CSS Citrix Nfuse Connections Drop

Answered Question
Feb 12th, 2007

We are using a CSS-11501 version 7.5 to load balance SSL connections to a pair of Citrix Web Interface servers. The CSS is connected to a DMZ interface of an ASA5520 on one side, and a 3550 with the web interface servers on the other side. Citrix app servers are in the internal network.

The problem is that users are dropped after 45-75 minutes. If the load balancer is bypassed by suspending the service and connecting to the server IP, the drops stop occurring. Sniffer traces indicate it is the Citrix 1494 connection between the Web server and the internal Citrix server that is being dropped.

Tried extending TCP flow and sticky timeouts, but no change.

Is it possible to disable the NAT function on the 1494 backend connection and still allow load balancing of the 443 client connection?

Thanks, Dave

andreas.larsen@... Tue, 02/13/2007 - 00:07

You will do a port translation, so however you do it you will be "translating". Have you tried upgrading to a newer version? 8.X is out. Not sure it will have a fix for it, but it might well be worth a try.

RR if you find it useful.

Correct Answer
Gilles Dufour Tue, 02/13/2007 - 02:24

Where and how did you apply the flow-timeout-multiplier?

You need it under the content rule and under the group.

You can apply NATing to a specific port by using an ACL.

Instead of doing an 'add destination service' under the group, you leave it empty [except for the VIP] and use an ACL to decide when to use the group.

i.e.:

acl 1

clause 10 permit tcp any destination content owner/rule sourcegroup

Gilles.
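
A sketch of the layout described in the answer above, added here as an example and not taken from the thread or from Cisco documentation. The owner, rule, group and service names, the addresses, the circuit name and the multiplier value are all hypothetical placeholders. The CSS multiplies flow-timeout-multiplier by 16 to get the idle timeout in seconds.

```text
! Constructed example: every name, address and value below is a placeholder.
service wi1
  ip address 192.168.10.11
  protocol tcp
  port 443
  active

owner citrix
  content wi-ssl
    vip address 192.168.10.100
    protocol tcp
    port 443
    add service wi1
    ! 450 x 16 s = 7200 s idle timeout on the client-side flow
    flow-timeout-multiplier 450
    active

! Source group with no 'add destination service': it is only used
! when an ACL clause selects it.
group wi-nat
  vip address 192.168.10.100
  ! Same timeout on the group, so the NATed flow does not age out first
  flow-timeout-multiplier 450
  active

acl 1
  ! Flows that hit the content rule are NATed through the source group
  clause 10 permit tcp any destination content citrix/wi-ssl sourcegroup wi-nat
  ! With ACLs enabled, traffic no clause permits is dropped, so pass the rest
  clause 99 permit any any destination any
  apply circuit-(VLAN1)

acl enable
```

Because enabling ACLs changes the default handling of all traffic on the box, check that every circuit carrying traffic has an ACL with a suitable permit clause applied before entering `acl enable`.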

dgahm Tue, 02/13/2007 - 14:11

Gilles,

Thanks, I did not apply the multiplier to both. Will try that and the ACL.

Dave
