https://community.cisco.com/t5/application-networking/advanced-balance-ssl-problem/m-p/303236#M4729 <P>Hi all,</P><P></P><P>We have a problem dealing using advanced-balance ssl with a CSS11501 and 2 apache servers. </P><P>When we use the "balance srcip" or "balance aca" alone, it works fine. But we would like to use "advanced-balanced ssl" method, as we have to deal with HTTPS flow...</P><P></P><P></P><P>Here is part of my running config : </P><P></P><P>circuit VLAN202</P><P> ip address XX.2.2.4 255.255.255.0 </P><P> no redirects </P><P> </P><P>circuit VLAN301</P><P> ip address XX.3.1.2 255.255.255.0 </P><P> no redirects </P><P></P><P>service ssl_service1 </P><P> port 443 </P><P> protocol tcp </P><P> keepalive type ssl </P><P> ip address XX.2.2.11 </P><P> </P><P>service ssl_service2 </P><P> port 443 </P><P> protocol tcp </P><P> keepalive type ssl </P><P> ip address XX.2.2.13 </P><P> </P><P>content SSL_load_balancing </P><P> protocol tcp </P><P> port 443 </P><P> application ssl </P><P> balance aca </P><P> advanced-balance ssl </P><P> add service ssl_service1</P><P> add service ssl_service2</P><P> vip address XX.3.1.50</P><P> active </P><P></P><P></P><P>I've a doubt about the SSL handshake because i can see from our FW that a the Web Server tries to answer directly to the client, while it gateway is the CSS....</P><P></P><P>Any help or idea about my config will be appreciated...and plz excuse my bad english..</P><P></P><P></P> Tue, 27 Apr 2004 11:23:34 GMT admin_2 2004-04-27T11:23:34Z https://community.cisco.com/t5/application-networking/advanced-balance-ssl-problem/m-p/303236#M4729 <P>Hi all,</P><P></P><P>We have a problem dealing using advanced-balance ssl with a CSS11501 and 2 apache servers. </P><P>When we use the "balance srcip" or "balance aca" alone, it works fine. But we would like to use "advanced-balanced ssl" method, as we have to deal with HTTPS flow...</P><P></P><P></P><P>Here is part of my running config : </P><P></P><P>circuit VLAN202</P><P> ip address XX.2.2.4 255.255.255.0 </P><P> no redirects </P><P> </P><P>circuit VLAN301</P><P> ip address XX.3.1.2 255.255.255.0 </P><P> no redirects </P><P></P><P>service ssl_service1 </P><P> port 443 </P><P> protocol tcp </P><P> keepalive type ssl </P><P> ip address XX.2.2.11 </P><P> </P><P>service ssl_service2 </P><P> port 443 </P><P> protocol tcp </P><P> keepalive type ssl </P><P> ip address XX.2.2.13 </P><P> </P><P>content SSL_load_balancing </P><P> protocol tcp </P><P> port 443 </P><P> application ssl </P><P> balance aca </P><P> advanced-balance ssl </P><P> add service ssl_service1</P><P> add service ssl_service2</P><P> vip address XX.3.1.50</P><P> active </P><P></P><P></P><P>I've a doubt about the SSL handshake because i can see from our FW that a the Web Server tries to answer directly to the client, while it gateway is the CSS....</P><P></P><P>Any help or idea about my config will be appreciated...and plz excuse my bad english..</P><P></P><P></P> Tue, 27 Apr 2004 11:23:34 GMT https://community.cisco.com/t5/application-networking/advanced-balance-ssl-problem/m-p/303236#M4729 admin_2 2004-04-27T11:23:34Z https://community.cisco.com/t5/application-networking/advanced-balance-ssl-problem/m-p/303237#M4730 <HTML><HEAD></HEAD><BODY><P>We have Advanced-Balance SSL but have included a line:</P><P></P><P>url "/*"</P><P></P><P>in the content rule. I think this forces the protocol up to layer 5 where the SSL ID can be found.</P><P></P><P>Good luck</P><P></P><P>Andrew</P></BODY></HTML> Tue, 27 Apr 2004 12:18:48 GMT https://community.cisco.com/t5/application-networking/advanced-balance-ssl-problem/m-p/303237#M4730 andrew.thomson 2004-04-27T12:18:48Z https://community.cisco.com/t5/application-networking/advanced-balance-ssl-problem/m-p/303238#M4731 <HTML><HEAD></HEAD><BODY><P>could you please provide some information about the problem itself.</P><P>Is it every connections or just a few of them ?</P><P></P><P>If you see the server bypassing the CSS, that would be a concern.</P><P>Can you sniff the server side and see the mac address of the SYN/ACK.</P><P>Also check where it breaks exactly in the TCP connection.</P><P></P><P>The url command is not required.</P><P>The command application ssl will make the CSS look for the session id.</P><P></P><P>Regards,</P><P></P><P>Gilles.</P></BODY></HTML> Tue, 27 Apr 2004 12:26:43 GMT https://community.cisco.com/t5/application-networking/advanced-balance-ssl-problem/m-p/303238#M4731 Gilles Dufour 2004-04-27T12:26:43Z https://community.cisco.com/t5/application-networking/advanced-balance-ssl-problem/m-p/303239#M4732 <HTML><HEAD></HEAD><BODY><P>Thanks for your help...</P><P></P><P>Let me explain my case better.</P><P>All connections are "refused" when i use advanced-balance ssl. But if i put it away (i.e. using only balance srcip or else), it works fine (hopefully!)</P><P></P><P>From my FW monitor, i can see the syn/ack flow : </P><P>SYN / From:myPC / Destination : XX.3.1.50 / Service :https/443</P><P>ACK / From:XX.2.2.13 / Destination : myPC / Service:4435 / Reason : no connection found for TCP packet</P><P></P><P>Perhaps that is the problem : it should be the CSS that sends the ACK to the client ...? </P><P></P><P>Anther point : from llama, i can see an increasing number of WCC_REJECTED from the Apache_side_vlan...</P><P></P><P>I will try to see where the TCP connection stops but i'm not used to working with sniffer...</P><P></P><P>Hope these informations can help ! Any idea ?</P><P></P><P></P><P></P><P></P></BODY></HTML> Tue, 27 Apr 2004 13:34:30 GMT https://community.cisco.com/t5/application-networking/advanced-balance-ssl-problem/m-p/303239#M4732 2004-04-27T13:34:30Z