ACE - UDP loadbalancing without NAT

Answered Question
Dec 9th, 2009
Hi, I want to get the source port of the client from the real server, but it is changed by the ACE.

With the matched port of the VIP set to 8070, the same as the RIP, it is fine.

I want to know whether it is possible to keep the source port unchanged when port translation is configured.

Any help will be appreciated.

Below is the config:

------------------------------------------------

probe udp udp-8070
  port 8070
  interval 5

rserver server01
  ip address 192.168.1.15
  inservice

rserver server02
  ip address 192.168.1.16
  inservice

serverfarm host sf-UDP-8070
  failaction purge
  probe udp-8070
  rserver server01 8070
    inservice
  rserver server02 8070
    inservice

policy-map type loadbalance first-match pL7-UDP-8070
  class class-default
    serverfarm sf-UDP-8070

class-map match-any c4-UDP-1270
  match virtual-address 192.168.2.100 udp eq 1270

policy-map multi-match pL4-UDP
  class c4-UDP-1270
    loadbalance vip inservice
    loadbalance policy pL7-UDP-8070
    loadbalance vip icmp-reply

interface vlan 211
  service-policy input pL4-UDP

Correct Answer
Gilles Dufour (Cisco Employee) Wed, 12/09/2009 - 03:52

This is called implicit PAT. It happens to guarantee that the response from the server is handled by the same IXP.

The ACE module contains 2 x IXP and each one of them performs the load-balancing functions independently.

So, it is required that the 2 flows of a connection are handled by the same IXP. The function that selects the IXP does it based on the destination and source port. Therefore it is sometimes required to change the source port.

There is no way to prevent this.

The appliance does not have this problem because there is only a single processor.


Gilles.
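
A toy model of the behaviour described in the answer above, added here as an example (not part of the original post and not Cisco's code). `select_np` is a made-up symmetric hash standing in for the real IXP selection function, which the thread does not give; the client port range is a constructed sample.

```python
# Toy model of implicit PAT (added example). ASSUMPTION: select_np() is a
# made-up symmetric hash; the page does not give the ACE's real function.
NUM_NP = 2                      # "The ACE module contains 2 x IXP"
PORT_MIN, PORT_MAX = 1024, 65535


def select_np(port_a: int, port_b: int) -> int:
    """Pick the processor for a packet from its two L4 ports (hypothetical)."""
    return ((port_a + port_b) >> 8) % NUM_NP


def server_side_source_port(client_port: int, vip_port: int, real_port: int) -> int:
    """Return the source port the real server sees for this flow.

    The client->VIP packet and the server->client reply must select the same
    processor. If the client's own port would not do that once the
    destination port is translated, walk to the next port that does.
    """
    inbound_np = select_np(client_port, vip_port)
    candidate = client_port
    for _ in range(PORT_MAX - PORT_MIN + 1):
        # The reply leaves the server as real_port -> candidate.
        if select_np(real_port, candidate) == inbound_np:
            return candidate
        candidate = candidate + 1 if candidate < PORT_MAX else PORT_MIN
    raise RuntimeError("no source port keeps both directions on one processor")


def rewritten_ports(client_ports, vip_port, real_port):
    """Map each client port that gets changed to what the server sees instead."""
    changed = {}
    for port in client_ports:
        seen = server_side_source_port(port, vip_port, real_port)
        if seen != port:
            changed[port] = seen
    return changed


if __name__ == "__main__":
    clients = range(50000, 50100)   # constructed sample of client source ports
    # VIP port 1270 -> real port 8070, as in the posted config
    print("1270->8070:", len(rewritten_ports(clients, 1270, 8070)), "of 100 rewritten")
    # VIP port 8070 -> real port 8070, the case the question reports as fine
    print("8070->8070:", len(rewritten_ports(clients, 8070, 8070)), "of 100 rewritten")
```

In this model, server-side logs only carry the client's real source port when the VIP and real ports match, so correlating server logs with upstream captures needs the load balancer's own connection records whenever port translation is in use.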

lukaszkhalil Thu, 01/14/2010 - 02:19

Hello


I have the same problem.


I found that it is possible to disable implicit PAT for UDP/TCP traffic with the Admin context command "hw-module cde-same-port-hash". There is no information in the documentation about the performance impact of such a change. Do you know what I could expect when configuring this option?


Thank you in advance for your answer.


Regards


Lukas

aljaloudi Mon, 03/15/2010 - 22:32

Dears,


I had this issue with SIP traffic.

To solve the implicit PAT issue you may try the following:

1) Direct Server Return on ACE: configure servers with the VIP address as a secondary IP address on interfaces directly connected to the ACE (that is, interfaces which have an ARP entry for the ACE). Then configure the ACE to forward to that VIP address as a transparent serverfarm.

or 2) Configure "hw-module cde-same-port-hash" on the Admin context. This will disable hashing based on src. and dst. port; the ACE will use a new hash method.
