ACE module contents of disk: erased

well - infact the whole lot - all config wiped, all that is left in the disks is the software and a few other files. I read from core: a file called
ixp1_crash.txt which was time exactly one hour and 2 mins before info in ha_mgr logs showed the device failing over.
any ideas ???
Ta muchly

Hi,
I will recommend to open a TAC case in order to analyze the core file, and it seems to be a HW issue, but it would be better to check with TAC in order to have a solid answer.
Cheers,
Rodrigo.

Similar Messages

Reuse of context in ACE module

Hi all, just have a question about som reuse of resources in a ACE module context. I don't want to make a new context, and can reuse most of the existing configuration in one of my context. The config is not complex and difficult, but I'm not sure if I can do this.
The primary goal is to loadbalance 2 webservers with a new vip, new serverfarm, stickygroup, policy-map and different nat-pool.
Since I haven't decided the ip addresses to be used, they are just xx in the config below.
The changes I want to implement are in bold. Will this work for me?
probe http WEBGUI_D2
description Probe for http mot webgui
interval 10
passdetect interval 10
passdetect count 1
request method get url /D2/auth/login.aspx
expect status 200 302
header User-Agent header-value "IDENTITY"
rserver host cwi003
description content server logon
ip address 10.163.22.27
inservice
rserver host cwi004
description content server logon
ip address 10.163.22.28
inservice
rserver host cwi503
description content server logon 2
ip address 10.163.22.23
inservice
rserver host cwi504
description content server logon 2
ip address 10.163.22.24
inservice
serverfarm host SF_LOGON_D2
probe WEBGUI_D2
rserver cwi003 80
   inservice
rserver cwi004 80
   inservice
serverfarm host SF_LOGON2_D2
probe WEBGUI_D2
rserver cwi503 80
   inservice
rserver cwi504 80
   inservice
sticky ip-netmask 255.255.255.255 address source STICKYGROUP1
timeout 20
replicate sticky
serverfarm SF_LOGON_D2
serverfarm SF_LOGON2_D2
class-map match-all VS_LOGON_D2
3 match virtual-address 10.163.22.13 any
class-map match-all VS_LOGON2_D2
3 match virtual-address 10.163.22.xx any
policy-map type loadbalance first-match PM_ONE_ARM_LB
class class-default
   sticky-serverfarm STICKYGROUP1
policy-map multi-match PM_ONE_ARM_MULTI_MATCH
class VS_LOGON_D2
   loadbalance vip inservice
   loadbalance policy PM_ONE_ARM_LB
   nat dynamic 5 vlan 1240
class VS_LOGON2_D2
   loadbalance vip inservice
   loadbalance policy PM_ONE_ARM_LB
   nat dynamic 6 vlan 1240
interface vlan 1240
description Client_server
ip address 10.163.22.11 255.255.255.0
peer ip address 10.163.22.12 255.255.255.0
access-group input INBOUND
nat-pool 5 10.163.22.14 10.163.22.17 netmask 255.255.255.192 pat
nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
service-policy input PM_ONE_ARM_MULTI_MATCH
no shutdown
ip route 0.0.0.0 0.0.0.0 10.163.22.1
BR
Geir

Thanks for your reply.
Hope I understand you correct. This sould be the config I need to paste into the existing context.
rserver host cwi503
description content server logon 2
ip address 10.163.22.23
inservice
rserver host cwi504
description content server logon 2
ip address 10.163.22.24
inservice
serverfarm host SF_LOGON2_D2
probe WEBGUI_D2
rserver cwi503 80
    inservice
rserver cwi504 80
    inservice
sticky ip-netmask 255.255.255.255 address source STICKYGROUP2
   timeout 20
   replicate sticky
   serverfarm SF_LOGON2_D2
class-map match-all VS_LOGON2_D2
   3 match virtual-address 10.163.22.xx any
policy-map type loadbalance first-match PM_ONE_ARM_LB2
class class-default
    sticky-serverfarm STICKYGROUP2
policy-map multi-match PM_ONE_ARM_MULTI_MATCH
class VS_LOGON2_D2
    loadbalance vip inservice
    loadbalance policy PM_ONE_ARM_LB2
    nat dynamic 6 vlan 1240
interface vlan 1240
nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
Br
Geir

Simple SLB with the ACE Module

Hello,
i have some problems with a ACE module i am currently tesing.
I have a simple Serverfarm with two Servers.
But there seems to be some Problems with the Loadbalancing i not understand:
1) I use Round Robin, but the ACE seems to put me serval times to the same server. I notice this, because i have different content on both servers, also different URLs.
2) withz the show serverfarm statement the total connects do not increment.
switch/slb-c1# show serverfarm webfarm
serverfarm : webfarm, type: HOST
total rservers : 2
----------connections-----------
real weight state current total
---+---------------------+------+------------+----------+--------------------
rserver: web1
10.0.33.201:0 8 OPERATIONAL 0 0
rserver: web2
10.0.33.200:0 8 OPERATIONAL 0 0
switch/slb-c1# show service-policy L4_LB_VIP
Status : ACTIVE
Interface: vlan 300
service-policy: L4_LB_VIP
class: L4_VIP_CLASS
loadbalance:
L7 loadbalance policy: L7_SLB_POLICY
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
curr conns : 0 , hit count : 15
dropped conns : 0
client pkt count : 10198 , client byte count: 420991
server pkt count : 23367 , server byte count: 34915173
I have attatched the Config.
Any Idea what is going on?

what version do you have ?
I would recommend to run the very recent A1.4.
This is something that really should work.
Gilles.

ACE Module support loadbalance rmi, ajp, jms, etc?

Hello,
Do you know if ACE Module support balance the follow protocols:
1. rmis
2. ajp
3. jms
4. IIOP
5. CORBA
6. IIOPS
I know that ACE module support http, https and tcp/udp port.
Best Regards

Hi Alvaro,
There are no specific handlers in ACE for the protocols listed. RMI over IIOP and majority of CORBA implementations are TCP socket based and typically require persistent (Sticky) assignments to real servers if load-balanced, so generic ACE loadbalancing predictors, probes and sticky features should suffice. If you need to do a deeper inspection you can use the Generic Protocol Parsing, and custom Probe (TCL) capabilities to track content of interest. Same applies for JMS and AJP, although there are different transports for these prototocls (i.e. JMS over HTTP) which may change configuration requirements.
In general, since these protocols are used for stateful application integration, long running transactions, messaging, and data access...and they are very sensitive to object namespace/target references you should detail individual use case requirements and applicability of external application delivery controller based load balancing (i.e. using ACE).
Let me know if this helps or if you need more detail. Thanks. -George

A problem with ACL in the class-map on the ACE module

Hi all,
I configured the following on the ACE module:
object-group network test
host 192.168.1.21
host 192.168.1.22
host 192.168.1.23
object-group service port
tcp eq www
tcp eq 8080
access-list T line 8 extended permit object-group port object-group test any
I tried to configure a class-map for matching this ACL:
ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
Error: Cannot associate acl having object-group ACEs in class-map.
So couldn't I configure the class-map by using ACL with object-groups involved? Is it the bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACL without object-groups for the traffic classification. It is horrible.
Thank you
Roman

Hi Roman,
I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
Regards
Daniel

HT4972 I replaced the computer I originally used to synch my iPhone. I get the message stating that my content will be erased, even though this is the computer I now synch with. Is there a way to make the update recognize the new computer?

I replaced the computer I originally used to synch my iPhone. When trying to update to iOS5.0, I get the message stating that my content will be erased, even though this is the computer I now synch my phone with. Is there a way to make the update recognize the new computer so that my content will be kept?

The best option is to copy your entire iTunes folder from your old computer to your new one using one of the methods described here: http://support.apple.com/kb/HT4527. This will allow iTunes on your new computer to recognize and sync with your phone without deleting content. You will also need to copy over any other synced data not in your iTunes library such as photos synced to your phone, calendars and contacts.
If you can't do this, these articles will help you start syncing with your new computer with minimal or no data loss:
Syncing to a "New" Computer or replacing a "crashed" Hard Drive
Recovering your iTunes library from your iPod or iOS device

External Drive Disk Erase Failed with the Error Input/Output Error

I have 2 hard drives in an external FW800 enclosure that I am unable to format. When I go to initialize the drives in Disk Utility, I get the following error message: "Disk Erase failed with the error: Input/output error."
The drives show up in Disk Utility, but I can't repair them (that option is grayed out). Disk Utility correctly ID's the manufacturer of the drives (Maxtor), their size (200gb each), so it's obviously seeing that the drives are there. But it won't let me format them.
The drives are new, by the way; they don't have any data/files on them. I have Disk Warrior, but the drives don't show up there to be repaired -- probably because they aren't formatted yet.
After looking at other posts, I tried switching the jumper settings around on the drives -- from Master/Slave to cable select and back again, but it didn't help. I also tried doing a zero erase (even though the drives are new), zapping the PRAM -- again, no help.
One question I had is whether this could be a bad FW800 cable? The cable is new -- it came with the enclosure, which is an OWC Dual FW 800 enclosure. Other than that, does anyone have any other thoughts about what's causing this? Any help would be greatly appreciated.
Matthew

SOLUTION!!!!
I had the exact same problem. I have the original 20 GB hard drive that came in my Powerbook G4 550MHz and a couple of years ago I traded up for a 60 GB drive and bought a FW/USB enclosure for my original drive to use it to backup my important files. I hadn't backed up in over a year (shame on me!) and I decided maybe I should erase the drive and start from scratch. It was connected via USB.
At that point DiskUtility gave me the exact same Input/Output error. I tried partitioning the drive into 1 or more partitions but came up with the same error. I couldn't figure out what was wrong so I decided to startup in OS 9.2.2, I did that and let it start up, then plugged in the hard drive and it gave me the standard "This disk is unrecognizable, do you want to eject or erase?" so I clicked Initalize. It worked!
Just make sure you choose the MacOS Extended option when initializing out of OS 9 (instead of the MacOS Standard option) so it can be read and viewed in OS X.
If your computer is too new to be able to boot from an OS 9 folder on your drive or an OS 9 CD, then see if a friend or a local library has older computers that are running OS 9 or can boot from it. If not let me know and you can send me your drive and I'll reformat it.
Kind of crazy...I haven't used the OS 9 partition on my HD in YEARS...was even thinking about erasing it since I don't use any Classic applications anymore...good thing I didn't!
Nick
Powerbook G4 550Mhz Mac OS X (10.4.6)

Is my HD Dead? Reformat Disk Utility Error: secure disk erase failed with the error could not open disk.

Hi,
Fed up with seeing the spinning beach ball I decided to reformat my MacBook Pro...
After backing up everything on an external hard drive I put in the OSX install DVD, restarted the machine and held down 'C'.
I followed the install prcedure, clicking next a few times etc...
I then went into Utilities > Disk Utility. I chose 7-Pass to erase the Macintosh HD and set it off erasing.
I checked the process an hour in and message on screen read:
Secure disk erase failed with the error:
could not open disk
The internal hard drive no longer exists in the disk utility so I cant retry erasing it.
The only thing that appears in disk utility is the OSX install DVD.
I can't even shut down the mac as everything under the apple tab is greyed out!
I'm guessing this means my hard drive is broken right?
If anyone has any other ideas of what to try I'd really appreciate that.
How do I turn the machine off?
If my hard drive is gone then should I consider getting an SSD drive?
Any recommendations for such a drive would be great.
Hope you can help!

Did you partition the drive?
Extended Hard Drive Preparation
1. Open Disk Utility in your Utilities folder. If you need to reformat your startup volume, then you must boot from your OS X Installer Disc. After the installer loads select your language and click on the Continue button. When the menu bar appears select Disk Utility from the Installer menu (Utilities menu for Tiger or Leopard.)
2. After DU loads select your hard drive (this is the entry with the mfgr.'s ID and size) from the left side list. Note the SMART status of the drive in DU's status area. If it does not say "Verified" then the drive is failing or has failed and will need replacing. SMART info will not be reported on external drives. Otherwise, click on the Partition tab in the DU main window.
3. Click on the Options button, set the partition scheme to GUID (only required for Intel Macs) then click on the OK button. Set the number of partitions from the dropdown menu (use 1 partition unless you wish to make more.) Set the format type to Mac OS Extended (Journaled.) Click on the Partition button and wait until the volume(s) mount on the Desktop.
4. Select the volume you just created (this is the sub-entry under the drive entry) from the left side list. Click on the Erase tab in the DU main window.
5. Set the format type to Mac OS Extended (Journaled.) Click on the Options button, check the button for Zero Data and click on OK to return to the Erase window.
6. Click on the Erase button. The format process can take up to several hours depending upon the drive size.
Steps 4-6 are optional but should be used on a drive that has never been formatted before, if the format type is not Mac OS Extended, if the partition scheme has been changed, or if a different operating system (not OS X) has been installed on the drive.

How to Virtual IP configuration in ACE module?

Hi,
I am in the process of configuring load balancing on ACE module but struggling to configure virtual IP address for ACE module.
I'm working on ACE30 module and using software version A5 (1.2). ACE module is in slot of Catalyst 6504 switch.
Can anybody please post the steps/commands to perform this activity? An early response would be appreciated.
Regards,
Rachit.

Hi Rachit,
Here is a basic configuration example:
access-list Allow_Access line 10 extended permit ip any any
rserver host test
ip address 10.198.16.98
inservice
rserver host test2
ip address 10.198.16.93
inservice
serverfarm host test
rserver test 80
    inservice
rserver test2 80
    inservice
sticky http-cookie test group2
cookie insert
serverfarm test
class-map match-all VIP
2 match virtual-address 10.198.16.122 tcp eq www
policy-map type loadbalance first-match test
class class-default
    sticky-serverfarm group1
policy-map multi-match clients
class VIP
    loadbalance vip inservice
    loadbalance policy test
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 112
interface vlan 112
ip address 10.198.16.91 255.255.255.192
access-group input Allow_Access
nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
service-policy input NSS_MGMT
service-policy input clients
no shutdown
ip route 0.0.0.0 0.0.0.0 10.198.16.65
Here is the configuration guide:
http://tools.cisco.com/squish/101AD
Cesar R

Load Balancing on ACE Modules

hi,
Is it possible to load balance VIP hits on two ACE Modules in an active/active configuration. Or is it that only per FT group only single context could be active.
Regards.

You can have 1 context active on one ACE and the other context active on the other ACE.
If you have 2 Vip, you can have 1 vip belonging to one context and the other vip belonging to the other context.
Like this, you split the traffic between the 2 devices which allows you to handle more traffic than what 1 device could normally do.
If one device can handle all your traffic, I prefer to only have 1 active unit and 1 standby.
Easier to implement and troubleshoot.
Gilles.

Disk Erase Failed

Hello,
I have 1TB WD external hard drive connected directly to my macbook pro, I have always used it without problems, but recently it was not recognized! I went to disk utility to format the drive but I get "Disk Erase failed" "Disk Erase failed with the error: unable to write to the last block of the device", I tried going to partition but it also gave the same answer. The status of the disk in the bottom are as follows:
Name : WD Elements 1042 Media
          Type :           Disk
          Partition Map Scheme :           Unformatted
          Disk Identifier :           disk1
          Media Name :           WD Elements 1042 Media
          Media Type :           Generic
          Connection Bus :           USB
          USB Serial Number :           575846314137323034303939
          Device Tree :           IODeviceTree:/PCI0@0/XHC1@14
          Writable :           Yes
          Ejectable :           Yes
          Location :           External
          Total Capacity :           1 TB (1,000,202,043,392 Bytes)
          Disk Number :           1
          Partition Number :           0
          S.M.A.R.T. Status :           Not Supported

The drive may be defective. You can try repartitioning it before the format to see if that helps, but if not the drive or the SATA controller in the enclosure is bad. I'd guess the drive. Try formatting as a single GUID partition, OS X Extended (Journaled) NOT case sensitive and see if you get anywhere.

ACE module - Qos - set ip tos #

All,
Trying to mark traffic to/from L4 rules in the ACE.
Documentation (like always) says it's really easy. Mark traffic by using the "set ip tos <value>" command in Policy/Class configuration. Ok, so I do this, set ip tos 24.
Enable qos globally on the 6500 host, but don't see the traffic being marked.
sh mls qos says that packets are being modified by module 5 (ACE)
But I never see the tos value in any of my captures either via netflow from the host 6500, or at the firewall one hop away.
sh mls qos:
QoS is enabled globally
Policy marking depends on port_trust
QoS ip packet dscp rewrite enabled globally
Input mode for GRE Tunnel is Pipe mode
Input mode for MPLS is Pipe mode
QoS Trust state is CoS on the following interface:
Te3/1
QoS Trust state is DSCP on the following interface:
Gi2/3
Vlan or Portchannel(Multi-Earl) policies supported: Yes
Egress policies supported: Yes
----- Module [5] -----
QoS global counters:
    Total packets: 207147888661
    IP shortcut packets: 0
    Packets dropped by policing: 0
    IP packets with TOS changed by policing: 2663386
    IP packets with COS changed by policing: 4889352
    Non-IP packets with COS changed by policing: 0
    MPLS packets with EXP changed by policing: 0
Can someone explain to me what I've got wrong here? Is the ACE simply marking traffic destined for the servers behind it and not the return traffic? Am I missunderstanding something?

Well... hopefully someone knows how to classify traffic coming from the ACE.
I've given up on using the ACE to mark traffic as I'm fairly certain it won't do it. At least not the way I want.
However, now I've taken to marking ingress on the rserver switch ports... which has resulted in a partially sucessful solution. Problem is, "partially" successful.
You'll have a bunch of little conversations like this with no tos value full of push-acks:
10:29:53.527526 207.161.222.68.2828 > 205.200.114.228.http: P 2954:3455(501) ack 203152 win 65535 (DF)
10:29:53.527698 205.200.114.228.http > 207.161.222.68.2828: . ack 3455 win 32267
10:29:53.555271 207.161.222.68.2828 > 205.200.114.228.http: P 3455:3686(231) ack 203152 win 65535 (DF)
10:29:53.562676 205.200.114.228.http > 207.161.222.68.2828: P 203152:203784(632) ack 3686 win 32768
10:29:53.674758 207.161.222.68.2828 > 205.200.114.228.http: P 3686:4036(350) ack 203784 win 64903 (DF)
10:29:53.690853 205.200.114.228.http > 207.161.222.68.2828: P 203784:205244(1460) ack 4036 win 32768
10:29:53.690863 205.200.114.228.http > 207.161.222.68.2828: P 205244:206704(1460) ack 4036 win 32768
10:29:53.690871 205.200.114.228.http > 207.161.222.68.2828: P 206704:208164(1460) ack 4036 win 32768
10:29:53.690879 205.200.114.228.http > 207.161.222.68.2828: P 208164:209624(1460) ack 4036 win 32768
10:29:53.690887 205.200.114.228.http > 207.161.222.68.2828: P 209624:211084(1460) ack 4036 win 32768
10:29:53.690895 205.200.114.228.http > 207.161.222.68.2828: P 211084:212544(1460) ack 4036 win 32768
But then you'll see another conversation pop up with the correct markings
10:31:53.845287 205.200.114.228.http > 207.161.222.68.2828: . 32753:34213(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845298 205.200.114.228.http > 207.161.222.68.2828: . 34213:35673(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845306 205.200.114.228.http > 207.161.222.68.2828: . 35673:37133(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845313 205.200.114.228.http > 207.161.222.68.2828: . 37133:38593(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845321 205.200.114.228.http > 207.161.222.68.2828: . 38593:40053(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845328 205.200.114.228.http > 207.161.222.68.2828: . 40053:41513(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845335 205.200.114.228.http > 207.161.222.68.2828: . 41513:42973(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845343 205.200.114.228.http > 207.161.222.68.2828: . 42973:44433(1460) ack 1082 win 62808 (DF) [tos 0x48]
I think what's happening, is that the conversations full of the P-acks is the load balancer communicating directly with the client (i.e. LB pretending to be the server), whereas the marked traffic is "data only" which the load balancer isn't mangling (like it might/probably is doing with the p-acks) on it's way back to the client.
I also can't modify the configuration of the "virtual ten gig" interface that the 6500 uses as a connection to the ACE module, so can't mark traffic there either. And though I still have a couple of things to try, I don't believe I can do egress marking on a trunk from the 6500 either (connection to the firewalls).
So.... PLEASE... Anyone??? Ideas???

[UDP fast age support for ACE Module]

Hello,
I'm testing 2 ACE modules running A3.0.0 for DNS load balancing (UDP). We're testing this by using a DNS query generator that (always) seems to use the same UDP source port when originating these queries. At the moment, the ACE module is hardly doing any load-balancing.
It looks to me like, that because of this, the ACE believes it's the same session (connection) and doesn't really load-balance, so I started looking for a solution and found the fast-age udp feature. But, it seems this is not supported on my ACE modules. Can any one offer another solution and/or look at my config and see if there is another way to achieve load balancing in a testing environment when using a tool like the one I described?
(I put it that way because i believe in real life since queries come from different IP addresses and randomized udp ports, the ACE module will be just fine).
Thanks in advance!
c.

Hi Carlos,
Correct. The 3.0(0) is really misleading. You need to start with the "A" - so you really have 1.6.3a installed.
The "show version" for V2 is slightly better -
system: Version A2(1.2) [build 3.0(0)A2(1.2)
Cathy

Ace module dropping assymetric layer 2 connections

Hi we had a situation in where the ACE would randomly drop certain tcp connections, and all ICMP packets from a certain windows server. The server in question was using Transmit Load Balancing with Fault Tolerance.
The server has one Nic connected to Access switch1, and the other nic connected to Access switch2. Each access switch connects up to a pair of 6509's, which is active on Core1 on both switches.
I am guessing If the server sends on Nic 2, core1 knows it came in on the downstream trunk port to Switch2, it must reply to these packets based on the teamed mac of the layer 3 address(no idea who is arping for the destination - the ace?), and send them back out the downstream trunk port to switch1. The ace module is in transparent mode. When contacting a server on the other side of the ace, the ace drop packets that came from the second nic - and I am wondering how it "knows" that the return path is out of different downstream port. Does it share some kind of layer 2 RPF check with the 6500 ?
Please note there is no routing involved here. The destination server is just on another vlan on the same subnet, on the other side of the ace.

Bryan,
As long as the server replies back to the ACE the client should only be commmunicating with the VIP address in either of your two examples.
In your first example the flow will look like this.
client > VIP after the ACE client > rserver
the reply would be
rserver > client after the ACE VIP > rserver
In your second example using client nat it will look like this
Client > VIP After ACE Natpool > rserver.
the reply would be
rserver > Nat-pool after ACE VIP > client.
The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
Regards
Jim

Ace module in bridged mode with client nat

Could someone confirm whatever a NAT is supported for ACE-20 module, please?
Let me to explain technical details.
I do need to convert working CSM(SLB) config to ACE configuration and I am not quite sure
if the configuration below is correct. ACE module should be configured in bridge mode with two
vlans - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
NAT on ACE configurad as "nat dynamic 1025 vlan 436" into corresponding
"policy-map type loadbalance"
Could you check two parts of configs and advise me if the ACE config is
properly converted from CSM and will be working in the same way (especialy for NAT).
Thank you in advance.
CSM config
=======
vlan 36 client
ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
gateway 10.36.3.1
vlan 436 server
ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
sticky 30 netmask 255.255.255.255 address source timeout 60
probe SHAREPOINT tcp
interval 30
failed 120
open 3
port 80
probe WEBMAIL-443 tcp
interval 5
failed 60
open 2
port 443
serverfarm WEBMAIL-443
nat server
nat client WEB-MAIL
predictor leastconns
real 10.36.3.101 443
   inservice
real 10.36.3.102 443
   inservice
probe WEBMAIL-443
serverfarm WEBMAIL-80
nat server
nat client WEB-MAIL
predictor leastconns
real 10.36.3.101 80
   inservice
real 10.36.3.102 80
   inservice
probe SHAREPOINT
vserver WEBMAIL-443
virtual 10.36.3.100 tcp https
serverfarm WEBMAIL-443
sticky 60 group 30
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
vserver WEBMAIL-80
virtual 10.36.3.100 tcp www
serverfarm WEBMAIL-80
replicate csrp connection
persistent rebalance
inservice
ACE config
=======
probe tcp WEBMAIL-443
interval 5
open 2
passdetect interval 60
port 443
probe tcp SHAREPOINT
interval 30
open 3
passdetect interval 120
port 80
serverfarm host WEBMAIL-443
predictor leastconns
probe WEBMAIL-443
rserver 10-36-3-101 443
    inservice
rserver 10-36-3-102 443
    inservice
serverfarm host WEBMAIL-80
predictor leastconns
probe SHAREPOINT
rserver 10-36-3-101 80
    inservice
rserver 10-36-3-102 80
    inservice
class-map match-all WEBMAIL-80
match virtual-address 10.36.3.100 tcp eq www
class-map match-all WEBMAIL-443
match virtual-address 10.36.3.100 tcp eq https
sticky ip-netmask 255.255.255.255 address source 30
serverfarm WEBMAIL-443
replicate sticky
timeout 60
policy-map type loadbalance first-match WEBMAIL-80
class class-default
    serverfarm WEBMAIL-80
    nat dynamic 1025 vlan 436 serverfarm primary
policy-map type loadbalance first-match WEBMAIL-443
class class-default
    sticky-serverfarm 30
    nat dynamic 1025 vlan 436 serverfarm primary
parameter-map type http HTTP_ADV_OPT
persistence-rebalance
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-80
    loadbalance vip inservice
    loadbalance vip icmp-reply active
class WEBMAIL-443
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-443
    loadbalance vip inservice
    loadbalance vip icmp-reply active
interface vlan 36
bridge-group 36
service-policy input IFVLAN36-POLICY
mac-sticky enable
no shutdown
interface vlan 436
bridge-group 36
nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
no shutdown
interface bvi 36
ip address 10.36.3.3 255.255.255.0
peer ip address 10.36.3.4 255.255.255.0
no shutdown

Hello F.Makarenko-
You will want to use PAT while you do nat, so change the natpool configuration to this:
   nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
You also need to apply the nat like this:
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-80
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    nat dynamic 1025 vlan 436
class WEBMAIL-443
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-443
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    nat dynamic 1025 vlan 436
If you are going to build out a lot of classes, you can instead do source nat like this:
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-80
    loadbalance vip inservice
    loadbalance vip icmp-reply active
class WEBMAIL-443
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-443
    loadbalance vip inservice
    loadbalance vip icmp-reply active
class class-default
    nat dynamic 1025 vlan 436
Regards,
Chris Higgins

ACE module contents of disk: erased

Similar Messages

Maybe you are looking for