CSS Source IP address Missing

Server A, Server B, Server C are connected directly to CSS (Network Address 192.168.XX.XX). clients access the servers through Internet and get connected as well as load balanced. But our servers are unable to track the source IP address of the clients logging through Internet. Is there any configuration where servers can track the source IP address.

Hi,
The CSS would be doing source NATing if you have a group configured with "add destination service".
This is needed to prevent asymmetric flows, but if the servers are directly connected to the CSS, there would be no asymmetric flows, hence you can get rid of the group and the CSS will start sending traffic to the server with original client's IP.
Configure the CSS as the default gateway of your servers to make sure they wont bypass the CSS on the way back.
Hope it helps!!
Diego M.

Similar Messages

  • Redirect based on source IP address????

    I have a site that I don't want our competitors to view! By
    tracking code, I have managed to obtain their source IP addresses.
    After looking around, there is a .php solution to my problem
    but my host is not well suited to .php files (although it does some
    processing).
    My pages are in .shtml (to process css drop-down menus
    correctly) and I understand that this attached code, if put at the
    top of the page before anything else, will work.
    I have managed to get one working
    http://www.donbur.co.uk/gb/newindex.php
    but am having difficulty getting this code to work elsewhere.
    The problem is, when I try to put this code into either a
    template or as an include, it won't process correctly or the page
    won't render at all.
    Do I have to use .php files or can I insert php script into
    an .shtml document.
    Getting really confused now.... HELP

    Thanks for the constructive advice...
    quote:
    >After looking around, there is a .php solution to my
    problem but my host is not well
    >suited to .php files (although it does some processing).
    What does this mean? Does your hosting plan include php
    support or not?
    You can't just put a php script into any page. It needs to be
    a .php page or you need to reconfigure the server to parse other
    pages for php. But if your hosting plan doesn't support php then it
    won't work in any case.
    My host is BT Internet and they claim not to process .php
    files which is why our main .php site is hosted elsewhere; however,
    it seems that, although it has difficulty (to clarify: doesn't
    render) with main full scripts, it does seem to process simple
    <?php echo commands for example.
    It has been suggested on another forum that the .shtml files
    are set to be recognised by .php in the cpanel but our host will
    not do this...
    Our competitors are not particularly smart or up-to-date and
    this would have been reasonably effective; however, I bow to better
    judgement and close this topic.

  • Load balancing based on source IP address

    Hi,
    I configured a CSS to balance the load depending on source IP address to suppport a application feature in the server.
    We have two firewalls and behind we have different users. We have also two servers behind the CSS.
    Firewalls perform NAT with a unique outside IP address. So, for example, in these conditions the CSS balances requests coming from FW 1 to server 1 and requests coming from FW 2 to server 2. Is it correct this scenario?
    Is it possible that requests coming from FW 1 could be forwarded to Server 2 and viceversa?
    Could anyone answer me?
    Thanks in advance.
    Best regards.
    Giuseppe.

    Giuseppe,
    it all depends on how you configured your CSS.
    Did you use an ACL to force traffic from SRC1 to server1 and traffic from SRC2 to server2 ?
    Or did you simply configure sticky based on source ip or a source ip hash loadbalancing ?
    Except the ACL, all other methods do not guarantee that the traffic will be splitted in 2.
    Gilles.

  • Route call based on source IP address

    Hello Guys,
    Is there a way to route calls based on source IP address?
    I want to redirect calls to specific queues based on the ip of the phone who's starting it.
    Any ideas?
    Thanks in advance.
    Filipe Leite                  

    Hi Filipe
    I'm assuming here that you are using CallManager rather than CME?
    One option might be to use the 'device mobility' feature to assign a specific CSS to devices based on their IP subnet. That CSS could have the appropriate partitions to route to a seperate trigger that directs calls to a separate CSQ.
    Of course, whether you can do this depends on whether it would be appropriate to override the device CSS in this way.
    Aaron

  • Doing Source IP address NAT. Using 1 address vs using many

    I have a few implimentations where I am using source groups to do NAT on the client's source IP address. It is possible to always translate the source IP address to the same one, or to have it be different depending on the content rule you hit.
    Is there any advantage of one over the other?

    Thanks for the thoughts. I am aware of the content rule limitation, and actually, (depending on your definition of PAT vs NAT) the CSS can do NAT of the source IP address using source groups and an ACL. It can translate the source IP address of an incoming packet from a client into a different IP address. You don't really have a pool of addresses like you do on a Cisco router, you can specify a single IP address to translate the source address to, or different ones depending on the content rule you hit, so it is kind of like NATing with overload on a router. I am doing it now.
    The basic steps for doing NAT on the source(I.E.-Client's) IP address are:
    group [groupx]
    ip address [source address you want to change client IP to]
    active
    acl 1
    clause 10 permit any any destination [VIP of content rule] sourcegroup [groupx]
    apply circuit-(VLANx)
    If the inbound packet on VLANx matches all the criteria in the clause statement, the "sourcegroup" part of the clause statement links you to the ip address that you want to NAT your client's source address to.
    You can build on this and make it as fancy as you like, even translating the source address to different addresses depending on the content rule you hit. I'm just wondering if there is an advantage of using many different IP addresses over using just one.

  • CSMARS Source IP address

    I have a CSMARS box with the following rules set to send me an e-mail if they are triggered.
    System Rule: Password Attack: Remote VPN Access - Attempt
    System Rule: Password Attack: Remote VPN Access - Success Likely
    System Rule: Password Attack: System - Attempt
    My ASA authenticates against my ACS server. If I test any of the rules from our inside network address space CSMARS gives me the correct source IP addresses. However, if I run the same test from our outside IP address block my source address is displayed as 0.0.0.0. If I look at the " Failed Attempts" logs on the ACS server the correct source address is displayed. I'm wondering what I'm missing in order to have CSMARS display the correct source address.

    When you look at the acs logs for failed attempts, both the internal and external failures are in the same file and identically formatted?

  • Maintaining source IP address

    We want to configure IIS to allow web calls only from particular IPs and ranges.
    However once the traffic is balanced through the CSS the CSS becomes the source IP. Is there a setting on the CSS that will cause it to pass through the source IP address?

    Question was answered in previous conversation.
    Thanks

  • IIS Logs display CSS11501 IP address instead of external source IP address.

    (FW)---(CSS11501)---(SERVERS)
    Basic configuration, everything on VLAN1. Servers in web farm are logging attacks, etc. Source IP address all show the CSS instead of the originating IP address coming from the outside.
    What do I need to add/change to allow servers to see the actual IPs from the outside?

    Yes, inline configuration. FW connects to L2 switch crossed over to CSS, Servers are connected to CSS ports directly. However the servers Default Gateway is the FW not the CSS, that is what I believe I need to change in order for it to work, is that correct, or is there something else?
    Example:
    circuit VLAN1
    ip address x.x.x.x x.x.x.x
    owner xyz
    address "xyz"
    content rule.100.https
    protocol tcp
    port 443
    url "/*"
    add service serv.1.https weight 1
    add service serv.2.https weight 2
    add service serv.3.https weight 3
    vip address x.x.x.100
    application ssl
    advanced-balance ssl
    sticky-mask 255.255.255.0
    sticky-inact-timeout 15
    dnsbalance roundrobin
    balance srcip
    active
    group source.100
    vip address x.x.x.100
    add destination service serv.1.https
    add destination service serv.2.https
    add destination service serv.3.https
    active

  • Source Ip Address of Logging Sendmail

    Hi,
    I'm looking for a way to configure a specific Circuit Vlan #'s Ip Address as source ip address of log messages sent as result of the "logging sendmail" command. (at the moment Sw Version: 7.30).
    Does anyone know a way get it ?
    Thanx in advance !
    Francesco

    Francesco,
    This info will come from the mgt ip address assigned on the CSS. You would need to change the mgt ip address on your box which will sendmail will then use:
    Like this:
    CS503# config
    CS503(config)# b
    boot Enter BOOT configuration mode
    bridge Bridge parameters
    bypass Configure Bypassed Service Action
    CS503(config)# boot
    CS503(config-boot)# ip address ?
    Of the form a.b.c.d
    CS503(config-boot)# ip address
    Keep in mind that you do not want to use a circuit ip address range already being used on your CSS.
    Regards
    Pete..

  • Tracing TCP Source/Destination Addresses/Ports for ongoing connections

    On Solaris 10 U4 through U7, I'm trying the following just to perform basic tracking of TCP source/destination addresses and ports, using code similar to what is available in tcpsnoop_snv and tcptop_snv.
    The odd thing is that the addresses/ports appear to be zeroed out - are they being cached outside of the conn_t data structure?
    #!/usr/sbin/dtrace -Cs
    #pragma D option switchrate=10hz
    #pragma D option bufsize=512k
    #pragma D option aggsize=512k
    #include <sys/file.h>
    #include <inet/common.h>
    #include <sys/byteorder.h>
    #include <sys/socket.h>
    #include <sys/socketvar.h>
    /* First pass, for all TCP Read/Write actions, collect source/destination
       IP + Port - after a few secs, print them all out */
    fbt:ip:tcp_send_data:entry
      /* Outgoing TCP */
      self->connp = (conn_t *)args[0]->tcp_connp;
    fbt:ip:tcp_rput_data:entry
      /* Incoming TCP */
      self->connp = (conn_t *)arg0;
    fbt:ip:tcp_send_data:entry,
    fbt:ip:tcp_rput_data:entry
    /self->connp/
      /* fetch ports */
    #if defined(_BIG_ENDIAN)
      self->lport = self->connp->u_port.tcpu_ports.tcpu_lport;
      self->fport = self->connp->u_port.tcpu_ports.tcpu_fport;
    #else
      self->lport = BSWAP_16(self->connp->u_port.tcpu_ports.tcpu_lport);
      self->fport = BSWAP_16(self->connp->u_port.tcpu_ports.tcpu_fport);
    #endif
      /* fetch IPv4 addresses */
      this->fad12 =
        (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[12];
      this->fad13 =
        (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[13];
      this->fad14 =
        (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[14];
      this->fad15 =
        (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[15];
      this->lad12 =
        (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[12];
      this->lad13 =
        (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[13];
      this->lad14 =
        (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[14];
      this->lad15 =
        (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[15];
    /* At this point, this->{f|l}ad1{2345}->connua_v6addr.connua_{f|l}addr._S6_un.S6_u8
        are empty - where is this data? */
    }

    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.50/command/reference/CmdGrpC.html#wp1139667
    portmap [base-port base_number|disable|enable|number-of-ports number|vip-address-range number]
    disable
    Instructs the CSS to perform Network Address Translation (NAT) only on the source IP addresses and not on the source ports of UDP traffic hitting a particular source group. This option does not affect TCP flows.
    For applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups. Destination services cause the CSS to NAT the client source ports, but not the destination ports.
    Note If you disable flows for a UDP port using the flow-state table and configure the portmap disable command in a source group, traffic for that port that matches on the source group does not successfully traverse the CSS.
    The CSS maintains but ignores any base-port or number-of ports (see the options above) values configured in the source group. If you later reenable port mapping for that source group, any configured base-port or number-of ports values will take effect. The default behavior for a configured source group is to NAT both the source IP address and the source port for port numbers greater than 1023.
    There is no possibility to disable it for TCP.
    We need to source nat the port to guarantee that the server response comes back on the same module/CPU and the internal packet allocation algorithm is based on src and dst ports.µ
    Gilles:

  • In iMovie: I open a project that has been finalized. source fragment is missing. I see a yellow triangle with exclamation mark. Why is that and how do I solve the problem?

    in iMovie:
    I open a project that has been finalized. source fragment is missing. I see a yellow triangle with exclamation mark. Why is that and how do I solve the problem?
    please help.
    J. Aalbers

    Shouldn't really be the MPE at fault here ... what is the codec of the footage/sequence/project?
    Second, can you create a new project in PrPro, then in the media browser, import that sequence from the other project?

  • Moving and copying events and projects to an external hard drive using Imovie09-Source clip is missing

    Some background on what I am doing is importing all of my home video into an event in IMovie. Since DVD's can only hold about 2 hours of footage, I am making a new project for each 2 hours so I can burn the footage onto a DVD. I want to make space on my internal hard drive so I am trying to move the projects that are completed to an external drive. Because I also don't want to lose any footage I have imported into the event I am also copying the home video event to the external drive. (didn't want to move it yet until I know what i am doing, just in case it is lost somehow).
    I tried moving a project to the external drive (it was a slideshow for my daughters first birthday which contained photos and video clips from the event that was already copied to the external drive). The project did move to the external hard drive but on the video clips there is a yellow triangle that says source clip is missing. I am moving and copying from within Imovie and NOT the finder so I don't understand why it says the clip is missing when it is definitely a part of the event that is already on the external drive.
    What is interesting is the source clip is missing error showed on the first birthday project but it did NOT show as an error when I moved the 2 hour home video project. (All of the video in these projects are coming from the same home video event)
    I am trying to make sure that when I move the projects permanently off the internal hard drive and onto the external drive, that I am not losing any part of my projects. I want to be able to easily move them back and forth if needed without any missing files.
    Any suggestions as to why I am still receiving the yellow triangle?

    As I can't see what you are doing, I can't tell you what you might be doing wrong.
    You could try trashing the preferences.
    Many weird things happen as a result of corrupt preferences which can create a vast range of different symptoms, so whenever FCP X stops working properly in any way, trashing the preferences should be the first thing you do using this free app.
    http://www.digitalrebellion.com/prefman/
    Shut down FCP X, open PreferenceManager and in the window that appears:-
    1. Ensure that only  FCP X  is selected.
    2. Click Trash
    The job is done instantly and you can re-open FCP X.
    There is absolutely no danger in trashing preferences and you can do it as often as you like.
    The preferences are kept separately from FCP X and if there aren't any when FCP X opens it automatically creates new ones  .  .  .  instantly.

  • Ip igmp snooping querier on Nexus, what source IP address to use?

    Am looking at a problem with servers in the same vlan across multiple switches that are unable to communicate using multicast. I have found that in the systen I'm to set up I need to apply the ip igmp snooping querier command, in the vlan, but it needs a source IP address.
    Different documents make conflicting recommendations for this address, one suggests that any unused address will do, another suggests to use the IP address that is configured on the SVI for the vlan.
    Which is correct?

    Eventually I had to ask Cisco TAC, the response was that any IP address within the subnet could be used. The recommendation was to allocate an unused address in the vlan subnet for this purpose, use the same address on multiple switches should resiliance be required.

  • Prelude source file is missing

    Hi...
    I'm trying to add preludes at both the module and member level to a C++ GUI project.... and keep getting this annoying error "Code editing problem: the prelude source file is missing".
    Has anybody solved this one ?
    I can't find a way to generate such a file, although I found a template for such a file under the examples. I can workaround it by deleting my main source.cpp file and regenerating it... as long as I keep saving the .dt file I don't seem to lose any of my preludes.....
    Thanks.... Marty

    It is ZEBS (Electronic up load of bank statement)
    Regards,
    Chansa

  • ISCSI Initiator favourites revert to using the IPv6 or the apipa IP address from other NICs instead of the source IP address that I specified

    Windows 2008 R2
    ISCSI Initiator favourites revert to using the IPv6 or the apipa IP address from other NICs instead of the source IP address that I specified. 
    When I manually connect to multiple targets and specify the correct ISCSI source IP address, I check the favourites and everything looks okay. But when the server is rebooted I check the favourites again and the source IP is now referencing the IPv6 and
    sometimes the apipa address. 
    I have unbound IPv6 from the ISCSI NICS but this has made no difference.
    Can anyone explain why this is happening?
    Although the server still reconnects to the storage oaky, I’m concerned that if a path goes down that is might try to use the wrong interface to re-establish a connection.
    Thanks.  

    Hi,
    IPV6 is supported with MS iSCSI. Do you have Multiple Connections per Session (MCS) configured? Is your storage configured to use both IPv4 and IPv6?
    If yes, please see if http://support.microsoft.com/kb/2014131 helps.
    Hope this helps.
    We
    are trying to better understand customer views on social support experience, so your participation in this
    interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

Maybe you are looking for