Bhavesh_Kumar
Jul 14, 2014

LB drops reset packet sent by websense

I have a Websense setup wherein the Websense server sits on one subnet and my client machine sits on another subnet. The LB is doing the inter-VLAN routing. When Websense sends a reset packet to the client, it doesn't reach the client. I know the LB is doing stateful inspection and, due to that, it's dropping the packet from the Websense server.

 

I am trying to find a way out wherein the LB should not drop the reset packet.

 

4 Replies

  • Hamish

    Are you using a network VS to do the forwarding to the Websense? If so, there's a bug in 11.4.1 where the RST won't be forwarded if the connection has expired from the connection table. I believe it's fixed somewhere AFTER HF6... (It was a regression. Worked fine in 11.2.1, broken around 11.3.0).

     

    H

     

  • Hamish

    That bug also requires you to be NOT sending reset on timeout for the network VS tcp profile...

     

    H

     

  • Let me put this in a simple way -

     

    Servers(10.10.10.x(VLAN10) and 10.10.11.x(VLAN11))-->Switch-->LB--->Firewall-->Internet

     

    The LB is the default gateway for both VLANs.

     

    SPAN traffic from both VLANs is being sent to the Websense server's network port by the switch.

     

    My Websense (running in promiscuous mode) sits on the 10.10.0.x (VLAN10) subnet and it's able to do the URL filtering for this subnet, meaning Websense is able to send the reset packet directly to the client, as the client is on the same subnet as the Websense and the reset packet doesn't have to be routed through the LB. But this is not the case for 10.10.11.x (VLAN11), as the reset packet from Websense has to reach the client through the LB. When the LB receives the reset packet, it silently drops it (I am assuming that it's dropping the packet due to the LB's stateful inspection).

     

    How to prevent this?

     

  • Any help is appreciated on this issue. I am not sure whether this is possible or not on the LB.