
CSS 11503 hides client IP

AlexUglev
Level 1

The customer uses a pair of CSS 11503s for load balancing traffic destined to the application servers. Server administrators want to know the IP addresses of the clients who initiate sessions to the servers. They make SQL queries from the servers to find the client IP address, but they see the CSS IP address instead of the client IP address in the answers to these queries. It looks like the CSS hides the IP addresses of the clients from the server. Could you share your opinion on why this happens?


9 Replies

Kanwaljeet Singh
Cisco Employee

Hi Alex,

The CSS hides the source IP of the client because of the configuration of source groups with add destination services (each service in each content rule is added to a source group as an add destination service). This is done when the setup is such that the server's default gateway is not the CSS and/or the server's return traffic does not pass back through the CSS. So, the topology needs to be re-examined if you require the client's source IP to be maintained. The server's response must go through the CSS, either by setting the server's default gateway to the CSS or by using routing on the server.

For more details on source groups please visit the below link:

http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/data_center_app_services/css11500series/v8-10/configuration/content_lb/guide/cntlbgg/SGrp.html#wp1150075

ACE and other LBs have the capability to insert the client IP in an HTTP header using X-Forwarded-For, but it is NOT supported on the CSS. I came across another discussion and checked internally.

https://supportforums.cisco.com/discussion/10070981/x-forwarded-css-11501

Regards,

Kanwal


Hi Kanwal,

Thank you for the quick answer. But there is no source group with "add destination service" in the CSS configuration output. What else can we check?

Hi Alex,

Can you share the interesting configuration you have? Is it an L4 or L5 content rule? Normally, the CSS should not hide the client IP address and use its own unless you have source groups configured.

Regards,

Kanwal

Hi Kanwal,

I need to get permission for that. I'll speak with the customer next Monday. We have an L4 content rule.

Hi Colleagues,

I attach a partial configuration from both CSSs. The IP addresses of the app servers are 10.x.x.132 and 10.x.x.133. Three different VIPs are configured on the CSS: 10.x.x.12, 10.x.x.16 and 10.x.x.17. Consider two cases:

1) When clients establish a session with VIP 10.x.x.12, traffic is load balanced between the servers (10.x.x.132 and 10.x.x.133). L4 content rules are used. Server administrators see VIP 10.x.x.12 instead of the client IP for these sessions.

2) VIPs 10.x.x.16 and 10.x.x.17 are for administration needs; traffic is NOT load balanced and goes only to a particular server (10.x.x.132 or 10.x.x.133). L3 content rules are used. Server administrators see the client IP for these sessions.

There are two source groups on the CSS with the "add service" option, but VIP 10.x.x.12 is not in them.

The customer wants to see the client IP on the server side in both cases and asks us how to achieve this. Is it possible on the CSS 11503?

Hi Alex,

With the configuration attached, the CSS should not do source NAT for the clients coming to VIP x.x.x.12. Is it possible to get a packet capture from the server to see what exactly we see there? Is it possible to get the complete configuration? If it is not possible to get either of the two, I would suggest opening a case with TAC for further investigation. That way you can send any information requested and not worry about anything.

Regards,

Kanwal

Hi Kanwal,

Thank you for the help. I'll ask the customer about the possibility of a packet capture on the server side. I think that source NAT is not the reason for the issue. Is it possible that the CSS answers some queries itself with its own IP address instead of sending them further, for security reasons?

Hi Alex,

If the query is destined for the CSS IP itself, it will answer it with its own IP, but if the query is destined for the VIP, then the CSS will look at the rules etc. and take a decision. Maybe we should take all details from the customer to see what exactly is happening.

Regards,

Kanwal

Alex Rickard
Level 1

The CSS performs NAT by using source groups and either "add destination service" or "add service". For NAT on server-initiated connections, "add service" is used. Do you have any source groups that have the services in question added to them?
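As an added illustration of the two points made in this thread (Kanwal's explanation that a source group with "add destination service" rewrites the client source address, and Alex Rickard's distinction between "add destination service" and "add service"), here is a CSS source-group configuration that hides the client IP, beside the form that preserves it. This is example configuration written for this note, not the customer's configuration attached above; the service names, the 10.0.0.x addresses and the CSS gateway address are assumptions.

```text
! --- Case A: client IP is HIDDEN from the servers (added example, hypothetical addresses) ---
service app-132
  ip address 10.0.0.132
  protocol tcp
  port 80
  active

service app-133
  ip address 10.0.0.133
  protocol tcp
  port 80
  active

owner customer
  content app-l4
    vip address 10.0.0.12
    protocol tcp
    port 80
    add service app-132
    add service app-133
    active

! This source group is what replaces the client's source address with the
! group VIP (10.0.0.12) before the packet is forwarded to app-132/app-133.
! It is normally added precisely so that servers whose default gateway is
! NOT the CSS still return traffic to the CSS; the price is losing the
! client IP on the server.
group app-snat
  vip address 10.0.0.12
  add destination service app-132
  add destination service app-133
  active

! --- Case B: client IP is PRESERVED ---
! Same services and the same content rule as above, but no source group
! containing "add destination service" for app-132/app-133.  Client packets
! then reach the servers with their original source address, so the server
! return traffic must be routed back through the CSS: set each server's
! default gateway to the CSS circuit address (assumed here to be 10.0.0.1)
! or add routes for the client networks via 10.0.0.1 on the servers.
!
! Note: a source group that only contains "add service app-132" (without
! "destination") NATs connections the SERVER initiates, not the client
! traffic arriving on the content-rule VIP, so it cannot explain a hidden
! client IP in Case A.
```

To confirm which case a CSS is in, check "show group" and "show running-config" on both chassis for any group that lists the servers of the affected content rule as add destination services; if none exists and the client IP is still replaced, a packet capture on the server (as suggested above) is the next step, since the CSS should then be forwarding the original source address.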
