ACE routed mode design issue

I am configuring ACE in routing mode. Below is my ACE interface config.
interface vlan 28
  description "CLIENT VLAN"
  ip address 192.168.10.11 255.255.255.248
  peer ip address 192.168.10.12 255.255.255.248
  mtu 1500
  mac-sticky enable
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input POLICY
  no shutdown
interface vlan 29
  description "SERVER VLAN"
  ip address 192.168.10.19 255.255.255.248
  peer ip address 192.168.10.20 255.255.255.248
  mtu 1500
  mac-sticky enable
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input POLICY
  no shutdown
When I configure my servers in VLAN 29 and point the default gateway to 192.168.10.19 it works fine, no issues, but when this ACE goes down and the standby becomes active, my servers' default gateway will still be pointing to 192.168.10.19. Do I need to manually change it to .20,
or can I configure HSRP? Please advise me on this.

Hi ,
Yes, the alias should be set as the gateway for the servers.
The alias is a shared address between the peers. This address will be on the ACTIVE ACE.
Regards
Dan

Similar Messages

  • Ace routing mode design issue

    I need some assistance in configuring an application using routing mode on Cisco ACE.
            clients ---asa--3750--cisco ace--- servers behind vip
                                                                |
                                                              visa card transaction servers
    I am able to set up a VIP on ACE using routing mode. As the servers need to see the client IP, we are not performing SNAT; this part is working fine.
    When a request comes from the client, it goes to the VIP and to one of the backend servers, and the reply will be forwarded back to the ACE, as the default gateway on the servers is pointing to the server VLAN on ACE.
    But if a transaction from the servers needs to go to the Visa card transaction servers, how can we achieve this, and after fetching the data from the Visa servers, will the reply be forwarded to the ACE or to the ASAs directly?
    Or do we need to have static routes defined on the Visa servers to point to the ASA?
    Please advise me on this.

    Clint
    No, they are completely in a different network.
    When a client hits the VIP, the request goes to the ASA.
    The ASA forwards the VIP traffic to the ACE (VIP) interface, and from there it forwards the traffic to the (server VLAN) interface and to the appropriate backend servers.
    The backend server responds back to the (server VLAN) interface and the traffic is forwarded back to the ASA.
    But when a Visa card transaction needs to take place, the (farm) servers need to route the traffic to the Visa servers, which will be in a different subnet range.
    Do the farm servers send the request back to the ASA, and can we configure static routes on the ASA to point to the Visa servers?
    Or on the farm servers, can we have static routes for the Visa servers?
    Or can I define static routes on the ACEs for the Visa servers?

  • Sharing a VLAN between FWSM and ACE (Routed Mode)

    Anybody in here with experience on sharing a Vlan between an ACE and a FWSM module?
    I have a transfer network between the ACE and the FWSM in the same chassis. FWSM gets several vlans and ACE gets some Vlans.
    I wanted to configure it like this.
    firewall vlan group 10 <FWSM only vlans>
    firewall vlan group 20 <shared FWSM and ACE vlan>
    or
    svclc vlan group 20 <shared FWSM and ACE vlan>
    svclc vlan group 30 <ACE only vlans>
    The design hides the client side network and the server side network for the ACE behind the FWSM module.
    Layout:
    |-- Clients <--> MSFC <--> FWSM <--> ACE <--> Server --|
    So allocation on the 65xx would be like this.
    firewall module n vlan-group 10,20
    svclc module n vlan-group 20,30
    Any obvious issues with this design if you share the vlan(s) referred in group 20 with both modules?
    FWSM and ACE will be in routed mode.
    Thanks for reading...
    Roble

    Never mind...
    Just found the perfect answer for this in another posting from Syed.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Data%20Center&topic=SNA%20Data%20Center%20Networking&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dddee0b/0#selected_message
    Roble

  • Can VIP and Rservers be in the same subnet in ACE Routed Mode

    Good Day,
    Sorry for the lengthy post.
    Currently I have a 6509s running in VSS mode with ACE30 in each chassis.
    I have 5 vlans, which the VSS is the L3 interface for each. 1 Vlan is for management, the others are the data vlans for the servers.
    The ACE is configured in bridge mode, with all VLANs going to a specific context (non Admin).
    Some of the hosts on each VLAN are not used for load balancing. The default gateway for each VLAN is configured on the VSS.
    I would like to setup the ACE in the routed mode, without having to change the IP address of each servers on different VLANs.
    Basically I want to turn off the SVIs on VSS and move the L3 interface on the ACE Context, and let it perform the local routing for all the hosts.
    I was going to add a new /30 L3 interface between the VSS and ACE to be utilized for default route traffic coming from the ACE Context, and static routes from VSS to ACE for traffic destined to host that are being load-balanced and not being load-balanced. Basically force the traffic through the load-balancer in/out.
    For future deployment, I was planning on using different IP address for the VIPs, and Real servers (most likely RFC 1918).
    From most of the examples I have seen the VIP and Rservers are in different Subnets. But because I am trying to not change the IP address of the rservers and VIP, I wanted to know if the VIP and Rservers can be configured to be in the same subnet where the ACE is in routed mode.
    Unfortunately I don't have a spare ACE to test this scenario.
    As always any help would greatly be appreciated.
    Regards,
    Raman

    Link-local addresses are usually the self assigned IP address that a device will set when a DHCP server cannot be found. These are the addresses with 169.254.x.x subnet.
    If the router is assigning IP addresses for your network, then they will usually have a different IP subnet, possibly 192.168.0 for D-Link. And this subnet would be for the wired and wireless connections. So it would be more a case of bridging the two network topologies rather than routing them.
    The network host is busy message could be more to do with the driver and the IP protocol selected when creating the queue than the connection being broken between the Mac and printer. If you were to open Network Utility and select the Ping tab, enter the IP address of the HP and set the pings to 4, pressing the Ping button will soon show if there is a path through the wireless to the printer.
    If you get a response to the ping you could then open Safari and type the ip address as the URL. This would then connect to the internal web page of the printer and possibly let you enable an IP protocol like LPR so that you can use LPD on the Mac instead of Bonjour to connect to the printer.
    As for the driver, you could look at using a Gutenprint driver instead of the HP driver or the hpijs package to get past the limitations that some printer drivers have with network connections.

  • ACE routed mode

    Two ACE load balancers are set up as active/standby in routed mode.
    serverfarm host s1
      predictor leastconns
      probe PROBE_HTTP
      rserver app1
        inservice
      rserver app2
        inservice
    class-map match-all s1_CLASS
      2 match virtual-address 10.12.7.11 tcp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    policy-map type loadbalance first-match s1_POLICY
      class class-default
        serverfarm s1
    policy-map multi-match POLICY
      class s1_CLASS
        loadbalance vip inservice
        loadbalance policy s1_POLICY
        loadbalance vip icmp-reply active
    We had one connection from a client to the app2 server.
    We performed a code upgrade on LB2 and did a switchover to make LB2 active; the client connection was still on the app2 server.
    When LB1 was upgraded and made primary, the connection was still on app2,
    but after a couple of minutes we were seeing the connection on app1 instead of app2.
    Please help me on this.

    Hi,
    What you saw is totally expected behavior.
    What happens is that the ACE will keep the connections active and they will be served until either the connection is closed by the client (by closing the browser) or it times out due to inactivity. Then, if you switch over to another ACE, all "NEW" connections will be handled by the new master ACE, since there's no reason to send the traffic to the previous master ACE because it is no longer the primary.
    Again, this is expected.
    Hope this helps
    Jorge

  • ACE Routed mode - cannot see serverside network

    Hi all,
    I'm having a problem with the first context I've set up in pure routed mode without NAT. Taking advice from this forum I've defined the interface for the server-side VLAN only in the ACE context. Trouble is, this doesn't seem to have propagated into the routing table.
    The ACE can see the servers - they are in the ARP cache and can be PINGed from the context.
    A show IP route on the 6500 doesn't find the serverside subnet in the routing table.
    Am I missing something obvious? I've attached the config if that helps.
    Thank you
    Cathy

    I am not sure what your question is
    Are you not seeing the VIPs in the 6500 routing table? If it's about the VIP, RHI (Route Health Injection, "loadbalance vip advertise") should take care of it.
    Or do you want to see the server VLAN in the routing table of the 6500?
    If that's the case then that is not going to happen. You will have to add static routes and redistribute them in the network (on the upstream router).
    Syed Iftekhar Ahmed

  • Route Reflectors Design issue

    Hi,
    I am having this design issue with route reflectors and could use some help.
    I have 18 routers fully meshed in an MP-iBGP session and I am going to introduce route reflectors into the network to minimize the total number of TCP sessions.
    My problem is that some of these routers have outbound policies with one another. For example, I have a route map on router 1 affecting only router 2 and would like to keep it this way.
    Is there any way to do that through route reflectors?
    Thank you
    Hadi

    Hi Riccardo,
    I have 18 routers in a full MP-iBGP mesh topology. Some pairs of these routers have the following policy:
    I have a route-map matching on Route Targets and I am setting the next hop to be different from the rest of the RTs for that site.
    This way, the prefixes originating from site A, for example, will reach site B with different next hops depending on how I set it in my route-map.
    These policies are only between pairs of routers, i.e. router #1 needs only to affect router #2.
    How can I achieve this using RRs?
    Thank you
    Hadi

  • Example Config ACE routed mode with NAT

    Hi all,
    I have a two-arm load balancer (routed mode).
    client ->vlan100->[VIP]Loadbalancer[NAT] ->vlan200-> serverfarm
    But I have problems configuring the NAT. Can anybody show me an example configuration of a two-arm load balancer with NAT?
    Especially the access-list, class-map, policy-map, and on which interface the NAT policy must be added.
    BR
    Dominik

    Hi Dominik,
    Something like this:
    access-list ANYONE line 10 extended permit ip any any
    rserver host SERVER_01
      ip address 10.198.16.2
      inservice
    rserver host SERVER_02
      ip address 10.198.16.3
      inservice
    rserver host SERVER_03
      ip address 10.198.16.4
      inservice
    serverfarm host REAL_SERVERS
      rserver SERVER_01
        inservice
      rserver SERVER_02
        inservice
      rserver SERVER_03
        inservice
    class-map match-all VIP-30
      2 match virtual-address 192.168.1.30 tcp eq www
    class-map type management match-any REMOTE_ACCESS
      description remote-access-traffic-match
      2 match protocol telnet any
      3 match protocol ssh any
      4 match protocol icmp any
    policy-map type management first-match REMOTE_MGT
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance first-match SLB_LOGIC
      class class-default
        serverfarm REAL_SERVERS
    policy-map multi-match CLIENT_VIPS
      class VIP-30
        loadbalance vip inservice
        loadbalance policy SLB_LOGIC
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 452
    interface vlan 451
      ip address 192.168.1.2 255.255.255.0
      access-group input ANYONE
      service-policy input CLIENT_VIPS
      no shutdown
    interface vlan 452
      description Servers vlan
      ip address 10.198.16.1 255.255.255.0
      access-group input ANYONE
      nat-pool 1 10.198.16.5 10.198.16.5 netmask 255.255.255.0 pat
      no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    Cesar R
    ANS Team

  • ASA Class C IP addressing, routing subnet design issue, brainstorming, comments welcome!

    I am carving up an internet Class C for customer. This class C is used by 3 distinct QA, Corporate and Production firewalls. I want to carve up IP space so there is a /26 for each environment. The issue I have is the firewalls may need communication with each other via the public IP space. Currently I don’t have any L3 switches in between the firewalls and the edge internet router. So with subnetting, it would seem I need to push everything through the internet router for the intra-firewall communication.
    I would rather not push this traffic through the edge router, so I came up with an idea to allocate all firewall outside interface IP’s in the 4th (last remaining) /26. That way, I can allow firewalls to communicate over the primary interface IP’s, which will all be in the same subnet – without going through a routing “engine”/device.
    For the actual environment subnets (NAT's on respective firewalls), I create a static route on the edge router pointing to each of the firewall’s primary IP’s for the respective environment routes (the first 3 - /26’s).
    This is still a beta design, but I have done this before on small scale when ISP gave me 2 subnets for example, assuming I was going to put a router in between the customer firewall and ISP. I would use the “routed subnet” on the ASA interface, and then pull the NAT’s from the other subnet. The ISP would have to add a static route directing the NAT subnet to the “routed subnet” correct IP - which would be the firewall outside interface primary IP.
    I recently found out that with ASA OS 8.4.3 and up, ASA will not proxy arp for IP’s not in its local interface subnet. This means the ISP/router will have to assign static ARP entries on the edge router. This can get messy after the first few NAT entries. So I am debating the design now. I think this kind of stuff going forward won’t be worthwhile with newer ASA 8.4.3 code.
    Any ideas on how to communicate between different ASA’s, while still carving up the Class C into usable smaller subnets? The primary reason for doing this in the first place is to support routing on the edge router. I am thinking it might be time to ask for another Class C to do the routing functions, and keep the firewalls all at Layer 2 in one /24 - Class C?

    I recently found out that with ASA OS 8.4.3 and up, ASA will not proxy arp for IP’s not in its local interface subnet.
    That is a surprise, especially as using a different subnet than the one used to connect the ASA to the router for NAT is quite a common setup.
    Anyway, as we are brainstorming, here are a couple of options that spring to mind. Please feel free to shoot them down.
    For both solutions you still have 4 x /26: the first 3 for each firewall to use as NAT and then the last /26 for the firewall interfaces + the ISP internal interface.
    Option 1
    ======
    When you allocate the IPs to the firewall outside interfaces and the ISP internal interface, they come out of the last /26 range but you use a /24 subnet mask. The router will arp out for all addresses within the /24 subnet, but the firewalls should only answer via proxy arp for any statically mapped NAT entries that they have. They will answer because the /26 they use for NAT is within the range of their outside interface IP, because that is using a /24.
    Obviously, because the interfaces are in the same /24 range they will be able to talk to each other without bouncing off the router.
    Option 2
    =======
    Pretty much the same as option 1 except the ISP router uses a /26 subnet and has routes for each /26 NAT subnet pointing to the relevant firewall. This way you don't have as many arps being sent by the ISP router. The firewalls still have to use a /24 mask to enable them to talk with each other. And the firewalls and router still need to have IPs from the last /26.
    Both would need testing and I may have missed something, but I would have thought both would work.
    Jon
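    Jon's option 1 worked through with Python's ipaddress module, as an added example that is not part of the thread. It carves a /24 into four /26s (three per-environment NAT ranges, the fourth for the firewall outside interfaces and the router) and then reports what each firewall's connected subnet contains under a /26 mask versus a /24 mask. Only with the /24 does the connected subnet contain the firewall's own NAT /26, which is what the proxy-ARP behaviour discussed above depends on. 203.0.113.0/24 is a constructed documentation prefix, and the interface address order (router first, then one address per environment) is an assumption.

```python
"""Added example, not code from the thread: Jon's option 1 modelled with
ipaddress. carve() splits the block into four equal subnets, plan()
assigns interface addresses from the last one and checks, per firewall,
whether the connected subnet under a given mask covers its NAT range,
the other firewalls' interfaces and the router.
203.0.113.0/24 is a constructed documentation prefix, not a real block."""
import ipaddress

ENVIRONMENTS = ("QA", "Corporate", "Production")


def carve(block, environments=ENVIRONMENTS):
    """Split block into four equal subnets: one NAT range per environment
    and a last 'infra' range for interface addresses."""
    net = ipaddress.ip_network(block)
    quarters = list(net.subnets(new_prefix=net.prefixlen + 2))
    nat_ranges = dict(zip(environments, quarters[:len(environments)]))
    return nat_ranges, quarters[-1]


def plan(block, interface_prefixlen, environments=ENVIRONMENTS):
    """Assign interface addresses from the infra range (router first, then
    one per firewall; an assumed ordering) and report, per firewall,
    whether the connected subnet under interface_prefixlen contains its
    NAT range, the other firewalls' interface addresses, and the router."""
    nat_ranges, infra = carve(block, environments)
    hosts = list(infra.hosts())
    router_ip = hosts[0]
    fw_ips = dict(zip(environments, hosts[1:1 + len(environments)]))
    report = {}
    for env, ip in fw_ips.items():
        iface = ipaddress.ip_interface(f"{ip}/{interface_prefixlen}")
        connected = iface.network
        report[env] = {
            "interface": str(iface),
            "nat_range": str(nat_ranges[env]),
            # proxy ARP for the NAT range only works when it is on-link
            "covers_nat_range": nat_ranges[env].subnet_of(connected),
            "peers_on_link": all(peer in connected
                                 for other, peer in fw_ips.items() if other != env),
            "router_on_link": router_ip in connected,
        }
    return report


if __name__ == "__main__":
    for prefixlen in (26, 24):
        print(f"interface mask /{prefixlen}")
        for env, row in plan("203.0.113.0/24", prefixlen).items():
            print(f"  {env:<11} {row['interface']:<18} NAT {row['nat_range']:<17} "
                  f"covers_nat={row['covers_nat_range']} peers={row['peers_on_link']}")
```

    Under the /26 mask every firewall still sees its peers and the router on-link (option 1's intra-firewall traffic works either way), but none of them covers its own NAT /26; under the /24 mask all three do, which is the whole reason Jon's design uses the wider mask on the firewall interfaces.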

  • ACE Routed Mode - Servers

    Is it possible in a routed setup for clients to talk to the servers in the server farm directly, i.e. not through the VIP? For example, I want to ping the real server or access a file share, etc.
    As you know, in a routed setup, the server gateway is the ACE. It appears that when I try to talk to the server directly, the server talks back to the ACE and traffic is dropped/lost.
    I ask because our servers run many applications. I need to load balance to just one of the applications (WWW) but not to the other several apps that are running.

    Yes it is possible.
    You need to have an ACL applied to ACE that allows traffic to the real servers.
    Your upstream routers should be configured such that they route the traffic destined to the real servers to the ACE.
    Syed Iftekhar Ahmed

  • ACE in routed mode

    My first question, can anyone recommend some very heavy reading discussing the ACE modules and associated traffic flows and order of operations?  Not just how-to scenarios.
    And the primary question that brings me here:
    I've got an ACE module in a 6500 chassis that's configured for routed mode.  For the purpose of this question we'll say that on the ACE I have a single VLAN for vIPs and a single VLAN for rservers.  vIP VLAN is 12 and rserver VLAN is 101.  I have a pair of App servers being load balanced, and a pair of Web servers being load balanced.
    When user devices send traffic to the Web servers vIP, traffic hits the SVI for VLAN 12 and the service-policy is applied manipulating that traffic and sending it to the VLAN 101 SVI and on down to an rserver.  The same if user devices are sending traffic to the App servers vIP.
    When a Web server tries to send over to the App servers vIP, I get no response.  In fact, from the Web server I can't even ping my gateway (SVI for VLAN 101).  How do I get the Web server to send traffic loadbalanced across the App servers?
    Here's an example ACE config:
    access-list ALL line 8 extended permit ip any any
    probe tcp 5555
      port 5555
      interval 5
      passdetect interval 30
    probe http HTTP
      interval 5
      passdetect interval 30
      expect status 200 200
    rserver host APP01
      description App Server 1
      ip address 10.10.101.15
      probe 5555
      inservice
    rserver host APP02
      description App Server 2
      ip address 10.10.101.16
      probe 5555
      inservice
    rserver host WEB01
      description Web Server 1
      ip address 10.10.101.17
      probe HTTP
      inservice
    rserver host WEB02
      description Web Server 2
      ip address 10.10.101.18
      probe HTTP
      inservice
    serverfarm host APP-SERVERS
      predictor leastconns
      rserver APP01
        inservice
      rserver APP02
        inservice
    serverfarm host WEB-SERVERS
      predictor leastconns
      rserver WEB01
        inservice
      rserver WEB02
        inservice
    sticky ip-netmask 255.255.255.255 address both WEB-STICKY
      replicate sticky
      serverfarm WEB-SERVERS
    sticky ip-netmask 255.255.255.255 address both APP-STICKY
      replicate sticky
      serverfarm APP-SERVERS
    class-map match-any APP-VIP
      description App Servers VIP
      2 match virtual-address 10.10.12.21 tcp eq 5555
    class-map match-any WEB-VIP
      description Web Servers VIP
      2 match virtual-address 10.10.12.20 tcp eq https
      3 match virtual-address 10.10.12.20 tcp eq www
    policy-map type loadbalance first-match L7-APP-SERVERS
      class class-default
        sticky-serverfarm APP-STICKY
    policy-map type loadbalance first-match L7-WEB-SERVERS
      class class-default
        sticky-serverfarm WEB-STICKY
    policy-map multi-match L4-CONTEXT-A-VLAN
      class WEB-VIP
        loadbalance vip inservice
        loadbalance policy L7-WEB-SERVERS
        loadbalance vip icmp-reply
      class APP-VIP
        loadbalance vip inservice
        loadbalance policy L7-APP-SERVERS
        loadbalance vip icmp-reply
    interface vlan 12
      description ACE-CONTEXT-A-vIPs
      ip address 10.10.12.5 255.255.252.0
      alias 10.10.12.4 255.255.252.0
      peer ip address 10.10.12.6 255.255.252.0
      access-group input ALL
      service-policy input MGMT-ACCESS
      service-policy input L4-CONTEXT-A-VLAN
      no shutdown
    interface vlan 101
      description ACE-CONTEXT-A-SERVERS
      ip address 10.10.101.2 255.255.255.0
      alias 10.10.101.1 255.255.255.0
      peer ip address 10.10.101.3 255.255.255.0
      access-group input ALL
      no shutdown

    Hi Adam,
    You can check Gilles' DC troubleshooting guides, which should give you a very good overview of packet processing on the ACE; you can also check the Cisco wiki site, where you will find the scenarios plus a detailed explanation of traffic management.
    Now, going back to your issue, your problem can be split in two parts.
    1. Web server not able to ping the ACE's VLAN 101 SVI.
    ACE is a closed device, meaning that access to each interface/VLAN needs to be explicitly configured; you need to apply the management policy to the 101 SVI to allow ICMP or any other management protocol. You can apply the same one (service-policy input MGMT-ACCESS) or create a new one just for ICMP; that's up to you.
    2. Web servers not able to communicate with App servers through the VIP (and vice versa).
    The problem here is that the servers are trying to communicate through SVI 101, but no VIPs are applied to it, so the ACE will simply discard the packets for 10.10.12.20/10.10.12.21 on that interface. The servers have the ARP entries and everything needed to reach those VIPs, but the ACE has not been instructed to do load balancing for clients reaching it through VLAN 101.
    In order to do load balancing between App and Web servers you need to configure L4-CONTEXT-A-VLAN on SVI 101 as well.
    Also, since your servers are all sitting in the same VLAN, you're going to need client NAT to prevent asymmetric routing on server-to-server communications.
    I've attached a sample with NAT based on your config.
    HTH
    Pablo
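    The two ACE interface-configuration mistakes this thread keeps returning to (the first question's missing alias, and the unapplied management and multi-match policies on the server VLAN that Pablo's answer diagnoses) are easy to catch before a failover or a server-to-VIP test exposes them. The lint below is an added example, not code from the thread or from Cisco: it reads ACE running-config text and flags interfaces that have a peer ip address but no alias, no access-group, no "type management" policy, or no multi-match policy. The sample config is constructed for the example, and its addresses, VLAN numbers and policy names are assumptions, not a real device's configuration.

```python
"""Added example, not code from the thread or from Cisco: a small lint for
ACE routed-mode 'interface vlan' blocks. It flags an interface with a
'peer ip address' but no 'alias' (hosts using the physical address as
gateway lose it on failover), no 'access-group input' (ACE denies traffic
on an interface without an ACL), no 'type management' policy applied
(ICMP/SSH to the SVI is dropped), and no multi-match policy applied (VIP
traffic arriving on that VLAN is discarded). The config below is
constructed: VLAN 12 is complete, VLAN 101 shows all three thread issues."""

SAMPLE_CONFIG = """\
policy-map type management first-match MGMT-ACCESS
  class REMOTE_ACCESS
    permit
policy-map multi-match L4-CONTEXT-A-VLAN
  class WEB-VIP
    loadbalance vip inservice
interface vlan 12
  description ACE-CONTEXT-A-vIPs
  ip address 10.10.12.5 255.255.252.0
  alias 10.10.12.4 255.255.252.0
  peer ip address 10.10.12.6 255.255.252.0
  access-group input ALL
  service-policy input MGMT-ACCESS
  service-policy input L4-CONTEXT-A-VLAN
  no shutdown
interface vlan 101
  description ACE-CONTEXT-A-SERVERS
  ip address 10.10.101.2 255.255.255.0
  peer ip address 10.10.101.3 255.255.255.0
  access-group input ALL
  no shutdown
"""


def parse_ace_config(text):
    """Read only what the lint needs: names of management and multi-match
    policy-maps, and per 'interface vlan N' block the ip, peer, alias,
    applied service-policies, access-groups and shutdown state. Child
    lines are recognised by leading whitespace, as in running-config."""
    mgmt_policies, multi_match = set(), set()
    interfaces = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        tokens = raw.split()
        if not raw[0].isspace():            # a new top-level block
            current = None
            if tokens[:2] == ["interface", "vlan"] and len(tokens) > 2:
                current = interfaces.setdefault(int(tokens[2]), {
                    "ip": None, "peer": None, "alias": None,
                    "policies": [], "access_groups": [], "shutdown": True})
            elif tokens[:4] == ["policy-map", "type", "management", "first-match"]:
                mgmt_policies.add(tokens[4])
            elif tokens[:2] == ["policy-map", "multi-match"]:
                multi_match.add(tokens[2])
            continue
        if current is None:                 # child of a block we ignore
            continue
        if tokens[:2] == ["ip", "address"]:
            current["ip"] = tokens[2]
        elif tokens[:3] == ["peer", "ip", "address"]:
            current["peer"] = tokens[3]
        elif tokens[0] == "alias":
            current["alias"] = tokens[1]
        elif tokens[:2] == ["service-policy", "input"]:
            current["policies"].append(tokens[2])
        elif tokens[:2] == ["access-group", "input"]:
            current["access_groups"].append(tokens[2])
        elif tokens == ["no", "shutdown"]:
            current["shutdown"] = False
    return mgmt_policies, multi_match, interfaces


def lint_ace_config(text):
    """Return a list of (vlan, finding) tuples, empty when every VLAN
    interface passes the checks described in the module docstring."""
    mgmt_policies, multi_match, interfaces = parse_ace_config(text)
    findings = []
    for vlan, intf in sorted(interfaces.items()):
        applied = intf["policies"]
        if intf["peer"] and not intf["alias"]:
            findings.append((vlan, "peer ip address configured but no alias; hosts using "
                                   f"{intf['ip']} as gateway lose it on failover"))
        if not intf["access_groups"]:
            findings.append((vlan, "no access-group input; ACE denies traffic by default"))
        if not any(p in mgmt_policies for p in applied):
            findings.append((vlan, "no management policy applied; ICMP/SSH to this SVI is dropped"))
        if not any(p in multi_match for p in applied):
            findings.append((vlan, "no multi-match policy applied; VIP traffic from this VLAN is discarded"))
        if intf["shutdown"]:
            findings.append((vlan, "interface has no 'no shutdown'"))
    return findings


if __name__ == "__main__":
    for vlan, finding in lint_ace_config(SAMPLE_CONFIG):
        print(f"vlan {vlan}: {finding}")
```

    Run against the sample it reports three findings, all on VLAN 101; adding an alias and the two service-policy lines to that block brings it to zero. The multi-match check is deliberately coarse (it only asks whether some multi-match policy is applied), because which VIPs a server VLAN should see is a design decision, not something a lint can infer.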

  • Reg:FWSM router mode issue

    Hi,
    I have a Cisco FWSM installed on Cisco 7613 router,the topology is like mentioned below,
            7613+{FWSM}------3560---------3560----[10.220.0.0/29,10.220.1.0/29,10.220.2.0/29] 
    Here we created a p2p link between the 7613 gig port and the 3560 gig port (say 10.220.1.252/29), and then there is a trunk between both 3560 switches. We wish to run the FWSM in router mode and configured vlan groups 10 (101,102) and 20 (200,201), and assigned both these groups to the firewall module. On the router, vlan 200 has been given IP address 192.168.2.1/24, while on the FWSM int vl 200 has been given IP 192.168.2.2. Although the interfaces are up and pinging their individual IP addresses, they are not pinging each other (both IP addresses appear in sh arp though). Kindly help in resolving this issue.
    Also I configured vlan 201 as inside; it is also up and visible in the ARP of the router but not pinging others. Kindly help in the resolution of this issue.
    We need to put this firewall in front of the router, which has a serial line to another 7600 router. How would I take traffic to the FWSM? Please suggest what else I need to do, as I'm new to FWSM.
    router config:
    Router#sh firewall module
    Module Vlan-groups
      04   1,2
    Router#sh firewall vlan-group
    Display vlan-groups created by both ACE module and FWSM
    Group    Created by      vlans
        1           ACE      100-101,200-202
        2                    <empty>
    Router#sh arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  10.225.62.145           -   001d.a156.9300  ARPA   GigabitEthernet10/1
    Internet  10.225.62.146         107   001d.a1a5.fbc1  ARPA   GigabitEthernet10/1
    Internet  192.168.2.1             -   001d.a156.9300  ARPA   Vlan200
    Internet  192.168.2.2             7   0007.0e5c.3d00  ARPA   Vlan200
    Internet  192.168.3.1             4   0007.0e5c.3d00  ARPA   Vlan201
    Internet  192.168.3.2             -   001d.a156.9300  ARPA   Vlan201
    Fwsm config:
    hostname FWSM
    interface Vlan200
    nameif outside
    security-level 0
    ip address 192.168.2.2 255.255.255.0
    interface Vlan201
    nameif inside
    security-level 100
    ip address 192.168.3.1 255.255.255.0
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no failover
    no asdm history enable
    arp timeout 14400
    route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect dns maximum-length 512
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect smtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:4e3eadb1a489f3b696d0c6da8b1b20b9
    : end
    FWSM#
    FWSM# sh arp
            outside 192.168.2.1 001d.a156.9300
            inside 192.168.3.2 001d.a156.9300
            eobc 127.0.0.81 0000.1800.0000
    FWSM# sh int
    Interface Vlan200 "outside", is up, line protocol is up
      Hardware is EtherSVI
            MAC address 0007.0e5c.3d00, MTU 1500
            IP address 192.168.2.2, subnet mask 255.255.255.0
      Traffic Statistics for "outside":
            6 packets input, 658 bytes
            12 packets output, 1316 bytes
            474 packets dropped
    Interface Vlan201 "inside", is up, line protocol is up
      Hardware is EtherSVI
            MAC address 0007.0e5c.3d00, MTU 1500
            IP address 192.168.3.1, subnet mask 255.255.255.0
      Traffic Statistics for "inside":
            6 packets input, 658 bytes
            7 packets output, 726 bytes
            107 packets dropped

    hi,
    Thanks for being so helpful. There is a little issue that's arisen: I cannot ping the inside address configured on the FWSM (192.168.3.1), whereas I can ping 192.168.3.2 on the router interface. I cannot telnet to the FWSM using its outside interface IP 192.168.2.2 either. Here is my FWSM config; kindly suggest if there is any mistake.
    Thanks.
    Also I tried to ping the inside FWSM interface from my client 10.220.2.2 and enabled debug, to get these:
    FWSM# debug icmp trace 255
    debug icmp trace enabled at level 255
    FWSM# ICMP echo request (len 50 id 2 seq 34642) 10.220.2.2 > 192.168.2.2
    ICMP echo reply (len 50 id 2 seq 34642) 192.168.2.2 > 10.220.2.2
    ICMP echo request (len 50 id 2 seq 34898) 10.220.2.2 > 192.168.3.1
    ICMP echo reply (len 50 id 2 seq 34898) 192.168.3.1 > 10.220.2.2
    ICMP echo request (len 32 id 2 seq 35154) 10.220.2.2 > 192.168.3.1
    ICMP echo reply (len 32 id 2 seq 35154) 192.168.3.1 > 10.220.2.2
    ICMP echo request (len 32 id 2 seq 43602) 10.220.2.2 > 192.168.3.1
    ICMP echo reply (len 32 id 2 seq 43602) 192.168.3.1 > 10.220.2.2
    ICMP echo request (len 32 id 2 seq 49746) 10.220.2.2 > 192.168.3.1
    ICMP echo reply (len 32 id 2 seq 49746) 192.168.3.1 > 10.220.2.2
    ICMP echo request (len 32 id 2 seq 55634) 10.220.2.2 > 192.168.3.1
    ICMP echo reply (len 32 id 2 seq 55634) 192.168.3.1 > 10.220.2.2
    ICMP echo request (len 50 id 2 seq 25683) 10.220.2.2 > 192.168.2.2
    ICMP echo reply (len 50 id 2 seq 25683) 192.168.2.2 > 10.220.2.2
    ICMP echo request (len 50 id 2 seq 25939) 10.220.2.2 > 192.168.3.1
    ICMP echo reply (len 50 id 2 seq 25939) 192.168.3.1 > 10.220.2.2
    Kindly suggest what could be done.
    thanks.

  • ACE bridge mode , FWSM routed mode

    I have the following scenario:
    MSFC ---vlan 777----FWSM----vlan160---ACE----VLAN180
    FWSM is working in routed mode and vlan 777 is shared between the MSFC and FWSM.
    ACE is working in bridged mode and vlan 160 is shared between the FWSM and ACE.
    vlan 180 is the server-side vlan.
    I want the FWSM IP address to be the server gateway while the ACE module is in bridge mode.
    I created a BVI interface but I can't ping from ACE to FWSM or from FWSM to ACE.
    If I change ACE to routed mode, I can ping to FWSM.
    Can anybody help me with this issue?

    The config looks good.
    I would look at the arp table on FWSM and ACE when the ping fails and also capture a sniffer trace of ACE tengig interface and see if the ping request goes out - on which vlan - and if we get a response.
    Is everything else working?
    Like ping through the ACE module ?
    Your config does not show a 'no shutdown' on the vlan interface, but I assume you fixed that already.
    Gilles.

  • ACE 4710 - 'reverse proxy' infront of serverfarm - fail-over/sorry server design issue

    Hi All,
    I'm working on a specific config and have an issue in the backup farm/fail-over/sorry server area.
    The customer wants the following:
    They have an existing serverfarm with X web servers, they want a single server to act as a reverse-proxy in front of the farm.
    So that all traffic goes through that server; that server then forwards the request to the original serverfarm.
    The problem in my design is in the fail-over: if I configure the reverse-proxy server in a new serverfarm and use the original (web servers) farm as backup it has fail-over, but if the reverse-proxy AND the original serverfarm fail, there is no nice way to get the users onto a sorry server.
    I could give the original serverfarm's rservers a 'backup standby' server but that won't give the desired effect either.
    For maintenance they first take 50% of the servers offline and switch to the other 50% after that, so then users would see a sorry page even if there were operational servers left in the farm.
    The 4710's are running routed mode, and the farms use Sticky Cookie, and also some http URL & Cookie matching is done.
    Anyone have an idea how to build this?

    Hi,
    It needs additional testing, but as per my understanding if you put the backups in this order then the last backup server will be chosen first.
    In your case it will be like "RSERVER1 >> backup sorry server >> backup web content".
    As per the example below:
    I put test2 as the first backup server and test1 as the second backup server, but if you look at the first part it took rserver test1 as the first backup.
    serverfarm host 1313-GIN-GWAP-SDC-80
      rserver RSERVER1
        backup-rserver test1
        inservice
      rserver test1
        inservice standby
      rserver test2
        inservice standby
    regards,
    Ajay Kumar

  • ACE in a routed mode

    Guys,
    Should the ACE be the gateway for the load balanced servers in a routed mode scenario ? If yes then why ?

    Yes, the ACE interface on the server VLAN should be the gateway. Routed mode implies Layer 2 adjacency of the servers and the ACE. If the ACE is not the gateway and you are not doing source NAT on the ACE, then the servers would respond around the ACE to the client via their gateway. Unless specifically configured for direct server return, the client would be seeing the response from the server address rather than the VIP, resulting in failure.
