http traffic

prashantrecon
Level 1

Hi all,

I am facing a typical issue.

I have two routers, router x and router y, connected to one firewall.

For a particular VLAN I have diverted the traffic from the firewall to a different router (with a dedicated link for that VLAN).

Just assume gmail, hotmail etc. all traffic flows from the firewall and is diverted to router x.

And for one HTTP traffic (the HTTP application given by the client) it flows through router y from the firewall.

The link is 2 Mbps for 10 users.

The problem is that the user who connects first to that application via HTTP traffic has no problem.

But when another two to three users connect to that application via HTTP traffic, then all the users start facing problems, including the first user.

The recommended bandwidth for 10 users is 1 Mbps. But we have dedicated 2 Mbps bandwidth for that traffic.

Note: the client has provided some public IP for that HTTP traffic.

And for that public IP we have given a different route from the firewall.

7 Replies

sansarav720e
Level 1

Dear Prashant,

Kindly let me know the following things:

1) Does this same VLAN need to access the open internet and the HTTP application?

2) Are you familiar with the application server IP address?

3) Are you doing PATing or static NATing for your LAN segment?

4) Has your firewall been defined with a specific route pointing to your application server to use your 2 Mbps circuit?

Your firewall should have a static route for the application server subnet to use your 2 Mbps circuit.

Let me know on this.

HTH

Thks

Santhosh Sarav

HTH Regards Santhosh Saravanan

Hi,

Thanks for your response.

As I already mentioned, with one user everything works fine for 20 to 25 minutes and then suddenly gets hung.

When I captured the packets I found some duplicate packets along with retransmission of packets.

Is it related to anything like MTU or MSS settings?

Bandwidth is never the issue.

Dear Prashant,

My insight over here is suspecting something in your NATing. If you have done static NATing or dynamic NATing, this will allow only one user session if you have only 1 public IP address in your global pool for your internal network translation to the external world.

Try to configure PATing. If you have already configured PATing, check the port utilisation; if it exceeds 64000 then you will have a problem. For our scenario we have only 10 users, so there should not be any problem for PATing.

Similarly check at the client-side HTTP application server whether it allows multiple user sessions from a single public routable IP address. If it has a restriction to 1, then you need to have multiple individual routable IP addresses for each user, or customer-owned private IP addresses, for this resolution.

Dynamic NAT has these disadvantages:

If the mapped pool has fewer addresses than the real group, you could run out of addresses if the amount of traffic is more than expected.

Use PAT if this event occurs often because PAT provides over 64,000 translations using ports of a single address.

You have to use a large number of routable addresses in the mapped pool; if the destination network requires registered addresses, such as the Internet, you might encounter a shortage of usable addresses.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_dynamic.html#wp1078484

HTH

Thks

Santhosh Sarav

HTH Regards Santhosh Saravanan
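The point Santhosh makes above (a dynamic NAT pool holding a single public IP can serve only one inside host, while PAT on that same address carries tens of thousands of sessions by allocating ports) can be seen in a small model. This is an added example, not code from the thread or from any Cisco product; the 203.0.113.x and 10.0.0.x addresses are constructed sample values.

```python
from dataclasses import dataclass, field

SAMPLE_POOL = ["203.0.113.10"]  # constructed: one public IP in the global pool
SAMPLE_HOSTS = ["10.0.0.%d" % i for i in range(1, 11)]  # constructed: the 10 users

@dataclass
class DynamicNat:
    """Dynamic NAT: each inside host consumes one whole address from the pool."""
    pool: list
    table: dict = field(default_factory=dict)  # inside_ip -> public_ip

    def translate(self, inside_ip):
        if inside_ip in self.table:
            return self.table[inside_ip]
        free = [ip for ip in self.pool if ip not in self.table.values()]
        if not free:
            return None  # pool exhausted: this host gets no translation at all
        self.table[inside_ip] = free[0]
        return free[0]

@dataclass
class Pat:
    """PAT: one public address, a unique source port per inside session."""
    public_ip: str
    low: int = 1024
    high: int = 65535
    table: dict = field(default_factory=dict)  # (inside_ip, port) -> (public_ip, port)

    def capacity(self):
        return self.high - self.low + 1  # 64512 usable ports on a single address

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key in self.table:
            return self.table[key]
        if len(self.table) >= self.capacity():
            return None  # port range exhausted (the "exceeds 64000" case)
        mapping = (self.public_ip, self.low + len(self.table))
        self.table[key] = mapping
        return mapping

def hosts_served_by_dynamic_nat(pool, inside_hosts):
    # Count distinct inside hosts that obtain a translation from the pool.
    nat = DynamicNat(pool=list(pool))
    return sum(1 for h in inside_hosts if nat.translate(h) is not None)

def sessions_served_by_pat(public_ip, sessions):
    # Count (inside_ip, inside_port) sessions PAT can carry on one address.
    pat = Pat(public_ip=public_ip)
    return sum(1 for ip, port in sessions if pat.translate(ip, port) is not None)
```

With the single-address pool only the first of the ten hosts is translated, which matches the symptom of one user working and the rest failing.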

Hi Santosh,

Today one activity was carried out by me.

With the same dynamic NAT policy it worked well for 10 users. The one thing changed was that I bypassed the firewall in between.

But with the same firewall it works well for one user.

On the firewall I have an access-list permit ip any any. I do not know what exactly the problem is on the firewall.

There is no IPS module on it also.

Dear Prashant,

Where are you performing your dynamic NATing: in the same firewall or in some other device?

1) My insight is on your firewall config. As you said already, your firewall is serving the internet with global PATing, so over here your firewall is performing the same PATing for your application HTTP server.

2) To avoid usage of global PATing, use access-list based dynamic NATing on your firewall.

If possible, post your firewall system configuration; it will be great for the resolution. This is only a configuration error.

HTH

Thks

Santhosh Sarav

HTH Regards Santhosh Saravanan

Hi

I have directed the traffic from the firewall and NATted on the router.

Dear Prashant,

Could you please share your firewall configuration? Is your firewall running PATing for general internet access?

HTH Regards Santhosh Saravanan