scottmcgillivray
Beginner

Hairpinning on CSS 11503 when using source groups?

Hi

I'm not sure if my terminology is correct when using hairpinning, but I was wondering if there is any special config needed when you try to access a content rule VIP from a server that's configured as a member of a source group on the same CSS?

So say I have a content rule with a VIP 20.20.20.20 and I also have two servers 192.168.1.1 and 192.168.1.2 that are part of a source group with VIP of 20.20.20.21. My problem at the moment is if from the servers 192.168.1.x I try to ping the other VIP 20.20.20.20 that's configured on the same CSS then it doesn't work and ping fails. The same happens with HTTP traffic to the 20.20.20.20 VIP.

I would have thought that the NAT of the source group would happen before the routing, so the 192.168.1.x IPs would be NATted to 20.20.20.21 and then passed over for routing, where the CSS would see that the VIP 20.20.20.20 is local and it would send it on its way.

I thought it might be ACL related, but I increased the verbosity of ACL logging and couldn't see anything in the logs.

The source group works fine on its own and from the CSS itself I can ping the 20.20.20.20 VIP fine. It just seems that from the source group members I can't ping the VIP.

Any ideas or pointers appreciated.

Thanks

Scott

1 REPLY 1
Daniel Arrondo Ostiz
Cisco Employee

Hi Scott,

Before making any comments, I would like to see your full configuration. Depending on how things are set up, this behaviour could be normal.

If you are concerned about the confidentiality of your configuration, you can always open a TAC case instead to have it investigated further.

Regards

Daniel