|
On Fri, 2007-11-30 at 12:28 +0000, Steve Drew wrote:
> Load balancing to Realserver1 is working correctly, but when the
> director sends the request to realsever2 I'm seeing the following on the
> PIX:
>
> %PIX-6-106015: Deny TCP (no connection) from host lb0/80 to
> my.external.i.p/1083 flags SYN ACK on interface dmz2-network
>
> I'm presuming because the PIX doesn't know about the connection.
>
> I have disabled reverse-path verification on the dmz2 network.
Hrm...
Turning off reverse-path verification on dmz2 won't work, since the PIX
sees lb0's address on the network attached to dmz1 and is keeping the
connection table for sessions from clients to lb0 locked to that
interface.
What happens if you add an explicit PERMIT rule for traffic from lb0
which is ingress traffic to the dmz2 interface? I'd write one for you
but it's so long since I drove a PIX I'd get it wrong :)
Graeme
|
