03-30-2016 07:43 AM - edited 03-01-2019 04:56 AM
Hello,
I have a host plugged into a leaf switch, ACI model. When I telnet to the internet from the host, I see the SYN packet leave the 9ks and go out to the Internet. Then I see the SYN ACK packet being sent back into the 9ks, but it never gets back to the host. I have bidirectional contracts allowing HTTPS/HTTP, but it seems to be dropping somewhere in the Fabric.
Nothing flags as negative when I run the Visibility & Troubleshooting report, so I am totally stumped here and would appreciate any feedback.
Thanks!
03-30-2016 11:43 AM
If I am reading your post correctly, you should also be allowing port 23, besides HTTP/HTTPS.
03-30-2016 01:08 PM
Sorry, I meant I would telnet on port 80 for HTTP.
03-30-2016 11:54 AM
Hi Joshua,
Can you answer the following questions?
03-30-2016 01:18 PM
Hi Ipember,
1. 1.2(1k), running ACI mode
2. That command isn't taking, although I'm connecting to it via the Attach command on the APIC. Assuming I'll need to set up a mgmt port on the leaf and ssh to it to get the CLI.
3. The L3 Out router can see the return traffic coming from the internet, egressing from the 9k-facing port. IP cache flow. I know it's a SYN ACK and not a reset because the next hop out is an ASA and the capture shows it handing a SYN ACK to the L3 Out router.
4. I think so, but I will admit I'm surrounded by a lot of new stuff that I'm still trying to absorb.
**** New Info ****
I discovered that I can make successful telnets from the host when I change the VRF's Policy Control Enforcement Preference to Unenforced. Then it breaks again when set back to Enforced. So even though I haven't found any dropped packets yet, this makes me think my contracts are jacked up somehow.