ACE problem - bridge mode - behind a firewall

Hello
We are having problems with one of your ACE contexts; this implementation was done by a supplier and I am trying to troubleshoot it.
The clients and the servers are on different subnets, with a Nokia firewall in the middle. The firewalls are set up as a cluster.
Connecting to port 7072 takes at least 30 seconds. If I move the server into the VLAN in front of the ACE, the connection is instant, so it does indicate a problem on the ACE.
The client IP is .99.11.
The VIP is .100.62 and the server node is .100.12.
Running the capture command I can see the following behavior:
1. The client initiates the connection to the ACE VIP
2. At the same time, it looks like a second connection is initiated from the client to the server node
Please see attachment.
Is this a normal situation where the connection is duplicated?
Does this interface setup look correct?
Is the bridge mode the correct setup in this scenario?
interface vlan 10
  bridge-group 2
  no normalization
  mac-sticky enable
  access-group input PERMITALL
  service-policy input VLAN10-INTER-MMPM
  no shutdown
interface vlan 15
  bridge-group 2
  no normalization
  access-group input PERMITALL
  no shutdown
interface bvi 2
  ip address 192.168.100.7 255.255.255.192
  alias 192.168.100.6 255.255.255.192
  peer ip address 192.168.100.8 255.255.255.192
  no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.100.1
Many thanks,
Damian

Thanks for replying James,
I am sure I configured the capture only for VLAN10, which is on the VIP side.
But you are right, it looks like it is showing both VLAN10 and VLAN15. So that is one of my theories out of the window! :)
This is a new installation, still in the testing stage, so it would be a good time to make changes.
Do you normally implement a routed setup behind a firewall, rather than a bridged one?
It is quite a small setup:
• Traffic is coming from a separate local subnet
• Traffic is not coming from the Internet, so it does not require NAT
• We need 1 VIP listening on two ports
• The backend servers are four Linux boxes
Thanks again,
Damian

Similar Messages

  • ACE dropped conns problem (Bridged mode)

    Dear all,
    I configured an ACE in bridged mode (inside VLAN: 2012, outside VLAN: 2021) and applied the L4 policy on the two VLAN interfaces to load-balance incoming HTTP requests (virtual IP: 172.22.22.130).
    interface vlan 2112
      bridge-group 1
      access-group input BPDU-Allow
      service-policy input POLICY-LB-HMC-2112
      no shutdown
    interface vlan 2122
      bridge-group 1
      access-group input BPDU-Allow
      service-policy input POLICY-LB-HMC-2112
      no shutdown
    But I also need some other servers connected to the same VLAN 2112 to send HTTP requests to the same VIP; this fails and I get dropped connections.
    Can anyone help?
    Regards
    Abdelaziz

    Hi Olivier,
    Below is the full config. My need is to make a server in the inside VLAN 2112 (172.22.22.121) open an HTTPS connection to the VIP (172.22.22.130 for rservers .131 & .132). Traffic from the outside is working well.
    Thanks,
    Abdelaziz
    Generating configuration....
    access-list BPDU-Allow ethertype permit bpdu
    probe tcp HTTPS
      port 443
      interval 15
      passdetect interval 15
      passdetect count 1
    probe icmp PING
      interval 5
    rserver host CASHUB131
      ip address 172.22.22.131
      inservice
    rserver host CASHUB132
      ip address 172.22.22.132
      inservice
    serverfarm host SFARM-EXCAS130
      probe HTTPS
      rserver CASHUB131
        inservice
      rserver CASHUB132
        inservice
    parameter-map type connection TCP_IDLE_30min
      set timeout inactivity 1800
    class-map match-all CLASS-L4-VIP-EXCAS130
      2 match virtual-address 172.22.22.130 any
    class-map type management match-any REMOTE-ACCESS
      description management ACE
      10 match protocol telnet any
      20 match protocol ssh any
      30 match protocol icmp any
      31 match protocol https any
      32 match protocol snmp any
    policy-map type management first-match REMOTE-MGT
      class REMOTE-ACCESS
        permit
    policy-map type loadbalance first-match POLICY-L7-VIP-EXCAS130
      class class-default
        serverfarm SFARM-EXCAS130
    policy-map multi-match POLICY-LB-HMC-2112
      class CLASS-L4-VIP-EXCAS130
        loadbalance vip inservice
        loadbalance policy POLICY-L7-VIP-EXCAS130
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
    interface vlan 2112
      bridge-group 1
      access-group input BPDU-Allow
      service-policy input POLICY-LB-HMC-2112
      no shutdown
    interface vlan 2122
      bridge-group 1
      access-group input BPDU-Allow
      service-policy input POLICY-LB-HMC-2112
      no shutdown
    interface bvi 1
      ip address 172.22.22.250 255.255.255.0
      peer ip address 172.22.22.251 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.22.22.254

  • ACE in bridge mode with FWSM as gateway

    Our design:
    FWSM--vlan 7--ACE-vlan 8---servers with default gateway as FWSM
    Originally there were no plans for servers to use load-balanced traffic when communicating with each other; now there is a need for this.
    Since the ACE is in bridge mode, there are no IP addresses configured on its VLANs and it can't do source NAT.
    What we want: servers in serverfarm A can contact a single IP which is load balanced, and the traffic is sent to serverfarm B. Both serverfarms reside in VLAN 8 and the ACE is in bridge mode. With the VLAN not having an IP, how can we get this working? We were looking to create a policy on the ACE with an IP address in VLAN 8 and then do a source NAT to send the traffic to serverfarm 7.
    With the FWSM as the default gateway, enabling permit intra traffic doesn't work because the command routes the traffic; I don't think it will send the traffic back to the same VLAN.
    e.g. static (inside,outside) 10.7.0.1 10.7.8.13 and allow intra traffic.
    So when a machine 10.7.8.11 pings 10.7.0.1 it goes to the FWSM, but the FWSM doesn't look for 10.7.8.13.
    With the ACE in bridge mode and the FWSM doing the above, how do we get around this? Can something be done on the ACE in bridge mode with source NAT?
    Thanks

    First, why don't you have an IP in your ACE VLAN?
    Then, for traffic hitting a VIP, we can do source NATing even in bridge mode.
    But if the VIP is not an IP in VLAN 8, your server will send the traffic to the FWSM anyway and the ACE will first bridge the request.
    The FWSM should then send the request back to the ACE (not sure how this can be done).
    So the request from the server will actually hit the VIP on VLAN 7 (not VLAN 8).
    So your policy-map with client NAT must be on VLAN 7.
    Another option would be to configure a static route on the server to point the VIP to the ACE VLAN 8 IP address (which you should have configured).
    In this case, the policy-map will have to be on VLAN 8 with client NAT.
    Gilles.

  • ACE in bridged mode and multicast

    We have configured an ACE SM in bridge mode and have a requirement to enable multicast on one of the networks where the back-end servers are residing. Will ACE support multicast out of the box, or will we need to do any tweaking on the ACE to enable the multicast support?
    Thanks..

    Hi Gilles,
    Is it also supported in routed mode?
    The ACE isn't doing multicast routing, right?
    Actually, the server-side vlan is being routed on the C6500 and has pim sparse-dense mode enabled.
    We want to move this server-side vlan behind the ace in routed mode. What about the pim?
    Any ideas?
    thanks,
    Dario

  • PBR with ACE in bridge mode

    I have one ACE configured in bridge mode.
    For proxy users: they have the VIP as proxy, so the traffic from the client has the VIP as destination.
    But there are some users without proxy, so we used Policy Based Routing; it is working and we can see the connections on the ACE,
    but with the destination IP of the websites, so the traffic is not coming back, as shown below:
    BC-LB1/BlueCoat# sho conn | include 10.1.50.10
    1782765    1  in  TCP   210  10.1.50.10:52052      67.195.160.76:80      SYNSEEN
    1355728    1  out TCP   210  67.195.160.76:80      10.1.50.10:52052      INIT
    BC-LB1/BlueCoat#
    In the PBR, we used the VIP as the next hop address.
    Please advise what the problem is.
    Thanks in advance

    Good afternoon,
    As you mentioned, it seems the return traffic is not coming back through the ACE. You should review your PBR configuration to ensure that the return traffic is also matched and sent to the ACE.
    Regards
    Daniel
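A way to make Daniel's check mechanical, as an added example that is not part of this thread: the script below parses ACE `show conn` output in the column layout quoted above (conn-id, NP, direction, protocol, VLAN, source, destination, state), pairs each connection's in and out legs, and reports the legs that sit in SYNSEEN with no return (out leg INIT or missing), which is what a return path that bypasses the ACE looks like. The sample output is constructed for the example; only its first two entries mirror the lines posted above.

```python
import re
from collections import defaultdict

# Constructed sample of ACE "show conn" output (not real device output).
# Column order: conn-id, NP, direction, protocol, VLAN, source,
# destination, state.  The first two entries mirror the thread above;
# the rest are made up to give one healthy pair and one lone SYN.
SAMPLE_SHOW_CONN = """\
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
1782765    1  in  TCP   210  10.1.50.10:52052      67.195.160.76:80      SYNSEEN
1355728    1  out TCP   210  67.195.160.76:80      10.1.50.10:52052      INIT
1782801    1  in  TCP   210  10.1.50.10:52060      10.1.50.100:80        ESTAB
1355790    1  out TCP   210  10.1.50.100:80        10.1.50.10:52060      ESTAB
1782950    1  in  TCP   210  10.1.50.11:40001      67.195.160.76:80      SYNSEEN
"""

CONN_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<np>\d+)\s+(?P<dir>in|out)\s+(?P<proto>\w+)\s+(?P<vlan>\d+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)


def parse_show_conn(text):
    """Return one dict per connection line; header and separator lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(m.groupdict())
    return conns


def pair_flows(conns):
    """Group the 'in' and 'out' legs of each connection.

    The ACE lists one in leg (client -> VIP/server) and one out leg
    (server -> client) per connection; the out leg is the in leg with
    source and destination swapped, so both are keyed on the in-leg
    orientation (proto, client socket, server socket).
    """
    flows = defaultdict(dict)
    for c in conns:
        if c["dir"] == "in":
            key = (c["proto"], c["src"], c["dst"])
        else:
            key = (c["proto"], c["dst"], c["src"])
        flows[key][c["dir"]] = c
    return flows


def find_one_way_flows(text):
    """Return in-leg conn-ids whose return traffic never reached the ACE.

    A client SYN forwarded by the ACE leaves the in leg in SYNSEEN; the
    matching out leg stays in INIT (or does not exist yet) until a SYN/ACK
    comes back through the ACE.  That is the signature of an asymmetric
    return path, e.g. PBR steering only the client-to-server direction.
    """
    suspects = []
    for legs in pair_flows(parse_show_conn(text)).values():
        inn, out = legs.get("in"), legs.get("out")
        if inn is None:
            continue
        if inn["state"] == "SYNSEEN" and (out is None or out["state"] == "INIT"):
            suspects.append(inn["id"])
    return suspects


if __name__ == "__main__":
    for cid in find_one_way_flows(SAMPLE_SHOW_CONN):
        print("no return traffic seen for conn", cid)
```

Paste a real `show conn` capture in place of the sample: a healthy connection shows the same state on both legs, so anything the function returns points at routing or PBR on the return path rather than at the load-balancing policy itself.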

  • Design question: ACE module connected to 2 different L3 engine while in bridge mode

    Fellow engineers,
    I have been working on a design model where the ACE module will provide SLB for both virtual and real servers. We have been deploying several UCS systems and the customer would like to use the ACE as our Enterprise SLB layer, configured in bridge mode.
    The MSFC within the 6509 provides the L3 routing. However, we may extend multiple VLANs (v160-v163) via the Nexus switch layer (7k, 5k, 2k) to a FW appliance which is now the SVI interface for the extended VLANs. These VLANs will be configured on a dedicated context.
    The extension is based on the bridge mode operation as follows:
    Need help with the following:
    1) If I have 4 BVIs configured, do I need to have a default route configured?
    2) My total count for VLANs is: v160-v163 for server VLANs, and v101 is the management VLAN. The SVI for this VLAN is on the MSFC card. The server GWs are pointing to each dedicated SVI on the FW+L3 appliance.
    3) If my default route on the context is pointing to the v160 SVI on the FW+L3 engine, will that prevent the return traffic for other VLANs (v161-v163) from the ACE toward the client?
    4) Is a default route necessary if you have the ACE in bridge mode?
    It was brought to my attention that if you have multiple VLANs configured in bridge mode pointing to another L3 engine, then each VLAN would have to be configured on a separate context, since you can only have one default route per context.
    I appreciate any feedback on this inquiry. If you need additional information please let me know.
    Thanks and best regards,
    Raman Azizian

    Hi Raman,
    You can have up to eight default routes in one context. What the ACE does with these entries is create an ARP entry with the name GATEWAY. If you need more than eight entries, just declare the gateways as rservers; in that case the ARP entry is stored as RSERVER instead of GATEWAY. The trick is to tell the ACE to learn the MAC address for the IP address and store it in the ARP table; the ACE never learns a MAC address on its own. Don't forget mac-sticky enable on VLANs facing a gateway.
    I'm running one context in bridge mode and have 18 BVIs with FW and Router 6509 as gateways.
    Example:
    Interface to ROUTER 6509
    interface vlan 300
      bridge-group 300
      no normalization
      mac-sticky enable
      access-group input BPDU
      access-group input alla
      access-group output alla
      service-policy input lb-int-vlan300
      no shutdown
    rserver host 300GATEWAY
      ip address 164.135.121.47
      inservice
    A#1/prod1# sho arp | i 164.135.121.47
    164.135.121.47  00.08.e3.ff.fc.14  vlan300   RSERVER    4775   239 sec      up
    A#1/prod1#
    Interface to FIREWALL
    interface vlan 802      
      bridge-group 802
      no normalization
      mac-sticky enable
      access-group input BPDU
      access-group input alla
      access-group output alla
      service-policy input lb-int-vlan802
      no shutdown
    rserver host 802GATEWAY
      ip address 192.168.137.1
      inservice
    192.168.137.1   00.23.33.6a.bf.80  vlan802   RSERVER    4785   5 sec        up
    Regards
    Mats

  • ACE 4710 in bridge mode not working

    I am trying to configure the ACE 4710 in bridge mode and I am stuck in the physical interface configuration. I have configured gig1/2 of the ACE as a trunk port and on the layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried a trunk port also but it got disabled due to a BPDU error.
    I am not able to ping the servers or the gateway. Below are the topology and context configuration:
    Router   (vlan 13: IP 172.16.11.254)
         |
    ACE     (int gig1/2)
         |
    L2 Switch
         |
    Servers (vlan 11: IP 172.16.11.1 and 11.2)
    Admin Context
    ===========
    resource-class rc1
      limit-resource all minimum 0.00 maximum unlimited
      limit-resource sticky minimum 0.20 maximum unlimited
    boot system image:c4710ace-mz.A3_2_4.bin
    interface gigabitEthernet 1/1
      switchport access vlan 1000
      no shutdown
    interface gigabitEthernet 1/2
      switchport trunk allowed vlan 11,13
      no shutdown
    interface gigabitEthernet 1/3
      shutdown
    interface gigabitEthernet 1/4
      shutdown
    access-list ALL line 8 extended permit ip any any
    access-list everyone line 8 extended permit ip any any
    access-list everyone line 16 extended permit icmp any any
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    interface vlan 1000
      ip address 172.16.16.16 255.255.255.0
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.16.16.254
    context test
      allocate-interface vlan 11
      allocate-interface vlan 13
      member rc1
    test Context
    =========
    access-list bpdu-fixup ethertype permit bpdu
    access-list ALL line 8 extended permit ip any any
    access-list ALL line 16 extended permit icmp any any
    rserver host srv1
      ip address 172.16.11.1
      inservice
    rserver host srv2
      ip address 172.16.11.2
      inservice
    serverfarm host srv
      rserver srv1
        inservice
      rserver srv2
        inservice
    sticky ip-netmask 255.255.255.255 address both SG1
      timeout 120
      serverfarm srv
    class-map type management match-any remote-mgmt
      201 match protocol snmp any
      202 match protocol ssh any
      203 match protocol icmp any
      204 match protocol http any
      205 match protocol https any
      206 match protocol xml-https any
    class-map match-all slb-vip
      2 match virtual-address 172.16.11.10 any
    policy-map type management first-match remote-mgmt
      class remote-mgmt
        permit
    policy-map type loadbalance first-match slb
      class class-default
        sticky-serverfarm SG1
    policy-map multi-match client-vips
      class slb-vip
        loadbalance vip inservice
        loadbalance policy slb
        loadbalance vip icmp-reply
    interface vlan 11
      bridge-group 1
      access-group input bpdu-fixup
      access-group input ALL
      access-group output ALL
      no shutdown
    interface vlan 13
      bridge-group 1
      access-group input bpdu-fixup
      access-group input ALL
      access-group output ALL
      service-policy input remote-mgmt
      service-policy input client-vips
      no shutdown
    interface bvi 1
      ip address 172.16.11.9 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.16.11.254
    Could you please suggest where I am going wrong?
    Thanks,
    Pawan

    " I tried trunk port also but it got disabled"   <----- if your L2 config is not correct, nothing will work.
    What is the setup on the switch ? Trunk or access vlan ?
    What is the status of the interface ? up ? down ?
    Do you see something in your arp table ?
    Gilles.

  • Arris modem & AEBS in bridge mode w/ OS X server (Yosemite)

    I have been using a AEBS (ac) as router in bridge mode behind an Arris cable modem (with its own wireless network setup) and have it create a wireless network. I extended it with 1xAEBS (ac) and 2x AEBS (n) to reach all corners of the house, all in "extend" and "bridge" mode. The AEBS (ac) router is using Ethernet cable to connect to Arris modem. This setup worked well for me and still does, until...
    Recently, to get access to my files on the network from the Internet, I installed OS X server (4.2) on Yosemite running on a MP (have a few drives attached). I intend to use the servers VPN service, but cannot get its new reachability tool to identify any services running. After doing some searching I found tutorials on how to run the AEBS in DHCP and NAT mode, which results in a double NAT error the way my modem/provider service is setup.
    I have not been able to find a tutorial how to configure the server in Internet mode behind the AEBS (ac) router in bridge mode. I do have a domain name, but the service provider does not offer Dynamic DNS service. And I did let the server install the DNS services automatically.
    A server setup guide when running AEBS in bridge mode would be very helpful.
    I would need some help configuring the AEBS router as well as setting up the server - thanks a lot!

    I see nobody else has jumped in.. so I read this last night and thought it was a bit too hard..
    But perhaps I can get you to at least clarify some stuff.
    Arris cable modem (with its own wireless network setup)
    What model is the arris? Since it has its own wireless it is a router.. or what is sometimes called gateway.
    I have been using a AEBS (ac) as router in bridge mode
    You cannot use "as router" in bridge.. they are opposites.. but I think you just mean.. AEBS is in bridge.. the mention of router is to qualify the AEBS which we know is a router.
    I intend to use the servers VPN service, but cannot get its new reachability tool to identify any services running.
    I do not use server and I would not have done the setup this way to get access to your files.. but the vpn service should work.
    Test by using a computer on the local network running a vpn client to see if you can log in to the server. It is much easier to get things working locally before you attempt to do it remotely.
    What type of vpn is it.. I can look it up but easier if you post the details.. each vpn uses different port forwarding requirements. PPTP is different to IPSEC which is different to L2TP which is different to SSL.
    After doing some searching I found tutorials on how to run the AEBS in DHCP and NAT mode, which results in a double NAT error the way my modem/provider service is setup.
    You cannot run two routers.. that will mess things up. The AEBS should be in bridge.. double NAT will kill your access.
    I have not been able to find a tutorial how to configure the server in Internet mode behind the AEBS (ac) router in bridge mode. I do have a domain name, but the service provider does not offer Dynamic DNS service. And I did let the server install the DNS services automatically.
    Some of this I have not used.. so I cannot say much.. I much prefer to do vpn using vpn routers.. it is far easier.
    Anyway.. the bridged AEBS is irrelevant.. your problem is needing to setup the Arris for VPN pass through. This sometimes involves something simple like tick a box.. it can also be complicated and need port forwarding.
    You can use Dynamic DNS client in the Arris.. that will be the best place to set this up.
    You will need to download and read carefully the manual for your arris gateway.
    Let me also suggest you run ethernet directly to the arris .. bypass the Extreme altogether.. it is not related to this setup but can cause issues.. because Apple have some inbuilt ipsec security for BTMM.
    For setting up yosemite server to do vpn I recommend you post in the Server OS area of the discussions.

  • Cannot access DSL modem in bridge mode w/ Airport Extreme

    Hi
    I have the following setup:
    DSL Modem: Used in bridge mode + NAT/DHCP/Firewall turned off. Static IP is set to 192.168.2.1
    Airport Extreme: in PPPoE mode with Shared IP (which is selected by default): distributes the IP range 192.168.1.X with subnet 255.255.255.0. At this point, the Airport Extreme's IP address is what it gets from the ISP; basically the DSL modem is passing this through to the AE.
    An Ethernet cable runs from the DSL modem to the AE's WAN port.
    In this mode, everything works fine and all of us can use the Internet fine...
    But the problem is that I can't ping/ access DSL modem at all in this mode. Basically, I need to login to the DSL modem to monitor my DSL connection quality (SNR, Attenuation, etc.) but whatever I tried I could not figure out how.
    Basically, I tried setting a static IP on the DSL modem as 192.168.1.3, this did not work. I read somewhere that it needs to be on a different subnet, so tried using 192.168.2.1, that did not work either.
    If I connect the DSL modem to a machine directly and set that machine's IP to 192.168.2.10, it can connect to the DSL modem, but there is no way I could access this DSL modem from the setup I explained above.
    I am simply out of solutions at this point and any idea would be appreciated.
    Thanks a ton!

    What you are asking about is generally possible but probably not with an Airport Extreme. As others have noted, you SHOULD be able to access a DSL modem in bridge mode via its "LAN" IP address if you directly attach a cable to it and configure your computer with appropriate static IP settings (I'm assuming that in bridge mode the DSL modem has its DHCP server disabled).
    This approach can also be achieved through a router with sufficiently flexible configuration options (e.g. OpenWrt open-source firmware). Basically the router attaches its WAN port to the modem as usual. Then the router is configured to do PPPoE via the WAN port while SIMULTANEOUSLY assigning the WAN port a static IP address that can connect to the modem's LAN address. Finally, the router firewall must be configured to pass traffic from the DSL modem LAN IP back to the network.
    So your intuition suggesting that this should be possible is absolutely right. However; you can probably also see from the steps required why most modems simply (incorrectly) document that it isn't possible.
    Here's a link with some gory details on achieving this with an openwrt-based router: https://forum.openwrt.org/viewtopic.php?id=10952

  • ACE30-MOD-k9 in bridge mode. Individual server in the same vlan of Real Servers not reachable.

    I configured an ACE30-MOD-K9 in bridge mode and I configured a server farm with its real servers. The traffic passes and is balanced correctly between all RSERVERs. But I cannot contact a server that is on the same VLAN as the serverfarm but doesn't belong to this serverfarm.
    I thought that the traffic directed to this "spare" server shouldn't be balanced, but the bridge should permit the traffic to pass (transparent mode). Is that correct?
    What does the ACE in bridge mode do with traffic directed to servers that do not belong to any server farm but are present on the same VLAN (same bridge group)?
    With respect to the following configuration, 10.10.10.168 isn't reachable:
    access-list INBOUND line 8 extended permit ip any any
    access-list INBOUND line 16 extended permit icmp any any
    probe http HTTP_PROBE1
      expect status 200 200
    rserver host RS_WEB1
      ip address 10.10.10.163
      inservice
    rserver host RS_WEB2
      ip address 10.10.10.164
      inservice
    rserver host RS_WEB3
      ip address 10.10.10.165
      inservice
    rserver host RS_WEB4
      ip address 10.10.10.167
      inservice
    serverfarm host SF_FIREGROUP
      rserver RS_WEB1
        inservice
      rserver RS_WEB2
        inservice
      rserver RS_WEB3
        inservice
      rserver RS_WEB4
        inservice
    sticky ip-netmask 255.255.255.255 address source sticky-ip
      replicate sticky
      serverfarm SF_FIREGROUP
    sticky http-cookie myCookie sticky-cookie
      cookie insert browser-expire
      serverfarm SF_FIREGROUP
    class-map match-any VS_FIREGROUP
      2 match virtual-address 10.10.10.169 tcp eq www
      4 match virtual-address 10.10.10.169 tcp eq 8081
      5 match virtual-address 10.10.10.169 tcp eq 8082
      6 match virtual-address 10.10.10.169 tcp eq 8083
      7 match virtual-address 10.10.10.169 tcp eq 8084
      8 match virtual-address 10.10.10.169 tcp eq 8085
      9 match virtual-address 10.10.10.169 tcp eq 8097
    class-map match-any VS_FIREGROUP_HTTPS
      2 match virtual-address 10.10.10.169 tcp eq https
    policy-map type loadbalance first-match HTTP
      class class-default
        sticky-serverfarm sticky-cookie
    policy-map type loadbalance first-match HTTPS
      class class-default
        sticky-serverfarm sticky-ip
    policy-map multi-match HTTP_HTTPS_MULTI_MATCH
      class VS_FIREGROUP
        loadbalance vip inservice
        loadbalance policy HTTP
        loadbalance vip advertise active
      class VS_FIREGROUP_HTTPS
        loadbalance vip inservice
        loadbalance policy HTTPS
        loadbalance vip advertise active
    interface vlan 4
      bridge-group 1
      access-group input INBOUND
      service-policy input HTTP_HTTPS_MULTI_MATCH
      no shutdown
    interface vlan 700
      bridge-group 1
      access-group input INBOUND
      no shutdown
    interface bvi 1
      ip address 10.10.10.150 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.10.10.1
    Thanks a lot
    Francesco

    Hi Francesco,
    Just to add a bit more: a bridge group is very similar to routed mode, except that the ACE cannot NAT pass-through traffic, VLANs cannot be shared, and a couple of other things, but clients should be able to access the server as before.
    But also, whether in bridge or routed mode, the ACE does create flows and applies other security parameters, if configured, to the traffic. This is for security. Also, the ACE should know the MAC of the device to forward the traffic to. Can you check if the ACE has the MAC of the destination? You can also put a route in for testing purposes and see if that resolves the issue. That should probably be the quickest way to check if the ACE is creating any issue here.
    Regards,
    Kanwal
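Mats' point above that the ACE never learns a MAC address on its own, and Kanwal's suggestion to verify that the ACE holds the MAC of the destination, can both be checked with a script like the one below. It is an added example, not from either poster: it pulls every address the ACE must resolve out of a context config (rserver addresses and `ip route` next hops) and matches them against `show arp` output in the column layout Mats quotes. Both the config fragment and the ARP output are constructed for the example; the addresses are made up.

```python
import re

# Constructed ACE context fragment in the style of the configs quoted in
# this thread: two real servers, a gateway declared as an rserver so the
# ACE keeps an ARP entry for it, and two routes.  Addresses are made up.
SAMPLE_CONFIG = """\
rserver host RS_WEB1
  ip address 10.10.10.163
  inservice
rserver host RS_WEB2
  ip address 10.10.10.164
  inservice
rserver host 700GATEWAY
  ip address 10.10.10.1
  inservice
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 172.16.0.0 255.255.0.0 10.10.10.2
"""

# Constructed "show arp" output in the column layout Mats quotes above
# (IP, MAC, VLAN, entry type, encap id, age, state).  RS_WEB2 is down and
# the second route's next hop has no entry at all.
SAMPLE_SHOW_ARP = """\
10.10.10.1      00.08.e3.ff.fc.14  vlan700   RSERVER    4775   239 sec      up
10.10.10.163    00.50.56.aa.bb.01  vlan4     RSERVER    4776   12 sec       up
10.10.10.164    00.50.56.aa.bb.02  vlan4     RSERVER    4777   -            dn
"""

RSERVER_HDR_RE = re.compile(r"^rserver host (\S+)")
IP_ADDRESS_RE = re.compile(r"^\s*ip address (\S+)\s*$")
ROUTE_RE = re.compile(r"^ip route \S+ \S+ (\S+)\s*$")
ARP_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>\S+)\s+(?P<vlan>\S+)\s+(?P<type>\S+)"
    r".*\s(?P<state>\S+)$"
)


def expected_next_hops(config):
    """Map each IP the ACE must resolve to the role it plays in the config.

    Only 'ip address' lines directly under an 'rserver host' block count;
    the block ends at the next unindented line, so a BVI address is ignored.
    A gateway that is also declared as an rserver keeps the rserver role.
    """
    hops = {}
    current_rserver = None
    for line in config.splitlines():
        if not line.startswith(" "):
            m = RSERVER_HDR_RE.match(line)
            current_rserver = m.group(1) if m else None
        m = IP_ADDRESS_RE.match(line)
        if m and current_rserver:
            hops[m.group(1)] = f"rserver {current_rserver}"
            continue
        m = ROUTE_RE.match(line)
        if m:
            hops.setdefault(m.group(1), "route next hop")
    return hops


def parse_show_arp(text):
    """Return {ip: fields} for every entry line; header lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            entries[m.group("ip")] = m.groupdict()
    return entries


def check_arp_coverage(config, show_arp):
    """Return {ip: problem} for next hops the ACE cannot currently forward to.

    A missing entry means nothing in the config makes the ACE resolve that
    address (it never learns one on its own); a non-'up' entry means the
    resolution is configured but the neighbour is not answering.
    """
    arp = parse_show_arp(show_arp)
    problems = {}
    for ip, role in expected_next_hops(config).items():
        entry = arp.get(ip)
        if entry is None:
            problems[ip] = f"{role}: no ARP entry"
        elif entry["state"] != "up":
            problems[ip] = f"{role}: ARP entry is {entry['state']} on {entry['vlan']}"
    return problems


if __name__ == "__main__":
    for ip, problem in sorted(check_arp_coverage(SAMPLE_CONFIG, SAMPLE_SHOW_ARP).items()):
        print(f"{ip:<15} {problem}")
```

Feed it `show running-config` and `show arp` from the context in question; a destination that the config never names (such as a server that sits in the bridge group but belongs to no serverfarm) will not appear in the expected set at all, which is itself the answer to whether the ACE has any reason to hold its MAC.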

  • Access Modem if Static IP and in Bridged Mode

    I am assuming it is in bridged mode as my firewall uses the static IP. However, how do I access the modem to change the password? Do I have to plug a computer into it? I have not been able to figure out how to access it from one of the computers on the network. Thanks.

    #1 What is the brand and model of your modem?
    #2 What is the brand and model of your router?
    #3 Do you have a stand alone hub?
    #4 Or if not to question number 3, do you have an unmanaged switch?

  • Firewall Load Balance using bridged mode ACE

    Dear Folks,
    I'd like to load balance 2 ASAs using 3 ACEs [inside, outside, dmz network zones].
    I've seen sample configurations; all of them run the ACE in routed mode, and the ASAs are running in routed mode.
    Would it be possible to run the ACE in bridge mode, because of the IP subnetting problem? We don't have enough to split.
    By the way, if possible, for all servers installed behind the ACE, what default gateway should the servers point to [in our case we have 2 independent firewalls]? Should I create a VIP for both firewalls, or should I just simply set the servers' gateway to the BVI interface?
    Please help. Thanks

    Thank you very much Gilles,
    You 're the man. ;-)
    Another question: in my case I try to load balance a 3-interface firewall [inside, outside, dmz]. In order to make the packet return through the same firewall it passed earlier,
    what kind of hashing technique do I need to use, and do I need to use the mac-sticky command?
    I tried to find a configuration sample on the Cisco website, but I only found one with only 2 interfaces, with the ACE running source hash and destination hash at each end.
    Thank you very much

  • ACE bridge mode not working

    Folks,
    I am trying to configure ACE in transparent mode and it is not working. I can browse to the servers directly, but when I try to hit the VIP I do not get any web pages. All keepalives are up and everything is inservice.
    hostname abc
    boot system image:c6ace-t1k9-mz.3.0.0_A1_6_1.bin
    access-list ANY line 8 extended permit ip any any
    rserver host rs1
      ip address 1.1.1.1
      inservice
    rserver host rs2
      ip address 1.1.1.2
      inservice
    serverfarm host SF1
      rserver rs1
        inservice
      rserver rs2
        inservice
    class-map type management match-any REMOTE_ACCESS
      10 match protocol telnet any
      20 match protocol ssh any
      30 match protocol icmp any
    class-map match-all VIP
      2 match virtual-address 1.1.1.3 any
    class-map type http loadbalance match-any src1
      2 match source-address 0.0.0.0 0.0.0.0
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance first-match R-Policy
      class class-default
        serverfarm SF1
    policy-map multi-match R-LB
      class VIP
        loadbalance vip inservice
        loadbalance policy R-Policy
        loadbalance vip icmp-reply active
        loadbalance vip advertise
    interface vlan 3
      bridge-group 1
      access-group input ANY
      access-group output ANY
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      no shutdown
    interface vlan 4
      bridge-group 1
      access-group input ANY
      access-group output ANY
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      service-policy input R-LB
      no shutdown
    interface bvi 1
      ip address 1.1.1.4 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 1.1.1.5

    I made some progress, but it is still not working.
    When the default gateway of the server behind the ACE module is set to the firewall, I can telnet to the VIP on port 80, but I still do not see the page when I open the browser and point it at the VIP. Here are the outputs.
    hostname RBharti
    boot system image:c6ace-t1k9-mz.3.0.0_A1_6_1.bin
    access-list ANY line 8 extended permit ip any any
    rserver host rs1
      ip address 1.1.1.1
      inservice
    rserver host rs2
      ip address 1.1.1.3
      inservice
    serverfarm host SF1
      rserver rs1
        inservice
      rserver rs2
        inservice
    class-map type management match-any REMOTE_ACCESS
      10 match protocol telnet any
      20 match protocol ssh any
      30 match protocol icmp any
    class-map match-all VIP
      2 match virtual-address 1.1.1.5 any
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance first-match R-Policy
      class class-default
        serverfarm SF1
    policy-map multi-match R-LB
      class VIP
        loadbalance vip inservice
        loadbalance policy R-Policy
        loadbalance vip icmp-reply active
        loadbalance vip advertise
    interface vlan 3
      bridge-group 1
      access-group input ANY
      access-group output ANY
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      service-policy input R-LB
      no shutdown
    interface vlan 4
      bridge-group 1
      access-group input ANY
      access-group output ANY
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      no shutdown
    interface bvi 1
      ip address 1.1.1.4 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 202.137.232.193

    Ri/Admin# sh service-policy
    Policy-map : R-LB
    Status : ACTIVE
    Interface: vlan 3
      service-policy: R-LB
        class: VIP
          loadbalance:
            L7 loadbalance policy: Rediff-Policy
            VIP Route Metric : 77
            VIP Route Advertise : DISABLED
            VIP ICMP Reply : ENABLED-WHEN-ACTIVE
            VIP State: INSERVICE
            curr conns : 0 , hit count : 54
            dropped conns : 54
            client pkt count : 81 , client byte count: 3888
            server pkt count : 0 , server byte count: 0
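    As an added illustration (not code from the thread or from Cisco), the checker below parses a trimmed copy of the configuration and the "sh service-policy" counters posted above and reports what a troubleshooter would look at first: the VIP receiving hits that are all dropped with zero server packets, whether the VIP sits in the bridged BVI subnet, and which VLAN interfaces actually carry the load-balancing policy. The sample CONFIG and SHOW strings are constructed from the post, and the rule set is this example's own, not an ACE feature.

```python
import re
from ipaddress import ip_address, ip_interface

# Constructed sample: lines trimmed from the second config and the "sh service-policy"
# output posted above (input for this added checker only, not a full ACE config).
CONFIG = """\
2 match virtual-address 1.1.1.5 any
interface vlan 3
service-policy input R-LB
interface vlan 4
interface bvi 1
ip address 1.1.1.4 255.255.255.0
"""
SHOW = """\
curr conns : 0 , hit count : 54
dropped conns : 54
client pkt count : 81 , client byte count: 3888
server pkt count : 0 , server byte count: 0
"""

def parse_config(text):
    """Collect the VIPs, the BVI subnet and the interfaces each policy is applied to."""
    out, iface = {"vips": [], "bvi": None, "policies": {}}, None
    for w in (ln.split() for ln in text.splitlines() if ln.strip()):
        if w[0] == "interface":
            iface = " ".join(w[1:])          # e.g. "vlan 3" or "bvi 1"
        elif w[:2] == ["ip", "address"] and iface and iface.startswith("bvi"):
            out["bvi"] = ip_interface(f"{w[2]}/{w[3]}").network
        elif "virtual-address" in w:
            out["vips"].append(w[w.index("virtual-address") + 1])
        elif w[:2] == ["service-policy", "input"] and iface:
            out["policies"].setdefault(w[2], []).append(iface)
    return out

def parse_show(text):
    """Turn the counter lines of 'sh service-policy' into {counter name: int}."""
    return {k.strip(): int(v) for k, v in re.findall(r"([a-z ]+?)\s*:\s*(\d+)", text)}

def diagnose(cfg, ctr):
    """Return the points a troubleshooter should look at first."""
    findings = []
    hits, dropped = ctr.get("hit count", 0), ctr.get("dropped conns", 0)
    if hits and dropped == hits and ctr.get("server pkt count", 1) == 0:
        findings.append("every VIP hit was dropped; no packet ever reached a server")
    for vip in cfg["vips"]:
        if cfg["bvi"] and ip_address(vip) not in cfg["bvi"]:
            findings.append(f"VIP {vip} is outside the bridged subnet {cfg['bvi']}")
    for pol, ifaces in cfg["policies"].items():
        findings.append(f"policy {pol} is applied on {', '.join(ifaces)} only")
    return findings
```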

  • Extreme running in bridge mode, can't get out past router or firewall

    Hello
    I have my Laptop, Mini and an older PC connected to my wireless network via my new AirPort Extreme. I had the system connected and got the solid green light but no internet. After putting the Extreme into bridge mode everything works fine. The problem I have now is that I can't activate my web cam; it says that I am blocked behind a firewall or router. I have been told that to get out from behind the router or firewall I need to be out of bridge mode, but when I try this I lose my internet connection??? Anybody have a suggestion???

    Warnercj7, Welcome to the discussion area!
    I guess the AirPort Extreme base station (AEBS) is connected to a modem of some type. It appears that the modem is operating as a router.
    You will need to configure the modem/router so that the appropriate ports are forwarded through the modem/router to the web cam.
