CSS11503 NAT failure causing spoofing

Jun 26th, 2008
We have a couple of 11503 set in an active-backup configuration with fate sharing.

They run NAT successfully, changing the web caches' IPs (behind the CSSs) into the CSS redundant VIP when sending responses back to the clients, but sometimes, following a burst pattern, we get many packets discarded as spoofing in the firewall between the CSSs and the clients.

The traffic discarded is all HTTP sent to 8080 and 80 TCP ports.

We rebooted both CSSs a couple of days ago with no change.

We are a bit new to the CSS, so how could we troubleshoot this behavior?

Thank you in advance


Gilles Dufour (Cisco Employee) Thu, 06/26/2008 - 07:19

This is probably because the flows timed out and the CSS has no flow entry to NAT the next packet from the server.

Add a 'flow-timeout-multiplier 50' to all your content rules to reduce the chance for a flow to time out.
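As an added illustration (not part of the original reply), this is what the suggested change looks like in a CSS content rule for the two affected ports; the owner, content rule and service names and the VIP are constructed placeholders, and only 'flow-timeout-multiplier 50' comes from the reply above:

```text
! Constructed example: one content rule per affected port, both with the
! raised flow-timeout multiplier so idle server-side flows stay in the
! flow table long enough for the CSS to still NAT the cache's next packet.
owner WEB_OWNER
  content HTTP_80
    vip address 192.0.2.10
    protocol tcp
    port 80
    add service CACHE1
    add service CACHE2
    ! Reply's suggestion: lengthen the inactivity timeout for this rule.
    flow-timeout-multiplier 50
    active
  content HTTP_8080
    vip address 192.0.2.10
    protocol tcp
    port 8080
    add service CACHE1
    add service CACHE2
    flow-timeout-multiplier 50
    active
```

After applying it, a recurrence can be checked from the firewall side: if the spoofing discards are still bursts of TCP 80/8080 packets sourced from the cache IPs rather than the VIP, the flows are still expiring before the server's last packets are sent.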
