Why are NFS connections centralized in ASA/FTD cluster?

tvotna (Spotlight)

By any chance, does anybody know why NFS connections become centralized in a cluster if "inspect sunrpc" is enabled? This doesn't make any sense to me, because they're not child connections in the same sense as FTP data connections or SIP media connections are. They can live quite happily without the portmapper connection.

For centralized connections all traffic needs to be forwarded to the control (master) unit over the CCL, and for NFS this affects performance as the volume of traffic can be huge.

UDP outside: 10.119.217.3/111 (10.119.217.3/111) inside: 10.112.74.101/34308 (10.112.74.101/34308), flags Rc, idle 9m55s, uptime 9m55s, timeout 10m0s, bytes 84, cluster sent/rcvd bytes 0/0, owners (1,255)
  Traffic received at interface outside
        Locally received: 28 (0 byte/s)
  Traffic received at interface inside
        Locally received: 56 (0 byte/s)

TCP outside: 10.119.217.3/2049 (10.119.217.3/2049) inside: 10.112.74.101/1023 (10.112.74.101/1023), flags UIOc, idle 8s, uptime 66D17h, timeout 3h0m, bytes 11535565384, cluster sent/rcvd bytes 0/2942206484, owners (1,255)
  Traffic received at interface outside
        Locally received: 1841536 (0 byte/s)
        From director/backup unit-7-1: 1914068 (0 byte/s)
        From most recent forwarder unit-6-1: 360112556 (62 byte/s)
        From 2nd recent forwarder unit-5-1: 172 (0 byte/s)
  Traffic received at interface inside
        Locally received: 1582772 (0 byte/s)
        From director/backup unit-7-1: 1644404 (0 byte/s)
        From most recent forwarder unit-6-1: 896715124 (155 byte/s)
        From 2nd recent forwarder unit-5-1: 148 (0 byte/s)
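
As an added example (not part of the post above, and not Cisco tooling), here is a small Python parser for the `show conn detail` output posted above. It flags which flows are cluster-centralized (the lowercase `c` flag, as in `Rc` and `UIOc`) and, for each flow, how many of the bytes this unit saw arrived over the CCL from forwarder units rather than on its own data interfaces, which is the cost the post is describing. The two connections are embedded as constructed sample input copied from the post. The mapping of `e` to "semi-distributed" is an assumption taken from the ASA `show conn` flag legend as I remember it; check it against the legend of your release.

```python
"""Parse ASA/FTD cluster 'show conn detail' output and report which flows are
centralized and how much of their traffic is being relayed over the CCL.
Added example; not Cisco tooling."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the two connections from the post above.
SAMPLE = """\
UDP outside: 10.119.217.3/111 (10.119.217.3/111) inside: 10.112.74.101/34308 (10.112.74.101/34308), flags Rc, idle 9m55s, uptime 9m55s, timeout 10m0s, bytes 84, cluster sent/rcvd bytes 0/0, owners (1,255)
  Traffic received at interface outside
        Locally received: 28 (0 byte/s)
  Traffic received at interface inside
        Locally received: 56 (0 byte/s)

TCP outside: 10.119.217.3/2049 (10.119.217.3/2049) inside: 10.112.74.101/1023 (10.112.74.101/1023), flags UIOc, idle 8s, uptime 66D17h, timeout 3h0m, bytes 11535565384, cluster sent/rcvd bytes 0/2942206484, owners (1,255)
  Traffic received at interface outside
        Locally received: 1841536 (0 byte/s)
        From director/backup unit-7-1: 1914068 (0 byte/s)
        From most recent forwarder unit-6-1: 360112556 (62 byte/s)
        From 2nd recent forwarder unit-5-1: 172 (0 byte/s)
  Traffic received at interface inside
        Locally received: 1582772 (0 byte/s)
        From director/backup unit-7-1: 1644404 (0 byte/s)
        From most recent forwarder unit-6-1: 896715124 (155 byte/s)
        From 2nd recent forwarder unit-5-1: 148 (0 byte/s)
"""

# Header line of one connection. The non-greedy '.*?bytes' stops at the first
# "bytes N, cluster sent/rcvd bytes" so the per-flow byte count is captured.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<if_a>\S+): (?P<ep_a>\S+/\d+) \([^)]*\) "
    r"(?P<if_b>\S+): (?P<ep_b>\S+/\d+) \([^)]*\), flags (?P<flags>\S+), "
    r".*?bytes (?P<bytes>\d+), cluster sent/rcvd bytes (?P<sent>\d+)/(?P<rcvd>\d+), "
    r"owners \((?P<owner>\d+),(?P<backup>\d+)\)"
)
# Per-interface receive counters printed under each connection.
RX_RE = re.compile(
    r"^\s+(?P<src>Locally received|From director/backup \S+|From .*? forwarder \S+): (?P<n>\d+)"
)


@dataclass
class Conn:
    proto: str
    if_a: str
    ep_a: str
    if_b: str
    ep_b: str
    flags: str
    total_bytes: int
    ccl_sent: int
    ccl_rcvd: int
    owner: int
    backup: int
    local_rx: int = 0      # bytes received on this unit's own data interfaces
    director_rx: int = 0   # bytes relayed by the director/backup unit
    forwarder_rx: int = 0  # bytes relayed by forwarder units over the CCL

    @property
    def placement(self) -> str:
        # 'c' = cluster centralized (owner is always the control unit), as in
        # the post's 'Rc' and 'UIOc' flags. 'e' = semi-distributed is an
        # assumption taken from the show conn flag legend; verify on your release.
        if "c" in self.flags:
            return "centralized"
        if "e" in self.flags:
            return "semi-distributed"
        return "distributed"

    @property
    def forwarded_fraction(self) -> float:
        """Share of bytes this unit received for the flow that came from forwarders."""
        total = self.local_rx + self.director_rx + self.forwarder_rx
        return self.forwarder_rx / total if total else 0.0


def parse_show_conn(text: str) -> list[Conn]:
    conns: list[Conn] = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            g = m.groupdict()
            conns.append(Conn(g["proto"], g["if_a"], g["ep_a"], g["if_b"], g["ep_b"],
                              g["flags"], int(g["bytes"]), int(g["sent"]), int(g["rcvd"]),
                              int(g["owner"]), int(g["backup"])))
            continue
        m = RX_RE.match(line)
        if m and conns:  # counter line belongs to the most recent connection
            n, src = int(m.group("n")), m.group("src")
            cur = conns[-1]
            if src.startswith("Locally"):
                cur.local_rx += n
            elif src.startswith("From director"):
                cur.director_rx += n
            else:
                cur.forwarder_rx += n
    return conns


def ccl_hogs(conns: list[Conn], min_fraction: float = 0.5) -> list[Conn]:
    """Centralized flows whose bytes mostly arrive via forwarders, i.e. the ones
    paying the CCL penalty the post describes, largest forwarded volume first."""
    hogs = [c for c in conns
            if c.placement == "centralized" and c.forwarded_fraction >= min_fraction]
    return sorted(hogs, key=lambda c: c.forwarder_rx, reverse=True)


if __name__ == "__main__":
    for c in parse_show_conn(SAMPLE):
        print(f"{c.proto} {c.if_a}:{c.ep_a} <-> {c.if_b}:{c.ep_b} flags={c.flags} "
              f"{c.placement} owner={c.owner} forwarded={c.forwarder_rx} "
              f"({c.forwarded_fraction:.1%} of bytes seen here) ccl rcvd={c.ccl_rcvd}")
```

Running it against the posted output reports the UDP/111 portmapper flow as centralized but tiny, and the TCP/2049 NFS flow as centralized with more than 99% of the bytes this unit saw having been relayed by unit-6-1 and unit-5-1, which is exactly the traffic crossing the CCL to reach the control unit. Feed it a full `show conn detail` from a cluster member to find every such flow rather than just the ones you already suspect.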

 

3 Replies

Milos_Jovanovic (VIP Alumni)

Hi @tvotna,

I don't know much about SunRPC, but I found this article, which clearly states that SunRPC is actually the same as SIP or FTP, where it keeps a control connection over TCP/UDP 111 and opens a dynamic connection over a different port.

I believe you should not look at this from the standpoint of NFS, but rather as SunRPC, as the ASA recognizes it based on port. I don't know if you can change your NFS port?

Kind regards,

Milos

Hi @Milos_Jovanovic,

Thank you for the reply.

Well, I agree that SunRPC is somewhat similar to SIP from the inspection point of view. In both cases the ASA analyzes the control connection (e.g. SIP or SunRPC) in order to open pinholes for child connections (e.g. SIP media, or NFS or the MOUNT protocol). On the other hand, FTP, SIP and SunRPC are implemented differently in an ASA cluster, which is not easy to explain: FTP is fully distributed (i.e. the data connection need not reside on the control connection owner), SIP is semi-distributed (i.e. all SIP media connections are forwarded to the control connection owner, although any unit in the cluster can become the control connection owner) and SunRPC is fully centralized (i.e. the master unit always becomes the connection owner for both the SunRPC UDP/111 connection and the NFS or MOUNT connections).

For SunRPC, control and "data" connections are loosely coupled with each other: SunRPC is UDP/111 and dies quickly by timeout; the MOUNT protocol uses dynamic ports and NFS is TCP/2049 by default (for historical reasons SunRPC is still used by clients to request the NFS port number from the server, but the response is always TCP/2049 and I'm not really sure if this can be changed).

If I disable "inspect sunrpc", the problem is solved and NFS becomes distributed in the cluster, but this affects other protocols, e.g. MOUNT, whose ports are truly dynamic. In that case I would need to allow the communication by IP in the outside ACL if the client is on the outside and the NFS server is on the inside.

 

 

Meanwhile, I managed to find a Cisco article on this. By this description, I would dare to assume it is not necessarily related to TCP/UDP port 111.

As I mentioned, I don't really have much real-world experience with SunRPC, so I can't provide useful advice on this.

Kind regards,

Milos
