
Proxying on P2 Interface

Hi,

To achieve some level of network layer redundancy, we would like to have at least two NICs that are used to proxy on our s650 (other than the management port). Therefore, it would be logical to just patch another NIC into P2 (however, I am aware that the Ironport system does not recognise this configuration, as P2 is currently only used as an outbound port for passthrough proxying, I believe).

I've just noticed this post on the thread announcing GA of 5.6.0;

To enhance the security of the WSA, we explicitly prevent the WSA from proxying requests on the P2 interface. Customers who need this functionality may want to wait for the 5.6.2 release, which will support this configuration. 


So, I take it then that under 5.6.2 (when it is released) I'll be able to set up the dual nic situation as I mentioned above; with both P1 and P2 patched in, so that if one nic / cable / etc dies, it will continue to run merrily on the other port?

Here's hoping ... :)

Cheers,

Shane

9 Replies

jowolfer
Level 1

Shane,

It sounds like what you're looking for is dual homing. This is not what the functionality of 5.6 calls for.

Let me clarify what it is that you're asking for, before I file an enhancement. :D

Which are you looking to do:

1. Both P1 and P2 are plugged into your . Only one IP address is assigned to BOTH interfaces. P1 will be used unless it goes down, in which case P2 will take over.

or

2. Both P1 and P2 are plugged in and assigned their own IPs on their own respective subnets. Each able to accept client HTTP requests to proxy.

Hi Josh,

Thanks for the response. Yes, we are after option 1. I should've just mentioned dual-homing, and saved the confusion.

For us, it seems a bit of a waste to have the P2 port sitting there unused. We have already had an instance where a contractor knocked the cable that plugs into P1, and it disconnected. Obviously, this resulted in an outage of our internet. Had the P2 port been provisioned with dual homing, this would not have occurred.

It seems to be a logical step to me ... we do it with all our other servers in our environment. Any service that is even remotely important is set up with teamed NICs, quite often with each NIC patched into a different switch (but on the same subnet, with the same IP). This also prevents outages of the service if one switch fails. With all of the other redundancy in the s650 (power supplies, RAID etc.), the single proxying NIC is the obvious possible point of failure for us.

Cheers ....

Shane

jowolfer
Level 1

Shane,

I have filed the following enhancement request for proper dual homing: 45270.

It is in our database and will be tracked. Please communicate with your sales representative and inform them of your desire for this feature.

wage_ironport
Level 1

Shane, 

It sounds like what you're looking for is dual homing. This is not what the functionality of 5.6 calls for.

Let me clarify what it is that you're asking for, before I file an enhancement. :D

Which are you looking to do:

1. Both P1 and P2 are plugged into your . Only one IP address is assigned to BOTH interfaces. P1 will be used unless it goes down, in which case P2 will take over.

or

2. Both P1 and P2 are plugged in and assigned their own IPs on their own respective subnets. Each able to accept client HTTP requests to proxy.



What about option 2 listed above?

jowolfer
Level 1

Wage,

You should be able to proxy using M1 and P1 without any problems. P2 does not listen for clients by default (to prevent having an open proxy - P2 is intended to be the "outside / public" interface).

wage_ironport
Level 1

I would like to connect one interface to a certain VLAN and another interface to another VLAN. Is this possible?

jowolfer
Level 1

Wage,

There is no reason why it wouldn't work, assuming proper routing. Be aware that certain services, like authentication traffic to an AD server, will use the M1 interface.

I have the same problem as you,

I have just deployed a pair of swa s395 units and have used P1 for internet/interface outside and P2 for internal interface/users.

When I point to the VIP proxy interface IP or interface IP directly, this P2 does not respond to HTTP/S requests.

With support we enable listening, with the following CLI configuration.

configuration > advancedproxyconfig > MISCELLANEOUS > Do you want proxy to listen on P2? [N]> yes

I still have the same problem again.

 

amojarra
Cisco Employee

@karimmohamedtelefonica

Can you please take a packet capture on the WSA with no filter, and generate both HTTP and HTTPS traffic from a browser pointing at the virtual IP, then repeat the same test with the browser pointing at the P2 interface IP address?

Kindly share your findings or the PCAP with us.

 

Regards,

Amirhossein Mojarrad
