Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1145
Views
0
Helpful
2
Replies

Ace does not replace real server IP with VIP on https replies (sometimes)

Go to solution
g.eleftheriou
Level 1
Level 1

‎09-28-2010 11:44 PM

Hi people,

I have ACE as SSL termination device and load balancer. It listens on VIP 192.168.1.20 port 443 and load balances (using cookies for stickyness) to two www servers 172.16.1.1 and 172.16.1.2 port 8795. The ACE is behind our firewall which does the NAT of the external IP to the VIP (192.168.1.20).

We have seen that sometimes the firewall drops packets because first packet isn't syn and the source of the packet is the real server IP and the destination IP is the real IP of the client.

So on the firewall I see the message 172.16.1.1 port 7791 to 89.23.45.67 dropped because first packet isn't syn. That means that ACE didn't replace the real server IP with the VIP. (we see the incoming connection is made ok). This doesn't happen always, but happens.

Any ideas why this is happenning?

Any help is appreciated

George

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Gilles Dufour
Cisco Employee
Cisco Employee

‎09-29-2010 08:47 AM

only possible explanation is that the connection was deleted from ACE and you have normalization turn off.

So when the server sends a packet to the client after the connection was removed, ACE does not know it should be nated to the vip.

Normally, with normalization on, the packet should be dropped.  But if you have it turned off, the packet is forwarded.

Re-enable normalization to block this traffic before it gets to the firewall.


Then start sniffing your traffic to see why the connection got removed from ACE.

Could be a time out ? or a RESET from client or firewall.

Gilles.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Gilles Dufour
Cisco Employee
Cisco Employee

‎09-29-2010 08:47 AM

only possible explanation is that the connection was deleted from ACE and you have normalization turn off.

So when the server sends a packet to the client after the connection was removed, ACE does not know it should be nated to the vip.

Normally, with normalization on, the packet should be dropped.  But if you have it turned off, the packet is forwarded.

Re-enable normalization to block this traffic before it gets to the firewall.


Then start sniffing your traffic to see why the connection got removed from ACE.

Could be a time out ? or a RESET from client or firewall.

Gilles.

0 Helpful

Go to solution
g.eleftheriou
Level 1
Level 1
In response to Gilles Dufour

‎09-29-2010 11:27 PM

Gilles you are right. I had "no normalization"

By enabling back normalization the problem stopped.

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card