Delay in ping through ACE

new_networker
Level 1

Hi,

Topology:

HOST1 <- ACE <- MSFC -> FWSM -> HOST2

When I ping HOST1 from HOST2, I 'sometimes' experience delay in starting the ping. However, once the ping starts it continues without a problem. The issue is only while starting the ping, i.e. it goes into a halt for 3, 5, 10, 15 seconds and then starts getting echo-responses.

Now, HOST1 is on the Server Vlan of the ACE module. So it is bridged to the client vlan which is defined on MSFC.

Would you know of any reason why the start of the ping responds late? And this does not happen every time.

Could it be an ARP-related problem?

Thanks.


new_networker
Level 1

Well, I did a test which confirms the delay due to the ACE.

Test:

I moved the server vlan port into client vlan which directly connects to MSFC. And the delay in starting the ping disappeared. But when I moved it back to the server vlan, the delay is noticed again.

Please assist.

Is ACE in bridge mode and FWSM in routed mode?

What is the default gateway on servers behind ACE? Is it FWSM or MSFC?

Do you see an ARP entry on the Server for its default gateway?

Syed Iftekhar Ahmed

I made an error in my previous explanation/topology. Once again:

HOST1 < ACE < (Inside) FWSM (DMZ) > HOST2

so MSFC need not be considered in this scenario. Both the hosts are eventually on FWSM. Ping from HOST2 to HOST1 experiences a delayed start.

- ACE is in bridged mode.

- FWSM is in routed mode.

- Default gateway of the servers behind ACE is the FWSM interface.

- Yes, I can see the arp entry on the server for its default gateway.

Thank you.

Try to add a dummy rserver on ACE with the FWSM interface IP. This will ensure that the ARP entry for the FWSM interface never times out on ACE (as ACE constantly does ARP for its rservers), and see if it makes a difference.

Syed Iftekhar Ahmed

Ok.

I will try that. But as a quick one, I checked the ARP table on ACE and I can find the FWSM Interface IP in the ARP table.

Ok.

I tried out defining an rserver on ACE with the FWSM interface IP, i.e. the default gateway for HOST1, but the delay is still there. I can also see the delay going up to a couple of minutes.

Please assist.

Thanks

I also noticed that if I were to continuously break and start a new ping, it is successful for approx 1 minute and then breaks for approx 1 minute and then comes back.

Does it have something to do with bridge-group BVI on the ACE?

The HOST1 ip is not a VIP and a local host ip.

BVI has nothing to do with it.

Do you have a failover setup? Is it possible that ping response is actually going through the different ACE module?

You will need to trace the failed packet.

Is it the request that is failing or the response? Where is it failing, etc.

It needs detailed inspection. I would recommend opening a TAC case.

Syed Iftekhar Ahmed

Yes, it is in a failover setup. Only one active/standby context.

I was trying to do debug all and it returned debug all is disabled.

Would you know how to enable debug all?

In addition to the above, in my topology I have an independent ACE module for front end servers and a separate ACE for the back end servers which is behind FWSM.

Now, the front end ACE (without FWSM) has configurations similar to back end ACE but the stated ping problem cannot be noticed on the front end ACE.

So, it can be concluded that the issue is with ACE behind FWSM. Do you think it is something to do with ACE's specific deployment with FWSM?

Since you are running a redundant pair of ACEs in bridge mode, I would like you to check the following items:

1. Have you disabled BPDU guard & Loopguard on cat?

You should have the following configured on cat6k

no spanning-tree portfast bpduguard default

no spanning-tree loopguard default

2. Are you allowing BPDUs to pass through ACE?

It can be done using an ethertype ACL to permit BPDUs, and this ACL should be applied to both bridged vlan interfaces.

access-list xyz ethertype permit bpdu

----

To capture packets passing through ACE, you will need to do the following.

Type 'monitor session 10 source interface port-channel 2xy both'

Where 2xy is 256 + slot number of ACE.

3. Type 'monitor session 10 destination interface fastEthernet a/b'

Where a/b is a port that you plug your PC in on the cat

4. Run Ethereal on your PC

Syed Iftekhar Ahmed

Seems like the problem is fixed.

Details:

When I did show failover on FWSM both active and standby showed all of its interfaces in 'Normal (Waiting)' mode. And the secondary FWSM was shown as failed.

I did a resync which brought back the secondary and all the interfaces on both FWSM came back to 'Normal'. Hereafter, the delay in ping starts vanished. Strange... I believe FWSM interface in 'Normal (Waiting)' should continue to forward traffic as usual.

Probably, ACE behind FWSM in 'Normal (Waiting)' state creates such an issue. ???

I got a bit confused on your previous post. Are you saying:

- bpduguard should be enabled if it is in disabled state.

- portfast should be enabled if it is in disabled state.

What I meant was that bpdu guard & loopguard must be disabled for ACE's 10Gig interface.

In order to disable these you need the following configured on cat6k

no spanning-tree portfast bpduguard default

no spanning-tree loopguard default

Syed Iftekhar Ahmed

Hi,

From your previous post, could you please explain:

1. Can I just use the server active port instead of the Port Channel?

2. What is 2xy? If the ACE slot is 1, will the 2xy be equivalent to 257?

Quote

Type 'monitor session 10 source interface port-channel 2xy both'

Where 2xy is 256 + slot number of ACE.

Unquote
