ACE dropped conns with New Vip

wowsersusa (Level 1)

I have been load balancing our mail servers for quite some time without an issue; however, I have been using a dynamic NAT statement. This causes our mail team to have problems with logging. I then created a whole new VLAN and ACE context for the mail servers to use. This is where my dilemma is.

I now have dropped connections going to my VIP, but only from one server, which is our anti-spam / antivirus server that filters the mail from the internet and then passes it on to these other mail servers.

I can send mail just fine if I don't use the VIP I created.

Also, if I use a NAT statement the mail sends fine, but obviously I don't want to use that anymore.

The only thing I see that the ACE is not doing is closing the connections. So if every five minutes I do a clear conn all, I won't get any dropped connections for at least 10 to 15 minutes, but I am not going to be doing this. Right now I have a server with a script that logs into the ACE and then clears the connections, but this is a band-aid.

Here is my config. This is the only thing on this context. All 6 of my other contexts do not have this issue.

access-list ALL line 10 extended permit ip any any
access-list ALL line 18 extended permit icmp any any

probe smtp SMTP_Probe
  interval 15
  passdetect interval 30
  expect status 210 250

parameter-map type connection TCP_Mail_TO
  slowstart
  set timeout inactivity 2
  set tcp timeout half-closed 15
  set tcp ack-delay 300
  tcp-options timestamp allow

rserver host hub2
  ip address *.*.*.*.*.*
  inservice

serverfarm host Mail_Hub_Servers_SF
  probe SMTP_Probe
  rserver hub2 25
    inservice

class-map match-all Mail_Hub_VIP
  2 match virtual-address *.*.*.*.*.* tcp eq smtp

class-map type management match-any Remote_Management
  2 match protocol http any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any

policy-map type management first-match rmt_mgt_policy
  class Remote_Management
    permit

policy-map type loadbalance first-match Mail_Hub_VIP-l7slb
  class class-default
    serverfarm Mail_Hub_Servers_SF

policy-map multi-match int7
  class Mail_Hub_VIP
    loadbalance vip inservice
    loadbalance policy Mail_Hub_VIP-l7slb
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    connection advanced-options TCP_Mail_TO

access-group input ALL

interface vlan 108
  ip address *.*.*.*.
  alias *.*.*.*
  peer ip address *.*.*.*.
  no normalization
  no icmp-guard
  service-policy input rmt_mgt_policy
  service-policy input int7
  no shutdown

ip route 0.0.0.0 0.0.0.0 *.*.*.*

7 Replies

Since you are using one-arm mode you need to make sure that the return traffic (from the mail servers) doesn't bypass the ACE.

This is normally achieved using source NAT or PBR. I don't see source NAT in your config; are you using policy-based routing?

Since you are trying to avoid NAT and you are playing with your VLANs, why don't you use routed mode in this ACE context? With routed mode your VIPs will listen on one VLAN (separate address space) and the reals will reside in a different VLAN (address space).

This way the ACE will do the destination address translation and you will be able to preserve the source addresses hitting the mail servers.

Syed Iftekhar Ahmed

I would like to avoid trying routed mode for this right now because we haven't had a good experience with routed mode here. I can try creating a new context in routed mode, because I cannot experiment with production mail. Also, I have this scenario working fine on 3 other contexts with 0 connections being dropped. The other thing is I am not dropping all connections; it's dropping about 2-8% of the connections. I have been playing around with connection limits.

Interface: vlan 108
  service-policy: int7
    class: Mail_Hub_VIP
      loadbalance:
        L7 loadbalance policy: Mail_Hub_VIP-l7slb
        VIP Route Metric     : 77
        VIP Route Advertise  : ENABLED-WHEN-ACTIVE
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 1         , hit count        : 12052
        dropped conns    : 839
        client pkt count : 385190    , client byte count: 375718706
        server pkt count : 133814    , server byte count: 11089648
        conn-rate-limit      : 50        , drop-count : 0
        bandwidth-rate-limit : -         , drop-count : -
      Parameter-map(s):
        TCP_Mail_TO

I am sorry, I looked back through my notes and it was not policy-based routing which caused a whole network issue. It was creating BVI interfaces. I am going to work on PBR and read up on it and see what I need to do. If you have any whole configuration examples on setting it up that would be great. I know the commands, but I don't want to mess this up if I don't have an example to follow.

Well, I did do the PBR and it made no difference.

The following are the commands I ran.

access-list 100 permit tcp host 172.16.7.67 eq smtp any
!
route-map 7_Subnet permit 10
  match ip address 100
  set ip next-hop 172.16.7.254    <-- This is my ACE default gateway.
!
interface Vlan108
  ip address 172.16.7.2 255.255.255.0
  ip policy route-map 7_Subnet
  glbp 108 ip 172.16.7.1
  glbp 108 load-balancing host-dependent
  glbp 108 authentication text ****

litrenta (Level 3)

With the current configuration your connections are asymmetric; if you do not do source NAT then you will need PBR to get return traffic back through the ACE.

What you have right now has the ACE handling client-to-server traffic and server-to-client traffic going around the ACE. This is being allowed right now because you have no normalization on the interface.

In my scenario (one-armed mode), I am using SNAT for requests originating from the server VLAN hitting its own VIP. This resolved the self-hit issue.

However, I am unable to get a successful response from the rserver after mapping the public IP to the VIP on the ACE. Would I need source NAT for client-to-server traffic originating from the outside network (internet)?

Static translation on the ASA and ACL hits are showing correct statistics. I am able to ping the VIP via the public IP (ICMP is also load balanced on the ACE), but the HTTP request fails. The HTTP requests from all other inside networks are successful.

Any suggestions?

Regards.
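The return-path reasoning in the replies above (one-arm asymmetry, source NAT, PBR on the upstream router, and the same-VLAN "self-hit" case) as a constructed model. This is added example code, not ACE or Cisco code and not from anyone in the thread; the hop names and the `OneArm` flags are assumptions, and it generalises the point to the case where the client sits on the server VLAN, where a router-side route-map never sees the reply at all.

```python
"""Constructed model of the one-arm ACE topology discussed in this thread.
It reproduces only the forward/return-path reasoning: the ACE must see
both directions of a TCP connection to track and close it cleanly."""
from dataclasses import dataclass

CLIENT, ROUTER, ACE, REAL = "client", "router", "ACE", "rserver hub2"


@dataclass
class OneArm:
    snat: bool = False                   # ACE rewrites the client source to its own address
    pbr_return: bool = False             # router route-map sends src-port-25 traffic to ACE
    server_gw_is_ace: bool = False       # routed/two-arm: the real's default gateway is ACE
    client_on_server_vlan: bool = False  # client shares the VLAN with the reals


def reply_path(t: OneArm) -> list:
    """Hops the real server's reply takes on its way back to the client."""
    # Hops between ACE and client: none when both are on the server VLAN.
    to_client = ([] if t.client_on_server_vlan else [ROUTER]) + [CLIENT]
    if t.snat:
        # Reply is addressed to the ACE's NAT address, so it lands on ACE directly.
        return [REAL, ACE] + to_client
    if t.server_gw_is_ace:
        # Routed mode: the real's default route points at ACE.
        return [REAL, ACE] + to_client
    if t.client_on_server_vlan:
        # Same subnet: the real replies to the client at L2, bypassing router and ACE.
        return [REAL, CLIENT]
    if t.pbr_return:
        # Router policy-routes the reply to ACE; ACE un-NATs dst back to the VIP
        # and forwards it via its default route, which points at the router.
        return [REAL, ROUTER, ACE, ROUTER, CLIENT]
    return [REAL, ROUTER, CLIENT]  # plain routing: ACE never sees the reply


def is_symmetric(t: OneArm) -> bool:
    """True when ACE sees both directions, i.e. it can track and tear down the conn."""
    return ACE in reply_path(t)


if __name__ == "__main__":
    cases = {
        "original config (no SNAT, no PBR)": OneArm(),
        "PBR on the upstream router": OneArm(pbr_return=True),
        "PBR, but client on server VLAN": OneArm(pbr_return=True, client_on_server_vlan=True),
        "source NAT on ACE": OneArm(snat=True),
        "routed mode, reals' gateway = ACE": OneArm(server_gw_is_ace=True),
    }
    for name, topo in cases.items():
        print(f"{name:36} {' -> '.join(reply_path(topo)):44} symmetric={is_symmetric(topo)}")
```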

With two-armed mode, shouldn't the ACE know how to get the traffic back to me without using PBR?

Two-Armed Mode - This topology is used when the device that makes the connection to the VIP enters the ACE on a different VLAN than the one on which the servers reside. If the servers have their default gateway set to the ACE, there is no need for source NAT. The reply traffic returns to the ACE before it is sent back to the client.
