03-31-2010 02:07 PM
Ok I've been looking at this for three days now and I can't seem to fix it. The short story is we use a CSS11503 code 7.02 as a one-armed load balancer for several Proxy servers. Generally speaking, things are working. However, when traffic gets heavy, I start seeing the private addresses from behind the CSS (192.168.5.191 & 192) trying to access the internet without being NATed to (165.199.5.191 & 192). Someone please give me a hint. The basic config is below, cutting out all of the junk.
service ProxyA
  ip address 192.168.5.191
  keepalive type tcp
  keepalive port 8857
  weight 2
  active
service ProxyB
  ip address 192.168.5.192
  keepalive port 8857
  keepalive type tcp
  weight 2
  active
*********************************
owner Proxy
  content ISA
    add service ProxyB
    vip address 165.199.5.193
    add service ProxyA
    flow-timeout-multiplier 225
    advanced-balance sticky-srcip
    balance weightedrr
    active
  content ProxyA
    add service ProxyA
    vip address 165.199.5.191
    flow-timeout-multiplier 225
    active
  content ProxyB
    vip address 165.199.5.192
    add service ProxyB
    flow-timeout-multiplier 225
    active
*****************************************************************
group ProxyA
  add service ProxyA
  vip address 165.199.5.191
  flow-timeout-multiplier 35
  active
group ProxyB
  add service ProxyB
  vip address 165.199.5.192
  flow-timeout-multiplier 35
  active
03-31-2010 06:20 PM
Hi,
Have you tried matching the flow-timeout multiplier of the groups with the timeout that is applied on the content rule in question?
04-01-2010 06:50 AM
They started out the same. I forgot to change some of those rules when I was working on this current problem. In any case, I've updated them all and still see the same results.
In addition, I read a note about the CSS being less efficient as a "one arm" so I connected a second interface and separated "Internal" and "External" CSS interfaces. Don't know that it helped at all. Still getting the 192.168 address flowing out to my PIX. While I was tinkering yesterday, I did notice that by disabling the Group for a proxy server, ALL of his traffic continued to flow into my PIX without NAT. I didn't know that could happen. I figured without a Group assigned to a server, it couldn't pass traffic outside the CSS.
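An added consistency check, not from the thread, that parses CSS-style service/content/group blocks and flags the two conditions raised above: a service that belongs to no group (the reply's point that such traffic leaves un-NATed) and a group whose flow-timeout-multiplier differs from a content rule using the same service. Keywords follow the posted config; the sample block values are constructed, not the poster's full configuration.

```python
import re

# Constructed sample in the CSS11503 CLI style of the thread's config
# (illustrative values only, not the poster's complete configuration).
SAMPLE_CONFIG = """\
service ProxyA
  ip address 192.168.5.191
service ProxyB
  ip address 192.168.5.192
content ISA
  add service ProxyA
  add service ProxyB
  flow-timeout-multiplier 225
content ProxyA
  add service ProxyA
  flow-timeout-multiplier 225
group ProxyA
  add service ProxyA
  flow-timeout-multiplier 35
"""

BLOCK_RE = re.compile(r"^(service|content|group)\s+(\S+)$")

def parse_css(text):
    # Returns {kind: {name: {"services": set(), "timeout": int | None}}}
    blocks = {"service": {}, "content": {}, "group": {}}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = BLOCK_RE.match(line)
        if m:  # start of a new service / content / group block
            cur = blocks[m.group(1)].setdefault(m.group(2), {"services": set(), "timeout": None})
        elif cur and line.startswith("add service "):
            cur["services"].add(line.split()[-1])
        elif cur and line.startswith("flow-timeout-multiplier "):
            cur["timeout"] = int(line.split()[-1])
    return blocks

def audit(text):
    # Findings: services with no source group (outbound traffic would not be
    # NATed) and group/content timeout mismatches for a shared service.
    b = parse_css(text)
    grouped = set().union(*[g["services"] for g in b["group"].values()])
    findings = [f"service {s} is in no group: outbound traffic not NATed"
                for s in b["service"] if s not in grouped]
    for gname, g in b["group"].items():
        for cname, c in b["content"].items():
            if g["services"] & c["services"] and g["timeout"] != c["timeout"]:
                findings.append(f"group {gname} timeout {g['timeout']} != content {cname} timeout {c['timeout']}")
    return findings
```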