Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
415
Views
0
Helpful
3
Replies

Leaking un-nated packets.

hvd
Level 1
Level 1

‎02-27-2006 01:18 AM

Following problem is occuring to a couple of our css running version 07.40.1.04.

The system is running in redundant configuration active - standby isc interconnected.

The css are configured to handle mutiple url to be loadbalanced to a farm of 8 servers.

At public side we use redundant-vip at the server-end redundant-interface (also def.gw for these servers)

For certain systems outbound connection through the css is needed eg. public DNS server, CA, ftp-updateserver, ...

For these servers a (nat-) group exists; and acl are permitting this outbound traffic.

group outbound_servers

add service server_1

add service server_2

add service server_3

add service server_4

vip address an_internet_routable_ip-address

redundant-index 135

active

The problem is when some of these server perform requests to the a public dns server their packets remain un-nated.

These packets don't travel far, our IDS and firewall detect and halt them, however they won't be able to be routed throught the internet as they are private.

This all causing the request never to be answered. As far sniffing gives more info, appearently these are all udp requests, can this be the cause ?

Any ideas why this happens, or what the cause might be. Any suggestion about how digging further into this would be helpful.

Thanx

HVD.

Labels:
0 Helpful
3 Replies 3

ssoberlik
Level 4
Level 4

‎03-02-2006 02:33 PM

Was this setup working before? Or is this a new installation. Can you post the configuration on the CSS. This one looks like a configuration issue.

0 Helpful

hvd
Level 1
Level 1
In response to ssoberlik

‎03-13-2006 03:10 AM

Sorry for the late reply, I was on holiday last week:

The servers behind our css are using the internet dns, and they don't seem to have any problem with that.

But our firewall and ids's aren't happy with this behaviour, and their logs are running full at immense speed.

The reduced configuration is in attach.

HVD.

Preview file
6 KB
0 Helpful

hnrane
Level 1
Level 1

‎03-14-2006 06:20 AM

We experienced similar behaviour for our CSS load balancing SMTP servers. These servers were NATed on CSS with VIP address on CSS using a group. Once in a while we use to see packets on Internet firewall with server's non-nated IP ADD. On close inspection we found out that when the CSS service pointing to the servers use to go down the CSS use to act as a router and route any packets coming from the SMTP server to its default gateway of Internet Firewall. The SMTP service on the servers was flapping between up/down state due to code problem on the servers.

You may want to see if CSS Service pointing to the servers is up or down when you see the non-nated IP ADD on Firewall.

0 Helpful
Customers Also Viewed These Support Documents