
CSS11503 NAT failure causing spoofing

inciorange
Level 1

Hi,

We have a couple of 11503s set up in an active-backup configuration with fate sharing.

They run NAT successfully, changing the web caches' IPs (behind the CSSs) into the CSS redundant VIP when sending responses back to the clients, but sometimes, following a burst pattern, we get many packets discarded as spoofing in the firewall between the CSSs and the clients.

The traffic discarded is all HTTP sent to 8080 and 80 TCP ports.

We rebooted both CSSs a couple of days ago with no changes.

We are a bit new to the CSS, so how could we troubleshoot this behavior?

Thank you in advance

BR

1 Reply

Gilles Dufour
Cisco Employee

This is probably because the flows timed out and the CSS has no flow entry to NAT the next packet from the server.

Add a 'flow-timeout-multiplier 50' to all your content rules to reduce the chance for a flow to time out.

Gilles.
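
One way to check the explanation in the reply above against the firewall's drop log, as an added example that is not part of the thread: if the CSS had no flow entry, the dropped packets should carry a cache's real IP as source instead of the VIP, and they should cluster in bursts. The addresses, the log line format and the function names are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed addresses (not from the thread): real cache IPs behind the CSS, and the redundant VIP.
CACHE_REAL_IPS = {"10.0.0.11", "10.0.0.12"}
VIP = "198.51.100.10"

# Constructed firewall drop lines in a hypothetical format; adapt LINE_RE to your firewall.
SAMPLE_LOG = """\
2024-01-01T10:00:01 DROP spoof src=10.0.0.11:8080 dst=192.0.2.50:51234
2024-01-01T10:00:02 DROP spoof src=10.0.0.11:8080 dst=192.0.2.50:51234
2024-01-01T10:00:02 DROP spoof src=10.0.0.12:80 dst=192.0.2.77:40211
2024-01-01T10:00:03 DROP spoof src=203.0.113.9:4444 dst=192.0.2.50:80
2024-01-01T10:20:00 DROP spoof src=10.0.0.12:8080 dst=192.0.2.77:40300
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) DROP spoof src=(?P<src>[\d.]+):(?P<sport>\d+) "
                     r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse(log):
    """Yield (timestamp, src, sport, dst, dport) for each line that matches LINE_RE."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def classify(src):
    """A dropped source equal to a cache's real IP means the packet left the CSS un-NATed."""
    if src in CACHE_REAL_IPS:
        return "un-NATed cache"
    return "VIP" if src == VIP else "other"

def summarize(log, burst_gap_s=60):
    """Count drops per class and group the un-NATed ones into bursts by time gap."""
    counts, bursts, last = Counter(), [], None
    for ts, src, sport, dst, dport in parse(log):
        kind = classify(src)
        counts[kind] += 1
        if kind == "un-NATed cache":
            if last is None or (ts - last).total_seconds() > burst_gap_s:
                bursts.append([])  # quiet period exceeded: start a new burst
            bursts[-1].append((src, sport, dst, dport))
            last = ts
    return counts, bursts

if __name__ == "__main__":
    counts, bursts = summarize(SAMPLE_LOG)
    print(dict(counts), [len(b) for b in bursts])
```

Drops whose source is a cache's real IP support the flow-timeout explanation; drops from any other source point to a different cause and need separate investigation.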
