Default source IP address used by Edge SWG (ProxySG) with multiple physical IPs configured
Article ID: 262543
Updated On:
Products
Issue/Introduction
When multiple IP addresses are configured on the same subnet as the default gateway, you want to know which IP address the Edge SWG (ProxySG) chooses as a source IP address.
The IP source address selection has changed from SGOS version 6.7 to 7.3 and later, by default.
Environment
Edge SWG (ProxySG) with multiple IP addresses configured on a network interface on the same subnet as the default gateway.
Resolution
For SGOS version 7.3 and later, Edge SWG (ProxySG) will use the first IP configured when connecting to a server or the best match based on the route entry.
For SGOS version 6.7 and earlier, Edge SWG (ProxySG) automatically load-balances the source IP address based on an client IP hash.
To mimic SGOS 6.7 behavior on SGOS 7.3 and later, the IP source selection can be changed to client IP hash by running the "address-selection ipv4-source-hash" CLI command on the Edge SWG (ProxySG) outbound (egress) interface.
Additional Information
The "address-selection ipv4-source-hash" is a load-balancing technique that extracts the last octet of the client's IP address and uses a modulo index operation to determine which source IP address to use.
To address TCP port exhaustion issues, assign multiple IP addresses to a network interface using a load-balancing client IP hash for the outgoing IP address, increase available source ports, and lower the 2MSL timer.
Other options can override the source IP selection such as "Reflect client IP".
Examples of the different settings for source IP selections
Example configuration:
The default behavior for SGOS 7. using first IP configured on interface 1:0 referring to the example configuration
With "address-selection ipv4-source-hash" enabled:
Feedback
