cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1833
Views
1
Helpful
2
Replies

Load Balance TMG with Cisco CSS

Avery Spates
Level 1
Level 1

I am working with a Customer that is using Cisco CSS to load balance Microsoft TMG 2010.

From the Microsoft TMG, I can see the https probes hitting the TMG Servers. The TMG 2010 recongnizes that the Cisco is trying to establish a 3-way handshake and is dropping every 3rd connection with the following error: "non-SYN packet was dropped because it was sent by a source that does not hane an established connection with the Forefron TMG computer." Since the Microsoft Forefront TMG 2010 Server is Stateful packet inspection firewall, what is the best load balance method for this service? TCP or even worst ICMP.

Below is a snipet of the configuration:

Thank You

Avery

CSS-A# show service Server1-ssl

Name: Server1-ssl  Index: 70   

  Type: Local            State: Alive

  Rule ( x.x.x.x  TCP  443 )

  Session Redundancy: Enabled

  Redundancy Global Index: 206

  Redirect Domain: 

  Redirect String:

  Keepalive: (SSL-443   5   3   5 )

  Keepalive Encryption:      Disabled

  Last Clearing of Stats Counters: 03/05/2012 16:33:14

  Mtu:                       1500        State Transitions:            4

  Total Local Connections:   0           Total Backup Connections:     0

  Current Local Connections: 0           Current Backup Connections:   0

  Total Connections:         0           Max Connections:              65534

  Total Reused Conns:        0           Weight Reporting:             None

  Weight:                    1           Load:                         2

CSS-A#

CSS-A# show service Server2-ssl 

Name: Server2-ssl  Index: 71   

  Type: Local            State: Alive

  Rule ( x.x.x.x  TCP  443 )

  Session Redundancy: Enabled

  Redundancy Global Index: 207

  Redirect Domain: 

  Redirect String:

  Keepalive: (SSL-443   5   3   5 )

  Keepalive Encryption:      Disabled

  Last Clearing of Stats Counters: 03/05/2012 16:53:49

  Mtu:                       1500        State Transitions:            6

  Total Local Connections:   0           Total Backup Connections:     0

  Current Local Connections: 0           Current Backup Connections:   0

  Total Connections:         0           Max Connections:              65534

  Total Reused Conns:        0           Weight Reporting:             None

  Weight:                    1           Load:                         2

1 Accepted Solution

Accepted Solutions

rodrguti_2
Level 1
Level 1

Hi,

It would good to have a capture from the server itself, the TCP keepalive is really simple, as you explained, it is just a 3-way-handshake on port 443.

The CSS is going to use it's vlan IP to generate this keepalive.

So if the server is dropping the connection, it would be good to se the actual behavior of the keepalive.

ICMP is just a ping, and lets say port 443 is not longer open on the server, at the point that the CSS gets the ICMP reply back from the server, the service is going to remain as alive, but the traffic is not going to work, so ICMP is not a good option.

Thanks!

View solution in original post

2 Replies 2

rodrguti_2
Level 1
Level 1

Hi,

It would good to have a capture from the server itself, the TCP keepalive is really simple, as you explained, it is just a 3-way-handshake on port 443.

The CSS is going to use it's vlan IP to generate this keepalive.

So if the server is dropping the connection, it would be good to se the actual behavior of the keepalive.

ICMP is just a ping, and lets say port 443 is not longer open on the server, at the point that the CSS gets the ICMP reply back from the server, the service is going to remain as alive, but the traffic is not going to work, so ICMP is not a good option.

Thanks!

Hi Rodrguti,

  We were able to come up with a resolution. We had to change the Health Monitor to TCP 443 and configure a Close Option "FIN" to close the connection. Once we made that change, the TMG saw the connections as an "Initiate Connection" then "Close Connection".

  I will post the configurations used shortly.

Thank You for the response.

Review Cisco Networking for a $25 gift card