Forum Discussion
LB drops reset packet sent by websense
I have a Websense setup wherein the Websense server sits on one subnet and my client machine sits on another subnet. The LB is doing the inter-VLAN routing. When Websense sends a reset packet to the client, it doesn't reach the client. I know the LB is doing stateful inspection and due to that it's dropping the packet from the Websense server.
I am trying to find a way out wherein the LB should not drop the reset packet.
4 Replies
- Hamish
Cirrocumulus
Are you using a network VS to do the forwarding to the Websense? If so, there's a bug in 11.4.1 where the RST won't be forwarded if the connection has expired from the connection table. I believe it's fixed somewhere AFTER HF6... (It was a regression. Worked fine in 11.2.1, broken around 11.3.0).
H
- Hamish
Cirrocumulus
That bug also requires you to be NOT sending reset on timeout for the network VS tcp profile...
H
- Bhavesh_Kumar
Nimbostratus
Let me put this in a simple way -
Servers(10.10.10.x(VLAN10) and 10.10.11.x(VLAN11))-->Switch-->LB--->Firewall-->Internet
The LB is the default gateway for both VLANs.
SPAN traffic from both VLANs is being sent to the Websense server network port by the switch.
My Websense (running in promiscuous mode) sits on the 10.10.0.x (VLAN10) subnet and it's able to do the URL filtering for this subnet, meaning Websense is able to send the reset packet directly to the client, as the client is on the same subnet as the Websense and the reset packet doesn't have to be routed through the LB. But this is not the case for 10.10.11.x (VLAN11), as the reset packet from Websense has to reach the client through the LB. When the LB receives the reset packet it silently drops it (I am assuming that due to stateful inspection of the LB it's dropping the packet).
How to prevent this?
- Bhavesh_Kumar
Nimbostratus
Any help is appreciated on this issue. I am not sure whether this is possible or not on the LB.
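
One way to confirm where the resets disappear, as an added example that is not part of the thread: capture on both sides of the routing device and list the RST segments that arrive from the filter's VLAN but never leave toward the client VLAN. It assumes text captures taken with `tcpdump -nn -S`; the addresses, ports, sequence numbers and function names below are constructed for illustration.

```python
import re

# Matches IPv4 TCP lines from `tcpdump -nn -S` text output (absolute seq numbers).
SEGMENT = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"Flags \[([^\]]+)\], seq (\d+)"
)

def resets(capture):
    """Return {(src, sport, dst, dport, seq)} for every RST segment in a capture."""
    found = set()
    for line in capture.splitlines():
        m = SEGMENT.search(line)
        if m and "R" in m.group(5):
            src, sport, dst, dport, _, seq = m.groups()
            found.add((src, int(sport), dst, int(dport), int(seq)))
    return found

def dropped_resets(ingress, egress):
    """RSTs that reached the routing device but were never forwarded."""
    return sorted(resets(ingress) - resets(egress))

# Constructed sample: capture on the VLAN10 side, where the filter injects resets.
VLAN10_SIDE = """\
12:00:01.000900 IP 203.0.113.10.80 > 10.10.11.25.51514: Flags [R.], seq 1001, ack 620, win 0, length 0
12:00:02.000400 IP 203.0.113.10.80 > 10.10.11.26.51600: Flags [R.], seq 7001, ack 910, win 0, length 0
"""

# Constructed sample: capture on the VLAN11 side, facing the clients.
VLAN11_SIDE = """\
12:00:01.000100 IP 10.10.11.25.51514 > 203.0.113.10.80: Flags [P.], seq 500:620, ack 1001, win 229, length 120
12:00:02.000500 IP 203.0.113.10.80 > 10.10.11.26.51600: Flags [R.], seq 7001, ack 910, win 0, length 0
"""

if __name__ == "__main__":
    for rst in dropped_resets(VLAN10_SIDE, VLAN11_SIDE):
        print("RST not forwarded:", rst)
```

An empty result on real captures means the resets are being forwarded and the loss is further downstream, for example at the client or the switch.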