ACE - Inter-context traffic flow.

Experts,
Could you please guide me on the traffic flow mentioned below?
Connection flow:
client IP 192.168.240.220 == VLAN721=[VIP 10.106.108.137] ===VLAN 537[Server 10.106.24.133]<=={User context test1}
[Server 10.106.24.133]=== VLAN 739==[VIP 10.106.112.59] =====VLAN343 [Server 10.106.3.8]  <= {User Context test2}
There are two contexts, test1 & test2, on the same ACE box, which resides in a CAT6k. Just curious to know how to redirect the server (10.106.24.133) in context test1 to the VIP (10.106.112.59) in context test2, which are not in a shared VLAN.
context test 1
rserver redirect OASIS-SSO-STG2_OOS_REDIRECT
  webhost-redirection https://eportal-stg.publix.com/content/Associate/OutagePag
  inservice
rserver host SITMA21
  ip address 10.106.24.133
  probe PING
  inservice
rserver host SITMA22
  ip address 10.106.24.138
  probe PING
  inservice
serverfarm host L17SVWOASIS03_FARM
  description oasis-sso-stg2 server farm
  failaction purge
  probe TCP-80
  rserver SITMA21 80
    inservice
  rserver SITMA22 80
serverfarm redirect OASIS-SSO-STG2_OOS_REDIRECT_FARM
  rserver OASIS-SSO-STG2_OOS_REDIRECT
    inservice
sticky ip-netmask 255.255.255.255 address both L17SVWOASIS03_STICKY
  serverfarm L17SVWOASIS03_FARM backup OASIS-SSO-STG2_OOS_REDIRECT_FARM
  timeout 10
  replicate sticky
Need to know when the redirection will take place here. I feel that only if the serverfarm (L17SVWOASIS03_FARM) goes down does the redirect server come into the picture, as per the configs attached.
If that is the case, then
rserver redirect OASIS-SSO-STG2_OOS_REDIRECT
  webhost-redirection https://eportal-stg.publix.com/content/Associate/OutagePag
  inservice
The highlighted URL should be the VIP of context test2, i.e. 10.106.112.59, is that right? In this case, how do I send this request to the VIP, since both are in different VLANs? Should it be done with PBR (policy based routing) via the CAT6k? Could anyone please share the configs?
Or can this be done with a default route to the VIP on the contexts?

Configs
=====
CSS - Context 1
============
probe tcp qaahmapp1-ssl-475_PROBE
  port 475
  interval 5
  passdetect interval 5
  connection term forced
rserver host HS_PROD.sanovia_447-ssl-a
  ip address 10.99.0.13
  inservice
rserver host HS_PROD.sanovia_447-ssl-b
  ip address 10.99.0.14
  inservice
serverfarm host sanovia.qaahm.ssl
  probe qaahmapp1-ssl-475_PROBE
  rserver HS_PROD.sanovia_447-ssl-a 475
    conn-limit max 4000000 min 4000000
    inservice
  rserver HS_PROD.sanovia_447-ssl-b 475
    conn-limit max 4000000 min 4000000
    inservice
parameter-map type http cisco_avs_parametermap
  case-insensitive
  persistence-rebalance
  parsing non-strict
action-list type optimization http cisco_avs_bandwidth_and_latency
  delta
  flashforward
action-list type optimization http cisco_avs_img_latency
  flashforward-object
action-list type optimization http cisco_avs_obj_latency
  flashforward-object
class-map type http loadbalance match-all cisco_avs_bandwidth_and_latency
  2 match http url .*
class-map type http loadbalance match-any cisco_avs_img_latency
  2 match http url .*jpg
  3 match http url .*jpeg
  4 match http url .*jpe
  5 match http url .*png
class-map type http loadbalance match-any cisco_avs_obj_latency
  2 match http url .*gif
  3 match http url .*css
  4 match http url .*js
  5 match http url .*class
  6 match http url .*jar
  7 match http url .*cab
  8 match http url .*txt
  9 match http url .*ps
  10 match http url .*vbs
  11 match http url .*xsl
  12 match http url .*xml
  13 match http url .*pdf
  14 match http url .*swf
class-map match-all sanovia.qaahm.ssl_CLASS
  2 match virtual-address 10.99.1.76 tcp eq https
policy-map type loadbalance first-match sanovia.qaahm.ssl_CLASS-l7slb
  class class-default
    serverfarm sanovia.qaahm.ssl
    insert-http x-forward header-value "%is"
policy-map type optimization http first-match sanovia.qaahm.ssl_CLASS-l7opt
  class cisco_avs_obj_latency
    action cisco_avs_obj_latency
  class cisco_avs_img_latency
    action cisco_avs_img_latency
  class cisco_avs_bandwidth_and_latency
    action cisco_avs_bandwidth_and_latency
policy-map multi-match POLICY
  class sanovia.qaahm.ssl_CLASS
    loadbalance vip inservice
    loadbalance policy sanovia.qaahm.ssl_CLASS-l7slb
    optimize http policy sanovia.qaahm.ssl_CLASS-l7opt
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 20
    appl-parameter http advanced-options cisco_avs_parametermap
interface vlan 20
  ip address 10.99.1.240 255.255.255.0
  alias 10.99.1.241 255.255.255.0
  nat-pool 1 10.99.1.221 10.99.1.221 netmask 255.255.255.255 pat
  nat-pool 2 10.99.1.220 10.99.1.220 netmask 255.255.255.255 pat
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.99.1.1
========================================================================================
SCA - Context 2
============
crypto chaingroup GoDaddy
  cert cisco-sample-cert
probe tcp AHM_QA-PROBE
  port 8080
  interval 5
  passdetect interval 5
  connection term forced
rserver host AHM_QA
  ip address 10.99.1.76
  conn-limit max 4000000 min 4000000
  inservice
serverfarm host AHM_QA
  rserver AHM_QA 8080
    conn-limit max 4000000 min 4000000
    probe AHM_QA-PROBE
    inservice
parameter-map type ssl sanovia-ssl-parms
  description This is where you tweak your SSL parms, cert, etc.
  cipher RSA_WITH_RC4_128_MD5 priority 4
  cipher RSA_WITH_RC4_128_SHA priority 5
  cipher RSA_WITH_DES_CBC_SHA priority 3
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 6
  cipher RSA_WITH_AES_128_CBC_SHA priority 7
  cipher RSA_WITH_AES_256_CBC_SHA priority 8
ssl-proxy service sanovia-ssl-proxy
  key cisco-sample-key
  cert cisco-sample-cert
  chaingroup GoDaddy
  ssl advanced-options sanovia-ssl-parms
class-map match-any AHM_QA-CLASS
  2 match virtual-address 10.99.0.13 tcp eq 475
  3 match virtual-address 10.99.0.14 tcp eq 475
policy-map type loadbalance first-match AHM_QA-CLASS-l7slb
  class class-default
    serverfarm AHM_QA
policy-map multi-match POLICY
  class AHM_QA-CLASS
    loadbalance vip inservice
    loadbalance policy AHM_QA-CLASS-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 10
    ssl-proxy server sanovia-ssl-proxy
interface vlan 10
  ip address 10.99.0.17 255.255.255.0
  peer ip address 10.99.0.11 255.255.255.0
  nat-pool 1 10.99.0.13 10.99.0.13 netmask 255.255.255.255 pat
  service-policy input POLICY
  no shutdown
  ip route 0.0.0.0 0.0.0.0 10.99.0.1
========================================================================================
CSS - Context 1 ( another VIP)
=======================
rserver host qaahmapp1-8080
  ip address 10.99.1.217
  conn-limit max 4000000 min 4000000
  inservice
serverfarm host sanovia.qaahm.postssl
  rserver qaahmapp1-8080 8080
    conn-limit max 4000000 min 4000000
    inservice
parameter-map type http HTTP_PARAMETER_MAP
  persistence-rebalance
sticky http-cookie ACE_Cookie qanovia.qaahm.postssl-STICKY
  cookie insert
  serverfarm sanovia.qaahm.postssl
  timeout 45
  replicate sticky
class-map match-all sanovia.qaahm.postssl_CLASS
  2 match virtual-address 10.99.1.76 tcp eq 8080
policy-map type loadbalance first-match sanovia.qaahm.postssl_CLASS-l7slb
  class class-default
    sticky-serverfarm qanovia.qaahm.postssl-STICKY
policy-map multi-match POLICY
  class sanovia.qaahm.postssl_CLASS
    loadbalance vip inservice
    loadbalance policy sanovia.qaahm.postssl_CLASS-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 20
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
interface vlan 20
  ip address 10.99.1.240 255.255.255.0
  alias 10.99.1.241 255.255.255.0
  nat-pool 1 10.99.1.221 10.99.1.221 netmask 255.255.255.255 pat
  nat-pool 2 10.99.1.220 10.99.1.220 netmask 255.255.255.255 pat
  no shutdown
=============================================================================
I have configured two VLANs in the CAT6k, i.e. vlan 10 & vlan 20, with the following IPs as mentioned in the routes of the ACE:
10.99.0.1 & 10.99.1.1
Also configured only the final rserver 10.99.1.217 under vlan 20. This made all the VIPs and rservers come up, but I still couldn't get the required page. There is a small confusion in the first context, as the VIP is shown as https but I don't see any cert and key in the customer config, so I made it http for my test. But the second context VIP is https, where I have added the certs and key as required.
Let me know if I am missing anything here. Many thanks in advance.
thanks
Martin
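Added here as an example, not part of Martin's post and not a Cisco ACE tool: a small Python script that parses per-context ACE config fragments of the shape pasted above (top-level `rserver host`, `class-map`, `interface vlan` and `ip route` blocks, children recognised by indentation) and reports every rserver whose address is a VIP owned by another context, together with how the first context can reach it: on a connected subnet or only through its default route. The two contexts are trimmed copies of the CSS and SCA configs above; the labels `ctx1-CSS` and `ctx2-SCA` are mine, and the reachability check models only connected subnets and the default route (no PBR, no ACLs), which is exactly the question the post raises.

```python
"""Cross-context dependency check for ACE config fragments.
Added example (not from the post, not an ACE tool): parses per-context
config text by its indentation and reports every rserver whose address
is a VIP in another context, plus how the first context can reach it.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: trimmed copies of the two contexts pasted in the post.
CONTEXT_CONFIGS = {
    "ctx1-CSS": """
rserver host HS_PROD.sanovia_447-ssl-a
  ip address 10.99.0.13
rserver host HS_PROD.sanovia_447-ssl-b
  ip address 10.99.0.14
rserver host qaahmapp1-8080
  ip address 10.99.1.217
class-map match-all sanovia.qaahm.ssl_CLASS
  2 match virtual-address 10.99.1.76 tcp eq https
class-map match-all sanovia.qaahm.postssl_CLASS
  2 match virtual-address 10.99.1.76 tcp eq 8080
interface vlan 20
  ip address 10.99.1.240 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.99.1.1
""",
    "ctx2-SCA": """
rserver host AHM_QA
  ip address 10.99.1.76
class-map match-any AHM_QA-CLASS
  2 match virtual-address 10.99.0.13 tcp eq 475
  3 match virtual-address 10.99.0.14 tcp eq 475
interface vlan 10
  ip address 10.99.0.17 255.255.255.0
  no shutdown
  ip route 0.0.0.0 0.0.0.0 10.99.0.1
""",
}

VIP_RE = re.compile(r"\d+ match virtual-address (\S+) tcp eq (\S+)")


def parse_context(text):
    """Pull rservers, VIPs, connected subnets and the default gateway out of one context."""
    ctx = {"rservers": {}, "vips": defaultdict(list), "subnets": [], "default_gw": None}
    block = None  # (kind, name) of the enclosing top-level block, if any
    for raw in text.splitlines():
        if not raw.strip():
            continue
        words = raw.split()
        indented = raw.startswith(" ")
        if not indented:
            block = None
            if words[:2] == ["rserver", "host"]:
                block = ("rserver", words[2])
            elif words[0] == "class-map":
                block = ("class-map", words[-1])
            elif words[:2] == ["interface", "vlan"]:
                block = ("interface", words[2])
        # The post shows 'ip route' both at top level and pasted under an
        # interface, so accept it at either indentation.
        if words[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"]:
            ctx["default_gw"] = words[4]
            continue
        if block is None or not indented:
            continue
        kind, name = block
        if kind == "rserver" and words[:2] == ["ip", "address"]:
            ctx["rservers"][words[2]] = name
        elif kind == "class-map":
            m = VIP_RE.match(raw.strip())
            if m:
                ctx["vips"][m.group(1)].append(m.group(2))
        elif kind == "interface" and words[:2] == ["ip", "address"]:
            ctx["subnets"].append(ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False))
    return ctx


def cross_context_links(configs):
    """Return (src_ctx, rserver_ip, dst_ctx, reachability) for each rserver that is a VIP elsewhere."""
    parsed = {name: parse_context(cfg) for name, cfg in configs.items()}
    links = []
    for src, ctx in parsed.items():
        for ip in ctx["rservers"]:
            for dst, other in parsed.items():
                if dst == src or ip not in other["vips"]:
                    continue
                addr = ipaddress.ip_address(ip)
                if any(addr in net for net in ctx["subnets"]):
                    how = "on-link"
                elif ctx["default_gw"]:
                    how = f"via default route {ctx['default_gw']}"
                else:
                    how = "UNREACHABLE: no connected subnet and no default route"
                links.append((src, ip, dst, how))
    return links


if __name__ == "__main__":
    for src, ip, dst, how in cross_context_links(CONTEXT_CONFIGS):
        print(f"{src}: rserver {ip} is a VIP in {dst} -> {how}")
```

Run against the sample it shows the loop the two contexts form: context 1's rservers 10.99.0.13/.14 are VIPs in context 2, and context 2's rserver 10.99.1.76 is a VIP back in context 1, each reachable only through that context's default route, so the upstream router (the CAT6k SVIs 10.99.0.1 and 10.99.1.1 in the post) has to carry each hop. A context with no connected subnet and no default route for the target is flagged as unreachable, which is the case to check first when a chained VIP stays down.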

Similar Messages

  • How ACE classifies the traffic and send it to appropriate Context

    Hi,
    Could someone please explain packet classification in the ACE module? For example, let us assume there are three contexts (context1, context2, context3) in the ACE module; how does the ACE classify the traffic and send it to the appropriate context when a customer comes in and hits the ACE?
    Regards
    Raj

    Hello Raj,
    In addition to what Ajay mentioned, yes, each virtual address (VIP), in combination with the port you configured (if any), will act as a unique identifier for the ACE to handle specific traffic and finally take the load balancing decision it needs, or any other action that would be required.
    Another thing you can take into consideration from the routing perspective is that you configure on the Admin context the specific VLANs allocated to each context based on your requirements; so for example, you may allocate vlan 10 to context 1, vlan 20 to context 2, or all of the VLANs to context 3.
    Going back to your original question, yes, the ACE works like this:
    Request ----->VIP--->ACE checks which context has the VIP in question---->send request to context--->traffic is load balanced between the servers
    Jorge

  • ASA 5505, how to configure DMZ to Inside traffic flows

    Dear,
    We have a Cisco ASA 5505 with an outside, inside and DMZ interface.
    We really need all these interfaces.
    The DMZ interface has been configured to block any traffic to the inside (restrict traffic flow). This restriction can't be disabled; an error occurred when doing this.
    I want to allow only one single port to have access from the DMZ to the inside; is that possible? And how?
    Thanks for the feedback.
    Regards.
    Peter.

    What I mean with "can't be disabled": when you navigate to Configuration/interfaces and select the DMZ interface / advanced, you can block traffic. By default, Inside has been selected in the drop-down box. However, you can't leave it blank; you need to specify at least one. I can't create other, extra interfaces because the license allows 3 max.
    So, my question is: can I create a rule somewhere to override this setting for only one specific port? And how?
    Result of the command: "show version"
    Cisco Adaptive Security Appliance Software Version 8.2(5)
    Device Manager Version 6.4(5)
    Compiled on Fri 20-May-11 16:00 by builders
    System image file is "disk0:/asa825-k8.bin"
    Config file at boot was "startup-config"
    router up 100 days 1 hour
    Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
    0: Int: Internal-Data0/0    : address is a44c.11bb.5492, irq 11
    1: Ext: Ethernet0/0         : address is a44c.11bb.548a, irq 255
    2: Ext: Ethernet0/1         : address is a44c.11bb.548b, irq 255
    3: Ext: Ethernet0/2         : address is a44c.11bb.548c, irq 255
    4: Ext: Ethernet0/3         : address is a44c.11bb.548d, irq 255
    5: Ext: Ethernet0/4         : address is a44c.11bb.548e, irq 255
    6: Ext: Ethernet0/5         : address is a44c.11bb.548f, irq 255
    7: Ext: Ethernet0/6         : address is a44c.11bb.5490, irq 255
    8: Ext: Ethernet0/7         : address is a44c.11bb.5491, irq 255
    9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
    10: Int: Not used            : irq 255
    11: Int: Not used            : irq 255
    Licensed features for this platform:
    Maximum Physical Interfaces    : 8        
    VLANs                          : 3, DMZ Restricted
    Inside Hosts                   : 50       
    Failover                       : Disabled
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 10       
    Dual ISPs                      : Disabled 
    VLAN Trunk Ports               : 0        
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          : Disabled 
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled 
    This platform has a Base license.
    Serial Number: xxxxxxxxxxxxxx
    Running Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Configuration register is 0x1
    Configuration last modified by enable_15 at 14:43:11.295 CEDT Mon Sep 9 2013

  • Trying to understand traffic Flow in a LWAPP wireless configuration.

    I'm trying to understand at a high level how wireless traffic flows in the new LWAPP configuration. Based on what I can tell, all wireless traffic must flow through the controllers prior to getting onto the LAN.
    So let's say I have an LWAPP Access Point off an access switch in a remote closet and my controller is off my core switches. I want to communicate from my wireless PC to a wired PC on this same access switch. The traffic flows from the AP down to the core switch, through the Controller and back up to the access switch to the wired PC.
    Is that correct?
    If this is true my main concern is supporting APs from a central controller across a low speed WAN. Looks like I would not want to do that...

    You're right in your assumption. Data traffic travels from the client to the AP. The AP then encapsulates this data using LWAPP and forwards it to the Controller. The WLC then de-encapsulates (?) it, processes the traffic as necessary and then drops it onto the wired LAN.
    So, in your scenario, the wireless client would send data to the AP. This would be encapsulated between the AP and the controller and then sent back again unencapsulated to the wired client.
    Regarding using this system over a low speed WAN, there are two ways of doing this.
    The first is to use a local WLC at the remote site (e.g. a WLC2006 or the new WLC network module for 2800/3800 ISR routers).
    The second is to use AP1030s which are 'Remote Edge Access Points'. These aren't quite as lightweight as the rest of the 1000 Series in that they will bridge local traffic and only encapsulate traffic heading 'off site'. They will also continue to operate if connection back to the WLC is lost (the first WLAN configured on the WLC remains up on the REAP whilst connection to the WLC is lost).
    I believe that the recommendation for these is a minimum of 2Mbps WAN connection.

  • Dual wan failover config: failback does not always work as expected for existing LAN traffic flows

    I have an 881 router configured with 2 dhcp WAN connections.  I am trying to configure failure detection of the primary connection (I do not really care about the secondary at this time).
    I have an ip sla/track configured to monitor the primary WAN connection, and if it stops passing traffic it removes that route, passing all traffic out the second WAN connection.  When the first connection is restored it should restore the route and everything should pass through the first connection again.  This works for all my tests except one.  If I start a ping stream from a client "ping 8.8.8.8 -t" and disconnect the primary connection it will lose a few packets but then use the secondary connection in about 15 seconds.  After restoring the primary connection all new traffic will use the primary connection, but the ping stream will then stop working (fails over, but not back).  If I stop the ping stream for a time (not sure how long is required, but my test was over a minute) it will then use the primary connection like all other new traffic.  A stop of a few seconds is not enough, and even opening up a second command prompt to ping the same target also does not work (pinging new targets works as desired).  It is as if something is caching the route/session/whatever and it has to have a window of no traffic before expiring/relearning the route.  This means any sustained traffic to the original target will not work until it is stopped for a certain time to let "something" age out.
    I need to know if there is a way to "flush the cache" (or whatever) during fail-back to force the primary route to be used after fail-back, or something else that will have the same effect.  My suspicion is that the second route gets "preferred" because the first is removed by the SLA, and when the SLA returns the route to the list the existing traffic flow is not aware of the route list change, using the last known good route (which now does not pass traffic).  The issue here is that it takes a length of time for the now bad route to get flushed, which is greater than I want to have.
    config (edited):
    interface FastEthernet3
     description Backup ISP
     switchport access vlan 800
     no ip address
    interface FastEthernet4
     description Primary ISP
     ip dhcp client route track 100
     ip address dhcp
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto ipsec client ezvpn EZVPN-to-1941
    interface Vlan800
     description Backup ISP
     ip address dhcp
     ip nat outside
     ip virtual-reassembly in
    track 100 list boolean or
     object 101
     object 102
    track 101 ip sla 10 reachability
    track 102 ip sla 20 reachability
    ip sla 10
     icmp-echo 4.2.2.2 source-interface FastEthernet4
     threshold 1000
     timeout 1500
     frequency 5
    ip sla schedule 10 life forever start-time now
    ip sla 20
     icmp-echo 208.67.222.222 source-interface FastEthernet4
     threshold 1000
     timeout 1500
     frequency 5
    ip sla schedule 20 life forever start-time now
    ip route 4.2.2.2 255.255.255.255 FastEthernet4 permanent
    ip route 10.1.2.0 255.255.255.0 <1941 wan ip removed>
    ip route <1941 wan ip removed> 255.255.255.255 FastEthernet4 permanent
    ip route 208.67.222.222 255.255.255.255 FastEthernet4 permanent
    ip route 0.0.0.0 0.0.0.0 Vlan800 dhcp 254
    ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
    Observation: the last 2 routes appear in the order shown above.  Even though the vlan800 route has a higher administrative cost it is in front of the FA4 route, could this be contributing to the issue?  Is there a way to ensure the FA4 route is always listed before vlan800 at all times?

  • Traffic flowing through Fw

    Hi Everyone,
    We have an SVI VLAN on layer 3 core switch A.
    This switch has a connection to the ASA and also to another layer 3 switch, B.
    Layer 3 switch B connects to a layer 2 switch which has this VLAN.
    Need to understand the traffic flow from a user PC to switch A.
    Switch B has a static default route to the FW for the subnet of the VLAN.
    Now traffic goes from the layer 2 switch to core switch B, which has a static route for that VLAN with the ASA as next hop.
    Now traffic comes to the ASA, and from there it goes to core switch B, which has the SVI VLAN in it.
    Also, core switches A and B have a trunk connection which carries that VLAN.
    Need to know if return traffic from core switch A comes via the ASA or via switch B?
    How can I check this?
    Thanks
    Mahesh

    Hello Mahesh,
    Not sure if I understood the topology, but anyway the way to test this would be creating captures on the interface where you think the ASA should receive the traffic; if you do not see the packets there, well, that would lead us to the returning traffic going to switch B.

  • Cisco asa traffic flow

    Hi,
    Can somebody give the packet/traffic flow paths from a higher security interface to a lower one & vice versa?
    For eg: session > acl > xlate > etc...
    Are these checks different in both of the above scenarios?

    Hi Felipe,
    But I do find a difference while reading the URL below.
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba9d00.shtml
    I would like to know how the traffic flows from outside to inside and from inside to outside.
    Hope you got it...
    regards
    rajesh

  • Can't get traffic flowing between VLANs on an ASA 5505

    I've got an ASA 5505 with the Security Plus license that I'm trying to configure.
    So far I have setup NATing on two VLANs, one called 16jda (VLAN 16 - 10.16.2.0/24) and one called 16jdc (VLAN 11 - 10.105.11.0/24).
    From each subnet I am able to connect to the internet, but I need these subnets to also be able to talk to each other.
    I have each VLAN interface at security level 100 and enabled "same-security-traffic permit inter-interface", and I have setup static NAT mappings between the two subnets, but they still can't communicate.
    When I try to ping there is no reply and the only log message is:
    6     Aug 21 2012     09:00:54     302020     10.16.2.10     23336     10.105.11.6     0     Built inbound ICMP connection for faddr 10.16.2.10/23336 gaddr 10.105.11.6/0 laddr 10.105.11.6/0
    I have attached a copy of the router config.

    Hi Bro
    I know your problem and I know exactly how to solve it too. You could refer to https://supportforums.cisco.com/message/3714412#3714412 for further details.
    Moving forward, this is what you’re gonna paste in your FW. This should work like a charm.
    access-list from-inside permit ip 10.105.1.0 255.255.255.0 10.105.11.0 255.255.255.0
    access-list from-inside permit ip 10.105.1.0 255.255.255.0 10.16.2.0 255.255.255.0
    access-list from-16jda permit ip 10.16.2.0 255.255.255.0 10.105.1.0 255.255.255.0
    access-list from-16jda permit ip 10.16.2.0 255.255.255.0 10.105.11.0 255.255.255.0
    access-list from-16jdc permit ip 10.105.11.0 255.255.255.0 10.105.1.0 255.255.255.0
    access-list from-16jdc permit ip 10.105.11.0 255.255.255.0 10.16.2.0 255.255.255.0
    nat (inside) 0 access-list from-inside
    nat (16jdc) 0 access-list from-16jdc
    nat (16jda) 0 access-list from-16jda
    clear xlate
    nat (inside) 1 10.105.1.0 255.255.255.0 <-- You forgot this!!
    Basically, when inside wants to communicate with the other interfaces bearing security-level 100, e.g. 16jda or 16jdc, or vice-versa, you'll need to enable "NAT Exemption", i.e. nat (nameif) 0. I know you have already enabled the same-security permit inter-interface command, but this command becomes useless once you've enabled dynamic NAT on one of those interfaces. It's as if the same-security traffic command wasn't even entered in the first place. Hence, the Cisco ASA is behaving as expected as per Cisco's documentation. For further details on this, you could refer to the URLs below:
    https://supportforums.cisco.com/thread/223898
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1042530

  • ACE server initiating traffic issue

    Hello
    I'm trying to establish a session between one of my real servers behind the ACE and some external network without any NAT. According to the documentation I should only need to configure the correct ACLs on both the client and server VLANs and it should work. Unfortunately, although I see hits in the ACL configured in the outside direction on the client VLAN, the traffic is not passing the ACE.
    When I configure the capture I can see traffic only on the server VLAN. There is no traffic on the client VLAN.
    Does anybody know what else I should configure?
    Thank you in advance
    Regards
    Lucas

    Hi,
    the capture feature on the ACE only works in the input direction:
    The packet capture function enables access-control lists (ACLs) to control which packets are captured by the ACE on the input interface.
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/managesw.html#wp1035160
    Is your problem resolved now or does this still not work?
    If so, what do you see in the capture?
    HTH,
    Dario

  • ACE Module Context Up to 8 Chain Groups

    Hi
    I have an ACE with 8 chain groups, each with 8 certificates; what do I need to do if I need another certificate?
    This is because of the information in the document:
    The ACE supports the following certificate chain group capabilities:
    •A chain group can contain up to eight certificate chains.
    •Each context on the ACE can contain up to eight chain groups.
    •The maximum size of a chain group is 16 KB.
    thanks for your help.

    I do not need to match a specific URL. The application on the server does however. The server admin reports that connection is being refused as there is no URL included to match.
    When setting this up as a one-arm config with source NAT everything works fine. Unfortunately, it is a requirement of the application that the client IP remain intact.

  • ACE multi context

    Can I have a context in ACE in transparent mode and another context in routed mode?

    You can, but you can't use any of the "bridged" VLANs in the routed context.
    Gilles.

  • Port Disable for traffic flowing only one direction

    Hi,
    We use some Catalyst Express 500 and ESW-520 in our company.
    But with the Catalyst Express 500 we have a problem that we can't explain.
    Some Gi ports become disabled with this log error message:
    Description: Gi1: This port is disabled because the traffic is flowing only in one direction. The cause might be incorrect cabling.
    Recommendation: Make sure that cable is properly connected to the ports. For fiber connections, ensure that the transmit and receive fibers are connected correctly. Disable and Enable the port.
    As for the recommendation, the cable is right; we changed it and we replaced the switch with another one and the problem continues.
    If we replace it with an ESW-520 the problem doesn't occur, but we can't change all our old switches for the moment.
    Any idea about this problem?

    Hi Guys,
    Thank you all for your help. The packet was being dropped on the "implicit rule", that means that the packet was not finding an ACL to match.
    I checked the ACLs that the VPN Wizard generates by itself when used to configure an IPSec connection, and the ACLs were correct and "before" the implicit rule. (They are called by default outside_cryptomap_"number".)
    It seems that since I am not using "sysopt connection permit-vpn" I have to add the same ACLs to the "Local Network" interface (VPN_LAN).
    Since there were inbound ACLs related to the VPN_LAN interface, the firewall jumped directly to the "implicit rule".
    So the result is that I have two times the same rules first inbound on the VPN_LAN and second on the default outside_cryptomap ACLs.
    Greetings,
    Daniel

  • Test ACL to see which ACE is blocking traffic

    On the ASA and FWSM, is there a way to check which ACE would be blocking a particular traffic?  I'm looking for a command where I just tell it which ACL is use and feed it the source-ip/port and dest-ip/port.
    Thank you in advance.
    Vince

    Hi,
    Well, the ASA does have a tool that can easily tell you which ACL rule some traffic hits. Though I guess there is a very small chance that you would have such old software that it's not supported, but I doubt it. This command isn't supported on the FWSM however.
    On ASA you can use the "packet-tracer" command.
    Basically if you want to test traffic incoming from "inside" interface then you could do (IPs and ports are made up)
    packet-tracer input inside tcp 10.10.10.10 12345 8.8.8.8 80
    Traffic incoming from "outside" could be simulated with
    packet-tracer input outside tcp 1.1.1.1 12345
    I am not completely sure but on the FWSM (and also ASA side) side you might be able to look at the log message of the blocked connection and look at the very end of the log message that has a sequence of numbers. This might match some ACE in that interfaces ACL when you look at the ACL through with command "show access-list"
    For example, I made a "deny" rule on my ASA like this
    access-list WAN-IN line 1 extended deny ip host 3.3.3.3 any
    I then generated traffic from source address 3.3.3.3 to one of my internal IP addresses and the ASA generated this log message
    Deny tcp src WAN:3.3.3.3/12345 dst LAN:10.0.10.1/80 by access-group "WAN-IN" [0x6131ef0b, 0x0]
    I then check my ACLs with "show access-list | inc 6131ef0b", which essentially contains the number sequence I told you about earlier. The output is the following, and we have found the ACL rule that blocked the connection attempt
    ASA# show access-list | inc 6131ef0b
    access-list WAN-IN line 1 extended deny ip host 3.3.3.3 any (hitcnt=3) 0x6131ef0b
    Hope this helps
    Please  do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed
    - Jouni
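    As an added illustration of the second method Jouni describes (this is not code from the thread), a small Python helper that pulls the ACE hash out of the ASA deny message and looks it up in "show access-list" output. The sample log line and the first rule are taken from the post above; the second rule and its hash 0x1a2b3c4d are constructed for the example.

```python
import re

# Constructed sample input, modelled on the syslog line and the
# "show access-list" line quoted in the thread above. The second rule
# and its hash 0x1a2b3c4d are constructed for illustration.
SAMPLE_LOG = ('Deny tcp src WAN:3.3.3.3/12345 dst LAN:10.0.10.1/80 '
              'by access-group "WAN-IN" [0x6131ef0b, 0x0]')
SAMPLE_SHOW = """\
access-list WAN-IN line 1 extended deny ip host 3.3.3.3 any (hitcnt=3) 0x6131ef0b
access-list WAN-IN line 2 extended permit tcp any host 10.0.10.1 eq www (hitcnt=120) 0x1a2b3c4d
"""

# The bracket ending the deny message holds the ACE hash that "show access-list" prints per rule.
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)" \[(?P<hash>0x[0-9a-f]+), 0x[0-9a-f]+\]')
ACE_RE = re.compile(
    r'^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.*?) '
    r'\(hitcnt=(?P<hits>\d+)\) (?P<hash>0x[0-9a-f]+)$')

def parse_deny(msg):
    """Return the fields of an ASA access-group deny message, or None."""
    m = DENY_RE.search(msg)
    return m.groupdict() if m else None

def index_aces(show_output):
    """Map ACE hash -> rule fields parsed from 'show access-list' text."""
    table = {}
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            ace = m.groupdict()
            ace["line"], ace["hits"] = int(ace["line"]), int(ace["hits"])
            table[ace["hash"]] = ace
    return table

def find_blocking_ace(msg, show_output):
    """Correlate a deny message with the ACE that produced it.
    Returns None (rather than guessing) when the message does not parse,
    the hash is not in the output, or it belongs to a different ACL."""
    deny = parse_deny(msg)
    if deny is None:
        return None
    ace = index_aces(show_output).get(deny["hash"])
    if ace is None or ace["acl"] != deny["acl"]:
        return None
    return ace

if __name__ == "__main__":
    hit = find_blocking_ace(SAMPLE_LOG, SAMPLE_SHOW)
    print(f'matched line {hit["line"]}: {hit["body"]} (hitcnt={hit["hits"]})')
```

    Feed it the real syslog line and the output of "show access-list" from the same device; if the ACL was edited between the two, the hash may no longer match and the helper deliberately returns None.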

  • CRM ACE User Context Update

    Hi all,
    How do we update the user context of active ACE users automatically? Currently the user context is getting expired after the default time of 16 hours, and after that, when the users search on orders, it produces zero results. When I go to ACE_UPDATE and update the user context, it works fine again.
    Is there a way to do it automatically?
    Thanks.
    Neha.
    Edited by: Neha Kapoor on May 22, 2009 1:04 AM

    Hi Neha,
    This is due to some missing authorization for users when ACE tries to do a user context refresh or calculates the actor again. Please put a trace on the user when this automatic refresh happens (after 16 hours in your case, and when the user logs in).
    Ideally, the user should have the required authorization to be able to execute the AFU method of his/her ACE classes.
    Hope this helps.
    Regards,
    Satender

  • BB Internet Browser traffic flowing thru company web filter

    I have a BES server, with all users on corporate email.
    When using the BB handset to access a website, some users are blocked
    from certain sites by the corporate web filter.  Others are not.
    I did not know that any BB handset internet traffic was routed through the
    corporate internet network.  What determines this?  Why are some
    going through the filter, while others do not?
    Thanks for the help.

    While they are on your corporate BES, all traffic that goes through the BlackBerry browser goes through the BES.  On the BlackBerry, you can change the browser to the device browser or another one of your choosing, but the BlackBerry browser is for internal usage. Just have the user use a different web browser on his BlackBerry if he really wants to get around it.
    If someone helped you give them kudos. Research all info!
