Cisco Support Community

CSS 11503 as Gateway Problem

Hey guys,

I configured my company's 2 CSSs as load balancers for a bunch of web servers and they work great except for a minor issue that I can't seem to resolve. When a web daemon on a server crashes, or is shut down for one reason or another, the CSS removes that service from the pool, which is good, but that server loses connection to the outside world. We can still SSH into the server and push data onto it, but the route to the outside world is dead.

This is a problem since our servers often need to connect to outside resources on startup.

We are currently set up with a 2-Tier network layout where the CSS is connected to our public network (say and our servers sit on a private network( and use the CSS as their gateway.

I tried a number of fixes to rectify the situation, but nothing has worked so far. The servers have another NIC connected directly to the public network, but since the default GW is the CSS, it does not help. I tried changing the default GW on the servers to point to our public GW, but then access through the CSS VIP does not work. Static routes don't do the trick either.

Is there any configuration option that I can change so that the CSS does not kill the GW for a server whose service is down?

Either that, or do you know of a better way to lay out the configuration so we avoid the problem?

If needed I can post the configuration of our CSS and the network setup on our servers.

Any help is greatly appreciated.



Re: CSS 11503 as Gateway Problem

CSS by default acts as a router, but you need to translate the real server's IP for server-originated traffic.

To have the CSS NAT traffic initiated by the server side, you need to add a "source group" to the CSS config. Here is what you need:


vip address

add service

add service



This will force the CSS to NAT server initiated traffic.

Syed Iftekhar Ahmed


Re: CSS 11503 as Gateway Problem

Thanks for the response Syed.

We already have groups set up for the servers. I have attached our config file (slightly edited for security reasons) to see our setup.

Here are some more details on our setup.


Public Network:

Private Network:

Public Gateway:


CSS Gateway:

Server Network Setup:

Default Gateway -> CSS Gateway (



As I said, while the Tomcat daemon is running, the server can ping to the outside world through the CSS, but as soon as the daemon is stopped, the keepalive detects it as down, removes it from the pool and drops all outgoing packets from that server.


Re: CSS 11503 as Gateway Problem

Can you try using a different IP (other than ) in the group configuration?

group webservers

add service http2

add service http3

add service http1

vip address 198.202.0.x