I have a Catalyst 6500 with an ACE and Firewall Service Module (FWSM) installed. See Diagram.
The server sits in VLAN 10, which is configured in both the ACE and the FWSM. The server load balancing is configured in DSR mode (Direct Server Return), which means that the request from the client goes through the VIP configured in the ACE but the server's default gateway points to the FWSM. The purpose is to avoid high-volume return traffic from the server going through the ACE. The client sits in VLAN 14. I am able to ping the VIP address. By pinging the VIP I mean load balancing ICMP (not "loadbalance vip icmp-reply"). However, SSL or SSH to the VIP does not work. I suspect this may be an issue with the FWSM but am not sure. Any suggestions?
Since the FWSM is a stateful firewall, it will drop this return traffic from the Server to the Client because it never saw the initial connection. This is also referred to as asymmetric routing.
In the example of SSH to the Server, the Client will send the initial SYN to the VIP to open up the TCP connection. The Server will receive this SYN through the ACE module and reply with a SYN-ACK back to the Client. However, the Server is sending this to the FWSM, rather than back through the ACE. Since the FWSM never saw the initial SYN and built a subsequent TCP connection, the FWSM will drop this SYN-ACK and the connection cannot be established. If you observe syslogs at level 6 during a time when you are trying to establish this connection, you will see message 106015 indicating that the packets are being dropped because no existing connection exists.
The problem you are running into here is that the firewall only sees half of the traffic for the connection, thus it cannot effectively firewall the connection and so the traffic is dropped. Typically, you would want to resolve this so that the FWSM can see and firewall all traffic. A common way to do this is with the following topology:
With this topology, the FWSM and the ACE module are in-line with each other. So, packets will pass through both devices and the FWSM will see both sides of the connection.
If this is not possible for you, you can enable a feature called TCP State Bypass. When this is enabled, the FWSM will not enforce stateful checks on matching TCP sessions. In other words, the FWSM will not care that it never saw the initial SYN of the SSH session and simply allow the SYN-ACK to pass through and arrive at your client. Enabling this for SSH sessions between the Client and Server might look something like this:
!An ACL to match interesting traffic (the return path: Server port 22 -> Client)
!<server-ip> and <client-ip> are placeholders for the real addresses
access-list bypass permit tcp host <server-ip> eq 22 host <client-ip>
!A class-map to match this ACL (class-map and policy-map names are placeholders)
class-map bypass-class
 match access-list bypass
!Tie the class-map to a policy-map
policy-map bypass-policy
 class bypass-class
  set connection advanced-options tcp-state-bypass
!Enable the policy-map with a service-policy on the interface facing the Server
service-policy bypass-policy interface <server-interface>
However, keep in mind that this will disable all stateful checks for traffic matching the bypass ACL.
Here is a link to the TCP State Bypass documentation as well:
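The following is a toy model of the behaviour the answer describes, added here as an illustration and not part of the original thread or of any Cisco software. It tracks connections the way a stateful firewall does, shows the SYN-ACK being dropped when the SYN never passed through the firewall (DSR), shows the same packet being allowed once a bypass rule shaped like the `access-list bypass` line above matches it, and includes a small parser that counts 106015-style "no connection" drops per address pair, which is a practical way to confirm an asymmetric path from logs. The addresses, ports and log interface name are constructed; the 106015 message layout follows the documented format.

```python
"""Toy stateful firewall: why DSR return traffic is dropped, and what TCP state bypass changes.

Constructed example; addresses and ports are made up. The 106015 text follows the
documented "Deny TCP (no connection)" message layout.
"""
from dataclasses import dataclass, field
from typing import Optional
import re

CLIENT = "10.0.14.50"   # constructed: a host in VLAN 14
SERVER = "10.0.10.20"   # constructed: the real server in VLAN 10 (behind the VIP)
SSH = 22


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN ACK", "ACK", ...


@dataclass(frozen=True)
class BypassRule:
    """Mirrors `access-list bypass permit tcp host A eq 22 host B`; None means any port."""
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        return (p.src == self.src and p.dst == self.dst
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))


@dataclass
class StatefulFirewall:
    bypass: list = field(default_factory=list)   # rules with tcp-state-bypass applied
    conns: set = field(default_factory=set)      # connections created by an observed SYN
    log: list = field(default_factory=list)      # syslog lines the firewall emits

    @staticmethod
    def _key(p: Packet):
        # Direction-independent 4-tuple, so the reply matches the connection the SYN created.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def inspect(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        if any(r.matches(p) for r in self.bypass):
            return True  # state bypass: no SYN required, no stateful checks at all
        key = self._key(p)
        if p.flags == "SYN":
            self.conns.add(key)  # a SYN builds the connection entry
            return True
        if key in self.conns:
            return True  # reply belongs to a connection we saw being opened
        self.log.append(
            f"%FWSM-6-106015: Deny TCP (no connection) from {p.src}/{p.sport} "
            f"to {p.dst}/{p.dport} flags {p.flags} on interface inside")
        return False


def run_symmetric():
    """Firewall in-line for both directions: SYN and SYN-ACK both pass."""
    fw = StatefulFirewall()
    syn = Packet(CLIENT, 40000, SERVER, SSH, "SYN")
    synack = Packet(SERVER, SSH, CLIENT, 40000, "SYN ACK")
    return fw.inspect(syn), fw.inspect(synack)


def run_dsr(bypass: bool = False):
    """DSR: the SYN reached the server through the ACE, so the FWSM only sees the SYN-ACK."""
    rules = [BypassRule(SERVER, SSH, CLIENT, None)] if bypass else []
    fw = StatefulFirewall(bypass=rules)
    synack = Packet(SERVER, SSH, CLIENT, 40000, "SYN ACK")
    return fw.inspect(synack), list(fw.log)


NO_CONN = re.compile(r"%FWSM-6-106015: Deny TCP \(no connection\) from (\S+)/(\d+) to (\S+)/(\d+)")


def no_connection_drops(lines):
    """Count 106015 drops per (src, dst); a pair that recurs is a likely asymmetric path."""
    counts = {}
    for line in lines:
        m = NO_CONN.search(line)
        if m:
            pair = (m.group(1), m.group(3))
            counts[pair] = counts.get(pair, 0) + 1
    return counts


if __name__ == "__main__":
    print("symmetric:", run_symmetric())
    allowed, log = run_dsr()
    print("dsr without bypass:", allowed, log)
    print("dsr with bypass:", run_dsr(bypass=True)[0])
    print("drops per pair:", no_connection_drops(log))
```

The bypass rule is written from the server side (source port 22 towards the client) because that is the only half of the connection the FWSM sees in this topology; as the answer notes, anything that rule matches is forwarded without any stateful inspection, so keep it as narrow as the ACL allows.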