Does the ACE support traffic asymmetry?

ddmikeollington
Level 1

Hello,

Customer has an ACE installed as attached.  With the server set with a DG of the ACE and traffic directed at the servers real IP address (ping, for example), we never seem to receive a response.  I've configured the VLAN interfaces on both sides of the ACE with "permit ip any any" ACLs.

Should I expect the ACE to act like a router in this instance (and not care) or is it trying to act like a stateful device i.e. it should see the echo request first?

Thanks,

Mike

Scenario.jpg

Accepted Solution

Pablo
Cisco Employee

Mike,

In this case ICMP packets were discarded by the ACE because of security checks added by the stateful ICMP feature. These ICMP packets are discarded for any of the following reasons:

1. If you have asymmetric routing such that the ACE never sees the ICMP Echo Request, but does see the ICMP Echo Reply, the packet will be dropped.

2. If the ICMP Echo Reply is seen after the two second inactivity timer for ICMP traffic, the session will have been aged out, and therefore the packet will be dropped.

3. ICMP error messages are received that are not related to any TCP, UDP, or ICMP session already established in the ACE.

Please disable the ICMP guard feature on your interfaces and let us know if the ping still fails.

ACE4710/Admin(config)# interface vlan X
ACE4710/Admin(config-if)# no icmp-guard

Hope this helps.

__ __

Pablo

Cisco TAC
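To make the three drop conditions in the accepted answer concrete, here is a small model of stateful ICMP inspection, added as an example and not taken from the ACE or from Cisco. The addresses, the session-table layout and the `asymmetric_ping` scenario are assumptions; the two second idle timer and the three drop reasons come from the answer above.

```python
from dataclasses import dataclass, field
from typing import Optional

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST = 0, 3, 8
ICMP_IDLE_TIMEOUT = 2.0  # seconds, the inactivity timer quoted in the answer

@dataclass
class Icmp:
    src: str
    dst: str
    typ: int
    ident: int = 0                   # echo identifier (0 for error messages)
    inner: Optional[tuple] = None    # (src, dst) of the packet quoted by an error
    ts: float = 0.0                  # arrival time in seconds

@dataclass
class StatefulIcmp:
    """Toy model of the icmp-guard behaviour (constructed, not Cisco code)."""
    icmp_guard: bool = True
    sessions: dict = field(default_factory=dict)  # (src, dst, ident) -> last seen
    flows: set = field(default_factory=set)       # (src, dst) of TCP/UDP flows seen

    def forward(self, p: Icmp) -> str:
        """Return 'forward' or a 'drop: ...' reason for one ICMP packet."""
        if not self.icmp_guard:
            return "forward"        # no icmp-guard: plain routing, no state consulted
        if p.typ == ECHO_REQUEST:
            self.sessions[(p.src, p.dst, p.ident)] = p.ts
            return "forward"
        if p.typ == ECHO_REPLY:
            key = (p.dst, p.src, p.ident)   # reverse of the request
            last = self.sessions.get(key)
            if last is None:                # reason 1: request never crossed the ACE
                return "drop: no matching echo request (asymmetric path)"
            if p.ts - last > ICMP_IDLE_TIMEOUT:   # reason 2: idle timer expired
                del self.sessions[key]
                return "drop: session aged out"
            self.sessions[key] = p.ts
            return "forward"
        # reason 3: an ICMP error must quote a TCP/UDP flow or ICMP session already known
        known = p.inner in self.flows or any(k[:2] == p.inner for k in self.sessions)
        return "forward" if known else "drop: error unrelated to any session"

def asymmetric_ping(icmp_guard: bool) -> str:
    """Assumed topology: the client's echo request reaches the server by a path that
    bypasses the ACE; only the reply (server default gateway = ACE) crosses it."""
    ace = StatefulIcmp(icmp_guard=icmp_guard)
    reply = Icmp("192.0.2.20", "198.51.100.10", ECHO_REPLY, ident=7, ts=0.1)
    return ace.forward(reply)
```

With `icmp_guard=True` the reply is dropped exactly as in the thread; with `no icmp-guard` the same packet is routed.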



Hello Pablo,

Thanks, once you prompted me with the command I found the right section in the Config Guide.

Cheers,

Mike

Mike,

Did you perform the test with the command no icmp-guard?

I had the same question. With this topology, now you see ping response from server?

Regards,

Jaime.

Hello Jaime,

Yes, the only caveat was applying it in the right virtual context.  After I applied it to the correct interfaces in the right context, ping worked fine.  It was covered in this section of the configuration guide:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/overview.html#wp1004320

Cheers,

Mike
