ACL not Working with Keepalive Configuration

Unanswered Question
Apr 6th, 2010

Hi,

I have configured an ACL on a CSS 11506 with software version 07.50.1_03.0. After configuring it, we observed in show keepalive-summary that all server services are up except the App server services, where keepalive type TCP and a port are configured. We tried removing the keepalive configuration from the App servers, after which it is working fine. Does any specific port need to be allowed in the ACL for keepalives? Below is the configuration which is done on the CSS.

acl enable
acl log enable
acl 1
  clause 1 permit tcp any destination any eq 8080
  clause 2 permit tcp any destination any eq 80
  clause 3 permit tcp any destination any eq 443
  clause 4 permit any any destination 224.0.0.18
  clause 5 permit icmp any destination any
  apply all

service WEBSERVER 1
  ip address 1.1.1.11
  redundant-index 1
  protocol tcp
  port 80
  active

service WEBSERVER 2
  ip address 1.1.1.12
  redundant-index 2
  protocol tcp
  port 80
  active

service APP1
  ip address 1.1.2.11
  redundant-index 10
  keepalive type tcp
  keepalive port 8080
  active

service APP2
  ip address 1.1.2.12
  redundant-index 11
  keepalive type tcp
  keepalive port 8080
  active

Dulal Ray Tue, 04/06/2010 - 05:56

Hi,

Please help to troubleshoot the issue and let me know if it could be an IOS bug.

dario.didio Tue, 04/06/2010 - 07:28

Hi,

Can you telnet to 1.1.2.11 and 1.1.2.12 on port 8080?

Dos-prompt => telnet 1.1.2.11 8080

Dos-prompt => telnet 1.1.2.12 8080

When you sniff on your server, do you see incoming TCP SYN packets from the CSS?

HTH,

Dario

Dulal Ray Wed, 04/07/2010 - 00:22

Hi,

Thanks for the reply.

Yes, I can telnet to 1.1.2.11 and 1.1.2.12 on port 8080 and can see incoming TCP SYN packets from the CSS. But please let me know: if ICMP is allowed in the ACL, then the same should work, but still we are stuck.

Please help with troubleshooting the same.

dario.didio Wed, 04/07/2010 - 00:32

Hi,

Normally the keepalive should work without the ACL.

Can you post the output of show keepalive?

HTH,

Dario

Dulal Ray Wed, 04/07/2010 - 01:01

Hi,

Thanks for the reply. Kindly find the required output below and let me know your views.

CSS11506_Backup# sh keepalive-sum
Keepalives:
AUTO_nexthop00001 State: Alive 1.1.3.1
AUTO_nexthop00002 State: Alive 1.1.3.1
AUTO_SEZ-WEBSERVER-03 State: Down 1.1.1.11
AUTO_SEZ-WEBSERVER-04 State: Down 1.1.1.12
AUTO_WEBSERVER-01 State: Alive 1.1.4.6
AUTO_WEBSERVER-02 State: Alive 1.1.4.7
AUTO_chk-con-pix103 State: Alive 1.1.3.4
AUTO_chk-con-pix225 State: Alive 1.1.3.17
AUTO_chk-con-web104 State: Alive 1.1.4.5
AUTO_chk-con-web224 State: Alive 1.1.1.18
AUTO_chk-con-pix227 State: Alive 1.1.4.4
AUTO_chk-con-app226 State: Alive 1.1.2.4
AUTO_SEZAPP1 State: Down 1.1.2.11
AUTO_SEZAPP2 State: Dying 1.1.2.12
AUTO_nexthop00005 State: Alive 1.1.4.1

CSS11506_Backup# sh keepalive-sum
Keepalives:
AUTO_nexthop00001 State: Alive 1.1.3.1
AUTO_nexthop00002 State: Alive 1.1.3.1
AUTO_SEZ-WEBSERVER-03 State: Down 1.1.1.11
AUTO_SEZ-WEBSERVER-04 State: Down 1.1.1.12
AUTO_WEBSERVER-01 State: Alive 1.1.4.6
AUTO_WEBSERVER-02 State: Alive 1.1.4.7
AUTO_chk-con-pix103 State: Alive 1.1.3.4
AUTO_chk-con-pix225 State: Alive 1.1.3.17
AUTO_chk-con-web104 State: Alive 1.1.4.5
AUTO_chk-con-web224 State: Alive 1.1.1.18
AUTO_chk-con-pix227 State: Alive 1.1.4.4
AUTO_chk-con-app226 State: Alive 1.1.2.4
AUTO_SEZAPP1 State: Down 1.1.2.11
AUTO_SEZAPP2 State: Down 1.1.2.12
AUTO_nexthop00005 State: Alive 1.1.4.1

CSS11506_Backup# sh keepalive
Keepalives:

Name: AUTO_nexthop00001 Index: 0 State: Alive
Description: Auto generated for service nexthop00001
Address: 1.1.3.1 Port: Any
Type: ICMP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
nexthop00001

Name: AUTO_nexthop00002 Index: 1 State: Alive
Description: Auto generated for service nexthop00002
Address: 1.1.3.1 Port: Any
Type: ICMP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
nexthop00002

Name: AUTO_-WEBSERVER-03 Index: 2 State: Down
Description: Auto generated for service -WEBSERVER-03
Address: 1.1.1.11 Port: 80
Type: TCP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
-WEBSERVER-03

Name: AUTO_-WEBSERVER-04 Index: 3 State: Down
Description: Auto generated for service -WEBSERVER-04
Address: 1.1.1.12 Port: 80
Type: TCP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
-WEBSERVER-04

Name: AUTO_WEBSERVER-01 Index: 4 State: Alive
Description: Auto generated for service WEBSERVER-01
Address: 1.1.4.6 Port: 80
Type: ICMP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
WEBSERVER-01

Name: AUTO_WEBSERVER-02 Index: 5 State: Alive
Description: Auto generated for service WEBSERVER-02
Address: 1.1.4.7 Port: 80
Type: ICMP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
WEBSERVER-02

Name: AUTO_chk-con-pix103 Index: 6 State: Alive
Description: Auto generated for service chk-con-pix103
Address: 1.1.3.4 Port: Any
Type: SCRIPT ap-kal-pinglist
Script Arguments: "1.1.3.4"
Script Error: None
Script Run Time: 0 seconds
Script Using Output parsing: No
Encryption: Disabled
Frequency: 2
Max Failures: 2
Retry Frequency: 2
Dependent Services:
chk-con-pix103

Name: AUTO_chk-con-pix225 Index: 7 State: Alive
Description: Auto generated for service chk-con-pix225
Address: 1.1.3.17 Port: Any
Type: SCRIPT ap-kal-pinglist
Script Arguments: "1.1.3.17"
Script Error: None
Script Run Time: 0 seconds
Script Using Output parsing: No
Encryption: Disabled
Frequency: 2
Max Failures: 2
Retry Frequency: 2
Dependent Services:
chk-con-pix225

Name: AUTO_chk-con-web104 Index: 8 State: Alive
Description: Auto generated for service chk-con-web104
Address: 1.1.4.5 Port: Any
Type: SCRIPT ap-kal-pinglist
Script Arguments: "1.1.4.5"
Script Error: None
Script Run Time: 0 seconds
Script Using Output parsing: No
Encryption: Disabled
Frequency: 2
Max Failures: 2
Retry Frequency: 2
Dependent Services:
chk-con-web104

Name: AUTO_chk-con-web224 Index: 9 State: Alive
Description: Auto generated for service chk-con-web224
Address: 1.1.1.18 Port: Any
Type: SCRIPT ap-kal-pinglist
Script Arguments: "1.1.1.18"
Script Error: None
Script Run Time: 0 seconds
Script Using Output parsing: No
Encryption: Disabled
Frequency: 2
Max Failures: 2
Retry Frequency: 2
Dependent Services:
chk-con-web224

Name: AUTO_chk-con-pix227 Index: 10 State: Alive
Description: Auto generated for service chk-con-pix227
Address: 1.1.4.4 Port: Any
Type: SCRIPT ap-kal-pinglist
Script Arguments: "1.1.4.4"
Script Error: None
Script Run Time: 0 seconds
Script Using Output parsing: No
Encryption: Disabled
Frequency: 2
Max Failures: 2
Retry Frequency: 2
Dependent Services:
chk-con-pix227

Name: AUTO_chk-con-app226 Index: 11 State: Alive
Description: Auto generated for service chk-con-app226
Address: 1.1.2.4 Port: Any
Type: SCRIPT ap-kal-pinglist
Script Arguments: "1.1.2.4"
Script Error: None
Script Run Time: 0 seconds
Script Using Output parsing: No
Encryption: Disabled
Frequency: 2
Max Failures: 2
Retry Frequency: 2
Dependent Services:
chk-con-app226

Name: AUTO_APP1 Index: 12 State: Down
Description: Auto generated for service APP1
Address: 1.1.2.11 Port: 8080
Type: TCP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
APP1

Name: AUTO_APP2 Index: 13 State: Down
Description: Auto generated for service APP2
Address: 1.1.2.12 Port: 8080
Type: TCP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
APP2

Name: AUTO_nexthop00005 Index: 14 State: Alive
Description: Auto generated for service nexthop00005
Address: 1.1.4.1 Port: Any
Type: ICMP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:

Gilles Dufour Wed, 04/07/2010 - 01:18

The ACLs are applied on inbound traffic.

So you deny everything except traffic sent to CSS port 8080.

You need to permit traffic coming back from the server as well or configure a permit all for everything coming from the server interface.

Gilles.

Dulal Ray Wed, 04/07/2010 - 01:24

Hi Gilles,

The ACL is applied on all VLANs. Below is the config done on the CSS:

acl 1
  clause 1 permit tcp any destination any eq 8080
  clause 2 permit tcp any destination any eq 80
  clause 3 permit tcp any destination any eq 443
  clause 4 permit any any destination 224.0.0.18
  clause 5 permit icmp any destination any
  apply all

Or else, can we configure the following ACL on the CSS, as we want only port 80 and 8080 communication?

acl 1
  clause 1 deny ip host 1.1.4.7 destination host 1.1.1.11
  clause 2 deny ip host 1.1.4.7 destination host 1.1.1.12
  clause 3 deny ip host 1.1.4.7 destination host 1.1.2.11
  clause 4 deny ip host 1.1.4.7 destination host 1.1.2.12
  clause 5 deny ip host 1.1.4.7 destination host 1.1.2.21
  clause 6 deny ip host 1.1.4.7 destination host 1.1.2.22
  clause 7 deny ip host 1.1.4.6 destination host 1.1.1.11
  clause 8 deny ip host 1.1.4.6 destination host 1.1.1.12
  clause 9 deny ip host 1.1.4.6 destination host 1.1.2.11
  clause 10 deny ip host 1.1.4.6 destination host 1.1.2.12
  clause 11 deny ip host 1.1.4.6 destination host 1.1.2.21
  clause 12 deny ip host 1.1.4.6 destination host 1.1.2.22
  clause 13 deny ip host 1.1.1.11 destination host 1.1.2.21
  clause 14 deny ip host 1.1.1.11 destination host 1.1.2.22
  clause 15 deny ip host 1.1.1.12 destination host 1.1.2.21
  clause 16 deny ip host 1.1.1.12 destination host 1.1.2.22
  clause 17 deny tcp host 1.1.1.11 destination host 1.1.2.11 range 0 - 8079
  clause 18 deny tcp host 1.1.1.11 destination host 1.1.2.11 range 8081 - 65534
  clause 19 deny tcp host 1.1.1.11 destination host 1.1.2.12 range 0 - 8079
  clause 20 deny tcp host 1.1.1.11 destination host 1.1.2.12 range 8081 - 65534
  clause 21 deny tcp host 1.1.1.12 destination host 1.1.2.11 range 0 - 8079
  clause 22 deny tcp host 1.1.1.12 destination host 1.1.2.11 range 8081 - 65534
  clause 23 deny tcp host 1.1.1.12 destination host 1.1.2.12 range 0 - 8079
  clause 24 deny tcp host 1.1.1.12 destination host 1.1.2.12 range 8081 - 65534
  clause 25 permit ip any destination any
  apply all

Gilles Dufour Wed, 04/07/2010 - 01:43

  clause 1 permit tcp any destination any eq 8080
  clause 2 permit tcp any destination any eq 80
  clause 3 permit tcp any destination any eq 443
  clause 4 permit any any destination 224.0.0.18
  clause 5 permit icmp any destination any

There is no clause in the ACL above to permit traffic from the server back to the CSS.

For example, for a TCP probe sent to port 8080, the response from the server will be:

SRC: Server
DST: CSS
Proto: TCP
SRC_PORT: 8080
DST_PORT: unknown

Since there is no permit clause matching this traffic, it is dropped !!!!

As I said, configure a permit all for the server interface.

Or add a clause to permit the server responses.

For example:

clause 6 permit tcp any eq 8080 destination any

Gilles.
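As an added illustration that is not part of the thread, here is a small Python model of how the inbound ACL in Gilles' explanation treats keepalive traffic: the SYN the CSS sends would match clause 1, but the SYN-ACK coming back carries source port 8080 and an ephemeral destination port, so it matches nothing until clause 6 is added, while the ICMP echo replies already match clause 5 (which is why the ICMP keepalives stayed Alive). The CSS address 1.1.2.1 and the ephemeral port 40000 are constructed values, and the parser only understands the clause forms quoted above.

```python
import re
from collections import namedtuple

# Constructed values (not in the thread): the CSS interface the server replies to,
# and the ephemeral source port the CSS chose for its TCP probe.
CSS_IP = "1.1.2.1"
EPHEMERAL_PORT = 40000
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))

# Parses only the clause forms used in the thread:
#   clause N permit|deny <proto> <src> [eq P] destination <dst> [eq P]
CLAUSE_RE = re.compile(
    r"clause \d+ (permit|deny) (\S+) (\S+)(?: eq (\d+))? destination (\S+)(?: eq (\d+))?")

def parse_acl(text):
    """Turn CSS 'clause' lines into (action, proto, src, sport, dst, dport) tuples."""
    clauses = []
    for line in text.strip().splitlines():
        m = CLAUSE_RE.match(line.strip())
        if m:
            action, proto, src, sport, dst, dport = m.groups()
            clauses.append((action, proto, src, sport and int(sport), dst, dport and int(dport)))
    return clauses

def evaluate(clauses, pkt):
    """First matching clause wins; with 'acl enable' anything unmatched is denied."""
    for action, proto, src, sport, dst, dport in clauses:
        if proto not in ("any", pkt.proto) or src not in ("any", pkt.src) or dst not in ("any", pkt.dst):
            continue
        if (sport and sport != pkt.sport) or (dport and dport != pkt.dport):
            continue
        return action
    return "deny"

def keepalive_state(clauses, server_ip, ktype, port=None):
    """State of a keepalive, decided by the server's reply arriving inbound through the ACL."""
    if ktype == "icmp":
        reply = Packet("icmp", server_ip, CSS_IP)                       # echo reply
    else:
        reply = Packet("tcp", server_ip, CSS_IP, sport=port, dport=EPHEMERAL_PORT)  # SYN-ACK
    return "Alive" if evaluate(clauses, reply) == "permit" else "Down"

ORIGINAL_ACL = """clause 1 permit tcp any destination any eq 8080
clause 2 permit tcp any destination any eq 80
clause 3 permit tcp any destination any eq 443
clause 4 permit any any destination 224.0.0.18
clause 5 permit icmp any destination any"""
FIXED_ACL = ORIGINAL_ACL + "\nclause 6 permit tcp any eq 8080 destination any"
```

Running `keepalive_state(parse_acl(ORIGINAL_ACL), "1.1.2.11", "tcp", 8080)` reproduces the Down state from the thread, and the same call with `FIXED_ACL` returns Alive.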
