Can't get desired results from ACE capture

Ken Johnson
Level 1

I have an ACE with a one-arm configuration. We often have a problem with lockouts from our users with our LDAP application. In order to troubleshoot this I would take a capture on the ACE to search for the offending source IP. However, this time around I'm not seeing the desired traffic. The application engineer can see the connections with the ACE source NAT IP, and I too can see the connection in my connection table, but when I take the capture I do not see the offender.

My questions are... If a connection is already established, can you create a capture and get results? Or do you know a better way to isolate this issue?

This is the ACL I'm using for the capture:

access-list PCAP line 8 extended permit tcp any host [VIP_FOR_LDAP_FARM] eq 3890
access-list PCAP line 16 extended permit tcp any host [RSERVER] eq 3890

Thanks

Ken

4 Replies

Kanwaljeet Singh
Cisco Employee

Hi Ken,

Never paid attention, but as per the doc below, the capture is triggered at flow set-up.

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide_--_Overview_of_ACE_Troubleshooting

And it would make sense, since the ACL match only happens when the connection is being set up. Once the connection is already set up, it moves to the fast path and ACL checks are skipped.

So tell the user to set up the connection again and see if it captures.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

I suspected that might have been the case. Do you know what xlate commands I'd use to view the connections associated with this connection (NAT from the ACE to the LDAP server)? I'm trying to find who's on the client side of that connection.

Hi Ken,

"show conn" shall give you the result, but if you want to see exactly which backend connection is associated with the backend, do the following:

Run show conn; from its output take the connection-id as well as the NP number.

562844     1  in  TCP   5    10.150.54.145:61560   10.86.212.34:23     ESTAB
560094     1  out TCP   5    10.86.212.34:23       10.150.54.145:61560   ESTAB

So in the above, 562844 is the connection id and 1 is the NP number. Depending on the model it can be 1, 2, 3 or 4: the ACE30 has 4 and the ACE20 has 2; the ACE 4710 has one. Once you have that, do

switch/Admin# sh np 1 me-stats  "-c 562844 -vvv"
Connection ID:seq: 562844[0x8969c].0
  Other ConnID    : 560094[0x88bde].0
  Proxy ConnID    : 0[0x0].0
  Next Q    : 0[0x0]

10.150.54.145:61560 -> 10.86.212.34:23 [RX-NextHop: CP] [TX-NextHop: TX]
  Flags:  PAT: No  DynNAT: No  Implicit PAT: No On_Reuse: No
  L3 Protocol     : IPv4                L4 Protocol    : 6
  Inbound Flag    : 1
  Interface Match : Yes
    Interface MatchID: 3
  EncapsID:ver    : 15:0                TCP ACK delta  : 0x0
  MSS             : 1460                TOS Stamp       : 16
  Repeat mode     : No          Punt Flag      : No
  TOS Stamp       : No          TCP Window Check: No
  ACE ID          : 6           NAT Policy ID       : 0
  Post NAT hop    : 0           NAT Pool ID         : 0
  Packet Count    : 66          Byte Count          : 2810
  TCP Information: (State = 3)
    Window size   : 16325               Window scale    : 2
    FIN seen      : No          FIN/ACK seen    : No
    FIN/ACK exp   : No          Close initiator : No
    FIN/ACK expval: 0           Last seq        : 1f5db83
   timestamp_delta: 0           Last ack        : 7aa48cd7
    No Trigger    : 0           Trigger Status   : 0
    Timestamp : 6631b441
  TCP options negotiated:
    Sack:Allow          TS:Clear        Windowscale:  Allow
    Reserved: Allow     Exceed MSS: Allow       Window var: Allow
  Flags:  debug: 0              TCP Normalize: Yes
          Syslog: No    Reproxy Request: No   Policying Reqd: No
          Inbound Ipsec: No  Replicated: No  Data Channel: No
          L7: No  Fin Detect: Yes  FP Timeout: No
          Standby: No  ConnState: 2
          ACA Method: 0  ReqTS: 00000000  RspTS: 00000000
          RX Flags: 80481

  Sticky Internal Entry-id : 0x0

Raw Connection Entry
0000  0x00000000  0x00088bde  0x06090003  0xf0780017
0010  0x0a963691  0x00000000  0x00000000  0x00000000
0020  0x0a56d422  0x00000000  0x00000000  0x00000000
0030  0x00000000  0x00000000  0x000f0010  0x05b41000
0040  0x00080481  0x00040000  0x00000042  0x00000afa
0050  0x3fc50230  0x00000000  0x01f5db83  0x7aa48cd7
0060  0x00000000  0x00000000  0x00000000  0x00030000
0070  0x662c6b46  0x00000400  0x00000006  0x6631b441
0080  0x00000000  0x00000000  0x00000000  0x00000000

Doing verbose output for proxy id: 0

No valid TCB proxy entry.
No valid HTTP proxy entry.
No valid SSL proxy entry.
No valid AI proxy entry.
Connection ID:seq: 560094[0x88bde].0
  Other ConnID    : 562844[0x8969c].0
  Proxy ConnID    : 0[0x0].0
  Next Q    : 0[0x0]

10.86.212.34:23 -> 10.150.54.145:61560 [RX-NextHop: TX] [TX-NextHop: CP]
  Flags:  PAT: No  DynNAT: No  Implicit PAT: No On_Reuse: No
  L3 Protocol     : IPv4                L4 Protocol    : 6
  Inbound Flag    : 0
  Interface Match : Yes
    Interface MatchID: 3
  EncapsID:ver    : 15:0                TCP ACK delta  : 0x0
  MSS             : 1460                TOS Stamp       : 0
  Repeat mode     : No          Punt Flag      : No
  TOS Stamp       : No          TCP Window Check: No
  ACE ID          : 6           NAT Policy ID       : 0
  Post NAT hop    : 4           NAT Pool ID         : 0
  Packet Count    : 59          Byte Count          : 6730
  TCP Information: (State = 3)
    Window size   : 46          Window scale    : 7
    FIN seen      : No          FIN/ACK seen    : No
    FIN/ACK exp   : No          Close initiator : No
    FIN/ACK expval: 0           Last seq        : 7aa48cd7
   timestamp_delta: 0           Last ack        : 1f5db83
    No Trigger    : 0           Trigger Status   : 0
    Timestamp : 6631b31d
  TCP options negotiated:
    Sack:Allow          TS:Clear        Windowscale:  Allow
    Reserved: Allow     Exceed MSS: Allow       Window var: Allow
  Flags:  debug: 0              TCP Normalize: Yes
          Syslog: No    Reproxy Request: No   Policying Reqd: No
          Inbound Ipsec: No  Replicated: No  Data Channel: No
          L7: No  Fin Detect: Yes  FP Timeout: No
          Standby: No  ConnState: 2
          ACA Method: 0  ReqTS: 00000000  RspTS: 00000000
          RX Flags: 80480

  Sticky Internal Entry-id : 0x0

Raw Connection Entry
0000  0x00000000  0x4008969c  0x06010003  0x0017f078
0010  0x0a56d422  0x00000000  0x00000000  0x00000000
0020  0x0a963691  0x00000000  0x00000000  0x00000000
0030  0x00000000  0x00000000  0x000f0000  0x05b41004
0040  0x00080480  0x00040000  0x0000003b  0x00001a4a
0050  0x002e0730  0x00000000  0x7aa48cd7  0x01f5db83
0060  0x00000000  0x00000000  0x00000000  0x00030000
0070  0x662c6b46  0x00000400  0x00000006  0x6631b31d
0080  0x00000000  0x00000000  0x00000000  0x00000000

Doing verbose output for proxy id: 0

No valid TCB proxy entry.
No valid HTTP proxy entry.
No valid SSL proxy entry.
No valid AI proxy entry.

I have put things in bold. It will show the details. If you have the backend conn-id, you can easily find the front end associated with it and the other details of the connection too.

Let me know if you have any questions.

You can also use "show xlate global/local" if you know the IPs.

Regards,

Kanwal

Note: Please mark answers if they are helpful.
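As an added example (not code from this thread, from Cisco, or from either poster), here is a Python script that does the correlation Kanwal describes offline: it parses `show conn` rows and the "Connection ID" / "Other ConnID" lines of the `show np <np> me-stats "-c <id> -vvv"` output, and then walks from the source-NAT ip:port that the LDAP server reports back to the client ip:port on the front-end half of the connection. The sample rows, the VIP, rserver and NAT addresses, and the hex conn-id values for the second pair are constructed for this example; only the line shapes follow the output shown above.

```python
"""
Offline correlation of ACE connection-table output, in the shape shown in this
thread: `show conn` rows plus the "Connection ID" / "Other ConnID" lines of
`show np <np> me-stats "-c <conn-id> -vvv"`. Given the NAT ip:port that the LDAP
server reports, it walks back to the client ip:port on the front-end connection.
Added example, not code from the thread; all sample rows are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConnRow:
    conn_id: int
    np: int           # network processor that owns the entry (1..4 by model)
    direction: str    # "in" = client-facing half, "out" = server-facing half
    proto: str
    src: str          # "ip:port"
    dst: str          # "ip:port"
    state: str


# One `show conn` row: conn-id  np  dir  proto  vlan  src  dst  state
CONN_ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<np>\d+)\s+(?P<dir>in|out)\s+(?P<proto>\S+)\s+\d+\s+"
    r"(?P<src>\d+(?:\.\d+){3}:\d+)\s+(?P<dst>\d+(?:\.\d+){3}:\d+)\s+(?P<state>\S+)\s*$"
)
CONN_ID_RE = re.compile(r"^Connection ID:seq:\s*(\d+)\[")
OTHER_ID_RE = re.compile(r"^\s*Other ConnID\s*:\s*(\d+)\[")

# Constructed sample: VIP 10.86.212.34:3890, rserver 10.86.212.50:3890,
# ACE source-NAT address 10.86.212.99. Each client has an "in" half and an
# "out" half; the "out" half is what the LDAP server sees.
SHOW_CONN = """\
562844     1  in  TCP   5    10.150.54.145:61560   10.86.212.34:3890     ESTAB
560094     1  out TCP   5    10.86.212.50:3890     10.86.212.99:1025     ESTAB
600123     2  in  TCP   5    10.150.54.200:51000   10.86.212.34:3890     ESTAB
600124     2  out TCP   5    10.86.212.50:3890     10.86.212.99:1026     ESTAB
"""

# Constructed sample: only the me-stats lines the correlation needs.
ME_STATS = """\
Connection ID:seq: 560094[0x88bde].0
  Other ConnID    : 562844[0x8969c].0
  Proxy ConnID    : 0[0x0].0
Connection ID:seq: 600124[0x9283c].0
  Other ConnID    : 600123[0x9283b].0
"""


def parse_show_conn(text: str) -> Dict[int, ConnRow]:
    """Index `show conn` rows by connection id; skips headers and blank lines."""
    rows: Dict[int, ConnRow] = {}
    for line in text.splitlines():
        m = CONN_ROW_RE.match(line)
        if m:
            rows[int(m["id"])] = ConnRow(int(m["id"]), int(m["np"]), m["dir"],
                                         m["proto"], m["src"], m["dst"], m["state"])
    return rows


def parse_me_stats_pairs(text: str) -> Dict[int, int]:
    """Map each conn-id to its partner from 'Other ConnID', in both directions."""
    pairs: Dict[int, int] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        m = CONN_ID_RE.match(line)
        if m:
            current = int(m.group(1))
            continue
        m = OTHER_ID_RE.match(line)
        if m and current is not None:
            other = int(m.group(1))
            pairs[current], pairs[other] = other, current
    return pairs


def grep_conn(rows: Dict[int, ConnRow], needle: str) -> List[ConnRow]:
    """Equivalent of `show conn | incl <needle>` on the parsed rows."""
    return [r for r in rows.values() if needle in r.src or needle in r.dst]


def me_stats_command(row: ConnRow) -> str:
    """Exact follow-up command for a row; me-stats is per NP, so use the row's NP."""
    return f'show np {row.np} me-stats "-c {row.conn_id} -vvv"'


def client_behind_nat(rows: Dict[int, ConnRow], pairs: Dict[int, int],
                      nat_endpoint: str) -> Optional[str]:
    """Return the client ip:port whose backend half is addressed to nat_endpoint.

    Matches the endpoint exactly (not as a substring) so that port 1025 does not
    also match 10250. Returns None if no pair or no front-end half is found."""
    for row in rows.values():
        if row.direction != "out" or row.dst != nat_endpoint:
            continue
        partner = pairs.get(row.conn_id)
        front = rows.get(partner) if partner is not None else None
        if front is not None and front.direction == "in":
            return front.src
    return None


if __name__ == "__main__":
    rows = parse_show_conn(SHOW_CONN)
    pairs = parse_me_stats_pairs(ME_STATS)
    for r in grep_conn(rows, "10.86.212.99:"):
        print(me_stats_command(r), "->", client_behind_nat(rows, pairs, r.dst))
```

The lookup deliberately keys on the "out" half's destination, because in a source-NAT'd one-arm setup that is the address the LDAP server logs; `grep_conn` mirrors the `show conn | incl` filter Ken used, and `me_stats_command` keeps the NP number from the same row, since the me-stats query is per NP and a conn-id only resolves on the NP that owns it.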

Great, thank you so much. I used show conn | incl [NAT-IP:PORT] and show xlate gport [PORT]. I can see the client source address. In this case it is a proxy server with what I can only assume is a bad cached password.

Thanks Again

Ken
