CSS 11500 Responds for any Port

scottcraig
Level 1

Hopefully this is an easy question but I am having a heck of a time finding an answer.

We have multiple CSS 11500 clusters.  We have found that on all of them, if you try to open a session on any port to an IP address on the backend of the CSS, the CSS will complete the SYN-ACK-ACK session with the client.  This happens regardless of whether there is something on that IP address or not.

Example:

Front                           Back

10.1.1.0/24 --- CSS --- 10.2.2.0/24

Coming from any IP, if I try to telnet to ANY IP on the 10.2.2.0 subnet (whether or not there is an actual server on that IP) on any port (whether or not that port is open or not), the CSS will complete the initial connection.  I have verified this using telnet to numerous ports and viewing the transaction in a packet capture.

Is there any way to shut this off?  This is causing some licensing issues for our security folks that use a vulnerability scanner licensed on number of IP addresses.

Thanks for any input!
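The behaviour described above (the CSS answering SYNs for every backend address and port, so a scanner counts unused addresses as live hosts) can be told apart from a real listener only by looking past the handshake. The following is an added example, not code from the thread or from Cisco: it classifies each backend endpoint in a capture by whether the server side ever sent payload after the three-way handshake. The packet records are constructed for the example and the flag/payload model is a simplification of a real pcap.

```python
"""Separate real backend listeners from proxy-completed handshakes.

Given TCP segments from a capture, classify each (server_ip, server_port)
as a real service, a handshake that the load balancer completed on behalf
of nothing, a closed port, or an unanswered SYN. Packet records here are
constructed for the example; a real tool would feed them from a pcap.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class Pkt:
    """One TCP segment (constructed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters, e.g. "S", "SA", "A", "PA", "R", "FA"
    payload: int    # TCP payload length in bytes


Endpoint = Tuple[str, int]

# Evidence ranking when several flows hit the same endpoint: keep the strongest.
_RANK = {"unanswered": 0, "closed": 1, "handshake-only": 2, "real-service": 3}


def classify_flows(packets: Iterable[Pkt]) -> Dict[Endpoint, str]:
    """Classify every (server_ip, server_port) seen in the capture.

    "real-service"    the server side sent payload after the handshake
    "handshake-only"  SYN/ACK came back but no server data ever followed
                      (the proxy-completed handshake described in the thread)
    "closed"          the SYN was answered with RST
    "unanswered"      the SYN got no reply at all
    """
    # Flow key is (client_ip, client_port, server_ip, server_port), fixed by the SYN.
    state = defaultdict(lambda: {"synack": False, "rst": False, "server_data": 0})
    for p in packets:
        if "S" in p.flags and "A" not in p.flags:
            _ = state[(p.src, p.sport, p.dst, p.dport)]   # register the flow
            continue
        # A packet from the server side matches the key with src/dst swapped.
        from_server = (p.dst, p.dport, p.src, p.sport)
        if from_server not in state:
            continue   # client-side packets, or flows whose SYN we missed
        st = state[from_server]
        if "S" in p.flags and "A" in p.flags:
            st["synack"] = True
        if "R" in p.flags:
            st["rst"] = True
        st["server_data"] += p.payload

    verdict: Dict[Endpoint, str] = {}
    for (_, _, sip, sport), st in state.items():
        if st["server_data"] > 0:
            cat = "real-service"
        elif st["synack"]:
            cat = "handshake-only"
        elif st["rst"]:
            cat = "closed"
        else:
            cat = "unanswered"
        ep = (sip, sport)
        if ep not in verdict or _RANK[cat] > _RANK[verdict[ep]]:
            verdict[ep] = cat
    return verdict


def hosts_without_evidence(verdict: Dict[Endpoint, str]) -> Set[str]:
    """Backend IPs where every observed port was a proxy-completed handshake.

    No port on such an address ever returned data, so the capture holds no
    evidence that a host exists there; these are the addresses a scanner
    would wrongly count as live.
    """
    by_host = defaultdict(set)
    for (ip, _), cat in verdict.items():
        by_host[ip].add(cat)
    return {ip for ip, cats in by_host.items() if cats == {"handshake-only"}}


# Constructed capture: client 10.1.1.5 in front of the CSS, backend 10.2.2.0/24.
SAMPLE = [
    # Real web server at 10.2.2.10:80 answers the request with data.
    Pkt("10.1.1.5", 40001, "10.2.2.10", 80, "S", 0),
    Pkt("10.2.2.10", 80, "10.1.1.5", 40001, "SA", 0),
    Pkt("10.1.1.5", 40001, "10.2.2.10", 80, "A", 0),
    Pkt("10.1.1.5", 40001, "10.2.2.10", 80, "PA", 78),
    Pkt("10.2.2.10", 80, "10.1.1.5", 40001, "PA", 512),
    Pkt("10.1.1.5", 40001, "10.2.2.10", 80, "FA", 0),
    # Same host, no listener on 8443: handshake completes, then a reset.
    Pkt("10.1.1.5", 40002, "10.2.2.10", 8443, "S", 0),
    Pkt("10.2.2.10", 8443, "10.1.1.5", 40002, "SA", 0),
    Pkt("10.1.1.5", 40002, "10.2.2.10", 8443, "A", 0),
    Pkt("10.2.2.10", 8443, "10.1.1.5", 40002, "R", 0),
    # Unused address 10.2.2.200, telnet: handshake completes, client data gets RST.
    Pkt("10.1.1.5", 40003, "10.2.2.200", 23, "S", 0),
    Pkt("10.2.2.200", 23, "10.1.1.5", 40003, "SA", 0),
    Pkt("10.1.1.5", 40003, "10.2.2.200", 23, "A", 0),
    Pkt("10.1.1.5", 40003, "10.2.2.200", 23, "PA", 12),
    Pkt("10.2.2.200", 23, "10.1.1.5", 40003, "R", 0),
    # Host reached without the proxy in the path: closed port answers RST directly.
    Pkt("10.1.1.5", 40004, "10.2.2.30", 22, "S", 0),
    Pkt("10.2.2.30", 22, "10.1.1.5", 40004, "RA", 0),
    # Filtered host: SYN never answered.
    Pkt("10.1.1.5", 40005, "10.2.2.40", 443, "S", 0),
]


if __name__ == "__main__":
    v = classify_flows(SAMPLE)
    for ep, cat in sorted(v.items()):
        print(f"{ep[0]}:{ep[1]:<5} {cat}")
    print("no evidence of a host:", sorted(hosts_without_evidence(v)))
```

The heuristic only works on captures in which the client sent at least a probe after connecting: a client-speaks-first service such as HTTP looks exactly like a proxy-completed handshake until the client sends a request, whereas server-speaks-first services (SSH, SMTP) reveal themselves on their own. Used as a post-processing step on the scanner's own traffic, the "handshake-only" set is what to subtract from the licensed host count.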

4 Replies

pablo.nxh
Level 3

Hi Scott,

The only thing that comes to mind is that you have a content rule VIP with a broad mask configured, without a port, and it has at least one active service configured on it. Just to make sure, can you attach your configuration so we can take a quick look?

Tnx


Pablo

Thanks for your reply and I apologize for not responding sooner - I've been out on vacation. 

There is no mask configured under content rules.

Also, we have a very large environment and have 5 different sets of CSS content switches.  Every single one behaves in this manner so if this were a configuration error, it would have to have been made on every set of content switches.

You should be able to set up ACLs (on the CSS) such that only traffic destined for defined back end servers is allowed to be passed through the CSS. See this reference.

Be careful to note the "apply" convention used with ACLs in CSS software. It's a bit different from normal Cisco ACLs you may be familiar with. The guide covers it but unless you've done it a couple times, it takes some getting used to.

Thanks for your reply Marvin.

We actually use ACLs already - primarily for purposes of allowing backend servers to reach load-balanced services on the CSS they sit behind or for reverse proxy services. 

I have tried specifically blocking access to backend IP addresses that are not used but oddly enough the CSS still replies and opens the initial TCP session just like any other.

I think I'm going to have to open a TAC case on this one.  If they can't answer it, I may be forced to put all of these behind firewalls - which is doable but not ideal.
