Reset Search
 

 

Article

KB44837 - Implications of using Single NAT in Pulse Connect Secure (PCS) deployments.

« Go Back

Information

 
Last Modified Date10/7/2021 9:05 AM
Synopsis
This article describes the demerits of using NAT in PCS deployments.
Problem or Goal
When Load Balancer or a Firewall is configured with Single NAT, all the end user connections reaching PCS would show the same Source IP Address.

End Point Device -> Internet -> DMZ (LB/FW) Single NAT -> PCS

PCS will in turn treat all the incoming connections as coming from the same source and direct all these requests to a Single CPU core. This overloads a single CPU core affecting the performance and sometimes can cause an outage too.

This condition can be confirmed by checking the User Access logs as shown in the below example,
 
info - [ 10.10.10.10] - User1(Pulse Secure Realm)[][] - 2021/09/09 11:20:51 - PSA-LAB - Primary authentication successful for User1/LDAP from  10.10.10.10
info - [ 10.10.10.10] -  User2(Pulse Secure Realm)[][] - 2021/09/09 11:20:58 - PSA-LAB - Primary authentication successful for User2/LDAP from  10.10.10.10
info - [ 10.10.10.10] - User3(Test)[][] - 2021/09/09 11:21:00 - PSA-LAB - Primary authentication successful for User3/LDAP from  10.10.10.10
info - [ 10.10.10.10] - User4(TEST)[][] - 2021/09/09 11:21:02 - PSA-LAB - Primary authentication successful for User4/LDAP from  10.10.10.10
info - [ 10.10.10.10] - User5(TEST)[][] - 2021/09/09 11:21:07 - PSA-LAB - Primary authentication successful for User5/LDAP from  10.10.10.10
info - [ 10.10.10.10] - User6(TEST)[][] - 2021/09/09 11:21:18 - PSA-LAB - Primary authentication successful for User6/LDAP from  10.10.10.10
info - [ 10.10.10.10] - User7(TEST)[][] - 2021/09/09 11:21:22 - PSA-LAB - Primary authentication successful for User7/LDAP from  10.10.10.10
info - [ 10.10.10.10] - User8(TEST)[][] - 2021/09/09 11:21:23 - PSA-LAB - Primary authentication successful for User8/LDAP from  10.10.10.10
info - [ 10.10.10.10] - User9(Pulse Secure Realm)[][] - 2021/09/09 11:22:30 - PSA-LAB - Primary authentication successful for User9/LDAP from  10.10.10.10




 
Cause
Solution
Configure the LB/Firewall to use multiple Source IP Addresses or enable Source IP transparency.
Related Links
Attachment 1 
Created ByRaghu Kumar

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255