05-07-2010 09:26 AM
Hello,
Customer has an ACE installed as attached. With the server set with a DG of the ACE and traffic directed at the server's real IP address (ping, for example), we never seem to receive a response. I've configured the VLAN interfaces on both sides of the ACE with "permit ip any any" ACLs.
Should I expect the ACE to act like a router in this instance (and not care) or is it trying to act like a stateful device i.e. it should see the echo request first?
Thanks,
Mike
05-07-2010 10:43 AM
Mike,
In this case ICMP packets were discarded by the ACE because of security checks added by the stateful ICMP feature. These ICMP packets are discarded for any of the following reasons:
1. If you have asymmetric routing such that the ACE never sees the ICMP Echo Request, but does see the ICMP Echo Reply, the packet will be dropped.
2. If the ICMP Echo Reply is seen after the two second inactivity timer for ICMP traffic, the session will have been aged out, and therefore the packet will be dropped.
3. ICMP error messages are received that are not related to any TCP, UDP, or ICMP session already established in the ACE.
Please disable the ICMP guard feature on your interfaces and let us know if the ping still fails.
ACE4710/Admin(config)# interface vlan X
ACE4710/Admin(config-if)# no icmp-guard
Hope this helps.
__ __
Pablo
Cisco TAC
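To make the three drop reasons above concrete, here is an added Python model of the stateful ICMP check (constructed for this thread, not Cisco's code): it replays a constructed trace with an in-time reply, a reply whose request was never seen, a reply after the two second idle timer, and ICMP errors with and without a related session. The session keys, packet fields and addresses are simplifications assumed for illustration.

```python
from collections import namedtuple

# Constructed packet record; kind is "echo_request", "echo_reply" or "error",
# and for an ICMP error, inner is the key of the embedded flow it refers to.
Pkt = namedtuple("Pkt", "t src dst kind ident inner")

ICMP_IDLE_SECS = 2.0  # the two second ICMP inactivity timer from the answer

class IcmpGuard:
    """Simplified model of the ACE stateful ICMP checks (not Cisco's code)."""

    def __init__(self, enabled=True):
        self.enabled = enabled
        self.sessions = {}  # flow key -> time it was last seen

    def note_flow(self, key, now):
        """Register an established TCP/UDP flow the ACE has already seen."""
        self.sessions[key] = now

    def inspect(self, p):
        """Return 'forward' or a drop reason for a single ICMP packet."""
        if not self.enabled:
            return "forward"  # 'no icmp-guard': the ACE just routes the packet
        if p.kind == "echo_request":
            self.sessions[("icmp", p.src, p.dst, p.ident)] = p.t
            return "forward"
        # Replies and errors must match state created by earlier traffic.
        key = ("icmp", p.dst, p.src, p.ident) if p.kind == "echo_reply" else p.inner
        last = self.sessions.get(key)
        if last is None:
            return "drop: no matching session (asymmetric path or unrelated error)"
        if p.t - last > ICMP_IDLE_SECS:
            del self.sessions[key]
            return "drop: session aged out by the idle timer"
        self.sessions[key] = p.t
        return "forward"

def run_scenario(enabled=True):
    """Replay a constructed trace through the guard and return the verdicts."""
    g = IcmpGuard(enabled)
    g.note_flow(("tcp", "10.1.1.5", "10.2.2.8", 80), 3.0)  # existing TCP session
    trace = [
        Pkt(0.0, "10.1.1.5", "10.2.2.8", "echo_request", 7, None),
        Pkt(0.5, "10.2.2.8", "10.1.1.5", "echo_reply", 7, None),   # matched in time
        Pkt(0.6, "10.2.2.8", "10.1.1.5", "echo_reply", 9, None),   # request never seen
        Pkt(3.5, "10.2.2.8", "10.1.1.5", "echo_reply", 7, None),   # 3 s after last match
        Pkt(3.6, "10.2.2.1", "10.1.1.5", "error", 0, ("tcp", "10.1.1.5", "10.2.2.8", 80)),
        Pkt(3.7, "10.2.2.1", "10.1.1.5", "error", 0, ("udp", "10.1.1.5", "10.2.2.9", 53)),
    ]
    return [g.inspect(p) for p in trace]
```

Running it with enabled=False shows every packet forwarded, which is the behaviour the thread observed once icmp-guard was removed in the right context.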
05-18-2010 08:16 AM
Hello Pablo,
Thanks, once you prompted me with the command I found the right section in the Config Guide.
Cheers,
Mike
05-18-2010 03:29 PM
Mike,
Did you perform the test with the command no icmp-guard?
I had the same question. With this topology, do you now see ping responses from the server?
Regards,
Jaime.
05-18-2010 10:24 PM
Hello Jaime,
Yes, the only caveat was applying it in the right virtual context. After I applied it to the correct interfaces in the right context, ping worked fine. It was covered in this section of the configuration guide:
Cheers,
Mike