Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

CSS & SCA redundant one-armed proxy


scenario with two CSS and two SCA for SSL offload from Web Servers as described in the SCA Config Guide (deployment examples one-armed (non-)transparenton proxy) on CCO.

The example configs are definitly not correct - VIPs or static-route-next-hops in subnets not defined on the CSS VLAN circuits etc.; does anybody have correct / tested example configs of redundant one-armed (non-)transparent proxy configurations?

Or: Is there a document which describes what especially the SCAs do in detail (packet chains / traces which show how they work on Layer 2 / Layer 3 / higher)? Do they any IP addresses in the packets arriving from the CSS, which addresses does the CSS use for traffic to the SCAs, ...



Cisco Employee

Re: CSS & SCA redundant one-armed proxy

the configs are correct.

I used them almost everyday.

I guess you reference this page

What does not work in your case ?

What is your exact case ? transparent or non-transparent ?

In transparent mode, the CSS does not change source or destination ip address. So static routes are needed to point to the SCA.

In non-transparent mode, the CSS will nat the destination ip address of the client request to the ip address of the SCA.

Since the SCA is directly connected, no static routes are needed.

Transparent mode.


client (C) sends a request to CSS VIP (V).

The CSS redirect the request to the SCA.

Ip addresses do not change but mac addresses are modified.

The SCA accept any packets received in transparent mode.

It establishes HTTPS connection with client through CSS and

it then open an HTTP connection with server/VIP (SV) using the source

ip address (C).

The CSS gets the HTTP request and forwards it to the real server (SR).



(C) open connection to (V)

CSS forwards to SCA and replaces (V) with SCA ip address (SCA).

SCA setup the HTTPS connection with (C) and open an HTTP connection wih (SV) using its own ip address (SCA).

Hope this helps.


New Member

Re: CSS & SCA redundant one-armed proxy

Thanks for your explanation.

The page I was referencing is:

It's very similar to the one you've referenced.

What I mean with "not correct" is for example:

The VIPs in the One-Armed (Non-)Transparent Proxy Deployment Example belong to 10.176.11.x, but the CSS has no VLAN with that subnet. Maybe I don't fully understand that machine, but I would say that this can't work. There are more points like that in both CSS configs, also in the corresponding SCA configs. Do I think the wrong way or are there some mistakes in there?


Cisco Employee

Re: CSS & SCA redundant one-armed proxy

I believe vlan 1 ip address should be in the 10.176.11.x range.

We just forgot a '1'.

I'll have this corrected for the future.

However, FYI it can also work even if the VIP is not part of any VLAN.

You just need to make sure that the rest of the world knows how to reach this ip address.


Cisco Employee

Re: CSS & SCA redundant one-armed proxy


If you configure the CSS for Transparent Mode.

Do you need to configure the SCA Server Services for Transparent ? Im assuming yes... but want to verify. This is not identified in any of the configuration examples

CreatePlease to create content