ACE - need help implementing basic parameter map

Unanswered Question
May 21st, 2008

Hi,

I'm trying to implement a connection parameter-map on an ACE module that simply sets the TCP inactivity timeout to 0.

I can get this to work fine if I permit all TCP traffic in the class-map, but it doesn't work if I use an ACL:

>> Match all TCP:

parameter-map type connection TCP-Timeout
  set timeout inactivity 0
class-map match-all TCP-Timeout-Out-Class
  2 match port tcp any
class-map match-all TCP-Timeout-in-Class
  2 match port tcp any
policy-map multi-match TCP-Timeout-Out-Policy
  class TCP-Timeout-Out-Class
    connection advanced-options TCP-Timeout
policy-map multi-match TCP-Timeout-in-Policy
  class TCP-Timeout-in-Class
    connection advanced-options TCP-Timeout
interface vlan 920
  ....
  service-policy input TCP-Timeout-in-Policy
interface vlan 923
  ....
  service-policy input TCP-Timeout-Out-Policy

>> Match ACL:

access-list TCP-Timeout-Group-Out line 10 extended permit ip 10.221.178.0 0.0.0.255 any
access-list TCP-Timeout-Group-in line 10 extended permit ip any 10.221.178.0 0.0.0.255
parameter-map type connection TCP-Timeout
  set timeout inactivity 0
class-map match-all TCP-Timeout-Out-Class
  match access-list TCP-Timeout-Group-Out
class-map match-all TCP-Timeout-in-Class
  match access-list TCP-Timeout-Group-in
policy-map multi-match TCP-Timeout-Out-Policy
  class TCP-Timeout-Out-Class
    connection advanced-options TCP-Timeout
policy-map multi-match TCP-Timeout-in-Policy
  class TCP-Timeout-in-Class
    connection advanced-options TCP-Timeout
interface vlan 320
  ....
  service-policy input TCP-Timeout-in-Policy
interface vlan 323
  ....
  service-policy input TCP-Timeout-Out-Policy

Any ideas?

Many Thanks

Roble Mumin Wed, 05/21/2008 - 07:49

Try changing the class-map from "type match-all" to "type match-any". Match-all implies both statements need to be true. The match-any is probably what you want. Either of the ACL statements can be true.

Also try to apply the policy globally instead of the interfaces, simplifying the config might help as well.

e.g.:

access-list TCP-Timeout-Group line 10 extended permit ip 10.221.178.0 0.0.0.255 any
access-list TCP-Timeout-Group line 20 extended permit ip any 10.221.178.0 0.0.0.255
class-map match-any TCP-Timeout-Class
  match access-list TCP-Timeout-Group
parameter-map type connection TCP-Parameter-Map
  set timeout inactivity 0
policy-map multi-match TCP-Timeout-Out-Policy
  class TCP-Timeout-Class
    connection advanced-options TCP-Parameter-Map
service-policy input TCP-Timeout-Out-Policy <- apply it globally

Hope it helps.

Roble
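
An added example, not part of this thread: a small Python linter for ACE config snippets of the shape shown above. It checks that every access-list, class-map, parameter-map and policy-map that is referenced is actually defined (a dangling name silently leaves the parameter-map unapplied), and flags a match-all class-map that carries more than one match line. The sample input is constructed from the suggested config above and assumes that exact CLI layout; names such as lint_ace are hypothetical.

```python
import re

# Constructed sample based on the suggested config above; the policy-map
# references a class-map name that is never defined.
SAMPLE = """\
access-list TCP-Timeout-Group line 10 extended permit ip 10.221.178.0 0.0.0.255 any
access-list TCP-Timeout-Group line 20 extended permit ip any 10.221.178.0 0.0.0.255
class-map match-any TCP-Timeout-Class
  match access-list TCP-Timeout-Group
parameter-map type connection TCP-Parameter-Map
  set timeout inactivity 0
policy-map multi-match TCP-Timeout-Out-Policy
  class TCP-Timeout-Out-Class
    connection advanced-options TCP-Parameter-Map
service-policy input TCP-Timeout-Out-Policy
"""

def lint_ace(config):
    """Return findings: dangling references and match-all classes with several match lines."""
    acls, params, classes, policies = set(), set(), {}, set()
    refs = []          # (kind, name) pairs that must resolve to a definition
    cur_class = None   # class-map whose match lines are being counted
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"parameter-map type connection (\S+)", line):
            params.add(m.group(1))
        elif m := re.match(r"class-map (match-all|match-any) (\S+)", line):
            cur_class = m.group(2)
            classes[cur_class] = {"mode": m.group(1), "matches": 0}
        elif m := re.match(r"policy-map multi-match (\S+)", line):
            policies.add(m.group(1))
            cur_class = None
        elif m := re.match(r"(?:\d+ )?match (access-list (\S+))?", line):
            if m.group(2): refs.append(("access-list", m.group(2)))
            if cur_class: classes[cur_class]["matches"] += 1
        elif m := re.match(r"class (\S+)$", line):
            refs.append(("class-map", m.group(1)))
        elif m := re.match(r"connection advanced-options (\S+)", line):
            refs.append(("parameter-map", m.group(1)))
        elif m := re.match(r"service-policy input (\S+)", line):
            refs.append(("policy-map", m.group(1)))
    defined = {"access-list": acls, "parameter-map": params,
               "class-map": set(classes), "policy-map": policies}
    findings = [f"{kind} {name} referenced but not defined"
                for kind, name in refs if name not in defined[kind]]
    findings += [f"class-map {n} is match-all with {c['matches']} match lines"
                 for n, c in classes.items() if c["mode"] == "match-all" and c["matches"] > 1]
    return findings
```

Running lint_ace(SAMPLE) reports the undefined TCP-Timeout-Out-Class; the question's original ACL-based config, with one match line per match-all class-map and all names defined, produces no findings.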

tj.mitchell Wed, 05/21/2008 - 10:19

Agreed, you should use the match-any as the match-all will need to match both ACLs. Apply it globally and if it works then apply it to the interfaces.

Also, I would change the 2nd ACL to a different name since the traffic is in reverse of the first ACL.

Hope it works..

HTH

d-fillmore Thu, 05/22/2008 - 00:17

Thanks for your comments guys, but the ACLs are both named differently, so the match-all should only be matching one ACL at a time.

I agree with the point that the service policy could be applied globally though.
