We have an ACE load balancing a group of Ironport WSAs. The WSAs are working with the IP Spoofing feature, so the request to the WWW has the source IP address of the WSA client and not of the WSA itself.
We followed the document below, but it is not working. When the packet coming from the Internet has the WSA client address as its destination address, the ACE cannot deliver the packet even with mac-sticky configured.
I read in another forum that the ACE needs to have the destination IP address in its ARP table or route table to be able to handle the packet by the encapid.
But we don't have this entry in the ARP table.
When we configure the WSA with IP spoofing and the source IP address is the WSA itself, the configuration works fine.
Could you elaborate a little bit more on your question or requirement here?
From my understanding you are using an Ironport as a proxy server which will receive all the requests from all the Internet users and will represent the users when it talks to the ACE, correct? And it seems you need to have stickiness configured, correct? What kind of stickiness are you using? Have you tried with stickiness based on cookies?
access-list EVERYONE line 5 extended permit icmp any any
access-list EVERYONE line 10 extended permit ip any any
access-list EVERYONE-v6 line 8 extended permit icmpv6 anyv6 anyv6
access-list EVERYONE-v6 line 16 extended permit ip anyv6 anyv6
access-list TESTE line 8 extended permit tcp host 10.6.16.19 any eq www
access-list TESTE line 16 extended permit tcp any eq www host 10.6.16.19
access-list TRACE line 8 extended permit ip host 10.6.16.118 any
access-list TRACE line 16 extended permit ip any host 10.6.16.118

probe tcp WSA_TCP_3128
  port 3128
  interval 5
  faildetect 60

rserver host WSA-01
  ip address 10.10.193.36
  inservice
rserver host WSA-02
  ip address 10.10.193.37
  inservice
rserver host WSA-03
  ip address 10.10.193.38
  inservice
rserver host WSA-04
  ip address 10.10.193.39
  inservice
rserver host WSA-05
  ip address 10.10.193.40
  inservice
rserver host WSA-06
  ip address 10.10.193.41
  inservice
rserver host WSA-07
  ip address 10.10.193.42
  inservice
rserver host WSA-08
  ip address 10.10.193.43
  inservice
rserver host WSA-09
  ip address 10.10.193.44
  inservice
rserver host WSA-10
  ip address 10.10.193.45
  inservice

class-map type management match-any REMOTE_ACCESS
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any
  5 match protocol snmp any
  6 match protocol http any
class-map match-all WSA_REAL_IP
  2 match source-address 10.10.193.32 255.255.255.224
class-map match-all WSA_VIP_TCP_3128
  2 match virtual-address 10.10.193.25 tcp eq 3128

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

policy-map type loadbalance http first-match WSA_L7_POLICY
  class class-default
    serverfarm WSA_FARM

policy-map multi-match VIPs
  class WSA_VIP_TCP_3128
    loadbalance vip inservice
    loadbalance policy WSA_L7_POLICY
    loadbalance vip icmp-reply active
    loadbalance vip advertise active

interface vlan 303
  description Gerencia
  ipv6 enable
  ip address 2801:94:0:4::18/66
  peer ip address 2801:94:0:4::19/66
  ip address 10.10.192.18 255.255.255.0
  peer ip address 10.10.192.19 255.255.255.0
  access-group input EVERYONE
  access-group input EVERYONE-v6
  service-policy input REMOTE_MGMT_ALLOW_POLICY
interface vlan 304
  description to_6509
  ipv6 enable
  ip address 2801:94:0:3::21/64
  alias 2801:94:0:3::20/64
  peer ip address 2801:94:0:3::22/64
  ip address 10.10.193.21 255.255.255.240
  alias 10.10.193.20 255.255.255.240
  peer ip address 10.10.193.22 255.255.255.240
  access-group input EVERYONE
  access-group input EVERYONE-v6
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input VIPs
  no shutdown
interface vlan 306
  description To_WSAs
  ipv6 enable
  ip address 2801:94:0:7::46/64
  alias 2801:94:0:7::33/64
  peer ip address 2801:94:0:7::47/64
  ip address 10.10.193.46 255.255.255.224
  alias 10.10.193.33 255.255.255.224
  peer ip address 10.10.193.47 255.255.255.224
  mac-sticky enable
  access-group input EVERYONE
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.193.17
ip route ::/0 2801:94:0:3::17

username anmanager password 5 $1$DIacUZzq$IaFMnaN4m0/9bVXbKjEVM0 role Admin domain default-domain
username admin password 5 $1$MlYw5GVF$LJfSPfjNMnB/PR0QdOvZ61 role Admin domain default-domain

snmp-server community ProdamSec group Network-Monitor
snmp-server host 10.10.192.55 traps version 2c ProdamSec
The behavior is this: when we have IP Spoofing configured in the WSAs, the connection is not established. The ACE establishes the connection with the client, but the connection with the Internet is not established. I captured the packets that arrive at the ACE coming from the Internet, and I see SYN packets with the source address as a public IP (Google) and the destination address as the internal client IP address, with no ACK, just RST.
With no IP Spoofing, meaning that the IP source address is the WSA, the connection is established with no RST.
The output of the commands follows:
show service-policy WSA-VIPS class-map WSA_VIP_TCP_3128 detail
real : WSA-02 10.10.193.37 3128 PROBE 15088 72 15016 SUCCESS
Socket state        : CLOSED
No. Passed states   : 2
No. Failed states   : 1
No. Probes skipped  : 0
Last status code    : 0
No. Out of Sockets  : 0
No. Internal error  : 0
Last disconnect err : -
Last probe time     : Mon Sep 3 21:06:47 2012
Last fail time      : Mon Sep 3 20:45:05 2012
Last active time    : Mon Sep 3 20:45:57 2012
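The question's core observation is that a reply from the Internet carries the spoofed client address as its destination, which matches neither an rserver nor a connected subnet on the balancer. The following Python simulation is an added illustration for this thread, not ACE code and not a model of ACE internals: it contrasts a destination-only forwarding decision (ARP table plus rserver list, the behaviour the original poster describes) with a connection-tracking table keyed on the outbound 5-tuple, which is the kind of state needed to map the reply back to the WSA that originated it. The rserver address (WSA-02, 10.10.193.37), the connected subnets and the client address 10.6.16.19 (from ACL TESTE) come from the posted config; the Internet address, MAC addresses and port numbers are constructed sample values. The RST the poster captured is not modelled; the point is only why a destination lookup alone cannot resolve the spoofed flow.

```python
"""Why a reply to a source-spoofed proxy flow cannot be forwarded by
destination lookup alone (simplified model, not the ACE implementation)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ingress_mac: str  # MAC that delivered the frame to the balancer


# Real servers behind the VIP, taken from the posted rserver block (two shown).
RSERVERS = {"WSA-01": "10.10.193.36", "WSA-02": "10.10.193.37"}

# Subnets the balancer is directly connected to, from the posted interfaces
# (vlan 303, 304 and 306).  Anything here could be resolved via ARP.
CONNECTED = [
    ip_network("10.10.192.0/24"),
    ip_network("10.10.193.16/28"),
    ip_network("10.10.193.32/27"),
]


def destination_only_lookup(pkt: Packet) -> str:
    """Forwarding decision based purely on the destination address.

    A reply whose destination is an rserver resolves to that rserver; a
    destination in a connected subnet would be ARPed for; anything else
    falls to the default route.  A spoofed client address is in none of
    these, so the reply never reaches a WSA.
    """
    for name, ip in RSERVERS.items():
        if ip == pkt.dst_ip:
            return name
    dst = ip_address(pkt.dst_ip)
    if any(dst in net for net in CONNECTED):
        return "arp:" + pkt.dst_ip
    return "default-route"


class FlowTable:
    """Connection tracking keyed on the outbound 5-tuple.

    Each entry remembers which real server (and which ingress MAC)
    originated the flow, so the reversed tuple of a reply resolves to that
    server.  This only helps if the reply actually traverses the balancer
    and the outbound flow was recorded first.
    """

    def __init__(self) -> None:
        self._flows: dict = {}

    def record_outbound(self, pkt: Packet, origin: str) -> None:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        self._flows[key] = (origin, pkt.ingress_mac)

    def lookup_return(self, pkt: Packet) -> Optional[Tuple[str, str]]:
        # A reply swaps source and destination; look up the reversed tuple.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return self._flows.get(key)


def scenario(spoofing: bool, reply_port: int = 40000) -> dict:
    """Send one proxied request via WSA-02 and report where the reply lands.

    With spoofing the WSA uses the client's address as source; without it
    the WSA uses its own.  reply_port lets a caller model a reply for a
    flow that was never recorded (e.g. a stale or unrelated packet).
    """
    client = "10.6.16.19"                 # from ACL TESTE in the posted config
    wsa_ip = RSERVERS["WSA-02"]
    wsa_mac = "00:00:5e:00:53:02"         # constructed sample MAC
    upstream_mac = "00:00:5e:00:53:f0"    # constructed sample MAC of the 6509 side
    internet_host = "203.0.113.80"        # constructed, stands in for a Google address

    src = client if spoofing else wsa_ip
    outbound = Packet(src, 40000, internet_host, 80, wsa_mac)
    reply = Packet(internet_host, 80, src, reply_port, upstream_mac)

    table = FlowTable()
    table.record_outbound(outbound, "WSA-02")
    return {
        "dst_only": destination_only_lookup(reply),
        "conntrack": table.lookup_return(reply),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("spoofing" if mode else "no spoofing", scenario(mode))
```

Running the block shows that without spoofing both lookups agree on WSA-02, while with spoofing the destination-only lookup falls to the default route and only the 5-tuple table still finds the originating WSA; a reply for a flow that was never recorded returns no entry from the table at all.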