03-06-2012 02:16 PM
I am working with a customer that is using Cisco CSS to load balance Microsoft TMG 2010.
From the Microsoft TMG, I can see the https probes hitting the TMG Servers. The TMG 2010 recognizes that the Cisco is trying to establish a 3-way handshake and is dropping every 3rd connection with the following error: "non-SYN packet was dropped because it was sent by a source that does not have an established connection with the Forefront TMG computer." Since the Microsoft Forefront TMG 2010 Server is a stateful packet inspection firewall, what is the best load balance method for this service? TCP or, even worse, ICMP.
Below is a snippet of the configuration:
Thank You
Avery
CSS-A# show service Server1-ssl
Name: Server1-ssl Index: 70
Type: Local State: Alive
Rule ( x.x.x.x TCP 443 )
Session Redundancy: Enabled
Redundancy Global Index: 206
Redirect Domain:
Redirect String:
Keepalive: (SSL-443 5 3 5 )
Keepalive Encryption: Disabled
Last Clearing of Stats Counters: 03/05/2012 16:33:14
Mtu: 1500 State Transitions: 4
Total Local Connections: 0 Total Backup Connections: 0
Current Local Connections: 0 Current Backup Connections: 0
Total Connections: 0 Max Connections: 65534
Total Reused Conns: 0 Weight Reporting: None
Weight: 1 Load: 2
CSS-A#
CSS-A# show service Server2-ssl
Name: Server2-ssl Index: 71
Type: Local State: Alive
Rule ( x.x.x.x TCP 443 )
Session Redundancy: Enabled
Redundancy Global Index: 207
Redirect Domain:
Redirect String:
Keepalive: (SSL-443 5 3 5 )
Keepalive Encryption: Disabled
Last Clearing of Stats Counters: 03/05/2012 16:53:49
Mtu: 1500 State Transitions: 6
Total Local Connections: 0 Total Backup Connections: 0
Current Local Connections: 0 Current Backup Connections: 0
Total Connections: 0 Max Connections: 65534
Total Reused Conns: 0 Weight Reporting: None
Weight: 1 Load: 2
03-07-2012 03:19 PM
Hi,
It would be good to have a capture from the server itself; the TCP keepalive is really simple, as you explained, it is just a 3-way handshake on port 443.
The CSS is going to use its VLAN IP to generate this keepalive.
So if the server is dropping the connection, it would be good to see the actual behavior of the keepalive.
ICMP is just a ping, and let's say port 443 is no longer open on the server; at the point that the CSS gets the ICMP reply back from the server, the service is going to remain as alive, but the traffic is not going to work, so ICMP is not a good option.
Thanks!
03-08-2012 05:42 AM
Hi Rodrguti,
We were able to come up with a resolution. We had to change the Health Monitor to TCP 443 and configure a Close Option "FIN" to close the connection. Once we made that change, the TMG saw the connections as an "Initiate Connection" then "Close Connection".
I will post the configurations used shortly.
Thank You for the response.
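The fix in this thread is a TCP 443 keepalive whose probe connection is closed with a FIN rather than torn down abruptly, so a stateful firewall sees "initiate connection" followed by "close connection" instead of an orphaned non-SYN packet. The following script is an added example, not code from the thread or from Cisco; it reproduces the two teardown styles against a throwaway listener on 127.0.0.1 (constructed, standing in for the TMG service) and reports what the server side observes: an orderly EOF for a FIN close, a connection reset for an abortive close (SO_LINGER with a zero timeout, which makes the kernel send RST). The helper names `probe_tcp`, `observe_probe` and `unused_port` are mine.

```python
import socket
import struct
import threading


def tcp_handshake(host, port, timeout=5.0):
    """Complete the 3-way handshake to host:port (what a plain TCP keepalive does).
    Returns the connected socket, or None if the port refused or timed out."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except OSError:
        sock.close()
        return None
    return sock


def close_probe(sock, close_with_fin=True):
    """Tear the probe connection down.
    close_with_fin=True  -> orderly shutdown: the peer sees FIN then ACK.
    close_with_fin=False -> SO_LINGER(on, 0 s): close() emits RST instead of FIN,
                            which a stateful firewall may log as a stray non-SYN packet."""
    if close_with_fin:
        sock.shutdown(socket.SHUT_RDWR)
    else:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    sock.close()


def probe_tcp(host, port, timeout=5.0, close_with_fin=True):
    """One health-check cycle: handshake, then close. True if the port answered."""
    sock = tcp_handshake(host, port, timeout)
    if sock is None:
        return False
    close_probe(sock, close_with_fin)
    return True


def observe_probe(close_with_fin):
    """Run one probe against a local listener (constructed stand-in for the real
    service) and return what the server side saw: "fin", "rst" or "timeout"."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    accepted = threading.Event()
    outcome = {}

    def server():
        conn, _ = listener.accept()
        accepted.set()
        conn.settimeout(5.0)
        try:
            # A FIN close yields an empty read (EOF); an RST close raises ECONNRESET.
            outcome["seen"] = "fin" if conn.recv(1) == b"" else "data"
        except ConnectionResetError:
            outcome["seen"] = "rst"
        except socket.timeout:
            outcome["seen"] = "timeout"
        finally:
            conn.close()

    worker = threading.Thread(target=server)
    worker.start()
    sock = tcp_handshake("127.0.0.1", port)
    accepted.wait(5.0)            # make sure the server holds an established socket
    close_probe(sock, close_with_fin)
    worker.join(5.0)
    listener.close()
    return outcome.get("seen", "timeout")


def unused_port():
    """Grab an ephemeral port and release it, giving a port that refuses connections."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    print("FIN close observed as:", observe_probe(True))
    print("RST close observed as:", observe_probe(False))
    print("probe of a closed port:", probe_tcp("127.0.0.1", unused_port()))
```

A keepalive with the FIN option corresponds to the first case: the server reads EOF and its state table records a clean close. The second case is what a stateful inspector tends to flag, because after the reset any late segment for that 4-tuple belongs to no established flow. An ICMP probe is not shown here because, as the reply above notes, it never exercises port 443 at all and so cannot distinguish a live service from a dead one.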