02-08-2006 01:57 PM
Hi there,
Any help appreciated on this one.
We have two CSS11503's configured to load balance RADIUS traffic amongst others to two backends (server A and B).
For server A, it receives the AUTH (1812) and ACCT (1813), for server B it receives mostly AUTH and little ACCT.
However the crux of the problem is that when the RESP is sent out to the originating server, the reply comes from the REAL IP address and not the VIP address of the CSS. This causes issues with the firewall and the RESP is blocked.
This was working fine until about 2 days ago, when it stopped working. No config changes have been made and no network design has changed.
Here's a snip of flow trace_ip:
FEB 7 20:23:17 1/1 3062 FLOWMGR-4: UDP in 172.x.x.11:1812->x.x.193.250:1812
FEB 7 20:23:17 1/1 3063 FLOWMGR-4: UDP out 172.x.x.11:1812->x.x.193.2:1812
FEB 7 20:23:17 1/1 3062 FLOWMGR-4: UDP in x.x.193.2:1812->172.x.x.11:1812
FEB 7 20:23:17 1/1 3063 FLOWMGR-4: UDP out x.x.193.2:1812->172.x.x.11:1812
If someone has any ideas of what's going on, it would be really appreciated.
CSS11500 with s/w ver 7.50
Thanks
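A check for the symptom described in the post above, as an added example that is not part of the thread: it scans flow-trace lines in the layout shown and flags outbound replies to a client whose source address is not a VIP. The addresses, the choice of VIP and the function name are constructed for illustration.

```python
import re

# Line layout follows the flow trace quoted in the post; all addresses are constructed.
LINE = re.compile(
    r"FLOWMGR-\d+: (?P<proto>\w+) (?P<dir>in|out) "
    r"(?P<src>[\w.]+):(?P<sport>\d+)->(?P<dst>[\w.]+):(?P<dport>\d+)"
)

def unnatted_replies(lines, vips):
    """Return 'out' records sent to a known client with a non-VIP source."""
    clients = set()   # (ip, port) endpoints seen sending a request to a VIP
    findings = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a flow-manager record
        src = (m["src"], m["sport"])
        dst = (m["dst"], m["dport"])
        if m["dir"] == "in" and m["dst"] in vips:
            clients.add(src)
        elif m["dir"] == "out" and dst in clients and m["src"] not in vips:
            # Reply leaves the load balancer still carrying the real server address.
            findings.append({"client": m["dst"], "leaked_source": m["src"],
                             "line": line.strip()})
    return findings

# Constructed sample: 198.51.100.250 is assumed to be the VIP, 198.51.100.2 a real server.
SAMPLE = """\
FEB 7 20:23:17 1/1 3062 FLOWMGR-4: UDP in 192.0.2.11:1812->198.51.100.250:1812
FEB 7 20:23:17 1/1 3063 FLOWMGR-4: UDP out 192.0.2.11:1812->198.51.100.2:1812
FEB 7 20:23:17 1/1 3062 FLOWMGR-4: UDP in 198.51.100.2:1812->192.0.2.11:1812
FEB 7 20:23:17 1/1 3063 FLOWMGR-4: UDP out 198.51.100.2:1812->192.0.2.11:1812
FEB 7 20:23:18 1/1 3070 FLOWMGR-4: UDP in 192.0.2.12:1813->198.51.100.250:1813
FEB 7 20:23:18 1/1 3071 FLOWMGR-4: UDP out 198.51.100.250:1813->192.0.2.12:1813
""".splitlines()

if __name__ == "__main__":
    for f in unnatted_replies(SAMPLE, {"198.51.100.250"}):
        print(f"reply to {f['client']} sourced from {f['leaked_source']}")
```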
02-08-2006 02:01 PM
Jim,
I do not see your config, so sorry for the stupid question, but do you have a group to NAT the response?
Could you post your config?
Thanks,
Gilles.
02-08-2006 02:16 PM
Hi Gilles,
Wow, fast response. I don't have it as part of a NAT group, however my whole issue is that it was working fine without being in the NAT group, up until recently. Also the LB's are not round-robin load sharing anymore. It's like the CSS has hit some bug. Anyhow, here is my config as an attachment.
Thanks again for your prompt response, Gilles.
James