Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

SNA Enterprise Extender through ACE

Hi,

Any experience configuring ACE to NAT and forward SNA Enterprise Extender traffic?

Thanks in advance.

6 REPLIES
Bronze

SNA Enterprise Extender through ACE

Fernando

I set this up in the lab and I can't get the EE peers to connect. EE uses UDP 12000-12005. The initial XID exchange uses UDP 12000. Connecting from the EE client to the vip, you can see that the ACE NATs the dest-ip towards the rserver, it also takes a source port from the ephemeral range. Client is 1.2.1.1, vip 1.9.1.209, rserver 1.3.1.5. Note that the EE server responds to port 12000 (not 28192)

cdn-ace-1/mwinnett# cap msw start

17:17:31.733579 0:13:60:30:fe:89 0:b:fc:fe:1b:cc 0800 45: 1.2.1.1.12000 > 1.9.1.209.12000:  [udp sum ok] udp 3 [tos 0xc0]  (ttl 254, id 43876, len 31)

17:17:31.733751 0:b:fc:fe:1b:cc 0:13:60:30:fe:89 0800 45: 1.2.1.1.28192 > 1.3.1.5.12000:  [bad udp cksum c191!] udp 3 [tos 0xc0]  (ttl 254, id 43876, len 31, bad cksum bcd!)

17:17:31.736979 0:13:60:30:fe:89 0:b:fc:fe:1b:cc 0800 45: 1.3.1.5.12000 > 1.2.1.1.12000:  [udp sum ok] udp 3 [tos 0xc0]  (ttl 254, id 1815, len 31)

17:17:31.737134 0:b:fc:fe:1b:cc 0:13:60:30:fe:89 0800 45: 1.3.1.5.12000 > 1.2.1.1.12000:  [udp sum ok] udp 3 [tos 0xc0]  (ttl 254, id 1815, len 31)

However, when I check back at the EE client, you can see that the source IP address is not natted

*Jan 13 17:25:30.407 METDST: IP: tableid=0, s=1.3.1.5 (Tunnel99), d=1.2.1.1 (Tunnel99), routed via RIB

*Jan 13 17:25:30.411 METDST: IP: s=1.3.1.5 (Tunnel99), d=1.2.1.1 (Tunnel99), len 31, rcvd 3

4420A410: 45C0001F 08160000 FC11B1ED 01030105  E@......|.1m....

4420A420: 01020101 2EE02EE0 000BDB07 0405BF    .....`.`..[...?

The issue is that the EE server does not respect the incoming source port and uses 12000 instead. This means that the ACE will not NAT the response.

Can you give more details of what you are trying to achieve ?

Matthew

SNA Enterprise Extender through ACE

Hi Matthew,

Thanks for your answer. Could you send me the configuration you used on your lab?

Fernando

Bronze

SNA Enterprise Extender through ACE

Fernando

Nothing really magic here. I uses Cisco snasw routers as client and server and the issues that I encountered relating to port usage are probably specific to how we implement EE. Bearing mind that the basis of our Snasw implementation is the same as that used by the MS Sna server, its likely that any other implementation will have the same issues.

If you want to share more details of what you are trying to achieve, maybe I can help further.

Matthew

access-list anyany line 10 extended permit ip any any

probe icmp ping-test

  interval 20

  faildetect 2

  passdetect interval 20

  passdetect count 2

rserver host dymock

  ip address 1.3.1.5

  inservice

rserver host kilcot

  ip address 1.3.1.1

  inservice

serverfarm host snas-serverfarm

  probe ping-test

  rserver dymock

    inservice

  rserver kilcot

    inservice

class-map type management match-any remote-mgmt

  10 match protocol ssh any

  20 match protocol telnet any

  30 match protocol icmp any

  40 match protocol http any

  50 match protocol https any

class-map match-all snasw-class

  10 match virtual-address 1.9.1.209 any

policy-map type management first-match remote-access

  class remote-mgmt

    permit

policy-map type loadbalance first-match round-robin-snasw

  class class-default

    serverfarm snas-serverfarm

policy-map multi-match lb-vip

  class snasw-class

    loadbalance vip inservice

    loadbalance policy round-robin-snasw

    loadbalance vip icmp-reply

interface vlan 468

  description Server vlan

  ip address 1.8.1.201 255.255.255.0

  alias 1.8.1.200 255.255.255.0

  peer ip address 1.8.1.202 255.255.255.0

  access-group input anyany

  service-policy input remote-access

  no shutdown

interface vlan 469

  description Client vlan

  ip address 1.9.1.201 255.255.255.0

  alias 1.9.1.200 255.255.255.0

  peer ip address 1.9.1.202 255.255.255.0

  access-group input anyany

  service-policy input remote-access

  service-policy input lb-vip

  no shutdown

ip route 1.2.1.0 255.255.255.0 1.9.1.211

ip route 1.3.1.0 255.255.255.0 1.8.1.211

SNA Enterprise Extender through ACE

Hi Matthew,

Below you can see our configuration. As you can see, we perform a NAT for the connections exiting vlans 61 and 150.

The SNA traffic is load balanaced, bu it's extremely slow, making impossible to work with the application:

probe icmp ICMP_SARA
  interval 20
  faildetect 2
  passdetect interval 20
  passdetect count 2

rserver host ls60ca
  ip address 172.20.1.221
  inservice

serverfarm host CL4_udp_SARA
probe ICMP_SARA
  rserver ls60ca
    inservice
 
class-map match-any sal_ls60ca
  2 match source-address 172.20.1.221 255.255.255.255

class-map match-any vip_CL4_udp_SARA
  4 match virtual-address 10.25.23.221 any

policy-map type loadbalance first-match LB_CL4_udp_SARA
  class class-default
    serverfarm CL4_udp_SARA

policy-map multi-match INT_150
class vip_CL4_udp_SARA insert-before FW1_SEC_VIP
    loadbalance vip inservice
    loadbalance policy LB_CL4_udp_SARA
    loadbalance vip icmp-reply active
    loadbalance vip advertise active

policy-map multi-match INT_61
class vip_CL4_udp_SARA insert-before FW1_SEC_VIP
    loadbalance vip inservice
    loadbalance policy LB_CL4_udp_SARA
    loadbalance vip icmp-reply active
    loadbalance vip advertise active

policy-map multi-match SNATS_150
class sal_ls60ca
    nat dynamic 73 vlan 61
    nat dynamic 75 vlan 150

interface vlan 61

service-policy input INT_61
nat-pool 73 10.25.23.221 10.25.23.221 netmask 255.255.255.255

interface vlan 150

service-policy input INT_150
nat-pool 75 10.25.23.221 10.25.23.221 netmask 255.255.255.255

Any suggestions,

Thank you very much in advance.

Nando

Bronze

SNA Enterprise Extender through ACE

Best to open a case and we can take a close look. If you can email me the case number (mwinnett@cisco.com), I'll pick it up.

SNA Enterprise Extender through ACE

Hi Matthew,

Nowadays, the contract that we have with our Cisco supplier  do not includes this kind of issues, it's just a hardware replacement contract. Anyway, I'm gonna try to convince them to open the case.

As soon as I have any feedback, I'll inform you.

Thanks!!

761
Views
0
Helpful
6
Replies