RPC UDP 111 on CSS 11503
05-11-2004 01:17 PM
I've been trying to run Load Balance on CSS11503 with an application which uses RPC UDP (port 111), but I haven't found the correct configuration yet. I'm running 7.10 Build 305 version. I'm using the following:
Service Server1
  ip address 192.168.250.18
  active
service Server2
  ip address 192.168.250.19
  active
----
owner APP1
  content Server1_Server2
    add service Server1
    add service Server2
    vip address 192.168.250.17
    active
-----
group Server1_Server2
  vip address 192.168.250.17
  add destination service Server1
  add destination service Server2
  active
------
I've enabled the "debug" and when the machine 10.1.1.1 makes an FTP to the VIP address 192.168.250.17 the service works fine, but when the same machine makes an RPC UDP 111 to the same VIP address it doesn't work, as you can see below:
FTP:
-------
MAY 11 10:31:45 2/1 139 FLOWMGR-4: TCP in 10.1.1.1:1533->192.168.250.17:21 SYN
MAY 11 10:31:45 2/1 140 FLOWMGR-4: TCP out 192.168.250.17:6020->192.168.250.19:21 SYN
MAY 11 10:31:45 2/1 141 FLOWMGR-4: TCP in 192.168.250.19:21->192.168.250.17:6020 SYN ACK
MAY 11 10:31:45 2/1 142 FLOWMGR-4: TCP out 192.168.250.17:21->10.1.1.1:1533 SYN ACK
RPC UDP 111:
---------------------
MAY 11 10:24:42 1/1 1245 FLOWMGR-4: UDP in 10.1.1.1:972->192.168.250.17:111
MAY 11 10:24:42 1/1 1246 FLOWMGR-4: UDP out 192.168.250.17:972->192.168.250.19:111
MAY 11 10:24:42 1/1 1247 FLOWMGR-4: UDP in 192.168.250.19:111->192.168.250.17:972
MAY 11 10:24:42 1/1 1248 FLOWMGR-4: UDP out 192.168.250.17:111->192.168.250.18:972
--->>> At this point the destination should be 10.1.1.1:972. I'd like to know why this doesn't happen.
I'd appreciate any suggestions about this problem.
Regards,
Ana
Labels: Application Networking
05-12-2004 02:35 AM
Ana,
What happened is that the response from the server also hit the content rule and was load balanced.
One of the problems is the group config.
Do you need to NAT the client IP address?
What you could do is create a more specific content rule - type:
  protocol udp
  port 111
Then, if you don't need to NAT the client IP, replace the group config with the following one:
  group
    vip address x.x.x.x
    add service
    add service
    active
This group will NAT the UDP response from the server.
But you can't have both this group and the one you have configured at the same time.
If you need to NAT client IP addresses, we will have to play with ACLs to define how to use the group.
This is a bit complex, so I first want to know if this is needed before describing it.
Regards,
Gilles.
05-12-2004 03:51 AM
Hi Gilles,
Thank you for your suggestions.
In fact, I need to NAT client IP addresses because we have a one-armed configuration as explained in the document "Cisco - CSS Load Balancing Using One Interface Configuration Example".
Could you explain why we don't have problems with FTP? Is there any restriction on using a one-armed configuration with UDP ports, regarding "portmap"?
I would appreciate some hints to solve this problem by playing with ACLs.
Regards,
Ana
05-13-2004 03:21 AM
FTP is a TCP protocol and is considered by the CSS as a bidirectional flow.
UDP, however, is considered one-way traffic.
Therefore, when you configure the content rule, you only take care of the traffic from client to server.
You need a group to also translate the response from the server to the client.
Check the following URL to understand UDP on the CSS:
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a00801e05ee.shtml
Gilles.
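
Added example, not part of any post in this thread: a Python check that pairs the in/out FLOWMGR lines quoted in the question and flags a server reply whose translated destination is not the client that sent the request. The function names, and the assumption that each "in" line is directly followed by the "out" line for the same packet, belong to this example only.

```python
import re

FLOW_RE = re.compile(r"FLOWMGR-\d+: (TCP|UDP) (in|out) (\S+)->(\S+)")

# Flow lines copied from the thread's debug output (wrapped TCP flags rejoined).
THREAD_LOG = """\
MAY 11 10:31:45 2/1 139 FLOWMGR-4: TCP in 10.1.1.1:1533->192.168.250.17:21 SYN
MAY 11 10:31:45 2/1 140 FLOWMGR-4: TCP out 192.168.250.17:6020->192.168.250.19:21 SYN
MAY 11 10:31:45 2/1 141 FLOWMGR-4: TCP in 192.168.250.19:21->192.168.250.17:6020 SYN ACK
MAY 11 10:31:45 2/1 142 FLOWMGR-4: TCP out 192.168.250.17:21->10.1.1.1:1533 SYN ACK
MAY 11 10:24:42 1/1 1245 FLOWMGR-4: UDP in 10.1.1.1:972->192.168.250.17:111
MAY 11 10:24:42 1/1 1246 FLOWMGR-4: UDP out 192.168.250.17:972->192.168.250.19:111
MAY 11 10:24:42 1/1 1247 FLOWMGR-4: UDP in 192.168.250.19:111->192.168.250.17:972
MAY 11 10:24:42 1/1 1248 FLOWMGR-4: UDP out 192.168.250.17:111->192.168.250.18:972
"""


def parse_flows(log):
    """Return (proto, direction, src, dst) tuples for every FLOWMGR flow line."""
    return [m.groups() for m in map(FLOW_RE.search, log.splitlines()) if m]


def misrouted_replies(log):
    """Find server replies whose translated destination is not the original client.
    Assumption: each 'in' record is immediately followed by the 'out' record
    for the same packet, as in the thread's output.
    """
    flows = parse_flows(log)
    clients = {}   # (proto, CSS-side endpoint, server endpoint) -> client endpoint
    findings = []
    for pkt_in, pkt_out in zip(flows[::2], flows[1::2]):
        proto, d_in, src_in, dst_in = pkt_in
        proto_out, d_out, src_out, dst_out = pkt_out
        if (d_in, d_out) != ("in", "out") or proto != proto_out:
            continue                      # not an in/out pair for one packet
        client = clients.get((proto, dst_in, src_in))
        if client is None:
            # Client-to-server packet: remember who it was forwarded on behalf of.
            clients[(proto, src_out, dst_out)] = src_in
        elif dst_out != client:
            # Reply to a forwarded packet, but sent somewhere other than the client.
            findings.append({"proto": proto, "server": src_in,
                             "expected": client, "actual": dst_out})
    return findings


if __name__ == "__main__":
    for f in misrouted_replies(THREAD_LOG):
        print("{proto} reply from {server}: expected {expected}, sent to {actual}".format(**f))
```

On the thread's own lines the TCP exchange passes and only the UDP reply from 192.168.250.19:111 is reported, which is the line marked in the question.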
