We're running a pair of CSSs with a couple of back-end servers behind them. We could determine if the traffic is coming into the CSS by using the sh flows command. However, this command will only show the connections from the CSS to the server, not back to the CSS, so if there's an asymmetry in the flow, this command will not pick it up. Is there a similar command(s) that would show a return connection from back-end servers to the CSS?
No, there is no such command, but you can easily confirm that there is no asymmetric traffic from the fact that connections work.
If the CSS doesn't see the full TCP handshake for a connection (which includes the client and server directions), it will close the connection and log a SYN attack.
On top of that, unless you are defining the servers as transparent, the CSS will apply NAT to the destination IP (from the VIP to the server), so, if there is asymmetric routing, the NAT is not undone for the return traffic, which will cause connections to fail.
Daniel, thanks for your reply. We had a case where the default gateway configured on the back-end servers was wrong. Obviously, the users could not pull the web content; however, when I did sh flows, they looked OK, because they only showed the connections from the CSS to the server. So, is there a command that would have shown the connections from the server to the CSS not working and, therefore, would have picked up the asymmetrical routing?