[c-nsp] IP SLA through NAT Firewall

Eric Helm helmwork at ruraltel.net
Fri Apr 22 10:27:26 EDT 2005


I'm having problems getting the following IP SLA configuration to work 
behind a Sonicwall Firewall.

ip sla monitor responder
ip sla monitor 10
  type jitter dest-ipaddr 24.225.XXX.XXX dest-port 16384 codec g729a advantage-factor 2
  tos 184
  tag Test
ip sla monitor schedule 10 life forever start-time now

The firewall is doing NAT, established connections are allowed back 
through the Sonicwall and I have port forwarded the udp port that is 
defined in the SLA configuration.

However, I get the following message from debug ip sla monitor trace:
003315: Apr 22 14:07:23.186: IP SLA Monitor(10) jitter operation: 
Starting jitter operation
003316: Apr 22 14:07:23.186: IP SLA Monitor(10) CtrlMsg: Sending msg, 
ver=1, id=49, len=52, cmd=4, ip=24.225.XXX.XXX, port=16384, duration=25000ms
003317: Apr 22 14:07:23.270: IP SLA Monitor(10) CtrlMsg: Receive status = 0
003318: Apr 22 14:07:48.274: IP SLA Monitor(10) jitter operation: Timeout
003319: Apr 22 14:07:48.274: IP SLA Monitor(10) Scheduler: Updating result

A packet trace on the router reveals the following:
009586: Apr 22 14:15:43.655: IP: tableid=0, s=192.168.0.2 (local), 
d=24.225.XXX.XXX (FastEthernet0/0), routed via FIB
009587: Apr 22 14:15:43.655: IP: s=192.168.0.2 (local), d=24.225.XXX.XXX 
(FastEthernet0/0), len 60, sending
009588: Apr 22 14:15:43.655:     UDP src=50526, dst=16384
009596: Apr 22 14:15:43.659: IP: s=192.168.0.2 (local), d=24.225.XXX.XXX 
(FastEthernet0/0), len 60, sending
009597: Apr 22 14:15:43.659:     UDP src=50526, dst=16384
009598: Apr 22 14:15:44.471: IP: tableid=0, s=24.225.XXX.XXX 
(FastEthernet0/0), d=192.168.0.2 (FastEthernet0/0), routed via RIB
009599: Apr 22 14:15:44.471: IP: s=24.225.XXX.XXX (FastEthernet0/0), 
d=192.168.0.2 (FastEthernet0/0), len 56, rcvd 3
009600: Apr 22 14:15:44.471:     ICMP type=3, code=3u all

Additionally, I see from an ethereal capture in front of the IP SLA 
responder router (24.225.XXX.XXX) that the packets from the source 
router arrive OK, but the responder router sends back an ICMP Port 
Unreachable error.

There are several other routers using this responder without issue.

Does NAT just break the IP SLA feature? Or is this a firewall problem?

Thanks in advance,
Eric
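As an added example (not part of Eric's post, and not Cisco code), here is a small triage script that parses the two kinds of debug output quoted above, `debug ip sla monitor trace` and the `debug ip packet` trace, and correlates them per operation: a control message that was accepted (Receive status = 0) followed by a probe timeout, UDP probes to the announced port answered by ICMP type 3 code 3 from the responder, and a private (RFC 1918) probe source heading to a non-private destination, which is the NAT-in-path condition the post asks about. The sample lines are constructed, modelled on the post's output with the responder address replaced by a documentation address (203.0.113.10); the function names and the findings it produces are my own.

```python
import ipaddress
import re

# Constructed sample lines modelled on the post's debug output.
# 203.0.113.10 stands in for the masked responder address.
SLA_TRACE = """\
003315: Apr 22 14:07:23.186: IP SLA Monitor(10) jitter operation: Starting jitter operation
003316: Apr 22 14:07:23.186: IP SLA Monitor(10) CtrlMsg: Sending msg, ver=1, id=49, len=52, cmd=4, ip=203.0.113.10, port=16384, duration=25000ms
003317: Apr 22 14:07:23.270: IP SLA Monitor(10) CtrlMsg: Receive status = 0
003318: Apr 22 14:07:48.274: IP SLA Monitor(10) jitter operation: Timeout
003319: Apr 22 14:07:48.274: IP SLA Monitor(10) Scheduler: Updating result
"""

PACKET_TRACE = """\
009586: Apr 22 14:15:43.655: IP: tableid=0, s=192.168.0.2 (local), d=203.0.113.10 (FastEthernet0/0), routed via FIB
009587: Apr 22 14:15:43.655: IP: s=192.168.0.2 (local), d=203.0.113.10 (FastEthernet0/0), len 60, sending
009588: Apr 22 14:15:43.655:     UDP src=50526, dst=16384
009599: Apr 22 14:15:44.471: IP: s=203.0.113.10 (FastEthernet0/0), d=192.168.0.2 (FastEthernet0/0), len 56, rcvd 3
009600: Apr 22 14:15:44.471:     ICMP type=3, code=3
"""

CTRL_RE = re.compile(r"IP SLA Monitor\((?P<op>\d+)\) CtrlMsg: Sending msg,.*?ip=(?P<ip>[\d.]+), port=(?P<port>\d+)")
STATUS_RE = re.compile(r"IP SLA Monitor\((?P<op>\d+)\) CtrlMsg: Receive status = (?P<status>\d+)")
TIMEOUT_RE = re.compile(r"IP SLA Monitor\((?P<op>\d+)\) jitter operation: Timeout")
# Only the "sending"/"rcvd" lines carry a packet; the "tableid=0 ... routed via" lines are skipped.
IP_RE = re.compile(r"IP: s=(?P<src>[\d.]+) \([^)]*\), d=(?P<dst>[\d.]+) \([^)]*\), len \d+, (?P<dir>sending|rcvd)")
UDP_RE = re.compile(r"UDP src=(?P<sport>\d+), dst=(?P<dport>\d+)")
ICMP_RE = re.compile(r"ICMP type=(?P<type>\d+), code=(?P<code>\d+)")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_sla_trace(text):
    """Collect, per operation number, the control-message target and outcome."""
    ops = {}
    for line in text.splitlines():
        if m := CTRL_RE.search(line):
            ops.setdefault(m["op"], {"timeout": False}).update(ctrl_ip=m["ip"], ctrl_port=int(m["port"]))
        elif m := STATUS_RE.search(line):
            ops.setdefault(m["op"], {"timeout": False})["ctrl_status"] = int(m["status"])
        elif m := TIMEOUT_RE.search(line):
            ops.setdefault(m["op"], {})["timeout"] = True
    return ops


def parse_packet_trace(text):
    """Pair each 'IP: s=... d=...' line with the UDP/ICMP detail line after it."""
    pkts, current = [], None
    for line in text.splitlines():
        if m := IP_RE.search(line):
            current = {"src": m["src"], "dst": m["dst"], "dir": m["dir"]}
            pkts.append(current)
        elif current is not None and (m := UDP_RE.search(line)):
            current.update(proto="udp", sport=int(m["sport"]), dport=int(m["dport"]))
        elif current is not None and (m := ICMP_RE.search(line)):
            current.update(proto="icmp", type=int(m["type"]), code=int(m["code"]))
    return pkts


def diagnose(ops, pkts):
    """Return human-readable findings correlating the two traces."""
    findings = []
    for op, info in ops.items():
        ip, port = info.get("ctrl_ip"), info.get("ctrl_port")
        if info.get("ctrl_status") == 0 and info.get("timeout"):
            findings.append(f"op {op}: control message to {ip} accepted, but probe on udp/{port} timed out")
        probes = [p for p in pkts if p.get("proto") == "udp" and p["dst"] == ip and p.get("dport") == port]
        unreach = [p for p in pkts if p.get("proto") == "icmp" and p["src"] == ip and p["type"] == 3 and p["code"] == 3]
        if probes and unreach:
            findings.append(f"op {op}: responder {ip} answers udp/{port} probes with ICMP port unreachable")
        for p in probes:
            src, dst = ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"])
            if any(src in n for n in RFC1918) and not any(dst in n for n in RFC1918):
                findings.append(f"op {op}: probe source {src} is RFC 1918 and destination {dst} is not: "
                                f"NAT in path, responder sees a translated source address/port")
                break
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_sla_trace(SLA_TRACE), parse_packet_trace(PACKET_TRACE)):
        print(f)
```

The third finding is the one to read against the post's question: the router's own packet trace shows the probe leaving from 192.168.0.2, so whatever address and port the responder opened for this operation, it will see the firewall's translated source instead, and the ICMP port unreachable from the responder in the ethereal capture is consistent with that mismatch. The script only reports what the two traces show; it does not claim which side to fix.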

