01-25-2010 06:03 AM
Hello,
I have a problem with configuring Content Rule on Cisco Content Services Switch.
I am configuring redundancy for NTP, but it doesn't work correctly.
Here is the config:
service NTP-Redundancy01
ip address 10.0.139.17
active
service NTP-Redundancy02
ip address 10.0.139.18
active
owner NTP
content NTP-RED
add service NTP-Redundancy01
add service NTP-Redundancy02
vip address 10.0.139.119
port 123
protocol udp
active
group NTP-RED
add destination service NTP-Redundancy01
add destination service NTP-Redundancy02
vip address 10.0.139.119
active
What is wrong with this config?
01-25-2010 06:09 AM
This is the output of show flows command:
--------------- ----- --------------- ----- --------------- --- ------- -------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- -------
10.0.139.18     123   10.0.139.119    123   10.0.139.17     UDP 1/1-139 1/1-139
10.0.153.153    123   10.0.139.119    123   10.0.139.18     UDP 1/1-139 1/1-139
01-25-2010 11:23 AM
Pleeease Help !
01-26-2010 11:55 AM
02-02-2010 12:43 AM
I created an ACL and removed the services from the group, but it still doesn't work correctly.
clause 5 permit udp any eq 123 destination any eq 123
clause 6 permit udp any destination any sourcegroup NTP-RED
02-02-2010 01:25 AM
Hi,
could you explain your setup?
- Bridged mode (client-side and server-side VLAN is same IP Subnet but different VLAN ID)
- One-arm mode (only 1 VLAN which contains VIP and servers)?
can you copy your config?
Dario
02-02-2010 01:58 AM
I have two NTP servers (10.0.139.17 and 10.0.139.18) and many clients. I use CSS to load balance and share requests between two NTP servers. Clients send ntp requests (source port 123, destination port 123) to the configured VIP (10.0.139.119), but don't get replies back.
Everything is OK when the NTP request comes from an unprivileged port (>1024).
CSS11503# sh run
!Generated on 02/02/2010 02:47:47
!Active version: sg0810106
configure
!*************************** GLOBAL ***************************
no restrict web-mgmt
bridge priority 0
ip redundancy master
acl enable
app
app session 172.7.6.2
ip management route 10.0.100.0 255.255.255.0 10.0.95.254
ip route 0.0.0.0 0.0.0.0 10.0.139.254 1
!************************* INTERFACE *************************
interface 1/1
trunk
description " *** Trunk to 4000 *** "
vlan 139
interface 2/1
bridge vlan 2
description " *** CSS Redundancy VRRP Heartbeat *** "
!************************** CIRCUIT **************************
circuit VLAN1
redundancy
circuit VLAN139
redundancy
ip address 10.0.139.200 255.255.255.0
circuit VLAN2
ip address 172.7.6.1 255.255.255.0
redundancy-protocol
!************************** SERVICE **************************
service NTP-Redundancy01
ip address 10.0.139.17
keepalive type none
active
service NTP-Redundancy02
ip address 10.0.139.18
keepalive type none
active
!*************************** OWNER ***************************
owner NTP
content NTP-RED
add service NTP-Redundancy01
add service NTP-Redundancy02
vip address 10.0.139.119
active
!*************************** GROUP ***************************
group NTP-RED
vip address 10.0.139.119
active
!**************************** ACL ****************************
acl 6
clause 5 permit udp any eq 123 destination any eq 123
clause 6 permit udp any destination any sourcegroup NTP-RED
clause 10 permit any any destination 10.0.139.119
apply circuit-(VLAN139)
acl 10
clause 10 permit any any destination any
apply circuit-(VLAN1)
apply circuit-(VLAN2)
02-02-2010 02:15 AM
The problem is that your group does NAT the request, and by default the CSS also modifies the source port.
Under the group, you can try "portmap disable" to prevent the src port translation.
See if it helps.
Gilles.
02-02-2010 02:33 AM
"portmap disable" didn't help.
If it helps, debug on CSS shows:
FEB 2 03:25:23 2/1 5606 FLOWMGR-4: UDP in 10.0.153.153:123->10.0.139.119:123
FEB 2 03:25:23 2/1 5607 FLOWMGR-4: UDP out 10.0.153.153:123->10.0.139.17:123
02-02-2010 02:57 AM
You are not source NATting.
Reconfigure your source group and add your services as destination service.
02-02-2010 03:06 AM
I added the destination services before, with the same result.
group NTP-RED
add destination service NTP-Redundancy01
add destination service NTP-Redundancy02
vip address 10.0.139.119
active
02-02-2010 03:13 AM
Can you post the flows again when the destination services are active?
02-02-2010 03:37 AM
When the destination services are active:
--------------- ----- --------------- ----- --------------- ---
Src Address     SPort Dst Address     DPort NAT Dst Address Prt
--------------- ----- --------------- ----- --------------- ---
10.0.153.153    123   10.0.139.119    123   10.0.139.17     UDP
10.0.139.17     123   10.0.139.119    123   10.0.139.18     UDP
It doesn't do source port mapping for ports less than 1024.
02-02-2010 03:46 AM
OK, I see the problem.
You use your VIP address to Source NAT (NO PAT!)
This means that the reply from your server is sent back to the CSS to the NATted address (which is also the VIP) and the same port (123), which in turn is load-balanced again.
Try using a different address for the source NAT than your VIP address.
HTH,
Dario
02-02-2010 04:08 AM
I made a change to 10.0.139.222. No reply.
group NTP-RED
add destination service NTP-Redundancy01
add destination service NTP-Redundancy02
vip address 10.0.139.222
active
CSS11503# sh flows
10.0.153.153 123 10.0.139.119 123 10.0.139.17 UDP
But it works fine when the source port is greater than 1024.
10.0.153.153 39146 10.0.139.119 123 10.0.139.18 UDP
10.0.139.18 123 10.0.139.119 5985 10.0.153.153 UDP
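The following is an added model, not configuration or code from the thread or from Cisco, of the behaviour Dario describes in the 03:46 AM post and of the flows shown above. It encodes two observations from the thread as assumptions: a reply whose destination is VIP:123/udp is matched by the content rule before any existing flow is consulted, and source ports below 1024 are not port-mapped. All addresses, the round-robin server choice and the mapped port 5985 are taken from the thread's own output; the class and function names are invented for the example.

```python
from dataclasses import dataclass

# Addresses as they appear in the thread's configuration and show flows output.
VIP = "10.0.139.119"
SERVERS = ["10.0.139.17", "10.0.139.18"]
CLIENT = "10.0.153.153"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class CssFlowModel:
    """Simplified model (an assumption, not the real CSS pipeline) of one
    content rule (VIP:123/udp) plus a source group that NATs the client
    address to nat_addr and port-maps unprivileged source ports."""

    def __init__(self, nat_addr, first_mapped_port=5985):
        self.nat_addr = nat_addr
        self.next_port = first_mapped_port
        self.flows = {}   # (nat_src, nat_sport) -> (client, client_sport)
        self.rr = 0       # round-robin index over SERVERS

    def content_rule_matches(self, pkt):
        return pkt.dst == VIP and pkt.dport == 123

    def handle(self, pkt):
        # Observed in the thread: a packet to VIP:123 is load-balanced even
        # when it is really a server reply to an earlier NATted request.
        if self.content_rule_matches(pkt):
            server = SERVERS[self.rr % len(SERVERS)]
            self.rr += 1
            sport = pkt.sport
            if pkt.sport >= 1024:          # ports < 1024 are not port-mapped
                sport = self.next_port
                self.next_port += 1
            self.flows[(self.nat_addr, sport)] = (pkt.src, pkt.sport)
            return ("load-balanced", Packet(self.nat_addr, sport, server, 123))
        # Otherwise look for the reverse of an existing NATted flow.
        key = (pkt.dst, pkt.dport)
        if key in self.flows:
            client, client_sport = self.flows.pop(key)
            return ("returned-to-client", Packet(pkt.src, pkt.sport, client, client_sport))
        return ("routed", pkt)


def trace(nat_addr, client_sport):
    """Send one client request through the model and then the server's reply.
    Returns [(action, packet), (action, packet)] for request and reply."""
    css = CssFlowModel(nat_addr)
    req_action, req_out = css.handle(Packet(CLIENT, client_sport, VIP, 123))
    # The real server answers from port 123 to whatever src/sport it saw.
    reply = Packet(req_out.dst, 123, req_out.src, req_out.sport)
    rep_action, rep_out = css.handle(reply)
    return [(req_action, req_out), (rep_action, rep_out)]


if __name__ == "__main__":
    print("NAT = VIP, client sport 123:  ", trace(VIP, 123))
    print("NAT = VIP, client sport 39146:", trace(VIP, 39146))
    print("NAT = .222, client sport 123: ", trace("10.0.139.222", 123))
```

With the VIP as the NAT address and a privileged source port, the model reproduces the 10.0.139.17:123 -> 10.0.139.119:123 flow being load-balanced to 10.0.139.18 instead of returned to the client; with source port 39146 the request is mapped to 5985, the reply to VIP:5985 no longer matches the content rule and is returned to the client, as in the last two flow lines. With a separate NAT address the model returns the reply to the client, which is the reasoning behind the suggestion to change the source group address; the poster reported that this did not help in the real setup, so the model does not capture everything that happens there.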