https://community.cisco.com/t5/application-networking/what-does-the-bug-mean/m-p/19511#M208 <P>hello,</P><P></P><P>what is the meaning of that bug?</P><P>===</P><P>CSCdx35082 - When the CSS detects a mid-NAT reject, the RST (reset) going back to the client has a sequence number of 0.</P><P>===</P><P></P><P>at the momement I use CSS 11005 with app v 5.00. </P><P>I have two layers of CSSs: </P><P>-one I use load balancing over a few SSL servers</P><P>-sec I use for firewall load balancing</P><P></P><P>so my topology looks like:</P><P></P><P>SSL</P><P>SSL---CSS11005_B-----PIX-----CSS11005_A-----router_IOS----Internet</P><P>... PIX</P><P>SSL</P><P></P><P>only router_IOS has a public IP address, all other IPs are private</P><P></P><P>on the router_IOS there is a static NAT for VIP from CSS11005_B </P><P>CSS11005_A is used only for firewall loadbalancing and there is not NAT</P><P>PIXs do not make a NAT - only route</P><P>CSS11005_B gives VIP for SSL cluster, so there is a NAT</P><P></P><P>all works fine since over a year. but time to time I recive an information for my support departament, that there is a client who cannot use our SSL.</P><P></P><P>it is always the same situation: client use some kind of address translation at his point of Internet connection; behind his NAT he cannot use my SSL; If he connect directly to the Internet all works fine.</P><P></P><P>I am wondering is it possible to tunne something at my side to fix that kind of problems?</P><P></P><P>regards</P> Mon, 21 Oct 2002 07:04:01 GMT p.kodzis 2002-10-21T07:04:01Z https://community.cisco.com/t5/application-networking/what-does-the-bug-mean/m-p/19511#M208 <P>hello,</P><P></P><P>what is the meaning of that bug?</P><P>===</P><P>CSCdx35082 - When the CSS detects a mid-NAT reject, the RST (reset) going back to the client has a sequence number of 0.</P><P>===</P><P></P><P>at the momement I use CSS 11005 with app v 5.00. </P><P>I have two layers of CSSs: </P><P>-one I use load balancing over a few SSL servers</P><P>-sec I use for firewall load balancing</P><P></P><P>so my topology looks like:</P><P></P><P>SSL</P><P>SSL---CSS11005_B-----PIX-----CSS11005_A-----router_IOS----Internet</P><P>... PIX</P><P>SSL</P><P></P><P>only router_IOS has a public IP address, all other IPs are private</P><P></P><P>on the router_IOS there is a static NAT for VIP from CSS11005_B </P><P>CSS11005_A is used only for firewall loadbalancing and there is not NAT</P><P>PIXs do not make a NAT - only route</P><P>CSS11005_B gives VIP for SSL cluster, so there is a NAT</P><P></P><P>all works fine since over a year. but time to time I recive an information for my support departament, that there is a client who cannot use our SSL.</P><P></P><P>it is always the same situation: client use some kind of address translation at his point of Internet connection; behind his NAT he cannot use my SSL; If he connect directly to the Internet all works fine.</P><P></P><P>I am wondering is it possible to tunne something at my side to fix that kind of problems?</P><P></P><P>regards</P> Mon, 21 Oct 2002 07:04:01 GMT https://community.cisco.com/t5/application-networking/what-does-the-bug-mean/m-p/19511#M208 p.kodzis 2002-10-21T07:04:01Z https://community.cisco.com/t5/application-networking/what-does-the-bug-mean/m-p/19512#M209 <HTML><HEAD></HEAD><BODY><P>I am not sure if there is something to tune or not but according to the following release notes, that bug is fixed in v.5.20. You may need to get with Cisco to see if there is a workaround.</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/contnetw/ps792/prod_release_note09186a00800e03a6.html" target="_blank">http://www.cisco.com/en/US/products/hw/contnetw/ps792/prod_release_note09186a00800e03a6.html</A></P></BODY></HTML> Fri, 25 Oct 2002 15:52:42 GMT https://community.cisco.com/t5/application-networking/what-does-the-bug-mean/m-p/19512#M209 lisa.hall 2002-10-25T15:52:42Z