15501 CSS rewrites client source IP address with its own

Nov 10th, 2008

We have a CSS that appears to be rewriting the client source IP for HTTP requests with its own IP. This is an issue as we're unable to log the real IPs of the clients requesting HTTP data.

The config is attached.

Any assistance would be appreciated.

Syed Iftekhar Ahmed Mon, 11/10/2008 - 21:33

It's doing it because you configured it to do so.

Group commands in the configuration are translating the source IPs.

Since your services & VIPs are on the same subnet, source natting is required for clients sitting in the same subnet.

Syed Iftekhar Ahmed

mgierach1 Tue, 11/11/2008 - 09:11

We had just discovered this recently.

Is it possible to log the real source IPs?

Thanks for the input.

mgierach1 Wed, 11/12/2008 - 12:52

Seeing as the issue is with the group commands, is there any way to achieve local VIP access without the use of groups (different subnet?), or if not to export the real source IPs in the form of an X-Forwarded-For or other HTTP variable?

Syed Iftekhar Ahmed Wed, 11/12/2008 - 21:30

It's possible with ACE to insert headers, but X-Forwarded-For cannot be inserted for HTTP traffic on CSS.

The only option to get the source IP is to redesign your topology such that it's totally routed.

Your VIPs should be listening on a different Layer 3 network than the Services.

Syed Iftekhar Ahmed
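
Added example (not part of the thread, and not CSS configuration): a small Python model of the return-path reasoning in the replies above, showing why a client on the same subnet as the services forces source NAT and why a routed design keeps the real client IP in the server logs. All addresses are constructed from documentation ranges, and the model assumes the servers use the load balancer as their default gateway.

```python
import ipaddress

LB_NAT_ADDR = "192.0.2.10"  # constructed: address the load balancer NATs clients to

def server_view(client_ip, server_net, source_nat):
    """Return (logged_source, reply_path) for one client request.

    Assumption: the servers' default gateway is the load balancer, so a reply
    to any off-subnet address passes back through it.
    """
    client = ipaddress.ip_address(client_ip)
    net = ipaddress.ip_network(server_net)
    if source_nat:
        # The server only ever sees the NAT address; the reply returns to the LB.
        return LB_NAT_ADDR, "via_lb"
    if client in net:
        # The server answers the on-link client directly from its real IP.
        # The client opened the connection to the VIP, so it drops that reply.
        return client_ip, "direct_broken"
    return client_ip, "via_lb"

def audit(clients, server_net):
    """For each client: is source NAT needed, and what address do server logs show?"""
    report = {}
    for ip in clients:
        _, path = server_view(ip, server_net, source_nat=False)
        nat_needed = path == "direct_broken"
        logged, _ = server_view(ip, server_net, source_nat=nat_needed)
        report[ip] = {"nat_needed": nat_needed, "logged_as": logged}
    return report

# Constructed sample clients, not taken from the poster's attached config.
CLIENTS = ["192.0.2.50", "198.51.100.7"]
FLAT = audit(CLIENTS, "192.0.2.0/24")      # services share a subnet with a client
ROUTED = audit(CLIENTS, "203.0.113.0/24")  # services on their own Layer 3 network

if __name__ == "__main__":
    for name, rep in (("flat", FLAT), ("routed", ROUTED)):
        for ip, r in rep.items():
            print(f"{name:6} client {ip:13} nat_needed={r['nat_needed']!s:5} "
                  f"logged_as={r['logged_as']}")
```
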

mgierach1 Fri, 11/14/2008 - 08:22

Thanks Syed.

Do you have an example of how this would look in our situation? I'm having trouble locating Cisco documentation on this.

Much appreciated,


