https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331761#M5451 <HTML><HEAD></HEAD><BODY><P>By the way, in my opinion, you are not compromising security simply because the packets are still ssl all the way to the server. The encryption is fine</P><P></P><P>Pete.. </P></BODY></HTML> Fri, 18 Mar 2005 13:54:07 GMT pknoops 2005-03-18T13:54:07Z https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331757#M5447 <P>Hello. I am having a problem with timeouts when using ssl load balancing. The ssl termination point is on the webserver. I am hitting the VIP on port 443 and then balancing between 2 servers at the backend. The problem is that the users' sessions are timing out at random intervals. When one of the servers is powered down this issue does not happen. Could this be something to do with the content switch and flow timeouts?? I have added the line "sticky-inact-timeout 45" thinking that it might be that but it has not made a difference. </P><P></P><P>My config is as follows</P><P></P><P>********************************</P><P> </P><P>service ugwprd01-ssl-2443 </P><P> ip address 10.48.7.3 </P><P> protocol tcp </P><P> port 2443 </P><P> keepalive type ssl </P><P> redundant-index 210 </P><P> active</P><P></P><P>service ugwprd02-ssl-2443 </P><P> ip address 10.48.7.6 </P><P> protocol tcp </P><P> port 2443 </P><P> keepalive type ssl </P><P> redundant-index 220 </P><P> active</P><P></P><P>***************************</P><P></P><P>owner x</P><P></P><P> content x</P><P> vip address 10.48.1.6 </P><P> port 443 </P><P> protocol tcp </P><P> application ssl </P><P> add service ugwprd01-ssl-2443 </P><P> add service ugwprd02-ssl-2443 </P><P> redundant-index 1210 </P><P> advanced-balance ssl </P><P> sticky-inact-timeout 45 </P><P> active </P><P>*************************************</P><P></P><P></P><P>THANKS!</P> Wed, 16 Mar 2005 18:49:18 GMT https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331757#M5447 donaghq_2 2005-03-16T18:49:18Z https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331758#M5448 <HTML><HEAD></HEAD><BODY><P>You may be running into an IE issue whereby the SSL session id is changed every 2 minutes. This becomes a problem when using advanced-balance ssl and application ssl as this is l5 stickyness based on session id. After 2 minutes, this changes. With only one server you will not see this occur as you are on the same server to begin with. </P><P></P><P>The only solution here is to use some type of SSL temrination device that we offer such as an SCA. You may also want to back off the VIP to layer 4 and not use application ssl and advanced-balance ssl and have the content rule look like this:</P><P></P><P>content x </P><P>vip address 10.48.1.6 </P><P>port 443 </P><P>protocol tcp </P><P>add service ugwprd01-ssl-2443 </P><P>add service ugwprd02-ssl-2443 </P><P>redundant-index 1210 </P><P>active </P><P></P><P>See if changing to L4 makes things work better.</P><P></P><P>Regards</P><P>Pete Knoops</P><P>Cisco Systems</P></BODY></HTML> Wed, 16 Mar 2005 19:46:32 GMT https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331758#M5448 pknoops 2005-03-16T19:46:32Z https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331759#M5449 <HTML><HEAD></HEAD><BODY><P>I have tried that and the users appear to be happy so thank you. I have had to put in stickiness based on source IP in order to get it to work. Will stickiness work on source IP even if I am natting a public IP to a private one? Am I compromising security by not balancing on SSL? </P></BODY></HTML> Fri, 18 Mar 2005 10:08:08 GMT https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331759#M5449 donaghq_2 2005-03-18T10:08:08Z https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331760#M5450 <HTML><HEAD></HEAD><BODY><P>Glad to hear things are better. Source IP sticky will work fine in a NATing senario as long as it is not a many to one nat. If each user has his/her own ip address after being NAT'd, it should be fine.</P><P></P><P>Pete..</P></BODY></HTML> Fri, 18 Mar 2005 13:46:49 GMT https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331760#M5450 pknoops 2005-03-18T13:46:49Z https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331761#M5451 <HTML><HEAD></HEAD><BODY><P>By the way, in my opinion, you are not compromising security simply because the packets are still ssl all the way to the server. The encryption is fine</P><P></P><P>Pete.. </P></BODY></HTML> Fri, 18 Mar 2005 13:54:07 GMT https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331761#M5451 pknoops 2005-03-18T13:54:07Z https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331762#M5452 <HTML><HEAD></HEAD><BODY><P>it is a many to one NAT! any ideas on what I should do now?</P></BODY></HTML> Fri, 18 Mar 2005 14:39:32 GMT https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331762#M5452 donaghq_2 2005-03-18T14:39:32Z https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331763#M5453 <HTML><HEAD></HEAD><BODY><P>it is a many to one NAT! any ideas on what I should do now?</P></BODY></HTML> Fri, 18 Mar 2005 14:39:55 GMT https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331763#M5453 donaghq_2 2005-03-18T14:39:55Z https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331764#M5454 <HTML><HEAD></HEAD><BODY><P>Hmm, that's a tough one. Cookies is not an option because it is SSL traffic and will be encrypted. </P><P></P><P>You may be at a point where you need to have some type of SSL termination device prior to getting load balanced like using an SCA or an SSL module on the CSS itself. </P><P></P><P>In general, because of the IE timeout issue, your ONLY option is Sticky Source IP. With the NATing involved now, I believe you need to turn to another hardware solution from an SSL termination perspective working in conjunction with the CSS</P><P></P><P>Pete..</P><P></P><P></P></BODY></HTML> Fri, 18 Mar 2005 15:02:02 GMT https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331764#M5454 pknoops 2005-03-18T15:02:02Z https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331765#M5455 <HTML><HEAD></HEAD><BODY><P>as it turns out the application people were not happy with the L4 service. They maintain that when they switched one of the webservers off they got "page cannot be displayed" which is fine. They say that upon the fourth refresh they got back the page that they were previously in back i.e they were not forced to logon again. This seems to strange to me and defeats the purpose of ssl. Would there be any logical explanation for this. The same SSL cert resides on the two webservers. Maybe this is the reason for the seamless changeover?! </P><P></P><P>The business have subseqently decided to go with "advance-balance ssl" with one webserver as this has been extensively tested. There will have to be manual changeover in case of failure which is not ideal. In any case I will have to find a satisfactory resolution to this, albeit L4 or L5 balancing!</P></BODY></HTML> Fri, 18 Mar 2005 15:59:44 GMT https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331765#M5455 donaghq_2 2005-03-18T15:59:44Z https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331766#M5456 <HTML><HEAD></HEAD><BODY><P>According to this document: <A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080094068.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080094068.shtml</A> , "SSL ID renegotiation problem" is with IE 5.0.</P><P></P><P>Are you talking about the same problem? Are other IE versions affected too?</P><P></P><P>CT Yau</P><P>Hong Kong</P></BODY></HTML> Tue, 22 Mar 2005 08:16:00 GMT https://community.cisco.com/t5/application-networking/ssl-timeouts/m-p/331766#M5456 ct_yau 2005-03-22T08:16:00Z