Cisco CSS 11503

rustamovea

Hello,

I have a problem with configuring Content Rule on Cisco Content Services Switch.

I am configuring redundancy for NTP, but it doesn't work correctly.

Here is the config:

service NTP-Redundancy01
  ip address 10.0.139.17
  active

service NTP-Redundancy02
  ip address 10.0.139.18
  active

owner NTP
  content NTP-RED
    add service NTP-Redundancy01
    add service NTP-Redundancy02
    vip address 10.0.139.119
    port 123
    protocol udp
    active

group NTP-RED
  add destination service NTP-Redundancy01
  add destination service NTP-Redundancy02
  vip address 10.0.139.119
  active

What is wrong with this config?

14 Replies

rustamovea

This is the output of show flows command:

--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
10.0.139.18     123   10.0.139.119    123   10.0.139.17     UDP  1/1-139   1/1-139
10.0.153.153    123   10.0.139.119    123   10.0.139.18     UDP  1/1-139   1/1-139

Please help!

10.0.153.153 - client
10.0.139.119 - VIP address
10.0.139.17 - NTP Server
10.0.139.18 - NTP Server

I created an ACL and removed the services from the group, but it still doesn't work correctly.

  clause 5 permit udp any eq 123 destination any eq 123
  clause 6 permit udp any destination any sourcegroup NTP-RED

Hi,

could you explain your setup?

- Bridged mode (client-side and server-side VLANs are the same IP subnet but different VLAN IDs)?

- One-arm mode (only 1 VLAN which contains VIP and servers)?

Can you copy your config?

Dario

I have two NTP servers (10.0.139.17 and 10.0.139.18) and many clients. I use CSS to load balance and share requests between two NTP servers. Clients send ntp requests (source port 123, destination port 123) to the configured VIP (10.0.139.119), but don't get replies back.

Everything is OK when the NTP request comes from an unprivileged port (>1024).

CSS11503# sh run
!Generated on 02/02/2010 02:47:47
!Active version: sg0810106
configure
!*************************** GLOBAL ***************************
  no restrict web-mgmt
  bridge priority 0
  ip redundancy master
  acl enable
  app
  app session 172.7.6.2
  ip management route 10.0.100.0 255.255.255.0 10.0.95.254
  ip route 0.0.0.0 0.0.0.0 10.0.139.254 1
!************************* INTERFACE *************************
interface  1/1
  trunk
  description " *** Trunk to 4000 *** "
  vlan 139
interface  2/1
  bridge vlan 2
  description " *** CSS Redundancy VRRP Heartbeat *** "
!************************** CIRCUIT **************************
circuit VLAN1
  redundancy
circuit VLAN139
  redundancy
  ip address 10.0.139.200 255.255.255.0
circuit VLAN2
  ip address 172.7.6.1 255.255.255.0
    redundancy-protocol
!************************** SERVICE **************************
service NTP-Redundancy01
  ip address 10.0.139.17
  keepalive type none
  active
service NTP-Redundancy02
  ip address 10.0.139.18
  keepalive type none
  active
!*************************** OWNER ***************************
owner NTP
  content NTP-RED
    add service NTP-Redundancy01
    add service NTP-Redundancy02
    vip address 10.0.139.119
    active
!*************************** GROUP ***************************
group NTP-RED
  vip address 10.0.139.119
  active
!**************************** ACL ****************************
acl 6
  clause 5 permit udp any eq 123 destination any eq 123
  clause 6 permit udp any destination any sourcegroup NTP-RED
  clause 10 permit any any destination 10.0.139.119
  apply circuit-(VLAN139)
acl 10
  clause 10 permit any any destination any
  apply circuit-(VLAN1)
  apply circuit-(VLAN2)

The problem is that your group does NAT the request, and by default the CSS also modifies the source port.

Under the group, you can try "portmap disable" to prevent the src port translation.

See if it helps.

Gilles.

"portmap disable" didn't help.

If it helps, debug on CSS shows:

FEB  2 03:25:23 2/1 5606 FLOWMGR-4: UDP in 10.0.153.153:123->10.0.139.119:123
FEB  2 03:25:23 2/1 5607 FLOWMGR-4: UDP out 10.0.153.153:123->10.0.139.17:123

You are not source NATting.

Reconfigure your source group and add your services as destination services.

I added destination services before, with the same result.

group NTP-RED
  add destination service NTP-Redundancy01
  add destination service NTP-Redundancy02
  vip address 10.0.139.119
  active

Can you post the flows again when the destination services are active?

When the destination services are active:

--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt
--------------- ----- --------------- ----- --------------- --- ------- ------
10.0.153.153    123   10.0.139.119    123   10.0.139.17     UDP
10.0.139.17     123   10.0.139.119    123   10.0.139.18     UDP

It doesn't do source port mapping for ports less than 1024.

OK, I see the problem.

You use your VIP address for source NAT (NO PAT!).

This means that the reply from your server is sent back to the CSS at the NATted address (which is also the VIP) and the same port (123), which in turn is load-balanced again.

Try using a different address for the source NAT than your VIP address.

HTH,

Dario

rustamovea

I made a change to 10.0.139.222. No reply.

group NTP-RED
  add destination service NTP-Redundancy01
  add destination service NTP-Redundancy02
  vip address 10.0.139.222
  active

CSS11503# sh flows
10.0.153.153    123   10.0.139.119    123   10.0.139.17     UDP

But it works fine when the source port is greater than 1024.

10.0.153.153    39146 10.0.139.119    123   10.0.139.18     UDP
10.0.139.18     123   10.0.139.119    5985  10.0.153.153    UDP
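As an added example that is not part of the thread (and not Cisco code), here is a small Python script that parses the "show flows" tables rustamovea posted and flags the flow Dario describes: a server's reply that arrives back at the VIP on port 123 and is load-balanced a second time. The reply_rehits_vip predicate encodes Dario's explanation with one simplification taken from the thread's own observations: a client source port below 1024 is not port-mapped by the CSS, while an unprivileged one is mapped to a high port (5985 in the last table). The input strings are constructed by copying the two tables from the posts; VIP and SERVERS are the addresses given earlier in the thread.

```python
# Added example, not code from the thread or from Cisco: parse CSS "show flows"
# output and flag a server reply that the CSS has load-balanced a second time.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, List


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nat_dst: str
    proto: str


def _is_ipv4(token: str) -> bool:
    try:
        IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_show_flows(text: str) -> List[Flow]:
    """Turn the rows of 'show flows' into Flow records.

    Prompt, header and separator lines are skipped; rows may carry the extra
    InPort/OutPort columns seen in the first table of the thread.
    """
    flows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 6:
            continue
        if not (_is_ipv4(p[0]) and _is_ipv4(p[2]) and _is_ipv4(p[4])):
            continue
        if not (p[1].isdigit() and p[3].isdigit()):
            continue
        flows.append(Flow(p[0], int(p[1]), p[2], int(p[3]), p[4], p[5]))
    return flows


def relooped_replies(flows: Iterable[Flow], vip: str, servers: Iterable[str],
                     vip_port: int = 123) -> List[Flow]:
    """Flows whose source is a real server, whose destination is the VIP on the
    content-rule port, and which the CSS has NATted to a server again: the
    server's reply was matched by the content rule as if it were a new request."""
    servers = set(servers)
    return [f for f in flows
            if f.src in servers and f.dst == vip and f.dport == vip_port
            and f.nat_dst in servers]


def reply_rehits_vip(request: Flow, vip: str, nat_src: str, vip_port: int = 123) -> bool:
    """Dario's explanation as a predicate.

    Simplification taken from the thread: source-group NAT rewrites the client
    address to nat_src, and a privileged client source port (<1024) is not
    port-mapped, so the server answers to nat_src:request.sport.  An
    unprivileged source port is mapped to a high port, so its reply can never
    land on vip_port.
    """
    if request.dst != vip or request.dport != vip_port:
        return False
    if request.sport >= 1024:
        return False  # reply goes to a mapped high port, not to vip_port
    return nat_src == vip and request.sport == vip_port


# Constructed input: the two tables posted in the thread, copied as text.
VIP = "10.0.139.119"
SERVERS = ["10.0.139.17", "10.0.139.18"]

BROKEN_FLOWS = """\
CSS11503# sh flows
--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt
--------------- ----- --------------- ----- --------------- --- ------- ------
10.0.153.153    123   10.0.139.119    123   10.0.139.17     UDP
10.0.139.17     123   10.0.139.119    123   10.0.139.18     UDP
"""

WORKING_FLOWS = """\
10.0.153.153    39146 10.0.139.119    123   10.0.139.18     UDP
10.0.139.18     123   10.0.139.119    5985  10.0.153.153    UDP
"""

if __name__ == "__main__":
    for label, table in (("source port 123", BROKEN_FLOWS),
                         ("source port 39146", WORKING_FLOWS)):
        looped = relooped_replies(parse_show_flows(table), VIP, SERVERS)
        print(f"{label}: {len(looped)} re-balanced server reply flow(s)")
        for f in looped:
            print(f"  {f.src}:{f.sport} -> {f.dst}:{f.dport} NATted again to {f.nat_dst}")
```

Run against the first table it reports one re-balanced reply (10.0.139.17:123 -> 10.0.139.119:123, NATted to 10.0.139.18); against the second, none. Note that the thread ends without a resolution: after the source group was moved to 10.0.139.222 the port-123 requests still got no reply, so the check confirms the loop Dario identified but does not show that removing it is sufficient on its own.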
