CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1
2007-09-27
paprichaat, Junior Member (Join Date: 2006-10-18, Posts: 14)
Subject: https web page hangs with NGX and NAT

I am at my wits' end.

I am using the following setup:

tomcat web server --> Cisco CSS (SLBs) --> NGX R65 --> Internet

Static NAT on the CP gateway (Nokia) for HTTPS from any client to the SLB VIP. On the client browser you get a certificate challenge and then the connection is eventually reset by the server (as seen on tcpdump) with no further page updates (just a blank page).

This works inside the firewall just fine. Is it NAT causing the issue? Or does the fw dislike a mismatched certificate? Nothing in the logs but green, no SmartDefense or rule 0 issues. NAT working OK on both sides according to tcpdump.

Has anyone any suggestions?

Thanks.
#2
2007-10-19
gavvys, Senior Member (Join Date: 2007-04-10, Location: India, Posts: 136)
Subject: Re: https web page hangs with NGX and NAT

Hi,
Well, the same problem of resetting the connection was faced by one of my friends. This issue is not with the NATting.
In that case there was also HTTPS communication, and he was facing the issue with stateful inspection.

"Drop out of state TCP packets" refers to instances where the firewall doesn't recognize a proper three-way handshake of the TCP connection. When this function is on, the firewall expects to see the full TCP connection establishment process of SYN, SYN-ACK, etc. While examining the TCP connection establishment, the firewall will check the first SYN packet for authorization against the FireWall-1 rule base.
If the firewall receives a SYN-ACK packet, it goes to the state table to look for the connection (the SYN should already be there); if the firewall fails to find the connection reference, the packet will be dropped with the "Drop out of state TCP packets" message.
When this option is unchecked in the Global Properties menu (under "Stateful Inspection -> Out of state packets"), it simply allows TCP packets that the firewall cannot find in the state table to be tested against the rule base as a secondary option.

Kindly check the issue.
Let me know if this resolves your issue or not.

Regards
Ranjit
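The following toy model is an added illustration of the stateful-inspection behaviour described in the reply above; it is not code from the thread or from Check Point, and the addresses, ports and the single accept rule are constructed for the example. It shows why an in-order handshake passes, why a SYN-ACK with no matching state entry is dropped as "out of state" when the option is on, and what happens when the option is off: the packet is simply re-checked against the rule base, and a rule written for client-to-VIP port 443 does not match a server-to-client reply, so it still falls to the cleanup rule.

```python
"""Toy model of 'Drop out of state TCP packets' (added example, not Check Point code)."""
from dataclasses import dataclass
from typing import List, Set, Tuple

ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN", "SYN-ACK" or "ACK"


@dataclass(frozen=True)
class Rule:
    src: str            # address or "any"
    dst: str
    dport: int
    action: str         # "accept" or "drop"


Key = Tuple[str, int, str, int]   # (src, sport, dst, dport)


def rule_base_lookup(rules: List[Rule], pkt: Packet) -> str:
    """First-match rule base; anything unmatched hits the implicit cleanup rule."""
    for r in rules:
        if r.src in (ANY, pkt.src) and r.dst in (ANY, pkt.dst) and r.dport == pkt.dport:
            return r.action
    return "drop (cleanup rule)"


class StatefulFirewall:
    def __init__(self, rules: List[Rule], drop_out_of_state: bool = True) -> None:
        self.rules = rules
        self.drop_out_of_state = drop_out_of_state
        self.table: Set[Key] = set()   # connections whose first SYN was accepted

    def inspect(self, pkt: Packet) -> str:
        fwd: Key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: Key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "SYN":
            # Only the first SYN is authorized against the rule base.
            verdict = rule_base_lookup(self.rules, pkt)
            if verdict == "accept":
                self.table.add(fwd)
            return verdict
        # Non-SYN segments must belong to a connection already in the state table.
        if fwd in self.table or rev in self.table:
            return "accept"
        if self.drop_out_of_state:
            return "drop (out of state)"
        # Option unchecked: secondary check of the packet against the rule base.
        return rule_base_lookup(self.rules, pkt)


# Constructed sample data: one HTTPS rule to a published VIP.
CLIENT, VIP = "198.51.100.7", "203.0.113.10"
RULES = [Rule(ANY, VIP, 443, "accept")]
SYN = Packet(CLIENT, 51000, VIP, 443, "SYN")
SYNACK = Packet(VIP, 443, CLIENT, 51000, "SYN-ACK")
ACK = Packet(CLIENT, 51000, VIP, 443, "ACK")


def full_handshake() -> List[str]:
    """Handshake seen in order: SYN authorized, reply and ACK matched by state."""
    fw = StatefulFirewall(RULES)
    return [fw.inspect(p) for p in (SYN, SYNACK, ACK)]


def reply_without_syn(drop_out_of_state: bool) -> str:
    """A SYN-ACK arrives but the firewall never recorded the SYN."""
    fw = StatefulFirewall(RULES, drop_out_of_state)
    return fw.inspect(SYNACK)


if __name__ == "__main__":
    print(full_handshake())
    print(reply_without_syn(True))
    print(reply_without_syn(False))
```

The useful check for a case like the one in this thread is therefore not only whether the option is on, but whether a "drop out of state" event actually appears in the log for the reply direction; if it does not, the reset is happening for another reason and toggling the option will not change the verdict.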