02-20-2012 07:35 AM - edited 03-01-2019 02:32 PM
Dear all,
I am having problems with the L4REDIRECT feature on ISG running on an ASR1004 chassis. I am also using PBHK in this scenario. When a customer opens a web session to port 80, ISG redirects the traffic to the machine running the portal (Apache server). I am running tcpdump on this machine. Tcpdump shows the incoming TCP SYN request from ISG and the outgoing SYN/ACK packet from the Apache machine. However, the third packet, which comes from ISG, is a TCP RST packet which resets the whole TCP session. After this third TCP packet the whole procedure goes once again. For some reason ISG is not able to establish a TCP session with the portal machine.
I have tried three different web servers (and machines) but always the same problem - ISG resets TCP session.
My configuration is below:
########################################################################
### TCPDUMP ###
### NO TCP session establishment. ISG sends TCP RST packet to destroy the session and then starts TCP sequence again ###
### ISG = 10.91.0.1, WebPortal = 192.168.1.217 ###
#########################################################################
15:24:12.303345 IP 10.91.0.1.1072 > 192.168.1.217.www: Flags [S], seq 1672880685, win 65535, options [mss 1460,nop,nop,sackOK], length 0
15:24:12.303386 IP 192.168.1.217 > 10.91.0.1.1072: Flags [S.], seq 740503411, ack 1672880686, win 5840, options [mss 1460,nop,nop,sackOK], length 0
15:24:12.303737 IP 10.91.0.1.1072 > 192.168.1.217.www: Flags [R], seq 1672880686, win 0, length 0
###########################
### L4redirect configuration ###
###########################
interface GigabitEthernet0/0/1.105
 encapsulation dot1Q 105
 ip address 192.168.105.254 255.255.255.0
 ip portbundle outside
 cdp enable
 service-policy type control PORTAL
 ip subscriber routed
  initiator unclassified ip-address
policy-map type control PORTAL
 class type control always event session-start
  10 service-policy type service name PBHK_SERV
  30 service-policy type service name PORTAL_SRV
policy-map type service PORTAL_SRV
 10 class type traffic PORTAL_CLASS
  redirect to group PORTAL_RED_GRP
class-map type traffic match-any PORTAL_CLASS
 match access-group input name PORTAL_ACL
redirect server-group PORTAL_RED_GRP
 server ip 192.168.1.217 port 80
ip access-list extended PORTAL_ACL
 permit tcp any any eq www
ip portbundle
 match access-list 198
 source Loopback10
access-list 198 permit ip any host 192.168.1.217
interface Loopback10
 ip address 10.91.0.1 255.255.255.255
##################################
### Information about ASR1K router ###
###################################
cisco ASR1004 (RP2) processor with 4273011K/6147K bytes of memory.
5 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
8388608K bytes of physical memory.
1925119K bytes of eUSB flash at bootflash:.
78085207K bytes of SATA hard disk at harddisk:.
Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Please help.
Regards.
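An added example, not part of the original thread: a small Python parser for tcpdump text output that flags handshakes in which the SYN sender answers the SYN/ACK with a RST, the pattern in the capture above. The function and field names are hypothetical, and the sample input is the three capture lines from the post.

```python
import re

# Sample input: the three lines from the capture posted above.
CAPTURE = """\
15:24:12.303345 IP 10.91.0.1.1072 > 192.168.1.217.www: Flags [S], seq 1672880685, win 65535, options [mss 1460,nop,nop,sackOK], length 0
15:24:12.303386 IP 192.168.1.217 > 10.91.0.1.1072: Flags [S.], seq 740503411, ack 1672880686, win 5840, options [mss 1460,nop,nop,sackOK], length 0
15:24:12.303737 IP 10.91.0.1.1072 > 192.168.1.217.www: Flags [R], seq 1672880686, win 0, length 0
"""

LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\], "
    r"seq (?P<seq>\d+)(?:, ack (?P<ack>\d+))?")

def host(endpoint):
    """Return the IPv4 address of an 'a.b.c.d' or 'a.b.c.d.port' endpoint."""
    return ".".join(endpoint.split(".")[:4])

def find_reset_handshakes(text):
    """Return handshakes where the SYN sender answers the SYN/ACK with a RST."""
    pending = {}   # (client ip.port, server ip) -> state of the open handshake
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # pure ACKs and data segments are not needed here
        flags, seq = m["flags"], int(m["seq"])
        if flags == "S":
            pending[(m["src"], host(m["dst"]))] = {"isn": seq, "synack": False}
        elif flags == "S.":
            hs = pending.get((m["dst"], host(m["src"])))
            if hs and m["ack"] and int(m["ack"]) == (hs["isn"] + 1) % 2**32:
                hs["synack"] = True
        elif flags.startswith("R"):
            hs = pending.pop((m["src"], host(m["dst"])), None)
            if hs and hs["synack"]:
                # RFC 793: a RST sent in reply to a segment carrying an ACK
                # takes its sequence number from that ACK, i.e. ISN+1 here.
                findings.append({
                    "client": m["src"], "server": host(m["dst"]),
                    "rst_time": m["ts"],
                    "rst_seq_is_isn_plus_1": seq == (hs["isn"] + 1) % 2**32,
                })
    return findings

if __name__ == "__main__":
    for finding in find_reset_handshakes(CAPTURE):
        print(finding)
```

Running the same function on a capture taken at the other end of the path shows whether both ends see the same three segments.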
02-20-2012 09:05 AM
Hi Dario,
Any chance to sniff the traffic between ISG and portal (instead of capturing directly on the portal)?
Is there any device in the middle, between the two?
EDIT: can you actually get a trace between PC and ISG, and one between ISG and Portal?
02-21-2012 02:09 PM
Hi Marco,
thank you for your reply. You gave me an idea. I connected Subscriber_PC and Portal directly to ISG (different ports) and L4redirect was finally working!!
Previously, between ISG and portal there were a few switches (3750, 2960, 3550). It seems that some configuration on one of them is causing my problem.
02-22-2012 12:30 AM
Hi Dario, glad to hear that it helped
Marco
* Remember to rate useful posts *
07-16-2019 05:16 AM
Hi Dario,
I am using ASR 1002-x and made the same configuration as you mentioned above. Even L4 redirection is not happening. Can you help with this?
Thanks in advance.