I hope someone can help me out with this issue I am having with a CSS 11503. We are in the process of setting up an SAP portal with an Oracle backend. This portal consists of two front end Web proxy servers in the DMZ and a couple of Oracle/SAP application servers in the backend ( inside the firewall). We have only one CSS with another being ordered for redundancy purposes. I have one interface connected to the DMZ network while the other interface is connected to the internal network. The DMZ is through an interface on the ASA.
The CSS has been configured for two VIP's one for the front end web proxy servers and one for the backend Oracle/SAP servers.
Traffic flow is as follows.. any request coming in from the internet/LAN will go to the DMZ VIP address which in turn will forward the request on to the Web proxy boxes . These boxes will then iniate a request to the backend Oracle/SAP boxes on the internal VIP.
Default route on the CSS points to the DMZ interface.
The problem I have is of asymmetric routing I guess. When both circuit IP's (internal and DMZ) are configured I can only get to the internal VIP address and not the DMZ . I can however ping everything. When I remove the internal circuit ip I can get to the DMZ and not to the internal vip.
I would appreciate any input on tthis matter.