
Rservers initiated traffic not sourcing the traffic as VIP in Ace 4710

Ethen Daniel
Level 1

One of the features of our application is that our application server initiates text messages to our devices, sourcing from UDP 1120, and the device needs to see the message come from a specific public IP (2.2.2.2) with UDP port 1120 and reply back with the same public IP (2.2.2.2) with UDP port 1120. The problem is we can make that happen if we have only one server in our ACE serverfarm, when we SNAT the real server with the VIP address (10.1.246.32), but it does not work when we have more than one server in the serverfarm. Since we have 2 servers, I cannot NAT the real servers with the VIP address; if I do a PAT, obviously it changes the source port of the request.

Note: This setup is working fine with the Cisco Content Switch Module running on a 6509 chassis. When I sniff the traffic initiated from the server coming through the CSM load balancer, it is sourcing the traffic as the VIP and the source port remains the same by default, but this is not the case with ACE 4710.

Traffic flow as follows
===============

ACE 4710                                  FWSM (Firewall static NAT)     Device (configured with 2.2.2.2:1120 (udp) to snd/rcv msg)
                           VIP
Rserver 1 - 10.1.104.80    10.1.246.32    10.1.246.32 <-> 2.2.2.2        1.1.1.1
Rserver 2 - 10.1.104.81

------------------------------------->    --------------------------->   traffic flow from server to the device when we send msg

Configs:
======

rserver host server1
  ip address 10.1.104.80
  inservice
rserver host server2
  ip address 10.1.104.81
  inservice

serverfarm host SFARM
  failaction purge
  probe ICMP
  rserver server1
    inservice
  rserver server2
    inservice

access-list TEST-1120 line 8 extended permit udp host 10.1.104.80 eq 1120 any
access-list TEST-1120 line 16 extended permit udp host 10.1.104.81 eq 1120 any

parameter-map type connection UDP_TIMEOUT
  set timeout inactivity 3600

sticky ip-netmask 255.255.255.255 address source STKY-SFARM
  serverfarm SFARM
  timeout 180
  replicate sticky

class-map match-all CLS-SFARM
  2 match virtual-address 10.1.246.32 udp eq 1120
class-map match-all SERVERNAT
  2 match access-list TEST-1120

policy-map type loadbalance first-match POL-SFARM
  class class-default
    sticky-serverfarm STKY-SFARM

policy-map multi-match POL-LB
  class CLS-SFARM
    loadbalance vip inservice
    loadbalance policy POL-SFARM
    loadbalance vip icmp-reply active
    connection advanced-options UDP_TIMEOUT
  class SERVERNAT
    nat dynamic 1 vlan 244

int vlan 244
  ip address 10.1.246.2 255.255.255.0
  service-policy input POL-LB
  nat-pool 1 10.1.246.32 10.1.246.32 netmask 255.255.255.255
  mac-sticky enable
  no icmp-guard
  no shut

interface vlan 2506
  ip address 10.1.104.2 255.255.255.0
  service-policy input POL-LB
  mac-sticky enable
  no icmp-guard
  no shut


Kanwaljeet Singh
Cisco Employee

Hi Ethen,

If you are not using PAT then you would need one more IP in the pool. If both servers need to communicate simultaneously we should have two IPs or we need to use PAT. This is how it is supposed to work.

Regards,

Kanwal

Hi Kanwal,

Thank you for your reply. If I use NAT with 2 IP addresses, I have the challenge of NATing it to the same public IP and same source port when it leaves the firewall.

In CSM, when the traffic leaves, it maintains the same source port and VIP address when the traffic egresses. Is there any way I can replicate this in ACE 4710?

Do you know how the transparent command works with the serverfarm?

Thanks,

Ethen

Hi Ethen,

Transparent command will mean that ACE will not do the destination NAT that it does by default when forwarding the packet to real server. It will not help in your scenario. For one server it should work in ACE 4710 as well but as you said when both servers will try to communicate it will be a problem.

Regards,

Kanwal

Hi Ethen,

If you look at it logically, if both the servers use the same IP and same src port to go out, when the traffic comes back, how will ACE differentiate which packet shall go to which real server? That can be differentiated if you have PAT because it will have different destination ports when the traffic comes back.

Regards,

Kanwal

Hi Kanwal,

You are right. I understand that. I don't know what logic is being used by CSM to behave like this and why not. We are in the process of migrating everything from CSM to ACE 4710 due to EOL but are kind of stuck in the middle.

If you know of any alternate solution, please let me know... Thanks again for your help.

Regards,

Ethen

Hi Ethen,

Thought about it but out of ideas :). Maybe someone else can throw some light on it, but it is strange that it is working in CSM.

Regards,

Kanwal

Ethen Daniel
Level 1

I see that in CSS they are able to NAT the source IP address with the VIP and port mapping disabled. How do I implement portmap disable in ACE 4710?

Disabling Port Mapping

By default, the CSS NATs source IP addresses and PATs source ports for a configured source group. If you configure the portmap disable command in a source group, the CSS performs NAT on the source IP addresses but does not perform PAT on the source ports of UDP traffic that matches on that source group.

For UDP applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups instead of using the portmap disable command. Destination services cause the CSS to NAT the client source ports, but not the destination ports. For information about configuring destination services,

Hi Ethen,

Can you paste the configuration done in CSM which you say is working?

Regards,

Kanwal

Hi Kanwal,

This is the configuration I see in CSS, I will add the configurations from CSM as well later....

group VIP-NAT
  vip address 10.1.246.32
  portmap disable
  active

acl 15
  clause 10 permit udp 10.1.104.80 eq 1120 destination 1.0.0.0 255.0.0.0 sourcegroup VIP-NAT
  clause 20 permit udp 10.1.104.81 eq 1120 destination 1.0.0.0 255.0.0.0 sourcegroup VIP-NAT
  apply circuit-(VLANX)

Regards,

Ethen


Hi Ethen,

I don't see any option in ACE to disable port mapping. By default it doesn't do port mapping unless you define PAT. What is baffling here is that the destination is the same, and when traffic comes back how does CSS or CSM decide to which server the packet should be given, unless that doesn't matter.

I would suggest opening a TAC case as well. If it works for CSM it should for the ACE module/appliance. Since it isn't, it would be helpful to know why this functionality was removed or not given. Maybe they can add a new feature in future releases, but with ACE phasing out I doubt it will happen.

Regards,

Kanwal
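
The return-path ambiguity raised in the replies above, as an added example that is not part of the thread and is not ACE, CSM or CSS code. It is a generic model that assumes replies are matched on (remote IP, remote port, NAT IP, NAT port) and that the device answers from UDP 1120; the second device address 1.1.1.2 and the PAT port range are constructed for the example.

```python
# Generic model of a source-NAT connection table; not ACE, CSM or CSS code.
# Server/VIP/device addresses and UDP 1120 are from the thread; 1.1.1.2 and
# the PAT port range are constructed for the example.
VIP = "10.1.246.32"
PAT_PORTS = range(1024, 65536)


class SourceNat:
    def __init__(self, preserve_port):
        self.preserve_port = preserve_port
        # Replies are matched on (remote ip, remote port, NAT ip, NAT port).
        self.reverse = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a server-initiated UDP flow and return the NAT (ip, port)."""
        candidates = [src_port] if self.preserve_port else PAT_PORTS
        for nat_port in candidates:
            key = (dst_ip, dst_port, VIP, nat_port)
            owner = self.reverse.setdefault(key, (src_ip, src_port))
            if owner == (src_ip, src_port):
                return VIP, nat_port
        raise LookupError(f"{key} already belongs to {owner}")

    def inbound(self, remote_ip, remote_port, nat_ip, nat_port):
        """Return the real server a reply belongs to, or None if no flow matches."""
        return self.reverse.get((remote_ip, remote_port, nat_ip, nat_port))


def demo():
    out = {}
    nat = SourceNat(preserve_port=True)  # VIP as source, port 1120 kept
    nat.outbound("10.1.104.80", 1120, "1.1.1.1", 1120)
    nat.outbound("10.1.104.81", 1120, "1.1.1.2", 1120)
    # Different devices: the reply tuple is still unique per server.
    out["reply_from_1.1.1.2"] = nat.inbound("1.1.1.2", 1120, VIP, 1120)
    try:  # Same device from the second server: identical reply tuple.
        nat.outbound("10.1.104.81", 1120, "1.1.1.1", 1120)
        out["same_device"] = "translated"
    except LookupError:
        out["same_device"] = "collision"
    pat = SourceNat(preserve_port=False)  # PAT: unique, but port 1120 is lost
    out["pat"] = [pat.outbound(ip, 1120, "1.1.1.1", 1120)
                  for ip in ("10.1.104.80", "10.1.104.81")]
    return out


if __name__ == "__main__":
    print(demo())
```

In this model, port-preserving NAT to the VIP stays unambiguous as long as the two servers talk to different devices; only simultaneous flows to the same device and port collide.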
