Private addresses from CSS being seen on PIX internal interface

hhorton (Level 1)

Ok, I've been looking at this for three days now and I can't seem to fix it. The short story is we use a CSS11503 (code 7.02) as a one-armed load balancer for several proxy servers. Generally speaking, things are working. However, when traffic gets heavy, I start seeing the private addresses from behind the CSS (192.168.5.191 & 192) trying to access the internet without being NATed to (165.199.5.191 & 192). Someone please give me a hint. The basic config is below, cutting out all of the junk.

service ProxyA
  ip address 192.168.5.191
  keepalive type tcp
  keepalive port 8857
  weight 2
  active

service ProxyB
  ip address 192.168.5.192
  keepalive port 8857
  keepalive type tcp
  weight 2
  active

*********************************

owner Proxy

  content ISA
    add service ProxyB
    vip address 165.199.5.193
    add service ProxyA
    flow-timeout-multiplier 225
    advanced-balance sticky-srcip
    balance weightedrr
    active

  content ProxyA
    add service ProxyA
    vip address 165.199.5.191
    flow-timeout-multiplier 225
    active


  content ProxyB
    vip address 165.199.5.192
    add service ProxyB
    flow-timeout-multiplier 225
    active

*****************************************************************

group ProxyA
  add service ProxyA
  vip address 165.199.5.191
  flow-timeout-multiplier 35
  active

group ProxyB
  add service ProxyB
  vip address 165.199.5.192
  flow-timeout-multiplier 35
  active

2 Replies

Pablo (Cisco Employee)

Hi,

Have you tried matching the flow-timeout multiplier of the groups with the timeout that is applied on the content rule in question?

They started out the same.  I forgot to change some of those rules when I was working on this current problem.  In any case, I've updated them all and still see the same results.

In addition, I read a note about the CSS being less efficient as a "one arm" so I connected a second interface and separated "Internal" and "External" CSS interfaces. Don't know that it helped at all. Still getting the 192.168 address flowing out to my PIX. While I was tinkering yesterday, I did notice that by disabling the Group for a proxy server, ALL of his traffic continued to flow into my PIX without NAT. I didn't know that could happen. I figured without a Group assigned to a server, it couldn't pass traffic outside the CSS.
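As an added example (not code from this thread or from Cisco), here is a small Python linter for a CSS configuration in the format posted above. It parses the service, owner/content and group blocks and reports two things the thread turns on: a service that a content rule balances to but that no active source group NATs, so its real address leaves the CSS unrewritten (the configuration state in which un-NATed 192.168 traffic was observed after disabling a group), and a flow-timeout-multiplier on a content rule that differs from the one on the group covering the same service (the check suggested in the reply). The embedded configuration is a constructed, abridged copy of the one in the post; the block names, addresses and the `suspend_group` helper are assumptions made for the example.

```python
"""CSS 11500 config linter. Added example, not code from the thread or from Cisco.
Parses service / owner-content / group blocks in the format of the post and reports
(a) a balanced service that no active source group NATs, so its real address would
leave the CSS unrewritten, and (b) a flow-timeout-multiplier that differs between a
content rule and the source group covering the same service. Names/addresses assumed."""
import re
from ipaddress import ip_address

# Constructed, abridged copy of the poster's config (keepalive/weight/balance lines dropped).
SAMPLE_CONFIG = """\
service ProxyA
  ip address 192.168.5.191
  active
service ProxyB
  ip address 192.168.5.192
  active
owner Proxy
  content ISA
    add service ProxyB
    vip address 165.199.5.193
    add service ProxyA
    flow-timeout-multiplier 225
    active
  content ProxyA
    add service ProxyA
    vip address 165.199.5.191
    flow-timeout-multiplier 225
    active
  content ProxyB
    vip address 165.199.5.192
    add service ProxyB
    flow-timeout-multiplier 225
    active
group ProxyA
  add service ProxyA
  vip address 165.199.5.191
  flow-timeout-multiplier 35
  active
group ProxyB
  add service ProxyB
  vip address 165.199.5.192
  flow-timeout-multiplier 35
  active
"""

def parse_css(text):
    """Indentation-driven parse: service/owner/group (and content under an owner) open a block."""
    top, stack = [], []                      # stack: (indent, block) of currently open blocks
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("!", "*")):
            continue                         # blanks, comments and the post's separator lines
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        tok = raw.split()
        if tok[0] in ("service", "owner", "group", "content") and len(tok) == 2:
            blk = {"kind": tok[0], "name": tok[1], "attrs": {}, "services": [], "children": []}
            (stack[-1][1]["children"] if stack else top).append(blk)
            stack.append((indent, blk))
        elif not stack:
            raise ValueError(f"command outside any block: {raw!r}")
        elif tok[:2] == ["add", "service"]:
            stack[-1][1]["services"].append(tok[2])
        elif tok[0] in ("active", "suspend"):
            stack[-1][1]["attrs"]["active"] = tok[0] == "active"
        else:                                # e.g. 'vip address X', 'flow-timeout-multiplier N'
            stack[-1][1]["attrs"][" ".join(tok[:-1])] = tok[-1]
    return top

def lint(blocks):
    """Return findings as (check, content_rule, service, detail) tuples."""
    services = {b["name"]: b for b in blocks if b["kind"] == "service"}
    contents = [c for b in blocks if b["kind"] == "owner" for c in b["children"]]
    nat_by = {}                              # service -> active groups that NAT its traffic
    for g in blocks:
        if g["kind"] == "group" and g["attrs"].get("active"):
            for s in g["services"]:
                nat_by.setdefault(s, []).append(g)
    findings = []
    for c in contents:
        if not c["attrs"].get("active"):
            continue
        ct = c["attrs"].get("flow-timeout-multiplier")
        for s in c["services"]:
            if s not in nat_by:              # balanced to, but its real address is never rewritten
                ip = services.get(s, {}).get("attrs", {}).get("ip address")
                priv = bool(ip) and ip_address(ip).is_private
                findings.append(("no-source-group", c["name"], s, (ip, priv)))
                continue
            for g in nat_by[s]:
                gt = g["attrs"].get("flow-timeout-multiplier")
                if ct != gt:                 # a multiplier missing on one side also counts
                    findings.append(("timeout-mismatch", c["name"], s, (g["name"], ct, gt)))
    return findings

def suspend_group(text, name):
    """Reproduce the poster's experiment: replace the named group's 'active' with 'suspend'."""
    pat = re.compile(rf"(^group {re.escape(name)}\n(?:  .*\n)*?  )active$", re.M)
    new, n = pat.subn(r"\1suspend", text)
    if n != 1:
        raise ValueError(f"group {name} not found or has no 'active' line")
    return new
```

Run as `lint(parse_css(SAMPLE_CONFIG))`, the posted configuration yields four timeout-mismatch findings (225 on every content rule against 35 on both groups) and no NAT gaps; run on `suspend_group(SAMPLE_CONFIG, "ProxyB")` it additionally reports ProxyB as balanced but un-NATed, with its private 192.168.5.192 address, which is the configuration state in which the un-NATed traffic was observed after disabling a group. Raising both group multipliers to 225 clears every finding.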
