Cannot get to secondary interface on server due to ACE Blade.

Unanswered Question
Jun 15th, 2007


I'm in the process of setting up my ACE blade. I have a server with two NICs one is in vlan 3 and the other is in vlan 4. When I try to ping vlan 4 I cannot and get the following message in my syslog:

Jun 15 15:46:41 %ACE-4-313004: Denied ICMP type=0, from laddr on interface vlan30 to no matching session

The IP of vlan 4 is the and vlan 3 I also found the definition of this error:

Explanation ICMP packets were discarded by the ACE because of security checks added by the stateful ICMP feature. These ICMP packets are discarded for any of the following reasons:

• ICMP echo replies are received without a valid echo request already passed across the ACE

• ICMP error messages are received that are not related to any TCP, UDP, or ICMP session already established in the ACE

So, does anyone know what I need to do to my ace blade to get this to work.

Thanks in advance

Mike C.

harrjd222 Fri, 06/15/2007 - 17:23

Do you have an ACL to allow the traffic? By default the ACE module blocks all traffic.

MICHAEL CICCONE Sat, 06/16/2007 - 08:59
Yes, I do... I have permit ip any any... then I even added icmp any any...but that didn't help either.

Gilles Dufour (Cisco Employee) Sun, 06/17/2007 - 00:20

you try to ping from where ? The ACE blade itself ?

Could you share the interface config ?

Is this server the only one showing the problem ? Are you able to ping other devices on vlan 4 ?

BTW, if you tried to ping from and the message that we see corresponds to the ICMP reply, your problem might be asymmetric routing. ACE didn't see the first packet from to your server.

You should sniff the traffic to see what's going on.

If you just want to make this work, you can try 'no icmp-guard' and 'no normali' on your interfaces.

But you will disable some good security features so you should probably fix your routing first.

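To make the two suggestions in this thread concrete, here is an added ACE configuration example (not taken from the thread or from any poster's config). It assumes a bridge-mode context with VLAN 3 on the client side, VLAN 4 on the server side, a BVI address of 192.0.2.10/24, and an ACL named PERMIT-ANY; all of those names and numbers are placeholders. The first part is the normal configuration with the ACL applied, which is what harrjd222 asked about; the second part is the interface-level workaround Gilles mentioned, which turns off the stateful ICMP check behind %ACE-4-313004 and the TCP normalizer on that interface.

```cisco
! --- Normal configuration (assumed names/VLANs/addresses) ---
! ACE has no implicit permit: without an access-group on the interface,
! nothing crosses it. This ACL is deliberately wide open for the test.
access-list PERMIT-ANY line 10 extended permit ip any any
access-list PERMIT-ANY line 20 extended permit icmp any any

interface vlan 3
  description client side (assumed)
  bridge-group 1
  access-group input PERMIT-ANY
  no shutdown

interface vlan 4
  description server side (assumed)
  bridge-group 1
  access-group input PERMIT-ANY
  no shutdown

! The bridge-group gets one management address on the BVI (assumed address).
interface bvi 1
  ip address 192.0.2.10 255.255.255.0
  no shutdown

! --- Workaround only: apply if the echo request really cannot be made
! to traverse the ACE (asymmetric routing). This removes the check that
! produced %ACE-4-313004 and the TCP normalizer on that interface, so
! unsolicited ICMP replies/errors and out-of-state TCP segments are
! no longer dropped here. Prefer fixing the routing so both directions
! of a flow cross the same interface.
interface vlan 4
  no icmp-guard
  no normalization
```

Note that the ACL alone does not change the outcome described in the syslog message: the denial is a stateful-inspection decision made after the ACL permits the packet, which is why adding `permit icmp any any` did not help the original poster. Before applying the workaround, confirm the asymmetry with a capture on both VLANs, as Gilles suggests; if the echo request is seen leaving the server on a path that never crosses the ACE, the reply will always arrive "to no matching session".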


MICHAEL CICCONE Mon, 06/18/2007 - 07:50

Hello Gilles,

Thanks for the response. I've decided to try routed mode on the ACE instead of bridge mode. Bridge mode adds more configuration steps which could lead to more problems.


