02-28-2007 03:50 AM
hi,
I have a problem with MTU size (I got ICMP fragmentation needed from the router; required MTU size is 1545 bytes).
OK, I did some packet traces and configuration changes:
1. I tried to change the MTU size on the ACE interfaces (routed mode) - without success; the MTU size in the packet trace was unchanged.
2. I tried to change the MSS on the ACE interfaces, because the MSS between server and ACE is too high (segment size 1460 bytes). OK, it works (syn/syn-ack/ack phase)! But the packet trace shows that the size of segments (and packets) is unchanged. I always got ICMP fragmentation needed.
3. OK, the last chance is to clear the don't fragment bit in the packet ('ip df clear'). It works and communication between server and client is successful!
It may seem that the problem is solved. It is, but it works only with normalization disabled ('no normalization'), and that's not acceptable.
My question is:
Where can I look for the problem?
With normalization enabled, the packet trace on the server side shows only syn/syn-ack/ack and fin/... at the same time. The client side shows only the client's packets, no packets from the ACE module.
thx for any tips
martin
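An added example, not part of the original posts: one way to check a server-side trace for the symptom described above, where the MSS is clamped in the handshake but data segments stay larger and draw ICMP fragmentation-needed replies. It parses raw IPv4 packets; the server and router addresses, ports other than 81, and the 1400-byte next-hop MTU are constructed sample values, and the 1300 MSS mirrors the parameter map posted later in the thread.

```python
import struct

def parse_mss(opts):
    """Return the MSS (TCP option kind 2) from raw option bytes, or None."""
    i = 0
    while i < len(opts) and opts[i] != 0:            # kind 0 = end of option list
        if opts[i] == 1:                             # kind 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:    # malformed length, stop parsing
            break
        if opts[i] == 2 and opts[i + 1] == 4 and i + 4 <= len(opts):
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return None

def analyse(packets):
    """Return (mss_by_sender, oversized_segments, frag_needed_mtus) for raw IPv4 packets."""
    mss, oversized, mtus = {}, [], []
    for pkt in packets:
        body = pkt[(pkt[0] & 0x0F) * 4:struct.unpack("!H", pkt[2:4])[0]]
        proto, src, dst, df = pkt[9], pkt[12:16], pkt[16:20], bool(pkt[6] & 0x40)
        if proto == 1 and body[:2] == b"\x03\x04":   # ICMP unreachable, fragmentation needed
            mtus.append(struct.unpack("!H", body[6:8])[0])   # next-hop MTU field (RFC 1191)
        elif proto == 6:
            doff = (body[12] >> 4) * 4
            if body[13] & 0x02:                      # SYN or SYN-ACK carries the MSS option
                mss[src] = parse_mss(body[20:doff])
            seg, limit = len(body) - doff, mss.get(dst)
            if limit and seg > limit:                # sender exceeds the receiver's advertised MSS
                oversized.append((src, dst, seg, limit, df))
    return mss, oversized, mtus

# --- constructed sample trace (server and router addresses are hypothetical) ---
def ipv4(proto, src, dst, payload, df=True):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000 if df else 0,
                       64, proto, 0, bytes(src), bytes(dst)) + payload

def tcp(flags, data=b"", mss=None):
    opts = struct.pack("!BBH", 2, 4, mss) if mss else b""
    return struct.pack("!HHIIBBHHH", 1024, 81, 0, 0, (20 + len(opts)) // 4 << 4,
                       flags, 65535, 0, 0) + opts + data

ACE, SRV, RTR = (10, 5, 17, 23), (10, 5, 17, 101), (10, 5, 17, 1)
big = ipv4(6, SRV, ACE, tcp(0x18, b"x" * 1460))              # PSH+ACK, 1460-byte segment, DF set
TRACE = [ipv4(6, ACE, SRV, tcp(0x02, mss=1300)),             # SYN from ACE, clamped MSS
         ipv4(6, SRV, ACE, tcp(0x12, mss=1460)),             # SYN-ACK from server
         big,
         ipv4(1, RTR, SRV, struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + big[:28])]
```

Calling `analyse(TRACE)` returns the MSS each side advertised, every segment larger than the MSS its receiver advertised (with its DF flag), and the next-hop MTU values reported by ICMP.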
02-28-2007 06:54 AM
There are a series of issues related to the MSS.
If you do not have A1(4) yet, I would suggest to upgrade.
Then open a service request with the TAC so we can clearly identify the problem.
CSCse63993: ACE: Same MSS value stored in both legs of L7 conn if server MSS
CSCsh39042: syn-cookie encoded MSS value is used for both legs of connection
CSCsh56158: TCP Segment larger than MSS from client when normalization off w
Gilles.
03-01-2007 09:00 PM
add a parameter map to the policy
03-02-2007 06:11 AM
If you mean a parameter-map, I have it:
parameter-map type connection TCPIP_PARAM_MAP
  set tcp mss min 0 max 1300 <<<<<
serverfarm host FEND
  predictor leastconns
  probe TCP
  retcode 200 200 check count
  retcode 400 420 check count
  retcode 500 520 check count
  rserver fend-2
  rserver fend-4
    inservice
class-map match-any TCP_CLASS
  2 match destination-address 0.0.0.0 0.0.0.0
class-map match-all VIP-FEND-CLASS
  2 match virtual-address 10.10.188.10 tcp eq 81
policy-map type loadbalance first-match FEND-POLICY
  class class-default
    serverfarm FEND
policy-map multi-match CLIENT-VIPS
  class VIP-FEND-CLASS
    loadbalance vip inservice
    loadbalance policy FEND-POLICY
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 17
    connection advanced-options TCPIP_PARAM_MAP <<<<<
policy-map multi-match TCPIP_POLICY
  class TCP_CLASS
    connection advanced-options TCPIP_PARAM_MAP <<<<<
interface vlan 17
  description Server side
  ip address 10.5.17.21 255.255.255.0
  ip df clear
  alias 10.5.17.20 255.255.255.0
  peer ip address 10.5.17.22 255.255.255.0
  mtu 1400
  no normalization
  nat-pool 1 10.5.17.23 10.5.17.32 netmask 255.255.255.0 pat
  service-policy input TCPIP_POLICY <<<<<
  no shutdown
interface vlan 188
  description Client side
  ip address 10.10.188.11 255.255.255.0
  ip df clear
  peer ip address 10.10.188.12 255.255.255.0
  mtu 1400
  no normalization
  access-group input client-side
  service-policy input CLIENT-VIPS <<<<<
  no shutdown
03-02-2007 06:22 AM
Try to apply the parameter map in a global service policy. I had some issue with the TCP idle time. It only worked the way I wanted if the policy was assigned globally.
If you assign it to the loadbalancing policy it will only hit for the connections to the VIP.
Try the following:
access-list TCP line 10 extended permit tcp any any
class-map match-any TCP_TRAFFIC_CLASS
  2 match access-list TCP
policy-map multi-match TCP-POLICY
  class TCP_TRAFFIC_CLASS
    connection advanced-options TCPIP_PARAM_MAP
service-policy input TCP-POLICY
I used it for the TCP idle timer; after applying the policy it should work for every new connection. So if you are unsure whether it works, try a "clear conn all".
Roble