FWSM and Netscaler.

Jan 6th, 2010

We have 2 FWSMs in Active/Active mode; this is about one of those contexts.



The other context is now in test mode, and we would like to protect a segment of servers. In this segment we have two Citrix Netscalers that provide load balancing for a web service we need, using only one virtual IP address (10.11.33.48).


The segment of the servers and Netscalers is 10.11.33.xx/24. When we put the segment on the inside interface of the FWSM context, the Netscalers don't work: using the virtual IP in any browser, the page doesn't appear.



Any idea what's wrong?


Do the Netscalers need some type of inspect?


Thanks



FWSM-1/ctx-salud# sh running-config
: Saved
:
FWSM Version 4.0(6) <context>
!
hostname ctx-salud
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 10.11.33.70 AS400 description Core Operacion Medicina Prepagada
name 10.11.33.52 Autorizate description Server Linux - AUT-WEB,SEDNA,SAC,Liq Serv, Of Serv Virtuales
name 10.11.33.38 CIKLOS_eth0 description DB Oracle + PHP
name 10.11.33.39 CIKLOS_eth1 description DB Oracle + PHP
name 10.11.33.37 COOEPSII description Server Linux - Web+PHP
name 10.11.33.15 Clementine_SPSS
name 10.11.33.11 Clientes_Delgados
name 10.11.33.13 Cluster_SQL
name 10.11.33.53 Matis description Hospital en Casa
name 10.11.33.45 Netscaler1
name 10.11.33.46 Netscaler2
name 10.11.33.47 Netscaler_Map
name 10.11.33.51 Oficina_Virtual_MP2
name 10.11.33.43 PagosMP description Server Linux -
name 10.11.33.12 Saturno description Server Win - Turnos
name 10.11.33.48 Virtual_Ciklos description Netscaler para CIKLOS
name 10.11.33.49 Virtual_Cooeps description Netscaler para Cooeps
dns-guard
!
interface Vlan500
nameif outside
security-level 0
ip address 10.52.37.6 255.255.255.240 standby 10.52.37.7
!
interface Vlan61
nameif p-salud
security-level 90
ip address 10.51.33.101 255.255.255.0 standby 10.51.33.102
!
interface Vlan12
nameif salud
security-level 100
ip address 10.11.33.101 255.255.255.0 standby 10.11.33.102
!
passwd 2KFQnbNIdI.2KYOU encrypted
object-group network CIKLOS
description Interfaces server CIKLOS
network-object host CIKLOS_eth0
network-object host CIKLOS_eth1
object-group network Remote_SSH
description Acceso Remoto via SSH
network-object host COOEPSII
network-object host PagosMP
network-object host Oficina_Virtual_MP2
group-object CIKLOS
object-group network Web_Server
description Equipos con Web Server
network-object host Saturno
network-object host COOEPSII
network-object host PagosMP
network-object host Netscaler1
network-object host Netscaler2
network-object host Netscaler_Map
network-object host Virtual_Ciklos
network-object host Virtual_Cooeps
network-object host Oficina_Virtual_MP2
network-object host Autorizate
object-group network Web_Server_Secure
description Equipos con Web Server seguro
network-object host COOEPSII
network-object host PagosMP
network-object host Netscaler1
network-object host Netscaler2
network-object host Netscaler_Map
network-object host Virtual_Ciklos
network-object host Virtual_Cooeps
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service rpc tcp
description rpc TCP 32772 + 32774
port-object eq 32772
port-object eq 32774
object-group service sunrpc tcp-udp
description rpcbind - port 111
port-object eq sunrpc
access-list outside_in extended permit udp any any eq ntp inactive
access-list outside_in extended permit tcp any any eq 135 inactive
access-list outside_in extended permit tcp any any eq netbios-ssn inactive
access-list outside_in extended permit udp any any range netbios-ns netbios-dgm inactive
access-list outside_in extended permit tcp any any eq 445 inactive
access-list outside_in extended permit tcp any any eq 3389 inactive
access-list outside_in extended permit udp any host Clientes_Delgados eq isakmp inactive
access-list outside_in extended permit udp any host Clientes_Delgados eq 4500 inactive
access-list outside_in extended permit tcp any host Clientes_Delgados range 49152 49155 inactive
access-list outside_in extended permit tcp any object-group Remote_SSH eq ssh
access-list outside_in extended permit tcp any object-group Web_Server eq www
access-list outside_in extended permit tcp any object-group Web_Server_Secure eq https
access-list outside_in extended permit tcp any host COOEPSII eq 1501 inactive
access-list outside_in extended permit tcp any host COOEPSII eq 1054 inactive
access-list outside_in extended permit tcp any object-group CIKLOS object-group rpc
access-list outside_in extended permit tcp any object-group CIKLOS eq 1501 inactive
access-list outside_in extended permit tcp any object-group CIKLOS eq 1054 inactive
access-list outside_in extended permit object-group TCPUDP any object-group CIKLOS object-group sunrpc
access-list outside_in extended permit udp any host Clementine_SPSS eq isakmp inactive
access-list outside_in extended permit udp any host Clementine_SPSS range 1027 1028 inactive
access-list outside_in extended permit tcp any host Clementine_SPSS eq 1029 inactive
access-list outside_in extended permit udp any host Clementine_SPSS eq 4500 inactive
access-list outside_in extended permit tcp any host Autorizate range 49152 49155 inactive
access-list outside_in extended permit tcp any host Autorizate range 9090 9091 inactive
access-list outside_in extended permit tcp any host Autorizate eq 7070 inactive
access-list outside_in extended permit tcp any host Autorizate eq 7443 inactive
access-list outside_in extended permit tcp any host Autorizate eq 7777 inactive
access-list outside_in extended permit tcp any host Autorizate eq 5222 inactive
access-list outside_in extended permit tcp any host Autorizate eq 5269 inactive
access-list outside_in extended permit tcp any host Autorizate eq 3306 inactive
access-list outside_in extended permit tcp any host Cluster_SQL range 49152 49155 inactive
access-list outside_in extended permit tcp any host Cluster_SQL eq www inactive
access-list outside_in extended permit udp any host Cluster_SQL eq isakmp inactive
access-list outside_in extended permit tcp any host Cluster_SQL eq 1094 inactive
access-list outside_in extended permit udp any host Cluster_SQL eq 1434 inactive
access-list outside_in extended permit tcp any host Cluster_SQL eq 2382 inactive
access-list outside_in extended permit udp any host Cluster_SQL eq 4500 inactive
access-list outside_in extended permit tcp any host Cluster_SQL eq 49324 inactive
access-list outside_in extended permit udp any host PagosMP eq sunrpc inactive
access-list outside_in extended permit icmp any any
access-list outside_in extended permit ip any any
access-list salud_in extended permit icmp any any
access-list salud_in extended permit ip any any
access-list p-salud_in extended permit icmp any any
access-list p-salud_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging standby
logging monitor debugging
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu salud 1500
mtu p-salud 1500
icmp permit any outside
no asdm history enable
arp timeout 14400
access-group outside_in in interface outside
access-group salud_in in interface salud
access-group p-salud_in in interface p-salud
route outside 0.0.0.0 0.0.0.0 10.52.37.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username desca password ci9jkLeed3cPxSSg encrypted privilege 15
username banm7970 password mCuFDqKh/mYI2y2q encrypted privilege 15
username dncapr11 password JbmDdwc8I32IjGbz encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect ftp
  inspect dns
!
service-policy global_policy global
Cryptochecksum:e4264b2a118ff35838322fad50b54d99
: end

Kureli Sankar Wed, 01/06/2010 - 12:25

Seems like a pretty simple config. Citrix is directly connected to the higher-security interface, which has permit ip any any.


What do the logs say when this breaks when you try to access the virtual IP from the other side of the firewall?


sh logg | i 10.11.33.x


I am assuming you have no nat-control.


sh run all | i nat-control


-KS

k.mattson Wed, 05/18/2011 - 13:33

Any luck?  We are seeing the same problem.  When the Netscaler interfaces are behind the FWSM, we can't connect.  When we move the Netscaler interfaces behind a plain old routed link they work great.  We also did some packet captures and can see that the Netscaler is sending a RST back to the inquiring host.  We are doing captures on the Netscaler and on the host, and both agree that the Netscaler is sending the RST.  Once the Netscaler is moved to a routed network not behind the FWSM, everything works fine.


Also we do not see anything in the logs about something being blocked.  We also tried it with http inspect on and off.

brquinn Thu, 05/19/2011 - 06:32

There are a few things the FWSM does to the traffic by default.


1) TCP Sequence number randomization. You can disable this:


access-list no_tcp_seq_rand_acl permit tcp x.x.x.0 255.255.255.0 y.y.y.0 255.255.255.0
!
class-map no_tcp_seq_rand_class
   match access-list no_tcp_seq_rand_acl
!
policy-map global_policy
   class no_tcp_seq_rand_class
   set connection random-sequence-number disable


2) It changes the TCP MSS to 1380.  To disable this:

sysopt connection tcpmss 0


If neither of these helps, I would run some captures and make sure there is no asymmetric routing. Any irregularities in the TCP flows will be dropped by the FWSM, and as soon as that connection is reset, all subsequent traffic will be dropped until a new 3-way handshake starts a new session.


I hope this helps.


Thanks,

Brendan

And a complete wild stab in the dark from me. We had a similar issue using some encryption devices behind an ASA which worked fine behind a 3800 router. Turns out the ASA was stripping some of the TCP options from the handshake. We had to write a service policy to put them back in.


We worked it out by performing a wireshark capture on the inside and outside interfaces at the same time and looking at how the packets differed before and after they had been processed by the ASA.


Barry
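The inside-versus-outside capture comparison Barry describes, and the default FWSM behaviours Brendan lists (ISN randomization, MSS clamping to 1380), can be checked mechanically once the two copies of the same SYN are in hand. The script below is an added example, not code from the thread or from Cisco: it parses raw TCP headers (no IP header) with the standard library and reports what changed between the two copies. The two SYN headers are constructed samples; which options a given FWSM actually strips is not something this thread establishes.

```python
import struct

def parse_tcp(hdr: bytes) -> dict:
    """Parse a raw TCP header into ports, seq, flags, window and decoded options."""
    src, dst, seq, ack, off_flags, win = struct.unpack("!HHIIHH", hdr[:16])
    data_off = (off_flags >> 12) * 4           # header length incl. options
    opts, i = {}, 20
    while i < data_off:
        kind = hdr[i]
        if kind == 0:                          # End of option list
            break
        if kind == 1:                          # NOP padding
            i += 1
            continue
        length = hdr[i + 1]
        val = hdr[i + 2:i + length]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", val)[0]
        elif kind == 3:
            opts["wscale"] = val[0]
        elif kind == 4:
            opts["sack_ok"] = True
        elif kind == 8:
            opts["tsval"], opts["tsecr"] = struct.unpack("!II", val)
        else:
            opts[f"kind{kind}"] = val.hex()
        i += length
    return {"sport": src, "dport": dst, "seq": seq,
            "flags": off_flags & 0x1FF, "win": win, "opts": opts}

def firewall_changes(inside: bytes, outside: bytes) -> list:
    """Diff the same SYN as seen before and after the firewall; list what it altered."""
    a, b = parse_tcp(inside), parse_tcp(outside)
    findings = []
    if a["seq"] != b["seq"]:
        findings.append("sequence number rewritten (ISN randomization)")
    if a["opts"].get("mss") != b["opts"].get("mss"):
        findings.append(f"MSS changed {a['opts'].get('mss')} -> {b['opts'].get('mss')}")
    for k in sorted(set(a["opts"]) - set(b["opts"])):
        findings.append(f"option {k} stripped")
    return findings

def build_syn(seq: int, opts: bytes) -> bytes:
    """Constructed sample SYN header (sport 40000 -> dport 80) with the given options."""
    opts += b"\x00" * (-len(opts) % 4)          # pad to a 4-byte boundary
    data_off = (20 + len(opts)) // 4
    return struct.pack("!HHIIHHHH", 40000, 80, seq, 0, (data_off << 12) | 0x002, 65535, 0, 0) + opts

# Constructed: inside copy carries MSS 1460, NOP, window scale 7, SACK-permitted;
# outside copy has a new ISN, MSS clamped to 1380 and the other options gone.
INSIDE_SYN = build_syn(0x11223344, b"\x02\x04\x05\xb4" b"\x01" b"\x03\x03\x07" b"\x04\x02")
OUTSIDE_SYN = build_syn(0x9A7B3C1D, b"\x02\x04\x05\x64")
```

Run it on the real headers pulled from captures taken on both interfaces at the same time, as Barry suggests; an empty list means the firewall passed the SYN untouched.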
