Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1957
Views
0
Helpful
6
Replies

ACE PAT to two IP-number

Go to solution
mruuth
Level 1
Level 1

‎09-22-2011 02:28 AM

Hi all,

ACE20 module with A2(3.3)

I have tried to config a NAT-pool with two adresses, but only one is used.

class-map match-all NAT015_VLAN702

  2 match source-address 192.168.137.93 255.255.255.255

  3 match destination-address 192.168.137.0 255.255.255.255

 

policy-map multi-match lb-int-vlan802

  class V13700080

    loadbalance vip inservice

    loadbalance policy V13700080-l7slb

    loadbalance vip icmp-reply active

    appl-parameter http advanced-options PAMHTTP001

    connection advanced-options PAMCONNSV

  class NAT015_VLAN702

    nat dynamic 70203 vlan 702

  interface vlan 702

  bridge-group 802

  no normalization

  access-group input BPDU

  access-group input alla

  access-group output alla

  nat-pool 70202 192.168.32.1 192.168.32.2 netmask 255.255.255.255 pat

  nat-pool 70203 192.168.32.5 192.168.32.6 netmask 255.255.255.255 pat

  nat-pool 70204 192.168.32.9 192.168.32.10 netmask 255.255.255.255 pat

  nat-pool 70205 192.168.32.13 192.168.32.14 netmask 255.255.255.255 pat

  nat-pool 70206 192.168.32.17 192.168.32.18 netmask 255.255.255.255 pat

  nat-pool 70207 192.168.32.21 192.168.32.22 netmask 255.255.255.255 pat

  service-policy input lb-int-vlan802

  no shutdown

Can someone tell me what is wrong?

Regards

Mats

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
chrhiggi
Level 3
Level 3
In response to mruuth

‎10-05-2011 10:09 AM

Mats-

The ARP is up for both IPs:

192.168.32.5    00.0b.fc.fe.1b.01  vlan702   NAT        LOCAL     _         up
- 192.168.32.6 

Here are the global stats:

NAT Pool Alloc [fail]:                        13498             0
NAT Pool Alloc [addr/port]:               954879764           516
NAT Pool Free [addr/port]:                954879609           515


NAT Pool Alloc [fail]:                        19584             0
NAT Pool Alloc [addr/port]:               954728191           298
NAT Pool Free [addr/port]:                954728038           305

Something interesting to note - With NAT, there are 4 types - Static with/without pat and Dynamic with/without pat.

When PAT is not used, ACE times out the xlate in 3 hours by default.  When PAT is used, ACE times out the xlate when the connection closes.

According to your stats - Some of the natpools ran out of resources at some point in time.  However, it has been .00001% of the total translations where that occured.  As you can see in the stats - the allocation vs. the purges are very, very close as expected because you are using PAT on all of your translations. If you were to exhaust the translations for a single IP, you would need to push 16000 cps @ 4 seconds long each. According to what you noted - this will never happen for your current setup.

Regards,

Chris

View solution in original post

0 Helpful
6 Replies 6

Go to solution
chrhiggi
Level 3
Level 3

‎09-26-2011 10:54 AM

Hello Mats-

  How exactly did you verify only 1 of the 2 IPs were in use? ACE actually tries to conserve ports and IP addresses, so it will exhaust all ~64k PAT entries on the first IP before it uses the 2nd address.

Regards,

Chris Higgins

0 Helpful

Go to solution
mruuth
Level 1
Level 1
In response to chrhiggi

‎09-30-2011 04:02 AM

Hi Chris,

Been away a couple of days.

I'm doing show xlate global 192.168.32.5 and 192.168.35.6 and I never see xlate's on 192.168.32.6.

A#1/prod1# sho xlate global 192.168.32.5

TCP PAT from vlan702:192.168.137.93/22524 to vlan702:192.168.32.5/62357

TCP PAT from vlan702:192.168.137.93/22565 to vlan702:192.168.32.5/62396

TCP PAT from vlan702:192.168.137.93/22600 to vlan702:192.168.32.5/62433

TCP PAT from vlan702:192.168.137.93/22686 to vlan702:192.168.32.5/62519

TCP PAT from vlan702:192.168.137.93/22814 to vlan702:192.168.32.5/62645

TCP PAT from vlan702:192.168.137.93/21368 to vlan702:192.168.32.5/61201

TCP PAT from vlan702:192.168.137.93/22514 to vlan702:192.168.32.5/64626

TCP PAT from vlan702:192.168.137.93/22605 to vlan702:192.168.32.5/64720

TCP PAT from vlan702:192.168.137.93/22527 to vlan702:192.168.32.5/64644

TCP PAT from vlan702:192.168.137.93/21935 to vlan702:192.168.32.5/64052

TCP PAT from vlan702:192.168.137.93/22863 to vlan702:192.168.32.5/64978

TCP PAT from vlan702:192.168.137.93/22882 to vlan702:192.168.32.5/64998

TCP PAT from vlan702:192.168.137.93/22893 to vlan702:192.168.32.5/65008

TCP PAT from vlan702:192.168.137.93/22996 to vlan702:192.168.32.5/65113

TCP PAT from vlan702:192.168.137.93/23012 to vlan702:192.168.32.5/65129

A#1/prod1#

A couple of seconds later it start over with low portnumbers

A#1/prod1# sho xlate global 192.168.32.5

TCP PAT from vlan702:192.168.137.93/23673 to vlan702:192.168.32.5/1279

TCP PAT from vlan702:192.168.137.93/23728 to vlan702:192.168.32.5/1334

TCP PAT from vlan702:192.168.137.93/23984 to vlan702:192.168.32.5/1588

TCP PAT from vlan702:192.168.137.93/24113 to vlan702:192.168.32.5/63943

A#1/prod1#

This server has about 140 conn/sec at this moment, but under high load about 250 conn /sec.

As You can see from my show command, that the connectionstime are very short

Regards

Mats Ruuth

0 Helpful

Go to solution
chrhiggi
Level 3
Level 3
In response to mruuth

‎10-03-2011 09:36 AM

Mats-

Can you get a show tech for me? 

@250 CPS, if connections were to hang around for more than 4 minutes, we would expect to see the other IP used - otherwise, ACE will just recycle the existing IP since it is using PAT and controlling the ports.  We can check some of the stats to see if it sees the other IP or not.

Regards,

Chris

0 Helpful

Go to solution
mruuth
Level 1
Level 1
In response to chrhiggi

‎10-04-2011 11:24 PM

Hi Chris,

Connections are very shortlived, so no  connection stays longer than 4 minutes.

I have done a show tech and attached the file.

Regards

Mats

114866-shotechmruuth.txt.zip
0 Helpful

Go to solution
chrhiggi
Level 3
Level 3
In response to mruuth

‎10-05-2011 10:09 AM

Mats-

The ARP is up for both IPs:

192.168.32.5    00.0b.fc.fe.1b.01  vlan702   NAT        LOCAL     _         up
- 192.168.32.6 

Here are the global stats:

NAT Pool Alloc [fail]:                        13498             0
NAT Pool Alloc [addr/port]:               954879764           516
NAT Pool Free [addr/port]:                954879609           515


NAT Pool Alloc [fail]:                        19584             0
NAT Pool Alloc [addr/port]:               954728191           298
NAT Pool Free [addr/port]:                954728038           305

Something interesting to note - With NAT, there are 4 types - Static with/without pat and Dynamic with/without pat.

When PAT is not used, ACE times out the xlate in 3 hours by default.  When PAT is used, ACE times out the xlate when the connection closes.

According to your stats - Some of the natpools ran out of resources at some point in time.  However, it has been .00001% of the total translations where that occured.  As you can see in the stats - the allocation vs. the purges are very, very close as expected because you are using PAT on all of your translations. If you were to exhaust the translations for a single IP, you would need to push 16000 cps @ 4 seconds long each. According to what you noted - this will never happen for your current setup.

Regards,

Chris

0 Helpful

Go to solution
mruuth
Level 1
Level 1
In response to chrhiggi

‎10-05-2011 11:03 PM

Chris,

Thank you for your response to my question.

Regards

Mats

P.S. I want to rate this with three stars. How do I do that?

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card