Re: CSS11503 - Must Return Flow Pass Through CSS?

ebanksdhhs · ‎04-27-2004

I'm tired; I hope this makes sense.

I have a CSS11503 I'm trying to get set up to load-balance a couple of web servers.

At the moment, I don't have the back-end web servers plugged into the CSS directly. They have other L2 devices back there, in between the CSS and the servers themselves. To be brief, nothing's working through the VIP. I can hit the VIP with a browser. I can see from debugging flows on the CSS that the VIP registers a flow from my client to the VIP, and then from my client to one or the other of the backend web servers...but I never see anything returned to my browser.

I have a feeling that if CSS doesn't see the return HTTP traffic, the connection I made to the VIP will be broken. Without getting into what all is in between the CSS and the backend servers, I can say that the return flow isn't making it back to the CSS box at the moment. Can someone confirm that the return flow has to go through CSS?

This must seem like an obvious question, but I'm so burnt right now I just need a sanity check.

jfoerster · ‎04-27-2004

HI,

you are absolutely right.- The CSS needs to see the retuern flow. In any other case the originating flow could be a DOS and therefore the CSS drops it. Easiest way to solve this is either to do source-nat on the CSS (your web-app needs to support this and logging won't tell you which client hits the web-app) or configuring the GW towards the clients at the servers pointing at the CSS.

Hope that helped.

Regards,

Joerg

Gilles Dufour · ‎04-28-2004

Joerg is correct.

The CSS must see the return traffic - a little bit like a stateful firewall.

Gilles.

Marcin Zgola · ‎03-05-2015

Hey Gilles, you still available? i have a question to ask about CSS. it seems like you are an expert :)..

Thanks let me know.

CCIE 18676