I have ACE as SSL termination device and load balancer. It listens on VIP 192.168.1.20 port 443 and load balances (using cookies for stickiness) to two www servers 172.16.1.1 and 172.16.1.2 port 8795. The ACE is behind our firewall which does the NAT of the external IP to the VIP (192.168.1.20).
We have seen that sometimes the firewall drops packets because first packet isn't syn and the source of the packet is the real server IP and the destination IP is the real IP of the client.
So on the firewall I see the message 172.16.1.1 port 7791 to 126.96.36.199 dropped because first packet isn't syn. That means that ACE didn't replace the real server IP with the VIP (we see the incoming connection is made ok). This doesn't always happen, but it does happen.
Any ideas why this is happening?
Any help is appreciated.
The only possible explanation is that the connection was deleted from ACE and you have normalization turned off.
So when the server sends a packet to the client after the connection was removed, ACE does not know it should be NATed to the VIP.
Normally, with normalization on, the packet should be dropped. But if you have it turned off, the packet is forwarded.
Re-enable normalization to block this traffic before it gets to the firewall.
Then start sniffing your traffic to see why the connection got removed from ACE.
Could be a timeout? Or a RESET from the client or firewall.
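To follow the second suggestion in the answer (finding out how often, and from which real server, un-NATed packets are reaching the firewall), here is an added example that is not part of this thread: a small log triage script that parses firewall drop messages of the shape quoted in the question and separates packets whose source is a real server IP (the ACE failed to rewrite it to the VIP) from ordinary stale-flow drops. The VIP and real-server addresses are taken from the question; the log lines and the timestamp/prefix format are constructed for the example, so adapt the regex to your firewall's actual syslog format.

```python
import re
from collections import Counter

# Addressing as described in the question (VIP and the two real servers).
VIP = "192.168.1.20"
REAL_SERVERS = {"172.16.1.1", "172.16.1.2"}

# Matches the drop message quoted in the question; the optional destination
# port covers firewalls that log both ends.
DROP_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+) port (?P<sport>\d+) to (?P<dst>\d+\.\d+\.\d+\.\d+)"
    r"(?: port (?P<dport>\d+))? dropped because first packet isn't syn"
)

# Constructed sample log: timestamps and the "fw:" prefix are made up; the
# first line is the message from the question, the client IPs are samples.
SAMPLE_LOG = """\
2024-01-01 10:00:01 fw: 172.16.1.1 port 7791 to 126.96.36.199 dropped because first packet isn't syn
2024-01-01 10:00:03 fw: 172.16.1.2 port 7791 to 198.51.100.7 dropped because first packet isn't syn
2024-01-01 10:00:05 fw: 192.168.1.20 port 443 to 198.51.100.8 dropped because first packet isn't syn
2024-01-01 10:00:07 fw: 10.0.0.5 port 51000 to 192.168.1.20 dropped because first packet isn't syn
2024-01-01 10:00:09 fw: 172.16.1.1 port 7791 to 126.96.36.199 dropped because first packet isn't syn
"""


def parse_drops(log_text):
    """Return one dict per 'first packet isn't syn' drop found in the log."""
    events = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def classify(event):
    """Label a drop by what it says about the ACE/NAT path.

    A real-server address should never be visible as a source on the
    firewall side: ACE is supposed to rewrite it to the VIP. Seeing it means
    the ACE forwarded a packet for a flow it no longer tracks (normalization
    off). A VIP-sourced drop is a stale flow that was at least NATed.
    """
    if event["src"] in REAL_SERVERS:
        return "unnatted_server_to_client"
    if event["src"] == VIP:
        return "vip_stale_flow"
    return "other"


def summarize(log_text):
    """Count drops per classification."""
    return dict(Counter(classify(ev) for ev in parse_drops(log_text)))


def leaked_real_servers(log_text):
    """Count un-NATed drops per real server, to see which backend leaks."""
    counts = Counter()
    for ev in parse_drops(log_text):
        if classify(ev) == "unnatted_server_to_client":
            counts[ev["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(leaked_real_servers(SAMPLE_LOG))
```

Any non-zero `unnatted_server_to_client` count after re-enabling normalization on the ACE would mean the packets are still leaving the ACE untracked and is worth a packet capture on the server-side VLAN; a per-server skew in `leaked_real_servers` points at one backend's connection handling (for example, idle timeouts shorter on the ACE than on the server) rather than a client-side reset.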