I'm running into a problem that I suspect is caused by the ACE timing out flow state information. We have several connections that are initiated from rservers that remain mostly idle. Is it possible to disable this feature, where connections established from behind the ACE are not maintained?
There is a default timer of 60 minutes for TCP connections. So if your flow happens to be idle longer than that, it will get dropped. I had this situation with some frontend-to-backend flows.
You can create a TCP parameter map and adjust the TCP idle timeout value to something more suitable. I had to apply it globally in the context to make it work. The parameter map will then apply to all newly established flows, hence you have to drop the old flows to make sure the parameter gets applied.
Thanks for the response. I think this resolved my issue. I configured this yesterday (after a TAC call) and so far I seem to have connections upwards of 16 hours that still show in "show conn detail".
What still troubles me is that I can't change the idle timeout on a per-protocol basis. It seems to be an all-or-nothing deal. For instance, DNS lookups that my rserver performed are still showing up in the connection table. I don't see why that should be the case for DNS, since these are short-lived transactions. Is there any way I can control the idle timeout on a more granular level, i.e. TCP vs. UDP, or even on a per-port basis?
An access-list... I think this answers all of my questions. I can pick/choose any combination of IP/proto/port. What threw me off was the limited availability of options for the match statement under the class-map. I saw source-address, destination-address, and port, where port had only tcp as an option.
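The two answers above (a connection parameter map applied globally in the context, then an access-list driven class-map to get per-protocol and per-port granularity) put together as one ACE context configuration. This is an added example, not configuration posted by anyone in the thread; the rserver subnet 10.10.20.0/24, the object names, and the timeout values are assumptions for illustration and should be replaced with your own.

```cisco
! Rserver-initiated flows that should survive long idle periods (e.g. backend
! TCP sessions). Subnet and port are assumed for this example.
access-list LONG_IDLE_TCP line 10 extended permit tcp 10.10.20.0 255.255.255.0 any

! Rserver-initiated DNS lookups: short-lived UDP transactions that should not
! linger in the connection table.
access-list DNS_FROM_RSERVERS line 10 extended permit udp 10.10.20.0 255.255.255.0 any eq 53

! Layer 3/4 class-maps keyed on the access-lists rather than on the limited
! source-address / destination-address / port match options.
class-map match-any DNS_FLOWS
  2 match access-list DNS_FROM_RSERVERS
class-map match-any LONG_IDLE_FLOWS
  2 match access-list LONG_IDLE_TCP

! Connection parameter maps carrying the inactivity timeout (seconds).
! The ACE default for TCP is 3600 s, which is the 60-minute timer mentioned above.
parameter-map type connection SHORT_IDLE_PMAP
  set timeout inactivity 30
parameter-map type connection LONG_IDLE_PMAP
  set timeout inactivity 86400

! Multi-match policy: the more specific DNS class is listed first so that a
! UDP/53 flow from the rserver subnet never falls into the long-idle class.
policy-map multi-match RSERVER_TIMEOUTS
  class DNS_FLOWS
    connection advanced-options SHORT_IDLE_PMAP
  class LONG_IDLE_FLOWS
    connection advanced-options LONG_IDLE_PMAP

! Apply at the context level (not under a single interface) so the policy
! covers every VLAN interface in the context, as the first answer describes.
service-policy input RSERVER_TIMEOUTS
```

Two things to check after committing this: the new timeouts only take effect for flows created after the policy is applied, so existing long-idle entries must be flushed (clear conn in the context) or allowed to expire; and flows that match none of the classes keep the platform default, so anything you expect to behave differently must be covered by an access-list. Verify with show conn detail, which reports the idle time and the timeout in effect per flow, and with show parameter-map to confirm the configured values. Lengthening the ACE timeout does not help if a firewall or NAT device in the path drops the idle session first; in that case the rserver still needs TCP keepalives at an interval below the shortest timeout on the path.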