
WSA with Radware load balancer

DK9
Level 1

Hi, is anyone using Radware as a load balancer for WSA? Do we need to change anything on the WSA side? We have given the Radware LB VIP in the proxy settings of users, but requests are not reaching the WSA. Is any guide available for the configuration?


amojarra
Cisco Employee

Hello @DK9 

Thanks for reaching out.

While using a load balancer, you need to consider:

[1] Network traffic flow (send and receive)

[2] Authentication (kindly check the section "Creating an Active Directory Realm for Kerberos Authentication Scheme" in the user guide): https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa-15-0/user-guide/wsa-userguide-15-0.pdf

[3] WSA to third-party services (DNS, Active Directory, NTP, ...) network flow.

Regarding "... vip in the proxy settings of users but request is not reaching WSA": I would say please collect a PCAP from the WSA and check whether the SYN packet is reaching the WSA or not. Or it could be that the WSA gets the SYN and sends the SYN/ACK, but it never reaches the client.

Then you can isolate the problem by following the network traffic and PCAPs.


Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++        If you find this answer helpful, please rate it as such      ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

 

 

Hi @amojarra, we have received the SYN, but the ACK is not reaching the client; that's the issue.

This SYN is received by the WSA, and the WSA is sending the ACK, but it is not reaching the client and it is retransmitting.

amojarra
Cisco Employee

Thanks @DK9 

You need to check the DST_MAC address of the SYN-ACK packet (most probably it will be the WSA's gateway to the client, or maybe your LB).

Then start a PCAP from there to see whether it is sending it to the client or not. If not, then you need to review the configuration of that device.

 

Regards,

Amirhossein Mojarrad
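
Added example, not part of the original replies and not Cisco or Radware code: the check described above (which SYN-ACKs from the proxy never get the client's ACK, and which destination MAC they were sent to) run over raw Ethernet frames taken from a capture on the WSA. The proxy address, port, MAC addresses and sample frames are constructed from documentation ranges, and the function names are hypothetical.

```python
import struct
from collections import defaultdict

SYN, ACK, SYNACK = 0x02, 0x10, 0x12

def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))

def parse(frame):
    """Untagged Ethernet II / IPv4 / TCP -> (dst_mac, src, dst, sport, dport, seq, ack, flags)."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                              # VLAN-tagged, IPv6, non-TCP: skipped
    tcp = 14 + (frame[14] & 0x0F) * 4            # honour the IP header length
    if len(frame) < tcp + 14:
        return None
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", frame[tcp:tcp + 14])
    return (frame[0:6].hex(":"), frame[26:30], frame[30:34],
            sport, dport, seq, ack, off_flags & 0x3F)

def unanswered_synacks(frames, proxy_ip):
    """Group by destination MAC the SYN-ACKs sent by proxy_ip that no client ACK completed."""
    proxy = ip_bytes(proxy_ip)
    copies, mac_of, completed = defaultdict(int), {}, set()
    for mac, src, dst, sport, dport, seq, ack, flags in filter(None, map(parse, frames)):
        if src == proxy and flags & SYNACK == SYNACK:
            key = (dst, dport, sport, (seq + 1) & 0xFFFFFFFF)
            copies[key] += 1                     # more than 1 means retransmission
            mac_of[key] = mac                    # next hop the proxy chose for the reply
        elif dst == proxy and flags & SYNACK == ACK:
            completed.add((src, sport, dport, ack))
    report = defaultdict(list)
    for key, n in copies.items():
        if key not in completed:
            report[mac_of[key]].append((".".join(map(str, key[0])), key[1], n))
    return dict(report)

def make_frame(dst_mac, src, dst, sport, dport, seq, ack, flags):
    """Build a minimal constructed frame (checksums left zero) for the sample."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes(6) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip_bytes(src), ip_bytes(dst))
    return eth + ip + struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)

# Constructed sample: proxy 192.0.2.10:3128; one flow answered via the gateway, one via the LB.
GW, LB, WSA = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:10"
SAMPLE = [make_frame(WSA, "198.51.100.7", "192.0.2.10", 40000, 3128, 100, 0, SYN)]
SAMPLE += [make_frame(GW, "192.0.2.10", "198.51.100.7", 3128, 40000, 500, 101, SYNACK)] * 3
SAMPLE += [make_frame(WSA, "198.51.100.8", "192.0.2.10", 40001, 3128, 200, 0, SYN),
           make_frame(LB, "192.0.2.10", "198.51.100.8", 3128, 40001, 900, 201, SYNACK),
           make_frame(WSA, "198.51.100.8", "192.0.2.10", 40001, 3128, 201, 901, ACK)]
print(unanswered_synacks(SAMPLE, "192.0.2.10"))
```

A MAC that collects repeated, unanswered SYN-ACKs identifies the next-hop device whose forwarding or routing configuration should be reviewed first.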


Ya, we are checking the destination MAC address device. Meanwhile, which is the better method to configure in the LB: round robin or least connection?

amojarra
Cisco Employee

@DK9 

That depends on your web traffic behavior. I mean, some servers use too much bandwidth, and some users have too many requests.

I would say it is best to monitor and adjust.

 

 

Regards,

Amirhossein Mojarrad


Do we need to add any specific route in the WSA if a load balancer is used?

Issue resolved. Changed the routing in Radware and added one route in the WSA.

Thanks for the support