08-01-2013 04:54 AM
I have an ACE pair in HA mode running A5.2(2) in one-armed configuration, therefore doing source NAT. I'm researching a problem with a web serverfarm (L7 "/.*" rule) where one particular URL doesn't work, but it works when going to the back-end server directly. Anyway, my question has to do with: when I attempt to run the packet capture on the ACE of this event, I'm only capturing the front-end transaction and never see anything on the back end. I've done this several times. I don't even see packets sourced from 10.11.39.2 (NATed address) go towards the real server, and I know they must, since pointing my browser to the VIP 10.11.39.2 works on all other URLs. Any ideas?
THANKS.
capture cap1 interface vlan 1201 access-list cap
capture cap1 start
----------------------------------------------------------
access-list access_in line 8 extended permit tcp any any
access-list cap line 8 extended permit ip host 10.11.39.2 any
access-list cap line 16 extended permit ip any host 10.11.39.2
class-map match-all REPORT_VIP
2 match virtual-address 10.11.39.2 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map multi-match LOAD_BAL
class REPORT_VIP
loadbalance vip inservice
loadbalance policy REPORT_PM
loadbalance vip icmp-reply active
nat dynamic 2 vlan 1201
appl-parameter http advanced-options PARSE_LENGTH_PARMS
interface vlan 1201
ip address 10.11.39.254 255.255.252.0
ip options clear
alias 10.11.39.246 255.255.252.0
peer ip address 10.11.39.245 255.255.252.0
syn-cookie 100
access-group input access_in
nat-pool 2 10.11.39.2 10.11.39.2 netmask 255.255.255.255 pat
service-policy input LOAD_BAL
service-policy input NORMALIZATION
service-policy input remote_mgmt_allow_policy
no shutdown
08-02-2013 12:16 PM
Hi Michael,
This example may be helpful for you:
Client 192.168.1.1
VIP 10.0.0.1 (No source NAT)
Rserver 20.0.0.1
You can set up the specific ACL as such:
access-list ACL-capture line 1 extended permit ip host 192.168.1.1 host 10.0.0.1
access-list ACL-capture line 2 extended permit ip host 10.0.0.1 host 192.168.1.1
access-list ACL-capture line 3 extended permit ip host 192.168.1.1 host 20.0.0.1
access-list ACL-capture line 4 extended permit ip host 20.0.0.1 host 192.168.1.1
---------------------
Cesar R
ANS Team
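Cesar's ACL covers the two legs that exist when there is no source NAT. In Mike's one-armed deployment the back-end leg is sourced from the NAT pool address instead of the client, so a capture ACL has to match SNAT-to-rserver traffic as well. The following is an added example (not from this thread, Cisco, or the ACE software) that models that: it enumerates the expected flows for a one-armed SNAT topology, renders ACE-style capture ACL entries for them, and checks an existing ACL for flows it would never see. All addresses are constructed; the SNAT address 10.0.0.2 is an assumption added to Cesar's numbering.

```python
from ipaddress import ip_address, ip_network

# Constructed topology in the style of Cesar's example, extended with a
# source NAT (nat-pool) address as used in Mike's one-armed setup.
TOPOLOGY = {
    "client": "192.168.1.1",   # constructed
    "vip": "10.0.0.1",         # constructed (from the example above)
    "snat": "10.0.0.2",        # assumed NAT pool address, not from the thread
    "rservers": ["20.0.0.1"],  # constructed
}


def expected_flows(topo):
    """(src, dst) pairs that cross the single one-armed VLAN for one client
    request with source NAT: client<->VIP on the front end, SNAT<->rserver
    on the back end. Without SNAT the back-end leg would be client<->rserver."""
    flows = [(topo["client"], topo["vip"]), (topo["vip"], topo["client"])]
    for rs in topo["rservers"]:
        flows.append((topo["snat"], rs))
        flows.append((rs, topo["snat"]))
    return flows


def capture_acl(name, flows):
    """Render ACE-style 'access-list NAME line N extended permit ip host A host B'."""
    return [
        f"access-list {name} line {n} extended permit ip host {src} host {dst}"
        for n, (src, dst) in enumerate(flows, start=1)
    ]


def _addr(tokens):
    """Consume one address spec: 'any', 'host A' or 'A MASK'."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    return ip_network((tokens[0], tokens[1]), strict=False), tokens[2:]


def parse_ace_entry(line):
    """Parse one 'extended permit ip' ACL entry into (src_net, dst_net).
    Returns None for entries this toy parser does not model (e.g. tcp/udp)."""
    t = line.split()
    if len(t) < 9 or t[4:7] != ["extended", "permit", "ip"]:
        return None
    src, rest = _addr(t[7:])
    dst, _ = _addr(rest)
    return src, dst


def uncovered_flows(acl_lines, flows):
    """Flows that no ACL entry matches. An empty list means the capture ACL
    would see both the front-end and the NATed back-end leg."""
    entries = [e for e in (parse_ace_entry(l) for l in acl_lines) if e]
    missing = []
    for src, dst in flows:
        s, d = ip_address(src), ip_address(dst)
        if not any(s in es and d in ed for es, ed in entries):
            missing.append((src, dst))
    return missing


if __name__ == "__main__":
    flows = expected_flows(TOPOLOGY)
    full = capture_acl("ACL-capture", flows)
    print("\n".join(full))
    # Cesar's first two lines alone (front end only) miss the back-end leg.
    front_only = full[:2]
    print("uncovered by front-end-only ACL:", uncovered_flows(front_only, flows))
```

Run it to see the four entries a one-armed SNAT capture needs; feeding it only the front-end pair reports the two SNAT<->rserver flows as uncovered, which is exactly the symptom of a capture that shows the client side but nothing towards the real server.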
08-02-2013 03:34 PM
Cesar,
Thanks for the response. I should have included in the original post that I tried including the real server (there's only one currently active) in the access-list as
access-list cap line 8 extended permit ip host 10.11.39.2 host 10.11.36.68
access-list cap line 16 extended permit ip host 10.11.36.68 host 10.11.39.2
Then, I even tried just the real server:
access-list cap line 8 extended permit ip any host 10.11.36.68
access-list cap line 8 extended permit ip host 10.11.36.68 any
But I still don't capture anything on the back end, even though I know that communication is happening. It almost seems buggy to me (or I'm missing something very obvious).
Thanks!
Mike.