Cisco Support Community
Community Member

Leaking un-nated packets.

The following problem is occurring on a couple of our CSS running version

The system is running in a redundant active-standby configuration, ISC interconnected.

The CSS are configured to handle multiple URLs to be load-balanced to a farm of 8 servers.

On the public side we use redundant-vip; at the server end, redundant-interface (also for these servers).

For certain systems, outbound connections through the CSS are needed, e.g. public DNS server, CA, FTP update server, ...

For these servers a (NAT) group exists, and ACLs are permitting this outbound traffic.

group outbound_servers
  add service server_1
  add service server_2
  add service server_3
  add service server_4
  vip address an_internet_routable_ip-address
  redundant-index 135


The problem is that when some of these servers perform requests to a public DNS server, their packets remain un-NATed.

These packets don't travel far; our IDS and firewall detect and halt them. However, they won't be able to be routed through the Internet, as they are private.

This all causes the requests never to be answered. As far as sniffing gives more info, apparently these are all UDP requests; can this be the cause?

Any ideas why this happens, or what the cause might be? Any suggestion about how to dig further into this would be helpful.




Re: Leaking un-nated packets.

Was this setup working before, or is this a new installation? Can you post the configuration of the CSS? This one looks like a configuration issue.

Community Member

Re: Leaking un-nated packets.

Sorry for the late reply, I was on holiday last week:

The servers behind our CSS are using the Internet DNS, and they don't seem to have any problem with that.

But our firewall and IDSs aren't happy with this behaviour, and their logs are filling up at immense speed.

The reduced configuration is attached.


Community Member

Re: Leaking un-nated packets.

We experienced similar behaviour with our CSS load balancing SMTP servers. These servers were NATed on the CSS with a VIP address using a group. Once in a while we used to see packets on the Internet firewall with the server's non-NATed IP address. On close inspection we found that when the CSS service pointing to the servers went down, the CSS used to act as a router and route any packets coming from the SMTP server to its default gateway, the Internet firewall. The SMTP service on the servers was flapping between up and down states due to a code problem on the servers.

You may want to check whether the CSS service pointing to the servers is up or down when you see the non-NATed IP address on the firewall.
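The check suggested in the last reply, lining up firewall sightings of un-NATed source addresses with the CSS service state at that moment, can be scripted. The following Python is an added example, not part of the thread; the tuple layouts, server addresses, timestamps and function names are constructed for illustration and are not real CSS or firewall log formats.

```python
import ipaddress
from datetime import datetime

# Constructed sample data; the tuple layouts are assumptions, not real log formats.
# CSS service state changes: (timestamp, service, server IP, new state)
SERVICE_EVENTS = [
    ("2024-01-10 10:00:00", "server_1", "10.0.0.11", "down"),
    ("2024-01-10 10:00:40", "server_1", "10.0.0.11", "alive"),
    ("2024-01-10 10:05:00", "server_2", "10.0.0.12", "down"),
]
# Firewall drops on the CSS-facing interface: (timestamp, source, destination, protocol)
FIREWALL_DROPS = [
    ("2024-01-10 10:00:15", "10.0.0.11", "198.51.100.53", "udp/53"),
    ("2024-01-10 10:02:00", "10.0.0.11", "198.51.100.53", "udp/53"),
    ("2024-01-10 10:06:30", "10.0.0.12", "198.51.100.53", "udp/53"),
    ("2024-01-10 10:07:00", "203.0.113.9", "198.51.100.53", "udp/53"),
]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def down_windows(events):
    """Map server IP -> list of [start, end] periods in which its service was down."""
    windows = {}
    for ts, _name, ip, state in sorted(events):
        spans = windows.setdefault(ip, [])
        if state == "down" and (not spans or spans[-1][1] is not None):
            spans.append([parse(ts), None])       # outage starts, still open
        elif state == "alive" and spans and spans[-1][1] is None:
            spans[-1][1] = parse(ts)              # outage ends
    return windows

def correlate(drops, events):
    """Label each drop with an un-NATed (RFC 1918) source by service state at that time."""
    windows = down_windows(events)
    results = []
    for ts, src, _dst, proto in drops:
        if not any(ipaddress.ip_address(src) in net for net in RFC1918):
            continue                              # source is not a private address
        when = parse(ts)
        down = any(start <= when and (end is None or when < end)
                   for start, end in windows.get(src, []))
        results.append((ts, src, proto, "service down" if down else "service up"))
    return results

if __name__ == "__main__":
    for row in correlate(FIREWALL_DROPS, SERVICE_EVENTS):
        print(*row)
```

Drops labelled `service up` fall outside any outage window, so the service-flapping behaviour described in the last reply does not account for them.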
