[c-nsp] IP SLA through NAT Firewall

Luan Nguyen luan.nguyen at mci.com
Fri Apr 22 11:02:17 EDT 2005


Thanks for introducing me to the new command :)
This ip sla monitor thing came out with 12.2SX and 12.2SB already?
I saw on Cisco's web site that it is coming out to replace rtr in 12.4 and 12.4T.
Anyhow, for rtr stuff, first the router will send a control message from a UDP
high port to the responder's UDP port 1967.  The responder will respond back
from 1967 to the UDP high port.  If this goes through the firewall, then the
normal jitter operation will follow, from the UDP high port to port 16384 as
specified by you.
Your config seems to specify the router as both the probe and the responder.
IMHO, NAT probably doesn't break your SLA... probably the firewall.

Luan


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eric Helm
Sent: Friday, April 22, 2005 10:27 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IP SLA through NAT Firewall

I'm having problems getting the following IP SLA configuration to work 
behind a Sonicwall Firewall.

ip sla monitor responder
ip sla monitor 10
  type jitter dest-ipaddr 24.225.XXX.XXX dest-port 16384 codec g729a advantage-factor 2
  tos 184
  tag Test
ip sla monitor schedule 10 life forever start-time now

The firewall is doing NAT, established connections are allowed back 
through the Sonicwall and I have port forwarded the udp port that is 
defined in the SLA configuration.

However, I get the following message from debug ip sla monitor trace:
003315: Apr 22 14:07:23.186: IP SLA Monitor(10) jitter operation: 
Starting jitter operation
003316: Apr 22 14:07:23.186: IP SLA Monitor(10) CtrlMsg: Sending msg, 
ver=1, id=49, len=52, cmd=4, ip=24.225.XXX.XXX, port=16384, duration=25000ms
003317: Apr 22 14:07:23.270: IP SLA Monitor(10) CtrlMsg: Receive status = 0
003318: Apr 22 14:07:48.274: IP SLA Monitor(10) jitter operation: Timeout
003319: Apr 22 14:07:48.274: IP SLA Monitor(10) Scheduler: Updating result

A packet trace on the router reveals the following:
009586: Apr 22 14:15:43.655: IP: tableid=0, s=192.168.0.2 (local), 
d=24.225.XXX.XXX (FastEthernet0/0), routed via FIB
009587: Apr 22 14:15:43.655: IP: s=192.168.0.2 (local), d=24.225.XXX.XXX 
(FastEthernet0/0), len 60, sending
009588: Apr 22 14:15:43.655:     UDP src=50526, dst=16384
009596: Apr 22 14:15:43.659: IP: s=192.168.0.2 (local), d=24.225.XXX.XXX 
(FastEthernet0/0), len 60, sending
009597: Apr 22 14:15:43.659:     UDP src=50526, dst=16384
009598: Apr 22 14:15:44.471: IP: tableid=0, s=24.225.XXX.XXX 
(FastEthernet0/0), d=192.168.0.2 (FastEthernet0/0), routed via RIB
009599: Apr 22 14:15:44.471: IP: s=24.225.XXX.XXX (FastEthernet0/0), 
d=192.168.0.2 (FastEthernet0/0), len 56, rcvd 3
009600: Apr 22 14:15:44.471:     ICMP type=3, code=3u all

Additionally, I see from an ethereal capture in front of the IP SLA 
responder router (24.225.XXX.XXX) that the packets from the source 
router arrive OK, but the responder router sends back an ICMP Port 
Unreachable error.

There are several other routers using this responder without issue.

Does NAT just break the IP SLA feature? Or is this a firewall problem?

Thanks in advance,
Eric
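As an added example (not code from either poster), a small Python parser for the IOS debug trace format Eric quoted: it pairs each IP header line with the UDP or ICMP detail line that follows it and flags outbound UDP flows that the far end answered with ICMP port unreachable. The embedded trace is constructed from the post, with the TEST-NET-3 address 203.0.113.10 standing in for the redacted responder.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the post's trace; 203.0.113.10 (TEST-NET-3) replaces the redacted responder.
SAMPLE_TRACE = """\
009587: Apr 22 14:15:43.655: IP: s=192.168.0.2 (local), d=203.0.113.10 (FastEthernet0/0), len 60, sending
009588: Apr 22 14:15:43.655:     UDP src=50526, dst=16384
009596: Apr 22 14:15:43.659: IP: s=192.168.0.2 (local), d=203.0.113.10 (FastEthernet0/0), len 60, sending
009597: Apr 22 14:15:43.659:     UDP src=50526, dst=16384
009599: Apr 22 14:15:44.471: IP: s=203.0.113.10 (FastEthernet0/0), d=192.168.0.2 (FastEthernet0/0), len 56, rcvd 3
009600: Apr 22 14:15:44.471:     ICMP type=3, code=3
"""

IP_RE = re.compile(r"IP: s=(\S+) \([^)]*\), d=(\S+) \([^)]*\), len \d+, (sending|rcvd)")
UDP_RE = re.compile(r"UDP src=(\d+), dst=(\d+)")
ICMP_RE = re.compile(r"ICMP type=(\d+), code=(\d+)")

@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "sending" = left this router, "rcvd" = arrived here
    proto: str      # "UDP" or "ICMP"
    a: int          # UDP source port, or ICMP type
    b: int          # UDP destination port, or ICMP code

def parse_trace(text: str) -> list[Packet]:
    """Pair each 'IP: s=.., d=..' line with its UDP/ICMP detail line; 'routed via' lines are skipped."""
    packets, pending = [], None
    for line in text.splitlines():
        if m := IP_RE.search(line):
            pending = (m[1], m[2], m[3])
        elif pending and (m := UDP_RE.search(line)):
            packets.append(Packet(*pending, "UDP", int(m[1]), int(m[2])))
            pending = None
        elif pending and (m := ICMP_RE.search(line)):
            packets.append(Packet(*pending, "ICMP", int(m[1]), int(m[2])))
            pending = None
    return packets

def find_rejected_probes(packets: list[Packet]) -> list[tuple[str, int, int]]:
    """(peer, sport, dport) of outbound UDP flows the peer answered with ICMP 3/3 (port unreachable)."""
    sent = {(p.dst, p.a, p.b) for p in packets if p.proto == "UDP" and p.direction == "sending"}
    unreachable_from = {p.src for p in packets
                        if p.proto == "ICMP" and p.direction == "rcvd" and (p.a, p.b) == (3, 3)}
    return sorted(f for f in sent if f[0] in unreachable_from)

if __name__ == "__main__":
    for peer, sport, dport in find_rejected_probes(parse_trace(SAMPLE_TRACE)):
        print(f"{peer} rejected UDP {sport}->{dport} with port unreachable")
```

An ICMP type 3 code 3 from the responder means nothing was listening on the probed port when the packet arrived, which is what the parser reports for the flow to 16384 in the sample.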
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


