01-03-2011 08:17 PM
We are currently doing an outbound proxy through the ACE using an external IP as an rserver.
Our internal server makes a request to the VIP on port 82, which then makes the request to the external server on 443 (rserver).
We are getting resets on this.
Our question is regarding the conn table.
The initial connection gets established to the VIP of the ACE and from the VIP to the external server.
However, the conn table then seems to switch from the external IP (rserver) directly to the inside host; the VIP is no longer in the table.
I understand that on L7 load balancing the VIP will set up the TCP connection, then cut through the connection from the
inside address to the external IP, however we are not doing this.
Here is the connection table we see:
External IPs changed
172.20.212.6=internal server (client) making outbound call
172.20.120.19=VIP
70.70.70.70=external server (rserver) IP changed
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
1484085    1  in  TCP   151  172.20.212.6:35866    172.20.120.19:82      ESTAB
1484307    1  out TCP   150  70.70.70.70:443       172.20.212.6:35866    ESTAB
Then switches to a direct connection:
1360573    1  out TCP   151  172.20.212.6:38495    70.70.70.70:443       ESTAB
1360577    1  in  TCP   150  70.70.70.70:443       172.20.212.6:38496    ESTAB
1360640    1  out TCP   151  172.20.212.6:38496    70.70.70.70:443       ESTAB
1364243    1  in  TCP   150  70.70.70.70:443       172.20.212.6:43138    ESTAB
My question: is this a proper flow?
Under other connections we see the VIP stay in the connection table for the duration of the connection.
01-06-2011 12:46 PM
Richard,
This definitely doesn't look correct. Can you show me the configuration you are using for this VIP, including the interfaces?
Thanks,
Chris
01-07-2011 01:37 PM
Hi Chris-
We opened a TAC case and we were informed that this is normal behavior since we don't have NAT'ing on the interface.
Our capture shows that after the TCP connection is established with the ACE VIP and the rserver,
an SSL conversation then begins with the real host and real server directly.
My question is...since this is happening directly...is the ACE no longer active in the conversation?
I was under the impression that the ACE only unproxies itself and "splices" the real host and real server L7
behavior...redirecting on URI..etc
policy-map type loadbalance first-match CLASS-TEST1-POLICY
  class class-default
    serverfarm -TEST1
    ssl-proxy client TEST1-SSL
If this is normal behavior...is the ACE now just a pass through?