sure how this can be done).
  So the request from the server will actually hit the vip on vlan 7 (not vlan 8).
  So your policy-map with client nat must be on vlan 7.
  Another option would be to configure a static route on the server to point the vip to the ACE vlan 8 ip address (which you should have configured).
  In this case, the policy-map will have to be in vlan 8 with client-nat.
  Gilles.

• Need help to Configure Cisco ACE 4710 Cluster Deployment

  Dear Experts,
  I'm newbie for Cisco ACE 4710, and still I'm in learning stage. Meanwhile I got chance at my work place to deploy a Cisco ACE 4710 cluster which should load balance the traffic between  two Application Servers based on HTTP and HTTPS traffic. So I was looking for good deployment guide in Cisco SBA knowledge base then finall found this guide.
  http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
  This guide totally fine with my required deployment model. I have same deployment environment as this guide contains with ACE cluster that connects to two Cisco 3750X (Stack) switches. But I have some confusion places in this guide
  This guide follow the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured server VLAN as a 10.4.49.0/24 (all servers reside in it) and Client side VIP also in same VLAN which is 10.4.49.100/24 (even NAT pool also).
  My confusion is, as I have learned about Cisco ACE 4710 one-armed mode deployment method, it should has two VLAN segments, one for Client side which client request come and hit the VIP and then second one for Server side. which means besically two VLANs. So please be kind enough to go through above document then tell me where is wrong, what shoud I need to do for the best. Please this is an urgent, so need your help quickly.
  Thanks....!
  -Amal-

  Dear Kanwal,
  I need quick help for you. Following are the Application LB requirements which I received from my clinet side.
  Following detail required for configuring Oracle EBS Apps tier on HA:
  LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
  Suggested IP and Name for LBR:
  IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
  ebiz.xxxx.lk [on port 80 for http protocol accessibility]
  This LBR IP & name must be resolve and respond on DNS network
  Server Farm detail for LBR Setup
  Following detail will be use for configuring the LBR:
  LBR IP and Name :
  IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
  ebiz.xxxx.lk [on port 80 for http protocol accessibility]
  This LBR IP & name must be resolve and respond on DNS network
  Server Farm Detail for LBR setup:
  Server 1 (EBS App1 Node, ap1ebs):
  IP : 172.25.45.19
  Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
  Protocol: http
  Port: 8000
  Server 2 (EBS App2 Node, ap2ebs):
  IP : 172.25.45.20
  Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
  Protocol: http
  Port: 8000
  Since my client needs to access URL ebiz.xxxx.lk which should be resolved by IP 172.25.45.21 (virtual IP) via http (80) before they deploy the app on the two servers I just ran web service on both servers (Linux) and was trying to access http://172.25.45.21 it was working fine and gave me index.html page. Now after my client has deployed the application then when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers when I type http://172.25.45.21 it will get index.html page, but not my client web login page. What can I do for this ?
  Following are my latest config :
  probe http Get-Method
    description Check to url access /OA_HTML/OAInfo.jsp
    interval 10
    faildetect 2
    passdetect interval 30
    request method get url /OA_HTML/OAInfo.jsp
    expect status 200 200
  probe udp http-8000-iRDMI
    description IRDMI (HTTP - 8000)
    port 8000
  probe http http-probe
    description HTTP Probes
    interval 10
    faildetect 2
    passdetect interval 30
    passdetect count 2
    request method get url /index.html
    expect status 200 200
  probe https https-probe
    description HTTPS traffic
    interval 10
    faildetect 2
    passdetect interval 30
    passdetect count 2
    ssl version all
    request method get url /index.html
  probe icmp icmp-probe
    description ICMP PROBE FOR TO CHECK ICMP SERVICE
  rserver host ebsapp1
    description ebsapp1.xxxx.lk
    ip address 172.25.45.19
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    probe http-probe
    inservice
  rserver host ebsapp2
    description ebsapp2.xxxx.lk
    ip address 172.25.45.20
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    probe http-probe
    inservice
  serverfarm host ebsppsvrfarm
    description ebsapp server farm
    failaction purge
    predictor response app-req-to-resp samples 4
    probe http-probe
    probe icmp-probe
    inband-health check log 5 reset 500
    retcode 404 404 check log 1 reset 3
    rserver ebsapp1 80
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      inservice
    rserver ebsapp2 80
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      inservice
  sticky http-cookie jsessionid HTTP-COOKIE
    cookie insert browser-expire
    replicate sticky
    serverfarm ebsppsvrfarm
  class-map type http loadbalance match-any default-compression-exclusion-mime-type
    description DM generated classmap for default LB compression exclusion mime types.
    2 match http url .*gif
    3 match http url .*css
    4 match http url .*js
    5 match http url .*class
    6 match http url .*jar
    7 match http url .*cab
    8 match http url .*txt
    9 match http url .*ps
    10 match http url .*vbs
    11 match http url .*xsl
    12 match http url .*xml
    13 match http url .*pdf
    14 match http url .*swf
    15 match http url .*jpg
    16 match http url .*jpeg
    17 match http url .*jpe
    18 match http url .*png
  class-map match-all ebsapp-vip
    2 match virtual-address 172.25.45.21 tcp eq www
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  policy-map type loadbalance first-match ebsapp-vip-l7slb
    class default-compression-exclusion-mime-type
      serverfarm ebsppsvrfarm
    class class-default
      compress default-method deflate
      sticky-serverfarm HTTP-COOKIE
  policy-map multi-match int455
    class ebsapp-vip
      loadbalance vip inservice
      loadbalance policy ebsapp-vip-l7slb
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 455
  interface vlan 455
    ip address 172.25.45.36 255.255.255.0
    peer ip address 172.25.45.35 255.255.255.0
    access-group input ALL
    nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
    service-policy input remote_mgmt_allow_policy
    service-policy input int455
    no shutdown
  ft interface vlan 999
    ip address 10.1.1.1 255.255.255.0
    peer ip address 10.1.1.2 255.255.255.0
    no shutdown
  ft peer 1
    heartbeat interval 300
    heartbeat count 10
    ft-interface vlan 999
  ft group 1
    peer 1
    no preempt
    priority 110
    associate-context Admin
    inservice
  ip route 0.0.0.0 0.0.0.0 172.25.45.1
  Hope you will reply me soon
  Thanks....!
  -Amal-

• ACE 4710 and load balancing with sticky cookie

  Configuring load balancing with SSL termination and stickiness for a couple of citrix xenapp servers.  I'm doing a source-NAT as the ACE resides in the DMZ and these particular servers reside on the inside arm of the firewall.  The ACE is in bridged mode to load balance web servers that reside in the DMZ.  Everything seems to work just fine, but the cookie stickiness does not seem to be working.

  Hi David,
  As you may know, using Wireshark to look at an HTTPS capture is only useful if you've installed the server SSL key.This is why I find it easier to use something like LiveHTTPHeaders or HTTPWatch.
  When using cookie-insert, the ACE will not create any dynamic cookie entries.  It will simply create one static entry for each rserver with a cookie value, such as R3911631338, and any client that gets load balanced to that rserver will receive a cookie with that value.  So what you see there is what is expected.
  You are correct in that when using location cookies that the server supplies, the ACE will create a dynamic entry when it sees the server response with the cookie.   The cookie is included in the server's response, and the ACE will look for the value as configured.  The cookie will also be sent to the client.  If the cookie is not in the server's first response, you will need enable persistence-rebalance so that it will look in subsequent server responses.  If the browser opens new connections with that cookie, then the ACE will stick to the same server.
  My suggestion would be to get sticky working with cookie-insert first.  Then if that meets your needs, go with that permanently.  If you need to use server cookies, then once cookie insert is working, migrate your sticky to cookie location.
  Sean

• Design question: ACE module connected to 2 different L3 engine while in bridge mode

  fellow engineers,
  i have been working on a design model , where the ACE mldule will provide SLB for both virtual and real servers. we have been deploying several UCS systems and the customer would like to use the ACE as our Enterprise SLB layer
  configured in bridcge mode.
  the msfc within the 6509 provide the L3 routing. however we may extends multiple vlans (v160-v163) via nexus switch layer (7k,5k,2k) to a FW appliance which now is the svi interface for the extended vlans. these vlans will be configured on a dedicated context.
  the extension is based on the bridge mode operation as follow:
  need help with the following:
  1) if i have 4 bvi's configured, do i need to have default route configured?
  2) my total count for vlans are: v160-v163 for server vlans, and v101 is the management vlan. the svi for this vlan is on the msfc card. the server GW are pointing to each dedicated svi's on  the  FW+L3 apliance.
  3) if my default route on the context is pointing to the v160 svi on the FW+L3 engine, will that prevent the return traffic for other vlans ( v161-v163) from the ace toward the client?
  4) is default route neccessary if you hae the ace in bridge mode.
  it was brought to my attention that if you have multiple vlans configured in bridge mode pointing to another L3 engine, then each vlan would have to be configured on seperate context since you can only have one default route per context.
  i appreciate any feedback on this inquiry. if you need additional information please le me know.
  thanks and best regards,
  raman azizian

  Hi Raman,
  You can have up to eight default routes in one context. What the ACE is doing with the entries is to create a ARP-entry with the name GATEWAY. If you need more then eight entries, just declare gateway as rservers. In that case the ARP-entry is stored as RSERVER instead of GATEWAY. The trick is to tell ACE to learn the MAC-address for the IP-address and store it int the ARP-table. The ACE never learn for itself a MAC-address. Don't forget mac-sticky enable on vlan's facing gateway.
  I'm running one context in bridge mode and have 18 bvi's with FW and Router 6509 as gateways.
  Exampel:
  Interface to ROUTER 6509
  interface vlan 300
    bridge-group 300
    no normalization
    mac-sticky enable
    access-group input BPDU
    access-group input alla
    access-group output alla
    service-policy input lb-int-vlan300
    no shutdown
  rserver host 300GATEWAY
    ip address 164.135.121.47
    inservice
  A#1/prod1# sho arp | i 164.135.121.47
  164.135.121.47  00.08.e3.ff.fc.14  vlan300   RSERVER    4775   239 sec      up
  A#1/prod1#
  Interface to FIREWALL
  interface vlan 802      
    bridge-group 802
    no normalization
    mac-sticky enable
    access-group input BPDU
    access-group input alla
    access-group output alla
    service-policy input lb-int-vlan802
    no shutdown
  rserver host 802GATEWAY
    ip address 192.168.137.1
    inservice
  192.168.137.1   00.23.33.6a.bf.80  vlan802   RSERVER    4785   5 sec        up
  Regards
  Mats

• ACE problem - bridge mode - behind a firewall

  Hello
  We are having problems with one of you ACE context, this implementation was done by a supplier and I am trying to troubleshoot it.
  The clients and the servers are on different subnets, there is a Nokia firewall in the middle. The firewalls are setup on a cluster.
  Connecting to port 7072 is taking at least 30 seconds. If I move the server into the VLAN in front of the ACE, the connection is instant. So it does indicate a problem on the ACE.
  The client IP is .99.11.
  The VIP is .100.62 and the server node is .100.12.
  Running the capture command I can see the following behavior:
  1. The client initiates the connection to the ACE Vip
  2. At the same time it looks like a second connection is initiated from the client to the server node
  Please see attachment.
  Is this a normal situation where the connection is duplicated?
  Does this interface setup look correct?
  Is the bridge mode the correct setup in this scenario?
  interface vlan 10
  bridge-group 2
  no normalization
  mac-sticky enable
  access-group input PERMITALL
  service-policy input VLAN10-INTER-MMPM
  no shutdown
  interface vlan 15
  bridge-group 2
  no normalization
  access-group input PERMITALL
  no shutdown
  interface bvi 2
  ip address 192.168.100.7 255.255.255.192
  alias 192.168.100.6 255.255.255.192
  peer ip address 192.168.100.8 255.255.255.192
  no shutdown
  ip route 0.0.0.0 0.0.0.0 192.168.100.1
  Many thanks,
  Damian

  Thanks for replying James,
  I am sure I configured the capture only for VLAN10 which is in the VIP side.
  But you are right, it looks like is showing both VLAN10 and VLAN15. So that is one of my theories out of the window! :)
  This is a new installation, still on the testing stage. So it would be good time to make changes.
  Do you normally implement a routed setup behind a firewall? Rather than a bridged….
  It is quite a small setup:
  • Traffic is coming from a separate local subnet
  • Traffic is not coming from the internet so it does not required a NAT
  • We need 1 VIP listening on two ports
  • The backend servers are four Linux boxes
  Thanks again,
  Damian