cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
958
Views
10
Helpful
5
Replies

Urgent!!! Cisco ACE and asymetric routing assistance needed

cisco24x7
Level 6
Level 6

I am wondering if someone can give me pointers on the cisco ACE

and asymetric routes. I've attached the diagram:

-Cisco IOS IP address is 192.168.15.4/24 and 4.1.1.4/24

-Firewall External interface is 192.168.15.1/24,

-Firewall Internal interface is 192.168.192.1/24,

-F5_BigIP External interface is 192.168.192.4/24,

-F5_BigIP Internal interface is 192.168.196.1/24 and 192.168.197.1/24,

-host_y has IP addresses of 192.168.196.10/24 and 192.168.197.10/24,

-Checkpoint has static route for 192.168.196.0/24 and 192.168.197.0/24

pointing to the F5_BigIP,

-host_y is dual-home to both VLAN_A and VLAN_B with the default

gateway on host_y pointing to VLAN_A which is 192.168.196.1,

-host_x CAN ssh/telnet/http/https to both of host_y IP addresses

of 192.168.196.10 and 192.168.197.10.

In other words, from host_x, when I try to connect to host_y

via IP address of 192.168.197.10, the traffics will go through VLAN_B

but the return traffics will go through VLAN_A. Everything

is working perfectly for me so far.

Now customer just replaces the F5_BigIP with Cisco ACE. Now,

I could not get it to work with Asymetric route with Cisco ACE. In

other words, from host_x, I can no longer ssh or telnet to host_y

via IP address of 192.168.197.10.

Anyone knows how to get asymetric route to work on Cisco ACE?

Thanks in advance.

5 Replies 5

Gilles Dufour
Cisco Employee
Cisco Employee

That won't work because ACE uses the vlan id to distinguish between flows.

So when the response comes back on a different vlan, ACE can't find the flow it belongs to and it drops it.

Even if we could force it to accept the packet, ACE would then try to create a new flow for this packet and it will collide with the flow already existing on the frontend.

You would need to force your host to respond on the same vlan the traffic came in.

This could be done with client nat on ACE using different nat pool.

Gilles.

"You would need to force your host to respond on the same vlan the traffic came in.

This could be done with client nat on ACE using different nat pool."

I am very aware of this. But that's not what

I want. I do not want to NAT anything.

Is there a possiblity that Cisco will fix this

anytime soon? F5_BigIP and NetScaler can do

this very easily. Why not Cisco?

CCIE Security

There is no plan to change this behavior.

This is how the platform was designed.

This design gives some other advantages like allowing the same flow to enter multiple times the same blade from different vlan and each time perform a different action.

Not possible if you do not have the vlan as part of the flowid.

Gilles

CCIE Routing & Switching

CCIE Security

CCIE CDN

jim.soliven
Level 1
Level 1

Had a similar issue which was resolved by turning off normalization on the server-side VLAN on the ACE which hopefully is where VLAN A is pointed to.

Hope that helps.

Jim

Turning off normalization enable asymetric flow where half the traffic doesn't even go through the ACE module.

But in this particular case, the 2nd half of the flow goes back to the ACE module on a different vlan.

Gilles.

Review Cisco Networking for a $25 gift card