Cisco Support Community

New Member

Asymmetric Flows

Hi,

I hope someone can help me out with this issue I am having with a CSS 11503. We are in the process of setting up an SAP portal with an Oracle backend. This portal consists of two front-end web proxy servers in the DMZ and a couple of Oracle/SAP application servers in the backend (inside the firewall). We have only one CSS, with another being ordered for redundancy purposes. I have one interface connected to the DMZ network while the other interface is connected to the internal network. The DMZ is through an interface on the ASA.

The CSS has been configured for two VIPs: one for the front-end web proxy servers and one for the backend Oracle/SAP servers.

Traffic flow is as follows: any request coming in from the internet/LAN will go to the DMZ VIP address, which in turn will forward the request on to the web proxy boxes. These boxes will then initiate a request to the backend Oracle/SAP boxes on the internal VIP.

Default route on the CSS points to the DMZ interface.

The problem I have is of asymmetric routing, I guess. When both circuit IPs (internal and DMZ) are configured, I can only get to the internal VIP address and not the DMZ. I can, however, ping everything. When I remove the internal circuit IP, I can get to the DMZ and not to the internal VIP.

I would appreciate any input on this matter.

Thanks,


Cisco Employee

Re: Asymmetric Flows

Do you realize you have a device that can route between the internal network and the DMZ, bypassing the firewall? This is not really recommended.

If you want the CSS in the DMZ, that's fine, but do not connect it to another segment.

You will need to either move the servers to the DMZ behind the CSS, or use a one-armed design where the CSS sits alone in the DMZ and contacts the servers through the firewall.

This requires source NATing the traffic on the CSS to guarantee that the response goes back to the CSS.

You could also move the CSS on the inside.
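An added illustration of the source-NAT piece of the one-armed design described in the reply (example configuration written for this page, not taken from the thread or from Cisco documentation; the service, owner, content-rule and group names and all addresses are assumed placeholders). The source group rewrites the client source address on traffic the CSS sends to the real servers, so server replies return to the CSS and cross the firewall on the same path as the request instead of taking a direct route the firewall never inspected.

```cisco
! Real server behind the firewall (placeholder address)
service sap-app1
  ip address 10.10.20.11
  protocol tcp
  port 8000
  keepalive type tcp
  active

! Content rule: the internal VIP the web proxies connect to
owner sap-portal
  content sap-internal-vip
    vip address 10.10.10.50
    protocol tcp
    port 8000
    add service sap-app1
    active

! Source group: NAT the client (web proxy) source address to the
! CSS-owned address for flows destined to sap-app1, so the server
! answers the CSS rather than routing straight back to the proxy.
group sap-snat
  vip address 10.10.10.50
  add destination service sap-app1
  active
```

With the group active, every server-side flow is seen by the firewall twice (request and reply) on the CSS-to-server leg, which is what keeps the one-armed CSS from becoming a firewall bypass.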