03-14-2007 07:23 AM
The public interface of my content switch is mapped to a VLAN with public addresses. My servers are on a different VLAN with a private address schema. On the VLAN where I define my VIP addresses I also have an intrusion detection system installed. We often see packets on the sniffer that have a private address; this should not be happening. The content switch should only forward packets with an IP equal to the VIP and not the actual IP of the server.
It looks like the content switch often doesn't do NAT to the VIP address.
Can anybody help me with the problem?
03-14-2007 07:56 AM
The packet that you see is most probably a FIN.
When the client closes the connection, the CSS keeps it open a few more seconds to allow the FIN from the server to go through NATed.
But if the FIN comes later, it will be forwarded un-NATed.
This is well known.
There is no way to prevent this.
Gilles.
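Since the behaviour described above cannot be switched off, the practical follow-up for the IDS operator is to separate the expected case (a late FIN from a real-server address leaking onto the VIP VLAN) from anything that would indicate a genuine NAT or VLAN problem (a SYN or data segment carrying a private source address). The script below is an added example, not from this thread or from Cisco; it parses tcpdump-style sniffer lines and classifies every packet whose source is an RFC 1918 address. The sample lines, the addresses in them and the function names are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample sniffer output in tcpdump style (not real captures).
# 198.51.100.20 plays the role of the public VIP, 10.x/192.168.x the real servers.
SAMPLE_LINES = """\
10:15:01.123 IP 198.51.100.20.80 > 203.0.113.5.51234: Flags [P.], seq 1:100, ack 1, length 99
10:15:01.200 IP 10.1.2.10.80 > 203.0.113.5.51234: Flags [F.], seq 100, ack 2, length 0
10:15:02.000 IP 10.1.2.11.443 > 203.0.113.7.40000: Flags [P.], seq 1:50, ack 1, length 49
10:15:03.500 IP 192.168.5.9.80 > 203.0.113.9.42000: Flags [F.], seq 77, ack 1, length 0
"""

# Only the RFC 1918 ranges count as "private server address" here; the
# ipaddress module's is_private would also flag documentation ranges such as
# 198.51.100.0/24, which are used as stand-in public addresses in the sample.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    flags: str
    kind: str  # "late-fin" (expected CSS behaviour) or "unexpected"


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify_flags(flags: str) -> str:
    """tcpdump flag letters: S=SYN, F=FIN, P=PSH, R=RST, '.'=ACK.

    A bare FIN (optionally with ACK) from a private source matches the
    late-FIN case; anything carrying SYN, PSH or RST is not explained by it.
    """
    if "F" in flags and not any(f in flags for f in "SPR"):
        return "late-fin"
    return "unexpected"


def find_unnated(lines: str) -> list:
    """Return a Finding for every parsed packet whose source is RFC 1918."""
    findings = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_rfc1918(m["src"]):
            continue
        findings.append(
            Finding(m["ts"], m["src"], m["dst"], m["flags"], classify_flags(m["flags"]))
        )
    return findings


def summarize(findings: list) -> dict:
    """Count findings per kind; a non-zero 'unexpected' count deserves a look."""
    counts = {"late-fin": 0, "unexpected": 0}
    for f in findings:
        counts[f.kind] += 1
    return counts


if __name__ == "__main__":
    found = find_unnated(SAMPLE_LINES)
    for f in found:
        print(f"{f.ts} {f.src} -> {f.dst} [{f.flags}] {f.kind}")
    print(summarize(found))
```

On the sample input this reports two late FINs, which match the behaviour described in the thread, and one PSH segment from 10.1.2.11, which it does not; only the latter would justify a change request or a closer look at the VLAN and NAT configuration. Feeding real `tcpdump -n` output to `find_unnated` works as long as the lines keep the default single-line `Flags [..]` format.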
03-14-2007 08:29 AM
Thank you Gilles, is there any official documentation on this? You are right when you say it is always a FIN.
Kind regards,
Frederik
03-14-2007 09:24 AM
Frederik,
I do not know if this was documented or not.
It might be but I do not have a link.
Gilles.