the problem with kerberos is that the user must first sends a request to kerberos server that delivers a token to then contact the destination server.
Here the user will use the vip ip to request the token and when contacting the destination the ip is different and the token not accepted.
I had an issue like this in a long time ago and I don't think we ever found a solution.
Did you try to configure loopback ip addresses on the server that would be the same ip as the vip ?
Then configure service of type transparent on the CSS.
Or contact the kerberos admin guy to see if he knows a way to have a token valid on multiple platforms.
Gilles.