ACE mtu, mss size and normalization

Martin Kyrc · ‎02-28-2007

hi,

I have a problem with MTU size (I got ICMP fragmentation needed from router, required MTU size is 1545bytes).

ok, I did some packet traces and configuration changes:

1.

I tried change MTU size on ACE interfaces (routed mode) - without success, MTU size in packet trace was without change.

2.

I tried change MSS on ace ifaces, because mss size between server and ace is too high (segment size 1460bytes). ok, it works (syn/syn-ack/ack phase)! but packet trace shows, that size of segments(and packets) is without change. I got always ICMP fragmentation needed.

3.

ok, last chance is clear don't fragmetn bit in the packet ('ip df clear'). it works and communication between server and client is successful!

it may seem, that problem is solved. it is, but it works only with disabled normalization ('no normalization') and it's not acceptable.

my question is:

where can I search a problem?

with normalization enabled, packet trace on server side shows only syn/syn-ack/ack and fin/... in the same time. client side shows only client's packets, no packets from ace module.

thx for any tips

martin

Gilles Dufour · ‎02-28-2007

there are a serie of issues related to the MSS.

If you do not have A1(4) yet, I would suggest to upgrade.

Then open a service request with the TAC so we can clearly identify the problem.

CSCse63993: ACE: Same MSS value stored in both legs of L7 conn if server MSS

CSCsh39042: syn-cookie encoded MSS value is used for both legs of connection

CSCsh56158: TCP Segment larger than MSS from client when normalization off w

Gilles.

pedro.quezada · ‎03-01-2007

add a parameter map to the policy

Martin Kyrc · ‎03-02-2007

If you think parameter-map I have it:

parameter-map type connection TCPIP_PARAM_MAP

set tcp mss min 0 max 1300 <<<<<

serverfarm host FEND

predictor leastconns

probe TCP

retcode 200 200 check count

retcode 400 420 check count

retcode 500 520 check count

rserver fend-2

rserver fend-4

inservice

class-map match-any TCP_CLASS

2 match destination-address 0.0.0.0 0.0.0.0

class-map match-all VIP-FEND-CLASS

2 match virtual-address 10.10.188.10 tcp eq 81

policy-map type loadbalance first-match FEND-POLICY

class class-default

serverfarm FEND

policy-map multi-match CLIENT-VIPS

class VIP-FEND-CLASS

loadbalance vip inservice

loadbalance policy FEND-POLICY

loadbalance vip icmp-reply

nat dynamic 1 vlan 17

connection advanced-options TCPIP_PARAM_MAP <<<<<

policy-map multi-match TCPIP_POLICY

class TCP_CLASS

connection advanced-options TCPIP_PARAM_MAP <<<<<

interface vlan 17

description Server side

ip address 10.5.17.21 255.255.255.0

ip df clear

alias 10.5.17.20 255.255.255.0

peer ip address 10.5.17.22 255.255.255.0

mtu 1400

no normalization

nat-pool 1 10.5.17.23 10.5.17.32 netmask 255.255.255.0 pat

service-policy input TCPIP_POLICY <<<<<

no shutdown

interface vlan 188

description Client side

ip address 10.10.188.11 255.255.255.0

ip df clear

peer ip address 10.10.188.12 255.255.255.0

mtu 1400

no normalization

access-group input client-side

service-policy input CLIENT-VIPS <<<<<

no shutdown

Roble Mumin · ‎03-02-2007

Try to apply the parameter map in a service policy global. I had some issue with the tcp idle time. It only worked the way i wanted if the policy was assigned globally.

If you assign it to the loadbalancing policy it will only hit for the connections to the vip.

Try following:

access-list TCP line 10 extended permit tcp any any

class-map match-any TCP_TRAFFIC_CLASS

2 match access-list TCP

policy-map multi-match TCP-POLICY

class TCP_TRAFFIC_CLASS

connection advanced-options TCPIP_PARAM_MAP

service-policy input TCP-POLICY

I used it for the TCP idle timer after applying the policy it should work for every new connection. So if you are unsure if it works try a "clear conn all".

Roble