We thought we'd do something different this week... a new server subnet was needed, but for only a few IPs. As we had recently rolled out a subnet that fit the same category, the decision was made to take the existing class C subnet and bust it in half.
Our internal IP structure is in the 10.22.0.0 range, and the existing subnet was 10.22.155.0/24. I took that and created a pair of 10.22.155.0/25 subnets (10.22.155.0 - 127 [vlan 155]; and 10.22.155.128 - 255 [vlan 55]. Gateways are 155.1 and 155.254 respectively).
In the ACE, I created the same int vlan setup for the above addressing scheme:
  description *** ESB Subnet ***
  ip address 10.22.155.1 255.255.255.128
  access-group input EVERY1
  service-policy input ESB-POLICY
  no shutdown
interface vlan 234
  description *** Outside to ASA ***
  ip address 172.23.4.3 255.255.255.0
  access-group input EVERY1
  service-policy input REMOTE-ACCESS2
  no shutdown
Here then is the issue. The half dozen servers in the bottom half of the subnet (vlan 155, servers are 155.50 through 155.90) can browse the network and the internet at will. The servers in the top half of the subnet (vlan 55, servers are 155.150 through 155.200) cannot browse anything. Even basic internet browsing fails. DNS is confirmed working... so though I can ping google/yahoo/etc. and get resolution, browsing fails.
In the ACE syslogs, for my server at 155.163 I get the following when trying to browse to www.durhammods.com:
Aug 12 2010 15:40:12 UAT-ESB: %ACE-6-302022: Built TCP connection 0x1f4682 for vlan55:10.22.155.163/49454 (10.22.155.163/49454) to vlan234:184.108.40.206/80 (220.127.116.11/80)
Aug 12 2010 15:40:18 UAT-ESB: %ACE-6-302023: Teardown TCP connection 0x1f4682 for vlan55:10.22.155.163/49454 (10.22.155.163/49454) to vlan234:18.104.22.168/80 (22.214.171.124/80) duration 0:00:06 bytes 48 SYN Timeout
On the ASA 5540 attached via int vlan 234, the syslog error looks like this:
Aug 12 2010 15:40:39: %ASA-6-302014: Teardown TCP connection 79295482 for Outside-Con2:126.96.36.199/80 to 10.22.155.163/49417 duration 0:00:06 bytes 0 TCP Reset-I
So from the ACE, a SYN Timeout. From the ASA, a Reset on the Inside int.
My best guess is that the request is being accepted by the ACE for the server in the top half of the subnet, but for some reason, the reply is being accepted on the ACE's outside interface on behalf of the bottom half of the subnet, resulting in a SYN handshake issue there, and a resulting Reset being sent to the Inside int on the ASA.
The question, then, is if anyone has had success CIDR'ing a subnet as I've done, and still had success having their ACE distinguish between the chunks?
I didn't think the ACE would be the issue... but then I have nothing to go on.
The ACE module is in a 6504, along with a sup module and a 48-port ethernet module. The servers use default gateways that the ACE owns.
We've used source NATting in the past, but only when needed... i.e., when routing traffic out and back into the same vlan. For internet access, this has never been required. As you said, the ACE is the default gateway. For fun I went ahead and added a source NAT for the top half of the subnet... though it didn't improve anything. Still a SYN timeout on the outside of the ACE, and a Reset-I on the inside int of the ASA.
Let me know what else you can think of... and I appreciate your help.
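An added worked example, not part of the original post, that checks the two things a reader would want to verify about a /24 split like this: that the two /25 halves and their gateways are what the post describes, and that the route table on the far side of the ACE (here the ASA's inside side) still covers both halves after the split. The route tables ROUTES_SUMMARY and ROUTES_STALE are constructed for illustration; the post does not show the ASA's routes, and the 172.23.4.1 next hop is an assumption. The script uses only the Python standard library.

```python
import ipaddress
from typing import Optional

# Addressing from the post: one /24 split into two /25 halves.
PARENT = ipaddress.ip_network("10.22.155.0/24")
VLAN_HALVES = {
    "vlan155": ipaddress.ip_network("10.22.155.0/25"),
    "vlan55": ipaddress.ip_network("10.22.155.128/25"),
}
GATEWAYS = {
    "vlan155": ipaddress.ip_address("10.22.155.1"),
    "vlan55": ipaddress.ip_address("10.22.155.254"),
}


def split_in_half(net: ipaddress.IPv4Network) -> list:
    """Return the two equal halves of `net` (a /24 becomes two /25s)."""
    return list(net.subnets(prefixlen_diff=1))


def vlan_for(host: str) -> Optional[str]:
    """Name of the half (VLAN) a host address falls in, or None if outside both."""
    ip = ipaddress.ip_address(host)
    for name, net in VLAN_HALVES.items():
        if ip in net:
            return name
    return None


def gateway_is_usable(name: str) -> bool:
    """A gateway must be a host address inside its own half, not the network or broadcast address."""
    gw, net = GATEWAYS[name], VLAN_HALVES[name]
    return gw in net and gw not in (net.network_address, net.broadcast_address)


def longest_prefix_match(routes, dst: str):
    """Pick the most specific route covering `dst`; returns (prefix, next_hop) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


# Constructed route tables for the ASA's inside side (hypothetical, not from the post).
# The ACE's vlan234 address is from the post; the default next hop is an assumption.
ACE_OUTSIDE = "172.23.4.3"
ROUTES_SUMMARY = [("10.22.155.0/24", ACE_OUTSIDE), ("0.0.0.0/0", "172.23.4.1")]
# A stale, more specific route that only covers the bottom half of the old /24.
ROUTES_STALE = [("10.22.155.0/25", ACE_OUTSIDE), ("0.0.0.0/0", "172.23.4.1")]


def return_path_via_ace(routes, host: str) -> bool:
    """True if the reply toward `host` is forwarded back to the ACE rather than elsewhere."""
    match = longest_prefix_match(routes, host)
    return match is not None and match[1] == ACE_OUTSIDE


if __name__ == "__main__":
    print("halves:", [str(n) for n in split_in_half(PARENT)])
    for name in VLAN_HALVES:
        print(name, "gateway usable:", gateway_is_usable(name))
    for host in ("10.22.155.50", "10.22.155.163"):
        print(host, vlan_for(host),
              "summary route ok:", return_path_via_ace(ROUTES_SUMMARY, host),
              "stale route ok:", return_path_via_ace(ROUTES_STALE, host))
```

With the summary /24 route both halves return through the ACE; with the stale /25 route the bottom-half host still works while a top-half host such as 10.22.155.163 falls through to the default route, which is the shape of the one-half-works symptom in the post. Whether that is what the ASA is actually doing here is not something the post shows; the script is only the check to run against the real route table.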