02-07-2012 06:51 AM
Hi there,
I have one behaviour on the ACE that I cannot understand...
We have one interface on the ACE which is connected to a firewall via a switch.
In the same VLAN is a serverfarm.
Net e.g. 172.16.10.0/24
The servers' gateway is the ACE (172.16.10.1).
The ACE's gateway is the firewall (172.16.10.2).
When a server in another net (172.20.10.0/24) is connecting to 172.16.10.0/24, the SYN is sent from the firewall directly to the server in net 172.16.10.0/24, because the firewall has an interface directly connected.
The SYN-ACK is sent through the ACE (because the server gateway is the ACE).
-> The ACE is NOT routing this packet back to 172.20.10.0/24 via the firewall. The routing table is OK.
In a capture on the ACE the packet is NOT displayed...
But when the server in 172.16.10.0/24 is initiating the session, the SYN is routed through the ACE and in the capture I can see the packet...
Can anyone tell me if the ACE prevents routing without seeing the SYN? (anti-spoofing etc...)
Note: I mean really ROUTING, not balancing...
Kind regards, K. Liepold
02-07-2012 01:09 PM
Hi Liepold,
In some way the ACE works as a stateful proxy. If there is a SYN-ACK from the server, the SYN had to be generated by the ACE itself as an action for the SYN received on the VIP (proxy between the client and the server(s)).
You can solve this by setting the server gateway to the firewall and doing SNAT for the clients. This way the connections that come directly to the server will go back via the firewall, and the connections to the VIP on the ACE will be SNATed, the return flow going to the ACE on its way to the client.
Dan
02-08-2012 12:11 AM
Hi Dan-Ciprian,
Thank you for the fast answer.
But I'm not sure that you know what I mean.
In this case I need the ACE as a simple router, not as a load balancer.
Or do you mean that the ACE interprets the SYN-ACK from the "backend" server as a load-balancing act?
Because the L7 policy is bound on this interface.
So when I remove this policy from the interface, the ACE has no reason to act as a load balancer and routes the SYN-ACK even though the initiating SYN has failed to pass the ACE?
Karlheinz Liepold
02-08-2012 12:38 AM
Hi Karlheinz,
The ACE will internally open a connection even for traffic that is just routed through it. This includes applying some of the normalization features, which can cause asymmetric connections to fail.
You could try disabling normalization on all the interfaces to see if it solves the issue.
Regards
Daniel
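To make the failure mode Daniel describes concrete, here is an added toy model (not Cisco code, not from the thread) of a router that, like the ACE, keeps a per-flow connection entry and, with normalization on, drops TCP segments whose state it never saw. The hosts, ports and the two-function layout are constructed assumptions matching the topology in the first post.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK

@dataclass
class StatefulRouter:
    """Routes packets but opens an internal connection entry per flow and,
    with normalization on, refuses segments that are out of TCP state."""
    normalization: bool = True
    table: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def forward(self, seg: Segment) -> bool:
        fwd = (seg.src, seg.dst, seg.sport, seg.dport)
        rev = (seg.dst, seg.src, seg.dport, seg.sport)
        if seg.flags == "S":
            self.table[fwd] = "SYN_SEEN"       # a new flow always starts with a SYN
            return True
        if not self.normalization:
            return True                        # plain routing: no TCP state check
        if seg.flags == "SA" and self.table.get(rev) == "SYN_SEEN":
            self.table[rev] = "ESTABLISHED"
            return True
        if seg.flags == "A" and (fwd in self.table or rev in self.table):
            return True
        self.dropped.append(seg)              # never saw the SYN for this flow
        return False

CLIENT, SERVER = "172.20.10.5", "172.16.10.50"   # constructed hosts in the two nets

def client_initiated(normalization: bool) -> bool:
    """The SYN went firewall -> server directly, so the ACE never saw it;
    only the SYN-ACK (server -> ACE gateway) arrives. True if it is routed."""
    ace = StatefulRouter(normalization)
    return ace.forward(Segment(SERVER, CLIENT, 80, 40000, "SA"))

def server_initiated(normalization: bool) -> bool:
    """Server opens the session: its SYN passes the ACE, the client's SYN-ACK
    returns via the firewall directly, and the server's ACK again passes the ACE."""
    ace = StatefulRouter(normalization)
    ok_syn = ace.forward(Segment(SERVER, CLIENT, 50000, 443, "S"))
    ok_ack = ace.forward(Segment(SERVER, CLIENT, 50000, 443, "A"))
    return ok_syn and ok_ack
```

Running `client_initiated(True)` reproduces the dropped SYN-ACK from the first post, while `client_initiated(False)` shows why disabling normalization lets the asymmetric flow through.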
02-08-2012 01:02 AM
Wow, THIS is it!
It works!
Oh, the ACE and its thousands of default security features... :-)
Thank you.