02-17-2011 12:15 PM
I have a pair of ADX1000's running L3PREM in an HA setup (active-active).
Our primary deployment is to use the ADX's in a 'one-arm' configuration utilizing DSR. So far so good. We have the ADX's doing nearly everything perfectly.
The concept and design is simple. The ADX's are uplinked via two LACP links to their upstream switch. We are using multiple VLAN's to service the various server LAN's we need to load balance.
First stumbling block was that we had to put IP's on each VE so that the ADX could do health checks to the real servers. This was not a problem. After doing so we found that the load balancing, VIP's, all worked perfectly as expected and using DSR the real servers knew exactly where to send their traffic and to which gateway based on the subnet they were on/configured for.
The problem now is the ADX VIP's responding to pings from client hosts. This is mainly because there are literally no routes on the ADX. The ADX had a directly connected management network and it sees each one of the server subnets as directly connected router interfaces (VE's).
The servers know their routes because of the DSR design.
So now here is the problem... how do we fix the ADX so that VIP's return traffic to the proper gateway? Remember, each VLAN has its own subnet and own gateway for their respective set of real servers, so a simple single default route will not work as traffic would not be sent to the proper upstream router.
In the lab we DID set a default route for one of the subnets routers, and the VIP's started answering pings correctly, but only for that subnet.
We were told to try two things....
Setting the "next-hop" under the VIP. This did not work.
Setting up a policy-based route. For whatever reason, this did not work either. Doing a Wireshark dump on the uplinks shows the ICMP request hit the ADX, but we never see anything in return.... ONLY if we set a default route.
Suggestions on what to try and what to look for? Below are snippets from one of the ADX's running 12.2... DSR load balancing works fine... answers for VIP's do not: