CSS leaks un-NATed IP address to outside.

Unanswered Question
Mar 11th, 2008

We have a CSS 11501 which does the load balancing and SSL proxying for a mail cluster. Mail servers behind the CSS need to originate traffic to the outside through different TCP and UDP ports. We set up a source group which NATs the private IP addresses to a public IP for outbound connections. It worked fine for years until yesterday. Some applications broke. The sniffer at the outside server saw the private IP addresses from the mail servers. This is only for UDP packets. TCP looks OK. Rebooting the CSS didn't fix the problem. As a workaround, we have to route UDP packets to a second interface which doesn't go through the CSS. Does anyone know why the CSS leaks un-NATed IP addresses to the outside?


Thanks

Haiying

Gilles Dufour Wed, 03/12/2008 - 08:30
Cisco Employee

If it worked for years and a reboot didn't fix the issue, then the config must have changed.

I'd like to see it, and know the source/destination IP/ports of the traffic that you see un-NATed.


Gilles.

haiyingwei Wed, 03/12/2008 - 09:19

Gilles,


Thanks for your reply! We haven't changed anything, as far as I know. We had a problem with UDP packets before. When the backend servers tried to connect to outside DNS servers through UDP 53, we saw packet drops. We rerouted the DNS traffic to bypass the CSS.


This time the backend email servers initiate connections to an external authentication server through UDP 989. This application worked for years until Monday. The external server is on the public network, 128.143.2.x subnet. The backend servers are on the private network, 192.168.1.x subnet. The backend servers' default gateway points to the CSS. Sniffing at the external servers, we saw UDP 989 traffic from the backend nodes with the private IP 192.168.1.x. We have a source group configured for outbound traffic. I am including some of our example configuration.


Our CSS runs 7.40.2.02. I am thinking of upgrading to 8.20.2.01.


!************************** SERVICE **************************

service guppy
  ip address 192.168.1.x
  redundant-index 211
  keepalive type none
  active

service neon
  ip address 192.168.1.x
  redundant-index 210
  keepalive type none
  active

service tetra
  ip address 192.168.1.x
  redundant-index 212
  keepalive type none
  active

!*************************** GROUP ***************************

group tetra
  add service tetra
  vip address 128.143.2.x
  redundant-index 242
  active

group neon
  add service neon
  vip address 128.143.2.x
  redundant-index 240
  active

group guppy
  vip address 128.143.2.x
  redundant-index 241
  add service guppy
  active



Haiying
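The symptom described in both posts above (server-originated UDP arriving at the public-side server with its 192.168.1.x source address intact, while TCP shows the VIP) is easy to confirm or rule out from the external sniffer alone. The following is an added example, not code from the thread or from Cisco: it parses tcpdump-style capture lines and reports any packet delivered to the public subnet whose source address is private, grouped by protocol and destination port. The capture lines, the 128.143.2.0/24 mask and the host octets are constructed for the example; the sniffer format, the port 989 and the two subnets follow the thread.

```python
"""Flag packets seen on the public side that carry a private (RFC 1918) source.

Added example for the CSS un-NATed UDP thread; not part of the original posts.
Input is tcpdump's default IPv4 line format as captured on the external server.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample capture (not from the thread). Subnets follow the post;
# host octets, ports other than 989, and timestamps are made up.
SAMPLE_CAPTURE = """\
10:01:02.000001 IP 128.143.2.40.41002 > 128.143.2.20.25: Flags [S], seq 1, win 65535, length 0
10:01:02.000345 IP 192.168.1.15.52140 > 128.143.2.20.989: UDP, length 64
10:01:02.001002 IP 192.168.1.16.52141 > 128.143.2.20.989: UDP, length 64
10:01:02.002000 IP 128.143.2.41.41003 > 128.143.2.20.443: Flags [S], seq 2, win 65535, length 0
10:01:02.003000 IP 128.143.2.40.41004 > 128.143.2.20.53: UDP, length 40
"""

# tcpdump IPv4 line: "<ts> IP <src>.<sport> > <dst>.<dport>: <protocol-specific text>"
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)"
)


def parse_line(line):
    """Return (src, sport, dst, dport, proto) for one tcpdump line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    # tcpdump prints "UDP, length N" for UDP and "Flags [...]" for TCP segments.
    if rest.startswith("UDP"):
        proto = "UDP"
    elif rest.startswith("Flags"):
        proto = "TCP"
    else:
        proto = "OTHER"
    return (m.group("src"), int(m.group("sport")),
            m.group("dst"), int(m.group("dport")), proto)


def find_leaks(capture_text, public_net):
    """Return packets delivered into public_net whose source address is private.

    Only packets *to* the public subnet are considered, so the sniffer's own
    outbound replies do not count; a private source there means the packet
    left the NAT device untranslated.
    """
    net = ipaddress.ip_network(public_net)
    leaks = []
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, _sport, dst, _dport, _proto = pkt
        if ipaddress.ip_address(dst) in net and ipaddress.ip_address(src).is_private:
            leaks.append(pkt)
    return leaks


def summarize(leaks):
    """Count leaked packets per (proto, dport): shows which flows bypass the NAT."""
    return Counter((proto, dport) for _, _, _, dport, proto in leaks)


if __name__ == "__main__":
    found = find_leaks(SAMPLE_CAPTURE, "128.143.2.0/24")
    for src, sport, dst, dport, proto in found:
        print(f"LEAK {proto} {src}:{sport} -> {dst}:{dport}")
    print(dict(summarize(found)))
```

Run against a real `tcpdump -n` capture from the external host, a non-empty summary keyed only by UDP ports (here `{('UDP', 989): 2}`) reproduces the thread's observation: the TCP sessions appear from the VIP, the UDP datagrams from the backend's private address, which is exactly the per-protocol split to take to the load balancer's source-group and flow configuration.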
