08-13-2012 10:20 AM - edited 03-11-2019 04:41 PM
Hi all,
I am facing a typical issue.
I have two routers, router X and router Y, connected to one firewall.
For a particular VLAN I have diverted the traffic from the firewall to a different router (with a dedicated link for the VLAN).
Just assume gmail, hotmail etc. all traffic flowing from the firewall is diverted to router X.
And one HTTP traffic (HTTP application given by the client) flows through router Y from the firewall.
Link is of 2 Mbps for 10 users.
The problem is the user who connects first to that application via HTTP traffic has no problem.
But when other two to three users connect to that application via HTTP traffic then all the users start facing problems, including the first user.
The recommended bandwidth for 10 users is 1 Mbps. But we have dedicated 2 Mbps bandwidth for that traffic.
Note - client has provided some public IP for that HTTP traffic.
And for that public IP we have given a different route from the firewall.
08-13-2012 10:02 PM
Dear Prashant ,
Kindly let me know the following things:
1) Does this same VLAN need to access the open internet & the HTTP application?
2) Are you familiar with the application server IP address?
3) Are you doing PATing or static NATing for your LAN segment?
4) Has your firewall been defined with a specific route pointing to your application server to use your 2 Mbps circuit?
Your firewall should have a static route for the application server subnet to use your 2 Mbps circuit.
Let me know on this
HTH
Thks
Santhosh Sarav
08-15-2012 07:41 AM
Hi,
Thanks for your response.
As I already mentioned, with one user everything works fine for 20 to 25 minutes and then suddenly gets hung.
When I captured the packets I found some duplicate packets along with retransmission of packets.
Is it related to anything in the MTU or MSS settings?
Bandwidth is never the issue.
08-15-2012 07:06 PM
Dear Prashant ,
My insight over here is suspecting something in your NATing. If you have done static NATing or dynamic NATing this will allow only one user session, if you have only 1 public IP address in your global pool for your internal network translation to the external world.
Try to configure PATing. If you have already configured PATing check for port utilisation; if it exceeds 64000 then you will have a problem. For our scenario we have only 10 users so there should not be any problem for PATing.
Similarly check at the client side HTTP application server: does it allow multiple user sessions from a single public routable IP address? If it has a restriction to 1 then you need to have multiple individual routable IP addresses for each user or customer-owned private IP addresses for this resolution.
Dynamic NAT has these disadvantages:
• If the mapped pool has fewer addresses than the real group, you could run out of addresses if the amount of traffic is more than expected.
Use PAT if this event occurs often because PAT provides over 64,000 translations using ports of a single address.
• You have to use a large number of routable addresses in the mapped pool; if the destination network requires registered addresses, such as the Internet, you might encounter a shortage of usable addresses.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_dynamic.html#wp1078484
HTH
Thks
Santhosh Sarav
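The distinction drawn above (dynamic NAT hands a whole pool address to each inside host, while PAT multiplexes many flows onto one address by port) can be checked with a small model. This is an added example, not code from the thread or from any vendor; the NAT behaviour is a simplification, and the 10.1.1.x / 203.0.113.x addresses are constructed documentation values.

```python
# Toy model of dynamic NAT vs PAT (added example, not any vendor's code).
# 203.0.113.x and 10.1.1.x are constructed documentation addresses.
from dataclasses import dataclass, field

PAT_PORTS = (1024, 65535)   # ports one PAT address can hand out: 64512

@dataclass
class NatTranslator:
    mode: str        # "dynamic": one pool address per inside host; "pat": ports on pool[0]
    pool: list       # outside addresses; PAT uses only pool[0]
    host_map: dict = field(default_factory=dict)  # dynamic: inside ip -> outside ip
    flows: dict = field(default_factory=dict)     # (in_ip, in_port) -> (out_ip, out_port)

    def translate(self, inside_ip, inside_port):
        """Return the outside (ip, port) for a flow, or None if it cannot be translated."""
        key = (inside_ip, inside_port)
        if key in self.flows:
            return self.flows[key]
        if self.mode == "dynamic":
            # Each inside host borrows a whole address, so a pool of one serves one host.
            if inside_ip not in self.host_map:
                free = [a for a in self.pool if a not in self.host_map.values()]
                if not free:
                    return None   # pool exhausted: the extra user's session is dropped
                self.host_map[inside_ip] = free[0]
            self.flows[key] = (self.host_map[inside_ip], inside_port)
        else:
            # PAT: all flows share pool[0]; the outside port keeps them distinct.
            port = PAT_PORTS[0] + len(self.flows)
            if port > PAT_PORTS[1]:
                return None   # port exhaustion, the ">64000" ceiling mentioned in the thread
            self.flows[key] = (self.pool[0], port)
        return self.flows[key]

def users_served(mode, n_users, public_ips, flows_per_user=1):
    """Count how many of n_users get every one of their flows translated."""
    nat = NatTranslator(mode=mode, pool=list(public_ips))
    served = 0
    for i in range(n_users):
        inside = f"10.1.1.{i + 1}"
        outs = [nat.translate(inside, 49152 + f) for f in range(flows_per_user)]
        served += all(o is not None for o in outs)
    return served

if __name__ == "__main__":
    one_ip = ["203.0.113.10"]
    print("dynamic NAT, 1 public IP, 10 users served:", users_served("dynamic", 10, one_ip))
    print("PAT,         1 public IP, 10 users served:", users_served("pat", 10, one_ip))
    print("PAT,         1 public IP, capacity:", users_served("pat", 70000, one_ip))
```

With a single public address, dynamic NAT serves only the first host and PAT serves all ten; PAT runs out only at the port ceiling, which is what to check (port utilisation) if a PAT firewall is in the path.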
08-16-2012 07:25 AM
Hi Santhosh,
Today one activity was carried out by me.
With the same dynamic NAT policy it worked well for 10 users. The one thing changed was I bypassed the firewall in between.
But with the same firewall it works well for one user.
On the firewall I have an access-list permit ip any any. I do not know what exactly the problem is on the firewall.
There is no IPS module on it also.
08-16-2012 07:28 PM
Dear Prashant ,
Where are you performing your dynamic NATing, in the same firewall or in some other device?
1) My insight is on your firewall config. As you said already, your firewall is servicing the internet with global PATing, so over here your firewall is performing the same PATing for your application HTTP server.
2) To avoid usage of global PATing, use access-list based dynamic NATing on your firewall.
If possible, post your firewall system configuration; it will be helpful for the resolution. This is only a configuration error.
HTH
Thks
Santhosh Sarav
08-16-2012 08:23 PM
Hi
I have directed the traffic from the firewall and NATed it on the router.
08-16-2012 09:02 PM
Dear Prashant ,
Could you please share your firewall configuration? Is your firewall running PATing for general internet access?