[c-nsp] ACE & load-balancing of DNS / ALG / inspection

Ramcharan, Vijay A vijay.ramcharan at verizonbusiness.com
Fri Jun 19 13:52:57 EDT 2009


Not sure if these are applicable but may be worth looking into. Just a
shot in the dark as I don't have ACEs to test with and I have not run
into this particular problem myself. 

I think each feature is mutually exclusive. 
UDP booster (high connection rates for UDP) and UDP fast-age (UDP
per-packet load balancing) 

http://cco.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1157547
http://cco.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1281598

Vijay Ramcharan
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
Sent: June 19, 2009 11:22
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ACE & load-balancing of DNS / ALG / inspection

All,

We've recently deployed config on our ACE (blades in 6500s) to provide 
resilient DNS.

However, the ACE seems to be doing some kind of DNS inspection, and is 
(incorrectly I think) closing the SLB session the instant a DNS answer 
comes back. This causes problems with clients that make 2 lookups very 
quickly, from the same source port.

i.e. I am seeing:

client sport=5000 dport=53 query id=2346 hostname A
client sport=5000 dport=53 query id=4646 hostname AAAA
server dport=5000 sport=53 reply id=2346 A=192.168.x.y

...and that's it. The 2nd reply is dropped. If the client makes the 
queries "slowly" they work fine:

client sport=5000 dport=53 query id=2346 hostname A
server dport=5000 sport=53 reply id=2346 A=192.168.x.y
client sport=5000 dport=53 query id=4646 hostname AAAA
server dport=5000 sport=53 reply id=4646 AAAA=...

Our old DNS servers (via static anycast routes) and a different service 
(via eBGP multipath anycast) don't exhibit the problem, so I'm certain 
it's the ACE.

FYI, this causes problems with the glibc changes present in 2.10 & 
Fedora 11 - the glibc always tries two queries in quick succession for A 
and AAAA records, and the timeouts can destroy kerberos/ldap logins...

I'm aware of the "inspect" commands, but they're off by default and I 
can't "no inspect"; it tells me it's already turned off.

Does anyone know if and how I can persuade the ACE to stop being so 
"clever" and just treat the DNS as "plain old UDP"?

version info is:

Software
   loader:    Version 12.2[120]
   system:    Version A2(1.1) [build 3.0(0)A2(1.1) adbuild_00:25:02-2008/06/05_/auto/adbu-rel3/rel_a2_1_1_throttle/REL_3_0_0_A2_1_1]
   system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1_1.bin
   installed license: ACE-08G-LIC ACE-SEC-LIC-K9

...and the config we're using is:


serverfarm host RECURSIVE-DNS
   transparent
   predictor leastconns
   probe TCP_53
   rserver xxx 53
     inservice
   rserver yyy 53
     inservice
   rserver www 53
     inservice
   rserver zzz 53
     inservice

class-map match-any VIP_SPONCON-DNS
   2 match virtual-address 192.168.a.b udp eq domain
   3 match virtual-address 192.168.a.b tcp eq domain

policy-map type loadbalance first-match SLB_RECURSIVE-DNS
   class class-default
     serverfarm RECURSIVE-DNS

policy-map multi-match VIPS_VLANxx
   !.. various config, then
   class VIP_SPONCON-DNS
     loadbalance vip inservice
     loadbalance policy SLB_RECURSIVE-DNS
     loadbalance vip icmp-reply
     loadbalance vip advertise

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
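The per-flow session behaviour Phil describes, modelled as an added example (not code from the thread, from Cisco or from the ACE; the flow-table semantics are an assumption made to reproduce the reported symptom). It parses traces in the thread's own format and shows why the second reply is lost when the session is closed on the first answer, and why it is delivered when the session is instead left to age out:

```python
"""Constructed model of a per-flow UDP session table in front of DNS servers.
close_on_first_reply=True mirrors the behaviour reported above: the flow is torn
down as soon as one DNS answer returns, so the reply to a second query sent from
the same source port finds no session and is dropped. False keeps the flow until
an idle timeout (not modelled), as plain UDP handling would. This is an
illustration, not ACE code; the session semantics are an assumption."""


def parse_trace(lines):
    """Parse the thread's trace format into (direction, client_port, query_id)."""
    pkts = []
    for line in lines:
        who, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields if "=" in f)
        # The client port is sport on a query and dport on a reply.
        port = kv["sport"] if who == "client" else kv["dport"]
        pkts.append((who, int(port), int(kv["id"])))
    return pkts


def simulate(lines, close_on_first_reply):
    """Return (delivered, dropped) query ids for a trace under the given mode."""
    sessions = {}  # client port -> set of outstanding query ids
    delivered, dropped = [], []
    for who, port, qid in parse_trace(lines):
        if who == "client":
            sessions.setdefault(port, set()).add(qid)  # open or refresh the flow
            continue
        outstanding = sessions.get(port)
        if outstanding is None:
            dropped.append(qid)  # no flow entry, so the reply cannot be forwarded
            continue
        delivered.append(qid)
        outstanding.discard(qid)
        if close_on_first_reply:
            del sessions[port]  # "transaction complete": tear the flow down at once
    return delivered, dropped


# Constructed traces: the thread's fast case, including the server's second reply
# (which leaves the server but never reaches the client), and the slow case.
FAST_TRACE = [
    "client sport=5000 dport=53 query id=2346 hostname A",
    "client sport=5000 dport=53 query id=4646 hostname AAAA",
    "server dport=5000 sport=53 reply id=2346 A=192.168.x.y",
    "server dport=5000 sport=53 reply id=4646 AAAA=...",
]
SLOW_TRACE = [FAST_TRACE[0], FAST_TRACE[2], FAST_TRACE[1], FAST_TRACE[3]]
```

Running `simulate(FAST_TRACE, True)` yields one delivered id (2346) and one dropped id (4646), the pattern in the post; the same trace with `False`, or the slow trace in either mode, delivers both.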
