CSS 11503 - Servers need to initiate sessions

jwamsley
Level 1

We are just deploying CSS as a replacement for Local Director. A major problem we have concerns the ability of the servers behind the CSS to initiate sessions on their own for such things as dynamic page builds, SQL calls, or routine backup and maintenance. CSS is erratic about permitting this. We were told this could be fixed using groups. We tried it and it did fix the problem. But then it broke other things. With a server defined in a group (we did groups of 1), we can no longer get into the server to perform any admin function. We are effectively locked out of the server unless we have a second NIC or KVM. Has anyone experienced similar problems and can share a fix?

4 Replies

d-olds
Level 1

Post more detail on your config. I'm doing everything you're having problems with, and I've not encountered such.

I can send a ppt dwg and an extract of the config. email jim_wamsley@stortek.com

Gilles Dufour
Cisco Employee

The group commands perform source IP translation (NAT) for traffic coming from the server and not hitting a rule.

You might not need a group if the real address of the server is well-known in your network (routable). For this, just see the CSS as a router.

The CSS (router) should be known as the gateway for the real servers.

If it is not possible to do this, you need a group to NAT the real server IP address to another well-known address.

However, now you can't use the ip address of the real server directly.

So, if you need management to access it for management reasons, you can use a separate network and a 2nd NIC on each server, or you can create new VIPs on the CSS, or you can remove the group and make sure the real address is well-known throughout your network, or finally you can use the group differently.

Remove any server from the group and then use an ACL to define when to use this group.

ie:

    group servers
      vip address x.x.x.x
      active

    acl 1
      clause 10 permit udp any destination any sourcegroup servers
      clause 20 permit tcp any destination any
      clause 30 ....

In the example above we use the group called 'servers' for UDP but not TCP.

You can be more specific ....

Regards,

Gilles.

jwamsley
Level 1

We finally managed to solve this ourselves. Using group definitions for each server, we are able to permit the real servers to initiate sessions as needed. To continue to be able to connect to the servers without a backdoor NIC or KVM, we defined a new content rule using the IP address from the group definition as the VIP; through that we can get back into the server.

Note that our configuration does not terminate the servers on the CSS; the CSS is just another part of the VLAN.
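The ACL-scoped group Gilles describes, written out in full as an added example (it is not a configuration from this thread); the group name, VIP address, real-server address and the VLAN1 circuit are assumptions:

```text
! Added example, not from the thread. Names, addresses and the circuit are assumed.
! Real servers are routable and use the CSS as their default gateway, so no
! group is needed for inbound admin traffic to reach 10.1.1.10 directly.

! A group with no "add service" lines NATs nothing by itself; the ACL below
! decides which traffic it applies to.
group servers
  vip address 192.168.1.200
  active

! Only UDP sessions that the servers start themselves are source-NATed to
! 192.168.1.200. TCP (including SSH/RDP to the real address) passes untouched,
! so the admin lockout from the original question does not occur.
acl 1
  clause 10 permit udp any destination any sourcegroup servers
  clause 20 permit any any destination any
  apply circuit-(VLAN1)

! Caveat: once "acl enable" is set, traffic not matched by a permit clause is
! dropped, so the catch-all clause 20 must stay (or be replaced by explicit
! per-protocol permits). Narrow the source of clause 10 to the server subnet
! if you want the NAT to apply only to traffic those hosts originate.
```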
