Hi
We have a Citrix ADC (Netscaler) cluster that sits behind a Cisco ASA cluster. The ADC cluster now has 1 interface for management traffic and 1 interface for user traffic; both interfaces have the ASA as their next-hop. On the ADC, we have over 20 different content switch servers along with 90+ load balance vservers. The ASA has 50 vlan interfaces.
This is a rough diagram
Network --> ASA (DMZ Access interface) --> DMZ server Interfaces (various vlans) --> DMZ server
This is used to route to the DMZ servers, including the ADC LB backend servers.
At present, in normal operations, there are no issues with this configuration, i.e. all ADC services are up and all user access to servers (email, web sites, Webacces) run fine.
However, the issues are when I upgrade the ASA cluster. As soon as I upgrade and the members reboot, the ADC loses connection to many of the backend servers. Some appear to be down permanently and some seem to be intermittent. These servers are also sitting behind the ASA, on different vlans. When looking through logs, I see traffic going from the ADC to the ASA via the ADC LB interface, but the return traffic seems to be coming back via the DMZ Access interface, and it is getting denied with
"Deny TCP (no connection) from 10.x.x.x/2083 to 10.y.y.y/443 flags FIN PSH ACK on interface DC-DMZ-Access"
It looks like some sort of timeout issue but I don't know where this could be. Anyway, why does it all work fine until I upgrade the ASA firmware?
Before the upgrade the ASA is running 9.1. I am trying to upgrade to 9.10 but have also tried upgrading to 9.8. The ADC is on 12.1.55.18. The ADC has been upgraded several times in the past 6 months with no issues. The problems only occur when I try to upgrade the ASA. If I revert back to v9.1, then everything works again. Does 9.10 have different timeout or connection settings compared to 9.1?
This is a strange issue and I'm pulling my hair out trying to understand why it is happening and how to fix it. Any ideas would be greatly appreciated.
Thanks
Roy
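A triage script for the kind of deny line quoted in the post, added here as an example and not part of Roy's post or of any Cisco or Citrix tooling. "Deny TCP (no connection)" is the text of ASA syslog message 106015, which the ASA emits when a non-SYN TCP packet arrives for which it holds no connection entry; after a cluster member reboots, or when a flow's return path hits a different interface than its forward path, that is exactly what shows up. The script parses those lines, separates denies that hit live sessions (no FIN/RST) from end-of-session stragglers, and lists backend servers whose stateless packets were denied on more than one interface. All sample log lines, addresses, ports and interface names below are constructed placeholders, not the poster's real logs.

```python
import re
from collections import Counter, defaultdict

# Body of the ASA "Deny TCP (no connection)" message (syslog ID 106015);
# the pattern follows the shape of the line quoted in the post.
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>\S+)"
)

# Constructed sample syslog lines (placeholder addresses and interface names,
# not taken from the poster's environment).
SAMPLE_LOGS = [
    "%ASA-6-106015: Deny TCP (no connection) from 10.0.1.10/2083 to 10.0.2.20/443 flags FIN PSH ACK on interface DC-DMZ-Access",
    "%ASA-6-106015: Deny TCP (no connection) from 10.0.1.10/2091 to 10.0.2.20/443 flags ACK on interface DC-DMZ-Access",
    "%ASA-6-106015: Deny TCP (no connection) from 10.0.1.10/2100 to 10.0.2.21/443 flags PSH ACK on interface DC-DMZ-Access",
    "%ASA-6-106015: Deny TCP (no connection) from 10.0.1.10/2111 to 10.0.2.22/25 flags RST ACK on interface DC-DMZ-Access",
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/40000 dst dmz:10.0.2.20/443 by access-group "outside_in"',
    "%ASA-6-106015: Deny TCP (no connection) from 10.0.1.10/2120 to 10.0.2.20/443 flags FIN ACK on interface LB-Users",
]


def parse_deny(line):
    """Return a dict for a 106015 line, or None for any other message (e.g. ACL denies)."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = frozenset(rec["flags"].split())
    return rec


def is_teardown(rec):
    """FIN or RST packets are sessions closing; a deny here is usually a straggler
    whose connection entry already expired. Anything else is data or ACKs of a
    session the client still considers open, so those denies break applications."""
    return bool(rec["flags"] & {"FIN", "RST"})


def summarize(lines):
    """Count denies per (ingress interface, server, port), split live vs. teardown."""
    summary = {"live": Counter(), "teardown": Counter()}
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            continue
        key = (rec["iface"], rec["dst"], rec["dport"])
        bucket = "teardown" if is_teardown(rec) else "live"
        summary[bucket][key] += 1
    return summary


def servers_on_multiple_interfaces(summary):
    """Servers whose stateless packets were denied on more than one ASA interface:
    a sign that flows to the same server are taking different paths."""
    seen = defaultdict(set)
    for bucket in summary.values():
        for (iface, dst, _port) in bucket:
            seen[dst].add(iface)
    return {dst: sorted(ifaces) for dst, ifaces in seen.items() if len(ifaces) > 1}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOGS)
    for bucket in ("live", "teardown"):
        print(f"{bucket} denies (interface, server, port):")
        for (iface, dst, port), n in s[bucket].most_common():
            print(f"  {iface:16} {dst}:{port}  x{n}")
    print("servers denied on more than one interface:", servers_on_multiple_interfaces(s))
```

Run it against a syslog export instead of `SAMPLE_LOGS` by reading the file into a list of lines; the "live" bucket is the one to compare before and after an ASA upgrade, and any server that lands in `servers_on_multiple_interfaces` is a good first candidate for checking routes and connection state on both ASA cluster members.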