Private addresses from CSS being seen on PIX internal interface

Unanswered Question
Mar 31st, 2010

Ok I've been looking at this for three days now and I can't seem to fix it. The short story is we use a CSS11503 code 7.02 as a one armed load balancer for several Proxy servers. Generally speaking, things are working. However, when traffic gets heavy, I start seeing the private addresses from behind the CSS (192.168.5.191 & 192) trying to access the internet without being NATed to (165.199.5.191 & 192). Someone please give me a hint. The basic config is below, cutting out all of the junk.

service ProxyA
  ip address 192.168.5.191
  keepalive type tcp
  keepalive port 8857
  weight 2
  active

service ProxyB
  ip address 192.168.5.192
  keepalive port 8857
  keepalive type tcp
  weight 2
  active

*********************************

owner Proxy

  content ISA
    add service ProxyB
    vip address 165.199.5.193
    add service ProxyA
    flow-timeout-multiplier 225
    advanced-balance sticky-srcip
    balance weightedrr
    active

  content ProxyA
    add service ProxyA
    vip address 165.199.5.191
    flow-timeout-multiplier 225
    active


  content ProxyB
    vip address 165.199.5.192
    add service ProxyB
    flow-timeout-multiplier 225
    active

*****************************************************************

group ProxyA
  add service ProxyA
  vip address 165.199.5.191
  flow-timeout-multiplier 35
  active

group ProxyB
  add service ProxyB
  vip address 165.199.5.192
  flow-timeout-multiplier 35
  active

Pablo Wed, 03/31/2010 - 18:20

Hi,

Have you tried matching the flow-timeout multiplier of the groups with the timeout that is applied on the content rule in question?

hhorton Thu, 04/01/2010 - 06:50

They started out the same.  I forgot to change some of those rules when I was working on this current problem.  In any case, I've updated them all and still see the same results.

In addition, I read a note about the CSS being less efficient as a "one arm" so I connected a second interface and separated "Internal" and "External" CSS interfaces. Don't know that it helped at all. Still getting the 192.168 address flowing out to my PIX. While I was tinkering yesterday, I did notice that by disabling the Group for a proxy server, ALL of his traffic continued to flow into my PIX without NAT. I didn't know that could happen. I figured without a Group assigned to a server, it couldn't pass traffic outside the CSS.
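Added example, not from the thread or from Cisco: a small Python checker for the two points raised above, whether every service is covered by an active group (hhorton's observation that a service with no group sends traffic to the PIX un-NATed) and whether each group's flow-timeout-multiplier matches the content rules that use the service (Pablo's suggestion). The config string is constructed from the post and trimmed; group ProxyB is deliberately left out so both findings show up.

```python
# Constructed CSS config, trimmed from the post; group ProxyB is left out on purpose.
CSS_CONFIG = """
service ProxyA
  ip address 192.168.5.191
service ProxyB
  ip address 192.168.5.192
  content ISA
    add service ProxyA
    add service ProxyB
    vip address 165.199.5.193
    flow-timeout-multiplier 225
    active
group ProxyA
  add service ProxyA
  vip address 165.199.5.191
  flow-timeout-multiplier 35
  active
"""

def parse_css(text):
    """Collect service/content/group blocks: address, member services, multiplier, active flag."""
    new = lambda: {"members": set(), "addr": None, "mult": None, "active": False}
    blocks, cur = {"service": {}, "content": {}, "group": {}}, new()
    for line in (l.strip() for l in text.splitlines()):
        parts = line.split()
        if len(parts) == 2 and parts[0] in blocks:        # block header, e.g. "group ProxyA"
            cur = blocks[parts[0]].setdefault(parts[1], new())
        elif line.startswith("add service "):
            cur["members"].add(parts[-1])
        elif line.startswith(("ip address ", "vip address ")):
            cur["addr"] = parts[-1]
        elif line.startswith("flow-timeout-multiplier "):
            cur["mult"] = int(parts[-1])
        elif line == "active":
            cur["active"] = True
    return blocks

def audit(text):
    """Flag services with no active source group, and group/content multiplier mismatches."""
    cfg = parse_css(text)
    findings = []
    for name, svc in cfg["service"].items():
        groups = [g for g, v in cfg["group"].items() if name in v["members"] and v["active"] and v["addr"]]
        if not groups:
            findings.append(f"{name} ({svc['addr']}): no active group covers it, so its traffic leaves un-NATed")
        rule_mults = {c["mult"] for c in cfg["content"].values() if name in c["members"] and c["mult"]}
        for g in groups:
            for rm in rule_mults - {cfg["group"][g]["mult"]}:
                findings.append(f"group {g} multiplier {cfg['group'][g]['mult']} != content multiplier {rm} for {name}")
    return findings
```

Run `audit(CSS_CONFIG)` against the constructed config and it reports the multiplier mismatch for ProxyA and the missing group for ProxyB; paste a `show running-config` into the string to audit a real box.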
