Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
762
Views
0
Helpful
7
Replies

ACE server initiating traffic issue

lukaszkhalil
Level 1
Level 1

‎03-12-2010 12:22 AM

Hello

I'm trying to establish a session between one of my real servers behind the ace and some external network without any NAT. According to the documentation I should only configure correct ACL on both the client and server vlan and it should works. Unfortunately, although I see hits in the ACL configured on the outside direction for client vlan the traffic is not passing the ACE.

When I configure the capture I can see traffic only in the server vlan. There is no traffic in the client vlan.

Does anybody know what else should I configure ?

Thank you in advance

Regards

Lucas

Labels:
0 Helpful
7 Replies 7

dario.didio
Level 4
Level 4

‎03-12-2010 06:56 AM

Hi,

Make sure that the routers in your network know the path to the subnet behind the ACE. You can do this by configuring a static route on your upstream router connected to the ACE, and redistribute this static route in your routing protocol.

The static route on your upstream router should have the alias address (in case of HA) or the physical address of the ACE as next hop.

HTH,

Dario

0 Helpful

lukaszkhalil
Level 1
Level 1
In response to dario.didio

‎03-15-2010 12:09 AM

Hello

I did it. Finally I found that the packets were living the ACE but I could not see them in the capture. I captured them by using span port on the ACE client vlan.

Is seems that the ACE does not show the outgoing traffic in the capture. At least in the A2(1.5) version.

Regards

Lukas

0 Helpful

aljaloudi
Level 1
Level 1
In response to lukaszkhalil

‎03-15-2010 10:37 PM

are trying to initiate a traffic using the server IP or the VIP ip?

0 Helpful

lukaszkhalil
Level 1
Level 1
In response to aljaloudi

‎03-16-2010 12:20 AM

The server ip

0 Helpful

aljaloudi
Level 1
Level 1
In response to lukaszkhalil

‎03-16-2010 12:36 AM

if you are natting server ip to the ACE VIP, you may switch to DSR which allow the servers to source packets using the VIP IP.

0 Helpful

aljaloudi
Level 1
Level 1
In response to aljaloudi

‎03-16-2010 12:39 AM

but if you want the rserver to send traffic without any NAT or using the VIP IP,

make sure you apply your access list to the inbout interfaces and static route from the ACE to the next hop MSFC

0 Helpful

dario.didio
Level 4
Level 4
In response to lukaszkhalil

‎03-16-2010 01:46 AM

Hi,

the capture feature on the ACE only works in the input direction:

The packet capture function enables access-control lists (ACLs) to control which packets are captured by the ACE on the input interface.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/managesw.html#wp1035160

Is your problem resolved now or does this still not work?

If so, what do you see in the capture?

HTH,

Dario

0 Helpful
Customers Also Viewed These Support Documents