Cisco Support Community
New Member

Cisco ACE - "show conn" command queries

Hi all,

I have some queries regarding the "show conn" command in Cisco ACE.

Working Scenario:

VIP : 10.10.10.1
Server 1 : 10.10.20.1
Server 2 : 10.10.20.2
Client: 30.30.30.1

When a client 30.30.30.1 initiates a connection to the VIP on 10.10.10.1, the ACE load balances it to Server 1, 10.10.20.1. Looking at the "show conn" table, it shows that Server 1 is replying back to the Client 30.30.30.1 through the ACE.

Now, my question is when the ACE returns the traffic to the Client, should the Client be seeing the source IP coming from the VIP or Server 1? My understanding is that the Client should be seeing traffic returning from the VIP. But the show conn table does not seem to suggest so.

show conn table

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
1768       1  in  TCP   10   30.30.30.1:9221       10.10.10.1:80         ESTAB
41         1  out TCP   52   10.10.20.1:80         30.30.30.1:9221       CLOSED

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Cisco ACE - "show conn" command queries

Daniel,

The client is expecting a response from the VIP; otherwise there would be an asymmetrical routing problem and conns will never complete.

The fact that you're seeing 30.30.30.1 as the destination address is just that the server is able to see the client's IP address on the request. When your backend server sends the reply back to the client, this response is forced to go through the ACE; when the ACE looks at the packet it matches a conn previously created in the flow table, so it "NATs" the reply, and now the source of the packet is the VIP and the destination is 30.30.30.1.

This is an expected behavior as you're not using S-NAT on your network.

HTH.

__ __

Pablo
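As an added illustration (not part of the thread and not Cisco code), the script below parses the "show conn" rows quoted in the question, pairs the client-facing "in" leg with the server-facing "out" leg by the client socket, and reports what each side sees: the real server sees the client's IP (no S-NAT), while the client only ever sees the VIP as the reply source. The sample table is constructed from the question above; the column layout is assumed to be whitespace-separated as printed there.

```python
from typing import NamedTuple

# Constructed sample input: the "show conn" output quoted in the question above.
SHOW_CONN = """\
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
1768       1  in  TCP   10   30.30.30.1:9221       10.10.10.1:80         ESTAB
41         1  out TCP   52   10.10.20.1:80         30.30.30.1:9221       CLOSED
"""

class Conn(NamedTuple):
    conn_id: str
    direction: str   # "in": client <-> VIP leg, "out": ACE <-> real-server leg
    proto: str
    vlan: str
    src: str         # ip:port as printed by the ACE
    dst: str
    state: str

def parse_show_conn(text: str) -> list:
    """Parse the whitespace-separated rows of 'show conn'; header and ruler rows are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[2] in ("in", "out"):
            rows.append(Conn(f[0], f[2], f[3], f[4], f[5], f[6], f[7]))
    return rows

def client_view(conns: list) -> list:
    """Pair each 'in' leg with the 'out' leg sharing the same client socket and
    report the addresses each side sees. Without S-NAT the server leg carries
    the real client IP, but the reply is rewritten back to VIP -> client."""
    by_client = {c.dst: c for c in conns if c.direction == "out"}
    view = []
    for c in conns:
        if c.direction != "in":
            continue
        out = by_client.get(c.src)
        view.append({
            "client": c.src,
            "vip": c.dst,
            "real_server": out.src if out else None,   # None: no server leg in the table
            "reply_src_seen_by_client": c.dst,         # always the VIP, never the real server
            "server_sees_client_ip": out is not None and out.dst == c.src,
        })
    return view

if __name__ == "__main__":
    for entry in client_view(parse_show_conn(SHOW_CONN)):
        print(entry)
```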

2 REPLIES
New Member

Re: Cisco ACE - "show conn" command queries

Thanks for clarifying my doubts, Pablo! Really informative, appreciate it.
