Content switch 11500 and IDS

Unanswered Question
Mar 14th, 2007

The public interface of my content switch is mapped to a vlan with public addresses. My servers are on a diffent VLAN --> private address schema. On the VLAN where i define my VIP addresses i also have an intrusion detection system installed. We often see packets on the sniffer that have a private address, this should not be happening. The content switch should only forward packets with an ip = to the VIP and not the actual ip of the server.

It looks like to content switch often doesn't do nat to the vip address.

Can anybody help me on the problem.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Gilles Dufour Wed, 03/14/2007 - 07:56

the packet that you see is most probably a FIN.

When the client closes the connection, the CSS keeps it open a few more sec to allow the FIN from the server to go through nated.

But if the FIN comes later, it will be forwarded un-nated.

This is well-known.

There is no way to prevent this.


Frederik1980 Wed, 03/14/2007 - 08:29

Thank you gilles, is there any official documentation on this? You ar right when you say it is always a FIN.

Kind regards,


Gilles Dufour Wed, 03/14/2007 - 09:24


I do not know if this was documented or not.

It might be but I do not have a link.



This Discussion