Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
833
Views
0
Helpful
3
Replies

CSS CItrix Nfuse Connections Drop

Go to solution
dgahm
Level 8
Level 8

‎02-12-2007 11:12 AM

We are using a CSS-11501 version 7.5 to load balance SSL connections to a pair of Citrix Web Interface servers. The CSS is connected to a DMZ interface of an ASA5520 on one side, and a 3550 with the web interface servers on the other side. Citrix app servers are in the internal network.

The problem is that users are dropped after 45-75 minutes. If the load balancer is bypassed by suspending the service and connecting to the server IP, the drops stop occurring. Sniffer traces indicate it is the Citrix 1494 connection between the Web server and the internal Citrix server that is being dropped.

Tried extending TCP flow, and sticky timeouts but no change.

Is it possible to disable the NAT function on the 1494 backend connection and still allow load balancing of the 443 client connection?

Thanks, Dave

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Gilles Dufour
Cisco Employee
Cisco Employee

‎02-13-2007 02:24 AM

where and how did you apply the flow-timeout-multiplier ?

You need it under the content rule and under the group.

You can apply nating to a specific port by using ACL.

Instead of doing a 'add destination service' under the group, you leave it empty [except for the vip] and use an acl to decide when to use the group

ie:

acl 1

clause 10 permit tcp any destination content owner/rule sourcegroup

Gilles.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
andreas.larsen
Level 1
Level 1

‎02-13-2007 12:07 AM

You will do a Port translation so however you do it you will be "translating". Have you tried upgrading to a newer version ? 8.X is out. Not sure it will have fix for it but it might well be worth a try.

RR if you find it usefull.

0 Helpful

Go to solution
Gilles Dufour
Cisco Employee
Cisco Employee

‎02-13-2007 02:24 AM

where and how did you apply the flow-timeout-multiplier ?

You need it under the content rule and under the group.

You can apply nating to a specific port by using ACL.

Instead of doing a 'add destination service' under the group, you leave it empty [except for the vip] and use an acl to decide when to use the group

ie:

acl 1

clause 10 permit tcp any destination content owner/rule sourcegroup

Gilles.

0 Helpful

Go to solution
dgahm
Level 8
Level 8
In response to Gilles Dufour

‎02-13-2007 02:11 PM

Gilles,

Thanks, I did not apply the multiplier to both. Will try that and the ACL.

Dave

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card