Cisco Support Community
New Member

CSS11503 NAT failure causing spoofing

Hi,

We have a couple of 11503s set up in an active-backup configuration with fate sharing.

They run NAT successfully, changing the web caches' IPs (behind the CSSs) into the CSS redundant VIP when sending responses back to the clients, but sometimes, following a burst pattern, we get many packets discarded as spoofing in the firewall between the CSSs and the clients.

The traffic discarded is all HTTP sent to 8080 and 80 TCP ports.

We rebooted both CSSs a couple of days ago with no changes.

We are a bit of newbies with CSS, so how could we troubleshoot this behavior?

Thank you in advance

BR

1 REPLY
Cisco Employee

Re: CSS11503 NAT failure causing spoofing

This is probably because the flows timed out and the CSS has no flow entry to NAT the next packet from the server.

Add a 'flow-timeout-multiplier 50' to all your content rules to reduce the chance for a flow to time out.

Gilles.

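One way to check the flow-timeout explanation against the firewall's own records, as an added example that is not part of the thread and not Cisco tooling: for each spoofing drop sourced from a real cache IP, measure how long the matching client connection had been idle and compare that with the flow idle timeout. The record layout, all addresses, the 16-second "current" timeout passed in the demo and the function names are constructed assumptions.

```python
from collections import namedtuple

# All values below are constructed for illustration (documentation address ranges).
VIP = "192.0.2.10"                         # assumed CSS redundant VIP
REAL_SERVERS = {"10.0.0.11", "10.0.0.12"}  # assumed web cache real IPs
UNIT_S = 16  # flow-timeout-multiplier unit in seconds per the CSS command
             # reference; confirm for your software version

Pkt = namedtuple("Pkt", "ts src sport dst dport action")

SAMPLE = [  # constructed firewall records: permits and spoofing drops
    Pkt(0.0, "198.51.100.7", 40001, VIP, 80, "permit"),
    Pkt(0.2, VIP, 80, "198.51.100.7", 40001, "permit"),
    Pkt(1.0, "198.51.100.8", 40002, VIP, 8080, "permit"),
    Pkt(1.1, VIP, 8080, "198.51.100.8", 40002, "permit"),
    Pkt(1.5, "10.0.0.12", 8080, "198.51.100.8", 40002, "drop"),
    Pkt(30.5, "10.0.0.11", 80, "198.51.100.7", 40001, "drop"),
]

def classify_drops(packets, idle_timeout_s):
    """For each dropped packet sourced from a real server IP, return
    (packet, idle_gap_seconds, fits_timeout_explanation)."""
    last_permit = {}  # (client_ip, client_port, service_port) -> timestamp
    out = []
    for p in sorted(packets, key=lambda p: p.ts):
        server_side = p.src == VIP or p.src in REAL_SERVERS
        key = (p.dst, p.dport, p.sport) if server_side else (p.src, p.sport, p.dport)
        if p.action == "permit":
            last_permit[key] = p.ts
        elif p.src in REAL_SERVERS:
            gap = p.ts - last_permit[key] if key in last_permit else None
            out.append((p, gap, gap is not None and gap >= idle_timeout_s))
    return out

def multiplier_to_cover(gap_s):
    """Smallest multiplier whose timeout (multiplier * UNIT_S) exceeds gap_s."""
    return int(gap_s // UNIT_S) + 1

if __name__ == "__main__":
    for pkt, gap, fits in classify_drops(SAMPLE, idle_timeout_s=16):
        print(pkt.src, pkt.dst, gap, "timeout" if fits else "other cause")
```

Drops that arrive after an idle gap longer than the timeout fit the explanation in the reply; drops on connections that were active moments earlier do not, and point to a different cause.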