CSS11503 - Inbound and outbound traffic on same virtual interface

Answered Question
Sep 19th, 2007

Set up two CSS11503s running 8.10. Running an active/passive config.

Two groups of servers, each with a VIP. Both groups of servers on the same VLAN.

The VIPs reside on VLAN1 and the servers are on VLAN2.

Problem:

Servers from one group cannot access the other via its VIP. Servers cannot access themselves via their VIP as well.

Can ping the VIPs without a problem.

I assume that this is because the traffic generated by a client is going in and out of the same interface.

I have come across similar problems on various firewalls.

Is there any way of getting around this?

Thanks

Julian

Correct Answer by Gilles Dufour, Wed, 09/19/2007 - 07:59

Julian,

this is not the same issue as a firewall preventing traffic from going in and out the same interface.

The problem here is that the CSS will receive traffic from Server1; it will NAT the VIP into Server2 and forward the traffic, keeping the source IP unchanged.

So, when Server2 replies, it sends the response to Server1. Since they are on the same subnet, the response bypasses the CSS, and Server1 receives a response from Server2, which is unknown to Server1 since it expects a response from the VIP.

The solution is to implement source NAT on the CSS for traffic originating from the servers.

This can be done with a group and an ACL.

This was discussed many times, so I think you should be able to find a sample config somewhere.

If you can't, let me know.

Gilles.
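The "group and an ACL" approach above, written out as a CSS 11500 configuration fragment. This is an added example, not a config posted in the thread and not Cisco's sample config; the addresses (VIPs in 10.1.1.0/24 on VLAN1, servers in 10.1.2.0/24 on VLAN2), the service/content/group names and the ACL numbers are assumptions, and the exact clause syntax should be checked against the documentation for the CSS software version in use.

```text
! Assumed layout (not from the original post):
!   VLAN1 = 10.1.1.0/24  (client side, VIPs live here)
!   VLAN2 = 10.1.2.0/24  (server side, real servers live here)

service server1
  ip address 10.1.2.11
  active

service server2
  ip address 10.1.2.12
  active

owner app
  content group-a
    vip address 10.1.1.101
    protocol tcp
    port 80
    add service server1
    active
  content group-b
    vip address 10.1.1.102
    protocol tcp
    port 80
    add service server2
    active

! Source group: flows bound to this group leave the CSS with 10.1.2.250 as
! their source address. Because that address belongs to the CSS on the
! server subnet, the real server's reply comes back through the CSS instead
! of going directly to the originating server on the shared VLAN.
group server-snat
  vip address 10.1.2.250
  active

! ACL on the server-side circuit: anything sourced from the server subnet
! and hitting a content rule is tied to the source group. The second clause
! keeps all other server-originated traffic working.
acl 10
  clause 10 permit any 10.1.2.0 255.255.255.0 destination any sourcegroup server-snat
  clause 20 permit any any destination any
  apply circuit-(VLAN2)

! Once ACLs are enabled the CSS denies all traffic on any circuit that has
! no ACL applied, so the client-side circuit needs an explicit permit too.
acl 20
  clause 10 permit any any destination any
  apply circuit-(VLAN1)

acl enable
```

Two things to verify after applying this: that the real servers now see connections from 10.1.2.250 rather than from the peer server (so their own logs and any host firewall rules are adjusted accordingly), and that the VLAN1 ACL is in place before `acl enable`, since enabling ACLs with a circuit left unprotected silently drops all client traffic on that circuit.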
