Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

CSS 11503 - Servers need to initiate sessions

We are just deploying CSS as a replacement to Local Director. A major problem we have concerns the ability of the servers behind the CSS to initiate sessions on their own for such things as dynamic page builds, SQL calls, or routine backup and maintenance. CSS is erratic about permitting this. We were told this could be fixed using groups. We tried it and it did fix the problem. But then it broke other things. With a server defined in a group, (we did groups of 1) now, we can no longer get into the server to perform any admin function. We are effectively locked out of the server unless we have a second NIC or KVM. Has anyone experienced similar problems that can share a fix?????

New Member

Re: CSS 11503 - Servers need to initiate sessions

Post more detail on your config. I'm doing everything your having problems with, I've not encountered such.

New Member

Re: CSS 11503 - Servers need to initiate sessions

I can send a ppt dwg and an extract of the config. email

Cisco Employee

Re: CSS 11503 - Servers need to initiate sessions

the group commands perform source ip translation (nat) for traffic coming from the server and not hitting a rule.

You might not need a group if the real address of the server is well-known in your network (routable). For this, just see the CSS as a router.

The CSS (router) should be known as the gateway the real servers.

If this is not possible to do this, you need a group to nat the real server ip address to another well-known address.

However, now you can't use the ip address of the real server directly.

So, if you need management to access it for management reason, you can use a separate network and a 2nd Nic on each server, or you can create new VIPs on the CSS, or you can remove the group and make sure the real address is well-known through out your network or finally you can use the group differently.

Remove any server from the group and then use an ACL to define when to use this group.

ie: group servers

vip address x.x.x.x


acl 1

clause 10 permit any udp destination any source-group servers

clause 20 permit any tcp destination any

clause 30 ....

In the example above we use the group called 'servers' for udp but not tcp.

You can be more specific ....



New Member

Re: CSS 11503 - Servers need to initiate sessions

We finally managed to solve this ourselves. Using group definitions for each server, we are able to permit the real servers to initiate sessions as needed. To continue to be able to connect to the servbers, without a backdoor NIC or KVM, we defined a new content rule using the ip address we used in the group definition as the vip, we can get back into the server.

Note that our configuration does not terminate the servers on the css. the css is but another part of the vlan.