ISG L4 redirect to portal - problem

Feb 20th, 2012

Dear all,

I am having problems with the L4REDIRECT feature on ISG running on an ASR1004 chassis. I am also using PBHK in this scenario. When a customer opens a web session to port 80, ISG is redirecting the traffic to the machine running the portal (Apache server). I am running tcpdump on this machine. TCP dump shows an incoming TCP SYN request from ISG and an outgoing SYN/ACK packet from the Apache machine. However, the third packet, which is coming from ISG, is a TCP RST packet which resets the whole TCP session. After this third TCP packet the whole procedure goes once again. For some reason ISG is not able to establish a TCP session with the portal machine.

I have tried three different web servers (and machines) but always the same problem - ISG resets TCP session.

My configuration is below:

########################################################################
### TCPDUMP ###
### NO TCP session establishment. ISG sends TCP RST packet to destroy the session and then starts TCP sequence again ###
### ISG = 10.91.0.1,   WebPortal = 192.168.1.217 ###
#########################################################################
15:24:12.303345 IP 10.91.0.1.1072 > 192.168.1.217.www: Flags [S], seq 1672880685, win 65535, options [mss 1460,nop,nop,sackOK], length 0
15:24:12.303386 IP 192.168.1.217 > 10.91.0.1.1072: Flags [S.], seq 740503411, ack 1672880686, win 5840, options [mss 1460,nop,nop,sackOK], length 0
15:24:12.303737 IP 10.91.0.1.1072 > 192.168.1.217.www: Flags [R], seq 1672880686, win 0, length 0


###########################
### L4redirect configuration ###
###########################
interface GigabitEthernet0/0/1.105
 encapsulation dot1Q 105
 ip address 192.168.105.254 255.255.255.0
 ip portbundle outside
 cdp enable
 service-policy type control PORTAL
 ip subscriber routed
  initiator unclassified ip-address

policy-map type control PORTAL
 class type control always event session-start
  10 service-policy type service name PBHK_SERV
  30 service-policy type service name PORTAL_SRV

policy-map type service PORTAL_SRV
 10 class type traffic PORTAL_CLASS
  redirect to group PORTAL_RED_GRP

class-map type traffic match-any PORTAL_CLASS
 match access-group input name PORTAL_ACL

redirect server-group PORTAL_RED_GRP
 server ip 192.168.1.217 port 80

ip access-list extended PORTAL_ACL
 permit tcp any any eq www

ip portbundle
 match access-list 198
 source Loopback10

access-list 198 permit ip any host 192.168.1.217

interface Loopback10
 ip address 10.91.0.1 255.255.255.255

##################################
### Information about ASR1K router ###
###################################
cisco ASR1004 (RP2) processor with 4273011K/6147K bytes of memory.
5 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
8388608K bytes of physical memory.
1925119K bytes of eUSB flash at bootflash:.
78085207K bytes of SATA hard disk at harddisk:.

Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport

Please help.

Regards.
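
Added example (not part of the original post or thread): a small Python classifier for tcpdump text output that pairs each SYN with its SYN/ACK by sequence number and reports whether the initiator then completed or reset the handshake. The function name, outcome labels and the second sample flow are assumptions made for illustration; the first sample flow is the capture from the post.

```python
import re

# tcpdump one-line TCP summary; the port is optional (the SYN/ACK line in the post has none).
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})(?:\.\w+)? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.\w+)?: Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?")

def classify_handshakes(lines):
    """Return one dict per SYN seen, with the outcome of that handshake."""
    flows = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        seq, ack = (int(m[k]) if m[k] else None for k in ("seq", "ack"))
        if flags == "S" and seq is not None:
            flows.append({"initiator": src, "responder": dst, "isn": seq, "outcome": "syn_only"})
            continue
        for f in flows:
            nxt = f["isn"] + 1  # SYN consumes one sequence number
            fwd = (f["initiator"], f["responder"]) == (src, dst)
            rev = (f["initiator"], f["responder"]) == (dst, src)
            if flags == "S." and rev and f["outcome"] == "syn_only" and ack == nxt:
                f["outcome"] = "synack_unanswered"
                break
            if fwd and f["outcome"] == "synack_unanswered":
                if "R" in flags and seq == nxt:
                    f["outcome"] = "reset_by_initiator"
                    break
                if flags == ".":  # tcpdump prints a relative ack here: match on addresses only
                    f["outcome"] = "established"
                    break
    return flows
# The three packets from the post, then a constructed flow that completes normally.
POST_CAPTURE = [
    "15:24:12.303345 IP 10.91.0.1.1072 > 192.168.1.217.www: Flags [S], seq 1672880685, win 65535, options [mss 1460,nop,nop,sackOK], length 0",
    "15:24:12.303386 IP 192.168.1.217 > 10.91.0.1.1072: Flags [S.], seq 740503411, ack 1672880686, win 5840, options [mss 1460,nop,nop,sackOK], length 0",
    "15:24:12.303737 IP 10.91.0.1.1072 > 192.168.1.217.www: Flags [R], seq 1672880686, win 0, length 0",
]
CONSTRUCTED_OK = [
    "15:30:00.000100 IP 198.51.100.10.40000 > 203.0.113.5.www: Flags [S], seq 1000, win 65535, options [mss 1460], length 0",
    "15:30:00.000200 IP 203.0.113.5.www > 198.51.100.10.40000: Flags [S.], seq 5000, ack 1001, win 5840, options [mss 1460], length 0",
    "15:30:00.000300 IP 198.51.100.10.40000 > 203.0.113.5.www: Flags [.], ack 1, win 65535, length 0",
]
if __name__ == "__main__":
    print(*classify_handshakes(POST_CAPTURE + CONSTRUCTED_OK), sep="\n")
```

Running the same classification on captures taken at both ends of the path shows whether the two vantage points see the same handshake outcome.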

mavespig Mon, 02/20/2012 - 09:05

Hi Dario,

Any chance to sniff the traffic between ISG and portal (instead of capturing directly on the portal)?

Is there any device in the middle, between the two?

EDIT: can you actually get a trace between PC and ISG, and one between ISG and Portal?

dario.bosnjak Tue, 02/21/2012 - 14:09

Hi Marco,

thank you for your reply. You gave me an idea. I connected Subscriber_PC and Portal directly to ISG (different ports) and L4redirect was finally working!!

Previously, between ISG and portal there were a few switches (3750, 2960, 3550). It seems that some configuration on one of them is causing my problem.

mavespig Wed, 02/22/2012 - 00:30

Hi Dario, glad to hear that it helped.

Marco

* Remember to rate useful posts *

Posted February 20, 2012 at 7:35 AM