SNA Enterprise Extender through ACE

Hi,

Any experience configuring ACE to NAT and forward SNA Enterprise Extender traffic?

Thanks in advance.

6 Replies

mwinnett
Level 3

Fernando

I set this up in the lab and I can't get the EE peers to connect. EE uses UDP 12000-12005. The initial XID exchange uses UDP 12000. Connecting from the EE client to the vip, you can see that the ACE NATs the dest-ip towards the rserver; it also takes a source port from the ephemeral range. Client is 1.2.1.1, vip 1.9.1.209, rserver 1.3.1.5. Note that the EE server responds to port 12000 (not 28192).

cdn-ace-1/mwinnett# cap msw start

17:17:31.733579 0:13:60:30:fe:89 0:b:fc:fe:1b:cc 0800 45: 1.2.1.1.12000 > 1.9.1.209.12000:  [udp sum ok] udp 3 [tos 0xc0]  (ttl 254, id 43876, len 31)
17:17:31.733751 0:b:fc:fe:1b:cc 0:13:60:30:fe:89 0800 45: 1.2.1.1.28192 > 1.3.1.5.12000:  [bad udp cksum c191!] udp 3 [tos 0xc0]  (ttl 254, id 43876, len 31, bad cksum bcd!)
17:17:31.736979 0:13:60:30:fe:89 0:b:fc:fe:1b:cc 0800 45: 1.3.1.5.12000 > 1.2.1.1.12000:  [udp sum ok] udp 3 [tos 0xc0]  (ttl 254, id 1815, len 31)
17:17:31.737134 0:b:fc:fe:1b:cc 0:13:60:30:fe:89 0800 45: 1.3.1.5.12000 > 1.2.1.1.12000:  [udp sum ok] udp 3 [tos 0xc0]  (ttl 254, id 1815, len 31)

However, when I check back at the EE client, you can see that the source IP address is not NATted.

*Jan 13 17:25:30.407 METDST: IP: tableid=0, s=1.3.1.5 (Tunnel99), d=1.2.1.1 (Tunnel99), routed via RIB
*Jan 13 17:25:30.411 METDST: IP: s=1.3.1.5 (Tunnel99), d=1.2.1.1 (Tunnel99), len 31, rcvd 3
4420A410: 45C0001F 08160000 FC11B1ED 01030105  E@......|.1m....
4420A420: 01020101 2EE02EE0 000BDB07 0405BF    .....`.`..[...?

The issue is that the EE server does not respect the incoming source port and uses 12000 instead. This means that the ACE will not NAT the response.

Can you give more details of what you are trying to achieve ?

Matthew
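To make the diagnosis above concrete, here is an added Python example (not code from the thread or from Cisco) that parses the four ACE capture lines quoted in the post, rebuilds the translation entry the ACE created for the client-to-vip packet, and tests whether each EE server reply can be reverse-translated. The sample input is constructed from the addresses and ports in the capture; the `un_natted` flag comes out False because the server answers to port 12000 rather than the ephemeral port 28192 the ACE chose.

```python
import re

# Constructed sample: the addresses and ports from the four ACE capture lines
# in the post above (timestamps, MACs and checksum fields stripped).
CAPTURE = """\
1.2.1.1.12000 > 1.9.1.209.12000: udp 3
1.2.1.1.28192 > 1.3.1.5.12000: udp 3
1.3.1.5.12000 > 1.2.1.1.12000: udp 3
1.3.1.5.12000 > 1.2.1.1.12000: udp 3
"""

FLOW_RE = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")


def parse_flow(line):
    """Return (src_ip, src_port, dst_ip, dst_port) from one capture line."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def analyse_capture(capture, vip, rserver):
    """Pair each client->VIP packet with the NATted copy the ACE sends to the
    rserver, then check whether every rserver reply hits the reverse of that
    translation.  A reply the ACE cannot un-NAT reaches the client with the
    rserver's real IP as source, which is what the client-side debug showed."""
    table = {}      # (client, cport, vip, vport) -> (client, nat_port, rserver, rport)
    pending = None  # last client->VIP packet still waiting for its translated copy
    verdicts = []
    for pkt in filter(None, map(parse_flow, capture.splitlines())):
        src, sport, dst, dport = pkt
        if dst == vip:
            pending = pkt
        elif dst == rserver and pending is not None:
            table[pending] = pkt
            pending = None
        elif src == rserver:
            # Reverse translation only matches a reply addressed to the
            # (client, nat_port) pair the ACE picked for the outbound packet.
            hit = next((fwd for fwd, nat in table.items()
                        if (nat[2], nat[3], nat[0], nat[1]) == pkt), None)
            expected = next((nat[1] for nat in table.values() if nat[0] == dst), None)
            verdicts.append({"reply": pkt, "expected_dport": expected,
                             "un_natted": hit is not None})
    return table, verdicts


if __name__ == "__main__":
    for verdict in analyse_capture(CAPTURE, "1.9.1.209", "1.3.1.5")[1]:
        print(verdict)
```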

Hi Matthew,

Thanks for your answer. Could you send me the configuration you used on your lab?

Fernando

Fernando

Nothing really magic here. I use Cisco snasw routers as client and server, and the issues that I encountered relating to port usage are probably specific to how we implement EE. Bearing in mind that the basis of our Snasw implementation is the same as that used by the MS SNA server, it's likely that any other implementation will have the same issues.

If you want to share more details of what you are trying to achieve, maybe I can help further.

Matthew

access-list anyany line 10 extended permit ip any any

probe icmp ping-test
  interval 20
  faildetect 2
  passdetect interval 20
  passdetect count 2

rserver host dymock
  ip address 1.3.1.5
  inservice

rserver host kilcot
  ip address 1.3.1.1
  inservice

serverfarm host snas-serverfarm
  probe ping-test
  rserver dymock
    inservice
  rserver kilcot
    inservice

class-map type management match-any remote-mgmt
  10 match protocol ssh any
  20 match protocol telnet any
  30 match protocol icmp any
  40 match protocol http any
  50 match protocol https any

class-map match-all snasw-class
  10 match virtual-address 1.9.1.209 any

policy-map type management first-match remote-access
  class remote-mgmt
    permit

policy-map type loadbalance first-match round-robin-snasw
  class class-default
    serverfarm snas-serverfarm

policy-map multi-match lb-vip
  class snasw-class
    loadbalance vip inservice
    loadbalance policy round-robin-snasw
    loadbalance vip icmp-reply

interface vlan 468
  description Server vlan
  ip address 1.8.1.201 255.255.255.0
  alias 1.8.1.200 255.255.255.0
  peer ip address 1.8.1.202 255.255.255.0
  access-group input anyany
  service-policy input remote-access
  no shutdown

interface vlan 469
  description Client vlan
  ip address 1.9.1.201 255.255.255.0
  alias 1.9.1.200 255.255.255.0
  peer ip address 1.9.1.202 255.255.255.0
  access-group input anyany
  service-policy input remote-access
  service-policy input lb-vip
  no shutdown

ip route 1.2.1.0 255.255.255.0 1.9.1.211
ip route 1.3.1.0 255.255.255.0 1.8.1.211

Hi Matthew,

Below you can see our configuration. As you can see, we perform a NAT for the connections exiting vlans 61 and 150.

The SNA traffic is load balanced, but it's extremely slow, making it impossible to work with the application:

probe icmp ICMP_SARA
  interval 20
  faildetect 2
  passdetect interval 20
  passdetect count 2

rserver host ls60ca
  ip address 172.20.1.221
  inservice

serverfarm host CL4_udp_SARA
  probe ICMP_SARA
  rserver ls60ca
    inservice

class-map match-any sal_ls60ca
  2 match source-address 172.20.1.221 255.255.255.255

class-map match-any vip_CL4_udp_SARA
  4 match virtual-address 10.25.23.221 any

policy-map type loadbalance first-match LB_CL4_udp_SARA
  class class-default
    serverfarm CL4_udp_SARA

policy-map multi-match INT_150
  class vip_CL4_udp_SARA insert-before FW1_SEC_VIP
    loadbalance vip inservice
    loadbalance policy LB_CL4_udp_SARA
    loadbalance vip icmp-reply active
    loadbalance vip advertise active

policy-map multi-match INT_61
  class vip_CL4_udp_SARA insert-before FW1_SEC_VIP
    loadbalance vip inservice
    loadbalance policy LB_CL4_udp_SARA
    loadbalance vip icmp-reply active
    loadbalance vip advertise active

policy-map multi-match SNATS_150
  class sal_ls60ca
    nat dynamic 73 vlan 61
    nat dynamic 75 vlan 150

interface vlan 61
  service-policy input INT_61
  nat-pool 73 10.25.23.221 10.25.23.221 netmask 255.255.255.255

interface vlan 150
  service-policy input INT_150
  nat-pool 75 10.25.23.221 10.25.23.221 netmask 255.255.255.255

Any suggestions?

Thank you very much in advance.

Nando

Best to open a case and we can take a close look. If you can email me the case number (mwinnett@cisco.com), I'll pick it up.

Hi Matthew,

Nowadays, the contract that we have with our Cisco supplier does not include this kind of issue; it's just a hardware replacement contract. Anyway, I'm gonna try to convince them to open the case.

As soon as I have any feedback, I'll inform you.

Thanks!!