Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
685
Views
0
Helpful
3
Replies

ACE problem - bridge mode - behind a firewall

damianhinojosa
Level 1
Level 1

‎04-01-2009 05:07 AM

Hello

We are having problems with one of you ACE context, this implementation was done by a supplier and I am trying to troubleshoot it.

The clients and the servers are on different subnets, there is a Nokia firewall in the middle. The firewalls are setup on a cluster.

Connecting to port 7072 is taking at least 30 seconds. If I move the server into the VLAN in front of the ACE, the connection is instant. So it does indicate a problem on the ACE.

The client IP is .99.11.

The VIP is .100.62 and the server node is .100.12.

Running the capture command I can see the following behavior:

1. The client initiates the connection to the ACE Vip

2. At the same time it looks like a second connection is initiated from the client to the server node

Please see attachment.

Is this a normal situation where the connection is duplicated?

Does this interface setup look correct?

Is the bridge mode the correct setup in this scenario?

interface vlan 10

bridge-group 2

no normalization

mac-sticky enable

access-group input PERMITALL

service-policy input VLAN10-INTER-MMPM

no shutdown

interface vlan 15

bridge-group 2

no normalization

access-group input PERMITALL

no shutdown

interface bvi 2

ip address 192.168.100.7 255.255.255.192

alias 192.168.100.6 255.255.255.192

peer ip address 192.168.100.8 255.255.255.192

no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.100.1

Many thanks,

Damian

Labels:
Preview file
4 KB
0 Helpful
3 Replies 3

JamesLuther
Level 3
Level 3

‎04-01-2009 07:02 AM

Hi,

Are you capturing data on both sides of the ACE?

It looks to me that you are seeing the connection from the client to the ACE (192.168.99.11 -> 192.168.100.62) and then the connection from the ACE to the server (192.168.99.11 -> 192.168.100.12). So the capture output is normal.

I can't comment on the bridge mode setup as I've not seen this used before.

Regards

0 Helpful

damianhinojosa
Level 1
Level 1
In response to JamesLuther

‎04-01-2009 07:45 AM

Thanks for replying James,

I am sure I configured the capture only for VLAN10 which is in the VIP side.

But you are right, it looks like is showing both VLAN10 and VLAN15. So that is one of my theories out of the window! :)

This is a new installation, still on the testing stage. So it would be good time to make changes.

Do you normally implement a routed setup behind a firewall? Rather than a bridged….

It is quite a small setup:

• Traffic is coming from a separate local subnet

• Traffic is not coming from the internet so it does not required a NAT

• We need 1 VIP listening on two ports

• The backend servers are four Linux boxes

Thanks again,

Damian

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee

‎04-01-2009 08:05 AM

Damian,

we don't see a 30 seconds trace in your capture.

If you say it takes 30sec, we should see the delay somewhere in the trace.

The trace only last 4 seconds.

Bridging w/ firewall is very common.

Your setup should be ok.

Try to locate the delay in your trace.

G.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents