Cisco ACE and PMTU Discovery

pbijiko76
Level 1

Hello everybody!

We have a problem connecting from remote clients to a VIP configured on a Cisco ACE20 module installed in a 6509. The clients are connected to our core network over IPSec or GRE tunnels (MTU less than 1500).

Investigation and reading of traffic dumps show that the reason is that Path MTU Discovery does not seem to work with ACE.

ACE terminates the connection to the VIP, establishes a connection to the real server, and sends IP packets to the client with the DF bit set, using PMTUD. The border router replies with the appropriate ICMP message, but ACE ignores it and doesn't adjust the MTU for the session. So all packets are lost.

Clients have no problems connecting to the real servers directly; PMTU works.

The problem exists only for connections passing through ACE. I tried both "normal" and one-arm modes.

Now I have a few workarounds:

- change the MTU to the lowest value we have in our network

- clear the DF bit using the 'ip df clear' command on the ACE interface

- clear the DF bit on the border router using a route-map

Is it a bug, a feature, or a misconfiguration of the Cisco ACE module?


4 Replies

Kanwaljeet Singh
Cisco Employee

Hi Anatoly,

PMTU is not supported on ACE. ACE does not support PMTUD directly to a VIP IP address. It will allow ICMP through ACE if the access lists permit it, which means PMTUD will work through ACE.

By default ip df allow is enabled, so ICMP sent by the border router should be forwarded by ACE to the server; for that, please check whether the ACL permits ICMP on the ACE interfaces.

Regards,

Kanwal

Thanks for your reply, but we have no ACLs on the ACE interfaces. I also tried applying an ACL that permits everything; PMTUD doesn't work.

I don't really understand: if ACE does not support PMTUD directly to a VIP IP address, how should it forward ICMP unreachables from the router to the VIP address on to the real server (and to which one)? Anyway, our ACE doesn't do that.

Actually, it doesn't see any ICMP unreachables at all, according to

ACE1/VC_SERVERS# sh icmp statistics
-----------------------------------------------
ICMP Statistics :
-----------------------------------------------
                    Tx        Rx
Total Messages    : 65714      65684
Errors            : 36         1048
Echo Request      : 88         65627
Echo Reply        : 65627      57
Unreachable       : 0          0
TTL Expired       : 0          0
Redirect          : 0          0
Address Mask      : 0          0
Param problem     : 0          0
Source quench     : 0          0
Time stamp        : 0          0
-----------------------------------------------

But the packets are sent (debug icmp on the border router):

ICMP: dst () frag. needed and DF set unreachable sent to

We have no firewall or any ACL applied between the router and ACE.
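A small check for the symptom described in this post (an added example, not code from the thread or from Cisco): it parses the ACE "show icmp statistics" rows and the border router's "frag. needed and DF set" debug lines, and reports a PMTUD blackhole when the router sends the ICMP errors but the ACE counts no received Unreachables. The sample outputs are constructed in the formats quoted above; the IP addresses are documentation placeholders.

```python
import re
from typing import Dict, Tuple

# Constructed sample in the format of the ACE "show icmp statistics" output
# quoted in the thread (context name and counters as posted).
SAMPLE_ACE_ICMP_STATS = """\
ACE1/VC_SERVERS# sh icmp statistics
-----------------------------------------------
ICMP Statistics :
-----------------------------------------------
                    Tx        Rx
Total Messages    : 65714      65684
Errors            : 36         1048
Echo Request      : 88         65627
Echo Reply        : 65627      57
Unreachable       : 0          0
"""

# Constructed sample of border-router "debug ip icmp" lines; the addresses
# are documentation placeholders, not values from the thread.
SAMPLE_ROUTER_DEBUG = """\
ICMP: dst (203.0.113.10) frag. needed and DF set unreachable sent to 198.51.100.7
ICMP: dst (203.0.113.10) frag. needed and DF set unreachable sent to 198.51.100.7
ICMP: echo reply sent, src 203.0.113.1, dst 198.51.100.7
"""

# Matches 'Name : Tx Rx' counter rows only; banner and 'Tx Rx' header do not match.
ROW_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s+(\d+)\s*$")
FRAG_NEEDED_RE = re.compile(r"frag\. needed and DF set unreachable sent")


def parse_icmp_statistics(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {counter name: (tx, rx)} for each counter row of the output."""
    stats: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            stats[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return stats


def count_frag_needed(debug_text: str) -> int:
    """Count ICMP type 3 / code 4 errors the border router reports sending."""
    return sum(1 for line in debug_text.splitlines() if FRAG_NEEDED_RE.search(line))


def pmtud_verdict(ace_stats: Dict[str, Tuple[int, int]], router_frag_needed: int) -> str:
    """'blackhole': router sent frag-needed errors but ACE counted none received
    (the thread's symptom). 'received': ACE saw them; check whether the VIP
    session then shrank its MTU. 'no-pmtud-event': nothing to judge."""
    _, unreach_rx = ace_stats.get("Unreachable", (0, 0))
    if router_frag_needed == 0:
        return "no-pmtud-event"
    return "blackhole" if unreach_rx == 0 else "received"
```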

Hi Anatoly,

You are right. It will not work for a VIP. It is only applicable to pass-through traffic. This is how it is. A request for supporting PMTU was there, but since the number of requests received was not large, it was dropped.

That is what I see when I search internally here.

Regards,

Kanwal

So, probably not so many people use ACE-based SLB with low-MTU links such as tunnels.

OK, thanks a lot for your help, Kanwal!