
New Member

odd behaviour with l4payload..

Hi all,

I've got a pretty strange problem with load balancing with some l4payload criteria. I'll show you the configuration (DNS stuff):

class-map type generic match-any dns_regex
  5 match layer4-payload offset 20 regex ".*corp100.100.*"

class-map type generic match-any dns_regex2
  5 match layer4-payload offset 20 regex ".*corp099.100.*"

class-map match-all DNS_VIP
  5 match virtual-address udp eq domain

parameter-map type dns DAS_TEST
  timeout query 2

policy-map type loadbalance generic first-match dns_regex
  class dns_regex
    serverfarm DNS
  class dns_regex2
    serverfarm DNS

  class DNS_VIP
    loadbalance vip inservice
    loadbalance policy dns_regex
    loadbalance vip icmp-reply active
    appl-parameter dns advanced-options DAS_TEST
    inspect dns maximum-length 2048

Quite easy configuration, quite hard behaviour.
If I do the first query with something like corp099.100, all works and I can see some hits on the service policy. The strange thing is that if I then do a query with corp100.100, I cannot see any new hit on the other server farm. Stranger still, if I do a query for corp091.100 it all works (even though it is not allowed by the class-map). If I perform a "clear conn all" and try again to query corp091.100, it doesn't work. Odd again: if I do another query to an allowed regex expression like corp100.100, all works (of course), and if I try the unallowed query again I can perform it. So if a conn is open, the other connections use the same socket, or so it seems...
Do you think it is a bug?
PS: ACE module release A2.1(0)

New Member

Re: odd behaviour with l4payload..

hi all,

I've updated the release to A2(2.3) but it's the same. I've put fast-age on the policy MM under the class and all seems to work.

By now I have no idea if it is a bug or expected ACE module behaviour.


New Member

Re: odd behaviour with l4payload..

So, just to summarise:

If I put fast-age, the class-map works properly, but if I generate lots of queries (dnsperf) almost all queries fail. Without fast-age the class-maps don't work properly, but if I generate lots of queries I can see all responses.



Re: odd behaviour with l4payload..

From the udp-fast-age Guide: "By default, the ACE could load balance UDP packets using the same tuple to the same real server on an existing connection." My effort to interpret it: in other sections, 'tuple' contains (dst VIP, dst port, protocol). A connection contains also the client src IP. Requests from another client might be directed to another farm (provided you don't use the same farm in both classes). Have you tested it from another client IP too? It may well be a documented feature.


Re: odd behaviour with l4payload..

Have you omitted some lines from the config? Is 'class DNS_VIP' section really under 'policy-map type loadbalance generic first-match dns_regex' ? I guess it should fit under a multi-match policy-map.

New Member

Re: odd behaviour with l4payload..

Hi Peter,

yes it is under policy MM.


Cisco Employee

Re: odd behaviour with l4payload..


Same problem as for your other query.

You have to understand that ACE by default only checks the first query of a connection.

Once the server is identified, we assume we have to continue with that server until the connection is closed.

Therefore, we stop inspecting queries.

This is why if your first query hits server #1, all subsequent queries will also go to server #1, even those that are not allowed.

By enabling fast-age, you tell ACE to kill the connection after the first query/response.

Therefore the next query is like a new connection and ACE will need to make a new decision.

All this is normal.
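The first-packet-only classification described in this reply is worth seeing end to end, because it means a layer4-payload class-map is a per-connection steering decision, not a per-packet filter: once a UDP 5-tuple is pinned to a farm, later queries on that tuple are never matched against the regexes again, so "unallowed" names ride the existing flow. The following simulation is an added illustration, not ACE code or anything from this thread. Its assumptions: the two classes are sent to two distinct farms (the thread uses the same farm "DNS" for both, which hides the effect), the regexes are applied from byte 12 of the UDP payload (the DNS header length; the thread's offset 20 depends on the poster's actual query names, which are not shown), a query that matches no class gets no load-balance decision, and fast-age is modelled as simply not creating a connection entry.

```python
import re

# Constructed policy mirroring the thread's class-maps (first-match order).
# Assumption: distinct farms per class so the pinning effect is visible.
POLICY = [
    ("dns_regex",  re.compile(r".*corp100.100.*", re.DOTALL), "farm-A"),
    ("dns_regex2", re.compile(r".*corp099.100.*", re.DOTALL), "farm-B"),
]
PAYLOAD_OFFSET = 12  # assumption: skip the 12-byte DNS header, match on the question


def build_dns_query(name, txid=0x1234):
    """Constructed minimal DNS wire-format A query for `name`."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    qname = b"".join(len(lbl).to_bytes(1, "big") + lbl.encode("ascii")
                     for lbl in name.split(".")) + b"\x00"
    return header + qname + b"\x00\x01\x00\x01"  # QTYPE=A, QCLASS=IN


def classify(payload):
    """Apply the regex class-maps to the layer-4 payload from PAYLOAD_OFFSET.

    The label-length byte between 'corp100' and '100' in wire format is what
    the '.' in the thread's regex happens to match.
    """
    text = payload[PAYLOAD_OFFSET:].decode("latin-1")
    for cls_name, rx, farm in POLICY:
        if rx.search(text):
            return cls_name, farm
    return None, None


class AceSim:
    """Simulates ACE connection pinning for UDP flows (constructed model)."""

    def __init__(self, fast_age=False):
        self.fast_age = fast_age
        self.conns = {}  # 5-tuple -> farm chosen on the first packet

    def handle(self, src, sport, dst, dport, payload):
        key = (src, sport, dst, dport, "udp")
        if key in self.conns:
            # Existing connection: no re-inspection, same real server
            return self.conns[key]
        _, farm = classify(payload)
        if farm is None:
            return None  # no class matched: no LB decision, query not answered
        if not self.fast_age:
            self.conns[key] = farm  # pin the tuple until the conn is cleared
        return farm

    def clear_conn_all(self):
        self.conns.clear()


def replay(fast_age, names, src=("10.0.0.5", 40000), vip=("192.0.2.53", 53)):
    """Send queries from one fixed socket (as a dnsperf run would) and return
    the farm chosen for each, or None where nothing matched."""
    ace = AceSim(fast_age)
    return [ace.handle(*src, *vip, build_dns_query(n)) for n in names]


if __name__ == "__main__":
    seq = ["corp099.100.example", "corp100.100.example", "corp091.100.example"]
    print("no fast-age:", replay(False, seq))   # all pinned to farm-B
    print("fast-age:   ", replay(True, seq))    # farm-B, farm-A, None
```

With a fixed source port, the three queries without fast-age all land on farm-B: the second one never reaches dns_regex, and the third, which matches no class at all, is still forwarded. With fast-age every query is classified on its own and the non-matching name gets no decision, which is the poster's "doesn't work after clear conn all" case. A test client that rotates source ports (or source addresses) would show the same per-query behaviour without fast-age, since each query is then a new tuple.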


New Member

Re: odd behaviour with l4payload..


Of course it makes sense, but only if the full socket is the same.

The difficult thing is doing some tests with queryperf or dnsperf, 'cause the client srcip/srcport --> and (of course) the server dstip/dstport<53> are always the same.

With fast-age theoretically all packets are inspected, BUT for some reason queryperf with fast-age enabled doesn't work as expected. Maybe always using the same socket gets ACE stuck.

thx a lot