Sticky-srcip timeout

Similar Messages

• CSM command similar to CSS sticky-srcip-dstport

  Is there a command in the CSM similar to the CSS command sticky-srcip-dstport?
  If thre isn't...is there still a way to do something similar on the CSM?

  CSM sticky functionality with multiple SSL connections with resumption.
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml

• Exploring CSS 11503 sticky table / sticky mask

  Hi All
  I am currently undergoing some testing with a client.
  We have a VIP load balancing 8 instances. We are testing with the following configs
  content test-test
      add service a
      add service b
      add service c
      add service d
      add service e
      add service f
      add service g
      add service h
      vip address 10.10.10.1
      flow-timeout-multiplier 225
      sticky-mask 255.255.255.252
      redundant-index 1000
      port 443
      protocol tcp
      advanced-balance sticky-srcip-dstport
      sticky-inact-timeout 360
      balance leastconn
  active
  We  have traffic been sourced from 32 IP addresses and want all 8 instances  to be used/hit, but this is not happening in all instances.
  (from the above config, 4 consecutive IPs will be stuck to the same instance based on the sticky mask -- yes?)
  For instance I would expect the following: with the Test IP addresses used based on the sticky mask:
  10.120.1.168
  10.120.1.169
  10.120.1.170
  10.120.1.171 
  (to be stuck to maybe instance a)
  10.120.1.176
  10.120.1.177
  10.120.1.178
  10.120.1.179
  (to be stuck to maybe instance b)
  I have tried the following command during tests:
  show sticky-table l4-sticky ipaddress 10.10.10.1  255.255.255.252  443
  and get an empty table back.
  L4 Sticky List on Slot 1, subslot 1:
  Entries for page 1.
  Entry   Hash    Rule Rule  Srv  Srv      Time(Sec)     Hit Col  Elem Inact
  Number  Value   Indx State Indx State    Elapsed       Cnt Cnt  Type Cfg(Min)
  Total number of entries found is 0.
  L4 Sticky List on Slot 2, subslot 1:
  Entries for page 1.
  Entry   Hash    Rule Rule  Srv  Srv      Time(Sec)     Hit Col  Elem Inact
  Number  Value   Indx State Indx State    Elapsed       Cnt Cnt  Type Cfg(Min)
  Total number of entries found is 0.
  I would like to ascertain what source IP address is been stuck to what load balanced instance at any one time.
  I have tried looking at the flow table but, that clears out quite quicky so not really an accurate method.
  Thanks!

  Hi All
  I am currently undergoing some testing with a client.
  We have a VIP load balancing 8 instances. We are testing with the following configs
  content test-test
      add service a
      add service b
      add service c
      add service d
      add service e
      add service f
      add service g
      add service h
      vip address 10.10.10.1
      flow-timeout-multiplier 225
      sticky-mask 255.255.255.252
      redundant-index 1000
      port 443
      protocol tcp
      advanced-balance sticky-srcip-dstport
      sticky-inact-timeout 360
      balance leastconn
  active
  We  have traffic been sourced from 32 IP addresses and want all 8 instances  to be used/hit, but this is not happening in all instances.
  (from the above config, 4 consecutive IPs will be stuck to the same instance based on the sticky mask -- yes?)
  For instance I would expect the following: with the Test IP addresses used based on the sticky mask:
  10.120.1.168
  10.120.1.169
  10.120.1.170
  10.120.1.171 
  (to be stuck to maybe instance a)
  10.120.1.176
  10.120.1.177
  10.120.1.178
  10.120.1.179
  (to be stuck to maybe instance b)
  I have tried the following command during tests:
  show sticky-table l4-sticky ipaddress 10.10.10.1  255.255.255.252  443
  and get an empty table back.
  L4 Sticky List on Slot 1, subslot 1:
  Entries for page 1.
  Entry   Hash    Rule Rule  Srv  Srv      Time(Sec)     Hit Col  Elem Inact
  Number  Value   Indx State Indx State    Elapsed       Cnt Cnt  Type Cfg(Min)
  Total number of entries found is 0.
  L4 Sticky List on Slot 2, subslot 1:
  Entries for page 1.
  Entry   Hash    Rule Rule  Srv  Srv      Time(Sec)     Hit Col  Elem Inact
  Number  Value   Indx State Indx State    Elapsed       Cnt Cnt  Type Cfg(Min)
  Total number of entries found is 0.
  I would like to ascertain what source IP address is been stuck to what load balanced instance at any one time.
  I have tried looking at the flow table but, that clears out quite quicky so not really an accurate method.
  Thanks!

• Question about the CSS behavior when using layer 3 sticky and sticky table

  Hi everyone,
  I have a question about the CSS behavior when using layer 3 sticky and sticky table is full.
  If I configure layer 3 sticky and specify the inactivity timeout as below, how does the CSS
  handle subsequent needed sticky requests ?
  advanced-balance sticky-srcip
  sticky-inact-timeout 30
  CSS document says that
  Note:
  If you use the sticky-inact-timeout command to specify the inactivity timeout
  period on a sticky connection, when the sticky table becomes full and none of
  the entries have expired from the sticky table, the CSS rejects subsequent
  needed sticky requests.
  My question is what is the next reaction by doing the CSS if the CSS is in the
  following condition:
  when the sticky table becomes full and none of the entries have expired from
  the sticky table, the CSS rejects subsequent needed sticky requests
  Does CSS just rejects/drops subsequent needed sticky requests ?
  or
  Does CSS does not stick subsequence requests to particular service but CSS forward
  subsequence requests with round-robin basis ? which means if the sticky table is full,
  the CSS just works round-robin load balancing fashion for subsequence requests ?
  Your information would be appreciated.
  Best regards,

  Hello,
  There is a good document explaining this on Cisco web site
  http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080094b4b.shtml
  It depends if the sticky-inact-timeout is used or not. If not, it's FIFO (the oldest entry in the sticky table is removed). If yes, the CSS will reject the next sticky request.
  Rgds,
  Gaetan
  Rgds
  Gaetan

• CSS 11501 web timeout

  Hi,
  I have a CSS11501 running 8.10.0.02 software. I have 2 windows 2003 web servers that connect to a backend database. I am recieving complaints that intermittently the end user is getting a session timeout.
  I set the flow multiple to 2700 so the flow would be active for 12 hours, but when I issue the show flows command I see flow disappearing after just a few minutes.
  Is this normal behavior?
  Does my config look correct otherwise?
  service A
  ip address 192.168.248.17
  keepalive type http
  active
  service B
  keepalive type http
  ip address 192.168.248.18
  active
  !*************************** OWNER ***************************
  owner test1
  content web
  port 80
  protocol tcp
  add service A
  add service B
  vip address 192.168.248.16
  balance aca
  advanced-balance sticky-srcip
  sticky-inact-timeout 720
  flow-timeout-multiplier 2700
  active
  Thanks
  Frank

  Frank,
  if the client or the server closed the connection, it will disappear.
  Sniff the traffic on both side of the css and see which device is closing the connection.
  Don't forget that servers also come with an idle timeout which is usually far less than 12 hours.
  Gilles.

• Sticky problem

  Hi, we have an issue where the sticky tables on our CSS are too large, so that if a server fails, connections move to the rest of the farm. As the sticky table does not time out anytime soon the failed server does not get many connections when it is back online.
  Sticky-inact-timer command does not work as this only makes the entries eligible for removal.
  The content rule is a L4 on port 443, I tried to configure this as an L5 rule with arrowpoint cookies but I suspect this does not work as we are using SSL connection that is not terminated on the CSS.
  The servers themselves send a cookie ? Can I make use of this or as the connection is port 443 am I stuck ?
  Any other solutions would be much appreciated.
  cheers,
  Mike

  Mike,
  let me first say, that if you configure a sticky-inact-timeout, once the entry times out it is removed IMMEDIATELY. There is no concept of elligibility. [this for flows and garbage collection - nothing to do with stickyness].
  Here is an example
  CSS11503-2(debug)# show sticky-table l3-sticky
  L3 Sticky List on Slot 1, subslot 1:
  Entries for page 1.
  Entry Hash Rule Rule Srv Srv Time(Sec) Hit Col Elem Inact
  Number Value Indx State Indx State Elapsed Cnt Cnt Type Cfg(Min)
  1 c0a81429 5 ACT 9 EGRES 59 2 0 L3 1
  Total number of entries found is 1.
  L3 Sticky List on Slot 3, subslot 1:
  Entries for page 1.
  Entry Hash Rule Rule Srv Srv Time(Sec) Hit Col Elem Inact
  Number Value Indx State Indx State Elapsed Cnt Cnt Type Cfg(Min)
  Total number of entries found is 0.
  CSS11503-2(debug)# show sticky-table l3-sticky
  L3 Sticky List on Slot 1, subslot 1:
  Entries for page 1.
  Entry Hash Rule Rule Srv Srv Time(Sec) Hit Col Elem Inact
  Number Value Indx State Indx State Elapsed Cnt Cnt Type Cfg(Min)
  Total number of entries found is 0.
  L3 Sticky List on Slot 3, subslot 1:
  Entries for page 1.
  Entry Hash Rule Rule Srv Srv Time(Sec) Hit Col Elem Inact
  Number Value Indx State Indx State Elapsed Cnt Cnt Type Cfg(Min)
  Total number of entries found is 0.
  CSS11503-2(debug)# show sticky-table l3-sticky
  L3 Sticky List on Slot 1, subslot 1:
  Entries for page 1.
  Entry Hash Rule Rule Srv Srv Time(Sec) Hit Col Elem Inact
  Number Value Indx State Indx State Elapsed Cnt Cnt Type Cfg(Min)
  1 c0a81429 5 ACT 14 EGRES 3 1 0 L3 1
  As you can see, with a 1 min timeout, after 60 sec the entry is removed, and the next time the client comes in it is sent to a different server which creates a new entry.
  So, your problem is that you either do not have the sticky-inact-timeout, in which case you need to manually clear the sticky table when a server goes down/up, or you have the timeout configured but with a value too high so the sticky entry is never removed because always refreshed by a new connection.
  You can use 'advanced-balance ssl' without the ssl module but it only works with 1 type of ssl protocol - SSLv2 [I think] and for the other protocols it just reverts back to sticky-srcip.
  So, you should stick with sticky-srcip and just make it works correctly by setting correct parameter or by clearing the sticky table manually.
  Finally, I'd like to say that there is a known-issue with sticky-srcip in general.
  This is the use of mega-proxy on the Internet.
  A lot of people sitting behind a proxy and therefore appearing with a single ip address on the internet.
  This is known to cause un-even loadbalancing.
  That might be your problem and changing the inact-timeout would have no effect.
  This is one of the reason for a lot of people to buy the ssl module so they can use cookies.
  Gilles.

• 11503 Loadbalance SSL sticky and HTTP not sticky to proxy-cache

  I am using a 11503 to balance 200 schools traffic to 5 caches. Some of the schools have firewalls so the CSS sees their PCs as coming from a single IP. If I set the rule to balance sticky then the load is not spread evenly to the 5 proxies causing them to get overloaded from time to time.
  If I balance the load non-sticky (say leastconn) then users have trouble accessing certain SSL sites.
  Does anyone know a good solution for this?

  Hi Joerg,
  Thanks for your reply. How would you code your solution? Currently I am using the following to work around particular sites:
  service Proxy1
  ip address 10.0.0.11
  type proxy-cache
  active
  service Proxy2 ... etc
  **************************** DQL ****************************
  dql domains-no-balance
  domain www.dontbalancethissite.com
  domain ... etc
  !*************************** OWNER ***************************
  owner admin
  content Proxy-servers
  add service Proxy1
  add service Proxy2
  add service Proxy3
  add service Proxy4
  add service Proxy5
  protocol tcp
  port 3128
  vip address 10.0.0.100
  sticky-inact-timeout 5
  balance leastconn
  active
  content no-load-balance
  vip address 10.0.0.100
  advanced-balance sticky-srcip
  balance leastconn
  add service Proxy1
  add service Proxy2
  add service Proxy3
  add service Proxy4
  add service Proxy5
  protocol tcp
  port 3128
  url "/*" dql domains-no-balance
  sticky-inact-timeout 5
  Regards,
  Ben

• L3 loadbalancing based on srcip

  I've got a question regarding L3 loadbalancing based on srcip. We've got this configured on a css11501 for a terminal server farm. How long does the css remeber to wich service a thinclient is redirected by the css. And can i set a timeout for this.

  HI,
  the default value is 0 which means this feature is disabled. You can configure this with the sticky-inact-timeout compare to: http://www.cisco.com/en/US/partner/products/hw/contnetw/ps789/products_configuration_guide_chapter09186a00800d6b35.html#34248
  Regards,
  joerg

• CSS11800 - High CPU with Sticky and L3 rule

  I have a customer who wants to maintain sticky between TCP80 and TCP443, so we selected a L3 content rule.
  content L3_www.ourcustomer.com
  vip address 1.2.3.4
  sticky-mask 255.255.128.0
  add service web004
  add service web005
  add service web006
  sticky-inact-timeout 10
  advanced-balance sticky-srcip
  active
  The problem I see is that without a low inactivity timeout the CPU goes through the roof to 100%. Even with 10 minute inactivity timer it rockets to 60-80% CPU, but at least it isn't locked at 100% (which causes latency and other problems).
  The customer is pushing 12Mbps with on average 5-10K connections. No sticky rejects or collisions and plenty of FCBs available. At any time the average number of used sticky entries is 8-10K.
  I can make the CPU immediately drop like a rock to 1-10% by simply purging the sticky table or by removing sticky from the content rule. As a result I am confident the issue appears to be sticky related. I didn't find any bugs opened on this issue tho. We run sticky for quite a few customers and have rarely, if ever, seen anything like this before.
  I did some testing in production and experienced this high CPU problem with 4.01.44.s, 5.01.69s and 6.10.405 and saw it on a CSS11150 before I moved the customer to a CSS11800 where we experience the same exact issue.
  I have dozens of CSS11150s, CSS11800s, and a few CSS11500 series in production but never experienced this on any version of code before.
  Has anyone seen this before? Due to "shopping cart" issues we need to maintain persistence between 80->443 transitions so I think I am stuck with sticky and a L3 rule.
  Any thoughts would be most appreciated.
  Thanks!
  Mike

  I have also not seen an issue like this. Have you tried with changing the sticky inactivity timeout and did that help. You could find more information on how the entries are removed in the following document.
  http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080094b4b.shtml

• Can I see how long the longest entry has been in the sticky table ?

  Hi,
  I have a customer who has a possible issue with the sticky inactivity timeout on the CSS. At the moment we are using no timeout, just relying on the CSS to purge the entries.
  However, is it possible to see how long the longest entry has been in the sticky table. I can see the 'elapsed time' with the 'show sticky' command but this only shows 100 entries per time and not in time order ?
  Thanks in advance for any help

  Michael,
  You can use the command "show sticky-table" with L3 or L4 options, depending on what you have configured, then add ip addressing to the command, to focus down to where the oldest sticky entries are likely to be, but theres no other way. If your problem is having too many entries, configure a sticky timeout, as the default of 0 will keep then forever, or until overwritten due to the table being full. If the problem is sticky entries timing out too early, you can use the timeout parameter to increase their life, but the sticky table is limited to 32k entries.
  Peter

• ACE - Balance HTTP and sticky only SSL/TLS

  Hi there,
  I have a situation that I am trying to solve. We have lot of services trough ACE, but now I have to modify one of them, PROXY servers. 
  I have six (6) servers working with Sticky, but with a MASK 255.255.255.0, which produce an unbalanced situation some times, and that affect some servers on depending of how many users connected to that server. We have between 40K and 50K conns in that serverfarm, but in Sticky terms we have arround 700 /24 subnets.
  I want to modify the configuration, specificaly the MASK to 255.255.255.255, which is going to increase a lot Sticky resources. But thinking in optimize Sticky resources, I want to know if there is a way to select only e-commerce, Home Banking or other kind of SSL/TSL traffic (always using port 80 trough proxy servers), so I could use Sticky only  for connections that need it, and leave other HTTP traffic without this feature.
  I´m sorry, may be I'm doing a silly question, but don´t have the experience to make this configuration, and I will apreciate your help.
  Here is the actual configuration:
  probe tcp HTTP
    description Keepalive web servers
    interval 20
    passdetect interval 30
  rserver host Server1
    ip address 10.1.1.1
    inservice
  rserver host Server2
    ip address 10.1.1.2
    inservice
  rserver host Server3
    ip address 10.1.1.3
    inservice
  rserver host Server4
    ip address 10.1.1.4
    inservice
  rserver host Server5
    ip address 10.1.1.5
    inservice
  rserver host Server6
    ip address 10.1.1.6
    inservice
  serverfarm host PRX
    failaction purge
    predictor leastconns
    probe HTTP
    rserver Server1
      inservice
    rserver Server2
       inservice
    rserver Server3
      inservice
    rserver Server4
      inservice
    rserver Server5
      inservice
    rserver Server6
      inservice
  sticky ip-netmask 255.255.255.0 address source sticky-PRX
    timeout 60
    serverfarm PRX
  class-map match-any VIP-PRX
    2 match virtual-address 10.10.10.101 tcp eq www
  policy-map type loadbalance first-match POLICY-L7-PRX
    class class-default
      sticky-serverfarm sticky-PRX
  policy-map multi-match PRX-Balance
    class VIP-PRX
      loadbalance vip inservice
      loadbalance policy POLICY-L7-PRX
      loadbalance vip icmp-reply
  interface vlan 100
    ip address 10.10.10.11 255.255.255.0
    alias 10.10.10.10 255.255.255.0
    peer ip address 10.10.10.12 255.255.255.0
    no normalization
    access-group output SOLO-SLB
    service-policy input PRX-Balance
  Thanks
  Alexis

  You might want to check out this new product called ITD.
  Simple and faster solution:
  ITD provides :
  ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
  No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
  Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
  Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
  IP-stickiness
  Resilient (like resilient ECMP)
  VIP based L4 load-balancing
  NAT (available for EFT/PoC). Allows non-DSR deployments.
  Weighted load-balancing
  Load-balances to large number of devices/servers
  ACL along with redirection and load balancing simultaneously.
  Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
  Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
  Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
  The servers/appliances don’t have to be directly connected to N7k
  Monitoring the health of servers/appliances.
  N + M redundancy.
  Automatic failure handling of servers/appliances.
  VRF support, vPC support, VDC support
  Supported on both Nexus 7000 and Nexus 7700 series.
  Supports both IPv4 and IPv6
  N5k / N6k support : coming soon
  Blog
  At a glance
  ITD config guide
  Email Query or feedback:[email protected]

• Cisco CSS 11150 Series switch and DNS Sticky

  Hi,
  I have currently have two internet independent facing CSS11154 switches with two web server farm environment across both of them.
  I have a single URL that round robins between my internet facing links for these server farms.
  The application is based on ssl connectivity to a web farm, because of the application and need to maintain session transactions, I have needed to use “advanced-balance stick-srcip”.
  When using one leg (internet link) it works fine, no problem and visa versa.
  However, when I turn both of them on my application fails.
  Would I need to incorporate DNS Sticky to resolve my issue ?
  This is one of the configs from one of the CSS Switches, the other has a similar config different servers.
  !*************************** GLOBAL ***************************
  acl enable
  date european-date
  dns-server
  app
  app session 10.1.1.1 14 authChallenge ebe encryptMd5hash
  !************************** SERVICE **************************
  service Server01
  ip address 10.140.80.45
  port 443
  protocol tcp
  active
  service Server02
  port 443
  protocol tcp
  ip address 10.140.80.47
  active
  service Server03
  port 443
  protocol tcp
  ip address 10.140.80.53
  active
  service Server04
  ip address 10.140.80.54
  port 443
  protocol tcp
  active
  !*************************** OWNER ***************************
  owner HOME
  dns both
  content www-home.com
  vip address 192.168.0.1
  add dns www.home.com
  add service Server01
  add service Server02
  add service Server03
  add service Server04
  advanced-balance sticky-srcip
  active
  Many Thanks !
  Any view would be most helpful

  looks like you will need dns sticky indeed.
  To be 100% sure you should capture a sniffer trace of a failure.
  But most probably this is a dns sticky problem.
  Follow this link for sample configuration of dns sticky.
  http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_guide_chapter09186a0080176f6f.html
  Regards,
  Gilles.

• CSS without SSL Module needing sticky sessions

  Hello All,
  If anyone can help with this sticky situation I'd appreciate it.
  I have a customer with a CSS11501. He does not have an SSL module installed.
  He has 2 blade servers, when he adds a web site, which is accessible over SSL, the CSS load balances client requests causing lost sessions, mostly lost pop-ups, it does not want stick to the same server.
  I've configured the following:-
  service web1
  protocol tcp
  port 443
  keepalive type tcp
  ip address 192.168.200.50
  string web1
  active
  service web2
  rotocol tcp
  port 443
  eepalive type tcp
  ip address 192.168.200.51
  string web2
  active
  content SSL_Web
  add service web1
  add service web2
  rotocol tcp
  port 443
  vip address 1.2.3.4
  application ssl
  advanced-balance sticky-srcip-dstport
  active
  group web_Farm
    add service web1
    add service web2
    vip address 1.2.3.4
    active
  I was attempting to get the client to stick to the server but unfortunately, this didn't work, the CSS seems to continue to send requests to both servers and they are getting scripting errors.
  Once the customer turns off the second blade, all is ok.
  I did try adding the string value to the service and configuring 'advanced-balance arrowpoint-cookie' in the content but the clients were unable to reach any web sites.
  Best Regards Tony

  Tony,
  The config looks fine other than the "application SSL" under the content rule, and right now you are probing the servers with a tcp probe on port 80. If you want the probe to be on port 443 you should add the command "keepalive port 443" to both of the services. The CSS will default to port 80 for a tcp probe.
  Regards
  Jim

• CSS bad stickiness

  Hi all,
  seems we have some problems with stickiness src-ip on a CSS 11506. 6 clients are calling 4 servers.
  The four servers are balanced this way:
  content Prodotti_9503
  add service Prodotti_BEA_WLS_9501_1
  add service Prodotti_BEA_WLS_9501_2
  protocol tcp
  port 9503
  vip address 10.216.86.153
  advanced-balance sticky-srcip
  add service Prodotti_BEA_WLS_9501_206
  add service Prodotti_BEA_WLS_9501_207
  active
  All the traffic goes to Prodotti_BEA_WLS_9501_1 regardless of the client source IP.
  All the servers are active.
  Do you think this is due to the limited number of clients (the clients are frontend web servers)?
  Do you know how the CSS hashing algorithm works in detail?
  Thanks in advance.
  Fausto

  I just upgraded from a set of 11800's to 11506's. I'm running 7.20 build 206. We are doing a data center migration so it was a perfect time to upgrade and break my load-balancing out between internal and external users.
  We made the change two nights ago and I spent most of the next day and yesterday troubleshooting some css issues that cropped up. One was with our online bill payment app and the other an agent and reseller site. Both have standard port 80 URL's that then redirect to https for login. Both were configured for sticky-srcip-dstport and immediately began having issues. If you went to servers directly everything worked fine.
  Because of the way the redirects are setup we had a hard time getting them working when the sites were first setup. The port 80 rule listens, hits a server then it redirects back to the VIP address and the port 443 rule then reflects it back to the server. After the migration it appeared that intermittenly users would be redirected back to a server that didn't know about their session and browser errors would occur. I was able to set both of those to use ssl session ID and it fixed the issue.
  I have another application that seems to be doing something very similar but it has no ssl piece so advanced-balance ssl will do no good with that one. I'm still searching for a workaround.
  If anyone here has any suggestions they would be greatly appreciated.

• Client NAT and Source IP Sticky

  How can we implement client NAT and source IP sticky for the same server farm without running into issues? Our NAT pool is using IPs from the VIPs' subnet. Is this possible? This configuration is on Cat 6500 w/ CSM-S v. 2.1.1. Thanks.

  this is possible.
  The CSM will first determine the destination server based on the client ip and the sticky srcip table and then it will nat the client ip address using your pool.
  It does not matter which subnet is being used as long as the servers know to respond back to the CSM.
  Regards,
  Gilles.