New Member

Routing non-TCP/UDP traffic while using FWLB on CSS 11503s

Hello all,

I've been tasked to set up FWLB with CSS 11503s as shown below. The issue is that intranet workstations use VPN client software when connecting to certain sites through the Internet and other times they use HTTP or HTTPS (for connection to different sites). Because no flow is set up for IPsec and ECMP uses per-packet routing for non-TCP/UDP traffic, I'm concerned that load balancing through the firewalls will occur on a per-packet basis. If that is true, stateful inspection in the firewalls will block asymmetrical traffic flows.

Is my understanding correct? And, if so, is there a way to configure the CSS units to deal with this?

Thanks in advance.

(sorry for the dots in the drawing but the spaces kept getting deleted)

       -------------
       |  Internet |
       -------------
             |
     -------------------
     |   CSS-outside   |
     -------------------
             |
     -------------------
     |                 |
  -------           -------
  | FW1 |           | FW2 |
  -------           -------
     |                 |
     -------------------
             |
     -------------------
     |    CSS-inside   |
     -------------------
             |
       ------------
       | Intranet |
       ------------

1 REPLY
Cisco Employee

Re: Routing non-TCP/UDP traffic while using FWLB on CSS 11503s

For non-flowy traffic like IPsec, we use a hash algorithm to decide where to send the traffic.

So, it's not per-packet load balancing.

The same source/destination IP/port will always go to the same firewall.

Gilles.
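To make the reply's point concrete, here is an added illustration (not Cisco code, and not the CSS's actual hash function, which this thread does not describe): a direction-independent hash over protocol and endpoint addresses keeps every packet of an ESP exchange, in both directions, on one firewall, while a per-packet round robin spreads the same exchange across FW1 and FW2 and would trip stateful inspection. FW1/FW2 come from the diagram above; the IP addresses and packet sequence are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

FIREWALLS = ["FW1", "FW2"]  # the two firewalls between CSS-outside and CSS-inside


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int            # 6 = TCP, 17 = UDP, 50 = ESP (IPsec), which has no ports
    src_port: int = 0     # 0 when the protocol carries no port numbers
    dst_port: int = 0


def flow_key(pkt: Packet) -> tuple:
    """Order the two endpoints so a reply (src/dst swapped) hashes to the
    same key as the request; both directions then reach the same firewall."""
    ends = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    return (pkt.proto, *ends)


def pick_by_hash(pkt: Packet) -> str:
    """Hash-based selection (illustrative): the firewall depends only on the flow key."""
    digest = hashlib.sha256(repr(flow_key(pkt)).encode()).digest()
    return FIREWALLS[int.from_bytes(digest[:4], "big") % len(FIREWALLS)]


class PerPacketRoundRobin:
    """What the original poster feared: a fresh choice for every packet."""
    def __init__(self) -> None:
        self.sent = 0

    def pick(self, pkt: Packet) -> str:
        fw = FIREWALLS[self.sent % len(FIREWALLS)]
        self.sent += 1
        return fw


def firewalls_used(packets, picker) -> set:
    """Set of firewalls an exchange was spread over; a size of 1 means symmetric."""
    return {picker(p) for p in packets}


# Constructed sample: an ESP tunnel between an intranet workstation and a
# remote VPN gateway, three packets outbound and three replies inbound.
WORKSTATION, VPN_GATEWAY = "10.1.1.5", "198.51.100.7"
ESP_EXCHANGE = ([Packet(WORKSTATION, VPN_GATEWAY, 50)] * 3
                + [Packet(VPN_GATEWAY, WORKSTATION, 50)] * 3)

if __name__ == "__main__":
    print("hash-based:", firewalls_used(ESP_EXCHANGE, pick_by_hash))
    print("per-packet:", firewalls_used(ESP_EXCHANGE, PerPacketRoundRobin().pick))
```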
