ACE Packet Capture Only Capturing Front-End Packets

Michael Mertens
Level 1

I have an ACE pair in HA mode running A5.2(2) in one-armed configuration, therefore doing source NAT. I'm researching a problem with a web serverfarm (L7 "/.*" rule) where one particular URL doesn't work, but it works when going to the back-end server directly. Anyway, my question has to do with this: when I attempt to run the packet capture on the ACE of this event, I'm only capturing the front-end transaction and never see anything on the back end. I've done this several times. I don't even see packets sourced from 10.11.39.2 (NATed address) go towards the real server, and I know they must, since pointing my browser to the VIP 10.11.39.2 on all other URLs works. Any ideas?

THANKS.


capture cap1 interface vlan 1201 access-list cap
capture cap1 start


----------------------------------------------------------

access-list access_in line 8 extended permit tcp any any

access-list cap line 8 extended permit ip host 10.11.39.2 any
access-list cap line 16 extended permit ip any host 10.11.39.2

class-map match-all REPORT_VIP
  2 match virtual-address 10.11.39.2 tcp eq www

class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit


policy-map multi-match LOAD_BAL
  class REPORT_VIP
    loadbalance vip inservice
    loadbalance policy REPORT_PM
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 1201
    appl-parameter http advanced-options PARSE_LENGTH_PARMS


interface vlan 1201
  ip address 10.11.39.254 255.255.252.0
  ip options clear
  alias 10.11.39.246 255.255.252.0
  peer ip address 10.11.39.245 255.255.252.0
  syn-cookie 100
  access-group input access_in
  nat-pool 2 10.11.39.2 10.11.39.2 netmask 255.255.255.255 pat
  service-policy input LOAD_BAL
  service-policy input NORMALIZATION
  service-policy input remote_mgmt_allow_policy
  no shutdown

2 Replies 2

Cesar Roque
Level 4

Hi Michael,

This example may be helpful for you:

        Client 192.168.1.1

        VIP 10.0.0.1 (No source NAT)

        Rserver 20.0.0.1

    You can set up the specific ACL as such:

       access-list ACL-capture line 1 extended permit ip host 192.168.1.1 host 10.0.0.1

       access-list ACL-capture line 2 extended permit ip host 10.0.0.1 host 192.168.1.1

       access-list ACL-capture line 3 extended permit ip host 192.168.1.1 host 20.0.0.1

       access-list ACL-capture line 4 extended permit ip host 20.0.0.1 host 192.168.1.1

---------------------
Cesar R
ANS Team


Cesar,

Thanks for the response. I should have included in the original post that I tried including the real server (there's only one currently active) in the access-list as

access-list cap line 8 extended permit ip host 10.11.39.2 host 10.11.36.68

access-list cap line 16 extended permit ip host 10.11.36.68 host 10.11.39.2

Then, I even tried just the real server:

access-list cap line 8 extended permit ip any host 10.11.36.68

access-list cap line 8 extended permit ip host 10.11.36.68 any

But I still don't capture anything on the back end, even though I know that communication is happening. It almost seems buggy to me (or I'm missing something very obvious).

Thanks!

Mike.
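Added example, not part of the thread: a small checker that parses the ACE-style capture ACL lines quoted above (Cesar's four-line ACL and Mike's two-line one) and reports which ACL line, if any, would match each leg of a one-armed, source-NATed HTTP request. It lets you confirm the ACL covers the back-end leg (SNAT address to real server and back) before suspecting the capture itself. The client address 192.168.1.1 is constructed; the VIP/SNAT and real-server addresses are the ones from the thread.

```python
import ipaddress
import re

# Grammar of the ACE capture ACL lines quoted in this thread:
#   access-list NAME line N extended permit|deny ip (host A|any) (host B|any)
ACL_RE = re.compile(
    r"access-list\s+\S+\s+line\s+(\d+)\s+extended\s+(permit|deny)\s+ip\s+"
    r"(host\s+\S+|any)\s+(host\s+\S+|any)\s*$"
)

def _endpoint(token):
    # "any" matches every address (None); "host X" matches exactly X
    return None if token == "any" else ipaddress.ip_address(token.split()[1])

def parse_acl(text):
    """Parse ACL lines into (line_number, action, src, dst), ordered by line number."""
    entries = []
    for raw in text.strip().splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported ACL syntax: {raw!r}")
        num, action, src, dst = m.groups()
        entries.append((int(num), action, _endpoint(src), _endpoint(dst)))
    return sorted(entries)

def first_match(entries, src, dst):
    """Return (line_number, action) of the first entry matching src->dst, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, action, s, d in entries:
        if (s is None or s == src) and (d is None or d == dst):
            return num, action
    return None

def capture_coverage(acl_text, flows):
    """Map each (name, src, dst) leg to the ACL line that would capture it."""
    entries = parse_acl(acl_text)
    return {name: first_match(entries, s, d) for name, s, d in flows}

# Constructed input: the original poster's capture ACL plus the four legs of one
# request through a one-armed ACE with source NAT (client address is made up).
POSTER_ACL = """
access-list cap line 8 extended permit ip host 10.11.39.2 any
access-list cap line 16 extended permit ip any host 10.11.39.2
"""
LEGS = [("client->vip", "192.168.1.1", "10.11.39.2"),
        ("vip->client", "10.11.39.2", "192.168.1.1"),
        ("snat->rserver", "10.11.39.2", "10.11.36.68"),
        ("rserver->snat", "10.11.36.68", "10.11.39.2")]

if __name__ == "__main__":
    for leg, hit in capture_coverage(POSTER_ACL, LEGS).items():
        print(f"{leg:14s} -> {'line %d %s' % hit if hit else 'NOT captured'}")
```

When every leg reports a matching line, the ACL is not what hides the back-end traffic and attention can move to the capture interface or direction.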
