Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CSS11000 and services off-subnet

I'm having problems with a CSS11000 when we're using it with services that are not located on the same subnet as the L4 switch

The CSS11000 is acting as a default gateway for a subnet that has a number of firewalls connected to it, and there are web servers that we are wanting to define as services behind those firewalls.

When we define the services on the CSS11000, we find that the service status cycles through alive/dying/down and throughput is poor.

We know that L3 routing is okay, and we have ruled out the firewalls as an issue by replacing them with a standard router during testing.

If we place a web server on the same subnet as the L4 and configure it as a service, everything is fine.

Anyone got any ideas as to why the CSS doesn't like services that are off-subnet?

Cisco Employee

Re: CSS11000 and services off-subnet

it should not be a problem.

I have the same thing in my lab and it works.

How did you define your keepalive ?

Just ICMP or TCP or HTTP ?

Try to sniff the keepalive to see if the CSS is getting the replies from the server.

Also, did you open your firewall for the keepalives ?


New Member

Re: CSS11000 and services off-subnet


Thanks for the reply, we have tried both HTTP and ICMP keepalives, and made the necessary rule changes on the firewalls (and on the router when we swapped it for the firewall)

I'm still stumped for ideas


Cisco Employee

Re: CSS11000 and services off-subnet

can you ping the server from the CSS ?

Could you give us your config ?

What about the sniffer trace ?

CreatePlease login to create content