topic CSS 11501 - L5 rules over SSL? in Application Networking

CSS 11501 - L5 rules over SSL?

IT Manager It Manager — Mon, 30 Jan 2012 22:25:21 GMT

Hi all,

Reaching into history here asking about a Cisco CSS however we have a customer with a CSS 11501 that has a SSL module that we're trying to do some L5 rules over SSL with.

The rules work fine over HTTP but when I wrap them in SSL (the SSL is terminated on the CSS) it does not work.

We have a backend server running IIS on port 80 and a different web server on port 8080 (eg. tomcat).

What needs to happen is that a client hits the website and the if the URL has /follow-me/ in it, then the connection needs to go to port 8080 on the backend server. This works fine over HTTP. When we try the same with HTTPS what we see (in the IE and Google Developer tools) is a 404 come back from IIS so it looks like the CSS is not processing the L5 rules?

A breakdown of the configuration is as follows: -

ssl-proxy-list ssl_1

ssl-server 20

ssl-server 20 vip address 10.2.1.1

ssl-server 20 rsakey example.com_key

ssl-server 20 rsacert example.com_cert

ssl-server 20 http-header session

ssl-server 20 urlrewrite 1 www.example.com

ssl-server 20 cipher rsa-with-rc4-128-md5 10.2.1.1 80 weight 1

ssl-server 20 cipher rsa-with-rc4-128-sha 10.2.1.1 80 weight 2

ssl-server 20 cipher rsa-with-3des-ede-cbc-sha 10.2.1.1 80 weight 3

ssl-server 20 cipher rsa-with-des-cbc-sha 10.2.1.1 80 weight 4

active

service tomcat_10_2_1_10_8080

ip address 10.2.1.10

protocol tcp

keepalive method get

keepalive type tcp

port 8080

active

service tomcat_10_2_1_10_80

ip address 10.2.1.10

protocol tcp

keepalive method get

keepalive type tcp

port 80

active

service ssl-serv1

type ssl-accel

add ssl-proxy-list ssl_1

slot 2

keepalive type none

active

owner EXAMPLE_TOMCAT

content SSL_10_2_1_1_443

flow-timeout-multiplier 80

vip address 10.2.1.1

port 443

protocol tcp

add service ssl-serv1

active

content TOMCAT_10_2_1_1_8080

flow-timeout-multiplier 80

add service tomcat_10_2_1_10_8080

vip address 10.2.1.1

port 80

protocol tcp

url "/follow-me/"

active

content TOMCAT_10_2_1_1_80

flow-timeout-multiplier 80

vip address 10.2.1.1

add service tomcat_10_2_1_10_80

port 80

protocol tcp

url "/*"

active

Just to confuse matters - if we hit the "/follow-me/" URL directly in a web-browser it appears to go to the tomcat webserver on backend port 8080, however after that all requests (from that browser) go to the tomcat on port 8080.

Alternatively if we hit the normal webpage first and then try to access "/follow-me/" we are presented with the IIS 404 page.

So somehow the SSL session is "sticking" and not processing the L5 rules?

Re: CSS 11501 - L5 rules over SSL?

pablo.nxh — Tue, 31 Jan 2012 03:16:29 GMT

Hi,

Problem is related to the layer 5 behavior when it comes to HTTP 1.1. The config seems to be in good shape and I'm almost sure the persistence reset remap command should get this on the right track.

(config)# persistence reset remap

You may want to add the no persistent command under both clear text content rules.

Basically with L5 and default persistence the CSS will verify only the first match after the 3-way-handshake and all subsequent request won't be inspected to look for a more specific match this helps to speed up the L5 process.

HTH

Sent from Cisco Technical Support iPhone App

Re: CSS 11501 - L5 rules over SSL?

IT Manager It Manager — Tue, 31 Jan 2012 06:02:42 GMT

Hi Pablo,

Thanks for your feedback, I tried your suggestions but they didn't appear to make any difference.

To confuse matters greatly, the connection(s) and L5 processing works fine from Firefox / Opera / Safari - but does not work successfully from IE (8 / 9) or Chrome. Argh.

The original statement above about confusing matters is only applicable to Chrome - in IE if you go to the "/follow-me/" URL the tomcat responds correctly but when accessing "/follow-me" via the main webpage the 404 that is returned is from IIS.

Re: CSS 11501 - L5 rules over SSL?

Daniel Arrondo Ostiz — Tue, 31 Jan 2012 09:02:01 GMT

Hi,

In general, Pablo's comments are right. However, the right command to be added to the content rule configuration is "no persistent". This will force the CSS to look at all the requests inside the same TCP flow and make a separate load-balancing decision for each of them.

I hope this helps

Daniel

CSS 11501 - L5 rules over SSL?

IT Manager It Manager — Thu, 02 Feb 2012 03:11:04 GMT

Thank you for the clarification Daniel. Alas I have implemented those commands and still the issue persists. For the moment we have been requested to hold off whilst the Developer works on a 'work-around' for this issue.

CSS 11501 - L5 rules over SSL?

joekislo — Sat, 18 Feb 2012 18:18:18 GMT

The above comments are absolutely correct, you need the "no persistent" in *ALL* of your HTTP rules (if even one of them is missing it, the connection will become stuck there), and you also must have "persistence reset remap" set.

Sounds like you've already done that, so I think you may have run into the same problem we were just facing, especially if it only happens on some browsers and everything works great if it's via HTTP instead of HTTPS. I just posted a solution:

https://supportforums.cisco.com/thread/2132663

The subject is:

Newly Occuring CSS SSL Issue in Chrome, FF10, IE9 with L5 rules; 3 second delay, loss of L5 stickyness

if you need to search for it.

If you're running into the same problem I was, this should fix it for you:

ssl-proxy-list ssl_1

suspend

no ssl-server 20 cipher rsa-with-3des-ede-cbc-sha

no ssl-server 20 cipher rsa-with-des-cbc-sha

active

(be sure you do the suspend+active, otherwise I don't think it actually takes affect).

See the other post for additional info/details. Let me know if it works.

-Joe