topic Re: loadbalancing SSL on CSS in Application Networking

loadbalancing SSL on CSS

ROMAN TOMASEK — Mon, 20 Apr 2009 06:21:47 GMT

Hi,

the customer has to loadbalance SSL traffic which is terminated on servers port 8001. But the clients need to communicate on port 443. So the customer provide the following configuration, but it isn't work. Does anybody know where is a problem? Thank you.

Roman

*************************** GLOBAL *************************** ip route 0.0.0.0 0.0.0.0 192.168.110.158 1

************************* INTERFACE ************************* interface e1

description "public-test VIP"

bridge vlan 56

interface e2

description "intra-test"

bridge vlan 57

!************************** CIRCUIT ************************** circuit VLAN56

ip address 192.168.110.131 255.255.255.224

circuit VLAN57

ip address 192.168.110.161 255.255.255.224

!************************** SERVICE ************************** service webt1

ip address 192.168.110.162

protocol tcp

port 8001

keepalive type tcp

keepalive port 8001

active

service webt2

ip address 192.168.110.163

protocol tcp

port 8001

keepalive type tcp

keepalive port 8001

active

!*************************** OWNER *************************** owner VIST

content webt

add service webt1

add service webt2

protocol tcp

port 443

url "/*"

vip address 192.168.110.129

application ssl

advanced-balance ssl

active

Re: loadbalancing SSL on CSS

dario.didio — Mon, 20 Apr 2009 07:08:17 GMT

Hi,

here you find an example of an SSL configuration on a CSS.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.50/configuration/ssl/guide/examples.html#wp998891

The example was found in the SSL configuration guide, which can be found here:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.50/configuration/ssl/guide/sslgd.html

If any more specific questions on how to solve this, post them!

HTH,

Dario

Re: loadbalancing SSL on CSS

ROMAN TOMASEK — Mon, 20 Apr 2009 07:18:08 GMT

Hello Dario,

the customer has no SSL module. The CSS doesn't encrypt/decrypt traffic. The CSS will be transparent for SSL. Only PAT will be provided.

Client - VIP + 443 - CSS - server's IP address + 8001

The examples, which you sent me, are with the SSL module (back-end SSL, end-to-end SSL - with encryption and decryption on CSS, termination of SSL on CSS):-(.

Re: loadbalancing SSL on CSS

dario.didio — Mon, 20 Apr 2009 07:23:20 GMT

Hi,

misread your question.

you should configure your content rule like a normal L4 content rule, without the ssl config.

content webt

add service webt1

add service webt2

protocol tcp

port 443

vip address 192.168.110.129

active

HTH,

Dario

Re: loadbalancing SSL on CSS

ROMAN TOMASEK — Tue, 21 Apr 2009 11:04:56 GMT

Hi,

the customer tried your config, but without success. He had to add url into content rule (so he had to create L7 rule again) for seeing some session from client. The status of the LB is following:

the client sent SYN packet on port 443, this SYN packet arived into server on port 8001, the server responsed with SYN, ACK, the client responsed with ACK and then ACK RST:-(I don't know why RST is sent;-(

Re: loadbalancing SSL on CSS

dario.didio — Tue, 21 Apr 2009 11:19:35 GMT

You can't use a L7 rule because the packet is encrypted. that's why you need to use a L4 rule.

Can you post your adapted config of the content rule?

try sniffing infront and behind you LB.

the packets in front should point to port 443 (destination port towards the LB, source port towards the client), and the packets behind should point to port 8001(destination port towards the server, source port towards the LB).

Re: loadbalancing SSL on CSS

ROMAN TOMASEK — Wed, 22 Apr 2009 12:00:55 GMT

Hello,

te customer again tried the L3 rule:

!*************************** GLOBAL

ip route 0.0.0.0 0.0.0.0 192.168.110.158 1

!************************* INTERFACE interface e1

description "public-test VIP"

bridge vlan 56

interface e2

description "intra-test"

bridge vlan 57

!************************** CIRCUIT circuit VLAN56

ip address 192.168.110.131 255.255.255.224

circuit VLAN57

ip address 192.168.110.161 255.255.255.224

!************************** SERVICE service webt1

ip address 192.168.110.162

protocol tcp

port 8001

keepalive port 8001

keepalive type tcp

active

service webt2

ip address 192.168.110.163

protocol tcp

port 8001

keepalive port 8001

keepalive type tcp

active

!*************************** OWNER owner VIST

content webt

add service webt1

add service webt2

vip address 192.168.110.129

protocol tcp

port 443

active

!*************************** GROUP group serverst

vip address 192.168.110.129

add destination service webt1

add destination service webt2

active

but the communication between the client (192.168.110.133) and the server throught CSS didn't work:-( I'm sending you the output from sniffer between client and CSS (vist11_in) - here are seen only SYN packets:-( And I'm sending you the output from tcpdump between CSS and server (vist11_out) - here are not seen some client traffic:-(

I don't know why it doesn't work:-( Thank you. Roman.

Re: loadbalancing SSL on CSS

dario.didio — Wed, 22 Apr 2009 12:35:49 GMT

Hi,

why are you doing destination NAT?

By using the group and adding the services as destination service, your packet goes through the CSS and is being source nat. This means that the client IP is replaced by the VIP address as source address.

in your TCPdump you see this:

08:52:07.701022 IP 192.168.110.129.blackboard > 192.168.110.163.vcom-tunnel: S 3900452246:3900452246(0) win 65535

This is the CSS connecting to server @.163.

Here you see the reply from your server:

08:52:07.703198 IP 192.168.110.163.vcom-tunnel > 192.168.110.129.blackboard: S 3688339573:3688339573(0) ack 3900452247 win 5840

And immediatly you see this:

08:52:07.706426 IP 192.168.110.190 > 192.168.110.163: ICMP host 192.168.110.129 unreachable - admin prohibited filter, length 36

which indicates that address 192.168.110.129 is unreachable - admin prohibited filter, I assume an ACL or something like that.

This is whats happening and causing your problem.

HTH,

Dario

Re: loadbalancing SSL on CSS

ROMAN TOMASEK — Thu, 23 Apr 2009 10:16:47 GMT

Hello,

thank you for your explanation. The customer uses source NAT, because the servers have default GW on L3 switch. So there is one arm mode design.

The connection between CSS and servers is throught L2 switch, so the communication from the server to the VIP address is in the same network segment. So the communication is only throught L2 switch and there is not any ACL:-( So I don't know why the response to client is prohibited. There is no filter on the path between CSS and servers. Thanks.

Re: loadbalancing SSL on CSS

dario.didio — Thu, 23 Apr 2009 10:38:41 GMT

Hi,

then your IP subnetting is not correct.

Your VIP is 192.168.110.129, which belongs to VLAN56, which is in the subnet 192.168.110.128/27 (host addresses between 192.168.110.129 - 158).

Your servers have IP addresses 192.168.110.162 - 3, in VLAN57 with subnet 192.168.110.160/27 (host addresses 192.168.110.161 - 190).

your config reflects a routed mode design (has an IP address in client VLAN and IP Address in server VLAN) and your servers should have the CSS as default gateway. In a one armed mode design, your CSS only has 1 IP address.

HTH,

Dario

Re: loadbalancing SSL on CSS

ROMAN TOMASEK — Thu, 23 Apr 2009 10:53:07 GMT

Hi Dario,

you are right.:-) I'm blind. So there are two subnets - so the comunnication is routed on the DG (L3 switch). So I will ask the customer about ACL or some filters configuration on this l3 device. Thank you!!!

Re: loadbalancing SSL on CSS

dario.didio — Thu, 23 Apr 2009 11:02:47 GMT

Hi,

keep us posted if this was causing your problem and if it is resolved.

Re: loadbalancing SSL on CSS

ROMAN TOMASEK — Wed, 06 May 2009 10:47:15 GMT

Hi Dario,

the customer removed ACL on the L3 device, but LB is not functional again:-( The config is same. I'm sending you the trace between client (192.168.110.133) - CSS (192.168.110.129) = Visit_in and CSS(192.168.110.129) - servers (192.168.110.162 and .163) = Visit_out. The file 3750_090505_4a.log is log from the DG for servers (192.168.110.158). There is only one ACL in out direction which permits all traffic between 192.168.110.128/27 (VIP) a 192.168.110.160/27 (servers) Thank you for your help. Roman

Re: loadbalancing SSL on CSS

hostmaster — Fri, 15 May 2009 08:28:33 GMT

Note, you should still have the ff in your rule:

application ssl

advanced-balance ssl

You need SSL sticky for the session. Just no URL command since the CSS can't do a L5 rule with SSL.