traffic count on ASA

suthomas1
Level 6

We have a 2-server cluster with a virtual IP, and these servers connect to the internet via an ASA firewall. Rules to allow these on certain ports are configured.

I don't see any counts on the ACL with the virtual IP, but the ones with the physical IPs do show traffic.

Is this normal for the virtual IP not to show any traffic hits on the ACL, even though that is the one doing the transmission? If so, any reasons for me to understand better?

Thanks in advance!

2 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

If you are using the virtual IP for the communication, then the reply should also come using the virtual IP address. I would suggest you check the original request to see whether the requests are coming to the virtual IP or the actual IP of the server. You can use captures to see how the requests are coming.

access-list cap permit ip any host <virtual-ip>

capture capin access-list cap interface inside

Once you generate some traffic, check the captures:

show capture capin

That should tell you how the requests are going. If you see that the original requests are going to the actual IP of the server rather than the virtual IP, then the issue could be with your NAT translations. Check the static NAT and make sure that you are not translating the public IP to the original IP of the servers, but that you are translating it to the virtual IP. Also, make sure that the firewall has an ARP entry for the virtual IP of the server.

Hope this helps.

Regards,

NT
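Added example, not part of this thread: a small script that tallies the source addresses in `show capture capin` output so you can see at a glance whether the cluster's virtual IP ever appears as a source, or only the physical node IPs. The line layout of the capture output, the sample packets and the addresses (VIP 192.168.1.100, nodes .101/.102, cloud filter 203.0.113.10) are all constructed assumptions, and the helper names are hypothetical.

```python
import re
from collections import Counter

# Assumed layout of a "show capture" line (constructed, check against your ASA):
#   "<n>: <hh:mm:ss.usec> [802.1Q vlan#N Pn] <src-ip>.<sport> > <dst-ip>.<dport>: <flags>"
CAPTURE_LINE = re.compile(
    r"^\s*\d+:\s+\d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"                      # optional VLAN tag field
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)


def tally_sources(capture_text):
    """Count packets per source IP; summary lines that do not match are ignored."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = CAPTURE_LINE.match(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def virtual_ip_seen(capture_text, virtual_ip, physical_ips):
    """Report how many packets came from the VIP vs. the physical node IPs."""
    counts = tally_sources(capture_text)
    return {
        "vip_packets": counts.get(virtual_ip, 0),
        "physical_packets": sum(counts.get(ip, 0) for ip in physical_ips),
        # any other source seen is worth a look (e.g. an unexpected NAT or host)
        "other_sources": sorted(
            ip for ip in counts if ip != virtual_ip and ip not in physical_ips
        ),
    }


# Constructed sample output: both nodes talk to the cloud filter, VIP never appears
SAMPLE_CAPTURE = """\
3 packets captured
   1: 10:23:15.123456 192.168.1.101.51234 > 203.0.113.10.443: S 1:1(0) win 8192
   2: 10:23:15.223456 192.168.1.102.51235 > 203.0.113.10.443: S 2:2(0) win 8192
   3: 10:23:15.323456 192.168.1.101.51236 > 203.0.113.10.80: S 3:3(0) win 8192
3 packets shown
"""

if __name__ == "__main__":
    print(virtual_ip_seen(SAMPLE_CAPTURE, "192.168.1.100",
                          ["192.168.1.101", "192.168.1.102"]))
```

A result of zero VIP packets with all traffic on the physical IPs matches what the thread describes: the ACL entry for the VIP never gets a hit because the nodes source their own connections.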

Thanks for your inputs. I had a trace done before, and it only showed requests from the physical IPs.

ARP cannot be seen on the ASA for this, as the server is connected to another router. No separate NAT is used for this server, as it is not accessed from outside.

This server is used for some web filtering, so all requests are started from internal to an external IP in the cloud. It shares the NAT IP with other users.

Appreciate all your help.

Thanks.
