Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

CSS One Armed Mode Questions

Hi all.

I have a couple of questions with regard to configuring the CSS and would welcome some assistance.

Firstly the CSS has multiple servers on a subnet that provide different services. The VIP addresses are also on the same subnet.

The clients are on another subnet and we are using loopbacks on the servers to allow DSR for the purpose of logging IP addresses. This all works fine.

The problem that we now have is that we require server to server communication via VIPs also. This will obviously not work as the servers will respond directly to the source thereby breaking TCP communication and timing out.

My question is can the CSS provide static source NAT like the F5 Big-IP can which gets around this ? I have tried using the add destination service to hide the source address but this does not work either.

I have tried setting up a server to be NAT'd wherever it talks by using:

acl 1

clause 10 permit any x.x.x.x destination any sourcegroup DST

clause 50 permit any any destination any

apply circuit-(VLAN252)

This didn't work either.

Any ideas here ?

On final question, is it possible to have a VIP monitor another VIP so if one fails then the other does too ?

I can post the config is that will help.

Thanks in Advance.

Cisco Employee

Re: CSS One Armed Mode Questions

for clarity of the response, assume the Vip your server needs to communicate with is called MYVIP.

What you have to do is this


vip x.x.x.x


acl 1

clause 10 permit ip x.x.x.x destination content MYVIP sourcegroup YOUR_GROUP.

This should work.

However, your description contains some anomalies. The CSS does not support DSR [direct server return]. So, I'm not really sure what you configured exactly.

If the config I gave you does not work, collect a sniffer trace on the server vlan to see if nat is occuring and the destination server does.