I am stuck with a CSS sending ICMP time-to-live exceeded when I try to browse the internet from a server behind it. Tcpdump shows that it's not the server sending the ICMP packets, and Ethereal shows that the original SYN/ACK response comes from the internet endpoint but never arrives at the server (probably dropped by the CSS). Does anyone have any idea(s) about this?
I have 2 servers, each with a direct connection to 2 CSS 11501s, which in turn each have a direct connection to 2 PIX 515Es in failover mode. The CSSs are connected through an interface. The outside interface of the PIX shares a subnet with the internet router through a small hub. Server requests to the internet are translated by the PIX to a valid internet address. The server address the PIX sees is the group address (each server is a group) translated by the CSS.
The master for VIP redundancy is configured on the CSS which has the direct connection to the active PIX, and the other CSS is the master for interface redundancy. Requests for the VIP address are handled just fine, as are requests from the servers to other internal networks. The server which is connected to the master for interface redundancy can also browse the internet. The other server, which is connected to the master for VIP, cannot. They are identically configured, as are the PIX and the other equipment throughout the path to the internet.
I have run tcpdump on the server and did not see any ICMP packet to the internet, just SYN packets. DNS works fine.
Running Ethereal on the outside subnet I can see SYN/ACK packets returning from the internet (but not delivered to the server). In the middle I can see ICMP TTL exceeded sent from the server group address to the internet address. How can I run a trace on the CSS?
Yes, I should not have one master VIP and another master interface. But in this topology the master VIP rules, because it is connected to the active firewall. All the traffic must go through it (avoiding asymmetric routing, I think). How do I force a CSS to be master VIP or interface on the fly?
How do I see if the traffic is bouncing between the devices?
Attached is the configuration of one of the CSS devices. The other is identically configured, but without the preempt.
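Added example, not part of the original post: a small Python checker for the "is the traffic bouncing between the devices?" question. An ICMP time-exceeded is only generated by a device that decremented a packet's TTL to zero, so a SYN/ACK that arrives from the internet with a normal TTL can only expire inside a two-device path if the two devices keep forwarding it to each other. On a single capture point (for example the link between the CSS and the PIX) that shows up as the same IP ID appearing again and again with a TTL one lower each time, followed by the time-exceeded from whichever device dropped it. The capture text below is constructed and uses a simplified one-line rendering of `tcpdump -v` output; the addresses, IP IDs and function names are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample (not real capture data): a simplified one-line rendering of
# "tcpdump -v" as it might look on the link between the CSS and the PIX.  Flow
# id 9120 is a SYN/ACK from the Internet host 198.51.100.20 that keeps reappearing
# on the same wire with a TTL one lower each pass (excerpt; only four passes kept),
# until the device owning 10.1.1.10 (the server's group address) answers with
# ICMP time exceeded.  Flow id 777 is a normal SYN/ACK seen once, for contrast.
SAMPLE_CAPTURE = """\
10:00:00.000101 IP (ttl 64, id 4711) 10.1.1.10.40000 > 198.51.100.20.80: Flags [S]
10:00:00.010000 IP (ttl 55, id 777) 203.0.113.5.53 > 10.1.1.11.50000: Flags [S.]
10:00:00.020300 IP (ttl 52, id 9120) 198.51.100.20.80 > 10.1.1.10.40000: Flags [S.]
10:00:00.020412 IP (ttl 51, id 9120) 198.51.100.20.80 > 10.1.1.10.40000: Flags [S.]
10:00:00.020519 IP (ttl 50, id 9120) 198.51.100.20.80 > 10.1.1.10.40000: Flags [S.]
10:00:00.020633 IP (ttl 49, id 9120) 198.51.100.20.80 > 10.1.1.10.40000: Flags [S.]
10:00:00.026010 IP (ttl 255, id 31) 10.1.1.10 > 198.51.100.20: ICMP time exceeded in-transit, length 36
"""

HEADER = re.compile(r"^(?P<ts>\S+) IP \(ttl (?P<ttl>\d+), id (?P<id>\d+)\) (?P<rest>.+)$")
TCP = re.compile(r"^(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
                 r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")
ICMP_TTL = re.compile(r"^(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): ICMP time exceeded")


def parse_line(line):
    """Parse one capture line into a dict; return None for lines this example does not model."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "ttl": int(m["ttl"]), "id": int(m["id"])}
    t = TCP.match(m["rest"])
    if t:
        rec.update(proto="tcp", src=t["src"], dst=t["dst"],
                   sport=int(t["sport"]), dport=int(t["dport"]), flags=t["flags"])
        return rec
    i = ICMP_TTL.match(m["rest"])
    if i:
        rec.update(proto="icmp-time-exceeded", src=i["src"], dst=i["dst"])
        return rec
    return None


def find_loops(lines, min_repeats=3):
    """Return {(src, dst, ip_id): [ttl, ...]} for packets seen repeatedly at one
    capture point with a strictly decreasing TTL: the signature of a packet being
    forwarded back and forth between two devices on that wire."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp":
            seen[(rec["src"], rec["dst"], rec["id"])].append(rec["ttl"])
    loops = {}
    for key, ttls in seen.items():
        decreasing = all(a > b for a, b in zip(ttls, ttls[1:]))
        if len(ttls) >= min_repeats and decreasing:
            loops[key] = ttls
    return loops


def correlate_time_exceeded(lines, loops):
    """Match each ICMP time-exceeded to a looping flow whose original sender it was
    addressed to.  The ICMP source is the device at which the TTL reached zero,
    i.e. the device that finally dropped the looping packet."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["proto"] != "icmp-time-exceeded":
            continue
        for flow in loops:
            if flow[0] == rec["dst"]:
                hits.append({"icmp_sender": rec["src"], "victim": rec["dst"], "flow": flow})
    return hits


if __name__ == "__main__":
    lines = SAMPLE_CAPTURE.splitlines()
    loops = find_loops(lines)
    for flow, ttls in loops.items():
        print(f"loop: {flow[0]} -> {flow[1]} id {flow[2]} seen {len(ttls)}x, TTL {ttls[0]}..{ttls[-1]}")
    for hit in correlate_time_exceeded(lines, loops):
        print(f"ICMP time exceeded from {hit['icmp_sender']} to {hit['victim']} matches that loop")
```

To use it on a real capture you would take a capture on one link only (a capture that spans both links would legitimately show the same packet twice) and feed it `tcpdump -v -n` lines normalised to the one-line form above; a flow that shows up three or more times with TTL stepping down by one, and a time-exceeded addressed to its original sender, is the bouncing the question asks about.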