Allowing Multicast to work between real servers behind the CSM?
Hi,
Just want to know if it is possible to use IP multicast between real servers on a server subnet that is configured on the CSM. If so, how could this be set up?
I've attached a copy of our CSM config. In particular, the server subnet in question is "vlan 386 server". The real servers belong to "serverfarm FARM-VISTA-TEST".
I suspect that maybe an interface vlan 386 needs to be created on the router, with pim sparse-mode enabled?
Any ideas?
thanks
Sheldon
The CSM does not know IP multicast, so your multicast needs to find another way to reach the servers.
You will also need a static route on the servers to point 224.x.x.x to the MSFC and keep the rest of the traffic going to the CSM.
Another solution is to use bridge mode.
Create a duplicate vlan 386 on the CSM and the MSFC.
ie:
MSFC---vlan387-----CSM-----Vlan386
On the CSM, you configure vlan387 with the same ip as vlan 386 - this will tell the CSM to bridge the 2 vlans.
Configure an ip from the same subnet on the msfc int vlan 387.
configure multicast on vlan 387.
The CSM should normally bridge all unknown traffic including multicast.
All you have to do on the servers is change the default gateway to be the MSFC instead of the CSM.
Gilles.
Similar Messages
-
Does Airport Express need to be configured to allow AirPlay to work between an iPhone 4s and an iPad2?
Also, attempting to use AirPlay with iOS 7 shuts off sound to the speakers while allowing sound through the ear buds! The fix was to restart by depressing the lock switch (opposite the sound out port).
You need a minimum of three things for AirPlay:
An iTunes host. This can be a Mac, PC, or iOS device.
A wired or wireless network.
An AirPlay speaker. This can be an AirPort Express, Apple TV, or an AirPlay-ready device.
Is your goal to stream between two iOS devices? -
Cannot get Telnet to work between two servers on same subnet
I need to test if communication is open on port 8444 between two servers.
I installed the telnet client on a Server 2008 R2 server and the telnet server on a Server 2008 SP2 server. I also manually started the Telnet service, which was set to disabled on the SP2 server. I disabled the Windows firewall on both servers. They are both on the same subnet, so they don't need to go through any routers, and I can ping successfully.
When I try to telnet to the remote server by typing telnet "ip address" 8444, I get an error that says "Could not open connection to host, on port 8444: Connection failed."
I tried other ports like port 80 and got the same error.
What else is needed to get this to work?
VMs have nothing to do with it, as long as there's network communication between the servers.
As I said, there must be a service or application listening on that port for it to respond. For example, try this:
C:\> telnet
When the telnet prompt opens, type in:
open mail.messaging.microsoft.com 25
If it works, you should see this:
220 CH1EHSMHS035.bigfish.com Microsoft ESMTP MAIL Service ready at Thu, 7 Feb 2013 00:57:33 +0000
That means that Microsoft's mail servers are LISTENING on port 25 and it responded. And note, telnetting to port 25 is a non-default telnet port, because port 23 is the default telnet port. When you type in a space and then a port number, you're telling the telnet client to use that port.
That is the SAME THING if some sort of application or service is listening on port 8444 on that other server you're trying to telnet to. If there is no app or service listening, it will just time out.
And no, installing the TELNET service on that server will NOT answer on any port other than 23. The telnet service, by default, uses TCP 23, unless you specify otherwise.
So once again, what service or app on that server is supposed to be listening on 8444?
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights. -
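The answer above uses the telnet client as a listener test. The following script is an added example (not code from the post or from any of the products discussed) that automates the same check and separates the outcomes the telnet error message lumps together: a service accepting the connection, the host resetting it because nothing listens there, and silence because a firewall dropped the SYN. The function and helper names are the example's own; the loopback self-check constructs its own listener so it runs offline.

```python
"""Check whether a TCP port is actually being listened on, and say why not.

Added example; it is not code from the quoted posts. It automates the
'telnet <ip> <port>' test and separates the outcomes that the telnet
error message lumps together:
  'open'        a service accepted the connection (something is listening)
  'refused'     the host answered with a reset: nothing listens on that port
  'filtered'    no answer within the timeout: a firewall dropped the SYN,
                or the host is silent
  'unreachable' any other socket error (no route, name lookup failed)
"""
import socket
import sys


def check_tcp_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP handshake to host:port and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:          # TimeoutError is an OSError: test it first
        return "filtered"
    except ConnectionRefusedError:  # RST came back: host up, port closed
        return "refused"
    except OSError:
        return "unreachable"


def demo_local() -> tuple:
    """Self-check that needs no network: listen on a loopback port, probe it,
    close the listener, probe again. Returns the two classifications."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = check_tcp_port("127.0.0.1", port, timeout=2.0)
    listener.close()                     # nothing listens there any more
    after_close = check_tcp_port("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close


if __name__ == "__main__":
    # usage: python check_port.py <host> <port>   (arguments are hypothetical)
    if len(sys.argv) == 3:
        print(check_tcp_port(sys.argv[1], int(sys.argv[2])))
    else:
        print("loopback self-check:", demo_local())
```

A 'refused' result for port 8444 means the two servers can talk and the problem is purely that no application is bound to that port; a 'filtered' result points at a firewall or a dead host instead.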
Hit the VIP from the server side behind the CSM in L2?
We have a CSM w/ 4.1.6 and would like our RIPS to be able to access a VIP on the same CSM they are on the same subnet but different vlans in L2 design. Any ideas to make this work?
According to DE, the SSL blade will apply its local subnet mask to the incoming packet's source IP. In your case, you had a /24 subnet mask configured on the SSL's VLAN, so addresses that end with .0 or .255 would be discarded since the blade treated them as network or broadcast addresses.
The workaround is to configure the lowest subnet mask on the SSL proxy VLAN where traffic is received (like a /8).
Configure the ssl-proxy VLAN where the traffic is received with the lowest mask (i.e., a /8 mask), or load the next maintenance release image 2.1(2). -
I need to allow ICMP through the ACE to servers behind the ACE
I have been trying to figure this out and I've made several attempts at a configuration that will work, but I just don't get it. Here's what I have configured. I'm trying to ping from a server outside of the ACE to a server on vlan 308. When I send my ICMP, it should ingress through vlan 302 and hit the server on vlan 308. Instead I get nothing, and I see no traffic hits on my policy or from the show icmp statistics. I am able to ping the IP addresses on vlan 302 but nothing on the inside.
access-list icmp line 10 extended permit icmp any any
class-map match-all icmp-allow-inspect
2 match access-list icmp
policy-map multi-match icmp-allow-inspect-mmpl
class icmp-allow-inspect
inspect icmp error
interface vlan 302 --------- public facing VIPs- ingress
ip address 71.113.93.37 255.255.255.224
alias 71.113.93.36 255.255.255.224
peer ip address 71.113.93.38 255.255.255.224
service-policy input mgmt
service-policy input icmp-allow-inspect-mmpl
no shutdown
interface vlan 308 ---------- server - L2
ip address 10.60.22.130 255.255.255.192
alias 10.60.22.129 255.255.255.192
peer ip address 10.60.22.131 255.255.255.192
service-policy input icmp-allow-inspect-mmpl
no shutdown
I ran a capture and I see the traffic hit the ingress interface of the ACE, but it never gets passed to the backend server VLAN. The ICMP is received and the connection is closed, but then I get 4 more packets marked PKT_XMT, then the packet is dropped. The capture was done on the ingress VLAN. If I do a capture on the server-side VLAN I get nothing at all in the capture.
0001: msg_type: PKT_RCV
ace_id: 6809 action_flag: 0x13
src_addr: 74.113.193.34 src_port: 53575
dst_addr: 10.62.222.136 dst_port: 2048
l3_protocol: 0 l4_protocol: 1
0002: msg_type: CON_CLOSE
con_id: 1345505684 out_con_id: 271763861
src_addr: 74.113.193.34 src_port: 53575
dst_addr: 10.62.222.136 dst_port: 2048
l3_protocol: 0 l4_protocol: 1
0003: msg_type: PKT_XMT
con_id: 1345505684 other_con_id: 0
0011: msg_type: PKT_XMT
con_id: 1345505684 other_con_id: 0
0019: msg_type: PKT_XMT
con_id: 1345505684 other_con_id: 0
0029: msg_type: PKT_XMT
con_id: 1345505684 other_con_id: 0
0037: msg_type: PKT_DROP
con_id: 1345505684 reason: 0
src_addr: 74.113.193.34 src_port: 53575
dst_addr: 10.62.222.136 dst_port: 2048
l3_protocol: 0 l4_protocol: 1
This is my access list and its applied globally with the access-group input ALL command. I also have my default gateway pointing back to my upstream router and there are no other routes on the ACE. I can ping the ingress interface from my upstream router and I can ping my gateway from the ACE. I can ping my backend server from the ACE, but not from anything outside the ACE. I can not ping anything behind my ACE module.
access-list ALL line 12 extended permit icmp any any
access-list ALL line 18 extended permit ip any any -
Real reason behind the non-feature of FM recording on Vision M 60 g
Hi there,
I bought the Vision M 30 Go; then for some reason, one day it stopped, freezing at the main screen, and even resetting and formatting the player has not made it able to work again. So I went where I had purchased it and paid the difference with the 30 Go to get a 60 Go, using the one-year warranty given by Creative. Apart from the very bad disagreement of losing the AC adapter (that I paid for in the version I bought at the beginning), I also found that a nice feature I was using a lot with the 30 Go version was not built into the 60 Go version, which is FM recording. So here stands my real question:
Why has Creative not brought the FM recording feature to its 60 Go version?
BTW, for those who don't know it, in real fact I'd measured that the autonomy on the 60 Go is less than on the 30 Go. Size (thickness) is bigger (probably because of the 2 micro hard drives one over the other inside). Weight is bigger (I haven't measured the difference). Ver. 30 Go was always spinning to read data and the sound was just impossible to hear; the only way to know was to take it in your hand and look out for vibrations. Ver. 60 works by caching data (probably to save electricity, because making 2 disks spin takes more juice than ) at a speed that makes it possible to hear in a quiet environment, at a level it is possible to hear in media (such as movies) in which there are quiet moments. Finally, not least, ver. 30 Go was fanless, but ver. 60, probably because of the 2 disks, starts the fan to lower the temperature at a regular interval (probably faster in hot ambient temperatures and less in normal ones, but I didn't test it to see).
If I were to buy again, because of the no AC adaptor, no FM recording and all those reasons, having the ONLY advantage of doubling the HD size, I don't think I would.
I may be hard to convince as a consumer because I'm also an electronic/electrical engineer and my standards, expectations and observations go further than most people's, but I still think your product overcomes the iPod in almost every aspect.
At last, I'm really sad about having upgraded to the 60 Go, but please, at least, the 60 Go being the top level of its category, just build a new firmware adding this feature! That will almost not cost you a penny at all, but the image you will give to your customers will be worth money in its own way. And as we say, for 0 unhappy customer, 0 will say it to the company. Also, for 0 happy customer, 0 will say it to other people, but for an unhappy customer, 0 people will be told to NOT buy the product. That was one of the most important things I've learned from my marketing course at the University!
Sorry for my bad English: as you may have observed, it is not my first language.
In my own case, I was only using the radio recording feature for talk radio I was unable to listen to at specific moments in the day...
I live in Canada and I shouldn't have to pay for USA pressure groups, nor should Europeans.
That's very bad.
I wish to get an official answer from Creative on this matter.
Message Edited by killerfrog on 04-4-20072:2 PM -
NAT and Servers behind CSS 11501
All,
Please forgive my asking this question again. I was injured shortly after asking the last time and out of work for a long period of time.
My problem stems from needing to allow my web servers to initiate traffic to the outside world from behind our CSS boxes.
The web servers sit behind a pair of CSS 11501 content switches in Active-Passive ASR with fate sharing. We are only interested at this time with load balancing HTTP and HTTPS.
Everything works inbound no problem.
What I need to do is setup some type of NAT for my 3 web servers to initiate HTTP/HTTPS for patches, send SMTP from the web apps, and initiate HTTPS for credit card validation.
I have setup NAT on PIX units and routers no problem, but I seem to be unable to do it on these boxes. :(
In reality something as simple as a PAT translation on the outside of the CSS boxes should be sufficient.
Is this possible with our setup? Does anyone have some code examples?
Thanks in advance.
Addresses changed to protect the innocent:
Load Balancer 1:
!*************************** GLOBAL ***************************
bridge spanning-tree disabled
sntp server 1.1.1.41 version 1
snmp community noway read-only
snmp community noway read-write
app session 1.1.1.252
app
logging subsystem netman level info-6
dns primary 2.2.2.41
dns secondary 2.2.2.42
ip route 0.0.0.0 0.0.0.0 1.1.1.1 1
!************************* INTERFACE *************************
interface e1
phy 100Mbits-FD
description "Connect to Primary DMZ 1 3550 Switch"
interface e2
bridge vlan 2
phy 100Mbits-FD
description "Connected to Primary LB Server Switch"
interface e8
description "Inter Switch Communication (ISC) Port"
isc-port-one
!************************** CIRCUIT **************************
circuit VLAN1
description "DMZ 1 Subnet (1.1.1.x/24)"
ip address 1.1.1.251 255.255.255.0
ip virtual-router 1 priority 254 preempt
ip redundant-interface 1 1.1.1.250
ip redundant-vip 1 1.1.1.161
ip redundant-vip 1 1.1.1.162
ip redundant-vip 1 1.1.1.70
ip redundant-vip 1 1.1.1.71
ip redundant-vip 1 1.1.1.72
ip critical-service 1 upstream_downstream
circuit VLAN2
description "Load Balanced Servers Subnet"
ip address 2.2.2.2 255.255.255.0
ip virtual-router 2 priority 254 preempt
ip redundant-interface 2 2.2.2.1
ip critical-service 2 upstream_downstream
Various Services, Owners and Content
Load Balancer 2:
!*************************** GLOBAL ***************************
bridge spanning-tree disabled
sntp server 1.1.1.41 version 1
snmp community noway read-only
snmp community noway read-write
app session 1.1.1.251
app
logging subsystem netman level info-6
dns primary 2.2.2.41
dns secondary 2.2.2.42
ip route 0.0.0.0 0.0.0.0 1.1.1.1 1
!************************* INTERFACE *************************
interface e1
phy 100Mbits-FD
description "Connect to Secondary DMZ 1 3550 Switch"
interface e2
bridge vlan 2
phy 100Mbits-FD
description "Connected to Secondary LB Server Switch"
interface e8
description "Inter Switch Communication (ISC) Port"
isc-port-one
!************************** CIRCUIT **************************
circuit VLAN1
description "DMZ 1 Subnet (1.1.1.x/24)"
ip address 1.1.1.252 255.255.255.0
ip virtual-router 1
ip redundant-interface 1 1.1.1.250
ip redundant-vip 1 1.1.1.161
ip redundant-vip 1 1.1.1.162
ip redundant-vip 1 1.1.1.70
ip redundant-vip 1 1.1.1.71
ip redundant-vip 1 1.1.1.72
ip critical-service 1 upstream_downstream
circuit VLAN2
description "Load Balanced Servers Subnet"
ip address 2.2.2.3 255.255.255.0
ip virtual-router 2
ip redundant-interface 2 2.2.2.1
ip critical-service 2 upstream_downstream
Various Services, Owners and Content.
Gilles,
I added the following commands, and things seem to be working.
To circuit VLAN1
ip redundant-vip 1 1.1.1.80
!*************************** GROUP ***************************
group natout
vip address 1.1.1.80
add service nat_web_servers
active
service nat_web_servers
ip address 192.168.1.10 range 3
active
I do have a question about the above service commands.
I have 3 servers behind the CSS. Let's call them 192.168.1.10, 192.168.1.11 and 192.168.1.12. Am I correct in my thinking that adding range 3 then allows a match on all 3 of those servers and the CSS will then PAT these servers from the VIP address assigned to the group?
Otherwise, I think you have resolved this problem for us. Thank you. -
ACE module client and real servers on same subnet
I am working on an ACE load balancing implementation which has the following requirement. Can someone let me know if this can be implemented and how?
Configuration
test context
real server vlan 233
real server subnet - 167.6.233.x
VIP vlan - 539
VIP subnet - 167.6.238.128/25
production context
real server vlan 232
real server subnet - 167.6.232.x
VIP vlan - 538
VIP subnet - 167.6.238.0/25
Load balancing is configured in routed mode with the ACE as gateway for the test and prod real server subnets (233 and 232 subnets).
Test and production servers are mixed in these subnets. So we need to configure source NAT to access the test servers in the production subnet (232) and vice versa.
Here are the scenarios and questions:
1. Clients need to access the real servers in the prod subnet (232) through the VIP configured in the test context (vlan 539) - this is done by SNAT at vlan 539 and is working.
2. Real servers in the test subnet (233) need to access real servers in the same subnet (233) through the VIP configured in the test context (vlan 539) - this is done by SNAT at vlan 233 and is working.
3. Real servers in the prod subnet (232) need to access the real servers in the test subnet (233) through the VIP configured in the test context (vlan 539) - this appears to be working fine without any additional configuration.
4. Real servers in the test subnet (233) need to access other real servers in the prod subnet (232) through the VIP configured in the test context (539) - this is not working.
5. Real servers in the test subnet (233) need to access another real server which is not on one of the subnets (167.6.56.x) behind the ACE - this is not working.
Can we implement scenarios 4 and 5?
Hi Suresh,
I see it's a bit complex and we do not have the config at hand.
However, for scenario 4, if you apply the policy already applied on vlan 539 to the interface vlan 233, then the ACE should catch the packets and apply the policy (i.e. forward the packets to the serverfarm you want).
Alessandro
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
PAT with a single public IP and several servers behind firewall
Hi,
New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
Single static public IP: 16.2.3.4
Need to PAT several ports to three separate servers behind firewall
One server houses email, pptp server, ftp server and web services: 10.1.20.91
One server houses drac management (port 445): 10.1.20.92
One server is the IP phone server using a range of ports: 10.1.20.156
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505.
Here is what I have. Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP?
ASA Version 8.4(4)1
hostname kaa-pix
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.1.20.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 16.2.3.4 255.255.255.0
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network server_smtp
host 10.1.20.91
object service Port_25
service tcp source eq smtp
object service Port_3389
service tcp source eq 3389
object service Port_1723
service tcp source eq pptp
object service Port_21
service tcp source eq ftp
object service Port_443
service tcp source eq https
object service Port_444
service tcp source eq 444
object network drac
host 10.1.20.92
object service Port_445
service tcp source eq 445
access-list acl-out extended permit icmp any any echo-reply
access-list acl-out extended permit icmp any any
access-list acl-out extended permit tcp any interface outside eq pptp
access-list acl-out extended permit tcp any object server_smtp eq smtp
access-list acl-out extended permit tcp any object server_smtp eq pptp
access-list acl-out extended permit tcp any object server_smtp eq 3389
access-list acl-out extended permit tcp any object server_smtp eq ftp
access-list acl-out extended permit tcp any object server_smtp eq https
access-list acl-out extended permit tcp any object server_smtp eq 444
access-list acl-out extended permit tcp any object drac eq 445
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static server_smtp interface service Port_25 Port_25
nat (inside,outside) source static server_smtp interface service Port_3389 Port_3389
nat (inside,outside) source static server_smtp interface service Port_1723 Port_1723
nat (inside,outside) source static server_smtp interface service Port_21 Port_21
nat (inside,outside) source static server_smtp interface service Port_443 Port_443
nat (inside,outside) source static server_smtp interface service Port_444 Port_444
nat (inside,outside) source static drac interface service Port_445 Port_445
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 16.2.3.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
prompt hostname context
no call-home reporting anonymous
Thanks Lcambron... I got PPTP to work. Everything else works fine. I can access email, access my web server, FTP server, and PPTP server. However, from the above configuration, I cannot access my DRAC over the internet. The DRAC runs on a different internal server, and over port 445. So I have the following lines:
object network drac
host 10.1.20.92
object service Port_445
service tcp source eq 445
access-list acl-out extended permit tcp any object drac eq 445
nat (inside,outside) source static drac interface service Port_445 Port_445
Am I missing something here? Internally, I can telnet to port 445 on 10.1.20.92, so I know it is listening. However, externally, I cannot telnet to my external IP address of the ASA through port 445.
Thanks -
Two servers (ServerSocket) behind the SAME firewall!?
Hello !
I don't know if this is the right forum for this question, and maybe the question is really stupid, but...
I made a little client/server application, just to play around with Sockets and ServerSockets.
It works fine, but now I ask myself: what happens if there are two of my servers running on two different computers in the SAME LAN behind the SAME firewall/internet gateway, and both are listening on the SAME port?
F.e. if the external IP of this LAN (its gateway) is 204.556.234.123, and a client on the internet is connecting to it on the port on which the two servers behind the firewall are listening, WHO'S ANSWERING? (If this port is set to "open and forward" in the firewall.) The one with the shorter patch cable? ;)
How is it possible for the client to differentiate these two servers in that LAN?
The only logical solution I found is that these two servers have to listen on different ports, but I think there has to be another explanation and/or solution.
Do I have to take care about situations like that in my server application? I have the feeling that I have to... somehow.
OK, you see I don't know much about this... I would be very thankful for every hint and explanation.
Thank you very much,
greetings,
huni.
F.e. if the external IP of this LAN (its gateway) is 204.556.234.123, and a client on the internet is connecting to it on the port on which the two servers behind the firewall are listening, WHO'S ANSWERING? (If this port is set to "open and forward" in the firewall)
Whichever one the firewall is told to forward it to!
The two computers running your server have unique addresses on the internal network. The firewall will forward incoming connections to one of those addresses. Maybe it can do some simple "load balancing" by forwarding some connections to one server and some to the other, but still, any particular connection will only go to one server. -
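Three of the threads on this page turn on the same mechanism: the CSS "natout" group that PATs three web servers out of one VIP, the ASA 8.4 port forwards that steer one public port to one inside host, and the question just answered about two servers sharing a forwarded port. The following is an added example, not code from any post and not Cisco CSS or ASA code, that models both translations in one stateful table. The class and function names (Packet, PatTable, address_range, network_hosts) are the example's own; the inside and outside addresses come from the quoted configs, and the peer addresses 203.0.113.5 and 198.51.100.9 are constructed documentation-range values.

```python
"""Toy stateful PAT table: one outside address shared by several inside hosts.

Added example, not from the quoted posts and not Cisco CSS or ASA code. It
models the two translations the threads keep coming back to:
  * dynamic PAT (the CSS 'natout' group / ASA 'nat ... dynamic interface'):
    outbound flows from the inside hosts are rewritten to the one outside
    address with a freshly allocated source port, and replies are mapped
    back through that port, but only from the peer the flow was opened to;
  * static PAT, i.e. port forwarding (ASA 'nat ... source static ... service'):
    one inbound port maps to exactly one inside host, which is why two
    servers behind the same firewall cannot both 'answer' the same port.
Addresses are taken from the quoted configs or are constructed test values.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def address_range(start: str, count: int) -> set:
    """CSS-style 'ip address <start> range <n>': n consecutive host addresses."""
    first = ipaddress.IPv4Address(start)
    return {str(first + i) for i in range(count)}


def network_hosts(cidr: str) -> set:
    """All host addresses of a prefix (an 'obj_any'-style inside set)."""
    return {str(a) for a in ipaddress.IPv4Network(cidr).hosts()}


@dataclass
class PatTable:
    outside_ip: str
    inside_hosts: set
    first_port: int = 1024
    static: dict = field(default_factory=dict)   # (proto, out_port) -> (ip, port)
    flows: dict = field(default_factory=dict)    # 5-tuple -> allocated out_port
    reverse: dict = field(default_factory=dict)  # (proto, out_port) -> 4-tuple
    next_port: int = field(init=False, default=0)

    def __post_init__(self):
        self.next_port = self.first_port

    def add_static(self, proto, outside_port, inside_ip, inside_port):
        """Port forward: each outside port may point at one inside socket only."""
        key = (proto, outside_port)
        if key in self.static or key in self.reverse:
            raise ValueError(f"{proto}/{outside_port} is already mapped")
        self.static[key] = (inside_ip, inside_port)

    def _allocate(self, proto):
        """Next outside port not already used by a flow or a static rule."""
        while (proto, self.next_port) in self.reverse or (proto, self.next_port) in self.static:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt):
        """Inside -> outside. Returns the rewritten packet, or None when the
        source is not covered by the NAT rule (packet left untranslated)."""
        if pkt.src_ip not in self.inside_hosts:
            return None
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.flows.get(key)
        if port is None:                      # new flow: create state
            port = self._allocate(pkt.proto)
            self.flows[key] = port
            self.reverse[(pkt.proto, port)] = key[1:]
        return Packet(pkt.proto, self.outside_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Outside -> inside. Static rules first, then flow state; anything
        else has no translation and is dropped (None)."""
        if pkt.dst_ip != self.outside_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        if key in self.static:
            ip, port = self.static[key]
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, ip, port)
        if key in self.reverse:
            src_ip, src_port, peer_ip, peer_port = self.reverse[key]
            if (pkt.src_ip, pkt.src_port) == (peer_ip, peer_port):
                return Packet(pkt.proto, pkt.src_ip, pkt.src_port, src_ip, src_port)
        return None


if __name__ == "__main__":
    css = PatTable("1.1.1.80", address_range("192.168.1.10", 3))
    print(css.outbound(Packet("tcp", "192.168.1.11", 40000, "203.0.113.5", 443)))
    asa = PatTable("16.2.3.4", network_hosts("10.1.20.0/24"))
    asa.add_static("tcp", 445, "10.1.20.92", 445)
    print(asa.inbound(Packet("tcp", "203.0.113.5", 50000, "16.2.3.4", 445)))
```

Two behaviours are worth noticing when reading the code against the configs: `address_range("192.168.1.10", 3)` is exactly the three hosts the CSS `range 3` service matches, and a source outside that set is not translated at all; and a reply arriving on a dynamically allocated port is only delivered if it comes from the peer the flow was opened to, so unsolicited packets to the outside address are dropped unless a static rule exists for that port.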
I configured an ACE30-MOD-K9 in bridge mode and I configured a server farm with its real servers. The traffic passes and is balanced correctly between all rservers. But I cannot contact a server that is on the same VLAN as the serverfarm but doesn't belong to this serverfarm.
I thought that the traffic directed to this "spare" server shouldn't be balanced, but the bridge should permit the traffic to pass (transparent mode). Is it correct?
What does the ACE in bridge mode do with traffic directed to servers that do not belong to any server farm but are present on the same VLAN (same bridge group)?
With respect to the following configuration, 10.10.10.168 isn't reachable:
access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
probe http HTTP_PROBE1
expect status 200 200
rserver host RS_WEB1
ip address 10.10.10.163
inservice
rserver host RS_WEB2
ip address 10.10.10.164
inservice
rserver host RS_WEB3
ip address 10.10.10.165
inservice
rserver host RS_WEB4
ip address 10.10.10.167
inservice
serverfarm host SF_FIREGROUP
rserver RS_WEB1
inservice
rserver RS_WEB2
inservice
rserver RS_WEB3
inservice
rserver RS_WEB4
inservice
sticky ip-netmask 255.255.255.255 address source sticky-ip
replicate sticky
serverfarm SF_FIREGROUP
sticky http-cookie myCookie sticky-cookie
cookie insert browser-expire
serverfarm SF_FIREGROUP
class-map match-any VS_FIREGROUP
2 match virtual-address 10.10.10.169 tcp eq www
4 match virtual-address 10.10.10.169 tcp eq 8081
5 match virtual-address 10.10.10.169 tcp eq 8082
6 match virtual-address 10.10.10.169 tcp eq 8083
7 match virtual-address 10.10.10.169 tcp eq 8084
8 match virtual-address 10.10.10.169 tcp eq 8085
9 match virtual-address 10.10.10.169 tcp eq 8097
class-map match-any VS_FIREGROUP_HTTPS
2 match virtual-address 10.10.10.169 tcp eq https
policy-map type loadbalance first-match HTTP
class class-default
sticky-serverfarm sticky-cookie
policy-map type loadbalance first-match HTTPS
class class-default
sticky-serverfarm sticky-ip
policy-map multi-match HTTP_HTTPS_MULTI_MATCH
class VS_FIREGROUP
loadbalance vip inservice
loadbalance policy HTTP
loadbalance vip advertise active
class VS_FIREGROUP_HTTPS
loadbalance vip inservice
loadbalance policy HTTPS
loadbalance vip advertise active
interface vlan 4
bridge-group 1
access-group input INBOUND
service-policy input HTTP_HTTPS_MULTI_MATCH
no shutdown
interface vlan 700
bridge-group 1
access-group input INBOUND
no shutdown
interface bvi 1
ip address 10.10.10.150 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.10.1
Thanks a lot
Francesco
Hi Francesco,
Just to add a bit more: a bridge group is very similar to routed mode, except the ACE cannot NAT pass-through traffic, VLANs cannot be shared, and a couple of other things, but clients should be able to access the server as before.
But also, whether in bridge or routed mode, the ACE does create flows and applies other security parameters, if configured, to the traffic. This is for security. Also, the ACE should know the MAC of the device to forward the traffic to. Can you check if the ACE has the MAC of the destination? You can also put a route for testing purposes and see if that resolves the issue. That should probably be the quickest way to check if the ACE is creating any issue here.
Regards,
Kanwal -
ACE 4710 Probes on other servers than the real server
Hi,
I wanted to know if there is a means to configure a probe that is independent of the real servers.
The aim is to configure a probe on a real server but also probe another intermediate server which is not in the server farm.
The objective is to declare the real server down if its probe fails, but also if the probe to an intermediate server fails, as an OR condition.
From the document, there is no mention of it.
But is there a means to do it?
Thanks.
Hi Ashley,
I see it is not mentioned anywhere in the document, but I think you should be able to bind two probes with the real server, of which one probe is actually probing another server.
I would configure one probe, let's say TCP based, and bind it with the serverfarm. Then I would configure another probe, TCP based, and define the IP address in that probe (the other server IP which we need to probe) and bind this probe with the same serverfarm. The serverfarm will not have this rserver added. And then I would configure "fail-on-all" and test if that works for you.
I know you can set a probe on a redirect server/serverfarm which actually probes another real server, so logically it should work for a normal host rserver as well. But I have never tested it myself.
Regards,
Kanwal -
How e-mail is routed between two servers
Hi ,
Please, can anybody tell me how e-mail is routed between two servers, from the software point of view as well as the hardware point of view?
And how is the JavaMail API related to that?
Thanks,
Kiz
If you're looking for a simple answer there isn't one. Here's a place to start.
http://community.roxen.com/developers/idocs/rfc/rfc974.html -
[ACE] Real servers and VIP in the same VLAN
Hello.
I'm facing an issue because the real servers and the VIP address are in the same VLAN: when a request comes from an external client to the VIP (crossing an ASA firewall), the ACK gets back using the IP of one of the real servers instead of the VIP, so this traffic is blocked by our WAN firewall, probably due to the inspection rules.
My question is if there is some way to make the VIP the address that ACKs those requests? Creating a new VLAN would be complicated because there are other services already running on those real servers.
Thanks a lot,
Miquel
Hi Miquel,
Please do source NAT on the ACE so that return traffic gets sent to the ACE and not to the FW. Pasting an example for you.
==========================================================================
One-Armed Load Balancing with VIP, Servers, & NAT Pool on the Same Subnet
==========================================================================
login timeout 0
access-list ANYONE line 10 extended permit ip any any
rserver host SERVER_01
ip address 192.168.1.11
inservice
rserver host SERVER_02
ip address 192.168.1.12
inservice
rserver host SERVER_03
ip address 192.168.1.13
inservice
serverfarm host REAL_SERVERS
rserver SERVER_01
inservice
rserver SERVER_02
inservice
rserver SERVER_03
inservice
class-map match-all VIP-30
2 match virtual-address 192.168.1.30 tcp eq www
class-map type management match-any REMOTE_ACCESS
description remote-access-traffic-match
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
policy-map type management first-match REMOTE_MGT
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match SLB_LOGIC
class class-default
serverfarm REAL_SERVERS
policy-map multi-match CLIENT_VIPS
class VIP-30
loadbalance vip inservice
loadbalance policy SLB_LOGIC
loadbalance vip icmp-reply active
nat dynamic 1 vlan 451
interface vlan 451
description Servers vlan
ip address 192.168.1.2 255.255.255.0
access-group input ANYONE
service-policy input CLIENT_VIPS
nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Let me know if you have any question.
Regards,
Kanwal -
IMessage is not working between the computer and the iPhone 4S?
My iMessage is no longer working between my computer and my iPhone 4S; how do I fix it? It had been working but they stopped communicating with each other. I have OS X 10.9.3 on the Mac and 7.1.1 on the phone.
iMessage has never ever been able to work between devices that use the same Apple ID.