https://community.cisco.com/t5/application-networking/css11503-inbound-and-outbound-traffic-on-same-virtual-interface/m-p/886799#M17409 <HTML><HEAD></HEAD><BODY><P>Julian,</P><P></P><P>this is not the same issue as firewall preventing traffic to go in and out the same interface.</P><P>The problem here is that the CSS will receive traffic from Server1, it will nat the vip into Server2 and forward traffic keeping the src ip unchanged.</P><P>So, when Server2 replies, it sends the response to Server1. Since they are on the same subnet, the response bypass the CSS and Server1 receives a response from Server2 which is unknown to Server1 since it expects a response from the Vip.</P><P>The solution is to implement source nat on the CSS for traffic originating from the servers.</P><P>This can be done with a group and an ACL.</P><P>This was discussed many times, so I think you should be able to find a sample config somewhere.</P><P>If you can't let me know.</P><P></P><P>Gilles.</P></BODY></HTML> Wed, 19 Sep 2007 14:59:19 GMT Gilles Dufour 2007-09-19T14:59:19Z https://community.cisco.com/t5/application-networking/css11503-inbound-and-outbound-traffic-on-same-virtual-interface/m-p/886798#M17408 <P>Setup two CSS11503's running 8.10. Running and active/passive config.</P><P></P><P>Two groups of servers each with a VIP. Both groups of servers on the same VLAN. </P><P></P><P>The VIP's reside on VLAN1 and the servers are on VLAN2</P><P></P><P>Problem:</P><P></P><P>Servers from one group cannot access the other via it's VIP. Servers cannot access themselves via their VIP as well.</P><P></P><P>Can ping the vip's with out a problem.</P><P></P><P>I assume that this is because that traffic generated by a client is going in and out of the same interface.</P><P></P><P>I have come across similar problems on various firewalls.</P><P></P><P>Is there anyway of getting around this.</P><P></P><P>Thanks</P><P></P><P>Julian</P> Wed, 19 Sep 2007 13:00:23 GMT https://community.cisco.com/t5/application-networking/css11503-inbound-and-outbound-traffic-on-same-virtual-interface/m-p/886798#M17408 julian.osborne 2007-09-19T13:00:23Z https://community.cisco.com/t5/application-networking/css11503-inbound-and-outbound-traffic-on-same-virtual-interface/m-p/886799#M17409 <HTML><HEAD></HEAD><BODY><P>Julian,</P><P></P><P>this is not the same issue as firewall preventing traffic to go in and out the same interface.</P><P>The problem here is that the CSS will receive traffic from Server1, it will nat the vip into Server2 and forward traffic keeping the src ip unchanged.</P><P>So, when Server2 replies, it sends the response to Server1. Since they are on the same subnet, the response bypass the CSS and Server1 receives a response from Server2 which is unknown to Server1 since it expects a response from the Vip.</P><P>The solution is to implement source nat on the CSS for traffic originating from the servers.</P><P>This can be done with a group and an ACL.</P><P>This was discussed many times, so I think you should be able to find a sample config somewhere.</P><P>If you can't let me know.</P><P></P><P>Gilles.</P></BODY></HTML> Wed, 19 Sep 2007 14:59:19 GMT https://community.cisco.com/t5/application-networking/css11503-inbound-and-outbound-traffic-on-same-virtual-interface/m-p/886799#M17409 Gilles Dufour 2007-09-19T14:59:19Z https://community.cisco.com/t5/application-networking/css11503-inbound-and-outbound-traffic-on-same-virtual-interface/m-p/886800#M17410 <HTML><HEAD></HEAD><BODY><P>Thanks for the pointer Giles, the problem is now sorted.</P><P></P><P>Solutions found in:</P><P><A class="jive-link-custom" href="http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Data%20Center&amp;topic=Application%20Networking&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddf8c30" target="_blank">http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Data%20Center&amp;topic=Application%20Networking&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddf8c30</A></P><P></P><P>Your solution too <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Julian</P></BODY></HTML> Wed, 19 Sep 2007 19:43:19 GMT https://community.cisco.com/t5/application-networking/css11503-inbound-and-outbound-traffic-on-same-virtual-interface/m-p/886800#M17410 julian.osborne 2007-09-19T19:43:19Z