CSS Server initiated flows, NAT Bypass

May 25th, 2007

Hello,

I've been trying for two days to understand how not to NAT server-initiated flows.

The iperf server always sees the VIP as source address. I would like to see the real server's IP as source address.

I don't see what's wrong in my config.

Here's what I've got:

vlan 101, 10.0.2.0/24. PC 10.0.2.220. The PC is running iperf as server on TCP port 5001. DFGW is the CSS.
        |
        |
        |
CSS: see below for config.
        |
        |
        |
VLAN 100, 10.0.1.0/24. Server 10.0.1.101 initiates a TCP connection to 10.0.2.220 on port 5001.



!Generated on 05/25/2007 15:53:44
!Active version: sg0810109s

configure

!*************************** GLOBAL ***************************
acl enable

logging subsystem natmgr level debug-7
logging subsystem portmapper level debug-7

!************************* INTERFACE *************************
interface 1/1
  trunk

vlan 1
  default-vlan

vlan 100

vlan 101

!************************** CIRCUIT **************************
circuit VLAN100

  ip address 10.0.1.200 255.255.255.0
  ip virtual-router 1 priority 150 preempt
  ip redundant-interface 1 10.0.1.1
  ip critical-reporter 1 r1

circuit VLAN101

  ip address 10.0.2.200 255.255.255.0
  ip virtual-router 2 priority 150 preempt
  ip redundant-interface 2 10.0.2.100
  ip redundant-vip 2 10.0.2.50
  ip critical-reporter 2 r1

!************************** REPORTER **************************
reporter r1
  type vrid-peering
  vrid 10.0.2.200 2
  vrid 10.0.1.200 1
  active

!************************** SERVICE **************************
service web1
  ip address 10.0.1.101
  keepalive type ssl
  active

service web2
  ip address 10.0.1.102
  keepalive type ssl
  active

!*************************** OWNER ***************************
owner lab

  content web
    add service web1
    add service web2
    port 443
    protocol tcp
    advanced-balance sticky-srcip
    sticky-inact-timeout 120
    vip address 10.0.2.50
    active

!*************************** GROUP ***************************
group lab
  add service web1
  vip address 10.0.2.50
  active

!**************************** ACL ****************************
acl 1
  clause 10 permit any any destination any sourcegroup lab
  clause 3 bypass tcp any destination any eq 5001
  apply circuit-(VLAN100)

acl 2
  clause 1 permit any any destination any
  apply circuit-(VLAN101)




Here's what I have in iperf (client side):

D:\iperf>iperf.exe -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[1860] local 10.0.2.220 port 5001 connected with 10.0.2.50 port 3174
[ ID] Interval Transfer Bandwidth
[1860] 0.0-10.0 sec 35.8 MBytes 29.9 Mbits/sec

Server side:

C:\>iperf -c 10.0.2.220
------------------------------------------------------------
Client connecting to 10.0.2.220, TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[884] local 10.0.1.101 port 1116 connected with 10.0.2.220 port 5001
[ ID] Interval Transfer Bandwidth
[884] 0.0-10.0 sec 35.8 MBytes 29.9 Mbits/sec




lionellemaire Tue, 05/29/2007 - 03:50

Problem solved by Cisco TAC.

I had to remove the add service in the group config and change the ACL with

acl 1
  clause 100 permit any any destination any sourcegroup lab
  apply circuit-(VLAN100)
  clause 3 bypass any 10.0.1.105 255.255.255.255 destination 10.0.2.221 255.255.255.255
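A quick way to confirm from the iperf side whether the CSS group's source NAT is still applied to a server-initiated flow: parse the server's "connected with" lines and check whether the peer address is the VIP or the real server. This is an added example, not code from the thread or from Cisco; the first sample lines are the question's own iperf output, the last connection line is constructed to show what a bypassed flow would look like, and the VIP and real-server sets are taken from the question's config.

```python
import re
from dataclasses import dataclass

# Constructed sample: the iperf server output from the question, plus one
# constructed line showing a flow whose source address is the real server
# (what the bypass clause is meant to achieve) rather than the VIP.
IPERF_SERVER_OUTPUT = """\
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 8.00 KByte (default)
------------------------------------------------------------
[1860] local 10.0.2.220 port 5001 connected with 10.0.2.50 port 3174
[ ID] Interval Transfer Bandwidth
[1860] 0.0-10.0 sec 35.8 MBytes 29.9 Mbits/sec
[1864] local 10.0.2.220 port 5001 connected with 10.0.1.101 port 1120
"""

# Addresses from the question's CSS config: the VIP of group/content "lab"
# and the real servers behind it.
VIPS = {"10.0.2.50"}
REAL_SERVERS = {"10.0.1.101", "10.0.1.102"}

# Matches iperf's per-connection line: "[id] local A port P connected with B port Q"
CONN_RE = re.compile(
    r"^\[\s*(?P<id>\d+)\]\s+local\s+(?P<laddr>\S+)\s+port\s+(?P<lport>\d+)"
    r"\s+connected with\s+(?P<raddr>\S+)\s+port\s+(?P<rport>\d+)\s*$"
)

@dataclass
class Connection:
    conn_id: int
    local: str
    local_port: int
    remote: str
    remote_port: int

    @property
    def verdict(self) -> str:
        if self.remote in VIPS:
            return "source-natted"  # peer is the VIP: the group NAT still applies
        if self.remote in REAL_SERVERS:
            return "real-server"    # peer is the server itself: the bypass works
        return "unknown"

def parse_connections(text: str) -> list:
    """Extract the connection lines iperf prints for each accepted TCP flow."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append(Connection(int(m["id"]), m["laddr"], int(m["lport"]),
                                    m["raddr"], int(m["rport"])))
    return conns

def natted_peers(text: str) -> list:
    """Remote addresses that are VIPs, i.e. flows still being source-NATted."""
    return [c.remote for c in parse_connections(text) if c.verdict == "source-natted"]
```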
