03-11-2008 12:24 PM
We have a CSS11501 which does the load balancing and SSL proxying for a mail cluster. Mail servers behind the CSS need to originate traffic to the outside through different TCP and UDP ports. We set up a source group which NATs the private IP addresses to a public IP for outbound connections. It worked fine for years until yesterday. Some applications broke. A sniffer at the outside server saw the private IP addresses from the mail servers. This is only for UDP packets; the TCP looks OK. Rebooting the CSS didn't fix the problem. As a workaround, we have to route the UDP packets to a second interface which doesn't go through the CSS. Does anyone know why the CSS leaks un-NATed IP addresses to the outside?
Thanks
Haiying
03-12-2008 08:30 AM
If it worked for years and a reboot didn't fix the issue, then the config must have changed.
I'd like to see it, and also the source/destination IPs/ports of the traffic that you see un-NATed.
Gilles.
03-12-2008 09:19 AM
Gilles;
Thanks for your reply! We haven't changed anything, as far as I know. We had a problem with UDP packets before. When backend servers tried to connect to outside DNS servers through UDP 53, we saw packet drops. We rerouted the DNS traffic to bypass the CSS.
This time the backend email servers initiate connections to an external authentication server through UDP 989. This application worked for years until Monday. The external server is on the public network, 128.143.2.x subnet. The backend servers are on the private network, 192.168.1.x subnet. The backend servers' default gateway points to the CSS. Sniffing at the external servers, we saw UDP 989 traffic from the backend nodes with private IPs 192.168.1.x. We have a source group configured for outbound traffic. I am including some of our example configuration.
Our CSS runs 7.40.2.02. I am thinking of upgrading to 8.20.2.01.
!************************** SERVICE **************************
service guppy
ip address 192.168.1.x
redundant-index 211
keepalive type none
active
service neon
ip address 192.168.1.x
redundant-index 210
keepalive type none
active
service tetra
ip address 192.168.1.x
redundant-index 212
keepalive type none
active
!*************************** GROUP ***************************
group tetra
add service tetra
vip address 128.143.2.x
redundant-index 242
active
group neon
add service neon
vip address 128.143.2.x
redundant-index 240
active
group guppy
vip address 128.143.2.x
redundant-index 241
add service guppy
active
Haiying
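The symptom described above (private 192.168.1.x source addresses showing up on the public side, but only for UDP) is easy to confirm or rule out from a capture taken on the outside interface. The following is an added example, not part of the original thread and not Cisco code: it parses tcpdump-style lines (the sample capture below is constructed to mirror the thread, with NATed TCP and un-NATed UDP 989 and UDP 53) and reports every packet whose source is still an RFC 1918 address, grouped by protocol and destination port, so you can tell at a glance which ports are escaping the source-group NAT. The line format it expects is an assumption about how the sniffer prints packets; adjust LINE_RE for your tool.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample capture from the OUTSIDE (public-side) interface.
# Every packet from the mail servers should carry the source group's
# public address (128.143.2.10 here); a 192.168.1.x source is a NAT leak.
SAMPLE_CAPTURE = """\
12:01:02.100 IP 128.143.2.10.40001 > 128.143.2.50.25: Flags [S], seq 1, length 0
12:01:02.110 IP 192.168.1.21.39000 > 128.143.2.77.989: UDP, length 64
12:01:02.120 IP 128.143.2.10.40002 > 128.143.2.77.989: UDP, length 64
12:01:02.130 IP 192.168.1.22.51000 > 128.143.2.53.53: UDP, length 48
12:01:02.140 IP 128.143.2.10.40003 > 128.143.2.50.443: Flags [S], seq 2, length 0
12:01:02.150 IP 192.168.1.23.39001 > 128.143.2.77.989: UDP, length 64
12:01:02.160 IP 128.143.2.10.40004 > 128.143.2.50.25: Flags [S], seq 3, length 0
"""

# RFC 1918 ranges; anything from these seen on the public side is un-NATed.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed tcpdump-style line layout: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Parse one capture line into a dict, or None if it is not a packet line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # tcpdump prints "UDP, length N" for UDP; TCP lines start with "Flags [...]".
    proto = "udp" if m["rest"].startswith("UDP") else "tcp"
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "proto": proto,
    }


def is_private(addr):
    """True if addr falls in an RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def find_nat_leaks(capture_text):
    """Return (src, proto, dport) for every packet leaving with a private source."""
    leaks = []
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt and is_private(pkt["src"]):
            leaks.append((pkt["src"], pkt["proto"], pkt["dport"]))
    return leaks


def leak_summary(capture_text):
    """Count leaks per (proto, dport): shows whether the leak is UDP-only and on which ports."""
    return Counter((proto, dport) for _, proto, dport in find_nat_leaks(capture_text))


def leaking_protocols(capture_text):
    """Set of protocols with at least one un-NATed packet."""
    return {proto for _, proto, _ in find_nat_leaks(capture_text)}


if __name__ == "__main__":
    for (proto, dport), n in sorted(leak_summary(SAMPLE_CAPTURE).items()):
        print(f"{proto}/{dport}: {n} un-NATed packet(s)")
    print("protocols leaking:", sorted(leaking_protocols(SAMPLE_CAPTURE)))
```

Run it against a real capture by reading the file into `find_nat_leaks`. If the leaking ports line up with entries in the CSS flow-state table (the reply below points there), that table's per-port nat-enable/nat-disable setting is the first thing to compare between the working and broken ports.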
11-13-2008 07:53 PM
Check the flow-state nat-enable setting for DNS UDP 53; use the 'show flow-state-table' command to check whether NAT is disabled.
For detailed information, refer to the following web link: