03-31-2010 02:07 PM
Ok I've been looking at this for three days now and I can't seem to fix it. The short story is we use a CSS11503 code 7.02 as a one-armed load balancer for several proxy servers. Generally speaking, things are working. However, when traffic gets heavy, I start seeing the private addresses from behind the CSS (192.168.5.191 & 192) trying to access the internet without being NATed to (165.199.5.191 & 192). Someone please give me a hint. The basic config is below, cutting out all of the junk.
service ProxyA
  ip address 192.168.5.191
  keepalive type tcp
  keepalive port 8857
  weight 2
  active
service ProxyB
  ip address 192.168.5.192
  keepalive port 8857
  keepalive type tcp
  weight 2
  active
*********************************
owner Proxy
  content ISA
    add service ProxyB
    vip address 165.199.5.193
    add service ProxyA
    flow-timeout-multiplier 225
    advanced-balance sticky-srcip
    balance weightedrr
    active
  content ProxyA
    add service ProxyA
    vip address 165.199.5.191
    flow-timeout-multiplier 225
    active
  content ProxyB
    vip address 165.199.5.192
    add service ProxyB
    flow-timeout-multiplier 225
    active
*****************************************************************
group ProxyA
  add service ProxyA
  vip address 165.199.5.191
  flow-timeout-multiplier 35
  active
group ProxyB
  add service ProxyB
  vip address 165.199.5.192
  flow-timeout-multiplier 35
  active
03-31-2010 06:20 PM
Hi,
Have you tried matching the flow-timeout multiplier of the groups with the timeout that is applied on the content rule in question?
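A small config audit for the two conditions this thread turns on, written as an added example rather than anything from the thread or from Cisco: a service that is added to a content rule but to no source group has its own outbound connections leave un-NATed, and a group whose flow-timeout-multiplier differs from the content rule's can let the two flows age out of sync. The sample config is constructed in the style of the one posted above, with ProxyB deliberately left out of any group.

```python
import re
# Constructed sample (not the poster's full config): ProxyA's group has a mismatched
# multiplier, ProxyB is in a content rule but has no source group at all.
SAMPLE_CONFIG = """\
content ISA
  add service ProxyA
  add service ProxyB
  vip address 165.199.5.193
  flow-timeout-multiplier 225
content ProxyA
  add service ProxyA
  vip address 165.199.5.191
  flow-timeout-multiplier 225
group ProxyA
  add service ProxyA
  vip address 165.199.5.191
  flow-timeout-multiplier 35
"""
BLOCK_RE = re.compile(r"^(content|group)\s+(\S+)$")
def parse_css(text):
    # {kind: {name: {"services": set of added services, "fto": flow-timeout-multiplier}}}
    blocks = {"content": {}, "group": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = BLOCK_RE.match(line)
        if m:
            current = blocks[m.group(1)].setdefault(m.group(2), {"services": set(), "fto": None})
        elif current is not None and line.startswith("add service "):
            current["services"].add(line.split()[-1])
        elif current is not None and line.startswith("flow-timeout-multiplier "):
            current["fto"] = int(line.split()[-1])
    return blocks
def audit(text):
    # Sorted findings: services with no source group, and group/content multiplier mismatches.
    blocks = parse_css(text)
    grouped = {}  # service -> set of groups that source-NAT its outbound connections
    for gname, g in blocks["group"].items():
        for svc in g["services"]:
            grouped.setdefault(svc, set()).add(gname)
    findings = set()
    for cname, c in blocks["content"].items():
        for svc in c["services"]:
            if svc not in grouped:
                findings.add(f"{svc}: in content {cname} but in no group")
            for gname in grouped.get(svc, ()):
                gfto = blocks["group"][gname]["fto"]
                if gfto != c["fto"]:
                    findings.add(f"{svc}: group {gname} multiplier {gfto} != content {cname} {c['fto']}")
    return sorted(findings)
```

Running `audit(SAMPLE_CONFIG)` reports both the ProxyB gap and the two ProxyA multiplier mismatches; feed it the real `show running-config` output to check a live box.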
04-01-2010 06:50 AM
They started out the same. I forgot to change some of those rules when I was working on this current problem. In any case, I've updated them all and still see the same results.
In addition, I read a note about the CSS being less efficient as a "one arm" so I connected a second interface and separated "Internal" and "External" CSS interfaces. Don't know that it helped at all. Still getting the 192.168 address flowing out to my PIX. While I was tinkering yesterday, I did notice that by disabling the Group for a proxy server, ALL of his traffic continued to flow into my PIX without NAT. I didn't know that could happen. I figured without a Group assigned to a server, it couldn't pass traffic outside the CSS.