Cisco Support Community
New Member

ACE 4710 deny SYN-ACK routing without SYN before?

Hi there,

I have one behaviour on the ACE that I cannot understand...

We have one interface on the ACE which is connected to a firewall via a switch.

In the same VLAN there is a server farm.

The network is, e.g., 172.16.10.0/24.

The servers' gateway is the ACE (172.16.10.1).

The ACE's gateway is the firewall (172.16.10.2).

When a server in another network, 172.20.10.0/24, connects to 172.16.10.0/24, the SYN is sent from the firewall directly to the server in 172.16.10.0/24, because the firewall has an interface directly connected there.

The SYN-ACK is sent through the ACE (because the server gateway is the ACE).

=> The ACE is NOT routing this packet back to 172.20.10.0/24 via the firewall. The routing table is OK.

In a capture on the ACE the packet is NOT displayed...

But when the server in 172.16.10.0/24 initiates the session, the SYN is routed through the ACE and I can see the packet in the capture...

Can anyone tell me whether the ACE prevents routing without having seen the SYN (anti-spoofing etc.)?

Note: I mean real ROUTING here, not load balancing...

Kind regards, K. Liepold

4 REPLIES

Hi Liepold,

In some way the ACE works as a stateful proxy. If there is a SYN-ACK from the server, the SYN had to be generated by the ACE itself as an action for the SYN received on the VIP (the ACE is a proxy between the client and the server(s)).

You can solve this by setting the server gateway to the firewall and doing SNAT for the clients. This way the connections that come directly to the server will go back via the firewall, and the connections to the VIP on the ACE will be SNATed, so the return flow goes to the ACE on its way to the client.

Dan

New Member

Hi Dan-Ciprian,

Thank you for the fast answer.

But I'm not sure that you understand what I mean.

In this case I need the ACE as a simple router, not as a load balancer.

Or do you mean that the ACE interprets the SYN-ACK from the "backend" server as a load-balancing act?

Because the L7 policy is bound on this interface.

So if I remove this policy from the interface, the ACE has no reason to act as a load balancer and routes the SYN-ACK even though the initiating SYN never passed through the ACE?

Karlheinz Liepold

Cisco Employee

Hi Karlheinz,

The ACE will internally open a connection even for traffic that is just routed through it. This includes applying some of the normalization features, which can cause asymmetric connections to fail.

You could try disabling normalization on all the interfaces to see if it solves the issue.

Regards

Daniel
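The two fixes proposed in this thread, written out as an added ACE configuration example (not from the original posts or from Cisco). It assumes the ACE's single interface is VLAN 10 in 172.16.10.0/24, and uses a placeholder VIP (172.16.10.100), NAT address (172.16.10.250) and policy names; the two options are alternatives, not to be applied together.

```cisco
! Added example, not from the thread. Assumed: VLAN 10, VIP 172.16.10.100,
! NAT address 172.16.10.250, policy names LB-POLICY and L7-POLICY.

! Option A (Daniel's fix): stop the ACE from tracking and normalizing TCP on
! this interface, so a SYN-ACK whose SYN took the firewall-direct path is
! simply routed. Caveat: every flow routed through this interface loses the
! ACE's TCP sanity checks, not only the asymmetric ones.
interface vlan 10
  ip address 172.16.10.1 255.255.255.0
  no normalization
  service-policy input LB-POLICY
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.10.2

! Option B (Dan's fix): keep normalization on, point the servers' default
! gateway at the firewall (172.16.10.2) instead of the ACE, and source-NAT
! client traffic that hits the VIP so the servers answer to the ACE.
! Routed, non-VIP traffic then never crosses the ACE asymmetrically.
interface vlan 10
  ip address 172.16.10.1 255.255.255.0
  nat-pool 1 172.16.10.250 172.16.10.250 netmask 255.255.255.255 pat
  service-policy input LB-POLICY
  no shutdown

class-map match-all VIP-HTTP
  2 match virtual-address 172.16.10.100 tcp eq www

policy-map multi-match LB-POLICY
  class VIP-HTTP
    loadbalance vip inservice
    loadbalance policy L7-POLICY
    nat dynamic 1 vlan 10
```

With option B the servers see 172.16.10.250 as the client address for VIP traffic, so the real client IP must be recovered from the ACE (for example via header insertion) if the application needs it.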

New Member

Wow, THIS is it!

It works!

Oh, the ACE and its thousands of default security features... :-)

Thank you.
