Default source IP address used by Edge SWG (ProxySG) with multiple physical IPs configured

Article ID: 262543

Products

ProxySG Software - SGOS ISG Proxy SG-VA

Issue/Introduction

When multiple IP addresses are configured on the same subnet as the default gateway, you want to know which IP address the Edge SWG (ProxySG) chooses as a source IP address.

The default source IP address selection changed between SGOS version 6.7 and SGOS version 7.3 and later.

Environment

Edge SWG (ProxySG) with multiple IP addresses configured on a network interface on the same subnet as the default gateway.

Resolution

For SGOS version 7.3 and later, Edge SWG (ProxySG) will use the first IP configured when connecting to a server or the best match based on the route entry.

For SGOS version 6.7 and earlier, Edge SWG (ProxySG) automatically load-balances the source IP address based on a client IP hash.

To mimic SGOS 6.7 behavior on SGOS 7.3 and later, the IP source selection can be changed to client IP hash by running the "address-selection ipv4-source-hash" CLI command on the Edge SWG (ProxySG) outbound (egress) interface.

Additional Information

The "address-selection ipv4-source-hash" setting is a load-balancing technique that extracts the last octet of the client's IP address and uses a modulo index operation to determine which source IP address to use.
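A model of the selection described above, as an added example that is not Broadcom's code: it shows how client addresses map to source IPs and why clients sharing a last octet all land on the same one. It assumes the modulo indexes the interface addresses in configured order; all addresses are constructed.

```python
import ipaddress

# Constructed sample addresses (documentation range), standing in for the
# IPs configured on the egress interface, in configured order.
SOURCE_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]


def select_source_ip(client_ip, source_ips=SOURCE_IPS):
    """Model the client IP hash: last octet of the client IPv4 address,
    modulo an index into the source IPs.

    Assumption: the index runs over the addresses in configured order.
    """
    if not source_ips:
        raise ValueError("at least one source IP is required")
    # IPv4Address rejects malformed input and IPv6 addresses; the command
    # name refers to ipv4 only.
    last_octet = ipaddress.IPv4Address(client_ip).packed[-1]
    return source_ips[last_octet % len(source_ips)]


def distribution(client_ips, source_ips=SOURCE_IPS):
    """Count how many clients land on each source IP (zeros included)."""
    counts = {ip: 0 for ip in source_ips}
    for client in client_ips:
        counts[select_source_ip(client, source_ips)] += 1
    return counts


if __name__ == "__main__":
    # A full /24 of clients spreads almost evenly across the three addresses.
    subnet = [str(ip) for ip in ipaddress.ip_network("10.0.1.0/24")]
    print(distribution(subnet))
    # Clients that share a last octet (constructed) all hash to one source IP,
    # so that address alone carries their source-port load.
    same_octet = ["10.0.1.20", "10.0.2.20", "10.0.3.20", "10.0.4.20"]
    print(distribution(same_octet))
```

Because only the last octet is hashed, the balance depends on how client last octets are distributed, not on how many distinct clients there are.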

To address TCP port exhaustion issues, assign multiple IP addresses to a network interface using a load-balancing client IP hash for the outgoing IP address, increase available source ports, and lower the 2MSL timer.

Other options, such as "Reflect client IP", can override the source IP selection.

Examples of the different settings for source IP selections

Example configuration:

The default behavior for SGOS 7., using the first IP configured on interface 1:0 (referring to the example configuration):

With "address-selection ipv4-source-hash" enabled: