Cannot get to secondary interface on server due to ACE Blade.

MICHAEL CICCONE
Level 1

Hello,

I'm in the process of setting up my ACE blade. I have a server with two NICs: one is in vlan 3 and the other is in vlan 4. When I try to ping vlan 4 I cannot, and I get the following message in my syslog:

Jun 15 15:46:41 10.10.200.2 %ACE-4-313004: Denied ICMP type=0, from laddr 10.11.6.1 on interface vlan30 to 10.10.2.6: no matching session

The IP of vlan 4 is the 10.11.6.1 and vlan 3 10.10.6.1. I also found the definition of this error:

Explanation: ICMP packets were discarded by the ACE because of security checks added by the stateful ICMP feature. These ICMP packets are discarded for any of the following reasons:

- ICMP echo replies are received without a valid echo request already passed across the ACE

- ICMP error messages are received that are not related to any TCP, UDP, or ICMP session already established in the ACE

So, does anyone know what I need to do to my ACE blade to get this to work?

Thanks in advance

Mike C.

4 Replies

harrjd222
Level 1

Do you have an ACL to allow the traffic? By default the ACE module blocks all traffic.

Yes, I do... I have permit ip any any... then I even added icmp any any... but that didn't help either.

Gilles Dufour
Cisco Employee

Where are you trying to ping from? The ACE blade itself?

Could you share the interface config?

Is this server the only one showing the problem? Are you able to ping other devices on vlan 4?

BTW, if you tried to ping from 10.10.2.6 and the message that we see corresponds to the ICMP reply, your problem might be asymmetric routing. ACE didn't see the first packet from 10.10.2.6 to your server.

You should sniff the traffic to see what's going on.

If you just want to make this work, you can try 'no icmp-guard' and 'no normali' on your interfaces.

But you will disable some good security features so you should probably fix your routing first.

Thanks,

Gilles.
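
An added example, not Cisco's code and not anything posted in this thread, modelling the stateful ICMP check Gilles describes: an echo reply is only forwarded when the matching echo request has already crossed the inspector, so a reply whose request took another path (asymmetric routing) is denied with a message of the same shape as the syslog line quoted in the question. The interface names (vlan3, vlan30 for the reply), the ICMP identifier and the packet sequence are constructed assumptions.

```python
# Added example (not from the thread or from Cisco): a toy model of the ACE
# stateful ICMP check that produces the "no matching session" denial quoted
# in the question. Interface names, ICMP identifiers and packet order are
# constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple

ECHO_REQUEST = 8
ECHO_REPLY = 0


@dataclass(frozen=True)
class IcmpPacket:
    src: str          # source IP as seen by the inspector
    dst: str          # destination IP
    icmp_type: int    # 8 = echo request, 0 = echo reply
    ident: int        # ICMP identifier field; pairs a reply with its request
    interface: str    # interface the packet arrived on (assumed names)


class StatefulIcmpInspector:
    """Minimal model of stateful ICMP inspection: an echo reply is forwarded
    only if the matching echo request was already seen by the inspector."""

    def __init__(self) -> None:
        # key: (request src, request dst, identifier) -> ingress interface
        self.sessions: Dict[Tuple[str, str, int], str] = {}
        self.denials: List[str] = []

    def inspect(self, pkt: IcmpPacket) -> bool:
        """Return True if the packet is forwarded, False if it is denied."""
        if pkt.icmp_type == ECHO_REQUEST:
            # A request opens a session; its reply must match the reversed tuple.
            self.sessions[(pkt.src, pkt.dst, pkt.ident)] = pkt.interface
            return True
        if pkt.icmp_type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident)  # reversed tuple of the request
            if key in self.sessions:
                del self.sessions[key]  # one reply closes the session
                return True
            # Same shape as the %ACE-4-313004 syslog line in the question
            self.denials.append(
                f"%ACE-4-313004: Denied ICMP type={ECHO_REPLY}, from laddr {pkt.src} "
                f"on interface {pkt.interface} to {pkt.dst}: no matching session"
            )
            return False
        # ICMP error messages (related-session check) are not modelled here.
        return True


def symmetric_ping() -> List[bool]:
    """Both directions cross the inspector: the request opens a session and
    the reply matches it, so both packets are forwarded."""
    insp = StatefulIcmpInspector()
    request = IcmpPacket("10.10.2.6", "10.11.6.1", ECHO_REQUEST, 0x1234, "vlan3")
    reply = IcmpPacket("10.11.6.1", "10.10.2.6", ECHO_REPLY, 0x1234, "vlan30")
    return [insp.inspect(request), insp.inspect(reply)]


def asymmetric_ping() -> Tuple[List[bool], List[str]]:
    """Only the reply crosses the inspector (the request took another path),
    so there is no session and the reply is denied."""
    insp = StatefulIcmpInspector()
    reply = IcmpPacket("10.11.6.1", "10.10.2.6", ECHO_REPLY, 0x1234, "vlan30")
    return [insp.inspect(reply)], insp.denials


if __name__ == "__main__":
    print("symmetric :", symmetric_ping())
    verdicts, denials = asymmetric_ping()
    print("asymmetric:", verdicts)
    for line in denials:
        print("  ", line)
```

Running the block prints [True, True] for the symmetric case and [False] plus the denial line for the asymmetric one, which is why a capture on both ACE interfaces (as Gilles suggests) is the right next step: if the request never appears on the ACE but the reply does, the routing, not the ACL, is what needs fixing.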

Hello Gilles,

Thanks for the response. I've decided to try routed mode on the ACE instead of bridge mode. Bridge mode adds more configuration steps which could lead to more problems.

Thanks
