Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Third Party reporting-referrer address

Hi,

We are running redundant CSS's in one armed mode, and we use the group command. We have one group of servers that has content from third parties (search Engines). Since putting the group command on (to correct one issue) the source address is now being changed by the CSS (which is correct) however when the link on the internal web servers is clicked the third party gets the report and the referrer address shows up as the VIP not the Internet user.

Is there anyway to get this original source address back or into the packet(s) that hits the web server soas to send to the third party?

Thanks in advance

4 REPLIES
Cisco Employee

Re: Third Party reporting-referrer address

no - there is no way if you use the group.

That's the problem with one-armed design.

We try a smuch as we can to recommend not to use one-armed design unless there is really no other way to do so.

In your case, you can get rid of the group command if you make sure the CSS sees the server response.

This can be done if the CSS is the default gateway of the server or if there is a device doing policy routing to redirect the response to the CSS.

Regards,

Gilles.

Community Member

Re: Third Party reporting-referrer address

Gilles,

Thanks for your response, this is what I figured. I assume that in a non one armed config, the source address would still be present and the CSS would just flow the traffic.

As far as the default gateway, would the CSS not strip the source address anyway regardless if it's the default gateway or not?

Thanks

Cisco Employee

Re: Third Party reporting-referrer address

if the CSS is the default gateway for the servers, then there is no need of the group configuration.

Without the group, the CSS does not modify the client ip address.

Gilles.

Community Member

Re: Third Party reporting-referrer address

If you're not aware, there is a gotcha not using groups.You cannot access the server from a client address on the same subnet. Without the group the packet will be forwarded to the server (via a VIP on the CSS). The server will see the client address as being on the same subnet and will try to send the data directly and not through the CSS. Obviously this gets rejected by the client as it doesn't have a matching TCP session. As long as the source is on a different subnet to the server there is no problem.

Tony

143
Views
0
Helpful
4
Replies
CreatePlease to create content