Community Member

Cisco CSS 11503

Hello,

I have a problem with configuring Content Rule on Cisco Content Services Switch.

I am configuring Redundancy for NTP, but it doesn't work correctly.

Here is the config:

service NTP-Redundancy01
  ip address 10.0.139.17
  active

service NTP-Redundancy02
  ip address 10.0.139.18
  active

owner NTP
  content NTP-RED
    add service NTP-Redundancy01
    add service NTP-Redundancy02
    vip address 10.0.139.119
    port 123
    protocol udp
    active

group NTP-RED
  add destination service NTP-Redundancy01
  add destination service NTP-Redundancy02
  vip address 10.0.139.119
  active

What is wrong with this config?

14 REPLIES
Community Member

Re: Cisco CSS 11503

This is the output of show flows command:

--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
10.0.139.18     123   10.0.139.119    123   10.0.139.17     UDP  1/1-139   1/1-139
10.0.153.153    123   10.0.139.119    123   10.0.139.18     UDP  1/1-139   1/1-139

Community Member

Re: Cisco CSS 11503

Pleeease Help !

Community Member

Re: Cisco CSS 11503

10.0.153.153 - client
10.0.139.119 - VIP address
10.0.139.17 - NTP Server
10.0.139.18 - NTP Server

Community Member

Re: Cisco CSS 11503

I created an ACL and removed the services from the group, but it still doesn't work correctly.

  clause 5 permit udp any eq 123 destination any eq 123
  clause 6 permit udp any destination any sourcegroup NTP-RED

Silver

Re: Cisco CSS 11503

Hi,

could you explain your setup?

- Bridged mode (client-side and server-side VLAN is same IP Subnet but different VLAN ID)

- One-arm mode (only 1 VLAN which contains VIP and servers)?

can you copy your config?

Dario

Community Member

Re: Cisco CSS 11503

I have two NTP servers (10.0.139.17 and 10.0.139.18) and many clients. I use CSS to load balance and share requests between two NTP servers. Clients send ntp requests (source port 123, destination port 123) to the configured VIP (10.0.139.119), but don't get replies back.

Everything is OK when the ntp request comes from an unprivileged port (>1024).

CSS11503# sh run

!Generated on 02/02/2010 02:47:47
!Active version: sg0810106

configure

!*************************** GLOBAL ***************************
  no restrict web-mgmt
  bridge priority 0
  ip redundancy master
  acl enable
  app
  app session 172.7.6.2
  ip management route 10.0.100.0 255.255.255.0 10.0.95.254
  ip route 0.0.0.0 0.0.0.0 10.0.139.254 1

!************************* INTERFACE *************************
interface  1/1
  trunk
  description " *** Trunk to 4000 *** "
  vlan 139

interface  2/1
  bridge vlan 2
  description " *** CSS Redundancy VRRP Heartbeat *** "

!************************** CIRCUIT **************************
circuit VLAN1
  redundancy

circuit VLAN139
  redundancy
  ip address 10.0.139.200 255.255.255.0

circuit VLAN2
  ip address 172.7.6.1 255.255.255.0
    redundancy-protocol

!************************** SERVICE **************************
service NTP-Redundancy01
  ip address 10.0.139.17
  keepalive type none
  active

service NTP-Redundancy02
  ip address 10.0.139.18
  keepalive type none
  active

!*************************** OWNER ***************************
owner NTP
  content NTP-RED
    add service NTP-Redundancy01
    add service NTP-Redundancy02
    vip address 10.0.139.119
    active

!*************************** GROUP ***************************
group NTP-RED
  vip address 10.0.139.119
  active

!**************************** ACL ****************************
acl 6
  clause 5 permit udp any eq 123 destination any eq 123
  clause 6 permit udp any destination any sourcegroup NTP-RED
  clause 10 permit any any destination 10.0.139.119
  apply circuit-(VLAN139)

acl 10
  clause 10 permit any any destination any
  apply circuit-(VLAN1)
  apply circuit-(VLAN2)

Cisco Employee

Re: Cisco CSS 11503

The problem is that your group does NAT the request and by default the CSS also modifies the src port.

Under the group, you can try "portmap disable" to prevent the src port translation.

See if it helps.

Gilles.

Community Member

Re: Cisco CSS 11503

"portmap disable" didn't help.

If it helps, debug on CSS shows:

FEB  2 03:25:23 2/1 5606 FLOWMGR-4: UDP in 10.0.153.153:123->10.0.139.119:123
FEB  2 03:25:23 2/1 5607 FLOWMGR-4: UDP out 10.0.153.153:123->10.0.139.17:123

Silver

Re: Cisco CSS 11503

You are not source NATting.

Reconfigure your source group and add your services as destination service.

Community Member

Re: Cisco CSS 11503

I added destination service before, the same result.

group NTP-RED
  add destination service NTP-Redundancy01
  add destination service NTP-Redundancy02
  vip address 10.0.139.119
  active

Silver

Re: Cisco CSS 11503

Can you post the flows again when the destination services are active?

Community Member

Re: Cisco CSS 11503

When destination services are active:

--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt
--------------- ----- --------------- ----- --------------- --- ------- ------
10.0.153.153    123   10.0.139.119    123   10.0.139.17     UDP
10.0.139.17     123   10.0.139.119    123   10.0.139.18     UDP

It doesn't do source port mapping for ports less than 1024.

Silver

Re: Cisco CSS 11503

OK, I see the problem.

You use your VIP address to Source NAT (NO PAT!)

This means that the reply from your server is sent back to the CSS to the NATted address (which is also the VIP), and the same port (123), which in its turn is load-balanced again.

Try using a different address for the source NAT than your VIP address.

HTH,

Dario

Community Member

Re: Cisco CSS 11503

I made a change to 10.0.139.222. No reply.

group NTP-RED
  add destination service NTP-Redundancy01
  add destination service NTP-Redundancy02
  vip address 10.0.139.222
  active

CSS11503# sh flows
10.0.153.153    123   10.0.139.119    123   10.0.139.17     UDP

But it works fine when the source is greater than 1024.

10.0.153.153    39146 10.0.139.119    123   10.0.139.18     UDP
10.0.139.18     123   10.0.139.119    5985  10.0.153.153    UDP
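An added model (not CSS code, not from any poster) of the flow handling Dario describes above and of the two `sh flows` outputs in this thread: flows are keyed on the 5-tuple, the content rule owns 10.0.139.119:123, and the source group NATs the client source to its own address, port-mapping only source ports of 1024 or above. The ordering in `handle`, the starting mapped port 5985 and the round-robin choice of server are assumptions chosen to reproduce the posted flows; the model shows why a reply to VIP:123 is balanced again, and why a separate NAT address removes that 5-tuple collision, even though the last post reports that change alone did not restore replies.

```python
# Added model of the CSS content rule / source group interaction in this thread.
# A flow is keyed on (src ip, src port, dst ip, dst port); UDP is implied throughout.

VIP = ("10.0.139.119", 123)                 # content NTP-RED: vip 10.0.139.119, port 123, udp
SERVERS = ("10.0.139.17", "10.0.139.18")    # NTP-Redundancy01 / NTP-Redundancy02
CLIENT = "10.0.153.153"                     # client from the posted flows


class CssModel:
    def __init__(self, nat_ip, portmap=True):
        self.nat_ip = nat_ip          # "vip address" under group NTP-RED (source NAT address)
        self.portmap = portmap        # "portmap disable" sets this False
        self.reverse = {}             # expected reply 5-tuple -> (client ip, client port)
        self.next_server = 0          # assumption: simple round robin between the services
        self.next_map_port = 5985     # assumption: first mapped port, as in the posted flows

    def _nat_port(self, sport):
        # Thread observation: the CSS does not port-map source ports below 1024.
        if self.portmap and sport >= 1024:
            port, self.next_map_port = self.next_map_port, self.next_map_port + 1
            return port
        return sport

    def handle(self, src, sport, dst, dport):
        """Return the action the model takes for one datagram arriving at the CSS."""
        # Ordering assumption: anything addressed to the content rule's VIP:port is a new
        # request and is balanced before any reverse-flow lookup. This is what the posted
        # 'show flows' shows: the server's reply to VIP:123 was NATted to the other server.
        if (dst, dport) == VIP:
            server = SERVERS[self.next_server % len(SERVERS)]
            self.next_server += 1
            nport = self._nat_port(sport)
            self.reverse[(server, 123, self.nat_ip, nport)] = (src, sport)
            return ("balanced", src, sport, server, nport)
        if (src, sport, dst, dport) in self.reverse:
            client, cport = self.reverse.pop((src, sport, dst, dport))
            return ("reply_to_client", client, cport)
        return ("no_flow",)


def ntp_exchange(nat_ip, client_port, portmap=True):
    """One client request followed by the server's reply; return the reply's fate."""
    css = CssModel(nat_ip, portmap)
    _, _, _, server, nport = css.handle(CLIENT, client_port, *VIP)
    # The server answers from its own port 123 to the NATted source nat_ip:nport.
    return css.handle(server, 123, nat_ip, nport)
```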
