ACE dropped conns problem (Bridged mode)

Similar Messages

• ACE problem - bridge mode - behind a firewall

  Hello
  We are having problems with one of you ACE context, this implementation was done by a supplier and I am trying to troubleshoot it.
  The clients and the servers are on different subnets, there is a Nokia firewall in the middle. The firewalls are setup on a cluster.
  Connecting to port 7072 is taking at least 30 seconds. If I move the server into the VLAN in front of the ACE, the connection is instant. So it does indicate a problem on the ACE.
  The client IP is .99.11.
  The VIP is .100.62 and the server node is .100.12.
  Running the capture command I can see the following behavior:
  1. The client initiates the connection to the ACE Vip
  2. At the same time it looks like a second connection is initiated from the client to the server node
  Please see attachment.
  Is this a normal situation where the connection is duplicated?
  Does this interface setup look correct?
  Is the bridge mode the correct setup in this scenario?
  interface vlan 10
  bridge-group 2
  no normalization
  mac-sticky enable
  access-group input PERMITALL
  service-policy input VLAN10-INTER-MMPM
  no shutdown
  interface vlan 15
  bridge-group 2
  no normalization
  access-group input PERMITALL
  no shutdown
  interface bvi 2
  ip address 192.168.100.7 255.255.255.192
  alias 192.168.100.6 255.255.255.192
  peer ip address 192.168.100.8 255.255.255.192
  no shutdown
  ip route 0.0.0.0 0.0.0.0 192.168.100.1
  Many thanks,
  Damian

  Thanks for replying James,
  I am sure I configured the capture only for VLAN10 which is in the VIP side.
  But you are right, it looks like is showing both VLAN10 and VLAN15. So that is one of my theories out of the window! :)
  This is a new installation, still on the testing stage. So it would be good time to make changes.
  Do you normally implement a routed setup behind a firewall? Rather than a bridged….
  It is quite a small setup:
  • Traffic is coming from a separate local subnet
  • Traffic is not coming from the internet so it does not required a NAT
  • We need 1 VIP listening on two ports
  • The backend servers are four Linux boxes
  Thanks again,
  Damian

• ACE dropped conns with New Vip

  I have been load balancing our mail servers for quite sometime without an issue however I have been using a dynamic Nat statement. This however causes our mail team to have problems with logging. I then created a whole new vlan and ace context for the mail servers to use. This is where my dilemma is.
  I now have dropped connections going to my vip but only from one server which is our Anti-span / Antivirus server which filters the mail from the internet and then passes it on to these other mail servers.
  I can send mail just fine if I don't use the VIP I created.
  Also if I use a Nat statement the mail sends fine but obviously I don't want to use that anymore.
  The only thing I see that the ACE is not doing is closing the connections. So if every five minutes I do a clear conn all, I won't get any dropped connections for at least 10 to 15 minutes but I am not going to be doing this. Right now I have a server with a script that logs into the ace and then clears the connection but this is a band aid problem.
  Here is my config. This is the only thing on this context. All 6 of my other contexts do not have this issue.
  access-list ALL line 10 extended permit ip any any
  access-list ALL line 18 extended permit icmp any any
  probe smtp SMTP_Probe
  interval 15
  passdetect interval 30
  expect status 210 250
  parameter-map type connection TCP_Mail_TO
  slowstart
  set timeout inactivity 2
  set tcp timeout half-closed 15
  set tcp ack-delay 300
  tcp-options timestamp allow
  rserver host hub2
  ip address *.*.*.*.*.*
  inservice
  serverfarm host Mail_Hub_Servers_SF
  probe SMTP_Probe
  rserver hub2 25
  inservice
  class-map match-all Mail_Hub_VIP
  2 match virtual-address *.*.*.*.*.* tcp eq smtp
  class-map type management match-any Remote_Management
  2 match protocol http any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  policy-map type management first-match rmt_mgt_policy
  class Remote_Management
  permit
  policy-map type loadbalance first-match Mail_Hub_VIP-l7slb
  class class-default
  serverfarm Mail_Hub_Servers_SF
  policy-map multi-match int7
  class Mail_Hub_VIP
  loadbalance vip inservice
  loadbalance policy Mail_Hub_VIP-l7slb
  loadbalance vip icmp-reply active
  loadbalance vip advertise active
  connection advanced-options TCP_Mail_TO
  access-group input ALL
  interface vlan 108
  ip address *.*.*.*.
  alias *.*.*.*
  peer ip address *.*.*.*.
  no normalization
  no icmp-guard
  service-policy input rmt_mgt_policy
  service-policy input int7
  no shutdown
  ip route 0.0.0.0 0.0.0.0 *.*.*.*

  I would like to avoid trying routed mode for this just right now because we haven't had a good experience in routed mode here. I can try creating a new context in routed mode because I cannot experiment with production mail. Also I have this scenario working fine on 3 other contexts with 0 Connections being dropped. The other thing is I am not dropping all connections its dropping about 2-8%. of the connections. I have been playing around with connection limits.
  Interface: vlan 108
  service-policy: int7
  class: Mail_Hub_VIP
  loadbalance:
  L7 loadbalance policy: Mail_Hub_VIP-l7slb
  VIP Route Metric : 77
  VIP Route Advertise : ENABLED-WHEN-ACTIVE
  VIP ICMP Reply : ENABLED-WHEN-ACTIVE
  VIP State: INSERVICE
  curr conns : 1 , hit count : 12052
  dropped conns : 839
  client pkt count : 385190 , client byte count: 375718706
  server pkt count : 133814 , server byte count: 11089648
  conn-rate-limit : 50 , drop-count : 0
  bandwidth-rate-limit : - , drop-count : -
  Parameter-map(s):
  TCP_Mail_TO

• ACE: dropped conns due to header insert

  My LB is dropping connections on port 443 when I have "insert-http source header-value "%is" configured. Other ports such as 80, or 8080 are working. The config is the same for all ports.
  class-map match-any Service_VIP_Class
  4 match virtual-address 1.1.1.1 tcp eq https
  policy-map type loadbalance first-match Service_L7_Policy
  class class-default
  serverfarm Service_Serverfarm
  insert-http source header-value "%is"
  policy-map multi-match Service_LB_Policy
  class Service_VIP_Class
  loadbalance vip inservice
  loadbalance policy Service_L7_Policy
  loadbalance vip icmp-reply active
  loadbalance vip advertise active
  I see dropped conns on the service policy. When I remove the header insertion config, it connects ok.
  Please help!

  There is no way any device (including ACE) can open an https packet to insert anything.
  Only exception:
  You offload ssl using server keys and certs.Then make changes to the decrypted packet.
  Syed

• ACE; Dynamic SNAT in bridge mode without Dnat (VIP) needed

  Hi,
  We are interested about the ACE NAT performance. We would like to use this module just for the SNAT feature and only in bridge mode (to facilitate the ACE integration in the current network).
  the configuration could be similar to this one:
  class-map PrivateSource
  match source-address 10.0.0.0 255.0.0.0
  policy-map multimatch SourceNat
  class PrivateSource
  nat dynamic 1 vlan X
  interface vlan X (incoming traffic from the source)
  bridge-group 1
  service-policy in SourceNat
  nat-pool 1 publicIP netmask A.B.C.D pat
  interface vlan Y
  bridge-group 1
  Could anyone confirm if this feature is supported on the ACE and if the above configuration could be a good one?
  Many thanks for your help.
  Regards/Ludovic.

  Ludovic,
  ACE does not NAT bridged traffic.
  You could catch it with a catch-all-destination class-map
  ie:
  class-map all
  match virtual 0.0.0.0 0.0.0.0 any
  And use a transparent serverfarm sending all traffic to a unique default gateway.
  That would work.
  Gilles.

• ACE SM in a bridge mode

  We're architecting a pair of the ACE SM's and trying to better understand the upside/downside of configuring them in the bridged vs. a routed mode. Also, undr what circumstances  the bridge mode would be superior to the routing mode?
  Thanks..

  If running in bridged mode you are free to use any routing protocol your routers support. The ACE will not interfere with the routing.
  But beware, the ACE bridges only connected networks. Only version A2 3.0 has secondary address support.

• ACE bridge mode , FWSM routed mode

  i have the following senario:
  MSFC ---vlan 777----FWSM----vlan160---ACE----VLAN180
  FWSM is working in routed mode and vlan 777 is shared between the MSFC and FWSM
  ACE is working in bridged mode and vlan 160 is shared between the FWSM and ACE
  vlan 180 is the server side vlan
  i want he FWSM ip address to be the Server gateway while ACE module in
  bridge mode
  i create bvi interface but i can't ping from ACE to FWSM or from FWSM to
  ACE
  if i change ACE to routed mode , i can ping to FWSM
  any body can help me in this issue?

  The config looks good.
  I would look at the arp table on FWSM and ACE when the ping fails and also capture a sniffer trace of ACE tengig interface and see if the ping request goes out - on which vlan - and if we get a response.
  Is evertyhing else working ?
  Like ping through the ACE module ?
  Your config does not show a 'no shutdown' on the vlan interface, but I assume you fixed that already.
  Gilles.

• Routed or bridged mode + licensing question

  Hi Cisco ACE gurus,
  I have the following questions and I would be grateful if anyone could answer them.
  1) As we know the basic license for ACE limits its throughput to 4Gbps. What does it mean? Does it mean that only load balanced traffic is limited (policed) to 4Gbps? Or any other traffic passing through ACE is limited to 4Gbps (from what I know ACE is a cef720 linecard having 20Gbps to a switch fabric)?
  My question comes from the following scenario. Let's say ACE is deployed in routed mode and it has 1 client vlan and 2 server vlans. There are VIPs, serverfarms, rservers defined etc.... Now there is a need for a rserver from vlan1 to communicate with a rserver from vlan2 (directly and not through a VIP). In this scenario def gateway of both servers points to ACE (ACE is doing inter-vlan routing).
  So in this case in order to allow for that communication I would need to create ACLs and apply them to ACE interfaces.
  Does it mean that the traffic would be limited to only 4Gbps?
  2) let's say I have 2 DC (2 different geo locations). ACE is located only in one of them. Real servers are dispersed in both of them. ACE is deployed in routed mode. Is it possible to configure ACE in such a scenario (to server VIPs for clients when rservers are in 2 different DC)?
  My assumption is that it is possible and in order to do that I would have to use NAT (and source NAT client traffic) so that traffic sent from client to a VIP could be src natted and go to the other DC (through client vlan), reach the rsevers in the other DC and come back.
  Is it possible to also do that while ACE is deployed in bridged mode?
  While reading about ACE and NAT I came across the sentence "ACE is not able to NAT bridged traffic". What does it mean?
  regards

  sorry Marko but I am lost. We are talking now about one-armed mode of deployment. There
  are 2 contexts and the same vlan is used in both of them (that's why it is shared). In this case I don' understand what you wrote "you have server A in the shared VLAN of context A, you can not reach a VIP from context B" ... that is the same vlan so I can't see any problems..... unless you are describing situation for bridged mode deployment of ACE.

• ACE bridge mode not working

  Folks,
  I am trying to configure ACE in transparent mode and it is not working, i can browse to the servers directly,but when i try to hit the vip , I do not get any webpages, all keepalives are up and everything is in inservice.
  hostname abc
  boot system image:c6ace-t1k9-mz.3.0.0_A1_6_1.bin
  access-list ANY line 8 extended permit ip any any
  rserver host rs1
  ip address 1.1.1.1
  inservice
  rserver host rs2
  ip address 1.1.1.2
  inservice
  serverfarm host SF1
  rserver rs1
  inservice
  rserver rs2
  inservice
  class-map type management match-any REMOTE_ACCESS
  10 match protocol telnet any
  20 match protocol ssh any
  30 match protocol icmp any
  class-map match-all VIP
  2 match virtual-address 1.1.1.3 any
  class-map type http loadbalance match-any src1
  2 match source-address 0.0.0.0 0.0.0.0
  policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
  permit
  policy-map type loadbalance first-match R-Policy
  class class-defaut
  serverfarm SF1
  policy-map multi-match R-LB
  class VIP
  loadbalance vip inservice
  loadbalance policy R-Policy
  loadbalance vip icmp-reply active
  loadbalance vip advertise
  interface vlan 3
  bridge-group 1
  access-group input ANY
  access-group output ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
  interface vlan 4
  bridge-group 1
  access-group input ANY
  access-group output ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input R-LB
  no shutdown
  interface bvi 1
  ip address 1.1.1.4 255.255.255.0
  no shutdown
  ip route 0.0.0.0 0.0.0.0 1.1.1.5

  I made some progress, but still it is not working.
  When the server behind the ACE module default gateway is set to the firewall, i can telnet to the vip at port 80,but i still do not see the page when i open the browser and point to the vip. here are the outputs.
  hostname RBharti
  boot system image:c6ace-t1k9-mz.3.0.0_A1_6_1.bin
  access-list ANY line 8 extended permit ip any any
  rserver host rs1
  ip address 1.1.1.1
  inservice
  rserver host rs2
  ip address 1.1.1.3
  inservice
  serverfarm host SF1
  rserver rs1
  inservice
  rserver rs2
  inservice
  class-map type management match-any REMOTE_ACCESS
  10 match protocol telnet any
  20 match protocol ssh any
  30 match protocol icmp any
  class-map match-all VIP
  2 match virtual-address 1.1.1.5 any
  policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
  permit
  policy-map type loadbalance first-match R-Policy
  class class-default
  serverfarm SF1
  policy-map multi-match R-LB
  class VIP
  loadbalance vip inservice
  loadbalance policy R-Policy
  loadbalance vip icmp-reply active
  loadbalance vip advertise
  interface vlan 3
  bridge-group 1
  access-group input ANY
  access-group output ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input R-LB
  no shutdown
  interface vlan 4
  bridge-group 1
  access-group input ANY
  access-group output ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
  interface bvi 1
  ip address 1.1.1.4 255.255.255.0
  no shutdown
  ip route 0.0.0.0 0.0.0.0 202.137.232.193
  Ri/Admin# sh service-policy
  Policy-map : R-LB
  Status : ACTIVE
  Interface: vlan 3
  service-policy: R-LB
  class: VIP
  loadbalance:
  L7 loadbalance policy: Rediff-Policy
  VIP Route Metric : 77
  VIP Route Advertise : DISABLED
  VIP ICMP Reply : ENABLED-WHEN-ACTIVE
  VIP State: INSERVICE
  curr conns : 0 , hit count : 54
  dropped conns : 54
  client pkt count : 81 , client byte count: 3888
  server pkt count : 0 , server byte count: 0

• PBR with ACE in bridge mode

  I have one ACE configured in bridge mode.
  for proxy users : they have the VIP as proxy so the traffice from the client with destination the VIP
  but there are some users without proxy so we used the Policy Base Routing and it is working and can see the connections on the ACE
  but with destination IP of the websites so the traffice is not comming back as show below
  BC-LB1/BlueCoat# sho conn | include 10.1.50.10
  1782765    1  in  TCP   210  10.1.50.10:52052      67.195.160.76:80      SYNSEEN
  1355728    1  out TCP   210  67.195.160.76:80      10.1.50.10:52052      INIT
  BC-LB1/BlueCoat#
  in the PBR , we used the VIP as next hop address.
  please advice what is the problem?
  thanks in advance

  Good afternoon,
  As you mentioned, it seems the return traffic is not coming back through the ACE. You should review your PBR configuration to ensure that also the return traffic is matched and sent to the ACE
  Regards
  Daniel

• Airport Extreme Bridge Mode Connection Drop

  Hi everyone,
  Hoping that someone will be able to help me. I have a one year old son who is now getting his hands into everything so a few weeks ago I decided to look at my options for networking my home iMac and External HD's.
  I am currently running a SKY (Netgear router) into an Airport Extreme set up in Bridge mode. I have turned off the SSID of the SKY Router and everything connects to the Airport. On the AIrport I have a USB hub attached which then has three external HDs attached to it. I know this is a lot, but I have not had any issues at all with data transfer with this set up.
  The issues I am having is that on average, once or twice a day the iMac will drop connection to the Airport. There is no patern to this as the iMac will drop connection while I have been working on the machine and also at times when it has been woken from sleep mode. There is then no physical way to restore the connection unless I restart the iMac. Even turning on/off airport does not fix the issue. If I try this, the iMac then seems to not be able to find any wirless networks, even those that are in the area of my home.
  I have turn off the the airport and ran the iMac simply connecting to the SKY router and have experienced zero problems, the issue only happens when I introduce the Airport Extreme.
  Does anyone know what might be causing the problem? I really need to try to get this to work so that I can eliminate the need to have the external hard drives attached physically to the iMac. In my home the router/Airport and drives are safely out of the way in a child proof area. I fear that if I have to introduce them back to being physically connected to the iMac they will no longer be safe from small hands!!!
  Many thanks for any advice.
  -  Neil

  Unfortunately, you did not not include information about the operating system that you will use to configure the AirPort Extreme, so we would need that you be able to provide you with the correct steps to set up the AirPort Extreme.
  Bridge Mode would be the correct setting for the AirPort Extreme, but you will not have to worry about this if you use the setup "wizard" in AirPort Utility on your Mac or an iPhone / iPad since the wizard will automatically provide the correct settings for the AirPort Extreme.
  I'm not clear though on whether you want the AirPort Extreme to provide another separate wireless network or extend the existing Arris network. If you plan to locate the AirPort Extreme a room or two away from the Arris, then it might make sense to extend the Arris network, so you will have one "big" network that provides greater range.
  Whether or not the Arris will have NAT issues, we cannot say. This will be one of those times where you will not know whether something will work correctly until you try.
  If you are not in a rush to get the AirPort Extreme configured, temporarily power off the Extreme and get things working with the Arris modem/router and your Xbox.

• ACE 30, dropped conns counter incorrect number

  We have host in our network which tests reachability of ACE's VIP address at regular intervals. The test sequence consists of 4 TCP packets (SYN, SYN-ACK, FIN-ACK, RST-ACK; see picture attached) and causes incrementation of "dropped conns" counter in show service-policy output.
  ACE30# sh service-policy XYZ detail | inc drop
          dropped conns    : 266812
          conn-rate-limit      : 0         , drop-count : 0
          bandwidth-rate-limit : 0         , drop-count : 0
                       dropped conns: 238177
              dropped conns    : 7
  ACE30# sh service-policy XYZ detail | inc drop
          dropped conns    : 266813
          conn-rate-limit      : 0         , drop-count : 0
          bandwidth-rate-limit : 0         , drop-count : 0
                       dropped conns: 238178
              dropped conns    : 7
  Is this normal behavior of ACE? Is there a way how to get rid of the dropped cons counter incrementation.
  Petr

  Hi Kanwal,
  When I set "no normalization" problem is solved. Disadvantage of this appoach is that by this command all trafic on interface is affected.
  I've also tried to tune  timeout for embrionic connection.
  When I had set it to 0, dropped conns counter stopped to increase. Client which sends those "SYN,FIN" packets ends communication after 30 seconds using RST. This cause that connection ends and dropped conns counter does not increase.
  Unfortunately for some reason sometimes happens that client doesn't send this final RST packet. This cause that number of active connection increases ...
  ACE30-hto2/TEST-WEBAPP# sh service-policy XYZ | inc conn
          curr conns       : 9         , hit count        : 2279841   
          dropped conns    : 385467    
          conns per second    : 0         
          conn-rate-limit      : -         , drop-count : -         
  ACE30-hto2/TEST-WEBAPP# sh service-policy XYZ | inc conn
          curr conns       : 22        , hit count        : 2283653   
          dropped conns    : 385467    
          conns per second    : 0         
          conn-rate-limit      : -         , drop-count : -
  When I set timeout to 120, those "non RST" connections are cleared but of course dropped conns counter increases ...
  I guess I will try to reconfigure the probe.
  Kanwal, thanks for your suggestions!
  Kind regards
  Petr

• ACE redundancy with bridge mode

  I need configure redundancy between two ACE modules (no problem). There is context in bridge mode. My question is, in which state is standby context. Is it in blocked state (that means, it not ansfer to any L2 requests) similar as for example ASA? I need explain loop-free topology.
  can anybody explain me, how it works?

  Yes, that's correct.
  If you have a redundant setup, don't forget to allow the Spanning-tree BPDUs!
  Create an ACL that permits BPDUs and configure it on the both ACEs on the client- and serverside:
  access-list NONIP ethertype permit bdpu
  int vlan 10 ! client-side
  access-group input NONIP
  int vlan 20 ! server-side
  access-group input NONIP
  more info:
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/bridge.html#wp1174530
  Please rate if this was useful for you.
  Kind regards,
  Dario

• Firewall Load Balance using bridged mode ACE

  Dear Folks,
  I 'd like to load balance 2 ASA using 3 ACE [ Inside,outside,dmz network zone]
  I 've seen sample configuration, all of them are running the ACE in the route mode, and asa are running in route mode
  Would it be possible to run the ACE in the bridge Mode, because the ip subneted problem, We don't have enough to split,,
  by the way if possible,All server that install behind ACE, what is default gateway should Server Point to [ in our case we have 2 independent firewall ] should I create the VIP for both firewall ? or should I just simply set the server's gateway to BVI interface, ?
  Please Help Thanks

  Thank you very much Gilles,
  You 're the man. ;-)
  Another question in my case I try to load balance 3 interface firewall [inside,outside,dmz] in order to make the packet return the same firewall it has passed earlier,
  What kind of hashing technique do I need to use and Do i need to use mac sticky command ???
  I tried to find some configuration sample from cisco website , but i only found with only 2 interface with ACE running source hash and destination hash in each ends,
  Thank you very much

• Internet Problem with Time Capsule (Wi-Fi) and AT&T U-verse Motorola NVG589 (Bridge Mode)

  I'm having a problem with my Internet connection. For some unknown reason it keeps cutting out every 5 min for about 5 seconds. The wi-fi signal doesn't drop or anything like that, just the internet connection stops working for a little bit and then its fine again (pages don't load, etc).
  Here is my current set-up:
  1. AT&T Motorola NVG589 - set to bridge mode as per instructions here http://www.dslreports.com/faq/17734 (followed instructions step by step)
  2. Apple Time Capsule (latest model 2TB)
  3. Motorola is connected to the Time Capsule through an ethernet cable.
  I tried contacting AT&T and they just sent me a new Motorola router, I installed it, put it in bridge mode and still the same thing is happening.
  I am thinking maybe there is some problem in settings or something. Airport Utility is showing everything in "green", no problems there.
  Please let me know if anyone can help.

  Ok, here is an update on how I decided to deal with the problem. I will include all of my troubleshooting step by step for easy reference.
  1. At first I put the NVG589 into Bridge Mode and used the TC as the main wireless router. This didn't work as my connection kept dropping for no apparent reason.
  2. Second, I tried to put the Time Capsule in Bridge Mode and connect it directly to NVG589. This didn't work as my connection would still lag out for 5 seconds about every 5 minutes.
  3. Third, I bought an ASUS RT-AC87U Wireless AC2400 Dual-band Gigabit Router to try and substitute the TC in previous steps and see if it helps. Same problem persisted when I put the NVG589 into Bridge Mode and RT-AC87U as the main router as well as RT-AC87U into bridge mode and NVG589 as the main router. The problem was exactly the same as when I tried using TC initially so my conclusion was this is NVG589's fault of being not compatible with other wireless routers.
  4. I looked around everywhere and came up with the only feasible solution possible (for me at least):
  Currently I use NVG589 as my main wireless router. I works pretty well and even though it doesn't have the specs of TC or the ASUS router my WI-FI connection is pretty fast and stable. In order to have Time Machine wireless backups, I purchased a Western Digital My Cloud Drive that is connected directly to the NVG589. Everything seems to sync and work well together.
  I know this is not the ideal solution most people are looking for. But it works for me. Patiently waiting for AT&T to start offering NVG599 (http://www.dslreports.com/forum/r28967809-NEW-U-verse-Gateway-Motorola-NVG599-WI RELESS-AC-AC1600) in my area. Once I get my hands on it will report back on how it will react to all the steps above and hopefully work well with Time Capsule.
  Shoot me any questions you might have. Hope this was helpful for some of you.