Ace does not replace real server IP with VIP on https replies (sometimes)

Hi people,

I have ACE as SSL termination device and load balancer. It listens on VIP 192.168.1.20 port 443 and load balances (using cookies for stickyness) to two www servers 172.16.1.1 and 172.16.1.2 port 8795. The ACE is behind our firewall which does the NAT of the external IP to the VIP (192.168.1.20).

We have seen that sometimes the firewall drops packets because the first packet isn't a SYN, and the source of the packet is the real server IP while the destination IP is the real IP of the client.

So on the firewall I see the message "172.16.1.1 port 7791 to 89.23.45.67 dropped because first packet isn't syn". That means that ACE didn't replace the real server IP with the VIP (we see the incoming connection is made OK). This doesn't always happen, but it does happen.

Any ideas why this is happening?

Any help is appreciated

George

Accepted Solution
Cisco Employee

Re: Ace does not replace real server IP with VIP on https replies

The only possible explanation is that the connection was deleted from ACE and you have normalization turned off.

So when the server sends a packet to the client after the connection was removed, ACE does not know it should be NATed to the VIP.

Normally, with normalization on, the packet should be dropped. But if you have it turned off, the packet is forwarded.

Re-enable normalization to block this traffic before it gets to the firewall.

Then start sniffing your traffic to see why the connection got removed from ACE.

Could it be a timeout, or a RESET from the client or firewall?

Gilles.
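To make the mechanism in Gilles' answer concrete, here is an added toy model (not ACE code, not from the thread) of a load balancer flow table: server-to-client packets are reverse-NATed only while a flow entry exists, and what happens to a reply after the entry is gone depends on whether normalization is on. The addresses are the ones from the thread; the client port and the firewall's state check are constructed assumptions.

```python
from typing import Optional
from dataclasses import dataclass

VIP = ("192.168.1.20", 443)        # VIP from the thread
REAL = ("172.16.1.1", 8795)        # one of the two real servers
CLIENT = ("89.23.45.67", 51234)    # client IP from the thread; port is constructed


@dataclass(frozen=True)
class Packet:
    src: tuple
    dst: tuple
    syn: bool = False


class LoadBalancer:
    """Minimal flow table: (client, real) -> vip, used for reverse NAT."""

    def __init__(self, normalization: bool):
        self.normalization = normalization
        self.flows = {}

    def client_packet(self, pkt: Packet) -> Optional[Packet]:
        if pkt.syn:
            self.flows[(pkt.src, REAL)] = pkt.dst   # new flow (stickiness elided)
        elif (pkt.src, REAL) not in self.flows and self.normalization:
            return None                              # non-SYN, no flow: drop
        return Packet(pkt.src, REAL, pkt.syn)        # destination NAT: VIP -> real

    def server_packet(self, pkt: Packet) -> Optional[Packet]:
        vip = self.flows.get((pkt.dst, pkt.src))
        if vip is not None:
            return Packet(vip, pkt.dst, pkt.syn)     # reverse NAT: real -> VIP
        if self.normalization:
            return None                              # no flow entry: dropped
        return pkt                                   # normalization off: leaks un-NATed

    def expire(self, client, real=REAL):
        """Models a timeout or RST removing the entry from the table."""
        self.flows.pop((client, real), None)


def firewall_allows(pkt: Packet, established: set) -> bool:
    """Stateful firewall: a non-SYN packet needs a matching (client, VIP) state."""
    return pkt.syn or (pkt.dst, pkt.src) in established


def scenario(normalization: bool, expire: bool = True) -> str:
    lb = LoadBalancer(normalization)
    fw_state = {(CLIENT, VIP)}                       # state from the client's SYN
    lb.client_packet(Packet(CLIENT, VIP, syn=True))
    if expire:
        lb.expire(CLIENT)                            # connection vanishes from the LB
    reply = lb.server_packet(Packet(REAL, CLIENT))
    if reply is None:
        return "dropped by load balancer"
    if not firewall_allows(reply, fw_state):
        return f"firewall drop: {reply.src[0]} to {reply.dst[0]}, first packet isn't SYN"
    return "forwarded"
```

With normalization off and the flow expired, the firewall sees exactly the symptom from the question: a non-SYN packet sourced from the real server address rather than the VIP.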

2 REPLIES

Community Member

Re: Ace does not replace real server IP with VIP on https replies

Gilles, you are right. I had "no normalization".

By enabling back normalization the problem stopped.
