CSS NAT issues

bennytan1
Level 1

Hi All...

A quick check whether you all have encountered this, as I'm quite new to CSS.

I currently have this setup with 2 servers (10.0.0.99 & 100). I have an NTP server on another segment outside the CSS, and I wish to time sync these 2 servers with the external NTP server. When I tried to initiate the time sync on 10.0.0.99, it's OK; when I tried with 10.0.0.100, it FAILS. I checked the NAT using "show flow", and it shows that the connection is being translated back to 10.0.0.99 instead of 100. Is my configuration wrong as shown below? I heard that it'll be possible to bypass NAT as long as I have a route back to the servers, is it true?

Thanks and regards

*********Service***********

service APP1
  ip address 10.0.0.99
  active

service APP2
  ip address 10.0.0.100
  active

*********Owner***********

content APP
  vip address 10.0.0.49
  add service APP1
  add service APP2
  advanced-balance sticky-srcip
  active

*********Group***********

group APP
  vip address 10.0.0.49
  add service APP1
  add service APP2
  active

6 Replies

Gilles Dufour
Cisco Employee

Is your NTP client using source port 123?

Some clients use source port 123, and therefore this will create a problem.

If you can change the source port of the client, give it a try.

Do you need NATing for NTP?

If not, you could use an acl to define what should be NATed and what should not.

Remove the 'add service ...' from the group.

Then create an acl like this:

acl 1
  clause 10 bypass udp any destination any eq 123
  clause 20 bypass tcp any destination any eq 123
  clause 30 permit any host 10.0.0.99 destination any sourcegroup APP
  clause 40 permit any host 10.0.0.100 destination any sourcegroup APP
  clause 99 permit any any destination any
  apply all

Don't forget to enable the acl after that.

Regards,

Gilles.

Hi Gilles..

Thanks for the clarification. Yes, my clients are using source udp 123.

In this case, I may heed your 2nd suggestion and bypass NAT for that.. thanks a lot, will try it..

Cheers

Hi Gilles....

Can you tell me what sort of problems will arise when my clients use udp 123, and why does it happen?

cheers

When you NAT client X:123 and client Y:123 to VIP:123, if a packet comes to the CSS with destination IP VIP:123, how can you tell if this is for X or Y?

If the clients were using different ports that would be no problem, but exactly the same port is an issue.

Gilles.

Ok:

Your client address: 1.1.1.1 srcpt:123 dest: 123

Server address: 2.2.2.2 srcprt: 123 destport: 123

The CSS has to maintain a table:

Src Address      SPort  Dst Address      DPort  NAT Dst Address  Prt  InPort  OutPort
---------------  -----  ---------------  -----  ---------------  ---  ------  -------
1.1.1.1          123    2.2.2.2          123    3.3.3.3          TCP  e1      e2

The CSS does NAT and not PAT by default. Thus the translation is swapping the dest address for the service address on the back end.

The server on the back end replies back to the host, which passes back through the CSS, which un-NATs the address to the VIP address. Thus the client always sees the request coming from the VIP and not the server.

You need to NAT the device on the back end. How can the CSS send the packet to the server address without translating the client's request to the VIP? If you did not translate, the client would send the request to the server(s) directly (voiding the need for the CSS). Or the CSS would forward the request unaltered to whom? The destination address is still the VIP.

You have people send requests to the VIP so you can hide the services from the user. This allows seamless maintenance of devices by using NAT and service intelligence.

The VIP getting the request from the client then must pass the packet to the server. As a result the address (destination) MUST change from the VIP address (client request) to the NAT address of the server behind the CSS (CSS-transmitted client request).

How can you load balance a request if the destination address is not changed?
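The following is an added example written for this thread; it is not CSS code and not from Cisco or any poster here. It models two things explained above: why two clients that both send from source port 123 to the same NTP server collide behind a single VIP when the CSS does NAT without port translation (Gilles' reply), and how the first-match acl clauses from Gilles' earlier reply bypass NTP while still applying sourcegroup NAT to other traffic from 10.0.0.99 and 10.0.0.100. The NTP server address 192.0.2.10 is a constructed placeholder, the "first flow wins the table entry" collision behaviour and the PAT port allocation are simplifying assumptions of the model, and the implicit deny for unmatched traffic is modelled as a hypothetical `deny` action.

```python
"""Model of the CSS source-group NAT collision described in this thread.

Constructed example, not CSS code. The flow table, the PAT allocator and the
first-match ACL evaluator are simplified models of the behaviour the thread
describes, not a reimplementation of the CSS.
"""
from dataclasses import dataclass

VIP = "10.0.0.49"          # group APP vip address from the original post
NTP_SERVER = "192.0.2.10"  # constructed placeholder for the external NTP server
CLIENTS = ("10.0.0.99", "10.0.0.100")


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatTable:
    """Reverse lookup: (nat_src, nat_sport, dst, dport, proto) -> client Flow.

    pat=False keeps the client's source port (plain NAT, the CSS default per
    the thread); pat=True allocates a unique port per flow (assumed allocator).
    """

    def __init__(self, pat: bool):
        self.pat = pat
        self.reverse = {}
        self._next_port = 1024

    def translate(self, flow: Flow, nat_src: str):
        sport = flow.sport
        if self.pat:
            sport = self._next_port
            self._next_port += 1
        key = (nat_src, sport, flow.dst, flow.dport, flow.proto)
        # Modelling assumption: the first flow to claim a key keeps it, so a
        # later identical key is the collision ("show flow" translating the
        # reply back to 10.0.0.99 instead of .100).
        self.reverse.setdefault(key, flow)
        return key

    def reply_target(self, proto, src, sport, dst, dport):
        """Client that a server reply (src:sport -> dst:dport) is un-NATed to."""
        return self.reverse.get((dst, dport, src, sport, proto))


# ACL clauses from Gilles' reply: (action, proto, src, dst, dport, sourcegroup).
# Evaluated first-match; anything unmatched falls to a modelled implicit deny.
ACL = [
    ("bypass", "udp", "any", "any", 123, None),           # clause 10
    ("bypass", "tcp", "any", "any", 123, None),           # clause 20
    ("permit", "any", "10.0.0.99", "any", None, "APP"),   # clause 30
    ("permit", "any", "10.0.0.100", "any", None, "APP"),  # clause 40
    ("permit", "any", "any", "any", None, None),          # clause 99
]


def classify(flow: Flow):
    """Return (action, sourcegroup) of the first matching clause."""
    for action, proto, src, dst, dport, group in ACL:
        if (proto in ("any", flow.proto) and src in ("any", flow.src)
                and dst in ("any", flow.dst) and dport in (None, flow.dport)):
            return action, group
    return "deny", None


def deliver_ntp(use_acl: bool, pat: bool):
    """Map each client to the client its NTP reply actually reaches."""
    table = NatTable(pat)
    reached = {}
    for client in CLIENTS:
        req = Flow("udp", client, 123, NTP_SERVER, 123)
        if use_acl:
            action, group = classify(req)
        else:
            # Without the ACL, group APP source-NATs everything from its services.
            action, group = "permit", "APP"
        if action == "deny":
            reached[client] = None            # dropped
        elif action == "bypass" or group is None:
            reached[client] = client          # routed untouched, reply returns directly
        else:
            nat_src, nat_sport, *_ = table.translate(req, VIP)
            reply = table.reply_target("udp", NTP_SERVER, 123, nat_src, nat_sport)
            reached[client] = reply.src
    return reached


if __name__ == "__main__":
    print("plain NAT, no ACL :", deliver_ntp(use_acl=False, pat=False))
    print("PAT, no ACL       :", deliver_ntp(use_acl=False, pat=True))
    print("plain NAT + bypass:", deliver_ntp(use_acl=True, pat=False))
```

With plain NAT and no ACL the second client's reply is un-NATed to 10.0.0.99, which is the symptom from the original post; either port translation or the bypass clauses for port 123 give each client its own reply, while HTTP from the servers is still source-NATed to the group VIP by clauses 30 and 40.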

dtodd
Level 1

Hi:

I guess I don't understand why you are using a service/service group to set up NTP (unless you are balancing NTP).

Why are you using stickiness with a NAT rule? This is a quick single session where it does not matter which server you connect to. Having stickiness will usually cause one server to get hit much more often.

I would recommend that you remove stickiness since there is no "state" in NTP. If the services you included are for NTP, there are no ports in the service or protocols.

Am I missing something?

Besides the tcp flow, I would also use the "llama" command "debug" and check to see if you are seeing a sticky session to the ntp service. I would also verify that your services are up and running (show service app1).

Lastly,

On the CSS use the ntp/sntp command and specify the servers you are using for ntp. Verify the CSS CAN use these servers as an NTP service.

I would also verify that you do not have any acls blocking your access to the ntp server. If the CSS can reach both NTP servers then there is an issue just with the service and not with the CSS's ability to reach the servers.
