Customer has an ACE installed as attached. With the server set with a DG of the ACE and traffic directed at the server's real IP address (ping, for example), we never seem to receive a response. I've configured the VLAN interfaces on both sides of the ACE with "permit ip any any" ACLs.
Should I expect the ACE to act like a router in this instance (and not care) or is it trying to act like a stateful device i.e. it should see the echo request first?
In this case ICMP packets were discarded by the ACE because of security checks added by the stateful ICMP feature. These ICMP packets are discarded for any of the following reasons:
1. If you have asymmetric routing such that the ACE never sees the ICMP Echo Request, but does see the ICMP Echo Reply, the packet will be
2. If the ICMP Echo Reply is seen after the two second inactivity timer for ICMP traffic, the session will have been aged out, and therefore the packet will be dropped.
3. ICMP error messages are received that are not related to any TCP, UDP, or ICMP session already established in the ACE.
Please disable the ICMP guard feature on your interfaces and let us know if the ping still fails.
ACE4710/Admin(config)# interface vlan X
ACE4710/Admin(config-if)# no icmp-guard
Hope this helps.
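
The three drop conditions listed in the answer, as an added example that is not part of the original thread and is not Cisco's code: a simplified Python model of a stateful ICMP check run over constructed packets. The class, field names and session keys are assumptions for illustration; only the two-second inactivity timer comes from the thread.

```python
from dataclasses import dataclass
ICMP_TIMEOUT = 2.0  # seconds: the ICMP inactivity timer cited in the answer

@dataclass(frozen=True)
class Packet:
    t: float            # arrival time at the device, in seconds
    kind: str           # "echo-request", "echo-reply" or "error"
    src: str
    dst: str
    ident: int = 0      # ICMP echo identifier
    quoted: tuple = ()  # for "error": (proto, src, dst) of the flow it refers to

class IcmpGuardModel:
    """Toy state table for the three drop reasons (an assumption, not ACE code)."""
    def __init__(self, flows=()):
        self.echo = {}           # (client, server, ident) -> last activity time
        self.flows = set(flows)  # established TCP/UDP flows as (proto, src, dst)

    def _alive(self, key, now):  # session exists and has not aged out
        last = self.echo.get(key)
        if last is not None and now - last > ICMP_TIMEOUT:
            del self.echo[key]   # inactivity timer expired
            return False
        return last is not None

    def process(self, p):
        if p.kind == "echo-request":
            self.echo[(p.src, p.dst, p.ident)] = p.t
            return "forward"
        if p.kind == "echo-reply":
            key = (p.dst, p.src, p.ident)  # a reply reverses src and dst
            known = key in self.echo
            if self._alive(key, p.t):
                self.echo[key] = p.t
                return "forward"
            return "drop: aged out" if known else "drop: no request seen"
        proto, s, d = p.quoted             # ICMP error: must match a tracked session
        if proto == "icmp":
            ok = any(self._alive(k, p.t) for k in list(self.echo) if k[:2] == (s, d))
        else:
            ok = (proto, s, d) in self.flows
        return "forward" if ok else "drop: unrelated error"

def run(packets, flows=()):
    model = IcmpGuardModel(flows)
    return [model.process(p) for p in packets]

C, S = "192.0.2.10", "198.51.100.5"  # constructed sample (documentation addresses)
SAMPLE = [Packet(0.0, "echo-request", C, S, 1), Packet(0.1, "echo-reply", S, C, 1),
          Packet(1.0, "echo-reply", S, C, 7), Packet(5.0, "echo-reply", S, C, 1),
          Packet(5.1, "error", "203.0.113.1", C, quoted=("udp", C, "198.51.100.9"))]
```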