Cisco Support Community

New Member

Direct Server Access in One-armed, Routed mode

I'm having an issue with direct server access in a one-armed, routed mode as shown below.


Packets come in from the router, to the server directly.  When the server responds, the packets go to the ACE as its default gateway, and then are forwarded by the ACE to the router as the ACE's default gateway.

Load balancing works fine, however connecting directly to the server ( doesn't seem to work.  ACLs are "any any" on input and output on the interface of the ACE. 

From what I'm reading it may be required to turn off IP normalization, but I wanted to get any other insights into possible causes.



Re: Direct Server Access in One-armed, Routed mode


What you should do is configure the router to be the default gateway of the server, and use sourceNAT for load-balancing to force the return traffic from the server to ACE in case of load-balancing.

What you could do as a workaround is configure sourceNAT on your router for direct server traffic. The same principle applies as when using sourceNAT on the ACE: the return traffic is sent to an address that is local to the subnet, so it will send directly to it, not using the default gateway.



New Member

Re: Direct Server Access in One-armed, Routed mode

Normally, SNAT is what we'd do.  However, there is a requirement to preserve the true client source IP address, and the insert HTTP header option won't work because of the non-HTTP protocol being used.

New Member

Re: Direct Server Access in One-armed, Routed mode

In this case, you could create a static route on your router for the server IP to the ACE.  You may have MAC address conflicts as the router will try to answer on behalf of the server, but in that case you can statically map the server MAC addresses to your ACE.  Not perfect, but it works.
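The following is an added example, not code from any poster in this thread: a small Python model of the packet paths for the design as posted and for the two workarounds suggested above (source NAT on the router, and a static route on the router pointing the server IP at the ACE). The addresses are constructed from documentation ranges, and the rule that the ACE drops a reply whose request it never saw is a simplifying assumption that the thread suspects but does not confirm.

```python
import ipaddress

# Constructed addresses (documentation ranges); none come from the thread.
SUBNET = ipaddress.ip_network("192.0.2.0/24")   # VLAN shared by router, ACE, server
ROUTER, ACE, SERVER = "192.0.2.1", "192.0.2.2", "192.0.2.10"
CLIENT = "198.51.100.7"

def trace(via_ace, router_snat):
    """Return (forward_path, return_path, source_ip_seen_by_server)."""
    # With source NAT on the router, the server sees a subnet-local source.
    src = ROUTER if router_snat else CLIENT
    # Forward: the router delivers on-link, unless a static host route
    # for the server IP points at the ACE.
    fwd = ["client", "router"] + (["ace"] if via_ace else []) + ["server"]
    # Return: the server answers on-link when the destination is in its own
    # subnet; otherwise it uses its default gateway (the ACE), whose own
    # default gateway is the router.
    if ipaddress.ip_address(src) in SUBNET:
        ret = ["server", "router", "client"]
    else:
        ret = ["server", "ace", "router", "client"]
    return fwd, ret, src

def stateful_ace_passes(fwd, ret):
    """Assumed model: the ACE forwards a reply only if it saw the request."""
    return "ace" not in ret or "ace" in fwd

def evaluate(name, via_ace=False, snat=False):
    fwd, ret, src = trace(via_ace, snat)
    return {"design": name, "forward": fwd, "return": ret,
            "works": stateful_ace_passes(fwd, ret),
            "client_ip_preserved": src == CLIENT}

SCENARIOS = [
    evaluate("as posted: server default gateway is the ACE"),
    evaluate("source NAT on the router", snat=True),
    evaluate("static route on the router for the server IP via the ACE",
             via_ace=True),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(s)
```

Under this model only the static-route design both keeps the flow symmetric through the ACE and preserves the client source IP, which matches the requirement stated in the thread.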