CSS leak un-natted ip address to outside.

haiyingwei
Level 1

We have a CSS11501 which does the load balancing and SSL proxying for a mail cluster. Mail servers behind the CSS need to originate traffic to the outside through different TCP and UDP ports. We set up a source group which NATs the private IP address to a public IP for outbound connections. It worked fine for years until yesterday. Some applications broke. The sniffer at the outside server saw the private IP address from the mail servers. This is only for UDP packets. The TCP looks ok. Rebooting the CSS didn't fix the problem. As a workaround, we have to route UDP packets to a second interface which doesn't go through the CSS. Does anyone know why the CSS leaks un-NATted IP addresses to the outside?

Thanks

Haiying


Gilles Dufour
Cisco Employee

If it worked for years and a reboot didn't fix the issue, then the config must have changed.

I'd like to see it, and also the source/destination IP/ports of the traffic that you see un-NATted.

Gilles.

Gilles;

Thanks for your reply! We haven't changed anything as far as I know. We had a problem with UDP packets before. When backend servers tried to connect to outside DNS servers through UDP 53, we saw packet drops. We rerouted DNS traffic to bypass the CSS.

This time the backend email servers initiate connections to an external authentication server through UDP 989. This application worked for years until Monday. The external server is on the public network 128.143.2.x subnet. The backend servers are on the private network 192.168.1.x subnet. The backend servers' default gateway points to the CSS. Sniffing at the external servers, we saw UDP 989 traffic from the backend nodes with private IP 192.168.1.x. We have a source group configured for outbound traffic. I am including some of our example configuration.

Our CSS runs 7.40.2.02. I am thinking of upgrading to 8.20.2.01.

!************************** SERVICE **************************
service guppy
  ip address 192.168.1.x
  redundant-index 211
  keepalive type none
  active

service neon
  ip address 192.168.1.x
  redundant-index 210
  keepalive type none
  active

service tetra
  ip address 192.168.1.x
  redundant-index 212
  keepalive type none
  active

!*************************** GROUP ***************************
group tetra
  add service tetra
  vip address 128.143.2.x
  redundant-index 242
  active

group neon
  add service neon
  vip address 128.143.2.x
  redundant-index 240
  active

group guppy
  vip address 128.143.2.x
  redundant-index 241
  add service guppy
  active

Haiying
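One way to confirm this symptom from the outside-side sniffer trace, as an added example that is not part of the thread: a small Python script that parses tcpdump summary lines (a constructed sample, not the poster's capture) and flags any packet carrying an RFC 1918 address on the public 128.143.2.x segment, counted per protocol and service port. A private source means the packet left the CSS without source NAT; a private destination means a reply is being sent to an unroutable address.

```python
import ipaddress
import re
from collections import Counter

# Constructed tcpdump-style lines standing in for a trace taken on the outside
# (128.143.2.x) segment; these are illustrative, not a real capture.
SAMPLE_CAPTURE = """\
10:01:02.100000 IP 128.143.2.10.51000 > 128.143.2.60.25: Flags [S], seq 1, win 65535, length 0
10:01:02.200000 IP 192.168.1.21.40124 > 128.143.2.50.989: UDP, length 64
10:01:02.300000 IP 128.143.2.10.51001 > 128.143.2.60.443: Flags [S], seq 2, win 65535, length 0
10:01:02.400000 IP 192.168.1.22.40125 > 128.143.2.50.989: UDP, length 72
10:01:02.500000 IP 128.143.2.50.989 > 192.168.1.21.40124: UDP, length 40
"""

# "<timestamp> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Parse one tcpdump summary line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m.group("src")),
        "sport": int(m.group("sport")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "dport": int(m.group("dport")),
        "proto": "udp" if m.group("rest").startswith("UDP") else "tcp",
    }


def find_leaks(capture_text):
    """Return packets seen on the outside segment that carry an RFC 1918 address."""
    leaks = []
    for pkt in filter(None, map(parse_line, capture_text.splitlines())):
        if pkt["src"].is_private:
            leaks.append({**pkt, "direction": "outbound-unnatted"})
        elif pkt["dst"].is_private:
            leaks.append({**pkt, "direction": "reply-to-private"})
    return leaks


def summarize(leaks):
    """Count leaks per protocol and service port, e.g. {'udp/989': 3}."""
    return Counter(
        f"{p['proto']}/{p['dport'] if p['direction'] == 'outbound-unnatted' else p['sport']}"
        for p in leaks
    )
```

Run against a real trace with `tcpdump -n -i <outside-if> not src net 128.143.2.0/24` to narrow the input to suspect packets first; a non-empty summary for only UDP ports matches the behaviour described in the thread.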

Check the flow-state nat-enable setting for DNS UDP 53; use the 'show flow-state-table' command to check whether NAT is disabled.

For detailed information, refer to the following web link:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/configuration/content_lb/guide/flow.html#wp1038255