Community Member

CSS 11000 Clients' Src IP replaced with VIP's IP

Dear all,

Topology:

10.1.101.X/24 ---CSS11000--- 10.1.103.X/24(Server Farm)

Configuration:

########### Service ###########

service LBS_AP-11:11111
ip address 10.1.103.11
keepalive type tcp
keepalive port 11111
port 11111
active

service LBS_AP-12:11111
ip address 10.1.103.12
keepalive type tcp
keepalive port 11111
port 11111
active

########### Owner ###########

owner Customer-6
content LBS_AP-10:11111
vip address 10.1.103.10
add service LBS_AP-11:11111
add service LBS_AP-12:11111
port 11111
protocol tcp
active

Problem:

We notice that the traffic's Src IP address from the Client side (10.1.101.X) has been replaced by the CSS's VIP address = 10.1.103.10 (seen through a Sniffer).

Is that correct or reasonable?

The configuration was implemented by another Cisco Partner.

Our customer wants me to find out why they cannot see the Client's IP address as the Src IP address when the traffic is from 101.X to 103.X

If there is still anything that I have to provide to you experts, please let me know.

Appreciate ^__^

CSS# show version
Version: ap0610107a (6.10 Build 107)
Flash (Locked): 6.10 Build 107
Flash (Operational): 6.10 Build 107
Type: PRIMARY
Licensed Cmd Set(s): Standard Feature Set

5 REPLIES
Cisco Employee

Re: CSS 11000 Clients' Src IP replaced with VIP's IP

The client NAT is done when you have a group configured. You forgot to provide this part of the config, but I'm certain you have a group in your config.

If the person who configured the CSS thought a group was needed, there might be a reason.

Most often it is required when you have a one-armed scenario. It is being used to guarantee that the response from the server will go back to the CSS first and not directly to the client, which would break connectivity.

You should verify if indeed you're in one-armed.

In one-armed, you can get rid of the group if you can find another way to guarantee the response from the server to go to the CSS.

This can be done by changing the server default gateway or by configuring policy routing on the current default gateway.

Gilles.

Community Member

Re: CSS 11000 Clients' Src IP replaced with VIP's IP

Dear Gilles,

Yes, we do have a group statement as follows:

########## Group ##########

group LBS
vip address 10.1.103.10
add destination service LBS_AP-11:11111
add destination service LBS_AP-12:11111
active

###########################

The question is . . . when we remove the group statement as mentioned above, the patron can finally see the traffic definitely coming from the client side (101.X/24) and destined to the VIP (10.1.103.10).

But, unfortunately, there are some DB servers on the same side as the Server Farm (103.X) that have no access to the VIP (10.1.103.10).

(They could & did access the VIP when the group statement was configured.)

What can I do now for this situation?

I am totally confused by "sourcegroup", "one-armed scenario", & "ACL".

The patron said they want to see the true Src IP addresses from 101.X and still have the DBs on the 103.X network access to the VIP 10.1.103.10.

DBs IP Addresses range from 10.1.103.15 to 10.1.103.20, etc.

If there is still anything that I should provide to you experts, please let me know.

Appreciate ^__^

########## Relevant Configuration ##########

circuit VLAN101
redundancy
description "SC-SAA-3548 VLAN101"
ip address 10.1.101.30 255.255.255.0

circuit VLAN103
redundancy
description "SC-SAA-3548 VLAN103"
ip address 10.1.103.254 255.255.255.0

acl 20
clause 10 permit tcp any destination any
clause 20 permit any any destination any
apply circuit-(VLAN101)
apply circuit-(VLAN103)

Best Regards

Sincerely,

Community Member

Re: CSS 11000 Clients' Src IP replaced with VIP's IP

Dear Gilles,

I replaced the "add destination service" statement with "add service", and it seems to do what we want.

The "add service" statement NATs the source IP & port for flows originating from the servers on the server farm side (103.X/24).

So we can get the real client's IP from 101.X/24 and have the DBs servers access to the VIP(10.1.103.10) without any trouble.

But ~~~~~~ >"<

LBS_AP_11(12) has an application that needs to use its original IP (10.1.103.11(12)) to access another Application Server outside the CSS_SLB domain (10.8.128.X).

Can we use the ACL to bypass that traffic as follows?

########### ACL ###########

acl 30
clause 10 bypass any 10.1.103.0 255.255.255.0 destination 10.8.128.0 255.255.255.0
clause 20 permit any any destination any
apply circuit-(VLAN103)

Of course, we must remove the "circuit-(VLAN103)" from ACL#20 and add the new one "ACL#30".

Best Regards

Sincerely,

Cisco Employee

Re: CSS 11000 Clients' Src IP replaced with VIP's IP

I'm not sure the bypass will work.

I thought it should but somebody said on this list very recently that it wasn't.

So, the proper solution that I use myself, is to setup an ACL to define when to use the group.

i.e.:

acl 30
clause 10 permit any 10.1.103.0 255.255.255.0 destination 10.8.128.0 255.255.255.0
clause 20 permit any 10.1.103.0 255.255.255.0 destination any sourcegroup
apply ....

Make sure to then remove all the 'add service ...' commands from under the group.

Gilles.
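To make the mechanics behind this thread concrete, here is an added Python model of the CSS behaviour the replies describe; it is not CSS code and not the thread's configuration. It assumes a simplified CSS: a flow that matches an ACL clause carrying "sourcegroup" has its source address rewritten to the VIP (client NAT), and a server's reply to an address on its own subnet is delivered at layer 2 without ever reaching the CSS, while replies to other subnets are routed through the CSS circuit address that serves as the servers' gateway. The ACL shapes, server selection and sample addresses are constructed for the example.

```python
"""Simplified model of CSS source-group (client NAT) behaviour and of an
ACL that applies 'sourcegroup' only to the flows that need it.

Added example; not CSS code and not the thread's own configuration.
Assumptions (simplifications of what the thread describes):
  * a flow matching an ACL clause with 'sourcegroup' has its source IP
    rewritten to the VIP; otherwise the source IP is left alone;
  * a server's reply to an address on its own subnet is delivered at
    layer 2 and never reaches the CSS; replies to other subnets go via
    the CSS, because the CSS circuit address is the server's gateway.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

VIP = ip_address("10.1.103.10")                        # VIP from the thread
SERVER_NET = ip_network("10.1.103.0/24")               # server farm VLAN103
SERVERS = [ip_address("10.1.103.11"), ip_address("10.1.103.12")]
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class Clause:
    """One 'permit' clause; sourcegroup=True means NAT the source to the VIP."""
    src_net: IPv4Network
    dst_net: IPv4Network
    sourcegroup: bool = False


# ACL on VLAN101: real client addresses must be preserved, so no sourcegroup.
ACL_VLAN101 = [Clause(ANY, ANY)]

# ACL on VLAN103 in the shape of the 'acl 30' posted above: the servers'
# own flows to 10.8.128.0/24 keep their real address; everything else
# from 103.X (e.g. DB servers talking to the VIP) is client-NATed.
ACL_VLAN103 = [
    Clause(SERVER_NET, ip_network("10.8.128.0/24"), sourcegroup=False),
    Clause(SERVER_NET, ANY, sourcegroup=True),
]

# The original "NAT every client" group, for comparison (constructed).
ACL_NAT_EVERYTHING = [Clause(ANY, ANY, sourcegroup=True)]


def match_clause(acl, pkt):
    """First matching clause, or None (CSS ACLs end in an implicit deny)."""
    for clause in acl:
        if pkt.src in clause.src_net and pkt.dst in clause.dst_net:
            return clause
    return None


def client_connect(client, acl):
    """Client -> VIP through the CSS.

    Returns (source address the real server sees, whether the server's
    reply gets back to the client looking like it came from the VIP).
    """
    clause = match_clause(acl, Packet(client, VIP))
    if clause is None:
        return None, False
    server = SERVERS[int(client) % len(SERVERS)]       # toy server selection
    fwd = Packet(VIP if clause.sourcegroup else client, server)
    reply = Packet(server, fwd.src)                    # server answers what it saw
    if reply.dst == VIP:
        # CSS owns the VIP: it undoes both NATs and forwards to the client
        delivered = Packet(VIP, client)
    elif reply.dst in SERVER_NET:
        # same subnet: delivered directly, the CSS never sees the reply
        delivered = reply
    else:
        # routed via the CSS (server gateway): server address hidden behind VIP
        delivered = Packet(VIP, reply.dst)
    ok = delivered.src == VIP and delivered.dst == client
    return str(fwd.src), ok


def server_outbound(server, dst, acl):
    """Source address a remote host sees for a server-initiated flow."""
    clause = match_clause(acl, Packet(server, dst))
    if clause is None:
        return None
    return str(VIP if clause.sourcegroup else server)


if __name__ == "__main__":
    print(client_connect(ip_address("10.1.101.5"), ACL_VLAN101))    # real src kept, works
    print(client_connect(ip_address("10.1.103.16"), ACL_VLAN103))   # DB server NATed, works
    print(client_connect(ip_address("10.1.103.16"), ACL_VLAN101))   # same subnet, no NAT: breaks
    print(server_outbound(ip_address("10.1.103.11"),
                          ip_address("10.8.128.5"), ACL_VLAN103))   # server keeps own IP
```

Running it shows the three states the thread walks through: a 101.X client keeps its real address and the reply still returns through the CSS because the servers route it via their gateway; a 103.X DB server reaching the VIP only works when its source is NATed to the VIP, otherwise the real server answers it directly from 10.1.103.11 and the connection is dropped; and the per-clause "sourcegroup" lets the servers' own flows to 10.8.128.0/24 leave with their real address.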

Community Member

Re: CSS 11000 Clients' Src IP replaced with VIP's IP

Dear,

Unfortunately, the "bypass" solution did not work as we expected.

This is a production environment, so the patron could not let us try & error too many times.

Probably next time, when we have some spare equipment or another implementation project, we can try to find out what the problem is.

Thanks, Cisco & Gilles . . .

Very much appreciated ^__^
