Unable to get desired output from ACE capture

Introduction


The packet capture feature enables you to capture live packets of the intended traffic in real time. The packets to be captured are selected by an ACL. The ACE buffers the captured packets, and you can copy the buffered contents to a file in Flash memory on the ACE or to a remote server. To avoid taxing ACE resources, use an ACL that matches only the intended traffic for the capture. The result of the capture can be displayed via the CLI or exported for analysis with a packet capture utility such as Ethereal or Wireshark.

 

Problem


A user is trying to capture packets on the ACE to troubleshoot a connection issue but is not getting the expected capture, even though the connection can be seen in the ACE connection table.

 

Packet Capture Details


The ACE captures packets subject to the following guidelines:

One capture session is used per context
Capture is triggered at flow setup
Capture is configured on the client interface where the flow is received

Note: Probe traffic does not hit a security ACL, so ACLs cannot control the capture of those packets. Therefore, probe traffic cannot be captured by the packet capture utility.

If possible, you should capture packets using the ACE packet capturing utility before and after symptoms appear. Save the packet captures to a file.

 

Resolution


The capture is triggered at flow setup, and the ACL match happens only while the connection is being set up. Once the connection is established, it moves to the fast path and ACL checks are skipped, so a capture started after the connection was set up does not see its packets even though the connection still appears in the connection table.

 

Details


The command "show conn" gives the translated IP addresses, but to see the exact backend connection associated with a front-end connection, do the following:

Run show conn and, from its output, take the connection ID as well as the NP number:


562844     1  in  TCP   5    10.150.54.145:61560   10.86.212.34:23     ESTAB
560094     1  out TCP   5    10.86.212.34:23       10.150.54.145:61560   ESTAB

In the output above, 562844 is the connection ID and 1 is the NP number. Depending on the model, the NP number can be 1, 2, 3 or 4: the ACE 30 has 4 NPs, the ACE 20 has 2 and the ACE 4710 has one. Once you have both values, run:

switch/Admin# sh np 1 me-stats  "-c 562844 -vvv"
Connection ID:seq: 562844[0x8969c].0
  Other ConnID    : 560094[0x88bde].0
  Proxy ConnID    : 0[0x0].0
  Next Q    : 0[0x0]

10.150.54.145:61560 -> 10.86.212.34:23 [RX-NextHop: CP] [TX-NextHop: TX]
  Flags:  PAT: No  DynNAT: No  Implicit PAT: No On_Reuse: No
  L3 Protocol     : IPv4                L4 Protocol    : 6
  Inbound Flag    : 1
  Interface Match : Yes
    Interface MatchID: 3
  EncapsID:ver    : 15:0                TCP ACK delta  : 0x0
  MSS             : 1460                TOS Stamp       : 16
  Repeat mode     : No          Punt Flag      : No
  TOS Stamp       : No          TCP Window Check: No
  ACE ID          : 6           NAT Policy ID       : 0
  Post NAT hop    : 0           NAT Pool ID         : 0
  Packet Count    : 66          Byte Count          : 2810
  TCP Information: (State = 3)
    Window size   : 16325               Window scale    : 2
    FIN seen      : No          FIN/ACK seen    : No
    FIN/ACK exp   : No          Close initiator : No
    FIN/ACK expval: 0           Last seq        : 1f5db83
   timestamp_delta: 0           Last ack        : 7aa48cd7
    No Trigger    : 0           Trigger Status   : 0
    Timestamp : 6631b441
  TCP options negotiated:
    Sack:Allow          TS:Clear        Windowscale:  Allow
    Reserved: Allow     Exceed MSS: Allow       Window var: Allow
  Flags:  debug: 0              TCP Normalize: Yes
          Syslog: No    Reproxy Request: No   Policying Reqd: No
          Inbound Ipsec: No  Replicated: No  Data Channel: No
          L7: No  Fin Detect: Yes  FP Timeout: No
          Standby: No  ConnState: 2
          ACA Method: 0  ReqTS: 00000000  RspTS: 00000000
          RX Flags: 80481

  Sticky Internal Entry-id : 0x0

10.86.212.34:23 -> 10.150.54.145:61560 [RX-NextHop: TX] [TX-NextHop: CP]
  Flags:  PAT: No  DynNAT: No  Implicit PAT: No On_Reuse: No
  L3 Protocol     : IPv4                L4 Protocol    : 6
  Inbound Flag    : 0
  Interface Match : Yes
    Interface MatchID: 3
  EncapsID:ver    : 15:0                TCP ACK delta  : 0x0
  MSS             : 1460                TOS Stamp       : 0
  Repeat mode     : No          Punt Flag      : No
  TOS Stamp       : No          TCP Window Check: No
  ACE ID          : 6           NAT Policy ID       : 0
  Post NAT hop    : 4           NAT Pool ID         : 0
  Packet Count    : 59          Byte Count          : 6730
  TCP Information: (State = 3)
    Window size   : 46          Window scale    : 7
    FIN seen      : No          FIN/ACK seen    : No
    FIN/ACK exp   : No          Close initiator : No
    FIN/ACK expval: 0           Last seq        : 7aa48cd7
   timestamp_delta: 0           Last ack        : 1f5db83
    No Trigger    : 0           Trigger Status   : 0
    Timestamp : 6631b31d
  TCP options negotiated:
    Sack:Allow          TS:Clear        Windowscale:  Allow
    Reserved: Allow     Exceed MSS: Allow       Window var: Allow
  Flags:  debug: 0              TCP Normalize: Yes
          Syslog: No    Reproxy Request: No   Policying Reqd: No
          Inbound Ipsec: No  Replicated: No  Data Channel: No
          L7: No  Fin Detect: Yes  FP Timeout: No
          Standby: No  ConnState: 2
          ACA Method: 0  ReqTS: 00000000  RspTS: 00000000
          RX Flags: 80480

  Sticky Internal Entry-id : 0x0


This shows the details of both legs of the connection. Starting from a backend connection ID instead, you can find the associated front-end connection (the Other ConnID) and the other details of the connection in the same way.
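The procedure above (take the connection ID and NP number from show conn, run me-stats with them, then read the Other ConnID and per-direction counters) can be scripted against saved CLI output, which is handy when you are walking many connections. The following Python is an added example, not part of the original article or any Cisco tooling; the sample strings are constructed from the output shown above, and the regular expressions assume the column layout shown there.

```python
import re

# Constructed sample in the format of the article's "show conn" output
# (columns: conn-id, NP, direction, protocol, VLAN, source, destination, state).
SHOW_CONN_SAMPLE = """\
562844     1  in  TCP   5    10.150.54.145:61560   10.86.212.34:23     ESTAB
560094     1  out TCP   5    10.86.212.34:23       10.150.54.145:61560   ESTAB
"""

# Constructed excerpt in the format of 'show np 1 me-stats "-c 562844 -vvv"';
# only the fields this script reads are kept.
ME_STATS_SAMPLE = """\
Connection ID:seq: 562844[0x8969c].0
  Other ConnID    : 560094[0x88bde].0
  Proxy ConnID    : 0[0x0].0

10.150.54.145:61560 -> 10.86.212.34:23 [RX-NextHop: CP] [TX-NextHop: TX]
  Inbound Flag    : 1
  Packet Count    : 66          Byte Count          : 2810

10.86.212.34:23 -> 10.150.54.145:61560 [RX-NextHop: TX] [TX-NextHop: CP]
  Inbound Flag    : 0
  Packet Count    : 59          Byte Count          : 6730
"""

# One row of "show conn" (layout assumed from the article's output).
CONN_LINE = re.compile(
    r"^\s*(?P<conn_id>\d+)\s+(?P<np>\d+)\s+(?P<direction>in|out)\s+(?P<proto>\S+)\s+"
    r"(?P<vlan>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)
# Header line that starts each direction's block in me-stats output.
FLOW_HEADER = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+) \[RX-NextHop: (?P<rx>\w+)\] \[TX-NextHop: (?P<tx>\w+)\]"
)
# "Name : value" pairs, two of which may share one line (e.g. Packet Count / Byte Count).
FIELD = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)")


def parse_show_conn(text):
    """Return one dict per connection row of 'show conn' output."""
    rows = []
    for line in text.splitlines():
        m = CONN_LINE.match(line)
        if m:
            row = m.groupdict()
            for key in ("conn_id", "np", "vlan"):
                row[key] = int(row[key])
            rows.append(row)
    return rows


def me_stats_command(conn_id, np):
    """Build the follow-up CLI command from a conn-id and NP number."""
    return f'show np {np} me-stats "-c {conn_id} -vvv"'


def parse_me_stats(text):
    """Extract the connection IDs and per-direction counters from me-stats output."""
    result = {"conn_id": None, "other_conn_id": None, "flows": []}
    current = None
    for line in text.splitlines():
        m = re.match(r"^Connection ID:seq:\s*(\d+)\[", line)
        if m:
            result["conn_id"] = int(m.group(1))
            continue
        m = re.match(r"^\s*Other ConnID\s*:\s*(\d+)\[", line)
        if m:
            result["other_conn_id"] = int(m.group(1))
            continue
        m = FLOW_HEADER.match(line)
        if m:
            current = m.groupdict()
            result["flows"].append(current)
            continue
        if current is not None:
            # Attach counters such as packet_count / byte_count to the current direction.
            for name, value in FIELD.findall(line):
                key = name.strip().lower().replace(" ", "_")
                current[key] = int(value) if value.isdigit() else value
    return result


def pair_connections(conn_rows, stats):
    """Map the IDs reported by me-stats back onto the 'show conn' rows (leg and peer leg)."""
    by_id = {row["conn_id"]: row for row in conn_rows}
    return by_id.get(stats["conn_id"]), by_id.get(stats["other_conn_id"])


if __name__ == "__main__":
    rows = parse_show_conn(SHOW_CONN_SAMPLE)
    first = rows[0]
    print("next command:", me_stats_command(first["conn_id"], first["np"]))
    stats = parse_me_stats(ME_STATS_SAMPLE)
    leg, peer = pair_connections(rows, stats)
    print("conn", leg["conn_id"], leg["direction"], "<->", peer["conn_id"], peer["direction"])
    for flow in stats["flows"]:
        print(flow["src"], "->", flow["dst"], flow["packet_count"], "pkts", flow["byte_count"], "bytes")
```

Feed it the text you saved from the two commands; the packet and byte counters per direction are also a quick sanity check that the flow you are trying to capture is actually passing traffic through the NP you are looking at.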

 

Related Information


Cisco Application Control Engine (ACE) Troubleshooting Guide
Can't get desired results from ACE capture