CSS11503 - Inbound and outbound traffic on same virtual interface

julian.osborne
Level 1

Set up two CSS11503s running 8.10. Running an active/passive config.

Two groups of servers each with a VIP. Both groups of servers on the same VLAN.

The VIPs reside on VLAN1 and the servers are on VLAN2.

Problem:

Servers from one group cannot access the other via its VIP. Servers cannot access themselves via their VIP as well.

Can ping the VIPs without a problem.

I assume that this is because the traffic generated by a client is going in and out of the same interface.

I have come across similar problems on various firewalls.

Is there any way of getting around this?

Thanks

Julian

Accepted Solution

Gilles Dufour
Cisco Employee

Julian,

This is not the same issue as a firewall preventing traffic from going in and out of the same interface.

The problem here is that the CSS will receive traffic from Server1; it will NAT the VIP into Server2 and forward the traffic, keeping the src IP unchanged.

So, when Server2 replies, it sends the response to Server1. Since they are on the same subnet, the response bypasses the CSS, and Server1 receives a response from Server2, which is unknown to Server1 since it expects a response from the VIP.

The solution is to implement source NAT on the CSS for traffic originating from the servers.

This can be done with a group and an ACL.

This was discussed many times, so I think you should be able to find a sample config somewhere.

If you can't, let me know.

Gilles.


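The packet walk Gilles describes, as an added model that is not part of the original thread or any Cisco code: it traces one request from Server1 to the VIP, with and without source NAT on the CSS, and shows why the reply is only usable when it comes back through the CSS. All addresses (VIP, Server1, Server2, the CSS-owned source NAT address) and the single real server behind the VIP are constructed assumptions.

```python
"""Model of the same-subnet VIP problem from the thread above (constructed
addresses). Without source NAT the reply skips the CSS; with it, the reply
returns through the CSS, which restores the VIP as the reply source."""
from dataclasses import dataclass

VIP = "10.1.1.100"       # VIP on VLAN1 (constructed)
SERVER1 = "10.2.2.11"    # client-side server on VLAN2 (constructed)
SERVER2 = "10.2.2.22"    # real server behind the VIP, also VLAN2 (constructed)
SNAT_IP = "10.2.2.254"   # CSS-owned address used when source NAT is on (constructed)

# Which node picks up a frame for which IP on the shared server VLAN.
OWNER = {VIP: "css", SNAT_IP: "css", SERVER1: "server1", SERVER2: "server2"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class CSS:
    """Minimal stateful load balancer: destination NAT plus optional source NAT."""

    def __init__(self, source_nat: bool):
        self.source_nat = source_nat
        self.flows = {}  # (real_server, translated_src) -> (orig_src, orig_dst)

    def forward(self, pkt: Packet) -> Packet:
        """Client -> VIP: rewrite dst to the real server, rewrite src only if SNAT."""
        new_src = SNAT_IP if self.source_nat else pkt.src
        self.flows[(SERVER2, new_src)] = (pkt.src, pkt.dst)
        return Packet(new_src, SERVER2)

    def reverse(self, pkt: Packet) -> Packet:
        """Server -> client: undo both translations for a known flow."""
        orig_src, orig_dst = self.flows[(pkt.src, pkt.dst)]
        return Packet(orig_dst, orig_src)


def simulate(source_nat: bool) -> dict:
    """Return the reply source Server1 sees, the delivery path, and acceptance."""
    css = CSS(source_nat)
    request = css.forward(Packet(SERVER1, VIP))   # Server1 -> VIP lands on the CSS
    reply = Packet(SERVER2, request.src)          # Server2 answers the src it saw
    path = [OWNER[reply.dst]]                     # same VLAN: delivered by IP owner
    if path[-1] == "css":                         # came back via the CSS: un-NAT
        reply = css.reverse(reply)
        path.append(OWNER[reply.dst])
    accepted = reply.dst == SERVER1 and reply.src == VIP  # Server1 expects the VIP
    return {"reply_src": reply.src, "path": path, "accepted": accepted}
```

Without source NAT the reply reaches Server1 directly with Server2's address as source, so Server1 has no matching connection; with source NAT the reply lands on the CSS first and arrives carrying the VIP.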