ACE Module and FWSM problem

Unanswered Question
Aug 27th, 2008
User Badges:

I have a Catalyst 6500 with an ACE and Firewall Service Module (FWSM) installed. See Diagram.

The server sits in VLAN 10 which is configured in both ACE and FWSM. The server load balancing is configured in DSR mode (Direct Server Return) which means that the request from the client goes through the VIP configured in the ACE but the server's default gateway point to the FWSM. The purpose is to avoid high volume return traffic from the server through the ACE. The client sits in VLAN 14. I am able to ping the VIP address. By pinging VIP I mean load balancing ICMP (not "loadbalance vip icmp-reply"). However SSL or SSH to the VIP does not work. I suspect this may be an issue with the FWSM but not sure. Any suggestions?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Syed Iftekhar Ahmed Thu, 08/28/2008 - 10:00
User Badges:
  • Blue, 1500 points or more

FWSM is dropping it as it has not seen the initial packets (Assymetric traffic). You will need to disable stateful inspection on FWSM to make it work.

Syed Iftekhar Ahmed


This Discussion