When monitoring a host that has a manual route table that yileds a lot of unidirectional traffic, is there a way around this?
In our case the incoming request goes over 10.194.188.78 and the reply or ACK goes out over 220.127.116.11 and both gives us a lot of unidirectional traffic. The incoming is properly identified as whatever it is like SQL or HTTP and the outgoing response is always "Unknown TCP" (high port number).
So I understand it as monitored server that has two IPs, one for accepting requests and the other for sending back the response to the client, right?
Does it change also TCP ports? I guess the requests goes to 10.194.188.78 with high client port and 80. And the response contains same pair of reversed ports or it's something else?
Just out of curiosity, did you inquire with them as to the reason for this architecture? That type of configuration is so non-optimal, and makes troubleshooting network issues enormously more complex. If they're just trying to make sure that larger, outbound traffic takes a specific path, there are much better ways to do it on the actual routers, than on manually configuring hosts to do it. Hopefully one of those NIC's isn't connected to a DMZ, and the other to the internal network, as that would violate a host of security best practices...
Funny that you ask as I couldn't refrain from doing so myself....
The answer was - No one knew!
Apparently this system has been in and out of a few SP's as well as at the customers own premises and now lives in a state of "if-it-runs-don't-touch-it". To further obstruct any attempts to fix and find the reason, the customer has chosen to leave this SP and go to another one so the level of cooperation is subterranean . Estimated time of departure 3-12 months.