Ivan Kovacevic
Cisco Employee

The purpose of this document is to explain how to configure ACE for TFTP load-balancing. Load-balancing TFTP can be tricky because the TFTP server opens a random UDP port to send data from. Because of this we need a catch-all VIP to source-NAT the new connection in the opposite direction. For more information, refer to RFC 1350. TFTP uses two flows, and there is no TFTP inspect/fixup available in ACE. The steps below illustrate the issue.


1) The client initiates the session with a UDP flow to port 69 from a random source port, let's say X.

2) The server replies with data, opening a new UDP flow towards the client. The server's source port is random, while the destination port of this response is X.

3) ACE has no knowledge of the TFTP flows (no TFTP fixup/inspect), so the client receives the TFTP response directly from the real server. Since the response does not come from the VIP (where the client sent the request), the client drops it.


Real Server and Server Farm

Real servers are dedicated physical servers that you typically configure in groups called server farms. These servers provide services to clients, such as HTTP or XML content, streaming media (video or audio), TFTP or FTP uploads and downloads, and so on. You identify real servers with names and characterize them with IP addresses, connection limits, and weight values.
Server farms are groups of networked real servers that contain the same content and that typically reside in the same physical location in a data center. Web sites often comprise groups of servers configured in a server farm. Load-balancing software distributes client requests for content or services among the real servers based on the configured policy and traffic classification, server availability and load, and other factors. If one server goes down, another server can take its place and continue to provide the same content to the clients who requested it.



Here is a sample config. The part specific to the TFTP scenario (highlighted in the original) is the configuration that NATs all UDP connections originated from the servers and sets the VIP address as the source. The rest is classic L4 load-balancing on ACE.


// access-list to catch all traffic
access-list ANYONE line 10 extended permit ip any any

probe icmp PING

// define the tftp servers (an rserver stays out of service until "inservice" is set)
rserver host tftp-server1
   ip address
   inservice
rserver host tftp-server2
   ip address
   inservice

// allocate tftp servers to serverfarm
serverfarm host TFTP-SFARM
   probe PING
   rserver tftp-server1
     inservice
   rserver tftp-server2
     inservice

// create class map to match traffic to tftp server VIP
class-map match-any TO-TFTP-VIP
   description class-map for client to TFTP VIP traffic
   match virtual-address udp eq 69

// create class map to match all return traffic from tftp server
// ("udp any": the ACE "eq" keyword takes a port number, not "any")
class-map match-any FROM-TFTP-REAL
   description class-map from tftp server to client
   match virtual-address udp any

policy-map type loadbalance first-match TFTP-POLICY
   class class-default
    serverfarm TFTP-SFARM

// create policy map to define action for traffic to the tftp server
policy-map multi-match CLIENT-VLAN-VIPS
   class TO-TFTP-VIP
    loadbalance vip inservice
    loadbalance policy TFTP-POLICY
    loadbalance vip icmp-reply active

// create policy map to define action for return traffic from tftp server
// (source-NAT it to the VIP address held in nat-pool 100 on the client VLAN)
policy-map multi-match SERVER-VLAN-VIPS
   class FROM-TFTP-REAL
    nat dynamic 100 vlan 20

// define the client side and server side vlans
interface vlan 20
   description CLIENT-VLAN
   ip address
   access-group input ANYONE
   access-group output ANYONE
   nat-pool 100 netmask
   service-policy input CLIENT-VLAN-VIPS
   no shutdown

interface vlan 30
   description SERVER-VLAN
   ip address
   access-group input ANYONE
   access-group output ANYONE
   service-policy input SERVER-VLAN-VIPS
   no shutdown



The SERVER-VLAN-VIPS service-policy NATs all UDP connections from this VLAN to the VIP. If this should only be done for certain source IPs, a more selective FROM-TFTP-REAL class-map needs to be configured.
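The following is an added example, not ACE code and not part of the original document: a small Python model of the three-step problem described above (client to VIP, server reply from a random port, client drops a reply that is not from the VIP) and of the return-path source NAT that fixes it. It also models the difference between the catch-all FROM-TFTP-REAL class-map ("udp any") and a class-map restricted to the TFTP real servers' source IPs, which is the point made in the paragraph above. All addresses, ports and names are constructed sample values; the class-maps are modelled as simple predicates, not as ACE syntax.

```python
# Added example (not Cisco ACE code, not from the original post): a model of
# the TFTP two-flow problem behind an L4 load balancer and of the return-path
# source NAT described above.  All addresses, ports and names are constructed.
import random
from dataclasses import dataclass

VIP = "198.51.100.10"                        # TFTP VIP (constructed)
CLIENT = "192.0.2.25"                        # TFTP client (constructed)
TFTP_REALS = ("10.20.30.1", "10.20.30.2")    # the two rservers (constructed)
OTHER_SERVER = "10.20.30.99"                 # non-TFTP host on the server VLAN
TFTP_PORT = 69


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


# --- class-maps for the server-VLAN policy, modelled as predicates ----------
def match_any_udp(pkt):
    """Like 'match virtual-address <vip> udp any': every UDP flow leaving the
    server VLAN is NATed, including flows that have nothing to do with TFTP."""
    return pkt.proto == "udp"


def match_from_tftp_reals(pkt):
    """The more selective class-map: NAT only UDP flows sourced by the TFTP
    real servers (modelled here as a plain source-IP test)."""
    return pkt.proto == "udp" and pkt.src_ip in TFTP_REALS


class L4Balancer:
    """VIP-to-real forwarding with no TFTP inspection.  nat_class is the
    class-map of the server-VLAN policy; None means no return-path NAT."""

    def __init__(self, reals, nat_class=None):
        self.reals = list(reals)
        self.nat_class = nat_class
        self.next_real = 0

    def client_to_vip(self, pkt):
        """Client-VLAN policy: class TO-TFTP-VIP (VIP, udp eq 69) -> serverfarm."""
        if (pkt.dst_ip, pkt.dst_port) != (VIP, TFTP_PORT):
            return pkt                      # not for the VIP; routed unchanged
        real = self.reals[self.next_real % len(self.reals)]
        self.next_real += 1                 # round-robin over the serverfarm
        return Packet(pkt.src_ip, pkt.src_port, real, TFTP_PORT)

    def server_to_client(self, pkt):
        """Server-VLAN policy.  The DATA packet comes from a new server port, so
        it matches no existing connection; only the NAT class can catch it."""
        if self.nat_class is not None and self.nat_class(pkt):
            return Packet(VIP, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return pkt                          # forwarded with the real's address


class TftpClient:
    """Accepts DATA only from the address it sent the RRQ to.  RFC 1350 lets the
    client learn the server's TID (port) from the first DATA packet, but a
    reply from a different IP address is not part of its transfer."""

    def __init__(self, ip, port):
        self.ip, self.port, self.server_ip = ip, port, None

    def read_request(self, server_ip):
        self.server_ip = server_ip
        return Packet(self.ip, self.port, server_ip, TFTP_PORT)

    def accepts(self, pkt):
        return pkt.src_ip == self.server_ip and pkt.dst_port == self.port


def tftp_exchange(nat_class):
    """Run steps 1-3 from the text; return (reply as seen by client, accepted?)."""
    lb = L4Balancer(TFTP_REALS, nat_class)
    client = TftpClient(CLIENT, random.randrange(49152, 65536))   # port X
    rrq = client.read_request(VIP)                                # step 1
    on_server_vlan = lb.client_to_vip(rrq)
    # step 2: the real server answers from a fresh random port (its TID)
    data = Packet(on_server_vlan.dst_ip, random.randrange(49152, 65536),
                  on_server_vlan.src_ip, on_server_vlan.src_port)
    reply = lb.server_to_client(data)                             # step 3
    return reply, client.accepts(reply)


def other_udp_is_natted(nat_class):
    """Does an unrelated UDP flow from the server VLAN get its source rewritten?"""
    lb = L4Balancer(TFTP_REALS, nat_class)
    pkt = Packet(OTHER_SERVER, 53, CLIENT, 40123)   # e.g. a DNS answer
    return lb.server_to_client(pkt).src_ip == VIP


if __name__ == "__main__":
    for name, cls in (("no NAT", None), ("udp any", match_any_udp),
                      ("TFTP reals only", match_from_tftp_reals)):
        reply, ok = tftp_exchange(cls)
        print(f"{name:16} reply from {reply.src_ip:14} accepted={ok} "
              f"other UDP natted={other_udp_is_natted(cls)}")
```

Running it prints one line per variant: without the NAT policy the reply arrives from a real server's address and is rejected; with the catch-all class-map it arrives from the VIP and is accepted, but so is every other UDP flow from the server VLAN rewritten to the VIP; with the source-restricted class-map only the TFTP servers' replies are rewritten.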


Related Information

ACE Loadbalancing-TFTP server

ACE in HA Mode for FTP Traffic Loadbalancing

Server Load-Balancing Guide vA4(2.0)

Community Member

Shouldn't "loadbalance policy APP1-POLICY" be "loadbalance policy TFTP-POLICY"?

Ivan Kovacevic
Cisco Employee

Good catch, thanks! The error occurred while I was changing policy names to something meaningful...

It should be correct now.



Could you please elaborate how to configure this when there are a lot of real servers/serverfarms/VIPs and only those mentioned in this example should load-balance TFTP.



Ivan Kovacevic
Cisco Employee


I am not sure I understand your question. The TFTP VIP on the front end is defined with an IP address and UDP port 69, like any other VIP. This works in the usual way, as any other VIP.

The problem with TFTP is when the server opens a new UDP connection. Those connections need to be NATed to the VIP address, and this document shows how to do it. If the only application that needs to open UDP connections from inside is TFTP, then you can leave it as is. However, if there are some other UDP connections that need to be initiated from the server, they will be NATed to the VIP address. If this is a problem, then you need to change the FROM-TFTP-REAL class-map so it refers only to the TFTP server IPs.

I hope this clarifies the idea.



Hi Ivan,

I append our config to let you review it. We don't seem to be able to get a connection through the ACE. The addition to your config is that we do source-NAT on the incoming connections. Hope you can help.

probe udp TFTP
  port 69
  interval 5
  passdetect interval 5
  receive 5

rserver host RADINLB-SITE1
  ip address

rserver host RADINLB-SITE2
  ip address

rserver host RADINLB-SITE3
  ip address

rserver host RADINLB-SITE4
  ip address

rserver host RADINLB-SITE5
  ip address

serverfarm host RADINLB-TFTP
  probe TFTP
  rserver RADINLB-SITE1 69
  rserver RADINLB-SITE2 69
  rserver RADINLB-SITE3 69
  rserver RADINLB-SITE4 69
  rserver RADINLB-SITE5 69

sticky ip-netmask address source RADINLB-TFTP
  timeout 60
  replicate sticky

class-map match-any CLIENT-TRAFFIC
  description source-NAT client
  4 match destination-address
  5 match destination-address
  6 match destination-address
  7 match destination-address
  8 match destination-address
  9 match destination-address
  10 match destination-address
  11 match destination-address
  12 match destination-address
  13 match destination-address
  14 match destination-address
  15 match destination-address
  16 match destination-address
  17 match destination-address
  18 match destination-address
  19 match destination-address
  20 match destination-address
  21 match destination-address

class-map match-any FROM-TFTP-REAL
  description class-map from tftp server to client
  2 match virtual-address udp any

class-map match-all RADINLB-TFTP
  2 match virtual-address udp eq 69

policy-map type loadbalance first-match RADINLB-TFTP
  class class-default
    sticky-serverfarm RADINLB-TFTP

policy-map multi-match CLIENT-VIPS
  class RADINLB-TFTP
    loadbalance vip inservice
    loadbalance policy RADINLB-TFTP
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options CASE_PARAM

policy-map multi-match NAT-CLIENTS
  class CLIENT-TRAFFIC
    nat dynamic 1 vlan 100

policy-map multi-match SERVER-VIPS
  class FROM-TFTP-REAL
    nat dynamic 2 vlan 10

interface vlan 10
  description op_pr_vip_lb
  ip address
  peer ip address
  access-group input anyone
  nat-pool 2 netmask
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  service-policy input NAT-CLIENTS
  no shutdown

interface vlan 100
  description op_pr_data_lb_srv
  ip address
  peer ip address
  access-group input anyone
  nat-pool 1 netmask pat
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS-INSIDE
  service-policy input SERVER-VIPS
  no shutdown


The only thing I see in the connection table is on the server-vlan:

lb-cdc01-stt/PROD1# sh conn | i UDP
127327     1  in  UDP   100        --
82451      1  out UDP   100    --
175861     1  in  UDP   100    --
226828     1  out UDP   100     --
778728     2  in  UDP   100        --
906746     2  out UDP   100    --
1200654    3  in  UDP   100        --
1240634    3  out UDP   100    --
1232464    3  in  UDP   100    --
1248321    3  out UDP   100     --
1272611    3  in  UDP   100    --
1232908    3  out UDP   100     --
1261618    3  in  UDP   100    --
1261190    3  out UDP   100     --
643974     4  in  UDP   100        --
604642     4  out UDP   100    --

lb-cdc01-stt/PROD1# sh service-policy CLIENT-VIPS class-map RADINLB-TFTP det
Status     : ACTIVE
Description: -----------------------------------------
Interface: vlan 10
  service-policy: CLIENT-VIPS
    class: RADINLB-TFTP
     VIP Address:    Protocol:  Port:     udp        eq    69

        L7 loadbalance policy: RADINLB-TFTP
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        VIP DWS state: DWS_DISABLED
        Persistence Rebalance: ENABLED
        curr conns       : 0         , hit count        : 535
        dropped conns    : 0
        conns per second    : 0
        client pkt count : 535       , client byte count: 39295
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : RADINLB-TFTP
          class/match : class-default
            LB action: :
               sticky group: RADINLB-TFTP
                  primary serverfarm: RADINLB-TFTP
                  backup serverfarm : -
            hit count        : 535
            dropped conns    : 0
            compression      : off

        bytes_in  : 0                          bytes_out : 0
        Compression ratio : 0.00%
                Gzip: 0               Deflate: 0
      compression errors:
        User-Agent  : 0               Accept-Encoding    : 0
        Content size: 0               Content type       : 0
        Not HTTP 1.1: 0               HTTP response error: 0
        Others      : 0




Ivan Kovacevic
Cisco Employee

There is one error in your config. You should add the bolded line:

sticky ip-netmask address source RADINLB-TFTP
  timeout 60
  replicate sticky
  serverfarm RADINLB-TFTP
