Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

CSS 11500 Responds for any Port

Hopefully this is an easy question but I am having a heck of a time finding an answer.

We have multiple CSS 11500 clusters.  We have found that on all of them, if you try to open a session on any port to an IP address on the backend of the CSS, the CSS will complete the SYN-ACK-ACK session with the client.  This happens regardless of whether there is something on that IP address or not.

Example:

Front                           Back

10.1.1.0/24 --- CSS --- 10.2.2.0/24

Coming from any IP, if I try to telnet to ANY IP on the 10.2.2.0 subnet (whether or not there is an actual server on that IP) on any port (whether or not that port is open or not), the CSS will complete the initial connection.  I have verified this using telnet to numerous ports and viewing the transaction in a packet capture.

Is there any way to shut this off?  This is causing some licensing issues for our security folks that use a vulnerability scanner licensed on number of IP addresses.

Thanks for any input!

4 REPLIES
Bronze

Re: CSS 11500 Responds for any Port

Hi Scott,

The only thing that comes to mind is that you have a content rule VIP with a broad mask configured, without port and it has at least one active service configured on it, just to make sure can you attached your configuration so we can take a quick look?

Tnx

__ __

Pablo

New Member

Re: CSS 11500 Responds for any Port

Thanks for your reply and I apologize for not responding sooner - I've been out on vacation. 

There is no mask configured under content rules.

Also, we have a very large environment and have 5 different sets of CSS content switches.  Every single one behaves in this manner so if this were a configuration error, it would have to have been made on every set of content switches.

Hall of Fame Super Silver

Re: CSS 11500 Responds for any Port

You should be able to set up ACLs (on the CSS) such that only traffic destined for defined back end servers is allowed to be passed through the CSS. See this reference.

Be careful to note the "apply" convention used with ACLs in CSS software. It's a bit different from normal Cisco ACLs you may be familiar with. The guide covers it but unless you've done it a couple times, it takes some getting used to.

New Member

Re: CSS 11500 Responds for any Port

Thanks for your reply Marvin.

We actually use ACLs already - primarily for purposes of allowing backend servers to reach load-balanced services on the CSS they sit behind or for reverse proxy services. 

I have tried specifically blocking access to backend IP addresses that are not used but oddly enough the CSS still replies and opens the initial TCP session just like any other.

I think I'm going to have to open a TAC case on this one.  If they can't answer it, I may be forced to put all of these behind firewalls - which is doable but not ideal.

687
Views
0
Helpful
4
Replies
CreatePlease to create content