03-20-2004 06:30 AM
Hi,
We are running redundant CSSs in one-armed mode, and we use the group command. We have one group of servers that has content from third parties (search engines). Since putting the group command on (to correct one issue), the source address is now being changed by the CSS (which is correct); however, when the link on the internal web servers is clicked, the third party gets the report and the referrer address shows up as the VIP, not the Internet user.
Is there any way to get this original source address back or into the packet(s) that hits the web server so as to send to the third party?
Thanks in advance
03-21-2004 12:26 AM
No, there is no way if you use the group.
That's the problem with one-armed design.
We try as much as we can to recommend not to use one-armed design unless there is really no other way to do so.
In your case, you can get rid of the group command if you make sure the CSS sees the server response.
This can be done if the CSS is the default gateway of the server or if there is a device doing policy routing to redirect the response to the CSS.
Regards,
Gilles.
03-21-2004 08:08 AM
Gilles,
Thanks for your response, this is what I figured. I assume that in a non one armed config, the source address would still be present and the CSS would just flow the traffic.
As far as the default gateway, would the CSS not strip the source address anyway regardless if it's the default gateway or not?
Thanks
03-22-2004 12:50 AM
If the CSS is the default gateway for the servers, then there is no need for the group configuration.
Without the group, the CSS does not modify the client ip address.
Gilles.
03-22-2004 08:41 PM
If you're not aware, there is a gotcha in not using groups. You cannot access the server from a client address on the same subnet. Without the group the packet will be forwarded to the server (via a VIP on the CSS). The server will see the client address as being on the same subnet and will try to send the data directly and not through the CSS. Obviously this gets rejected by the client as it doesn't have a matching TCP session. As long as the source is on a different subnet to the server there is no problem.
Tony
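The trade-off discussed in this thread (group hides the client address; no group breaks any flow whose reply bypasses the CSS) can be modelled as below. This is an added example, not code from any poster or from Cisco; the addresses, `trace_flow` and `audit` are constructed for illustration, and `lb_is_gateway` stands for either the CSS being the servers' default gateway or policy routing sending replies through it.

```python
import ipaddress

VIP = "192.0.2.10"            # constructed sample VIP on the load balancer
SERVER_NET = "10.1.1.0/24"    # constructed sample server subnet

def trace_flow(client, use_group, lb_is_gateway, server_net=SERVER_NET):
    """Return (source address the server sees, True if the session works)."""
    client_ip = ipaddress.ip_address(client)
    if use_group:
        # Source NAT: the server sees the VIP and replies to the load
        # balancer, so the session works but the client address is lost.
        return VIP, True
    if client_ip in ipaddress.ip_network(server_net):
        # Same subnet, no group: the server replies directly to the client,
        # which has no TCP session with the server's real address.
        return str(client_ip), False
    # Off-subnet client, no group: the reply follows the server's default
    # route and only works if that path crosses the load balancer.
    return str(client_ip), lb_is_gateway

def audit(clients, use_group, lb_is_gateway):
    """Summarise which sample clients break and which lose their address."""
    report = {"broken": [], "address_hidden": []}
    for c in clients:
        seen, ok = trace_flow(c, use_group, lb_is_gateway)
        if not ok:
            report["broken"].append(c)
        if seen != c:
            report["address_hidden"].append(c)
    return report

if __name__ == "__main__":
    clients = ["198.51.100.7", "10.1.1.50"]   # Internet user, same-subnet host
    for group, gw in [(True, False), (False, False), (False, True)]:
        print(f"group={group} lb_is_gateway={gw} ->", audit(clients, group, gw))
```

Only the last combination keeps the Internet user's address visible to the server (and so to access logs and third-party reports) while the session still works; the same-subnet client remains broken without the group.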