Cisco CSS Load Balancer: "An active source group with that address already exists"

Hi All,

I am new to CSS LBs and to be honest they seem to be a bit of a pain to set up.

I've followed this document and got a working config of sorts.

Currently I have 3 servers all servicing 80 and 443 traffic. So I've set up 6 'services' - 3 for port 80 and 3 for port 443. All good.

Also set up 2 content rules, one for 80 and one for 443 - both have the same VIP, which is how I want it configured.

Finally I set up 2 Group rules, one for 80 and one for 443 - when I try to make the second one active I get the error "An active source group with that address already exists".

I could give them different VIP addresses, but the final config for this CSS will be servicing 8 different URLs and would mean I had to double the number of firewall NAT rules and generally add more complexity, which I don't want.

Not having much luck with Google... Can anybody help?

Cheers!
Firstly, do you necessarily want to set up 1-armed (i.e. your CSS is NOT your default gateway)? The other option is two-armed, where your CSS sits 'inline' and becomes your default gateway for the servers.

To answer your question now, the purpose of the group command is to source NAT the incoming request so that the server reply is returned to the CSS first. This is how 1-armed load balancing enforces traffic symmetry, which is required for load balancing to work properly.

So once the VIP is added to one group, that is all that is needed.  Adding it to any further groups is redundant, and so the CSS rightly tells you not to do it.  Also note that the group command is based on an IP (not IP+port).

goldie100 (Author) commented:
Brilliant! All sorted. The problem I had was having a separate Group for 443 and 80 traffic. Put them into one group with one VIP and it worked a treat. Top solution, many thanks.
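
The layout the answer and the follow-up describe, as an added example that is not part of the original thread: two content rules share one VIP, and a single source group carries that VIP with every port 80 and port 443 service listed as a destination service. All names and addresses are constructed placeholders, and only two of the three servers are shown.

```text
! Constructed example: service, owner and group names and all IP addresses
! are placeholders. A third server would follow the same pattern.
service web1-80
  ip address 192.168.10.11
  protocol tcp
  port 80
  active
service web1-443
  ip address 192.168.10.11
  protocol tcp
  port 443
  active
service web2-80
  ip address 192.168.10.12
  protocol tcp
  port 80
  active
service web2-443
  ip address 192.168.10.12
  protocol tcp
  port 443
  active

owner example-owner
  content web-80
    vip address 192.168.10.100
    protocol tcp
    port 80
    add service web1-80
    add service web2-80
    active
  content web-443
    vip address 192.168.10.100
    protocol tcp
    port 443
    add service web1-443
    add service web2-443
    active

! One source group per VIP address. The group matches on IP only, so a second
! active group with the same VIP is rejected with the error in the title.
group web-snat
  vip address 192.168.10.100
  add destination service web1-80
  add destination service web1-443
  add destination service web2-80
  add destination service web2-443
  active
```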