08-27-2008 08:05 PM - edited 03-11-2019 06:36 AM
I have a Catalyst 6500 with an ACE and Firewall Service Module (FWSM) installed. See Diagram.
The server sits in VLAN 10, which is configured in both the ACE and the FWSM. The server load balancing is configured in DSR mode (Direct Server Return), which means that the request from the client goes through the VIP configured in the ACE but the server's default gateway points to the FWSM. The purpose is to avoid high-volume return traffic from the server going through the ACE. The client sits in VLAN 14. I am able to ping the VIP address. By pinging the VIP I mean load-balancing ICMP (not "loadbalance vip icmp-reply"). However, SSL or SSH to the VIP does not work. I suspect this may be an issue with the FWSM but I am not sure. Any suggestions?
08-28-2008 08:13 AM
Hi Anik,
Since the FWSM is a stateful firewall, it will drop this return traffic from the Server to the Client because it never saw the initial connection. This is also referred to as asymmetric routing.
In the example of SSH to the Server, the Client will send the initial SYN to the VIP to open up the TCP connection. The Server will receive this SYN through the ACE module and reply with a SYN-ACK back to the Client. However, the Server is sending this to the FWSM, rather than back through the ACE. Since the FWSM never saw the initial SYN and built a subsequent TCP connection, the FWSM will drop this SYN-ACK and the connection cannot be established. If you observe syslogs at level 6 during a time when you are trying to establish this connection, you will see message 106015 indicating that the packets are being dropped because no existing connection exists.
The problem you are running into here is that the firewall only sees half of the traffic for the connection, thus it cannot effectively firewall the connection and so the traffic is dropped. Typically, you would want to resolve this so that the FWSM can see and firewall all traffic. A common way to do this is with the following topology:
[Client]---vlan10---[FWSM]---vlan11---[ACE]---vlan12---[Server]
With this topology, the FWSM and the ACE module are in-line with each other. So, packets will pass through both devices and the FWSM will see both sides of the connection.
If this is not possible for you, you can enable a feature called TCP State Bypass. When this is enabled, the FWSM will not enforce stateful checks on matching TCP sessions. In other words, the FWSM will not care that it never saw the initial SYN of the SSH session and simply allow the SYN-ACK to pass through and arrive at your client. Enabling this for SSH sessions between the Client and Server might look something like this:
!An ACL to match interesting traffic (CLIENT_IP and SERVER_IP are placeholders for the two host addresses)
access-list bypass permit tcp host CLIENT_IP host SERVER_IP
!A class-map to match this ACL
class-map bypass-class
 match access-list bypass
!Tie the class-map to a policy-map
policy-map bypass-policy
 class bypass-class
  set connection advanced-options tcp-state-bypass
!Enable the policy-map with a service-policy on the interface that carries the traffic (INTERFACE_NAME is a placeholder)
service-policy bypass-policy interface INTERFACE_NAME
However, keep in mind that this will disable all stateful checks for traffic matching the bypass ACL.
Here is a link to the TCP State Bypass documentation as well:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/protct_f.html#wp1059879
Hope that helps.
-Mike
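The drop Mike describes, and what the bypass class changes, can be shown with a small stateful-firewall model. This is an added example, not code from the thread or from Cisco: a connection table is built only on a SYN, out-of-state packets are denied with a message analogous to 106015, and flows matched by a bypass ACL skip the state check entirely. The addresses are constructed for the thread's topology, and the example assumes classic DSR, where the server owns the VIP on a loopback and answers from it (if your server answers from its own address, that address goes in the ACL instead); it also assumes the bypass class matches both directions of a flow, as the FWSM connection features do.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the thread's topology (assumed, not from the page).
CLIENT = "10.14.0.5"    # client in VLAN 14
VIP = "10.10.0.100"     # VIP on the ACE, also bound to the server's loopback (DSR)
SERVER = "10.10.0.10"   # real server in VLAN 10, default gateway = FWSM


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list ... permit tcp host A host B [eq PORT]' line."""
    src: str
    dst: str
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        # Assumption: the bypass class applies to both directions of a flow,
        # so an entry matches either orientation of the 4-tuple.
        fwd = pkt.src == self.src and pkt.dst == self.dst and self.dport in (None, pkt.dport)
        rev = pkt.src == self.dst and pkt.dst == self.src and self.dport in (None, pkt.sport)
        return fwd or rev


class StatefulFirewall:
    """Toy FWSM: SYN builds a connection; anything else needs an existing one."""

    def __init__(self, bypass_acl: tuple[AclEntry, ...] = ()):
        self.bypass_acl = list(bypass_acl)
        self.conns: set[tuple[str, int, str, int]] = set()
        self.log: list[str] = []

    @staticmethod
    def _key(pkt: Packet) -> tuple[str, int, str, int]:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt: Packet) -> tuple[str, int, str, int]:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def inspect(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        if any(entry.matches(pkt) for entry in self.bypass_acl):
            # tcp-state-bypass: no SYN requirement, no sequence tracking.
            # Interface ACLs would still apply on a real FWSM; omitted here.
            self.log.append(f"BYPASS {self._key(pkt)} flags={pkt.flags}")
            return True
        if pkt.flags == "S":
            self.conns.add(self._key(pkt))
            self.log.append(f"BUILD {self._key(pkt)}")
            return True
        if self._key(pkt) in self.conns or self._reverse_key(pkt) in self.conns:
            return True
        # Analogue of the level-6 "Deny TCP (no connection)" message (106015).
        self.log.append(f"DENY (no connection) {self._key(pkt)} flags={pkt.flags}")
        return False


def dsr_ssh_handshake(fw: StatefulFirewall) -> bool:
    """The client's SYN to the VIP passes only through the ACE; the server's
    SYN-ACK follows its default gateway, the FWSM. Returns whether the FWSM
    forwards that SYN-ACK."""
    # The SYN is deliberately never offered to fw.inspect(): the FWSM is not
    # in the client-to-VIP path in this design.
    syn_ack = Packet(VIP, 22, CLIENT, 40001, "SA")
    return fw.inspect(syn_ack)


def symmetric_ssh_handshake(fw: StatefulFirewall) -> bool:
    """Both directions traverse the FWSM, as in the in-line topology."""
    syn = Packet(CLIENT, 40002, SERVER, 22, "S")
    syn_ack = Packet(SERVER, 22, CLIENT, 40002, "SA")
    return fw.inspect(syn) and fw.inspect(syn_ack)


if __name__ == "__main__":
    strict = StatefulFirewall()
    print("DSR, stateful:", dsr_ssh_handshake(strict), strict.log)
    bypass = StatefulFirewall((AclEntry(CLIENT, VIP, 22),))
    print("DSR, bypass:  ", dsr_ssh_handshake(bypass), bypass.log)
    print("In-line:      ", symmetric_ssh_handshake(StatefulFirewall()))
```

Running it shows the SYN-ACK denied by the strict firewall, permitted once the client-to-VIP entry is in the bypass ACL, and the in-line topology passing both halves of the handshake without any bypass. The last point is the caveat Mike raises: the bypassed flow is forwarded without the firewall ever having seen a SYN, so keep the ACL to exactly the hosts and port that need it.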
08-28-2008 08:58 AM
WOW! The TCP state bypass solved my problem. Changing the topology wasn't an option, however.
Thanks a ton.
08-28-2008 09:05 AM
Hi Anik,
I'm glad to hear the workaround was a success for you.
Take care,
-Mike
08-29-2008 10:48 AM
Excellent answer there Mike, a five from me :)
Regards
Farrukh
08-31-2008 06:34 AM
Mike, really great analysis.
5 from me as well :)
08-31-2008 03:46 PM
Mike,
Any idea how to make the bypass policy work on an ASA? The commands do not seem to be applicable on an ASA.
- Anik