
Third Party reporting-referrer address

bjames
Level 5

Hi,

We are running redundant CSSs in one-armed mode, and we use the group command. We have one group of servers that has content from third parties (search engines). Since putting the group command on (to correct one issue), the source address is now being changed by the CSS (which is correct); however, when the link on the internal web servers is clicked, the third party gets the report and the referrer address shows up as the VIP, not the Internet user.

Is there any way to get this original source address back or into the packet(s) that hit the web server so as to send to the third party?

Thanks in advance

4 Replies

Gilles Dufour
Cisco Employee

No - there is no way if you use the group.

That's the problem with one-armed design.

We try as much as we can to recommend not to use one-armed design unless there is really no other way to do so.

In your case, you can get rid of the group command if you make sure the CSS sees the server response.

This can be done if the CSS is the default gateway of the server or if there is a device doing policy routing to redirect the response to the CSS.

Regards,

Gilles.

Gilles,

Thanks for your response, this is what I figured. I assume that in a non-one-armed config, the source address would still be present and the CSS would just flow the traffic.

As far as the default gateway, would the CSS not strip the source address anyway regardless if it's the default gateway or not?

Thanks

If the CSS is the default gateway for the servers, then there is no need of the group configuration.

Without the group, the CSS does not modify the client ip address.

Gilles.

If you're not aware, there is a gotcha not using groups. You cannot access the server from a client address on the same subnet. Without the group the packet will be forwarded to the server (via a VIP on the CSS). The server will see the client address as being on the same subnet and will try to send the data directly and not through the CSS. Obviously this gets rejected by the client as it doesn't have a matching TCP session. As long as the source is on a different subnet to the server there is no problem.

Tony
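The return-path behaviour discussed in the replies above can be modelled in a few lines. This is an added example, not code from the thread or from Cisco: the addresses are constructed, `simulate` is a hypothetical name, and source NAT to the VIP stands in for the group behaviour the original poster describes.

```python
import ipaddress

# Constructed addresses for illustration (not from the thread).
SERVER_NET = ipaddress.ip_network("10.1.1.0/24")
VIP = "10.1.1.100"       # virtual IP owned by the load balancer
SERVER = "10.1.1.10"     # real server behind the VIP
ROUTER = "10.1.1.1"      # ordinary router on the server subnet


def simulate(client_ip, source_nat, gateway_is_lb=False):
    """Trace one request/reply through the load balancer (hypothetical model).

    Returns (source address the server logs, True if the client accepts the reply).
    """
    # Request: the load balancer rewrites the destination VIP -> SERVER.
    # With source NAT it also replaces the client address with its own.
    seen_by_server = VIP if source_nat else client_ip

    # Reply: the server routes toward the address it saw as the source.
    default_gw = VIP if gateway_is_lb else ROUTER
    if ipaddress.ip_address(seen_by_server) in SERVER_NET:
        next_hop = seen_by_server   # on-link: delivered directly
    else:
        next_hop = default_gw       # off-link: handed to the default gateway

    # Only a reply that crosses the load balancer gets its source rewritten
    # SERVER -> VIP, which is what the client's TCP session expects.
    reply_src = VIP if next_hop == VIP else SERVER
    return seen_by_server, reply_src == VIP


if __name__ == "__main__":
    cases = [
        ("one-armed, source NAT, remote client", "203.0.113.7", True, False),
        ("one-armed, no NAT, remote client", "203.0.113.7", False, False),
        ("LB is gateway, no NAT, remote client", "203.0.113.7", False, True),
        ("LB is gateway, no NAT, same-subnet client", "10.1.1.50", False, True),
    ]
    for label, client, nat, gw in cases:
        logged, ok = simulate(client, nat, gw)
        print(f"{label}: server logs {logged}, client accepts reply: {ok}")
```

The first case keeps the session working but the server only ever logs the VIP; the last case is the same-subnet gotcha, where the true client address is preserved but the reply bypasses the load balancer.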
