Cisco ACE - "show conn" command queries

danielng83 (Level 1)

Hi all,

I have some queries regarding the "show conn" command in Cisco ACE.

Working Scenario:


VIP : 10.10.10.1

Server 1 : 10.10.20.1

Server 2 : 10.10.20.2

Client: 30.30.30.1

When a client 30.30.30.1 initiates a connection to the VIP on 10.10.10.1, the ACE load balances it to Server 1, 10.10.20.1. Looking at the "show conn" table, it shows that Server 1 is replying back to the Client 30.30.30.1 through the ACE.

Now, my question is when the ACE returns the traffic to the Client, should the Client be seeing the source IP coming from the VIP or Server 1? My understanding is that the Client should be seeing traffic returning from the VIP. But the show conn table does not seem to suggest so.

show conn table

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
1768       1  in  TCP   10   30.30.30.1:9221       10.10.10.1:80         ESTAB
41         1  out TCP   52   10.10.20.1:80         30.30.30.1:9221       CLOSED

Accepted Solution

Pablo (Cisco Employee)

Daniel,

The client is expecting a response from the VIP; otherwise there would be an asymmetric routing problem and conns would never complete.

The fact that you're seeing 30.30.30.1 as the destination address is just that the server is able to see the client's IP address on the request. When your backend server sends the reply back to the client, this response is forced to go through the ACE; when the ACE looks at the packet it matches a previously created conn in the flow table, so it "NATs" the reply so that the source of the packet is now the VIP and the destination is 30.30.30.1.

This is expected behavior as you're not using S-NAT on your network.

HTH.


Pablo

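To make the flow-table lookup in the answer concrete, here is a small added model (not Cisco ACE code, and not from either poster). It parses the "show conn" rows from the question, pairs the "in" and "out" conns by the client socket they share, and applies the reverse NAT the ACE performs on a hit: the reply's source becomes the VIP taken from the "in" row. The pairing rule and the hypothetical `nat_reply` helper are simplifying assumptions; a reply with no matching conn, or from a server other than the one the conn was balanced to, returns None, which is the asymmetric-routing case the answer warns about.

```python
"""
Toy flow-table model of the reverse NAT described in the accepted answer:
the server's reply matches the existing 'out' conn and the ACE rewrites the
source address to the VIP before the client sees the packet.

Added illustration only, not Cisco ACE code. The 'show conn' sample below is
the one from the question, re-used here as constructed input.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]

# Constructed sample: the two conn rows from the thread's 'show conn' output.
SHOW_CONN = """\
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
1768       1  in  TCP   10   30.30.30.1:9221       10.10.10.1:80         ESTAB
41         1  out TCP   52   10.10.20.1:80         30.30.30.1:9221       CLOSED
"""


@dataclass(frozen=True)
class Conn:
    conn_id: int
    direction: str   # "in": client -> VIP, "out": real server -> client
    proto: str
    vlan: int
    src: Endpoint
    dst: Endpoint
    state: str


def _endpoint(text: str) -> Endpoint:
    host, port = text.rsplit(":", 1)
    return host, int(port)


def parse_show_conn(output: str) -> List[Conn]:
    """Parse the data rows of a 'show conn' listing; header and rule lines are skipped."""
    conns: List[Conn] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 8 or not fields[0].isdigit():
            continue
        conns.append(Conn(
            conn_id=int(fields[0]),
            direction=fields[2],
            proto=fields[3],
            vlan=int(fields[4]),
            src=_endpoint(fields[5]),
            dst=_endpoint(fields[6]),
            state=fields[7],
        ))
    return conns


def pair_flows(conns: List[Conn]) -> Dict[Endpoint, Tuple[Conn, Conn]]:
    """Key each in/out conn pair by the client socket they share (assumed model).

    The 'in' row carries the client as its source, the 'out' row carries the
    client as its destination; that shared tuple ties the server reply back
    to the original client-to-VIP connection.
    """
    inbound = {c.src: c for c in conns if c.direction == "in"}
    outbound = {c.dst: c for c in conns if c.direction == "out"}
    return {client: (inbound[client], outbound[client])
            for client in inbound if client in outbound}


def nat_reply(src: Endpoint, dst: Endpoint,
              table: Dict[Endpoint, Tuple[Conn, Conn]]) -> Optional[Tuple[Endpoint, Endpoint]]:
    """Translate a server reply the way the ACE does on a flow-table hit (hypothetical helper).

    Returns the (source, destination) the client sees, or None when there is
    no matching conn: a reply that hits the ACE without a conn entry, or from
    a server other than the one the conn was balanced to, cannot be
    translated, which is the asymmetric-routing failure the answer mentions.
    """
    entry = table.get(dst)
    if entry is None:
        return None
    in_conn, out_conn = entry
    if out_conn.src != src:
        return None
    vip = in_conn.dst            # the 'in' row's destination is VIP:port
    return vip, dst


if __name__ == "__main__":
    table = pair_flows(parse_show_conn(SHOW_CONN))
    print(nat_reply(("10.10.20.1", 80), ("30.30.30.1", 9221), table))
```

Run it and the reply from 10.10.20.1:80 comes back with source 10.10.10.1:80, which is what the client sees on the wire; a reply from 10.10.20.2 for the same client socket is refused because the conn was balanced to Server 1.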

2 Replies


Thanks for clarifying my doubts, Pablo! Really informative... appreciate it.
