04-06-2010 02:31 AM
Hi,
I have configured an ACL on a CSS 11506 with software version 07.50.1_03.0. After configuring it we observed in show keepalive-summary that all server services are up except the app server services, where keepalive type TCP and port are configured. We tried removing the keepalive configuration from the app servers, after which it is working fine. Does any specific port need to be allowed in the ACL for the keepalive? Below is the configuration which is done on the CSS.
acl enable
acl log enable
acl 1
clause 1 permit tcp any destination any eq 8080
clause 2 permit tcp any destination any eq 80
clause 3 permit tcp any destination any eq 443
clause 4 permit any any destination 224.0.0.18
clause 5 permit icmp any destination any
apply all
service WEBSERVER 1
ip address 1.1.1.11
redundant-index 1
protocol tcp
port 80
active
service WEBSERVER 2
ip address 1.1.1.12
redundant-index 2
protocol tcp
port 80
active
service APP1
ip address 1.1.2.11
redundant-index 10
Keepalive type tcp
Keepalive port 8080
active
service APP2
ip address 1.1.2.12
redundant-index 11
Keepalive type tcp
Keepalive port 8080
active
04-06-2010 05:56 AM
Hi,
Please help to troubleshoot the issue and let me know if it could be an IOS bug.
04-06-2010 07:28 AM
Hi,
Can you do a telnet to 1.1.2.11 and 1.1.2.12 on port 8080?
Dos-prompt => telnet 1.1.2.11 8080
Dos-prompt => telnet 1.1.2.12 8080
When you sniff on your server, do you see incoming TCP SYN packets from the CSS?
HTH,
Dario
04-07-2010 12:22 AM
Hi,
Thanks for the reply.
Yes, I can do a telnet to 1.1.2.11 and 1.1.2.12 on port 8080 and can see incoming TCP SYN packets from the CSS. But please let me know: if ICMP is allowed in the ACL then the same should work, but still we are stuck.
Please help with troubleshooting the same.
04-07-2010 12:32 AM
Hi,
Normally the keepalive should work without the ACL.
Can you post the output of show keepalive?
HTH,
Dario
04-07-2010 01:01 AM
Hi,
Thanks for the reply. Kindly find the required output below and let me know your views.
CSS11506_Backup# sh keepalive-sum
Keepalives:
AUTO_nexthop00001 State: Alive 1.1.3.1
AUTO_nexthop00002 State: Alive 1.1.3.1
AUTO_SEZ-WEBSERVER-03 State: Down 1.1.1.11
AUTO_SEZ-WEBSERVER-04 State: Down 1.1.1.12
AUTO_WEBSERVER-01 State: Alive 1.1.4.6
AUTO_WEBSERVER-02 State: Alive 1.1.4.7
AUTO_chk-con-pix103 State: Alive 1.1.3.4
AUTO_chk-con-pix225 State: Alive 1.1.3.17
AUTO_chk-con-web104 State: Alive 1.1.4.5
AUTO_chk-con-web224 State: Alive 1.1.1.18
AUTO_chk-con-pix227 State: Alive 1.1.4.4
AUTO_chk-con-app226 State: Alive 1.1.2.4
AUTO_SEZAPP1 State: Down 1.1.2.11
AUTO_SEZAPP2 State: Dying 1.1.2.12
AUTO_nexthop00005 State: Alive 1.1.4.1
CSS11506_Backup# sh keepalive-sum
Keepalives:
AUTO_nexthop00001 State: Alive 1.1.3.1
AUTO_nexthop00002 State: Alive 1.1.3.1
AUTO_SEZ-WEBSERVER-03 State: Down 1.1.1.11
AUTO_SEZ-WEBSERVER-04 State: Down 1.1.1.12
AUTO_WEBSERVER-01 State: Alive 1.1.4.6
AUTO_WEBSERVER-02 State: Alive 1.1.4.7
AUTO_chk-con-pix103 State: Alive 1.1.3.4
AUTO_chk-con-pix225 State: Alive 1.1.3.17
AUTO_chk-con-web104 State: Alive 1.1.4.5
AUTO_chk-con-web224 State: Alive 1.1.1.18
AUTO_chk-con-pix227 State: Alive 1.1.4.4
AUTO_chk-con-app226 State: Alive 1.1.2.4
AUTO_SEZAPP1 State: Down 1.1.2.11
AUTO_SEZAPP2 State: Down 1.1.2.12
AUTO_nexthop00005 State: Alive 1.1.4.1
CSS11506_Backup# sh keepalive
Keepalives:
Name: AUTO_nexthop00001 Index: 0 State: Alive
Description: Auto generated for service nexthop00001
Address: 1.1.3.1 Port: Any
Type: ICMP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
nexthop00001
Name: AUTO_nexthop00002 Index: 1 State: Alive
Description: Auto generated for service nexthop00002
Address: 1.1.3.1 Port: Any
Type: ICMP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
nexthop00002
Name: AUTO_-WEBSERVER-03 Index: 2 State: Down
Description: Auto generated for service -WEBSERVER-03
Address: 1.1.1.11 Port: 80
Type: TCP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
-WEBSERVER-03
Name: AUTO_-WEBSERVER-04 Index: 3 State: Down
Description: Auto generated for service -WEBSERVER-04
Address: 1.1.1.12 Port: 80
Type: TCP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
-WEBSERVER-04
Name: AUTO_WEBSERVER-01 Index: 4 State: Alive
Description: Auto generated for service WEBSERVER-01
Address: 1.1.4.6 Port: 80
Type: ICMP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
WEBSERVER-01
Name: AUTO_WEBSERVER-02 Index: 5 State: Alive
Description: Auto generated for service WEBSERVER-02
Address: 1.1.4.7 Port: 80
Type: ICMP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
WEBSERVER-02
Name: AUTO_chk-con-pix103 Index: 6 State: Alive
Description: Auto generated for service chk-con-pix103
Address: 1.1.3.4 Port: Any
Type: SCRIPT ap-kal-pinglist
Script Arguments: "1.1.3.4"
Script Error: None
Script Run Time: 0 seconds
Script Using Output parsing: No
Encryption: Disabled
Frequency: 2
Max Failures: 2
Retry Frequency: 2
Dependent Services:
chk-con-pix103
Name: AUTO_chk-con-pix225 Index: 7 State: Alive
Description: Auto generated for service chk-con-pix225
Address: 1.1.3.17 Port: Any
Type: SCRIPT ap-kal-pinglist
Script Arguments: "1.1.3.17"
Script Error: None
Script Run Time: 0 seconds
Script Using Output parsing: No
Encryption: Disabled
Frequency: 2
Max Failures: 2
Retry Frequency: 2
Dependent Services:
chk-con-pix225
Name: AUTO_chk-con-web104 Index: 8 State: Alive
Description: Auto generated for service chk-con-web104
Address: 1.1.4.5 Port: Any
Type: SCRIPT ap-kal-pinglist
Script Arguments: "1.1.4.5"
Script Error: None
Script Run Time: 0 seconds
Script Using Output parsing: No
Encryption: Disabled
Frequency: 2
Max Failures: 2
Retry Frequency: 2
Dependent Services:
chk-con-web104
Name: AUTO_chk-con-web224 Index: 9 State: Alive
Description: Auto generated for service chk-con-web224
Address: 1.1.1.18 Port: Any
Type: SCRIPT ap-kal-pinglist
Script Arguments: "1.1.1.18"
Script Error: None
Script Run Time: 0 seconds
Script Using Output parsing: No
Encryption: Disabled
Frequency: 2
Max Failures: 2
Retry Frequency: 2
Dependent Services:
chk-con-web224
Name: AUTO_chk-con-pix227 Index: 10 State: Alive
Description: Auto generated for service chk-con-pix227
Address: 1.1.4.4 Port: Any
Type: SCRIPT ap-kal-pinglist
Script Arguments: "1.1.4.4"
Script Error: None
Script Run Time: 0 seconds
Script Using Output parsing: No
Encryption: Disabled
Frequency: 2
Max Failures: 2
Retry Frequency: 2
Dependent Services:
chk-con-pix227
Name: AUTO_chk-con-app226 Index: 11 State: Alive
Description: Auto generated for service chk-con-app226
Address: 1.1.2.4 Port: Any
Type: SCRIPT ap-kal-pinglist
Script Arguments: "1.1.2.4"
Script Error: None
Script Run Time: 0 seconds
Script Using Output parsing: No
Encryption: Disabled
Frequency: 2
Max Failures: 2
Retry Frequency: 2
Dependent Services:
chk-con-app226
Name: AUTO_APP1 Index: 12 State: Down
Description: Auto generated for service APP1
Address: 1.1.2.11 Port: 8080
Type: TCP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
APP1
Name: AUTO_APP2 Index: 13 State: Down
Description: Auto generated for service APP2
Address: 1.1.2.12 Port: 8080
Type: TCP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
APP2
Name: AUTO_nexthop00005 Index: 14 State: Alive
Description: Auto generated for service nexthop00005
Address: 1.1.4.1 Port: Any
Type: ICMP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
04-07-2010 01:18 AM
The ACLs are applied on inbound traffic.
So you deny everything except traffic sent to CSS port 8080.
You need to permit traffic coming back from the server as well or configure a permit all for everything coming from the server interface.
Gilles.
04-07-2010 01:24 AM
Hi Gilles,
The ACL is applied on all VLANs; below is the config done on the CSS.
acl 1
clause 1 permit tcp any destination any eq 8080
clause 2 permit tcp any destination any eq 80
clause 3 permit tcp any destination any eq 443
clause 4 permit any any destination 224.0.0.18
clause 5 permit icmp any destination any
apply all
Or else, can we configure the following ACL on the CSS, as we want only port 80 and 8080 communication?
acl 1
clause 1 deny ip host 1.1.4.7 destination host 1.1.1.11
clause 2 deny ip host 1.1.4.7 destination host 1.1.1.12
clause 3 deny ip host 1.1.4.7 destination host 1.1.2.11
clause 4 deny ip host 1.1.4.7 destination host 1.1.2.12
clause 5 deny ip host 1.1.4.7 destination host 1.1.2.21
clause 6 deny ip host 1.1.4.7 destination host 1.1.2.22
clause 7 deny ip host 1.1.4.6 destination host 1.1.1.11
clause 8 deny ip host 1.1.4.6 destination host 1.1.1.12
clause 9 deny ip host 1.1.4.6 destination host 1.1.2.11
clause 10 deny ip host 1.1.4.6 destination host 1.1.2.12
clause 11 deny ip host 1.1.4.6 destination host 1.1.2.21
clause 12 deny ip host 1.1.4.6 destination host 1.1.2.22
clause 13 deny ip host 1.1.1.11 destination host 1.1.2.21
clause 14 deny ip host 1.1.1.11 destination host 1.1.2.22
clause 15 deny ip host 1.1.1.12 destination host 1.1.2.21
clause 16 deny ip host 1.1.1.12 destination host 1.1.2.22
clause 17 deny tcp host 1.1.1.11 destination host 1.1.2.11 range 0 - 8079
clause 18 deny tcp host 1.1.1.11 destination host 1.1.2.11 range 8081 - 65534
clause 19 deny tcp host 1.1.1.11 destination host 1.1.2.12 range 0 - 8079
clause 20 deny tcp host 1.1.1.11 destination host 1.1.2.12 range 8081 - 65534
clause 21 deny tcp host 1.1.1.12 destination host 1.1.2.11 range 0 - 8079
clause 22 deny tcp host 1.1.1.12 destination host 1.1.2.11 range 8081 - 65534
clause 23 deny tcp host 1.1.1.12 destination host 1.1.2.12 range 0 - 8079
clause 24 deny tcp host 1.1.1.12 destination host 1.1.2.12 range 8081 - 65534
clause 25 permit ip any destination any
apply all
04-07-2010 01:43 AM
clause 1 permit tcp any destination any eq 8080
clause 2 permit tcp any destination any eq 80
clause 3 permit tcp any destination any eq 443
clause 4 permit any any destination 224.0.0.18
clause 5 permit icmp any destination any
There is no clause in the ACL above to permit traffic from the server back to the CSS.
For example, for a tcp probe sent to port 8080, the response from the server will be
SRC: Server
DST: CSS
Proto: TCP
SRC_PORT: 8080
DST_PORT: unknown
Since there is no permit clause matching this traffic, it is dropped !!!!
As I said, configure a permit all for the server interface.
Or add a clause to permit the server responses.
For example :
clause 6 permit tcp any eq 8080 destination any
Gilles.
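To make the inbound-ACL point above concrete, here is a small evaluator I am adding to the thread (it is not from the thread, from Cisco, or from the CSS itself). It models only the clause syntax used in this thread, evaluates the keepalive SYN and the server's SYN/ACK against the original ACL and against the same ACL with Gilles' clause 6, and assumes a constructed CSS address and ephemeral port because the thread does not give them.

```python
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

def _endpoint(t, i):
    """Parse 'any' or 'host X', then an optional 'eq PORT', starting at token i."""
    addr, i = (t[i + 1], i + 2) if t[i] == "host" else (t[i], i + 1)
    if i < len(t) and t[i] == "eq":
        return addr, int(t[i + 1]), i + 2
    return addr, None, i

def parse_clause(line):
    """'clause N permit|deny PROTO SRC [eq P] destination DST [eq P]' -> tuple."""
    t = line.split()
    action, proto = t[2], t[3]
    src, sport, i = _endpoint(t, 4)
    assert t[i] == "destination", line
    dst, dport, _ = _endpoint(t, i + 1)
    return action, proto, src, sport, dst, dport

def evaluate(acl, pkt):
    """First-match evaluation of an inbound packet; no match means implicit deny."""
    for line in acl:
        action, proto, src, sport, dst, dport = parse_clause(line)
        if proto not in ("any", pkt.proto):
            continue
        if (src in ("any", pkt.src) and dst in ("any", pkt.dst)
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)):
            return action
    return "deny"  # implicit deny at the end of every CSS ACL

# The ACL posted in the thread, and the same ACL with Gilles' suggested clause 6.
ORIGINAL_ACL = [
    "clause 1 permit tcp any destination any eq 8080",
    "clause 2 permit tcp any destination any eq 80",
    "clause 3 permit tcp any destination any eq 443",
    "clause 4 permit any any destination 224.0.0.18",
    "clause 5 permit icmp any destination any",
]
FIXED_ACL = ORIGINAL_ACL + ["clause 6 permit tcp any eq 8080 destination any"]
# Constructed packets: the CSS interface address and ephemeral port are not in the thread.
CSS = "1.1.2.1"
PROBE = Packet("tcp", CSS, 40001, "1.1.2.11", 8080)       # keepalive SYN to APP1
REPLY = Packet("tcp", "1.1.2.11", 8080, CSS, 40001)       # SYN/ACK back into the CSS
PING_REPLY = Packet("icmp", "1.1.3.1", None, CSS, None)   # why ICMP keepalives stay Alive
```

evaluate(ORIGINAL_ACL, REPLY) returns "deny" while evaluate(FIXED_ACL, REPLY) returns "permit", which is exactly the difference between the APP services showing Down and Alive; the ICMP reply is permitted by clause 5 either way.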