Wednesday, March 27, 2013

Building a capture ACL/sniffing on the frontend of a Cisco ASA

I was working on debugging a VIP on a Citrix Netscaler a while back to verify that traffic was passing with no loss and that connections were being attempted or established through a Cisco ASA firewall. To do that, I built a capture ACL with a non-circular buffer (it has to be cleared once it fills) on the outside interface. I made a named extended ACL to capture traffic to a particular VIP (1.1.1.1), since there was very little communication at the time, which made it easy to check connectivity:

asa# conf term
asa(config)# access-list snifftest extended permit tcp any host 1.1.1.1 eq https
asa(config)# capture snifftest access-list snifftest interface outside

To show buffer data for the "snifftest" capture (note that the capture only holds packets matching the ACL in the direction it is written, any source to the VIP, so the VIP's own SYN-ACK does not appear here; a second entry for the return direction would be needed to see both sides of the handshake):
 
asa# show capture snifftest
2 packets captured
   1: 15:59:24.543169 2.2.2.2.53360 > 1.1.1.1.443: S 2744539342:2744539342(0) win 5840 <mss 1380,sackOK,timestamp 2400379488 0,nop,wscale 1>
   2: 15:59:24.600158 2.2.2.2.53360 > 1.1.1.1.443: . ack 3969450766 win 5840
2 packets shown
asa# show capture snifftest
2 packets captured
   1: 15:59:24.543169 2.2.2.2.53360 > 1.1.1.1.443: S 2744539342:2744539342(0) win 5840 <mss 1380,sackOK,timestamp 2400379488 0,nop,wscale 1>
   2: 15:59:24.600158 2.2.2.2.53360 > 1.1.1.1.443: . ack 3969450766 win 5840
2 packets shown
asa#
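As an added example (not code from the original post), here is a small Python parser for the text that `show capture <name>` prints. It groups packets into flows and reports how far each TCP handshake got, which is the "are connections being established" question this capture was built to answer. It assumes the tcpdump-style line format shown above (packet number, timestamp, `src.port > dst.port:`, flags, then `ack N` when the ACK bit is set). The embedded sample capture is constructed, not real traffic: it includes the VIP's SYN-ACK as a capture with ACL entries in both directions would show it, plus a second client whose SYN is retransmitted and never answered.

```python
"""Parse Cisco ASA `show capture <name>` text and summarize TCP handshake
progress per flow, so SYNs that never draw a SYN-ACK stand out.

Added example, not code from the original post. The line format is assumed
from the post's own output; the sample capture below is constructed."""
import re
from collections import defaultdict

# Constructed sample output (not real traffic). Flow from 2.2.2.2 completes
# its handshake; flow from 3.3.3.3 sends the same SYN twice (a retransmit)
# and never gets a SYN-ACK back from the VIP.
SAMPLE_CAPTURE = """\
5 packets captured
   1: 15:59:24.543169 2.2.2.2.53360 > 1.1.1.1.443: S 2744539342:2744539342(0) win 5840 <mss 1380,sackOK,timestamp 2400379488 0,nop,wscale 1>
   2: 15:59:24.598877 1.1.1.1.443 > 2.2.2.2.53360: S 3969450765:3969450765(0) ack 2744539343 win 8192 <mss 1380>
   3: 15:59:24.600158 2.2.2.2.53360 > 1.1.1.1.443: . ack 3969450766 win 5840
   4: 15:59:31.101204 3.3.3.3.40120 > 1.1.1.1.443: S 1111111111:1111111111(0) win 5840 <mss 1380>
   5: 15:59:34.101310 3.3.3.3.40120 > 1.1.1.1.443: S 1111111111:1111111111(0) win 5840 <mss 1380>
5 packets shown
"""

# One packet line: "   1: 15:59:24.543169 2.2.2.2.53360 > 1.1.1.1.443: S ..."
PACKET_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)\s*(?P<rest>.*)$"
)


def parse_capture(text):
    """Return a list of packet dicts; the 'N packets captured/shown' lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["num"] = int(p["num"])
        p["sport"] = int(p["sport"])
        p["dport"] = int(p["dport"])
        # tcpdump-style output prints "ack <n>" only when the ACK bit is set
        # ("sackOK" in the options must not count, hence the word boundary).
        p["has_ack"] = re.search(r"\back \d+", p["rest"]) is not None
        packets.append(p)
    return packets


def handshake_report(text):
    """Map 'client:port -> server:port' to handshake counters and a verdict.

    Verdicts: 'established' (SYN, SYN-ACK and a following ACK all seen),
    'syn_acked' (SYN-ACK seen but no ACK from the client yet) and
    'no_synack' (SYN seen, possibly retransmitted, with no answer)."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for p in parse_capture(text):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if "S" in p["flags"] and not p["has_ack"]:
            flows[fwd]["syn"] += 1            # client -> server SYN
        elif "S" in p["flags"] and p["has_ack"] and rev in flows:
            flows[rev]["synack"] += 1         # server -> client SYN-ACK
        elif p["has_ack"] and fwd in flows and flows[fwd]["synack"]:
            flows[fwd]["ack"] += 1            # client's ACK completing the handshake
    report = {}
    for (cip, cport, sip, sport), c in flows.items():
        if c["synack"] and c["ack"]:
            verdict = "established"
        elif c["synack"]:
            verdict = "syn_acked"
        else:
            verdict = "no_synack"
        report[f"{cip}:{cport} -> {sip}:{sport}"] = dict(c, verdict=verdict)
    return report


def unanswered_syns(text):
    """Flows whose SYN (including any retransmits) never drew a SYN-ACK."""
    return sorted(k for k, v in handshake_report(text).items()
                  if v["verdict"] == "no_synack")


if __name__ == "__main__":
    for flow, info in handshake_report(SAMPLE_CAPTURE).items():
        print(f"{flow}: syn={info['syn']} synack={info['synack']} "
              f"ack={info['ack']} -> {info['verdict']}")
```

Paste the real `show capture` output into a file and hand its contents to `handshake_report`; any flow whose verdict is `no_synack` (especially with `syn` greater than 1, meaning the client is retransmitting) is the one to chase next on the Netscaler side.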

To clear the buffer:

asa# clear capture snifftest
asa# show capture snifftest
0 packet captured
0 packet shown

To remove the ongoing capture:
 
asa# conf term
asa(config)# no capture snifftest
asa# show capture
asa#

To remove the ACL added:

asa# conf term
asa(config)# no access-list snifftest line 1 extended permit tcp any host 1.1.1.1 eq https

asa# show access-list snifftest
ERROR: access-list <snifftest> does not exist
asa#

This was the first step in checking the path for packet loss; the next steps included sniffing the Netscaler DMZ interface (nstrace) and the backend web server interface to ensure simple TCP connections were being established before load. It, of course, gets tricky at the load balancer, as you're changing backend server IPs/ports and even frontend inbound IPs/ports to follow a stream...
