Cannot get to secondary interface on server due to ACE Blade.

Unanswered Question
Jun 15th, 2007

Hello,

I'm in the process of setting up my ACE blade. I have a server with two NICs: one is in vlan 3 and the other is in vlan 4. When I try to ping vlan 4 I cannot, and I get the following message in my syslog:

Jun 15 15:46:41 10.10.200.2 %ACE-4-313004: Denied ICMP type=0, from laddr 10.11.6.1 on interface vlan30 to 10.10.2.6: no matching session

The IP of vlan 4 is the 10.11.6.1 and vlan 3 10.10.6.1. I also found the definition of this error:

Explanation: ICMP packets were discarded by the ACE because of security checks added by the stateful ICMP feature. These ICMP packets are discarded for any of the following reasons:

• ICMP echo replies are received without a valid echo request already passed across the ACE

• ICMP error messages are received that are not related to any TCP, UDP, or ICMP session already established in the ACE

So, does anyone know what I need to do to my ACE blade to get this to work?

Thanks in advance

Mike C.

harrjd222 Fri, 06/15/2007 - 17:23

Do you have an ACL to allow the traffic? By default the ACE module blocks all traffic.

MICHAEL CICCONE Sat, 06/16/2007 - 08:59

Yes, I do... I have permit ip any any... then I even added icmp any any... but that didn't help either.

Gilles Dufour Sun, 06/17/2007 - 00:20

You try to ping from where? The ACE blade itself?

Could you share the interface config?

Is this server the only one showing the problem? Are you able to ping other devices on vlan 4?

BTW, if you tried to ping from 10.10.2.6 and the message that we see corresponds to the icmp reply, your problem might be asymmetric routing. ACE didn't see the first packet from 10.10.2.6 to your server.

You should sniff the traffic to see what's going on.

If you just want to make this work, you can try 'no icmp-guard' and 'no normali' on your interfaces.

But you will disable some good security features so you should probably fix your routing first.

Thanks,

Gilles.
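
To make the asymmetric-routing explanation above concrete, here is an added example (not Cisco ACE code, and not part of the original thread). It is a toy model of the stateful ICMP check described in the quoted 313004 explanation: an echo reply is forwarded only if the matching echo request was seen crossing the inspector first, and a reply that arrives without one is dropped with "no matching session". It also includes a small parser for the %ACE-4-313004 syslog line quoted in the question, so denied replies can be grouped per address pair when checking logs. The class and function names are hypothetical; the sample syslog lines are constructed around the addresses quoted in the thread.

```python
"""Toy model of stateful ICMP inspection plus a %ACE-4-313004 log parser.

Added example, not the ACE implementation. Shows why a ping whose request
takes a path around the ACE (asymmetric routing) produces a denied echo
reply with "no matching session" on the interface the reply arrives on.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass
class StatefulIcmpInspector:
    """Hypothetical stand-in for the ACE stateful ICMP feature."""
    sessions: set = field(default_factory=set)   # outstanding echo requests
    syslog: list = field(default_factory=list)   # messages the model would log

    def inspect(self, icmp_type, src, dst, ident, seq, iface):
        """Return True if the packet is forwarded, False if it is dropped."""
        if icmp_type == ICMP_ECHO_REQUEST:
            # Remember the request so its reply can be matched later.
            self.sessions.add((src, dst, ident, seq))
            return True
        if icmp_type == ICMP_ECHO_REPLY:
            # The reply is valid only if the reverse-direction request was seen.
            request = (dst, src, ident, seq)
            if request in self.sessions:
                self.sessions.discard(request)
                return True
            self.syslog.append(
                f"%ACE-4-313004: Denied ICMP type={icmp_type}, from laddr {src} "
                f"on interface {iface} to {dst}: no matching session"
            )
            return False
        # Other ICMP types (error messages) are outside this toy model.
        return False


def symmetric_ping():
    """Request and reply both cross the inspector: the reply is forwarded."""
    insp = StatefulIcmpInspector()
    insp.inspect(ICMP_ECHO_REQUEST, "10.10.2.6", "10.11.6.1", 1, 1, "vlan30")
    return insp.inspect(ICMP_ECHO_REPLY, "10.11.6.1", "10.10.2.6", 1, 1, "vlan30")


def asymmetric_ping():
    """The request bypassed the inspector; only the reply is seen, so it is dropped.

    Returns (forwarded, syslog_messages)."""
    insp = StatefulIcmpInspector()
    forwarded = insp.inspect(ICMP_ECHO_REPLY, "10.11.6.1", "10.10.2.6", 1, 1, "vlan30")
    return forwarded, insp.syslog


# Parser for the syslog message quoted in the thread.
LOG_RE = re.compile(
    r"%ACE-4-313004: Denied ICMP type=(?P<type>\d+), from laddr (?P<src>\S+) "
    r"on interface (?P<iface>\S+) to (?P<dst>\S+): no matching session"
)


def parse_313004(line):
    """Return the fields of a %ACE-4-313004 line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"type": int(m["type"]), "src": m["src"], "iface": m["iface"], "dst": m["dst"]}


def orphan_reply_pairs(lines):
    """Count denied echo replies per (laddr, dst, iface).

    A pair that keeps appearing is the one whose request path to check,
    as the thread suggests, before relaxing icmp-guard or normalization."""
    counts = Counter()
    for line in lines:
        rec = parse_313004(line)
        if rec and rec["type"] == ICMP_ECHO_REPLY:
            counts[(rec["src"], rec["dst"], rec["iface"])] += 1
    return counts


# Constructed sample: the first line is the one quoted in the question,
# the second is a repeat of it, the third is an unrelated syslog line.
SAMPLE_SYSLOG = [
    "Jun 15 15:46:41 10.10.200.2 %ACE-4-313004: Denied ICMP type=0, from laddr "
    "10.11.6.1 on interface vlan30 to 10.10.2.6: no matching session",
    "Jun 15 15:46:42 10.10.200.2 %ACE-4-313004: Denied ICMP type=0, from laddr "
    "10.11.6.1 on interface vlan30 to 10.10.2.6: no matching session",
    "Jun 15 15:46:43 10.10.200.2 constructed unrelated syslog line",
]

if __name__ == "__main__":
    print("symmetric ping reply forwarded:", symmetric_ping())
    forwarded, log = asymmetric_ping()
    print("asymmetric ping reply forwarded:", forwarded)
    for msg in log:
        print("  ", msg)
    print("denied replies per pair:", dict(orphan_reply_pairs(SAMPLE_SYSLOG)))
```

The model only tracks echo request/reply; the second drop reason in the quoted explanation (ICMP errors unrelated to an existing TCP/UDP/ICMP session) would need a session table keyed on the embedded inner header, which this example leaves out.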

MICHAEL CICCONE Mon, 06/18/2007 - 07:50

Hello Gilles,

Thanks for the response. I've decided to try routed mode on the ACE instead of bridge mode. Bridge mode adds more configuration steps, which could lead to more problems.

Thanks
