CSS11501 Content Switch - Load Balancing Web Servers, what should the default gateway for the Servers be?

I just joined a company that uses a Cisco CSS11501 to load balance 2 web servers. I'm not familiar with the CSS11501, so I was hoping someone could help me.
The web servers are very slow, and I suspect the default gateway is wrong, here's the network topology.

Public IP of virtual IP address of load balanced Servers. Say it's
Cisco Pix Firewall - Static = (it's in our DMZ)
DMZ Interface on PIX -
CSS 11501 eth1 - /24
CSS 11501 eth2 - /8 (same vlan, it's the 192.168.165.x vlan)
Web Server 1 - 1st IP = /24, 2nd IP =, gateway = (the CSS not the firewall)
Web Server 2 - 1st IP = /24, 2nd IP =, gateway = (the CSS not the firewall)

I don't know how the CSS works for sure, and it's all LIVE so I'm loathed to just change it to see, it's used by 32K distributors.

Am I correct, should the default gateway on the Servers be (the firewall)? It seems everything goes back out via the CSS (.251) and it's painfully slow.

Here's the relevent part of the CSS config.

  ip route 1

!************************* INTERFACE *************************
interface e1
  phy 100Mbits-FD

interface e2
  phy 100Mbits-FD
  bridge vlan 10

interface e8

!************************** CIRCUIT **************************
circuit VLAN1

  ip address

circuit VLAN10

  ip address

!************************** SERVICE **************************

service www101
  ip address

service www102
  ip address

!*************************** OWNER ***************************
owner development

  content dev
    balance leastconn
    advanced-balance sticky-srcip
    add service www101
    add service www102
    vip address

Thanks in advance for any help!
Who is Participating?
JFrederick29Connect With a Mentor Commented:
Option 1 is to simply make the web servers default gateway so all traffic is routed via the CSS.  I don't know if this will work any better than your current setup and may require Firewall rule modifications as the source of traffic would now be the 10.0.0.x address when talking with the database servers.

You could make the web servers default gateway but add routes to the web servers for the database servers via the Firewall if you want to bypass the CSS for web to database traffic but in the end, the client traffic to the web servers needs to return to the CSS.

Alternatively, you could make the default gateway the Firewall and use source NAT on the CSS so client addresses appear to the web server as a 10.0.0.x address and will be sent back to the CSS.  All other traffic will be routed to the Firewall.
We run two Cisco 11503 CSS (which I am assuming are very close).  In our environment, we set the default gateway of the servers to the IP address of the VLAN Circuit.

Here is how ours is set up, web servers use default gateway of xxx.xxx.xxx.163

!************************* INTERFACE *************************
interface  1/1
  bridge vlan 68

interface  1/2
  bridge vlan 67

!************************** CIRCUIT **************************
circuit VLAN67

  ip address xxx.xxx.xxx.163

So, YES, it appears that your servers are set up correctly.  Now whether or not everything else on the CSS is configured properly is another question...
The servers default gateway should be
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Let me add.

Seems like the web servers should have a default gateway of and the CSS should have a default route via the Firewall (  I'm not sure why the web servers have interfaces directly on the subnet unless they host sites that aren't load balance via the CSS.
gahooperAuthor Commented:
Thanks everyone for your feedback.

Here's some more info.

The web servers have 2 IP addresses on their NIC, for Server 1, and for Server 2.

The CSS accesses the Servers via the 10.0.0.x address. The Servers access the Oracle database via their 192.168.165.x address, which is on another subnet 192.168.129.x.

Now, the web servers have a gateway of (the CSS). So it appears to me that all the database access goes via the CSS. If I change the default gateway on the Servers to (the firewall) the Servers work fast, and as I expect. The question is, would this cause the load balancing on the CSS to stop working?

The Web Servers are live, I tested with a test box, I'm loathed to take an outage trying toi find out.

Thanks in advance for your help.
gahooperAuthor Commented:
Thanks!! I appreciate you help.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.