05-06-2024 05:42 PM
Hi, is anyone using Radware as a load balancer for WSA? Do we need to change anything on the WSA side? We have given the Radware LB VIP in the proxy settings of users, but the request is not reaching the WSA. Is any guide available for the configuration?
05-07-2024 12:03 AM
Check some guidelines and discussion:
https://community.cisco.com/t5/web-security/cisco-wsa-traffic-flow-with-load-balancer/m-p/4929981
05-07-2024 03:38 AM
Hello @DK9
Thanks for reaching out.
While using a load balancer, you need to consider:
[1] Network traffic flow (send and receive)
[2] Authentication (kindly check the section "Creating an Active Directory Realm for Kerberos Authentication Scheme" in the user guide): https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa-15-0/user-guide/wsa-userguide-15-0.pdf
[3] WSA to 3rd party services (DNS, Active Directory, NTP ...) network flow.
Regarding "... vip in the proxy settings of users but request is not reaching WSA": I would say please collect a PCAP from the WSA and check whether the SYN packet is reaching the WSA or not. Or it could be that the WSA gets the SYN and sends the SYN/ACK, but it never reaches the client.
Then you can isolate the problem by following the network traffic and PCAPs.
Regards,
Amirhossein Mojarrad
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
05-07-2024 05:27 AM
Hi @amojarra, we have received the SYN, but the ACK is not reaching the client; that's the issue.
05-07-2024 05:29 AM
The SYN is received by the WSA and the WSA is sending the ACK, but it is not reaching the client and it's retransmitting.
05-07-2024 01:00 PM
Thanks @DK9
You need to check the DST_MAC address of the SYN-ACK packet (most probably it will be the WSA's gateway to the client, or maybe your LB),
then start a PCAP from there to see whether it is sending it to the client or not. If not, then you need to review the configuration of that device.
Regards,
Amirhossein Mojarrad
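The check discussed in the replies above (did the SYN arrive, where is the SYN-ACK being sent, is it retransmitted) can be run over a capture offline. The following is an added example, not part of any post in this thread: it parses a classic little-endian Ethernet pcap with only the standard library and flags flows whose SYN-ACK goes to a different next-hop MAC than the one that delivered the SYN. The addresses, MACs, port 3128 and all function names are constructed for illustration.

```python
import struct

def frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data, checksums 0)."""
    eth = bytes.fromhex(dst_mac + src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return eth + ip + tcp

def pcap(frames):
    """Wrap frames in a classic little-endian pcap file, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def synack_return_path(data):
    """Per client flow: who delivered the SYN, where the SYN-ACK was sent, how often."""
    flows, off = {}, 24                              # skip 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<I", data, off + 8)[0]
        pkt, off = data[off + 16: off + 16 + caplen], off + 16 + caplen
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                                 # only Ethernet + IPv4 + TCP
        ihl = (pkt[14] & 0x0F) * 4
        src, dst = pkt[26:30], pkt[30:34]
        sport, dport = struct.unpack_from("!HH", pkt, 14 + ihl)
        flags = pkt[14 + ihl + 13] & 0x12            # keep only SYN and ACK bits
        if flags == 0x02:                            # SYN: client -> proxy
            f = flows.setdefault((src, sport, dst, dport),
                                 {"syn_src_mac": None, "synack_dst_mac": None, "synack_count": 0})
            f["syn_src_mac"] = pkt[6:12].hex()
        elif flags == 0x12:                          # SYN-ACK: proxy -> client
            f = flows.get((dst, dport, src, sport))
            if f:
                f["synack_dst_mac"] = pkt[0:6].hex()
                f["synack_count"] += 1
    for f in flows.values():
        f["asymmetric"] = f["synack_dst_mac"] not in (None, f["syn_src_mac"])
        f["retransmitting"] = f["synack_count"] > 1
    return list(flows.values())

# Constructed capture: SYN arrives via the LB, SYN-ACK leaves via another gateway, 3 times.
LB, GW, WSA = "02000000000a", "02000000000b", "0200000000ff"
SAMPLE = pcap([frame(WSA, LB, "10.1.1.50", "10.2.2.10", 40000, 3128, 0x02)] +
              [frame(GW, WSA, "10.2.2.10", "10.1.1.50", 3128, 40000, 0x12)] * 3)
```

A flow reported with `asymmetric` and `retransmitting` both true matches the symptom described in this thread: the reply leaves the proxy toward a different device than the one the request came through, so the next capture point is that device.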
05-08-2024 09:31 AM
Yes, we are checking the destination MAC address device. Meanwhile, which is the better method to configure in the LB: round robin or least connection?
05-08-2024 11:29 AM
That depends on your web traffic behavior. I mean, some servers use too much bandwidth, and some users have too many requests.
I would say it is best to monitor and adjust.
Regards,
Amirhossein Mojarrad
05-09-2024 01:46 AM
Do we need to add any specific route in WSA if a load balancer is used?
05-09-2024 07:29 AM
Issue resolved: changed the routing in Radware and added one route in WSA.
Thanks for the support.