Cisco Support Community
Community Member

CSS / SCA - One Arm Proxy Mode (Transparent)

Hello ... my question is similar to one posted recently. But I still cannot understand the reason.

Our customer has a CSS x 2 with SCAs x 2 in a one-arm Proxy (transparent) operation.

Currently we have 3 default routes as suggested in CCO.

1 for upstream router (pointing to customer networks)

2 for the SCAs

We have defined the Service on the CSS pointing to the SCAs with type transparent-cache.

I don't understand why a box would need 3 default routes (surely this will not work normally?)

The configuration seems to work OK with one major drawback.

There seem to be a lot of problems with traffic coming from the user sites using apps ... the only workaround I have found for this is to add a static route for each remote network we want to connect to.

This is obviously VERY ANNOYING for the customer as they are expecting the CSS to default route packets to their WAN instead of having to keep raising change requests to add routes.

Please could anyone explain why this needs to happen - or is there something I am missing here?

Could the default routes to the CSS's be replaced with something else? I am currently nervous about proposing this without something to back up my theory.

Any feedback would be most appreciated.

Cisco Employee

Re: CSS / SCA - One Arm Proxy Mode (Transparent)

This is documented here:

The default routes are required for ecmp - prefer egress route to work [this is because when spoofing the client IP on the SCA, the SCA is using the client IP address, so when the server responds to the client, the CSS needs to forward the response to the SCA and not the client].

As you mentioned this is a problem for some traffic.

One solution is to use an ACL to match these types of traffic and use a 'prefer ' clause.


