ACE server initiating traffic issue

Mar 12th, 2010


I'm trying to establish a session between one of my real servers behind the ACE and some external network without any NAT. According to the documentation I should only configure the correct ACL on both the client and server VLAN and it should work. Unfortunately, although I see hits in the ACL configured on the outside direction for the client VLAN, the traffic is not passing the ACE.

When I configure the capture I can see traffic only in the server VLAN. There is no traffic in the client VLAN.

Does anybody know what else I should configure?

Thank you in advance



dario.didio Fri, 03/12/2010 - 06:56


Make sure that the routers in your network know the path to the subnet behind the ACE. You can do this by configuring a static route on your upstream router connected to the ACE, and redistribute this static route in your routing protocol.

The static route on your upstream router should have the alias address (in case of HA) or the physical address of the ACE as next hop.



lukaszkhalil Mon, 03/15/2010 - 00:09


I did it. Finally I found that the packets were leaving the ACE but I could not see them in the capture. I captured them by using a SPAN port on the ACE client VLAN.

It seems that the ACE does not show the outgoing traffic in the capture. At least in the A2(1.5) version.



aljaloudi Mon, 03/15/2010 - 22:37

Are you trying to initiate traffic using the server IP or the VIP IP?

aljaloudi Tue, 03/16/2010 - 00:36

If you are NATing the server IP to the ACE VIP, you may switch to DSR, which allows the servers to source packets using the VIP IP.

aljaloudi Tue, 03/16/2010 - 00:39

But if you want the rserver to send traffic without any NAT or using the VIP IP, make sure you apply your access list to the inbound interfaces and a static route from the ACE to the next-hop MSFC.

dario.didio Tue, 03/16/2010 - 01:46


The capture feature on the ACE only works in the input direction:

The packet capture function enables access-control lists (ACLs) to control which packets are captured by the ACE on the input interface.

Is your problem resolved now or does this still not work?

If so, what do you see in the capture?



