04-22-2015 10:01 PM - edited 08-29-2017 05:31 AM
The packet capture feature enables the user to capture live packets of the intended traffic in real time. The attributes of the packets to capture are defined by an ACL. The ACE buffers the captured packets, and you can copy the buffered contents to a file in Flash memory on the ACE or to a remote server. To avoid taxing ACE resources, use an ACL specific to the intended traffic for the capture. The result of the capture can be displayed via the CLI or exported and analyzed with a packet capture utility such as Ethereal or Wireshark.
A user trying to capture packets on the ACE to troubleshoot a connection issue does not get the expected capture, even though the connection is visible in the ACE connection table.
The ACE captures packets subject to the following guidelines:
One capture session is used per context
Capture is triggered at flow setup
Capture is configured on the client interface where the flow is received
Note: Probe traffic will not hit a security ACL, so ACLs cannot control the capture of those packets. Therefore, probe traffic cannot be captured by the packet capture utility.
If possible, you should capture packets using the ACE packet capturing utility before and after symptoms appear. Save the packet captures to a file.
The capture is triggered at flow setup. The ACL match happens only while the connection is being set up. Once the connection is established, it moves to the fast path and ACL checks are skipped, so a capture started after the connection is already established will not see that connection's packets.
The command "show conn" gives the translated IP addresses, but to see the exact backend connection associated with a front-end connection, do the following:
Run show conn and, from its output, take the connection ID as well as the NP number.
562844 1 in TCP 5 10.150.54.145:61560 10.86.212.34:23 ESTAB
560094 1 out TCP 5 10.86.212.34:23 10.150.54.145:61560 ESTAB
So in the output above, 562844 is the connection ID and 1 is the NP number. Depending on the model, the NP number can be 1, 2, 3 or 4: the ACE 30 has four NPs, the ACE 20 has two, and the ACE 4710 has one. Once you have both values, run:
switch/Admin# sh np 1 me-stats "-c 562844 -vvv"
Connection ID:seq: 562844[0x8969c].0
Other ConnID : 560094[0x88bde].0
Proxy ConnID : 0[0x0].0
Next Q : 0[0x0]
10.150.54.145:61560 -> 10.86.212.34:23 [RX-NextHop: CP] [TX-NextHop: TX]
Flags: PAT: No DynNAT: No Implicit PAT: No On_Reuse: No
L3 Protocol : IPv4 L4 Protocol : 6
Inbound Flag : 1
Interface Match : Yes
Interface MatchID: 3
EncapsID:ver : 15:0 TCP ACK delta : 0x0
MSS : 1460 TOS Stamp : 16
Repeat mode : No Punt Flag : No
TOS Stamp : No TCP Window Check: No
ACE ID : 6 NAT Policy ID : 0
Post NAT hop : 0 NAT Pool ID : 0
Packet Count : 66 Byte Count : 2810
TCP Information: (State = 3)
Window size : 16325 Window scale : 2
FIN seen : No FIN/ACK seen : No
FIN/ACK exp : No Close initiator : No
FIN/ACK expval: 0 Last seq : 1f5db83
timestamp_delta: 0 Last ack : 7aa48cd7
No Trigger : 0 Trigger Status : 0
Timestamp : 6631b441
TCP options negotiated:
Sack:Allow TS:Clear Windowscale: Allow
Reserved: Allow Exceed MSS: Allow Window var: Allow
Flags: debug: 0 TCP Normalize: Yes
Syslog: No Reproxy Request: No Policying Reqd: No
Inbound Ipsec: No Replicated: No Data Channel: No
L7: No Fin Detect: Yes FP Timeout: No
Standby: No ConnState: 2
ACA Method: 0 ReqTS: 00000000 RspTS: 00000000
RX Flags: 80481
Sticky Internal Entry-id : 0x0
10.86.212.34:23 -> 10.150.54.145:61560 [RX-NextHop: TX] [TX-NextHop: CP]
Flags: PAT: No DynNAT: No Implicit PAT: No On_Reuse: No
L3 Protocol : IPv4 L4 Protocol : 6
Inbound Flag : 0
Interface Match : Yes
Interface MatchID: 3
EncapsID:ver : 15:0 TCP ACK delta : 0x0
MSS : 1460 TOS Stamp : 0
Repeat mode : No Punt Flag : No
TOS Stamp : No TCP Window Check: No
ACE ID : 6 NAT Policy ID : 0
Post NAT hop : 4 NAT Pool ID : 0
Packet Count : 59 Byte Count : 6730
TCP Information: (State = 3)
Window size : 46 Window scale : 7
FIN seen : No FIN/ACK seen : No
FIN/ACK exp : No Close initiator : No
FIN/ACK expval: 0 Last seq : 7aa48cd7
timestamp_delta: 0 Last ack : 1f5db83
No Trigger : 0 Trigger Status : 0
Timestamp : 6631b31d
TCP options negotiated:
Sack:Allow TS:Clear Windowscale: Allow
Reserved: Allow Exceed MSS: Allow Window var: Allow
Flags: debug: 0 TCP Normalize: Yes
Syslog: No Reproxy Request: No Policying Reqd: No
Inbound Ipsec: No Replicated: No Data Channel: No
L7: No Fin Detect: Yes FP Timeout: No
Standby: No ConnState: 2
ACA Method: 0 ReqTS: 00000000 RspTS: 00000000
RX Flags: 80480
Sticky Internal Entry-id : 0x0
This shows the connection details; the Other ConnID field gives the paired connection in the opposite direction. If you have the backend connection ID instead, you can just as easily find the associated front-end connection and the other details of the connection the same way.
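The lookup described above can be scripted so that the connection ID and NP number are taken from "show conn" rather than read by eye. The following Python is an added example, not code from the article or from Cisco: it parses the two "show conn" rows quoted above, builds the per-NP me-stats command, and cross-checks the "Other ConnID" reported by me-stats against the reverse row found in "show conn". The sample text is copied from the article's own output; the column name "vlan" for the fifth "show conn" field and all helper names are this example's assumptions.

```python
"""Pair ACE front-end and back-end connections from 'show conn' and me-stats output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the two 'show conn' rows quoted in the article.
SHOW_CONN_SAMPLE = """\
562844 1 in TCP 5 10.150.54.145:61560 10.86.212.34:23 ESTAB
560094 1 out TCP 5 10.86.212.34:23 10.150.54.145:61560 ESTAB
"""

# Constructed sample: a subset of the me-stats lines quoted in the article.
ME_STATS_SAMPLE = """\
Connection ID:seq: 562844[0x8969c].0
Other ConnID : 560094[0x88bde].0
Proxy ConnID : 0[0x0].0
10.150.54.145:61560 -> 10.86.212.34:23 [RX-NextHop: CP] [TX-NextHop: TX]
Inbound Flag : 1
Packet Count : 66 Byte Count : 2810
10.86.212.34:23 -> 10.150.54.145:61560 [RX-NextHop: TX] [TX-NextHop: CP]
Inbound Flag : 0
Packet Count : 59 Byte Count : 6730
"""

# Columns in the order they appear in the article's 'show conn' rows:
# conn-id, NP, direction, protocol, (assumed) vlan, source, destination, state.
CONN_ROW = re.compile(
    r"^(?P<conn_id>\d+)\s+(?P<np>\d+)\s+(?P<dir>in|out)\s+(?P<proto>\S+)\s+"
    r"(?P<vlan>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)
ID_LINE = re.compile(r"^(Connection ID:seq|Other ConnID)\s*:\s*(\d+)\[")
FLOW_LINE = re.compile(r"^(?P<src>\S+:\d+) -> (?P<dst>\S+:\d+)")
COUNT_LINE = re.compile(r"Packet Count\s*:\s*(\d+)\s+Byte Count\s*:\s*(\d+)")


@dataclass
class ConnRow:
    conn_id: int
    np: int
    direction: str
    proto: str
    vlan: int
    src: str
    dst: str
    state: str


def parse_show_conn(text: str) -> List[ConnRow]:
    """Return one ConnRow per data row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = CONN_ROW.match(line.strip())
        if m:
            rows.append(ConnRow(int(m["conn_id"]), int(m["np"]), m["dir"], m["proto"],
                                int(m["vlan"]), m["src"], m["dst"], m["state"]))
    return rows


def me_stats_command(row: ConnRow) -> str:
    """Build the per-connection lookup on the NP that owns the flow."""
    return f'show np {row.np} me-stats "-c {row.conn_id} -vvv"'


def reverse_row(rows: List[ConnRow], row: ConnRow) -> Optional[ConnRow]:
    """Find the partner row: same NP, opposite direction, swapped endpoints."""
    for other in rows:
        if (other.np == row.np and other.direction != row.direction
                and other.src == row.dst and other.dst == row.src):
            return other
    return None


def parse_me_stats(text: str) -> Dict:
    """Extract the two connection IDs and the per-flow packet/byte counters."""
    result: Dict = {"conn_id": None, "other_conn_id": None, "flows": []}
    current = None
    for line in text.splitlines():
        m = ID_LINE.match(line)
        if m:
            key = "conn_id" if m[1].startswith("Connection") else "other_conn_id"
            result[key] = int(m[2])
            continue
        m = FLOW_LINE.match(line)
        if m:  # a new "src -> dst" header starts the next flow's counters
            current = {"src": m["src"], "dst": m["dst"], "packets": None, "bytes": None}
            result["flows"].append(current)
            continue
        m = COUNT_LINE.search(line)
        if m and current is not None:
            current["packets"], current["bytes"] = int(m[1]), int(m[2])
    return result


def cross_check(rows: List[ConnRow], stats: Dict) -> bool:
    """True when me-stats' Other ConnID matches the reverse row in 'show conn'."""
    front = next((r for r in rows if r.conn_id == stats["conn_id"]), None)
    back = reverse_row(rows, front) if front else None
    return back is not None and back.conn_id == stats["other_conn_id"]


if __name__ == "__main__":
    rows = parse_show_conn(SHOW_CONN_SAMPLE)
    print(me_stats_command(rows[0]))
    print("pairing consistent:", cross_check(rows, parse_me_stats(ME_STATS_SAMPLE)))
```

Run it against a saved "show conn" and me-stats transcript from the ACE; when cross_check returns False, the connection ID you looked up is not the one paired in the NP, which is the situation in which a capture ACL written for the other side of the proxy will not match.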
Cisco Application Control Engine (ACE) Troubleshooting Guide
Can't get desired results from ACE capture