Showing results for 
Search instead for 
Did you mean: 

ACE issues with a supernetted /25 subnet?

Hey techies.

We thought we'd do something different this week... a new server subnet was needed, but for only a few IP's.  As we had recently rolled out a subnet that fit the same category, the decision was made to take the existing class C subnet and bust it in half.

Our internal IP structure is in the range, and the existing subnet was  I took that and created a pair of subnets ( - 127 [vlan 155];  and [vlan 55].  Gateways are 155.1 and 155.254 respectively).

In the ACE, I created the same int vlan setup for the above addressing scheme:

interface vlan 55
  description *** UC Subnet ***
  ip address
  access-group input EVERY1
  service-policy input UC-POLICY
  no shutdown
interface vlan 155

  description *** ESB Subnet ***
  ip address
  access-group input EVERY1
  service-policy input ESB-POLICY
  no shutdown
interface vlan 234

  description *** Outside to ASA ***
  ip address
  access-group input EVERY1
  service-policy input REMOTE-ACCESS2
  no shutdown

Here then is the issue.  The half dozen servers in the bottom half of the subnet (vlan 155, servers are 155.50 through 155.90) can browse the network and the internet at will.  The servers in the top half of the subnet (vlan 55, servers are 155.150 through 155.200) cannot browse anything.  Even basic internet browsing fails.  DNS is confirmed... so though I can ping google/yahoo/etc and get resolution, browsing fails.

In the ACE syslogs, for my server at 151.163 I get the following when trying to browse to

Aug 12 2010 15:40:12 UAT-ESB: %ACE-6-302022: Built TCP connection 0x1f4682 for vlan55: ( to vlan234: (

Aug 12 2010 15:40:18 UAT-ESB: %ACE-6-302023: Teardown TCP connection 0x1f4682 for vlan55: ( to vlan234: ( duration 0:00:06 bytes 48 SYN Timeout

On the ASA 5540 attached via int vlan 234, the syslog error looks like this:

Aug 12 2010 15:40:39: %ASA-6-302014: Teardown TCP connection 79295482 for Outside-Con2: to duration 0:00:06 bytes 0 TCP Reset-I

So from the ACE, a SYN Timeout.  From the ASA, a Reset on the Inside int.

My best guess is that the request is being accepted by the ACE for the server in the top half of the subnet, but for some reason, the reply is being accepted on the ACE's outside interface on behalf of the bottom half of the subnet, resulting in a SYN handshake issue there, and a resulting Reset being sent to the Inside int on the ASA.

The question, then, is if anyone has had success CIDR'ing a subnet as I've done, and still had success having their ACE distinguish between the chunks?

Preciate any thoughts.



Re: ACE issues with a supernetted /25 subnet?

The ACE does not have any restrictions on subnet mask.

As long as you are not overlapping, the subnet mask should not be a problem.

We do not have much information about your topology. Are the servers directly connected to the ACE ?

Remember that the server needs to respond back to the ACE not directly to the client.

If the server does not use the ACE as the default route, you need to use source NAT on the server VLAN.

Thank you,



Re: ACE issues with a supernetted /25 subnet?

I didn't think the ACE would be the issue... but then I have nothing to go on.

The ACE module is in a 6504, along with a sup module and a 48-port ethernet module.  The servers use default gateways that the ACE owns.

We've used source natting in the past, but only when needed... ie, when routing traffic out and back into the same vlan.  For internet access, this has never been required.  As you said, the ACE is the default gateway.  For fun I went ahead and added a source nat for the top half of the subnet... though it didn't improve anything.  Still a syn timeout on the outside of the ACE, and a reset-I on the inside int of the ASA.

Let me know what else you can think of... and I appreciate your help.