
New Member

ACE problem - bridge mode - behind a firewall


We are having problems with one of our ACE contexts. This implementation was done by a supplier and I am trying to troubleshoot it.

The clients and the servers are on different subnets, and there is a Nokia firewall in the middle. The firewalls are set up as a cluster.

Connecting to port 7072 is taking at least 30 seconds. If I move the server into the VLAN in front of the ACE, the connection is instant. So it does indicate a problem on the ACE.

The client IP is .99.11.

The VIP is .100.62 and the server node is .100.12.

Running the capture command, I can see the following behavior:

1. The client initiates the connection to the ACE VIP.

2. At the same time, it looks like a second connection is initiated from the client to the server node.

Please see attachment.

Is this a normal situation where the connection is duplicated?

Does this interface setup look correct?

Is the bridge mode the correct setup in this scenario?

interface vlan 10
  bridge-group 2
  no normalization
  mac-sticky enable
  access-group input PERMITALL
  service-policy input VLAN10-INTER-MMPM
  no shutdown

interface vlan 15
  bridge-group 2
  no normalization
  access-group input PERMITALL
  no shutdown

interface bvi 2
  ip address
  peer ip address
  no shutdown

ip route

Many thanks,



Re: ACE problem - bridge mode - behind a firewall


Are you capturing data on both sides of the ACE?

It looks to me that you are seeing the connection from the client to the ACE ( -> and then the connection from the ACE to the server ( -> So the capture output is normal.

I can't comment on the bridge mode setup as I've not seen this used before.


New Member

Re: ACE problem - bridge mode - behind a firewall

Thanks for replying James,

I am sure I configured the capture only for VLAN10, which is on the VIP side.

But you are right, it looks like it is showing both VLAN10 and VLAN15. So that is one of my theories out of the window! :)

This is a new installation, still at the testing stage, so it would be a good time to make changes.

Do you normally implement a routed setup behind a firewall rather than a bridged one?

It is quite a small setup:

• Traffic is coming from a separate local subnet

• Traffic is not coming from the internet, so it does not require NAT

• We need 1 VIP listening on two ports

• The backend servers are four Linux boxes

Thanks again,


Cisco Employee

Re: ACE problem - bridge mode - behind a firewall


We don't see a 30-second delay in your capture.

If you say it takes 30 seconds, we should see the delay somewhere in the trace.

The trace only lasts 4 seconds.

Bridging w/ firewall is very common.

Your setup should be ok.

Try to locate the delay in your trace.
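The two points made in the replies above, that the "duplicated" connection is really the front-end leg (client to VIP) and the back-end leg (forwarded to the real server) of one load-balanced session, and that the 30-second delay has to show up as a gap somewhere in the trace, can both be checked mechanically. The script below is an added example for this thread, not something posted by any participant or shipped with the ACE. It parses a simplified, constructed capture format (timestamp, source socket, destination socket, TCP flags), groups packets into flows, pairs each client-to-VIP flow with the client-to-rserver flow that carries the same client socket (this assumes the bridge-mode, no-NAT setup described, in which the ACE preserves the client source address and port), and then reports the largest inter-packet gap and which leg it falls on. The 10.0.x.x prefix is a placeholder because the thread only gives the last two octets of each host, and the trace lines, including the planted delay, are made up.

```python
"""Correlate the front-end and back-end legs of a load-balanced TCP
connection and locate the largest gap in a simplified capture.

Added example for the forum thread; not ACE output. The capture format
and all trace lines are constructed, and 10.0.x.x is a placeholder prefix.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

VIP = "10.0.100.62"      # virtual IP from the thread, prefix assumed
RSERVER = "10.0.100.12"  # real server from the thread, prefix assumed

# Constructed trace. The client retransmits its SYN to the VIP several
# times while the real server takes 30 s to answer the SYN the ACE
# forwarded; the back-end leg therefore holds the largest gap.
SAMPLE_TRACE = """\
0.000000  10.0.99.11:54321 > 10.0.100.62:7072 [S]
0.000210  10.0.99.11:54321 > 10.0.100.12:7072 [S]
1.000000  10.0.99.11:54321 > 10.0.100.62:7072 [S]
3.000000  10.0.99.11:54321 > 10.0.100.62:7072 [S]
7.000000  10.0.99.11:54321 > 10.0.100.62:7072 [S]
15.000000 10.0.99.11:54321 > 10.0.100.62:7072 [S]
30.000950 10.0.100.12:7072 > 10.0.99.11:54321 [S.]
30.001100 10.0.100.62:7072 > 10.0.99.11:54321 [S.]
30.001800 10.0.99.11:54321 > 10.0.100.62:7072 [.]
30.002000 10.0.99.11:54321 > 10.0.100.12:7072 [.]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]$"
)


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

    def flow_key(self):
        """Direction-independent key: the same two sockets in either order."""
        return tuple(sorted([(self.src, self.sport), (self.dst, self.dport)]))


def parse_trace(text):
    """Parse the constructed one-packet-per-line format into Packet objects."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable capture line: {line!r}")
        packets.append(Packet(float(m["ts"]), m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]), m["flags"]))
    return packets


def group_flows(packets):
    """Bucket packets by flow key, each bucket sorted by timestamp."""
    flows = defaultdict(list)
    for p in packets:
        flows[p.flow_key()].append(p)
    for pkts in flows.values():
        pkts.sort(key=lambda p: p.ts)
    return dict(flows)


def pair_legs(flows, vip, rserver):
    """Match each client->VIP flow with the client->rserver flow that has the
    same client socket (bridge mode without NAT keeps the client source)."""
    front, back = {}, {}
    for key in flows:
        for client, service in (key, key[::-1]):
            if service[0] == vip:
                front[client] = key
            elif service[0] == rserver:
                back[client] = key
    return [(front[c], back[c]) for c in front if c in back]


def largest_gap(flows):
    """Return (gap_seconds, flow_key, packet_before, packet_after) for the
    longest silence inside any single flow."""
    best = (0.0, None, None, None)
    for key, pkts in flows.items():
        for prev, cur in zip(pkts, pkts[1:]):
            if cur.ts - prev.ts > best[0]:
                best = (cur.ts - prev.ts, key, prev, cur)
    return best


if __name__ == "__main__":
    flows = group_flows(parse_trace(SAMPLE_TRACE))
    for front_key, back_key in pair_legs(flows, VIP, RSERVER):
        print("front-end leg:", front_key, "back-end leg:", back_key)
    gap, key, before, after = largest_gap(flows)
    print(f"largest gap {gap:.3f}s on {key}: {before.flags} -> {after.flags}")
```

With the constructed trace the pairing confirms there is one session, not two, and the largest gap is the 30 seconds between the SYN forwarded to the real server and its SYN/ACK, which is the kind of evidence the last reply asks for. On a real capture the same approach would point at whichever leg, and whichever packet pair, actually carries the delay.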