topic Rservers initiated traffic not sourcing the traffic as VIP in Ace 4710 in Application Networking

Rservers initiated traffic not sourcing the traffic as VIP in Ace 4710

Ethen Daniel — Thu, 06 Feb 2014 19:10:50 GMT

One of the feature of our application is that our Application Server initiate text message to our devices sourcing from UDP 1120 and device need to see the message come from a specific pubic IP (2.2.2.2) with UDP port 1120 and reply back with the same Public IP (2.2.2.2) with UDP port 1120.The problem is we can make that happen if we have only one server in our ACE Serverfarm when we do a SNAT the real servers with the VIP address (10.1.246.32) but it does not work when we have more than one server in the Serverfarm. Since we have 2 servers, i cannot nat the real servers with the VIP address, if I do a PAT, obviously it is changing the source port of the request.

Note: This setup is working fine with the Cisco Content Switch module running on chasis 6509. When I sniff the traffic initiated from the server coming the CSM load balancer, it is sourcing the traffic as the VIP and the source port remains the same by default but this is not the case with ACE 4710

Traffic flow as follows

===============

ACE 4710 FWSM (Firewall static NAT) Device ( configured with 2.2.2.2:1120 (udp) to snd/rcv msg)

VIP

Rserver 1 - 10.1.104.80 10.1.246.32 10.1.246.32 < - > 2.2.2.2 1.1.1.1

Rserver 2 - 10.1.104.81c

----------------------------------------------------------> -------------------------------> - traffic flow from server to the device when we send msg

Configs:

======

rserver host server1

ip address 10.1.104.80

inservice

rserver host server2

ip address 10.1.104.81

inservice

serverfarm host SFARM

failaction purge

probe ICMP

rserver server1

inservice

rserver server2

inservice

access-list TEST-1120 line 8 extended permit udp host 10.1.104.80 eq 1120 any

access-list TEST-1120 line 16 extended permit udp host 10.1.104.81 eq 1120 any

parameter-map type connection UDP_TIMEOUT

set timeout inactivity 3600

sticky ip-netmask 255.255.255.255 address source STKY-SFARM

serverfarm SFARM

timeout 180

replicate sticky

class-map match-all CLS-SFARM

2 match virtual-address 10.1.246.32 udp eq 1120

class-map match-all SERVERNAT

2 match access-list TEST-1120

policy-map type loadbalance first-match POL-SFARM

class class-default

sticky-serverfarm STKY-SFARM

policy-map multi-match POL-LB

class CLS-SFARM

loadbalance vip inservice

loadbalance policy POL-SFARM

loadbalance vip icmp-reply active

connection advanced-options UDP_TIMEOUT

class SERVERNAT

nat dynamic 1 vlan 244

int vlan 244

ip address 10.1.246.2 255.255.255.0

service-policy input POL-LB

nat-pool 1 10.1.246.32 10.1.246.32 netmask 255.255.255.255

mac-sticky enable

no icmp-guard

no shut

interface vlan 2506

ip address 10.1.104.2 255.255.255.0

service-policy input POL-LB

mac-sticky enable

no icmp-guard

no shut

Rservers initiated traffic not sourcing the traffic as VIP in Ac

Kanwaljeet Singh — Thu, 06 Feb 2014 20:35:48 GMT

Hi Ethen,

If you are not using PAT then you would one more IP in the pool. If both servers need to communicate simultaneously we should have two IP's or we need to use PAT. This is how it is suppose to work.

Regards,

Kanwal

Rservers initiated traffic not sourcing the traffic as VIP in Ac

Ethen Daniel — Thu, 06 Feb 2014 21:15:25 GMT

Hi Kanwal,

Thank you for your reply. If I use the NAT with 2 ip address, I have the challenges to NAT it with the same public ip and same source port while it leaves the firewall.

In CSM, when the traffic leaves, it maintains the same source port and VIP address when the traffic egressess. Is there any way i can replicate in Ace 4710 ?

Do you know how the transparent command works with the serverfarm ?

Thanks,

Ethen

Rservers initiated traffic not sourcing the traffic as VIP in Ac

Kanwaljeet Singh — Thu, 06 Feb 2014 21:21:16 GMT

Hi Ethen,

Transparent command will mean that ACE will not do the destination NAT that it does by default when forwarding the packet to real server. It will not help in your scenario. For one server it should work in ACE 4710 as well but as you said when both servers will try to communicate it will be a problem.

Regards,

Kanwal

Rservers initiated traffic not sourcing the traffic as VIP in Ac

Kanwaljeet Singh — Thu, 06 Feb 2014 21:23:58 GMT

Hi Ethen,

If you look at it logically if both the servers use same IP and same src port to go out , when the traffic will come back, how will ACE differentiate which packet shall go to which real server? That can be differentiated if you have PAT because it will have different destination ports when the traffic comes back.

Regards,

Kanwal

Rservers initiated traffic not sourcing the traffic as VIP in Ac

Ethen Daniel — Thu, 06 Feb 2014 21:27:49 GMT

Hi Kanwal,

You are right. I understand that. I dont know what logic is been used by CSM to behave like this and why not. We are in the process of migrating everything from CSM to ACE 4710 due to EOL but knda stuck in the middle.

If you know of any alternate solution, please let me know... Thanks again for your help.

Regards,

Ethen

Rservers initiated traffic not sourcing the traffic as VIP in Ac

Kanwaljeet Singh — Thu, 06 Feb 2014 22:30:46 GMT

Hi Ethen,

Thought about it but out of ideas:). May be someone else can throw some light on it but it is strange that it is working in CSM.

Regards,

Kanwal

Rservers initiated traffic not sourcing the traffic as VIP in Ac

Ethen Daniel — Thu, 06 Feb 2014 23:05:33 GMT

I see in CSS, they are able to nat the source ip address with VIP and port-mapping diabled. How do I implement

portmap disable in ACE 4710

Disabling Port Mapping

By default, the CSS NATs source IP addresses and PATs source ports for a configured source group. If you configure the portmap disablecommand in a source group, the CSS performs NAT on the source IP addresses but does not perform PAT on the source ports of UDP traffic that matches on that source group.

For UDP applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups instead of using the portmap disable command. Destination services cause the CSS to NAT the client source ports, but not the destination ports. For information about configuring destination services,

Rservers initiated traffic not sourcing the traffic as VIP in Ac

Kanwaljeet Singh — Fri, 07 Feb 2014 01:40:28 GMT

Hi Ethen,

Can you paste the configuration done in CSM which you say is working?

Regards,

Kanwal

Rservers initiated traffic not sourcing the traffic as VIP in Ac

Ethen Daniel — Fri, 07 Feb 2014 16:49:43 GMT

Hi Kanwal,

This is the configuration I see in CSS, I will add the configurations from CSM as well later....

group VIP-NAT

vip address 10.1.246.32

portmap disable

active

acl 15

clause 10 permit udp 10.1.104.80 eq 1120 destination 1.0.0.0 255.0.0.0 sourcegroup VIP-NAT

clause 20 permit udp 10.1.104.81 eq 1120 destination 1.0.0.0 255.0.0.0 sourcegroup VIP-NAT

apply circuit-(VLANX)

Regards,

Ethen

Rservers initiated traffic not sourcing the traffic as VIP in Ac

Kanwaljeet Singh — Fri, 07 Feb 2014 17:02:07 GMT

Hi Ethen,

I don't see any option in ACE to disable port mapping. By default it doesn't do port mapping unless you define PAT. What is baffling here is that destination is same and when traffic comes back how does CSS or CSM decide to which server packet should be given unless that doesn't matter.

I would suggest to open a TAC case as well. If it works for CSM it should for ACE module/appliance. Since it is isn't it would be helpful to know why this functionality was removed or not given. May be they can add a new feature in future releases but with ACE phasing out i doubt it will happen.

Regards,

Kanwal