ACE issues with a supernetted /25 subnet?

Network Support
Level 1

Hey techies.

We thought we'd do something different this week... a new server subnet was needed, but for only a few IPs. As we had recently rolled out a subnet that fit the same category, the decision was made to take the existing class C subnet and bust it in half.

Our internal IP structure is in the 10.22.0.0 range, and the existing subnet was 10.22.155.0/24. I took that and created a pair of 10.22.155.0/25 subnets (10.22.155.0-127 [vlan 155] and 10.22.155.128-255 [vlan 55]; gateways are 155.1 and 155.254 respectively).

In the ACE, I created the same int vlan setup for the above addressing scheme:

interface vlan 55
  description *** UC Subnet ***
  ip address 10.22.155.254 255.255.255.128
  access-group input EVERY1
  service-policy input UC-POLICY
  no shutdown
interface vlan 155
  description *** ESB Subnet ***
  ip address 10.22.155.1 255.255.255.128
  access-group input EVERY1
  service-policy input ESB-POLICY
  no shutdown
interface vlan 234
  description *** Outside to ASA ***
  ip address 172.23.4.3 255.255.255.0
  access-group input EVERY1
  service-policy input REMOTE-ACCESS2
  no shutdown

Here then is the issue. The half dozen servers in the bottom half of the subnet (vlan 155, servers are 155.50 through 155.90) can browse the network and the internet at will. The servers in the top half of the subnet (vlan 55, servers are 155.150 through 155.200) cannot browse anything. Even basic internet browsing fails. DNS is confirmed... so though I can ping google/yahoo/etc. and get resolution, browsing fails.

In the ACE syslogs, for my server at 151.163 I get the following when trying to browse to www.durhammods.com:

Aug 12 2010 15:40:12 UAT-ESB: %ACE-6-302022: Built TCP connection 0x1f4682 for vlan55:10.22.155.163/49454 (10.22.155.163/49454) to vlan234:67.55.45.221/80 (67.55.45.221/80)

Aug 12 2010 15:40:18 UAT-ESB: %ACE-6-302023: Teardown TCP connection 0x1f4682 for vlan55:10.22.155.163/49454 (10.22.155.163/49454) to vlan234:67.55.45.221/80 (67.55.45.221/80) duration 0:00:06 bytes 48 SYN Timeout

On the ASA 5540 attached via int vlan 234, the syslog error looks like this:

Aug 12 2010 15:40:39: %ASA-6-302014: Teardown TCP connection 79295482 for Outside-Con2:67.55.45.221/80 to 10.22.155.163/49417 duration 0:00:06 bytes 0 TCP Reset-I

So from the ACE, a SYN Timeout. From the ASA, a Reset on the Inside int.

My best guess is that the request is being accepted by the ACE for the server in the top half of the subnet, but for some reason, the reply is being accepted on the ACE's outside interface on behalf of the bottom half of the subnet, resulting in a SYN handshake issue there, and a resulting Reset being sent to the Inside int on the ASA.

The question, then, is if anyone has had success CIDR'ing a subnet as I've done, and still had success having their ACE distinguish between the chunks?

Preciate any thoughts.

Mike

2 Replies

lhamnqvi
Level 1

The ACE does not have any restrictions on subnet mask.

As long as you are not overlapping, the subnet mask should not be a problem.

We do not have much information about your topology. Are the servers directly connected to the ACE?

Remember that the server needs to respond back to the ACE not directly to the client.

If the server does not use the ACE as the default route, you need to use source NAT on the server VLAN.

http://tools.cisco.com/squish/b030B

Thank you,

/lilli
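As an added example (not part of either post), here is a small Python check that works from the interface addressing and the two ACE syslog lines quoted above: it derives each VLAN interface's subnet, confirms the /25 split does not overlap (the reply's condition), reports which interface owns a given host, and pairs the Built/Teardown messages by connection id so the teardown reason and the source-to-ingress-interface consistency can be read off per connection. The log lines are constructed from the post; the regex is written against that message shape only.

```python
import ipaddress
import re
from itertools import combinations

# ACE interface addressing as posted in the thread (address/mask per VLAN interface)
ACE_INTERFACES = {
    "vlan55": "10.22.155.254/255.255.255.128",
    "vlan155": "10.22.155.1/255.255.255.128",
    "vlan234": "172.23.4.3/255.255.255.0",
}

# Matches %ACE-6-302022 (Built) and %ACE-6-302023 (Teardown) TCP connection messages
ACE_CONN_RE = re.compile(
    r"%ACE-6-30202[23]: (?P<event>Built|Teardown) TCP connection (?P<conn>0x[0-9a-f]+) "
    r"for (?P<in_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d./]+\) "
    r"to (?P<out_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d./]+\)"
    r"(?: duration (?P<duration>\S+) bytes (?P<bytes>\d+) (?P<reason>.+))?$"
)

def interface_networks(config):
    """Map each VLAN interface to the network derived from its address and mask."""
    return {name: ipaddress.ip_interface(addr).network for name, addr in config.items()}

def overlapping_interfaces(networks):
    """Pairs of interfaces whose subnets overlap; an empty list means the split is clean."""
    return [(a, b) for (a, na), (b, nb) in combinations(networks.items(), 2) if na.overlaps(nb)]

def owning_interface(ip, networks):
    """Which VLAN interface's subnet contains the host; None if no interface covers it."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in networks.items() if addr in net), None)

def correlate_ace_log(lines, networks):
    """Pair Built/Teardown by connection id; record whether the source sits on its ingress subnet."""
    conns = {}
    for line in lines:
        m = ACE_CONN_RE.search(line.strip())
        if not m:
            continue  # not a connection message
        ev = m.groupdict()
        c = conns.setdefault(ev["conn"], {})
        if ev["event"] == "Built":
            c.update(src=ev["src"], in_if=ev["in_if"], dst=ev["dst"], dport=int(ev["dport"]))
            c["src_on_ingress"] = owning_interface(ev["src"], networks) == ev["in_if"]
        else:
            c.update(reason=ev["reason"], bytes=int(ev["bytes"]), duration=ev["duration"])
    return conns

# Constructed sample: the two ACE lines quoted in the post
SAMPLE_ACE_LOG = [
    "Aug 12 2010 15:40:12 UAT-ESB: %ACE-6-302022: Built TCP connection 0x1f4682 for vlan55:10.22.155.163/49454 (10.22.155.163/49454) to vlan234:67.55.45.221/80 (67.55.45.221/80)",
    "Aug 12 2010 15:40:18 UAT-ESB: %ACE-6-302023: Teardown TCP connection 0x1f4682 for vlan55:10.22.155.163/49454 (10.22.155.163/49454) to vlan234:67.55.45.221/80 (67.55.45.221/80) duration 0:00:06 bytes 48 SYN Timeout",
]
```

Running `correlate_ace_log(SAMPLE_ACE_LOG, interface_networks(ACE_INTERFACES))` returns the connection with `reason` set to `SYN Timeout` and `src_on_ingress` True, i.e. the host is on the vlan55 /25 it arrived on; the same loop can be pointed at a full syslog export to list every SYN Timeout teardown per ingress interface.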

I didn't think the ACE would be the issue... but then I have nothing to go on.

The ACE module is in a 6504, along with a sup module and a 48-port ethernet module. The servers use default gateways that the ACE owns.

We've used source NATting in the past, but only when needed, i.e., when routing traffic out and back into the same vlan. For internet access, this has never been required. As you said, the ACE is the default gateway. For fun I went ahead and added a source NAT for the top half of the subnet... though it didn't improve anything. Still a SYN timeout on the outside of the ACE, and a Reset-I on the inside int of the ASA.

Let me know what else you can think of... and I appreciate your help.

Mike
