Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Third Party reporting-referrer address

Unanswered Question


We are running redundant CSS's in one armed mode, and we use the group command. We have one group of servers that has content from third parties (search Engines). Since putting the group command on (to correct one issue) the source address is now being changed by the CSS (which is correct) however when the link on the internal web servers is clicked the third party gets the report and the referrer address shows up as the VIP not the Internet user.

Is there anyway to get this original source address back or into the packet(s) that hits the web server soas to send to the third party?

Thanks in advance

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Gilles Dufour Sun, 03/21/2004 - 00:26
User Badges:
  • Cisco Employee,

no - there is no way if you use the group.

That's the problem with one-armed design.

We try a smuch as we can to recommend not to use one-armed design unless there is really no other way to do so.

In your case, you can get rid of the group command if you make sure the CSS sees the server response.

This can be done if the CSS is the default gateway of the server or if there is a device doing policy routing to redirect the response to the CSS.




Thanks for your response, this is what I figured. I assume that in a non one armed config, the source address would still be present and the CSS would just flow the traffic.

As far as the default gateway, would the CSS not strip the source address anyway regardless if it's the default gateway or not?


Gilles Dufour Mon, 03/22/2004 - 00:50
User Badges:
  • Cisco Employee,

if the CSS is the default gateway for the servers, then there is no need of the group configuration.

Without the group, the CSS does not modify the client ip address.


barnettt Mon, 03/22/2004 - 20:41
User Badges:

If you're not aware, there is a gotcha not using groups.You cannot access the server from a client address on the same subnet. Without the group the packet will be forwarded to the server (via a VIP on the CSS). The server will see the client address as being on the same subnet and will try to send the data directly and not through the CSS. Obviously this gets rejected by the client as it doesn't have a matching TCP session. As long as the source is on a different subnet to the server there is no problem.



This Discussion