Cisco ACI Host to Internet connectivity issues

Joshua Glenn
Level 1

Hello,

I have a host plugged into a leaf switch, ACI mode. When I telnet to the internet from the host, I see the SYN packet leave the 9ks and go out to the Internet. Then I see the SYN ACK packet being sent back into the 9ks, but it never gets back to the host. I have bidirectional contracts allowing HTTPS/HTTP but it seems to be dropping somewhere in the Fabric.

Nothing flags as negative when I run the Visibility & Troubleshooting report, so I am totally stumped here and would appreciate any feedback.

Thanks!

4 Replies

Leon
Level 1

If I am reading your post correctly, you should also be allowing port 23, besides HTTP/HTTPS.

Sorry, I meant I would telnet on port 80 for HTTP.

lpember
Level 1

Hi Joshua,

Can you answer the following questions?

  • What version of ACI are you running?
  • What's the output of "show logging ip access-list internal packet-log deny" on the leaf(s) connected to the host?
  • What tool are you using to verify that the SYN ACK is sent into the N9k?
  • Do you have bidirectional routes for the VRF that the endpoint is in?

Hi lpember,

1. 1.2(1k), running ACI mode

2. That command isn't taking, although I'm connecting to it via the Attach command on the APIC. Assuming I'll need to set up a mgmt port on the leaf and ssh to it to get the CLI.

3. The L3 Out router can see the return traffic coming from the internet, egressing from the 9k-facing port (IP cache flow). I know it's a SYN ACK and not a reset because the next hop out is an ASA and the capture shows it handing a SYN ACK to the L3 Out router.

4. I think so, but I will admit I'm surrounded by a lot of new stuff that I'm still trying to absorb.

**** New Info ****

I discovered that I can make successful telnets from the host when I change the VRF's Policy Control Enforcement Preference to Unenforced. Then it breaks again when set back to enforced. So even though I haven't found any dropped packets yet, this makes me think my contracts are jacked up somehow.
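The two settings this thread turns on, the VRF's Policy Control Enforcement Preference and the contract relations between the host EPG and the L3Out external EPG, can be audited offline from an APIC class query. The script below is an added example, not code from any post or from Cisco; it takes a constructed JSON document in the shape of an APIC `imdata` response (object class names and attributes such as `fvCtx.pcEnfPref`, `vzSubj.revFltPorts`, `fvRsCons`/`fvRsProv.tnVzBrCPName` are the real APIC names; the tenant, VRF and contract names are made up) and reports VRFs left unenforced, contract subjects that do not reverse filter ports (so a filter permitting destination port 80 does not by itself permit the SYN ACK coming back from source port 80), and contracts that are consumed without a provider or provided without a consumer.

```python
"""Offline audit of ACI VRF enforcement and contract relations.

Added example. Input is a constructed JSON document shaped like an APIC
class-query response ({"imdata": [{"<class>": {"attributes": {...}}}, ...]}),
not data captured from the fabric discussed in the thread.
"""
import json
from collections import defaultdict

# Constructed sample; tenant, VRF, EPG and contract names are invented.
SAMPLE_APIC_JSON = json.dumps({"imdata": [
    # VRF with policy control enforcement switched off: every contract is bypassed.
    {"fvCtx": {"attributes": {"dn": "uni/tn-Prod/ctx-Prod-VRF",
                               "name": "Prod-VRF", "pcEnfPref": "unenforced"}}},
    {"fvCtx": {"attributes": {"dn": "uni/tn-Lab/ctx-Lab-VRF",
                               "name": "Lab-VRF", "pcEnfPref": "enforced"}}},
    # Host EPG consumes Web-Out; the L3Out external EPG provides it.
    {"fvRsCons": {"attributes": {"dn": "uni/tn-Prod/ap-Web/epg-Hosts/rscons-Web-Out",
                                  "tnVzBrCPName": "Web-Out"}}},
    {"fvRsProv": {"attributes": {"dn": "uni/tn-Prod/out-Internet/instP-Ext/rsprov-Web-Out",
                                  "tnVzBrCPName": "Web-Out"}}},
    # A contract that is consumed but never provided by any EPG.
    {"fvRsCons": {"attributes": {"dn": "uni/tn-Prod/ap-Web/epg-Hosts/rscons-Orphan",
                                  "tnVzBrCPName": "Orphan"}}},
    {"vzBrCP": {"attributes": {"dn": "uni/tn-Prod/brc-Web-Out", "name": "Web-Out"}}},
    {"vzBrCP": {"attributes": {"dn": "uni/tn-Prod/brc-Orphan", "name": "Orphan"}}},
    # Subject that does not reverse filter ports: return traffic needs its own filter.
    {"vzSubj": {"attributes": {"dn": "uni/tn-Prod/brc-Web-Out/subj-web",
                                "name": "web", "revFltPorts": "no"}}},
    {"vzSubj": {"attributes": {"dn": "uni/tn-Prod/brc-Orphan/subj-any",
                                "name": "any", "revFltPorts": "yes"}}},
]})


def load_mos(apic_json):
    """Group managed objects by class name -> list of attribute dicts."""
    by_class = defaultdict(list)
    for item in json.loads(apic_json)["imdata"]:
        # Each imdata entry is a single-key dict: {"<class>": {"attributes": {...}}}
        (cls, body), = item.items()
        by_class[cls].append(body["attributes"])
    return by_class


def audit_contracts(apic_json):
    """Return a list of human-readable findings about enforcement and contract wiring."""
    mos = load_mos(apic_json)
    findings = []

    # 1. Unenforced VRFs: traffic flows regardless of contracts, so a "fix" that
    #    consists of flipping this switch removes all segmentation in that VRF.
    for ctx in mos["fvCtx"]:
        if ctx.get("pcEnfPref") == "unenforced":
            findings.append(f"VRF {ctx['dn']}: policy control unenforced, contracts are bypassed")

    # 2. Subjects without reverse filter ports: a TCP/80 filter then matches only
    #    client->server; the SYN ACK (source port 80) is not covered.
    for subj in mos["vzSubj"]:
        if subj.get("revFltPorts") == "no":
            findings.append(f"Subject {subj['dn']}: reverse filter ports disabled; "
                            f"return traffic needs its own filter")

    # 3. Contracts that only have one side attached never permit anything.
    consumed = {r["tnVzBrCPName"] for r in mos["fvRsCons"]}
    provided = {r["tnVzBrCPName"] for r in mos["fvRsProv"]}
    for name in sorted(consumed - provided):
        findings.append(f"Contract {name}: consumed but never provided")
    for name in sorted(provided - consumed):
        findings.append(f"Contract {name}: provided but never consumed")
    return findings


if __name__ == "__main__":
    for line in audit_contracts(SAMPLE_APIC_JSON):
        print(line)
```

Against the sample the audit reports the unenforced VRF, the `web` subject with reverse filter ports off, and the `Orphan` contract with no provider; `Lab-VRF` and the fully wired `Web-Out` contract produce nothing. With a real fabric the same function can be pointed at the output of a class query for `fvCtx`, `vzSubj`, `fvRsCons` and `fvRsProv`, and the unenforced-VRF finding is the one to treat as a standing risk rather than a troubleshooting step.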
