CSS 11500: httpd just logging VIP of the CSS

gdbell_cisco
Level 1

This seems like a fairly stupid question; however, I have looked around and I can't seem to find an exact answer.

I have a CSS 15506 sitting in front of a single test webserver and the IP addresses that are coming through the access log are just from the CSS's VIP.

Have I missed something in the config or is this just how it works?

The webserver is not directly attached; does this matter?

If this is how it works, how are you supposed to collect httpd stats from your clients?

Cheers


Gilles Dufour
Cisco Employee

You probably have a one-armed design and have implemented 'client nat' with a group command.

To disable client nat, de-activate the group.

However, if you do this, you need to make sure the response from the server goes back to the CSS.

So, make the CSS the default gateway for the server.

Another solution - get rid of one-armed design.

Use 2 interfaces on the CSS - inside/outside.

Here is a link to a one-armed config example and some info about pros/cons.

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml#topic2

Gilles.

I don't believe I am running a one-arm solution because I am using two interfaces with the CSS.

eg

show flows:

Src Address     SPort  Dst Address   DPort  NAT Dst Address  Prt  InPort  OutPort
149.132.1.4     80     149.132.21.3  18360  149.132.56.143   TCP  1/2     2/1
149.132.56.143  2281   149.132.1.30  80     149.132.1.4      TCP  2/1     2/1

I am using groups for a destination service so it will go out on a different subnet... but it looks OK.

But as you can see, both are using different InPorts but the same OutPort...

You are right, if I disable the group I lose the route back... however, I only want port 80 to be used so I don't want to change the default route of the host... and they are on different subnets so I can't change the default route...

Does the host have to be physically connected to the CSS to get that feature... if so, is there an X-Forwarded-For option?

The CSS does not NAT the client IP address unless you have a group config as I mentioned previously.

You also mentioned a group.

This is probably why the CSS is NATing the client IP address.

What is the exact group config that you have?

Why do you need it?

Also the input flow from the client is on port 2/1 and the output is also 2/1 -> this is one-armed behavior even if you have 2 interfaces?

How do you explain that the CSS goes to the server via port 2/1 and the server responds on port 1/2?

Gilles.
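
The flow table quoted in this thread can be checked mechanically. The following is an added example, not part of the original posts or of Cisco's tooling: it parses rows in the quoted `show flows` column order, pairs the client request with the server's return flow, and reports whether the request enters and leaves on the same port and which address the server replied to. The function and field names are hypothetical, and reading the return flow's destination as the source address the server saw (and therefore logged) is an assumption.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport nat_dst proto in_port out_port")

# The two flow entries quoted in the thread, in the column order of its header.
SAMPLE = """\
149.132.1.4 80 149.132.21.3 18360 149.132.56.143 TCP 1/2 2/1
149.132.56.143 2281 149.132.1.30 80 149.132.1.4 TCP 2/1 2/1
"""

def parse_flows(text):
    """Parse whitespace-separated flow rows; skip the header and blank lines."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not (f[1].isdigit() and f[3].isdigit()):
            continue  # header, blank line, or malformed row
        flows.append(Flow(f[0], int(f[1]), f[2], int(f[3]), *f[4:]))
    return flows

def analyse(flows, service_port=80):
    """Pair each client->VIP flow with the server's return flow and report NAT effects."""
    findings = []
    for req in (f for f in flows if f.dport == service_port):
        # Return flow: sourced from the real server, NATed back to the original client.
        ret = next((f for f in flows if f.src == req.nat_dst
                    and f.sport == service_port and f.nat_dst == req.src), None)
        findings.append({
            "client": req.src,
            "vip": req.dst,
            "server": req.nat_dst,
            # Request enters and leaves the CSS on the same port (one-armed path).
            "same_port_in_out": req.in_port == req.out_port,
            # Assumption: the address the server replies to is the source it saw.
            "server_sees": ret.dst if ret else None,
            "client_nat": ret is not None and ret.dst != req.src,
        })
    return findings

if __name__ == "__main__":
    for finding in analyse(parse_flows(SAMPLE)):
        print(finding)
```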
