ACE Packet Capture Only Capturing Front-End Packets

Michael Mertens
Level 1

I have an ACE pair in HA mode running A5.2(2) in one-armed configuration, therefore doing source NAT. I'm researching a problem with a web serverfarm (L7 "/.*" rule) where one particular URL doesn't work, but it works when going to the back-end server directly. Anyway, my question has to do with this: when I attempt to run the packet capture on the ACE for this event, I'm only capturing the front-end transaction and never see anything on the back end. I've done this several times. I don't even see packets sourced from 10.11.39.2 (NATed address) go towards the real server, and I know they must, since pointing my browser to the VIP 10.11.39.2 works for all other URLs. Any ideas?

THANKS.

    

capture cap1 interface vlan 1201 access-list cap
capture cap1 start


----------------------------------------------------------

access-list access_in line 8 extended permit tcp any any

access-list cap line 8 extended permit ip host 10.11.39.2 any
access-list cap line 16 extended permit ip any host 10.11.39.2

class-map match-all REPORT_VIP
  2 match virtual-address 10.11.39.2 tcp eq www

class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit


policy-map multi-match LOAD_BAL
  class REPORT_VIP
    loadbalance vip inservice
    loadbalance policy REPORT_PM
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 1201
    appl-parameter http advanced-options PARSE_LENGTH_PARMS


interface vlan 1201
  ip address 10.11.39.254 255.255.252.0
  ip options clear
  alias 10.11.39.246 255.255.252.0
  peer ip address 10.11.39.245 255.255.252.0
  syn-cookie 100
  access-group input access_in
  nat-pool 2 10.11.39.2 10.11.39.2 netmask 255.255.255.255 pat
  service-policy input LOAD_BAL
  service-policy input NORMALIZATION
  service-policy input remote_mgmt_allow_policy
  no shutdown

2 Replies

Cesar Roque
Level 4

Hi Michael,

This example may be helpful for you:

        Client 192.168.1.1

        VIP 10.0.0.1 (No source NAT)

        Rserver 20.0.0.1

    You can set up the specific ACL as such:

       access-list ACL-capture line 1 extended permit ip host 192.168.1.1 host 10.0.0.1

       access-list ACL-capture line 2 extended permit ip host 10.0.0.1 host 192.168.1.1

       access-list ACL-capture line 3 extended permit ip host 192.168.1.1 host 20.0.0.1

       access-list ACL-capture line 4 extended permit ip host 20.0.0.1 host 192.168.1.1

---------------------
Cesar R
ANS Team

Cesar,

Thanks for the response. I should have included in the original post that I tried including the real server (there's only one currently active) in the access-list as

access-list cap line 8 extended permit ip host 10.11.39.2 host 10.11.36.68

access-list cap line 16 extended permit ip host 10.11.36.68 host 10.11.39.2

Then, I even tried just the real server:

access-list cap line 8 extended permit ip any host 10.11.36.68

access-list cap line 16 extended permit ip host 10.11.36.68 any

But I still don't capture anything on the back end, even though I know that communication is happening. It almost seems buggy to me (or I'm missing something very obvious).

Thanks!

Mike.
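As an added example (not part of the original thread, and not Cisco's own tooling), the following Python model checks which of the four legs of a one-armed, source-NATed connection an ACE-style `permit ip` capture ACL would match. It reuses the addresses posted above (VIP and NAT pool 10.11.39.2, rserver 10.11.36.68, and Cesar's 192.168.1.1 / 10.0.0.1 / 20.0.0.1); the client address 192.0.2.10 for Mike's topology, the hypothetical NAT pool 10.0.0.2 in the third case, and all function names are assumptions for illustration.

```python
"""Which legs of a one-armed, source-NATed ACE connection does a capture ACL match?

Constructed example: models ACE 'access-list NAME line N extended permit ip SRC DST'
entries (any | host A.B.C.D | A.B.C.D MASK) and the four unidirectional legs of one
load-balanced connection. Not Cisco code; addresses are taken from the thread or
are labelled assumptions.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _operand(tokens, i):
    """Consume one address operand starting at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ACE ACLs use a normal subnet mask (not a wildcard), e.g. 10.11.36.0 255.255.252.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text, name):
    """Return sorted [(line_no, src_net, dst_net)] for the 'permit ip' entries of ACL `name`."""
    entries = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 9 or t[:2] != ["access-list", name] or t[2] != "line":
            continue
        if t[4:7] != ["extended", "permit", "ip"]:
            continue  # only the plain 'permit ip' form is modelled here
        src, i = _operand(t, 7)
        dst, _ = _operand(t, i)
        entries.append((int(t[3]), src, dst))
    return sorted(entries)


def flow_legs(client, vip, rserver, snat=None):
    """The four legs of one connection. With source NAT (one-armed mode) the back-end
    legs are sourced from the NAT pool address, not the client, so that is what the
    capture ACL must match on the server side."""
    back_src = snat or client
    return {
        "client->vip": (client, vip),
        "vip->client": (vip, client),
        "ace->rserver": (back_src, rserver),
        "rserver->ace": (rserver, back_src),
    }


def coverage(entries, legs):
    """Map each leg name to True if at least one ACL entry matches its src/dst pair."""
    result = {}
    for name, (s, d) in legs.items():
        s_ip, d_ip = ipaddress.ip_address(s), ipaddress.ip_address(d)
        result[name] = any(s_ip in src and d_ip in dst for _, src, dst in entries)
    return result


# Capture ACL from the original post (NAT pool address 10.11.39.2 equals the VIP).
OP_ACL = """
access-list cap line 8 extended permit ip host 10.11.39.2 any
access-list cap line 16 extended permit ip any host 10.11.39.2
"""

# Cesar's example ACL, written for a VIP without source NAT.
CESAR_ACL = """
access-list ACL-capture line 1 extended permit ip host 192.168.1.1 host 10.0.0.1
access-list ACL-capture line 2 extended permit ip host 10.0.0.1 host 192.168.1.1
access-list ACL-capture line 3 extended permit ip host 192.168.1.1 host 20.0.0.1
access-list ACL-capture line 4 extended permit ip host 20.0.0.1 host 192.168.1.1
"""


def op_case():
    """Mike's topology: one-armed, SNAT pool = VIP 10.11.39.2, rserver 10.11.36.68.
    Client 192.0.2.10 is an assumed address."""
    legs = flow_legs("192.0.2.10", "10.11.39.2", "10.11.36.68", snat="10.11.39.2")
    return coverage(parse_acl(OP_ACL, "cap"), legs)


def cesar_case(snat=None):
    """Cesar's topology, optionally with an (assumed) source-NAT pool address."""
    legs = flow_legs("192.168.1.1", "10.0.0.1", "20.0.0.1", snat=snat)
    return coverage(parse_acl(CESAR_ACL, "ACL-capture"), legs)


if __name__ == "__main__":
    cases = [
        ("original post, SNAT pool = VIP", op_case()),
        ("Cesar's ACL, no source NAT", cesar_case()),
        ("Cesar's ACL, SNAT pool 10.0.0.2 (assumed)", cesar_case("10.0.0.2")),
    ]
    for label, cov in cases:
        missing = [leg for leg, ok in cov.items() if not ok]
        print(f"{label}: " + ("all four legs matched" if not missing else "missed " + ", ".join(missing)))
```

Run stand-alone, the model shows that Mike's two-line ACL already matches all four legs (because the NAT pool address is the VIP itself), so the ACL text is not what hides the back-end packets. It also shows the caveat in Cesar's no-source-NAT example: once a NAT pool address that differs from the VIP is in play, entries 3 and 4 have to pair the pool address with the rserver rather than the client with the rserver, or the back-end legs are never captured.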
