topic Re: ACE PAT to two IP-number in Application Networking

ACE PAT to two IP-number

mruuth — Thu, 22 Sep 2011 09:28:03 GMT

Hi all,

ACE20 module with A2(3.3)

I have tried to config a NAT-pool with two adresses, but only one is used.

class-map match-all NAT015_VLAN702

2 match source-address 192.168.137.93 255.255.255.255

3 match destination-address 192.168.137.0 255.255.255.255

policy-map multi-match lb-int-vlan802

class V13700080

loadbalance vip inservice

loadbalance policy V13700080-l7slb

loadbalance vip icmp-reply active

appl-parameter http advanced-options PAMHTTP001

connection advanced-options PAMCONNSV

class NAT015_VLAN702

nat dynamic 70203 vlan 702

interface vlan 702

bridge-group 802

no normalization

access-group input BPDU

access-group input alla

access-group output alla

nat-pool 70202 192.168.32.1 192.168.32.2 netmask 255.255.255.255 pat

nat-pool 70203 192.168.32.5 192.168.32.6 netmask 255.255.255.255 pat

nat-pool 70204 192.168.32.9 192.168.32.10 netmask 255.255.255.255 pat

nat-pool 70205 192.168.32.13 192.168.32.14 netmask 255.255.255.255 pat

nat-pool 70206 192.168.32.17 192.168.32.18 netmask 255.255.255.255 pat

nat-pool 70207 192.168.32.21 192.168.32.22 netmask 255.255.255.255 pat

service-policy input lb-int-vlan802

no shutdown

Can someone tell me what is wrong?

Regards

Mats

ACE PAT to two IP-number

chrhiggi — Mon, 26 Sep 2011 17:54:51 GMT

Hello Mats-

How exactly did you verify only 1 of the 2 IPs were in use? ACE actually tries to conserve ports and IP addresses, so it will exhaust all ~64k PAT entries on the first IP before it uses the 2nd address.

Regards,

Chris Higgins

ACE PAT to two IP-number

mruuth — Fri, 30 Sep 2011 11:02:50 GMT

Hi Chris,

Been away a couple of days.

I'm doing show xlate global 192.168.32.5 and 192.168.35.6 and I never see xlate's on 192.168.32.6.

A#1/prod1# sho xlate global 192.168.32.5

TCP PAT from vlan702:192.168.137.93/22524 to vlan702:192.168.32.5/62357

TCP PAT from vlan702:192.168.137.93/22565 to vlan702:192.168.32.5/62396

TCP PAT from vlan702:192.168.137.93/22600 to vlan702:192.168.32.5/62433

TCP PAT from vlan702:192.168.137.93/22686 to vlan702:192.168.32.5/62519

TCP PAT from vlan702:192.168.137.93/22814 to vlan702:192.168.32.5/62645

TCP PAT from vlan702:192.168.137.93/21368 to vlan702:192.168.32.5/61201

TCP PAT from vlan702:192.168.137.93/22514 to vlan702:192.168.32.5/64626

TCP PAT from vlan702:192.168.137.93/22605 to vlan702:192.168.32.5/64720

TCP PAT from vlan702:192.168.137.93/22527 to vlan702:192.168.32.5/64644

TCP PAT from vlan702:192.168.137.93/21935 to vlan702:192.168.32.5/64052

TCP PAT from vlan702:192.168.137.93/22863 to vlan702:192.168.32.5/64978

TCP PAT from vlan702:192.168.137.93/22882 to vlan702:192.168.32.5/64998

TCP PAT from vlan702:192.168.137.93/22893 to vlan702:192.168.32.5/65008

TCP PAT from vlan702:192.168.137.93/22996 to vlan702:192.168.32.5/65113

TCP PAT from vlan702:192.168.137.93/23012 to vlan702:192.168.32.5/65129

A#1/prod1#

A couple of seconds later it start over with low portnumbers

A#1/prod1# sho xlate global 192.168.32.5

TCP PAT from vlan702:192.168.137.93/23673 to vlan702:192.168.32.5/1279

TCP PAT from vlan702:192.168.137.93/23728 to vlan702:192.168.32.5/1334

TCP PAT from vlan702:192.168.137.93/23984 to vlan702:192.168.32.5/1588

TCP PAT from vlan702:192.168.137.93/24113 to vlan702:192.168.32.5/63943

A#1/prod1#

This server has about 140 conn/sec at this moment, but under high load about 250 conn /sec.

As You can see from my show command, that the connectionstime are very short

Regards

Mats Ruuth

ACE PAT to two IP-number

chrhiggi — Mon, 03 Oct 2011 16:36:58 GMT

Mats-

Can you get a show tech for me?

@250 CPS, if connections were to hang around for more than 4 minutes, we would expect to see the other IP used - otherwise, ACE will just recycle the existing IP since it is using PAT and controlling the ports. We can check some of the stats to see if it sees the other IP or not.

Regards,

Chris

Re: ACE PAT to two IP-number

mruuth — Wed, 05 Oct 2011 06:24:05 GMT

Hi Chris,

Connections are very shortlived, so no connection stays longer than 4 minutes.

I have done a show tech and attached the file.

Regards

Mats

Re: ACE PAT to two IP-number

chrhiggi — Wed, 05 Oct 2011 17:09:30 GMT

Mats-

The ARP is up for both IPs:

192.168.32.5 00.0b.fc.fe.1b.01 vlan702 NAT LOCAL _ up
- 192.168.32.6

Here are the global stats:

NAT Pool Alloc [fail]:                        13498             0
NAT Pool Alloc [addr/port]:               954879764           516
NAT Pool Free [addr/port]:                954879609           515

NAT Pool Alloc [fail]:                        19584             0
NAT Pool Alloc [addr/port]:               954728191           298
NAT Pool Free [addr/port]:                954728038           305

Something interesting to note - With NAT, there are 4 types - Static with/without pat and Dynamic with/without pat.

When PAT is not used, ACE times out the xlate in 3 hours by default. When PAT is used, ACE times out the xlate when the connection closes.

According to your stats - Some of the natpools ran out of resources at some point in time. However, it has been .00001% of the total translations where that occured. As you can see in the stats - the allocation vs. the purges are very, very close as expected because you are using PAT on all of your translations. If you were to exhaust the translations for a single IP, you would need to push 16000 cps @ 4 seconds long each. According to what you noted - this will never happen for your current setup.

Regards,

Chris

Re: ACE PAT to two IP-number

mruuth — Thu, 06 Oct 2011 06:03:46 GMT

Chris,

Thank you for your response to my question.

Regards

Mats

P.S. I want to rate this with three stars. How do I do that?