
15501 CSS rewrites client source IP address with its own

mgierach1
Level 1

We have a CSS that appears to be rewriting the client source IP for HTTP requests with its own IP. This is an issue as we're unable to log the real IPs of the clients requesting HTTP data.

The config is attached.

Any assistance would be appreciated.

6 Replies

mgierach1
Level 1

Configuration

It's doing it because you configured it to do so.

Group commands in the configurations are translating the source IPs.

Since your services & VIPs are on the same subnet, source natting is required for clients sitting in the same subnet.

Syed Iftekhar Ahmed

We had just discovered this recently.

Is it possible to log the real source IPs?

Thanks for the input.

Seeing as the issue is with the group commands, is there any way to achieve local VIP access without the use of groups (different subnet?), or if not to export the real source IPs in the form of an X-Forwarded-For or other HTTP variable?

It's possible with ACE to insert headers, but X-Forwarded-For cannot be inserted for HTTP traffic on CSS.

The only option to get the source IP is to redesign your topology such that it's totally routed.

Your VIPs should be listening on a different Layer 3 network than the Services.

Syed Iftekhar Ahmed

Thanks Syed.

Do you have an example of how this would look in our situation? I'm having trouble locating Cisco documentation on this.

Much appreciated,

Mark
