CSS11503-Can not access web service on VIP when source IP is on same subnet

Unanswered Question

Hello All,

I have a CSS11503 set up to load balance web traffic to two web servers. I can get to the site from any PC on another subnet, but when I try to reach the site from a PC on the same subnet as the web servers, I can't connect. I appreciate any input.



Syed Iftekhar Ahmed Tue, 02/24/2009 - 11:18

You will need to use a source group to NAT the client's source IP so that the end server doesn't respond directly back to the client but instead goes back through the CSS.

The issue is that when the client sends a request to the VIP configured for the web servers, the CSS will select either the WEB1 or WEB2 server and hand the traffic over to it.

Now from WEB1/WEB2's perspective the source address of this request is from the same subnet where they reside. Since both the web server and the client share the same L2 VLAN, it will attempt to send the response back to the client directly using ARP (bypassing the CSS and making the connection asymmetric).

Since the client sent the request to the VIP, not the WEB1/WEB2 IP, the client will drop the response (it opened a connection to the VIP, not the web server IP, and has no information about the web server IP in its connection table).


Syed Iftekhar Ahmed

tonybourke Tue, 02/24/2009 - 11:20

Hi Dat,

The problem is that traffic needs to hit the CSS on the way in (VIP) and on the way out (default gateway or Layer 2 path).

Load balancing happens in four steps. Let's take a look at the NAT. Let's assume your server is, and your VIP is, and the client is The server's default gateway is, which is on the CSS. The IPs will be listed as source IP address -> destination IP address.

Client -> CSS: ->

CSS -> Server: ->

Server -> CSS: ->

CSS -> Client ->

This is pretty normal. Note that in step 2, the client's *true source* is preserved. Now, let's do this again with the client being on the same subnet as the web servers (

Client -> CSS: ->

CSS -> Server: ->

Server -> Client: ->

You'll notice the client responded directly to the client, so the 4th step didn't happen. Because the client is on the same subnet as the real server, there was no way to force the traffic back out through the CSS.

There are a couple of ways you can potentially solve this:

1: Do source-NAT. This will hide the true source to your IP addresses, so if you go this route, make sure your server people are OK with that.

2: Plug the servers directly into the CSS. It's been a while since I've played with a CSS, but they did support bridge-path. You force traffic to flow through the CSS on the way out by it being the Layer 2 path, instead of the somewhat more common Layer 3 path (the CSS as the default gateway).

3: Find a way around needing to hit the VIP from the same subnet as the servers.

Hope this helps.
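The packet walk both replies describe, as an added example that is not part of the original posts: it simulates the four steps with and without a source group and shows why a same-subnet client drops the reply, and what the server sees as the source once NAT is on. All addresses are constructed placeholders, not from the thread or a real CSS config.

```python
# Added example (not from the thread): packet walk for the same-subnet return-path
# problem. All addresses are constructed RFC 5737 placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVER_SUBNET = ip_network("192.0.2.0/24")  # server VLAN; the CSS is its default gateway
VIP = "192.0.2.100"                         # VIP configured on the CSS
CSS_NAT_IP = "192.0.2.1"                    # CSS address a source group would NAT clients to
SERVER = "192.0.2.10"                       # the real server the CSS selects

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass
class Walk:
    hops: list             # (label, Packet) in order
    client_accepts: bool   # reply matches the client's connection table?
    server_saw_src: str    # source the server logs (the source-NAT caveat)

def walk(client_ip: str, source_nat: bool) -> Walk:
    """Simulate the four load-balancing steps with or without a source group."""
    # Step 1: the client opens a connection to the VIP; its connection table
    # only knows the pair (client, VIP), nothing about the real server.
    conn_table = {(client_ip, VIP)}
    hops = [("Client -> CSS", Packet(client_ip, VIP))]
    # Step 2: the CSS rewrites the destination to the chosen server. Without
    # source NAT the client's true source is preserved.
    src_for_server = CSS_NAT_IP if source_nat else client_ip
    hops.append(("CSS -> Server", Packet(src_for_server, SERVER)))
    # Step 3: the server replies to the source it saw. The reply reaches the
    # CSS only if addressed to the CSS itself (source NAT) or if it must leave
    # the subnet through the default gateway. A same-subnet client is reached
    # directly by ARP, so the CSS never sees the return traffic.
    reply = Packet(SERVER, src_for_server)
    via_css = source_nat or ip_address(src_for_server) not in SERVER_SUBNET
    if via_css:
        hops.append(("Server -> CSS", reply))
        # Step 4: the CSS reverses both translations before delivery.
        delivered = Packet(VIP, client_ip)
        hops.append(("CSS -> Client", delivered))
    else:
        delivered = reply  # arrives from SERVER, not from the VIP
        hops.append(("Server -> Client (direct via ARP)", delivered))
    # The client accepts the reply only if it matches the connection it opened.
    accepted = (delivered.dst, delivered.src) in conn_table
    return Walk(hops, accepted, src_for_server)
```

Run `walk("192.0.2.50", False)` and `walk("192.0.2.50", True)` to compare the same-subnet client before and after source NAT; the `server_saw_src` field is the true-source loss the second reply warns about.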

