Cisco ACE incorrect translation src port

CSCO117775131
Level 1

Dear Experts, please HELP!

I have one VIP IP 172.17.10.55:9082 to load balance between rservers with different ports (172.17.10.18:9083, 172.17.10.19:9087, 172.17.10.20:9084...)

class-map match-all VS_PP_9082
  2 match virtual-address 172.17.10.55 tcp eq 9082 

serverfarm host SF_PRIZPRIV_9082
  predictor leastconns
  probe PR_PP_9082
  rserver 172.17.10.18 9083
    inservice
  rserver 172.17.10.19 9087
  ....

Problem: ACE incorrectly translates the src port. The src port is 47016, but ACE replaces it with 1092 (or it can be 1280, 1092, 1278).

When the VIP port and the rserver port in the serverfarm are the same, it works correctly.

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
488907     2  in  TCP   21   172.17.1.17:47016     172.17.10.55:9082     ESTAB
205377     2  out TCP   5    172.17.10.18:9083     172.17.1.17:1092      ESTAB

ACE Version A5(3.0) 

How do I solve it? Please give your recommendations.

BR,

Denis

6 Replies

Kanwaljeet Singh
Cisco Employee

Hi Denis,

You have a class map matching on port 9082 and you have a serverfarm listening on 9083. So ACE changes the destination port to 9083 before forwarding it to the server, but remember it will also change the source port and that is FAD. Are you facing any issues with that?

When the reply from the server, i.e. 172.17.10.18 from src port 9083, hits the ACE, ACE will change the dst port from 1092 back to 47016 and fwd the request back to the client. Shouldn't be a problem.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Thank you, Kanwal

In this situation, the class map matches on port 9081 and the serverfarm listens on 9082.
----------------------------------------------------------------------------------
ACE30-1/VC_FRONT_SRV# show conn serverfarm SF_PRIZPRIV_9082

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
2085856    3  in  TCP   21   172.17.1.17:46983     172.17.10.55:9081     ESTAB
2040930    3  out TCP   5    172.17.10.18:9082     172.17.1.17:1037      ESTAB


ACE30-1/VC_FRONT_SRV# show conn ipv4 | include 172.17.1.17
2085856    3  in  TCP   21   172.17.1.17:46983     172.17.10.55:9081     ESTAB
2040930    3  out TCP   5    172.17.10.18:9082     172.17.1.17:1037      ESTAB

serverfarm host SF_PRIZPRIV_9082
  predictor leastconns slowstart 500
  rserver 172.17.10.18 9082
    cookie-string "priz01"
    inservice
-----------------------------------------------------------------------------------

When ACE sends back the answer, the port is not changed to 46983.

Cisco sent us new FW Version A5(3.1a) but the problem is not gone.

Please reply to me if you have any ideas.

BR,

Denis

Hi Denis,

Do you actually see that the port was not changed in pcaps, or are you saying that on the basis of the "show conn" output?

So IN and OUT actually correspond to ICM (Inbound Connection Manager) and OCM (Outbound Connection Manager).

2085856    3  in  TCP   21   172.17.1.17:46983     172.17.10.55:9081     ESTAB

The above represents the incoming leg of the connection, where the client comes in on the VIP.

2040930    3  out TCP   5    172.17.10.18:9082     172.17.1.17:1037      ESTAB

The above represents the leg of the connection where ACE forwarded the connection to the server, i.e. 172.17.10.18. But in the representation it is reversed. So when ACE forwarded the connection to server .18, it changed the source port to 1037. This is what it represents.

If you have a packet capture on the client side indicating that the ACE didn't rewrite the source port before forwarding the packet to the client, then that would be a bug. I doubt that is the case, but then pcaps are our best friend to confirm that.

Regards,

Kanwal

Note: Please mark answers if they are helpful.
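To make the ICM/OCM reading above concrete, here is an added example (not Cisco tooling and not code from anyone in this thread) that parses the "show conn" rows quoted in this reply and in the earlier one, joins the in and out legs, and reports both rewrites: the client source port substituted by source NAT and the VIP port replaced by the rserver port. Pairing the two legs by client IP is an assumption of the example, since the output does not link the two conn-ids.

```python
import re

# Constructed sample modelled on the "show conn" rows quoted in this thread.
SAMPLE_SHOW_CONN = """\
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
2085856    3  in  TCP   21   172.17.1.17:46983     172.17.10.55:9081     ESTAB
2040930    3  out TCP   5    172.17.10.18:9082     172.17.1.17:1037      ESTAB
"""

# One data row: conn-id, np, dir, proto, vlan, src ip:port, dst ip:port, state.
ROW = re.compile(
    r"^(?P<id>\d+)\s+\d+\s+(?P<dir>in|out)\s+(?P<proto>\S+)\s+\d+\s+"
    r"(?P<sip>[\d.]+):(?P<sport>\d+)\s+(?P<dip>[\d.]+):(?P<dport>\d+)\s+(?P<state>\S+)$"
)

def parse_show_conn(text):
    """Return one dict per data row; header and separator lines do not match ROW."""
    legs = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            legs.append(d)
    return legs

def pair_flows(legs):
    """Join each 'in' leg (client -> VIP, ICM) with the 'out' leg (OCM) whose
    destination is the same client IP. The 'out' row is printed from the server's
    side: its source is the rserver and its destination is the client as the
    server sees it, i.e. the client IP with the port ACE substituted (source NAT).
    Pairing by client IP is an assumption: the two conn-ids are not linked."""
    outs = [l for l in legs if l["dir"] == "out"]
    flows = []
    for inleg in (l for l in legs if l["dir"] == "in"):
        match = next((o for o in outs if o["dip"] == inleg["sip"]), None)
        if match is None:
            continue  # no server-side leg (yet) for this client connection
        outs.remove(match)  # consume it so a second flow from the same client is not re-paired
        flows.append({
            "client": inleg["sip"], "client_port": inleg["sport"],
            "vip": inleg["dip"], "vip_port": inleg["dport"],
            "rserver": match["sip"], "rserver_port": match["sport"],
            "nat_port": match["dport"],
            # the two rewrites discussed in the thread: source port (SNAT) and VIP -> rserver port
            "src_port_rewritten": match["dport"] != inleg["sport"],
            "dst_port_rewritten": match["sport"] != inleg["dport"],
        })
    return flows
```

Running `pair_flows(parse_show_conn(SAMPLE_SHOW_CONN))` on the sample yields one flow: 172.17.1.17:46983 to the VIP on 9081 is forwarded as 172.17.1.17:1037 to 172.17.10.18:9082, which is exactly what the reversed "out" row encodes.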

Hello Kanwal,

I checked again; the port translation works correctly, you are right.

In our configuration we use SNAT, so the reply comes back through the ACE.

The scheme is Front--->LB--->APP, but with different APP ports it does not work.

Q. Can ACE work with different ports (VIP port not the same as in the serverfarm)?

class-map match-all CM_LB_APP
  2 match virtual-address 172.17.10.55 tcp eq 9081
serverfarm host SF_APP_EPZ
  predictor leastconns
  rserver APP 9082

I attach my configuration; if you have time, please look at it.

BR

Denis
Hi Denis,

I haven't checked the configuration, but what you have demonstrated above should work just fine. Any request that comes in on 9081 would be forwarded to 9082, since you have mentioned port 9082 in front of the real server in the farm.

Is this not working?

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Thank you, Kanwal

I used packet capture directly on the ACE, and it helped me.

BR

Denis