11-18-2020 08:53 AM
Currently have a Cisco ASA 5505, Cisco Adaptive Security Appliance Software Version 9.2(4)25
I have an object for a backend server pointed to the internal private IP of the server
Server is an Ubuntu 20.04 running the latest HAproxy service. Load balancing 2 sites to 2 different backend hosts
1 nat statement natting external to internal object with an allow for 80 and 443 only
Issue:
The traffic hits external, is natted to internal, and the traffic is passed and allowed
I then see the traffic come back to the ASA and all works as expected.
After an indeterminate amount of time, the ASA inbound traffic sent to the inside host starts showing a 0 TCP Reset-O and a following duration 0:00:30 bytes 0 SYN timeout
If we restart the host server the traffic seems to pass with zero issues for a while and then does it again.
I have looked into setting the host keepalives. This does not seem to help the problem any.
We have pointed the same nat to a Mac with haproxy running and it exhibited no issues.
We have tried CentOS, Ubuntu 20.04, 18.04 and they all seem to exhibit this issue.
Our Nat to windows on 80 and 443 seem to work just fine with zero issues.
Wondering if anyone has seen this issue before
Thank you for any input anyone could provide
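As an added example (not posted in this thread), a small Python script that parses ASA %ASA-6-302014 "Teardown TCP connection" syslog messages and counts the zero-byte SYN Timeout / TCP Reset-O teardowns per inside host, so the point at which the backend stops answering can be seen from the ASA logs rather than noticed by users; the log lines below are constructed samples, not real ones.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread), in the format of the
# ASA %ASA-6-302014 "Teardown TCP connection" message; the inside address may
# carry the NAT-mapped address in parentheses.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/51234 to inside:10.0.0.5/443 (203.0.113.50/443) duration 0:00:12 bytes 8421 TCP FINs
%ASA-6-302014: Teardown TCP connection 1002 for outside:198.51.100.7/51240 to inside:10.0.0.5/443 (203.0.113.50/443) duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1003 for outside:203.0.113.9/40001 to inside:10.0.0.5/80 (203.0.113.50/80) duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 1004 for outside:203.0.113.9/40002 to inside:10.0.0.5/80 (203.0.113.50/80) duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 1005 for outside:198.51.100.8/52000 to inside:10.0.0.9/443 duration 0:01:05 bytes 15000 TCP FINs
"""

TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn_id>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)(?: \([\d.]+/\d+\))? to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)(?: \([\d.]+/\d+\))? "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

# The two teardown reasons the thread reports once the backend stops answering.
SUSPECT_REASONS = {"SYN Timeout", "TCP Reset-O"}


def parse_teardowns(text):
    """Yield one dict per 302014 line; other lines are ignored."""
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec


def suspect_counts_by_inside_host(text):
    """Map inside host -> (suspect teardowns, total teardowns).

    A backend that has gone deaf shows up as a rising share of
    zero-byte SYN Timeout / Reset-O teardowns toward its inside address.
    """
    counts = defaultdict(lambda: [0, 0])
    for rec in parse_teardowns(text):
        if rec["dst_if"] != "inside":
            continue
        counts[rec["dst"]][1] += 1
        if rec["reason"] in SUSPECT_REASONS and rec["bytes"] == 0:
            counts[rec["dst"]][0] += 1
    return {host: tuple(c) for host, c in counts.items()}


if __name__ == "__main__":
    for host, (bad, total) in suspect_counts_by_inside_host(SAMPLE_LOG).items():
        print(f"{host}: {bad}/{total} zero-byte SYN Timeout / Reset-O teardowns")
```

Feed it the ASA syslog export for the NAT'd host and watch when the suspect share jumps; comparing that timestamp against HAProxy and kernel logs on the backend narrows down whether the Linux host or the ASA stopped the conversation.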
11-18-2020 11:53 AM
May sound like some proxy-arp issue, maybe, since we do not know how your reverse proxy (haproxy) is configured.
Try no proxy-arp and see if that resolves it.
example :
11-19-2020 09:28 AM
We will test that and see what happens.
11-20-2020 10:46 AM
OK so it looks like I had the no proxy-arp on the object not on the NAT.
I removed the no proxy-arp on the object and added it to the NAT rule.
It appears the same issue exists and once I reset the TCP stack on the linux machine everything works for a while. No set time.
Just as an FYI working on this issue we did set the keepalive on the linux system
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 10
11-20-2020 04:05 PM
Linux HAproxy tweaking is also required, as you have done now; by doing that, is it resolved?
11-23-2020 11:44 AM - edited 11-23-2020 11:45 AM
I am not aware of any haproxy tweaking needed. Can you point me to a link or some documentation that would help me with those tweaks needed ?
These are the only tweaks we have made to the linux OS
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 10