08-02-2009 06:36 PM
I have a frontend subnet 10.2.2.0/24 (has the VIPs) and a backend subnet 10.1.1.0/24 (contains the physical servers).
VIP Address for WEB service is 10.2.2.4 (in the frontend subnet)
The destinations are 10.1.1.70, 71, 72 (on the backend subnet)
The source server is 10.1.1.200
External servers can connect to 10.2.2.4 fine and see the traffic as from that IP only.
However, when the source server IP is in the same subnet as the destination servers, it is unable to connect to the VIP.
It will send the initial SYN packet to 10.2.2.4, but receives back a packet from the IP of the destination servers (i.e. 10.1.1.70, 71, 72).
Because this packet doesn't match the original request it fails to connect.
I tried adding a group with the VIP and the same destination services, but this forces all connections to the destination services to look like they are coming from the VIP address of 10.2.2.4. I want the services to see it coming from the original IP only.
group WEB
vip address 10.2.2.4
add destination service WEB-01
add destination service WEB-02
add destination service WEB-03
08-02-2009 11:39 PM
I don't know CSS, but I think it may be a NAT issue. Try to NAT the source server.
Hope this helps.
Andrea.
08-03-2009 02:01 AM
You can create an ACL to apply the group only to those devices that need to be NATed.
group WEB
vip address 10.2.2.4
active
acl 1
clause 10 permit any host 10.1.1.200 destination content
clause 99 permit any any destination any
apply circuit-VLANXXX
Gilles.
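
Added example, not part of the thread and not Cisco code: a small Python model of the return path discussed above, using the thread's addresses. It shows why the same-subnet client fails, and why limiting the source group to that client with an ACL keeps the original IP visible for everyone else. The `nat_policy` parameter, the external client `192.0.2.10`, and the premise that off-subnet replies route back through the load balancer are assumptions of the model.

```python
import ipaddress

VIP = "10.2.2.4"                                   # from the thread
BACKEND_NET = ipaddress.ip_network("10.1.1.0/24")  # from the thread

def source_seen_by_server(client, nat_policy=None):
    """Source address the real server sees on the incoming SYN.

    nat_policy (hypothetical parameter): None = no source group,
    "all" = group applied to every client, or a set of client IPs
    selected by an ACL.
    """
    natted = nat_policy == "all" or (nat_policy is not None and client in nat_policy)
    return VIP if natted else client

def syn_ack_at_client(client, real_server, nat_policy=None):
    """(src, dst) of the SYN-ACK as it arrives at the client."""
    reply_dst = source_seen_by_server(client, nat_policy)
    if ipaddress.ip_address(reply_dst) in BACKEND_NET:
        # On-link destination: the server answers directly, the load
        # balancer never sees the reply, so its source is not rewritten.
        return (real_server, reply_dst)
    # Off-subnet destination: the reply is routed back through the load
    # balancer (model assumption), which restores the VIP as source.
    return (VIP, client)

def connects(client, real_server, nat_policy=None):
    """The client accepts the SYN-ACK only if it comes from the address it dialed."""
    return syn_ack_at_client(client, real_server, nat_policy) == (VIP, client)

if __name__ == "__main__":
    external = "192.0.2.10"  # constructed external client
    policies = [("no group", None), ("group, no ACL", "all"),
                ("group + ACL", {"10.1.1.200"})]
    for label, policy in policies:
        for client in ("10.1.1.200", external):
            print(f"{label:14} client={client:11} "
                  f"server sees {source_seen_by_server(client, policy):11} "
                  f"connects={connects(client, '10.1.1.70', policy)}")
```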