08-05-2011 12:24 PM
I have been trying to figure this out and I've made several attempts at a configuration that will work, but I just don't get it. Here's what I have configured. I'm trying to ping from a server outside of the ACE to a server on vlan 308. When I send my ICMP, it should ingress through vlan 302 and hit the server on vlan 308. Instead I get nothing, and I see no traffic hits on my policy or in the show icmp statistics. I am able to ping the IP addresses on vlan 302 but nothing on the inside.
access-list icmp line 10 extended permit icmp any any
class-map match-all icmp-allow-inspect
2 match access-list icmp
policy-map multi-match icmp-allow-inspect-mmpl
class icmp-allow-inspect
inspect icmp error
interface vlan 302 --------- public facing VIPs- ingress
ip address 71.113.93.37 255.255.255.224
alias 71.113.93.36 255.255.255.224
peer ip address 71.113.93.38 255.255.255.224
service-policy input mgmt
service-policy input icmp-allow-inspect-mmpl
no shutdown
interface vlan 308 ---------- server - L2
ip address 10.60.22.130 255.255.255.192
alias 10.60.22.129 255.255.255.192
peer ip address 10.60.22.131 255.255.255.192
service-policy input icmp-allow-inspect-mmpl
no shutdown
08-05-2011 12:31 PM
If this ICMP traffic is just being routed by the ACE, could you try applying an access-list to each interface that allows ICMP traffic?
Sample:
access-list anyone extended permit ip any any
interface vlan 308
access-group input anyone
interface vlan 302
access-group input anyone
Regards
Jim
08-05-2011 12:34 PM
I tried that already; that was my original configuration.
08-05-2011 12:45 PM
I have a few additional questions.
Do you have a layer 3 interface other than the ACE on vlan 302?
If you do not have any other layer 3 interface do you have a route pointing to the ACE on vlan 308 as the next hop to get to the server?
What gateway does the server you are trying to ping on vlan 302 use?
Jim
08-05-2011 12:50 PM
question 1 - not from the outside. All other vlans are layer 2
question 2 - I do have a route on my upstream router to vlan 308 via the alias address on vlan 302.
question 3 - the gateway on all the servers on vlan 302 is the alias address.
I also tried to ping the ip address on int vlan 308 and I can't ping that either.
08-07-2011 04:52 AM
If you have the proper routing to get traffic to the client side of the ACE, and the servers use the server vlan as the default gateway, all you should need is the following to allow a ping to route through the ACE.
An ACL allowing traffic into the interfaces, and a default route so the ACE knows how to forward the reply traffic back to the client.
If you have the ACL applied and a default gateway can you get a sniff to confirm that the pings are arriving at the ACE alias?
Thank you
Jim
08-07-2011 09:10 PM
I ran a capture and I see the traffic hit the ingress interface of the ACE, but it never gets passed to the backend server vlan. The ICMP is received and the connection is closed, but then I get 4 more packets marked PKT_XMT and then the packet is dropped. The capture was done on the ingress vlan. If I do a capture on the server side vlan I get nothing at all in the capture.
0001: msg_type: PKT_RCV
ace_id: 6809 action_flag: 0x13
src_addr: 74.113.193.34 src_port: 53575
dst_addr: 10.62.222.136 dst_port: 2048
l3_protocol: 0 l4_protocol: 1
0002: msg_type: CON_CLOSE
con_id: 1345505684 out_con_id: 271763861
src_addr: 74.113.193.34 src_port: 53575
dst_addr: 10.62.222.136 dst_port: 2048
l3_protocol: 0 l4_protocol: 1
0003: msg_type: PKT_XMT
con_id: 1345505684 other_con_id: 0
0011: msg_type: PKT_XMT
con_id: 1345505684 other_con_id: 0
0019: msg_type: PKT_XMT
con_id: 1345505684 other_con_id: 0
0029: msg_type: PKT_XMT
con_id: 1345505684 other_con_id: 0
0037: msg_type: PKT_DROP
con_id: 1345505684 reason: 0
src_addr: 74.113.193.34 src_port: 53575
dst_addr: 10.62.222.136 dst_port: 2048
l3_protocol: 0 l4_protocol: 1
This is my access list, and it's applied globally with the access-group input ALL command. I also have my default gateway pointing back to my upstream router, and there are no other routes on the ACE. I can ping the ingress interface from my upstream router and I can ping my gateway from the ACE. I can ping my backend server from the ACE, but not from anything outside the ACE. I cannot ping anything behind my ACE module.
access-list ALL line 12 extended permit icmp any any
access-list ALL line 18 extended permit ip any any
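To read a trace like the one quoted in the post mechanically, here is an added Python example (not from the thread, Cisco, or the ACE software) that parses the "NNNN: msg_type: TYPE" record format and reports whether the received flow was ever forwarded. The sample input is copied from the capture above; treating a PKT_XMT with other_con_id 0 as "no paired server-side connection" is this example's assumption, not something the ACE documentation on this page states.

```python
import re
from typing import Dict, List

# Trace records copied from the capture quoted in the thread.
SAMPLE_TRACE = """\
0001: msg_type: PKT_RCV
ace_id: 6809 action_flag: 0x13
src_addr: 74.113.193.34 src_port: 53575
dst_addr: 10.62.222.136 dst_port: 2048
l3_protocol: 0 l4_protocol: 1
0002: msg_type: CON_CLOSE
con_id: 1345505684 out_con_id: 271763861
src_addr: 74.113.193.34 src_port: 53575
dst_addr: 10.62.222.136 dst_port: 2048
l3_protocol: 0 l4_protocol: 1
0003: msg_type: PKT_XMT
con_id: 1345505684 other_con_id: 0
0011: msg_type: PKT_XMT
con_id: 1345505684 other_con_id: 0
0037: msg_type: PKT_DROP
con_id: 1345505684 reason: 0
src_addr: 74.113.193.34 src_port: 53575
dst_addr: 10.62.222.136 dst_port: 2048
l3_protocol: 0 l4_protocol: 1
"""

HEADER = re.compile(r"^(\d{4}): msg_type: (\w+)$")   # start of a record
KV = re.compile(r"(\w+): (\S+)")                     # "key: value" pairs on one line


def parse_trace(text: str) -> List[Dict[str, str]]:
    """One dict per record; every field is kept as the string the ACE printed."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append({"seq": m.group(1), "msg_type": m.group(2)})
        elif records:
            records[-1].update(KV.findall(line))
    return records


def forwarding_verdict(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Did the flow leave the ACE? Assumption: a PKT_XMT whose other_con_id is 0
    has no paired connection, so it is not a forward toward the server VLAN."""
    types = [r["msg_type"] for r in records]
    return {
        "received": "PKT_RCV" in types,
        "forwarded": any(r["msg_type"] == "PKT_XMT" and r.get("other_con_id", "0") != "0"
                         for r in records),
        "dropped": "PKT_DROP" in types,
        "xmt_count": types.count("PKT_XMT"),
        "drop_reasons": [r.get("reason") for r in records if r["msg_type"] == "PKT_DROP"],
    }
```

A flow that is received and dropped with forwarded False is the symptom described in the post: the packet arrived on the ingress VLAN but never went out toward the server side.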
08-08-2011 06:18 AM
Sharon,
I see you opened a TAC case on this issue. I am looking at the capture icmp.pcap. Can you confirm who owns the mac address 00.0b.fc.fe.1b.14 and 00.24.e8.5f.9a.20 and what were you spanning when you took the capture? If it is the ACE that owns the mac 00.0b.fc.fe.1b.14 then it looks like the packets are being passed through and I would suggest setting up a capture directly on the server interface to verify if it is receiving them.
Thank you
Jim