Ace does not replace real server IP with VIP on https replies (sometimes)
I have ACE as SSL termination device and load balancer. It listens on VIP 192.168.1.20 port 443 and load balances (using cookies for stickiness) to two www servers 172.16.1.1 and 172.16.1.2 port 8795. The ACE is behind our firewall, which does the NAT of the external IP to the VIP (192.168.1.20).
We have seen that sometimes the firewall drops packets because the first packet isn't a SYN, and the source of the packet is the real server IP and the destination IP is the real IP of the client.
So on the firewall I see the message 172.16.1.1 port 7791 to 126.96.36.199 dropped because first packet isn't syn. That means that ACE didn't replace the real server IP with the VIP (we see the incoming connection is made OK). This doesn't always happen, but it does happen.
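One way to triage this from the firewall side, as an added example that is not from the original post or from Cisco: a script that parses drop messages of the shape quoted above and flags the ones whose source is a real-server address rather than the VIP, i.e. replies that left the ACE with the backend IP unrewritten. The log lines and the client addresses are constructed placeholders; the VIP and real-server addresses are the ones from the post.

```python
import re
from collections import Counter

# Topology from the post: the ACE VIP and the two real servers behind it.
VIP = "192.168.1.20"
REAL_SERVERS = {"172.16.1.1", "172.16.1.2"}

# Constructed sample firewall messages in the shape the post quotes.
# Client addresses are hypothetical placeholders, not real hosts.
SAMPLE_LOG = """\
172.16.1.1 port 7791 to 126.96.36.199 dropped because first packet isn't syn
192.168.1.20 port 443 to 126.96.36.199 permitted
172.16.1.2 port 8795 to 198.51.100.7 dropped because first packet isn't syn
10.0.0.9 port 22 to 198.51.100.7 dropped because first packet isn't syn
"""

LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}) port (?P<sport>\d+) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) (?P<action>.+)$"
)


def parse_line(line):
    """Return a dict with src/sport/dst/action, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_leaked_replies(log_text):
    """Return parsed drop events whose source is a real server instead of the VIP.

    Such an event means the reply bypassed the VIP rewrite on the ACE, so the
    firewall sees a mid-stream packet for a flow it never saw a SYN for.
    """
    leaked = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if "dropped" in ev["action"] and ev["src"] in REAL_SERVERS:
            leaked.append(ev)
    return leaked


def leak_counts(log_text):
    """Count leaked replies per real server to see whether only one backend is affected."""
    return Counter(ev["src"] for ev in find_leaked_replies(log_text))


if __name__ == "__main__":
    for ev in find_leaked_replies(SAMPLE_LOG):
        print(f"backend {ev['src']}:{ev['sport']} -> client {ev['dst']} bypassed VIP {VIP}")
    print(dict(leak_counts(SAMPLE_LOG)))
```

Feeding the real firewall log through `find_leaked_replies` separates this symptom from ordinary non-SYN drops (the 10.0.0.9 line above is ignored because it is not a backend), and the per-server count shows whether the problem follows one real server.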