ACE VIPs not advertising or visible
Hi,
The VIPs on my ACE configuration are not advertising themselves. They don't show up in the ARP table in the upstream router/firewall.
The VIPs are configured to be "Inservice". I have probes that are successful. I can access the real servers behind the ACE successfully via pings, ssh, http, etc.
Here's part of my config:
policy-map multi-match int204-n2
class SMTP_Inbound_LB
loadbalance vip inservice
loadbalance policy SMTP_Inbound_LB-l7slb
loadbalance vip icmp-reply active
Is there anything else I need to add? The VIPs aren't responding to pings. The VIPs aren't showing up in the arp table of the upstream router/firewall.
I know there used to be a "loadbalance vip advertise" command, but that command is no longer valid or available.
I am running code version A1.8(0) on the ACE 4710 appliance.
I have this ACE also configured as a bridge. Is there something special I need to add to make the VIPs advertise themselves, respond to pings, etc.?
Any help would be appreciated.
Thank you.
Hi Gilles,
Yes, the policy is assigned to both VLAN interfaces of the bridge-group.
Yes, all VIPs show INSERVICE when I run the command "show service-policy int204-n2"
None of the VIPs are responding to pings or showing up in arp table of the upstream router/firewall.
The VIPs are part of the local subnet. I can't ping the local interface (BVI interface) of the bridge-group from the upstream firewall/router.
Yes, the ACE has an arp entry for the upstream router/firewall. The upstream firewall is also the ACE's default-gateway for this context.
Thanks,
Herman
Similar Messages
-
ACE VIP not accessible from client
i have clint vlan configured with vlan 30
and servers vlan with vlan 100..
i have 2 real servers in server vlan 172.16.100.20 and 172.16.100.30
ACE VIP is active and serverfarm is OPERATIONAL
from client and Serve i am able to ping to VIP.
but when i try to browse http://VIP from client its not working.
could any one help me to identify the issue why i am not abl to access http://VIP or https://VIP from cientHi ssivanan,
I need more information to asnwer for your question. Can you pls put your configuration ?
Here are some points I like to check.
+ Are you able to browse the contents locally, specifying own ip address on the one of servers ?
+ Do those servers have a route to vlan 30 ?
+ How does the browsing not working ? Can you elaborate ?
+ What do you see in "show conn" when it fails ?
Great documents on CCO. Worth checking.
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide%2C_Release_A2%28x%29_--_Troubleshooting_Connectivity
- Kim -
Cisco ACE VIP not responding to Pings
I've searched..... I cannot figure out why my VIPs do not ping. I have two vlans that both replay to a ping on the interface IPs. And I'm new at this, thanks in advace.
GKEL2-ACE1/35568059-Axia# show run
Generating configuration....
no ft auto-sync startup-config
logging enable
logging timestamp
logging trap 5
logging host 10.85.242.100 udp/514
login timeout 60
crypto chaingroup walnut-wcrt100
cert .dom.cer
cert wcrt100.pem
crypto chaingroup .dom-wcrt100
cert .dom.cer
cert wcrt100.pem
crypto csr-params .dom
country CA
state AB
organization-unit IT
common-name .dom
serial-number 1000
email support
crypto csr-params .dom
country CA
state AB
organization-unit IT
common-name .dom
serial-number 1001
email support
access-list ANYONE line 10 extended permit ip any any
access-list ANYONE line 20 extended permit icmp any any
access-list All line 1 extended permit ip any any
probe http HTTP1025
port 1025
interval 2
faildetect 2
passdetect interval 2
request method get url /Login.css
open 1
probe icmp PING
interval 2
faildetect 2
passdetect interval 60
probe tcp PROBE-TCP
interval 2
faildetect 2
passdetect interval 10
passdetect count 2
open 1
rserver redirect REDIRECT-HTTPS
webhost-redirection https://%h%p 302
inservice
rserver host WL1
ip address 10.205.70.100
inservice
rserver host WL2
ip address 10.205.70.101
inservice
rserver host WLDev1
ip address 10.205.71.202
inservice
rserver host WLDev2
ip address 10.205.71.203
inservice
rserver host WLTest1
ip address 10.205.71.150
inservice
rserver host WLTest2
ip address 10.205.71.151
inservice
serverfarm redirect REDIRECT-SERVERFARM
rserver REDIRECT-HTTPS
inservice
serverfarm host WEBLOGIC-7433
predictor leastconns
probe PING
rserver WL1 7433
inservice
rserver WL2 7433
inservice
serverfarm host WEBLOGIC-PROD
predictor leastconns
probe PING
rserver WL1 1025
inservice
rserver WL2 1026
inservice
serverfarm host WEBLOGIC-TEST-SSH
predictor leastconns
rserver WLTest1 22
inservice
rserver WLTest2 22
inservice
sticky http-cookie acecookie STICKY-INSERT-COOKIE
cookie insert
serverfarm WEBLOGIC-PROD
action-list type modify http REWRITE
header insert response Via header-value "1.1 web:%ps (ace10-8/a2)value"
header insert request Via header-value "1.1 web:%ps (ace10-8/a2)value"
header insert request X-Forwarded-Proto header-value "%pd"
ssl url rewrite location "*.*"
ssl header-insert session Id
ssl-proxy service ssl-client
ssl-proxy service ssl-proxy
key netcracker.cal.dom.key
cert netcracker.cal.dom.cer
chaingroup netcracker.cal.dom-wcrt100
class-map match-any L4VIPCLASS
2 match virtual-address 10.205.70.80 any
class-map type http loadbalance match-any L7-URL
2 match http url /*.*
class-map type http loadbalance match-all L7SLBCLASS
2 match http url /*
class-map type management match-any REMOTE-MANAGEMENT
2 match protocol telnet any
3 match protocol icmp any
4 match protocol ssh any
5 match protocol snmp any
6 match protocol http any
7 match protocol https any
class-map match-any SSH_Test
2 match virtual-address 10.205.71.80 tcp eq 22
class-map match-any weblogic-7433
2 match virtual-address 10.205.70.80 tcp eq 7433
class-map match-any weblogic-http
2 match virtual-address 10.205.70.80 tcp eq www
class-map match-any weblogic-https
2 match virtual-address 10.205.70.80 tcp eq https
policy-map type management first-match REMOTE-MANAGEMENT
class REMOTE-MANAGEMENT
permit
policy-map type loadbalance first-match L7SLBPOLICY
class L7SLBCLASS
ssl-proxy client ssl-client
policy-map type loadbalance first-match SSH_Test_Policy
class class-default
serverfarm WEBLOGIC-TEST-SSH
policy-map type loadbalance first-match weblogic-7433-policy
class class-default
serverfarm WEBLOGIC-7433
ssl-proxy client ssl-client
policy-map type loadbalance first-match weblogic-http-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-https-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE
class class-default
serverfarm WEBLOGIC-PROD
action REWRITE
ssl-proxy client ssl-proxy
policy-map multi-match L4LSBPOLICY
class L4VIPCLASS
loadbalance policy L7SLBPOLICY
policy-map multi-match LB-VIP
class weblogic-http
loadbalance vip inservice
loadbalance policy weblogic-http-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
class weblogic-https
loadbalance vip inservice
loadbalance policy weblogic-https-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
class weblogic-7433
loadbalance vip inservice
loadbalance policy weblogic-7433-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
policy-map multi-match LB-VIP-Test
class SSH_Test
loadbalance vip inservice
loadbalance policy SSH_Test_Policy
loadbalance vip icmp-reply
interface vlan 3440
description Internal Production
ip address 10.205.70.250 255.255.255.0
access-group input All
access-group output All
nat-pool 1 10.205.70.249 10.205.70.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP
service-policy input L4LSBPOLICY
no shutdown
interface vlan 3516
description Internal Test/Dev
ip address 10.205.71.250 255.255.255.0
access-group input All
access-group output All
nat-pool 2 10.205.71.249 10.205.71.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP-Test
no shutdown
interface vlan 3520
description LB
ip address 10.205.72.1 255.255.255.0
access-group input All
access-group output All
no shutdown
ip route 0.0.0.0 0.0.0.0 10.205.70.253
username admin password 5 $1$r2r0NmEH$z8S0RxYdhwOE4RGXQ41 role Admin domain default-domain
username cust_admin password 5 $1$/tOIIfUK$yigE519cqLq1IFgX. role Admin domain default-domainI have removed that service policy completely. It was from some knowledgebase article when I was trying to get http redirection working.
There is no more L4LSBPOLICY nor L4VIPCLASS, Thanks a lot for looking at this...
GKEL2-ACE1/35568059-Axia# show service-policy summary
service-policy: LB-VIP
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
weblogic-http 10.205.70.80 tcp eq 80 1,3440 IN-SRVC 0 50773 53
weblogic-https 10.205.70.80 tcp eq 443 1,3440 IN-SRVC 0 7406 112
weblogic-7433 10.205.70.80 tcp eq 7433 1,3440 IN-SRVC 0 145321 30
service-policy: LB-VIP-Dev
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
weblogic-http-dev 10.205.71.90 tcp eq 80 1,3516 IN-SRVC 0 0 0
weblogic-https-dev 10.205.71.90 tcp eq 443 1,3516 IN-SRVC 0 0 0
weblogic-7433-dev 10.205.71.90 tcp eq 7433 1,3516 IN-SRVC 0 0 0
service-policy: LB-VIP-Test
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
SSH_Test 10.205.71.80 tcp eq 22 1,3516 IN-SRVC 0 29 24
weblogic-http-test 10.205.71.80 tcp eq 80 1,3516 IN-SRVC 0 117 40
weblogic-https-test 10.205.71.80 tcp eq 443 1,3516 IN-SRVC 0 161 61
weblogic-7433-test 10.205.71.80 tcp eq 7433 1,3516 IN-SRVC 0 27 11
class-map type http loadbalance match-any L7-URL
2 match http url /*.*
class-map type http loadbalance match-all L7SLBCLASS
2 match http url /*
class-map type management match-any REMOTE-MANAGEMENT
2 match protocol telnet any
3 match protocol icmp any
4 match protocol ssh any
5 match protocol snmp any
6 match protocol http any
7 match protocol https any
class-map match-any SSH_Test
2 match virtual-address 10.205.71.80 tcp eq 22
class-map match-any weblogic-7433
2 match virtual-address 10.205.70.80 tcp eq 7433
class-map match-any weblogic-7433-dev
2 match virtual-address 10.205.71.90 tcp eq 7433
class-map match-any weblogic-7433-test
2 match virtual-address 10.205.71.80 tcp eq 7433
class-map match-any weblogic-http
2 match virtual-address 10.205.70.80 tcp eq www
class-map match-any weblogic-http-dev
2 match virtual-address 10.205.71.90 tcp eq www
class-map match-any weblogic-http-test
2 match virtual-address 10.205.71.80 tcp eq www
class-map match-any weblogic-https
2 match virtual-address 10.205.70.80 tcp eq https
class-map match-any weblogic-https-dev
2 match virtual-address 10.205.71.90 tcp eq https
class-map match-any weblogic-https-test
2 match virtual-address 10.205.71.80 tcp eq https
policy-map type management first-match REMOTE-MANAGEMENT
class REMOTE-MANAGEMENT
permit
policy-map type loadbalance first-match L7SLBPOLICY
class L7SLBCLASS
ssl-proxy client ssl-client
policy-map type loadbalance first-match SSH_Test_Policy
class class-default
serverfarm WEBLOGIC-TEST-SSH
policy-map type loadbalance first-match weblogic-7433-dev-policy
class class-default
serverfarm WEBLOGIC-7433-Dev
policy-map type loadbalance first-match weblogic-7433-policy
class class-default
serverfarm WEBLOGIC-7433
ssl-proxy client ssl-client
policy-map type loadbalance first-match weblogic-7433-test-policy
class class-default
serverfarm WEBLOGIC-7433-Test
ssl-proxy client ssl-client
policy-map type loadbalance first-match weblogic-http-dev-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-http-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-http-test-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-https-dev-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE-DEV
class class-default
serverfarm WEBLOGIC-DEV
action REWRITE
policy-map type loadbalance first-match weblogic-https-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE
class class-default
serverfarm WEBLOGIC-PROD
action REWRITE
ssl-proxy client ssl-proxy
policy-map type loadbalance first-match weblogic-https-test-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE-TEST
class class-default
serverfarm WEBLOGIC-TEST
action REWRITE
ssl-proxy client ssl-proxy-nctest
policy-map multi-match LB-VIP
class weblogic-http
loadbalance vip inservice
loadbalance policy weblogic-http-policy
loadbalance vip icmp-reply active
nat dynamic 1 vlan 3440
class weblogic-https
loadbalance vip inservice
loadbalance policy weblogic-https-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
class weblogic-7433
loadbalance vip inservice
loadbalance policy weblogic-7433-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
policy-map multi-match LB-VIP-Dev
class weblogic-http-dev
loadbalance vip inservice
loadbalance policy weblogic-http-dev-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-https-dev
loadbalance vip inservice
loadbalance policy weblogic-https-dev-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-7433-dev
loadbalance vip inservice
loadbalance policy weblogic-7433-dev-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
policy-map multi-match LB-VIP-Test
class SSH_Test
loadbalance vip inservice
loadbalance policy SSH_Test_Policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-http-test
loadbalance vip inservice
loadbalance policy weblogic-http-test-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-https-test
loadbalance vip inservice
loadbalance policy weblogic-https-test-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
ssl-proxy server ssl-proxy-nctest
class weblogic-7433-test
loadbalance vip inservice
loadbalance policy weblogic-7433-test-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
ssl-proxy server ssl-proxy-nctest
interface vlan 3440
description Internal Production
ip address 10.205.70.250 255.255.255.0
mac-sticky enable
access-group input All
access-group output All
nat-pool 1 10.205.70.249 10.205.70.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP
no shutdown
interface vlan 3516
description Internal Test/Dev
ip address 10.205.71.250 255.255.255.0
mac-sticky enable
access-group input All
access-group output All
nat-pool 1 10.205.71.240 10.205.71.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP-Test
service-policy input LB-VIP-Dev
no shutdown
interface vlan 3520
description LB
ip address 10.205.72.1 255.255.255.0
access-group input All
access-group output All
no shutdown
ip route 0.0.0.0 0.0.0.0 10.205.70.253 -
ACE VIP not Responding to Ping and cant Connect
Hello All,
I recently deployed an ACE 4710 Appliance. Configs seems right but clients cant Ping the VIP and acnt also connect to the VIP. Also VIP Dosent show in 'sh arp'.
Pls HELP!!!
See the configs!!
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.10.11 10:48:14 =~=~=~=~=~=~=~=~=~=~=~=
sh runGenerating configuration....
boot system image:c4710ace-mz.A4_2_0.bin
hostname STERLING-ACE
interface gigabitEthernet 1/1
channel-group 1
no shutdown
interface gigabitEthernet 1/2
channel-group 1
no shutdown
interface gigabitEthernet 1/3
channel-group 1
no shutdown
interface gigabitEthernet 1/4
channel-group 1
no shutdown
interface port-channel 1
switchport trunk allowed vlan 10,200,205,210,215
no shutdown
--More--
access-list INBOUND line 10 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
access-list INBOUND line 24 extended permit icmp any any echo
probe http BANK-APP
interval 2
faildetect 2
passdetect interval 2
expect status 200 200
open 1
probe icmp PING
description ***simple ping monitor***
interval 10
passdetect interval 60
passdetect count 2
receive 1
probe tcp TCP80
interval 10
passdetect interval 10
passdetect count 2
--More--
receive 1
open 5
rserver host BANK-APP-SERVER1
description ***GUI SERVER 1***
ip address 172.20.1.50
probe PING
inservice
rserver host BANK-APP-SERVER2
description ***GUI SERVER 2***
ip address 172.20.1.51
probe PING
inservice
rserver host BANK-APP-SERVER3
description ***GUI SERVER 3***
ip address 172.20.1.52
probe PING
inservice
rserver host BANK-APP-SERVER4
description ***GUI SERVER 4***
ip address 172.20.1.53
probe PING
--More--
inservice
rserver host THIN-CLIENT1
description ***CLI SERVER 1***
ip address 172.20.1.34
probe PING
inservice
rserver host THIN-CLIENT2
description ***CLI SERVER 2***
ip address 172.20.1.35
probe PING
inservice
rserver host THIN-CLIENT3
description ***CLI SERVER 3***
ip address 172.20.1.36
probe PING
inservice
rserver host THIN-CLIENT4
description ***CLI SERVER 4***
ip address 172.20.1.37
probe PING
inservice
--More--
serverfarm host CLI-GROUP
predictor leastconns
probe TCP80
rserver THIN-CLIENT1
inservice
rserver THIN-CLIENT2
inservice
rserver THIN-CLIENT3
inservice
rserver THIN-CLIENT4
inservice
serverfarm host GUI-GROUP
predictor leastconns
probe TCP80
rserver BANK-APP-SERVER1
inservice
rserver BANK-APP-SERVER2
inservice
rserver BANK-APP-SERVER3
inservice
rserver BANK-APP-SERVER4
inservice
--More--
parameter-map type connection TCP-PARAM-MAP
set timeout inactivity 360000
class-map type management match-any REMOTEACCESS
description remote access traffic match
2 match protocol ssh any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol xml-https any
6 match protocol http any
7 match protocol https any
class-map match-all TCP-CLASS
description TCP CONNECTION TIMER
2 match any
class-map match-all VS_WEB1
2 match virtual-address 10.0.0.115 any
class-map match-all VS_WEB2
2 match virtual-address 10.0.0.113 any
policy-map type management first-match REMOTEPOLICY
--More--
class REMOTEACCESS
permit
policy-map type loadbalance first-match HTTP_LB1
class class-default
serverfarm CLI-GROUP
policy-map type loadbalance first-match HTTP_LB2
class class-default
serverfarm GUI-GROUP
policy-map multi-match HTTP_MULTI_MATCH1
class VS_WEB1
loadbalance vip inservice
loadbalance policy HTTP_LB1
loadbalance vip icmp-reply
policy-map multi-match HTTP_MULTI_MATCH2
class VS_WEB2
loadbalance vip inservice
loadbalance policy HTTP_LB2
loadbalance vip icmp-reply
policy-map multi-match TCPIP-POLICY
class TCP-CLASS
connection advanced-options TCP-PARAM-MAP
service-policy input REMOTEPOLICY
service-policy input TCPIP-POLICY
interface vlan 10
description ***LAN LEG***
ip address 10.0.0.66 255.255.255.0
no icmp-guard
access-group input INBOUND
no shutdown
interface vlan 200
description ***THIN CLIENT VLAN****
ip address 172.20.1.33 255.255.255.240
no icmp-guard
access-group input INBOUND
service-policy input HTTP_MULTI_MATCH1
no shutdown
interface vlan 210
description ***BANK APP SERVER VLAN****
ip address 172.20.1.49 255.255.255.240
no icmp-guard
--More--
access-group input INBOUND
service-policy input HTTP_MULTI_MATCH2
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.0.200
username admin password 5 $1$ouG5.Okh$jwBoWkMiWstoTPwb9K9ku1 role Admin domain
default-domain
username www password 5 $1$M31zwdiF$iY8Y5e9nV2sMM2HxwrQI7/ role Admin domain de
fault-domain
STERLING-ACE/Admin#
Thanks!!Hi Joshua,
class-map match-all VS_WEB1
2 match virtual-address 10.0.0.115 any
class-map match-all VS_WEB2
2 match virtual-address 10.0.0.113 any
You have applied
"service-policy input HTTP_MULTI_MATCH1" in VLAN 200 and 210 but as per the config I believe it should be applied to VLAN10.
interface vlan 10
description ***LAN LEG***
ip address 10.0.0.66 255.255.255.0
no icmp-guard
access-group input INBOUND
no shutdown
Can you apply the service policy in VLAN 10 and let me know the result. -
ACE VIP OK HTTP, NOK other TCP port
Hi,
we are having issues in configuring load balancing for a TCP port. For HTTP it's working without issues and we have the ACE also balancing for other TCP ports.
Here goes the relevant config:
probe http PROBE-HTTP
interval 5
passdetect interval 2
passdetect count 1
request method get url /idc/
expect status 200 200
probe tcp PROBE-TCP
port 4444
interval 5
passdetect interval 10
rserver host PRD1
ip address 10.10.10.1
inservice
rserver host PRD2
ip address 10.10.10.2
inservice
serverfarm host SF-HTTP
probe PROBE-HTTP
rserver PRD1 80
inservice
rserver PRD2 80
inservice
serverfarm host SF-TCP
probe PROBE-TCP
rserver PRD1 4444
inservice
rserver PRD2 4444
inservice
sticky ip-netmask 255.255.255.255 address source SC-IP-PRD-HTTP
timeout 10
serverfarm SF-HTTP
class-map match-all NAT-VIP-HTTP
2 match virtual-address 10.10.35.1 any
class-map match-all NAT-VIP-TCP
2 match virtual-address 10.10.35.1 tcp eq 4444
policy-map type loadbalance first-match LB-VIP-HTTP
class class-default
sticky-serverfarm SC-IP-PRD-HTTP
insert-http x-forward header-value "%is"
policy-map type loadbalance first-match LB-NAT-VIP-TCP
class class-default
serverfarm SF-TCP
policy-map multi-match POLICY-RSERVER-VIP
class NAT-VIP-TCP
loadbalance vip inservice
loadbalance policy LB-NAT-VIP-TCP
loadbalance vip icmp-reply active
nat dynamic 1 vlan 200
class NAT-VIP-HTTP
loadbalance vip inservice
loadbalance policy LB-VIP-HTTP
loadbalance vip icmp-reply active
nat dynamic 1 vlan 200
interface vlan 200
description SERVER-SIDE
ip address 10.10.14.2 255.255.255.0
alias 10.10.14.1 255.255.255.0
peer ip address 10.10.14.3 255.255.255.0
access-group input EVERYONE
nat-pool 1 10.10.4.6 10.10.4.6 netmask 255.255.255.255 pat
service-policy input AllowICMP
service-policy input POLICY-RSERVER-VIP
no shutdown
The probe are OK, but nothing seems to get to the VIP:
ACE/CTX# show probe PROBE-TCP
probe : PROBE-TCP
type : TCP
state : ACTIVE
port : 4444 address : 0.0.0.0 addr type : -
interval : 5 pass intvl : 10 pass count : 3
fail count: 3 recv timeout: 10
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
serverfarm : SF-TCP
real : PRD1[4444]
10.10.10.1 8853 1 8852 SUCCESS
real : PRD2[4444]
10.10.10.2 8853 1 8852 SUCCESS
ACE/CTX# show serverfarm SF-TCP detail
serverfarm : SF-TCP, type: HOST
total rservers : 2
active rservers: 2
description : -
state : ACTIVE
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 1
total conn-dropcount : 0
Probe(s) :
PROBE-TCP, type = TCP
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: PRD1
10.10.10.1:4444 8 OPERATIONAL 0 0 0
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: PRD2
10.10.10.2:4444 8 OPERATIONAL 0 0 0
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
ACE/CTX# show service-policy POLICY-RSERVER-VIP
Status : ACTIVE
Interface: vlan 1 200
service-policy: POLICY-RSERVER-VIP
class: NAT-VIP-TCP
nat:
nat dynamic 1 vlan 200
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
loadbalance:
L7 loadbalance policy: LB-NAT-VIP-TCP
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
I see a lot of this messages in the logging of the ACE:
show logging | i 4444
22:02:52 : %ACE-6-302023: Teardown TCP connection 0x18b6 for vlan200:10.10.14.2/26768 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1051 TCP FINs
22:02:55 : %ACE-6-302022: Built TCP connection 0x14dc for vlan200:10.10.14.2/30318 (10.10.10.1/30318) to vlan200:10.10.10.1/4444 (10.10.14.2/4444)
22:02:55 : %ACE-6-302023: Teardown TCP connection 0x14dc for vlan200:10.10.14.2/30318 to vlan200:10.10.10.1/4444 duration 0:00:00 bytes 1103 TCP FINs
22:02:57 : %ACE-6-302022: Built TCP connection 0xc6c for vlan200:10.10.14.2/26784 (10.10.10.2/26784) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
22:02:57 : %ACE-6-302023: Teardown TCP connection 0xc6c for vlan200:10.10.14.2/26784 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1103 TCP FINs
22:03:02 : %ACE-6-302022: Built TCP connection 0x151a for vlan200:10.10.14.2/26800 (10.10.10.2/26800) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
show logging | i 4444
22:02:52 : %ACE-6-302023: Teardown TCP connection 0x18b6 for vlan200:10.10.14.2/26768 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1051 TCP FINs
22:02:55 : %ACE-6-302022: Built TCP connection 0x14dc for vlan200:10.10.14.2/30318 (10.10.10.1/30318) to vlan200:10.10.10.1/4444 (10.10.14.2/4444)
22:02:55 : %ACE-6-302023: Teardown TCP connection 0x14dc for vlan200:10.10.14.2/30318 to vlan200:10.10.10.1/4444 duration 0:00:00 bytes 1103 TCP FINs
22:02:57 : %ACE-6-302022: Built TCP connection 0xc6c for vlan200:10.10.14.2/26784 (10.10.10.2/26784) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
22:02:57 : %ACE-6-302023: Teardown TCP connection 0xc6c for vlan200:10.10.14.2/26784 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1103 TCP FINs
22:03:02 : %ACE-6-302022: Built TCP connection 0x151a for vlan200:10.10.14.2/26800 (10.10.10.2/26800) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
The client request it's going trough an ASA, in the ASA side I see that the TCP connection it' half-open with SAaB flags. It seems that the VIP never replies with SYN+ACK to the ASA...
Thank you.
Best regardsHi Norberto,
The log messages you are getting are most probably the probe connections and not a failure, looking to them you will see your ACE is establishing TCP connection on 4444 then it will teardown the connection with FIN which is expected since you are using TCP keepalives.
I would recommend to go back and define the problem exactly, what are you exteriancing when you try to telnet on port 4444 toward the VIP from the client?
Run sniffing software on the client, the server and enable capture on ACE and ASA will give you exact idea what you are experiencing.
Note: The ASA and the ACE has great capture feature which will show you exactly the packet flows.
Note: Since you are applying NAT on the client requests, you should see the NATed IP address on the server capture.
Note: With L4 load balancing the ACE is not spoofing the clients' request, it just forward the SYN, SYN+ACK and ACK between the server and the client.
Let me know if you have any other questions.
Best regards,
Ahmad -
Upgraded to os7 and done my updates on the apps as they appear.. Any function to do with the iBook store is not working or visible. The purchase at the end of a sample book doesn't work either. Anyone have a solution?
Upgraded to os7 and done my updates on the apps as they appear.. Any function to do with the iBook store is not working or visible. The purchase at the end of a sample book doesn't work either. Anyone have a solution?
-
BGP: Customer network announcing error (not advertised)
Hi to all.
Our company - is small business ISP. We have two BGP upstreams, and some customers who connect with us via BGP. Day ago, our customer opened a case that we don't announce his network to the "global network". I can see, that he announce me his network, and BGP add this prefix to the routing table. But when i open prefix detail - i see that prefix not advertised to any peer.
Here is sh run :
router bgp xxx
bgp router-id xx.xx.xx.xx
bgp log-neighbor-changes
neighbor xx.xx.xx.xx remote-as xxxx
neighbor xx.xx.xx.xx description Customer
neighbor yy.yy.yy.yy remote-as yyyy
neighbor yy.yy.yy.yy description Uplink
address-family ipv4
neighbor xx.xx.xx.xx activate
neighbor xx.xx.xx.xx default-originate
neighbor xx.xx.xx.xx soft-reconfiguration inbound
neighbor xx.xx.xx.xx prefix-list DEFAULT out
neighbor xx.xx.xx.xx prefix-list Deny-Default in
neighbor yy.yy.yy.yy activate
neighbor yy.yy.yy.yy prefix-list BizTel out
neighbor yy.yy.yy.yy filter-list 1 out
exit-address-family
ip as-path access-list 1 permit ^$
ip as-path access-list 1 permit ^xxxx$
ip prefix-list DEFAULT seq 5 permit 0.0.0.0/0
ip prefix-list Deny-Default seq 10 deny 0.0.0.0/32
ip prefix-list Deny-Default seq 15 permit 0.0.0.0/0 le 32
sh ip bgp neighbors xx.xx.xx.xx received-routes:
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 xx.xx.xx.xx 0 xxxx xxxx yyyy i
*> zz.zz.zz.zz/24 xx.xx.xx.xx 0 0 xxxx xxxx i
sh ip bgp neigh xx.xx.xx.xx adv routes:
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 xx.xx.xx.xx 0 xxxx xxxx yyyy i
sh ip bgp zz.zz.zz.zz /24:
BGP routing table entry for zz.zz.zz.zz/24, version 6503140
Paths: (3 available, best #1, table default)
Not advertised to any peer
xxxx xxxx, (received & used)
xx.xx.xx.xx from xx.xx.xx.xx (cc.cc.cc.cc)
Origin IGP, metric 0, localpref 100, valid, external, best
Can somebody help me with this question?The outputs are very confusing ie.
sh ip bgp neighbors xx.xx.xx.xx received-routes:
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 xx.xx.xx.xx 0 xxxx xxxx yyyy i
*> zz.zz.zz.zz/24 xx.xx.xx.xx 0 0 xxxx xxxx i
presumably these are the routes received from the customer ? If so -
1) why are you receiving a default from the customer with yyyy in the AS PATH ?
2) why are there two instances of xxxx in AS PATH for both routes in the AS PATH ?
also -
sh ip bgp neigh xx.xx.xx.xx adv routes:
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 xx.xx.xx.xx 0 xxxx xxxx yyyy i
if you are looking at routes advertised upstream why are you looking at advertised routes to the customer ?
It is difficult to say what is happening because you have blanked out all the information.
Finally you have -
neighbor yy.yy.yy.yy prefix-list BizTel out
but there is no such prefix list in the config you posted
Can you clarify by answering the above and perhaps explain how this is all setup ie. is x.x.x.x the customer and y.y.y.y your upstream provider.
The more information you can give the more we can help.
Jon -
I have two routers with BGP configured:
C2921:
router bgp 65014
bgp router-id 192.168.54.190
bgp log-neighbor-change
neighbor 192.168.54.150 remote-as 65011
neighbor 192.168.54.150 description Loud backup
neighbor 192.168.54.150 route-map Backup out
C1841:
router bgp 65011
no synchronization
bgp router-id 10.10.35.1
bgp log-neighbor-changes
neighbor 192.168.54.149 remote-as 65014
neighbor 192.168.54.149 description Cubus backup
neighbor 192.168.54.149 prefix-list Loudenia out
neighbor 192.168.54.149 route-map Backup out
ip prefix-list Loudenia seq 5 permit 10.10.35.0/24 le 32
ip prefix-list Loudenia seq 10 permit 192.168.111.0/24 le 32
ip prefix-list Loudenia seq 15 permit 10.25.15.0/24 le 32
ip prefix-list Loudenia seq 20 permit 192.168.44.0/24 le 32
ip prefix-list Loudenia seq 25 permit 192.168.45.0/24 le 32
ip prefix-list Loudenia seq 30 permit 192.168.46.0/28 le 32
ip prefix-list Loudenia seq 35 permit 192.168.49.196/30 le 32
ip prefix-list Loudenia seq 40 permit 192.168.49.225/32
ip prefix-list Loudenia seq 45 permit 192.168.49.229/32
route-map Backup permit 10
set as-path prepend 65011 65011
I have added:
ip prefix-list Loudenia seq 50 permit 192.168.48.225/32
made:
clear ip bgp 192.168.54.149 soft
but nothing changed route to 192.168.48.225 not advertised:
C1841-Loudenia#show ip bgp neighbors 192.168.54.149 advertised-routes
BGP table version is 137998, local router ID is 10.10.35.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.10.35.0/24 0.0.0.0 0 32768 i
*> 10.25.15.0/24 192.168.111.10 0 32768 i
*> 192.168.44.0 192.168.49.26 0 65005 i
*> 192.168.45.0 192.168.49.26 0 65005 i
*> 192.168.46.0/28 192.168.49.26 0 65005 i
*> 192.168.49.196/30
192.168.49.26 0 65005 i
*> 192.168.49.225/32
192.168.49.26 0 0 65005 i
*> 192.168.49.229/32
192.168.49.26 0 65005 i
*> 192.168.111.0 0.0.0.0 0 32768 i
C1841 knows 192.168.48.225/32 via bgp
* 192.168.48.225/32
192.168.49.58 0 65005 65005 65005 65006 65013 i
*> 192.168.49.26 0 65005 65006 65013 i
I will be grateful for your adviceHello, thanks for reply.
The route is on the route table
C1841-Loudenia#show ip route | i 192.168.48.225
B 192.168.48.225/32 [20/0] via 192.168.49.26, 3w6d
C1841-Loudenia#show ip bgp | i 192.168.48.225
* 192.168.48.225/32
192.168.49.58 0 65005 65005 65005 65006 65013 i
*> 192.168.49.26 0 65005 65006 65013 i -
I have two routers with BGP configured:
C2921:
router bgp 65014
bgp router-id 192.168.54.190
bgp log-neighbor-change
neighbor 192.168.54.150 remote-as 65011
neighbor 192.168.54.150 description Loud backup
neighbor 192.168.54.150 route-map Backup out
C1841:
router bgp 65011
no synchronization
bgp router-id 10.10.35.1
bgp log-neighbor-changes
neighbor 192.168.54.149 remote-as 65014
neighbor 192.168.54.149 description Cubus backup
neighbor 192.168.54.149 prefix-list Loudenia out
neighbor 192.168.54.149 route-map Backup out
ip prefix-list Loudenia seq 5 permit 10.10.35.0/24 le 32
ip prefix-list Loudenia seq 10 permit 192.168.111.0/24 le 32
ip prefix-list Loudenia seq 15 permit 10.25.15.0/24 le 32
ip prefix-list Loudenia seq 20 permit 192.168.44.0/24 le 32
ip prefix-list Loudenia seq 25 permit 192.168.45.0/24 le 32
ip prefix-list Loudenia seq 30 permit 192.168.46.0/28 le 32
ip prefix-list Loudenia seq 35 permit 192.168.49.196/30 le 32
ip prefix-list Loudenia seq 40 permit 192.168.49.225/32
ip prefix-list Loudenia seq 45 permit 192.168.49.229/32
route-map Backup permit 10
set as-path prepend 65011 65011
I have added:
ip prefix-list Loudenia seq 50 permit 192.168.48.225/32
made:
clear ip bgp 192.168.54.149 soft
but nothing changed route to 192.168.48.225 not advertised:
C1841-Loudenia#show ip bgp neighbors 192.168.54.149 advertised-routes
BGP table version is 137998, local router ID is 10.10.35.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.10.35.0/24 0.0.0.0 0 32768 i
*> 10.25.15.0/24 192.168.111.10 0 32768 i
*> 192.168.44.0 192.168.49.26 0 65005 i
*> 192.168.45.0 192.168.49.26 0 65005 i
*> 192.168.46.0/28 192.168.49.26 0 65005 i
*> 192.168.49.196/30
192.168.49.26 0 65005 i
*> 192.168.49.225/32
192.168.49.26 0 0 65005 i
*> 192.168.49.229/32
192.168.49.26 0 65005 i
*> 192.168.111.0 0.0.0.0 0 32768 i
C1841 knows 192.168.48.225/32 via bgp
* 192.168.48.225/32
192.168.49.58 0 65005 65005 65005 65006 65013 i
*> 192.168.49.26 0 65005 65006 65013 i
I will be grateful for your adviceThat is you mean?
C1841 knows 192.168.48.225/32 via bgp
* 192.168.48.225/32
192.168.49.58 0 65005 65005 65005 65006 65013 i
*> 192.168.49.26 0 65005 65006 65013 i -
What needs to be done to get the my primary network to not advertise?
I've configured my Airport Extreme and Express (for extra range) and created two networks. The idea being one would be private and one guest (both require a security key). I don't mind my guest advertising. I'd like my private network to not advertise. I'm about to add a second Airport Express as I need the extra range. Since I'm going to need to configure that anyway, now would be the time to address the advertising issue around my private network - any suggestions?
thanksI can understand why some Apple users want to "hide" their networks since Apple's default settings include the name of the user. For example.....
John Smith's Wireless Network
Personally, I could care less that my neighbors see the name of my network.......TWNDB.
It is true that "hiding" the name of the network might keep a few honest neighbors from seeing the name of the network. But, those are probably not the guys that you need to worry about.
In a way, "hiding" your network just creates a larger attraction for the bad guys. They reason that since you are trying to hide your network, there must be more to discover there....and they target you first. -
It is not advertising. I really doubt if the service is good.
Alquian have
service with them. If it is really good. Whoever has the
service. How good
is the service. It really is good is the service.
My english not good
Http://www.hostmonster.com/
http://www.ixwebhosting.com/index.php/v2/pages.planBusinessPlus
http://www.top10webhosting.com/cpanel.php
Http://www.webhosting-top10.com/host52/
The only bad thing is the limitation database
That opinion. One translator.hello sir,
i want to your help
i was installed fresh windows 7 via cd rom and then after installed all software.
and now after 1 day customer complained me that cd rom not read any cd and i m also check when i insurt cd so its not read and when i am double click on cd rom icon its eject so what i do for that please reply on my email address.
[text removed for privacy]
VIMAL -
ACE 4710 VIP not pingable even with "always" selected.
Hello, I have a somewhat complicated setup in order to allow one particular VIP to answer for the same serverfarm on two different ports (this was a previous question here.) Here is the scrubbed config below. The setup works, but the issue is that the VIP does not reply to pings. We use both the servers and the vip for monitoring internally. It is still operational on the ports it is balancing, but no setting for ping seems to work (Active, Primary, or Always.) What am I doing wrong here? The other sites I use stickys with respond for their VIPs. I'm assuming this one does not due to the more complicated policy map.
probe http HTML-Site-Up_200
description This probe is to verify HTTP operation via site-up.html check
port 80
interval 5
faildetect 2
passdetect interval 10
request method get url /site-up.html
expect status 200 200
open 2
probe icmp ICMP-Ping
interval 5
faildetect 2
passdetect interval 10
probe tcp RAW-TCP-81
port 81
interval 10
faildetect 2
passdetect interval 20
connection term forced
open 1
rserver host psc-us-EQUIPprd1
description EQUIP Prod, server 1
ip address 10.1.1.84
inservice
rserver host psc-us-EQUIPprd2
description EQUIP Prod, server 2
ip address 10.1.1.85
inservice
serverfarm host EQUIPPROD
description EQUIP Prod Server Pool
predictor leastconns
probe HTML-Site-Up_200
probe ICMP-Ping
probe RAW-TCP-81
rserver psc-us-EQUIPprd1
probe ICMP-Ping
probe HTML-Site-Up_200
probe RAW-TCP-81
inservice
rserver psc-us-EQUIPprd2
probe ICMP-Ping
probe HTML-Site-Up_200
probe RAW-TCP-81
inservice
serverfarm host EQUIPPROD-CUSTOMER-81
description EQUIP Customer Site Server Pool, port 81
predictor leastconns
probe RAW-TCP-81
rserver psc-us-EQUIPprd1 81
probe RAW-TCP-81
inservice
rserver psc-us-EQUIPprd2 81
probe RAW-TCP-81
inservice
sticky ip-netmask 255.255.255.255 address source Sticky_EQUIPPROD
timeout 180
replicate sticky
serverfarm EQUIPPROD
class-map type http loadbalance match-all EQUIP_81_Redirect
2 match http header Host header-value ".*equiponline.com"
class-map type http loadbalance match-all EQUIP_81_Redirect_Full
2 match http header Host header-value ".*www.equiponline.com"
class-map match-all VIP-EQUIPPROD
2 match virtual-address 10.1.1.97 any
policy-map type loadbalance first-match VIP-EQUIPPROD-l7slb
class EQUIP_81_Redirect
serverfarm EQUIPPROD-CUSTOMER-81
class EQUIP_81_Redirect_Full
serverfarm EQUIPPROD-CUSTOMER-81
class class-default
sticky-serverfarm Sticky_EQUIPPROD
policy-map multi-match global
class VIP-EQUIPPROD
loadbalance vip inservice
loadbalance policy VIP-EQUIPPROD-l7slb
loadbalance vip icmp-reply
nat dynamic 13 vlan 1000
interface vlan 1000
nat-pool 13 10.1.1.97 10.1.1.97 netmask 255.255.255.0 patOutput from that class from the show service-policy command. And no, it doesn't appear to be pingable from the ACE.
class: VIP-EQUIPPROD
nat:
nat dynamic 13 vlan 1000
curr conns : 361 , hit count : 116690
dropped conns : 5
client pkt count : 4815293 , client byte count: 739114009
server pkt count : 7281612 , server byte count: 8753101386
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
VIP Address: Protocol: Port:
10.1.1.97 any
loadbalance:
L7 loadbalance policy: VIP-EQUIPPROD-l7slb
Regex dnld status : SUCCESSFUL
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: ENABLED
curr conns : 392 , hit count : 134300
dropped conns : 431
client pkt count : 4869950 , client byte count: 741545220
server pkt count : 7281612 , server byte count: 8753101386
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : VIP-EQUIPPROD-l7slb
class/match : EQUIP_81_Redirect
LB action :
primary serverfarm: EQUIPPROD-CUSTOMER-81
state: UP
backup serverfarm : -
hit count : 12602
dropped conns : 0
compression : off
class/match : EQUIP_81_Redirect_Full
LB action :
primary serverfarm: EQUIPPROD-CUSTOMER-81
state: UP
backup serverfarm : -
hit count : 0
dropped conns : 0
compression : off
class/match : class-default
LB action: :
sticky group: Sticky_EQUIPPROD
primary serverfarm: EQUIPPROD
state:UP
backup serverfarm : -
hit count : 107831
dropped conns : 5
compression : off
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
pscaceinside01/Prod# ping 10.1.1.97
Pinging 10.51.221.97 with timeout = 2, count = 5, size = 100 ....
No response received from 10.1.1.97 within last 2 sec
No response received from 10.1.1.97 within last 2 sec
No response received from 10.1.1.97 within last 2 sec
No response received from 10.1.1.97 within last 2 sec
No response received from 10.1.1.97 within last 2 sec
5 packet sent, 0 responses received, 100% packet loss
For what it's worth, none of my VIP's are pingable from the ACE. I think that has to do with me being in one-arm configuration, and using the NAT addresses per VIP. But all other VIPs are pingable from other sources on the subnet. With the exception of this VIP. -
Hi All,
I am not able to connect to a virtual IP address of ACE 4710 and either i am able to ping it. Kindly let me know if anything wrong here.
Regards,
Neha.Hi Yahb/Neha,
Please try and confirm this:-
1) See if you have permited the traffic:-
access-list ALL line 8 extended permit ip any any
class-map match-all L4_VIP_ADDRESS_CLASS
2 match virtual-address 1.1.1.1 any
class-map type management match-any REMOTE_ACCESS
201 match protocol ssh any
202 match protocol icmp any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
class class-default
serverfarm SFARM1
policy-map multi-match L4_LB_VIP_POLICY
class L4_VIP_ADDRESS_CLASS
loadbalance vip inservice
loadbalance policy L7_VIP_LB_ORDER_POLICY
loadbalance vip icmp-reply
2)
Apply the ACL on to the correct vlan:-
interface vlan 20
description Server-side Interface
ip address 2.2.2.2 255.255.255.0
access-group input ALL --->make sure you have applied the ACL.
service-policy input L4_LB_VIP_POLICY
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
interface vlan 30
description Client side connectivity
ip address 3.3.3.3. 255.255.255.0
access-group input ALL
service-policy input L4_LB_VIP_POLICY
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
ip route 0.0.0.0 0.0.0.0 x.x.x.x
Let us know if you have done this.
Regards
Shariff -
ACE is not recieving any traffic on VIP
Hi,
I have multiple vips running scenario, of which one vip is not functioning at all. I have bridged mode scenario. The probes for the rservers are showing as success and when i am trying to find the active connections using "show conn", i cant see any connection reaching ACE on that VIP. I can ping the VIP but unable to see any traffic on that VIP. When i telnet on the VIP on the port 8080 i can telnet, but on the browser its showing as Content Server error.
Attached is the ace configuration.
Thanks
AmitJust to add in above post, from command prompt iam able to telnet on the VIP ip address (192.168.3.145) on port 8080 and from the web browser i cant.
Thanks
Amit -
We have a ACE redirect configured on 3 physically seperate ACE modules with the following config. It works on one ACE Module and not on the other 2.
Capture on the ACE and sniffer gives this error.R [bad tcp cksum 2d41!] ACE sends resets to the client. Anyone run into this issue?
The software version is system: Version A2(1.0a) [build 3.0(0)A2(1.0a)
rserver redirect Test
webhost-redirection http://www.test.com
inservice
serverfarm redirect Test
rserver Test
inservice
class-map match-any Test
2 match virtual-address 192.168.10.10 tcp eq www
policy-map type loadbalance first-match Test
class class-default
serverfarm Test
class Test
loadbalance vip inservice
loadbalance policy Test
loadbalance vip icmp-reply activeSorry maybe I didn't explain what I was getting at good enough...
I guess I'm basically asking if there's potential for asymmetry at the site that's not working.
For example.
Say I have a load balanced server. It has two interfaces a "front end" and a "back end". I manage the server on the backend from my laptop, for which the server has a route. Now if I try to hit the public VIP of the LB, traffic is routed to the VIP, then to the server, but because the server already has a route to my laptop via the backend, it bypasses the load balancer on the return and replies directly to me, thus putting the flow out of sync and never completing the connection...
Not saying that's it, but I've had so many asymmetry issues that are tough to figure out that It's usually one of the first things I rule out...
It's possible if the site that's not working is local to you and the others aren't, this may be a potential issue??
Maybe you are looking for
-
I'm trying to create a subVI from a VI in which most of the controls and indicators (that will become the terminals of the subVI) reside in loops. I then connect the resulting subVI into a wrapper VI. One boolean control within a while loop in the su
-
Problem running SQL PLUS in Oracle 8i and 9i on Windows XP
I've tried installing both Oracle 8.17 Personal Edition and also 9i in Windows XP Professional (each on a different occassion). I have run into the same problem each time. The installation itself goes fine in both cases, but when I run SQL PLUS, the
-
Running 10.1.2 and 10.1.3 on same machine
Is it possible to run both 10.1.2 and 10.1.3 on the same machine? I do not want to have to purchase another machine to run BPEL, so would like to run the two concurrently. Any issues in doing this? Port conflicts? Pete
-
Contacts Merge roll-back?
I set up a new/ different Apple ID and account for my wife and after the IOS 5 update wanted to get Photo Stream going on her Phone but a couple problems came up right off the bat, My wife's iPhone 4 not only merged ( I hope) all my 1500 work contact
-
Well anyone who has found a way to do this? cause I sure hasn't! I'm annoyed with the well, and almost perfectly designed interface on the Ipod Touch 2g. Annoyed because you can't choose to disable Coverflow. I personally, never use it, and the only