Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1808
Views
0
Helpful
4
Replies

ACE working with IronPort WSA server farm

e.lopessilva
Level 1
Level 1

‎09-03-2012 07:50 AM

We have an ACE load balancing a group of Ironport WSA. The WSA are working with the feature IP Spoofing, then the request to WWW has the source ip address of the WSA client and not the WSA itself.

We follow the documento behind, but it is not working. When the packet coming from Internet having the destination address the WSA client address, the ACE can not delivery the packet even with the mac-sticky configured.

I read in other forum that ACE needs to have in its arp table or route table the destination IP address for being able to deal with the packet by the encapid.

But we don't have this entry in the arp table.

When we configure the WSA with IP spoofing and the source ip address is the WSA itself the configuration works fine.

Some have this kind of problem in some ocasion?

Thank you,

Everaldo

Labels:
0 Helpful
4 Replies 4

Jorge Bejarano
Level 4
Level 4

‎09-03-2012 12:17 PM

Hello Everaldo,

Can you paste your configuration?

Could you elaborate a little bit more your question or requirement here?

From my understanding you are using a Ironport as proxy server which will handle receive all the requests from all the internet users and will represent the users when it talks to the ACE, correct? And it seems you need to have stickiness configured correct? What kind of stickiness are you using? Have you tried with a stickiness based on cookies?

Jorge

0 Helpful

e.lopessilva
Level 1
Level 1
In response to Jorge Bejarano

‎09-03-2012 01:26 PM

Hi Jorge,

Follow the configuration. Trying to be more clear, exactly ACE load balances of IronPorts from internal clients accessing Internet. The Ironports are using IP spoofing that uses the address of internal client instead of its own ip address. We are using just mac-sticky acording a Cisco document recomends. Follow the link http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/guide_c07-623533_ps7027_Products_White_Paper.html

Follow the configuration:

`show running-config`
Generating configuration....

logging enable
logging trap 5
logging monitor 7
logging device-id string 10.10.192.16/WSA
logging host 10.10.192.55 udp/514
logging message 111008 level 2

access-list EVERYONE line 5 extended permit icmp any any
access-list EVERYONE line 10 extended permit ip any any
access-list EVERYONE-v6 line 8 extended permit icmpv6 anyv6 anyv6
access-list EVERYONE-v6 line 16 extended permit ip anyv6 anyv6
access-list TESTE line 8 extended permit tcp host 10.6.16.19 any eq www
access-list TESTE line 16 extended permit tcp any eq www host 10.6.16.19
access-list TRACE line 8 extended permit ip host 10.6.16.118 any
access-list TRACE line 16 extended permit ip any host 10.6.16.118


probe tcp WSA_TCP_3128
  port 3128
  interval 5
  faildetect 60


rserver host WSA-01
  ip address 10.10.193.36
  inservice
rserver host WSA-02
  ip address 10.10.193.37
  inservice
rserver host WSA-03
  ip address 10.10.193.38
  inservice
rserver host WSA-04
  ip address 10.10.193.39
  inservice
rserver host WSA-05
  ip address 10.10.193.40
  inservice
rserver host WSA-06
  ip address 10.10.193.41
  inservice
rserver host WSA-07
  ip address 10.10.193.42
  inservice
rserver host WSA-08
  ip address 10.10.193.43
  inservice
rserver host WSA-09
  ip address 10.10.193.44
  inservice
rserver host WSA-10
  ip address 10.10.193.45
  inservice

serverfarm host WSA_FARM
  probe WSA_TCP_3128
  fail-on-all
  rserver WSA-01
  rserver WSA-02
    inservice
  rserver WSA-03
  rserver WSA-04
  rserver WSA-05
  rserver WSA-06
  rserver WSA-07
  rserver WSA-08
  rserver WSA-09
  rserver WSA-10

class-map type management match-any REMOTE_ACCESS
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any
  5 match protocol snmp any
  6 match protocol http any
class-map match-all WSA_REAL_IP
  2 match source-address 10.10.193.32 255.255.255.224
class-map match-all WSA_VIP_TCP_3128
  2 match virtual-address 10.10.193.25 tcp eq 3128

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

policy-map type loadbalance http first-match WSA_L7_POLICY
  class class-default
    serverfarm WSA_FARM

policy-map multi-match VIPs
  class WSA_VIP_TCP_3128
    loadbalance vip inservice
    loadbalance policy WSA_L7_POLICY
    loadbalance vip icmp-reply active
    loadbalance vip advertise active

interface vlan 303
  description Gerencia
  ipv6 enable
  ip address 2801:94:0:4::18/66
  peer ip address 2801:94:0:4::19/66
  ip address 10.10.192.18 255.255.255.0
  peer ip address 10.10.192.19 255.255.255.0
  access-group input EVERYONE
  access-group input EVERYONE-v6
  service-policy input REMOTE_MGMT_ALLOW_POLICY
interface vlan 304
  description to_6509
  ipv6 enable
  ip address 2801:94:0:3::21/64
  alias 2801:94:0:3::20/64
  peer ip address 2801:94:0:3::22/64
  ip address 10.10.193.21 255.255.255.240
  alias 10.10.193.20 255.255.255.240
  peer ip address 10.10.193.22 255.255.255.240
  access-group input EVERYONE
  access-group input EVERYONE-v6
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input VIPs
  no shutdown
interface vlan 306
  description To_WSAs
  ipv6 enable
  ip address 2801:94:0:7::46/64
  alias 2801:94:0:7::33/64
  peer ip address 2801:94:0:7::47/64
  ip address 10.10.193.46 255.255.255.224
  alias 10.10.193.33 255.255.255.224
  peer ip address 10.10.193.47 255.255.255.224
  mac-sticky enable
  access-group input EVERYONE
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.193.17
ip route ::/0 2801:94:0:3::17
username anmanager password 5 $1$DIacUZzq$IaFMnaN4m0/9bVXbKjEVM0  role Admin domain default-domain
username admin password 5 $1$MlYw5GVF$LJfSPfjNMnB/PR0QdOvZ61  role Admin domain default-domain

snmp-server community ProdamSec group Network-Monitor

snmp-server host 10.10.192.55 traps version 2c ProdamSec

Regards,

Everaldo

0 Helpful

Jorge Bejarano
Level 4
Level 4
In response to Jorge Bejarano

‎09-03-2012 01:56 PM

Hello Everaldo,

Besides that sample which you have included, what exactly are you looking for?

You have external users which will try to match the virtual address: 10.10.193.25 tcp eq 3128 which will load balance the traffic between these servers, correct?

  rserver WSA-01

  rserver WSA-02

  rserver WSA-03

  rserver WSA-04

  rserver WSA-05

  rserver WSA-06

  rserver WSA-07

  rserver WSA-08

  rserver WSA-09

  rserver WSA-10

What is the current behavior which you are having?

Can you upload these outputs: #show service-policy VIPs class-map WSA_VIP_TCP_3128 detail and also #show probe WSA_TCP_3128 and #show probe WSA_TCP_3128 detail?

Jorge

0 Helpful

e.lopessilva
Level 1
Level 1
In response to Jorge Bejarano

‎09-03-2012 02:33 PM

Hi Jorge,

The behavior is when we have IP Spoofing configured in the WSAs, the connection is not established. The ACE establishes the connection with the client but the connection with Internet is not established. I captured the packets that arrive in the ACE coming from Internet and I see SYN packets with source address as a public IP (Google) and the destination address as the internal client IP address with no ACK just RST.

With no IP Spoofing, meaning that the ip source address is tha WSA the connection is established with no RST.

Follow the output the commands:


show service-policy WSA-VIPS class-map WSA_VIP_TCP_3128 detail

Status     : ACTIVE
Description: -----------------------------------------
Interface: vlan 304
  service-policy: WSA-VIPS
    class: WSA_VIP_TCP_3128
     VIP Address:                              Protocol:  Port:
     10.10.193.25                              tcp    eq   3128
      loadbalance:
        L7 loadbalance policy: WSA-POLICY
        VIP Route Metric     : 77
        VIP Route Advertise  : ENABLED-WHEN-ACTIVE
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        VIP DWS state: DWS_DISABLED
        Persistence Rebalance: DISABLED
        curr conns       : 3         , hit count        : 1260
        dropped conns    : 4
        conns per second    : 0
        client pkt count : 19271     , client byte count: 2326106
        server pkt count : 26140     , server byte count: 16572023
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : WSA-POLICY
          class/match : class-default
            LB action :
               primary serverfarm: WSA_FARM
                    state: UP
                backup serverfarm : -
            hit count        : 1260
            dropped conns    : 0
            compression      : off
      compression:
        bytes_in  : 0                          bytes_out : 0
        Compression ratio : 0.00%
                Gzip: 0               Deflate: 0
      compression errors:
        User-Agent  : 0               Accept-Encoding    : 0
        Content size: 0               Content type       : 0
        Not HTTP 1.1: 0               HTTP response error: 0
        Others      : 0

switch/WSA# show probe WSA_TCP_3128

probe       : WSA_TCP_3128
type        : TCP
state       : ACTIVE
----------------------------------------------
   port      : 3128         address   : 0.0.0.0
   addr type : -            interval  : 5       pass intvl  : 10
   pass count: 3            fail count: 30      recv timeout: 10
                ------------------ probe results ------------------
   associations     ip-address         port porttype probes failed passed health

   ------------ ----------------------+----+--------+------+------+------+------

   serverfarm  : WSA_FARM
     real      : WSA-01[0]

     real      : WSA-02[0]
                          10.10.193.37 3128 PROBE   15076  72     15004  SUCCESS

     real      : WSA-03[0]

     real      : WSA-04[0]

     real      : WSA-05[0]

     real      : WSA-06[0]

     real      : WSA-07[0]

     real      : WSA-08[0]

     real      : WSA-09[0]

     real      : WSA-10[0]

switch/WSA# show probe WSA_TCP_3128 detail

probe       : WSA_TCP_3128
type        : TCP
state       : ACTIVE
description :
----------------------------------------------
   port      : 3128         address   : 0.0.0.0
   addr type : -            interval  : 5       pass intvl  : 10
   pass count: 3            fail count: 30      recv timeout: 10
   conn termination : FORCED
   expect offset    : 0         , open timeout     : 3
   expect regex     : -
   send data        : -
                ------------------ probe results ------------------
   associations     ip-address         port porttype probes failed passed health

   ------------ ----------------------+----+--------+------+------+------+------

   serverfarm  : WSA_FARM
     real      : WSA-01[0]

     real      : WSA-02[0]
                          10.10.193.37 3128 PROBE   15088  72     15016  SUCCESS

   Socket state        : CLOSED
   No. Passed states   : 2         No. Failed states : 1
   No. Probes skipped  : 0         Last status code  : 0
   No. Out of Sockets  : 0         No. Internal error: 0
   Last disconnect err :  -
   Last probe time     : Mon Sep  3 21:06:47 2012
   Last fail time      : Mon Sep  3 20:45:05 2012
   Last active time    : Mon Sep  3 20:45:57 2012

     real      : WSA-03[0]

     real      : WSA-04[0]

     real      : WSA-05[0]

     real      : WSA-06[0]

     real      : WSA-07[0]

     real      : WSA-08[0]

     real      : WSA-09[0]

     real      : WSA-10[0]

Thank you,

Everaldo

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents