09-05-2012 07:22 AM
Hello everybody!
We have a problem connecting to a VIP configured on a Cisco ACE20 module installed in a 6509 from remote clients. The clients are connected to our core network over IPSec or GRE tunnels (MTU less than 1500).
Investigation and reading of the traffic dumps show that the reason is that Path MTU Discovery does not seem to be working with ACE.
ACE terminates the connection to the VIP, establishes a connection to the real server, and sends IP packets to the client with the DF bit set, using PMTUD. The border router replies with the appropriate ICMP message, but ACE ignores it and doesn't adjust the MTU for the session. So all packets are lost.
Clients have no problems connecting to the real servers, PMTU works.
The problem persists only for connections passing through ACE. I tried both "normal" and one-arm modes.
Now I have a few workarounds:
- change MTU to the lowest value we have in our network
- clear DF bit using 'ip df clear' command on ACE interface
- clear DF bit on the border router using route-map
Is it a bug, a feature, or a misconfiguration of the Cisco ACE module?
09-05-2012 07:57 PM
Hi Anatoly,
PMTU is not supported on ACE. ACE does not support PMTUD directly to a VIP IP address. It will allow ICMP through ACE if the access lists permit it, which means PMTUD will work through ACE.
By default 'ip df allow' is enabled, so ICMP sent by the border router should be forwarded by ACE to the server; for that, please check that the ACL permits ICMP on the ACE interfaces.
Regards,
Kanwal
09-05-2012 11:12 PM
Thanks for your reply, but we have no ACL on the ACE interfaces. I also tried applying an ACL that permits everything - PMTUD doesn't work.
I don't really understand: if ACE does not support PMTUD directly to a VIP IP address, how should it forward ICMP unreachables from the router to the VIP address on to the real server (and to which one)? Anyway, our ACE doesn't do that.
Actually it doesn't see any ICMP unreachables, according to:
ACE1/VC_SERVERS# sh icmp statistics
-----------------------------------------------
ICMP Statistics :
-----------------------------------------------
                     Tx        Rx
Total Messages :  65714     65684
Errors         :     36      1048
Echo Request   :     88     65627
Echo Reply     :  65627        57
Unreachable    :      0         0
TTL Expired    :      0         0
Redirect       :      0         0
Address Mask   :      0         0
Param problem  :      0         0
Source quench  :      0         0
Time stamp     :      0         0
-----------------------------------------------
But the packets are sent (debug icmp from border router):
ICMP: dst (
We have no firewall or any ACL applied between router and ACE.
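The two posts above describe the mechanism (a DF-marked packet, a router's ICMP "fragmentation needed" reply, and the counters that should tick when ACE receives it). The following script is an added example for this thread, not Cisco code or anything from the original posts: it parses the `sh icmp statistics` output quoted above and reports whether any inbound ICMP Unreachable was counted, and it builds and decodes a constructed RFC 1191 fragmentation-needed message so the reader can see the next-hop MTU field the router advertises and the TCP MSS that would fit it. The statistics text is the thread's own output; the ICMP packet bytes, addresses and MTU value are constructed here.

```python
"""Check ACE 'sh icmp statistics' for PMTUD feedback and decode an ICMP
Fragmentation Needed message. Added example for this thread; not Cisco code."""
import re
import struct

# Output quoted in the thread, reused here as sample input.
ACE_ICMP_STATS = """\
ACE1/VC_SERVERS# sh icmp statistics
-----------------------------------------------
ICMP Statistics :
-----------------------------------------------
                     Tx        Rx
Total Messages :  65714     65684
Errors         :     36      1048
Echo Request   :     88     65627
Echo Reply     :  65627        57
Unreachable    :      0         0
TTL Expired    :      0         0
Redirect       :      0         0
Address Mask   :      0         0
Param problem  :      0         0
Source quench  :      0         0
Time stamp     :      0         0
-----------------------------------------------
"""

# One counter row: "<name> : <tx> <rx>"
ROW = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\d+)\s+(\d+)\s*$")


def parse_icmp_stats(text):
    """Return {counter_name: (tx, rx)} from the ACE statistics table."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            stats[m.group(1).strip()] = (int(m.group(2)), int(m.group(3)))
    return stats


def pmtud_feedback_seen(stats):
    """True if ACE counted at least one inbound ICMP Unreachable.
    Fragmentation Needed is Unreachable type 3 code 4, so Rx == 0 while the
    router's debug shows the messages being sent means ACE never counted them
    for the VIP flow."""
    _tx, rx = stats.get("Unreachable", (0, 0))
    return rx > 0


# RFC 792 / RFC 1191 Destination Unreachable header:
# type(1) code(1) checksum(2) unused(2) next-hop MTU(2), then the offending
# datagram's IP header plus its first 8 bytes.
ICMP_DEST_UNREACH = 3
CODE_FRAG_NEEDED = 4


def icmp_checksum(data):
    """Standard one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_frag_needed(next_hop_mtu, quoted_datagram):
    """Construct the ICMP message a router sends for an oversized DF packet."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, CODE_FRAG_NEEDED,
                       0, 0, next_hop_mtu) + quoted_datagram
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_frag_needed(msg):
    """Return the advertised next-hop MTU, or None if msg is not a valid
    Fragmentation Needed message (wrong type/code or bad checksum)."""
    if len(msg) < 8:
        return None
    t, c, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if t != ICMP_DEST_UNREACH or c != CODE_FRAG_NEEDED:
        return None
    if icmp_checksum(msg) != 0:  # a valid message checksums to zero
        return None
    return mtu


def tcp_mss_for_mtu(mtu, ip_hdr=20, tcp_hdr=20):
    """Largest TCP payload that fits the reported MTU without fragmentation."""
    return mtu - ip_hdr - tcp_hdr


# Constructed quoted datagram: a 1500-byte IPv4 header with DF set
# (flags 0x4000), proto TCP, documentation addresses, then 8 bytes of TCP.
CONSTRUCTED_QUOTE = struct.pack(
    "!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
    bytes([192, 0, 2, 10]), bytes([203, 0, 113, 5])
) + struct.pack("!HHI", 443, 51000, 1)


def demo():
    stats = parse_icmp_stats(ACE_ICMP_STATS)
    msg = build_frag_needed(1400, CONSTRUCTED_QUOTE)  # 1400 is a constructed tunnel MTU
    mtu = parse_frag_needed(msg)
    return {
        "unreachable_rx": stats["Unreachable"][1],
        "pmtud_feedback_seen": pmtud_feedback_seen(stats),
        "advertised_mtu": mtu,
        "mss_for_mtu": tcp_mss_for_mtu(mtu),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run against the quoted output, the check reports `pmtud_feedback_seen: False`, which is the symptom the thread describes: the router sends the message, but the counter on the module stays at zero. The same parser can be run on a fresh `sh icmp statistics` capture after applying one of the workarounds (lower MTU or clearing DF) to confirm that the flow no longer depends on the Unreachable counter moving.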
09-06-2012 08:15 PM
Hi Anatoly,
You are right. It will not work for a VIP. It is only applicable to pass-through traffic. This is how it is. A request for supporting PMTU was there, but since the number of requests received was not high, it was dropped.
That is what I see when I search internally here.
Regards,
Kanwal
09-07-2012 01:04 AM
So, probably not many people use ACE-based SLB with low-MTU links like tunnels.
Ok, thanks a lot for your help, Kanwal!