Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Content switch 11500 and IDS

The public interface of my content switch is mapped to a vlan with public addresses. My servers are on a diffent VLAN --> private address schema. On the VLAN where i define my VIP addresses i also have an intrusion detection system installed. We often see packets on the sniffer that have a private address, this should not be happening. The content switch should only forward packets with an ip = to the VIP and not the actual ip of the server.

It looks like to content switch often doesn't do nat to the vip address.

Can anybody help me on the problem.

Cisco Employee

Re: Content switch 11500 and IDS

the packet that you see is most probably a FIN.

When the client closes the connection, the CSS keeps it open a few more sec to allow the FIN from the server to go through nated.

But if the FIN comes later, it will be forwarded un-nated.

This is well-known.

There is no way to prevent this.


New Member

Re: Content switch 11500 and IDS

Thank you gilles, is there any official documentation on this? You ar right when you say it is always a FIN.

Kind regards,


Cisco Employee

Re: Content switch 11500 and IDS


I do not know if this was documented or not.

It might be but I do not have a link.