Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Web server accessing a load-balanced VIP

I have a test environment consisting of a single CSS 11052 with several servers behind it. The two web servers have their web sites defined in the CSS, and the CSS is providing a load-balanced VIP. For example, the CSS provides a VIP of 10.149.162.211 in VLAN5 for two web sites with IP addresses of 172.17.1.20 and 172.17.1.21 in VLAN4. Hosts outside this environment can reach the load-balanced site perfectly well.

I've had a request to allow the web servers themselves to browse to the load-balanced VIP. They currently aren't able to do this, and I can't figure out why. Is this a characteristic of the CSS, or is there something I can do to allow the servers being load-balanced to access the balanced load IP?

-Mark

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Web server accessing a load-balanced VIP

Hi,

the problem is that the SYN packets are sent from the server to the CSS and are NATed there. Then the NATed packets get sent back to the servers. A new TCP connection is established and after that ACK packets are sent back to the source which is on the same local net. So these ACK packets are not sent to the CSS to be 'reNATed', but directly to the initiator. But that initiator does not have a TCP state for this SRC/DST pair as they only have one for the NATed address, so the packets are discarded -> no TCP connection possible.

The only possibility is to add source groups to the CSS and ACLs to also NAT the source addresses for connection attempts from the servers to themselves which is quite complicated.

-alex

2 REPLIES
New Member

Re: Web server accessing a load-balanced VIP

Hi,

the problem is that the SYN packets are sent from the server to the CSS and are NATed there. Then the NATed packets get sent back to the servers. A new TCP connection is established and after that ACK packets are sent back to the source which is on the same local net. So these ACK packets are not sent to the CSS to be 'reNATed', but directly to the initiator. But that initiator does not have a TCP state for this SRC/DST pair as they only have one for the NATed address, so the packets are discarded -> no TCP connection possible.

The only possibility is to add source groups to the CSS and ACLs to also NAT the source addresses for connection attempts from the servers to themselves which is quite complicated.

-alex

New Member

Re: Web server accessing a load-balanced VIP

Thank you, Alex. That is exactly what I needed to know.

-Mark

121
Views
0
Helpful
2
Replies
CreatePlease to create content