https://community.cisco.com/t5/application-networking/backend-servies-and-ssl-modules/m-p/411956#M7380 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>well I suppose your CSS is behind a firewall or is using ACLs for security reasons. I'd suggest to monitor the VIP of your back-end services via a NAT-Statement only permitting the GSS to monitor this IP.</P><P>This allows you to guess if the backend service is available or not. This allows the GSS to decide if the site with no alive backend service is address or not.</P><P>I guess this is a viable approache.</P><P>Kind regards,</P><P> Joerg</P></BODY></HTML> Tue, 09 Aug 2005 06:14:59 GMT jfoerster 2005-08-09T06:14:59Z https://community.cisco.com/t5/application-networking/backend-servies-and-ssl-modules/m-p/411951#M7375 <P>In our network, the GSS replies to the url queries with an A-record. It returns IP addresses hosted by active/backup CSS boxes located at 2 different sites. GSS monitors the health of the sites/CSS using KAL-AP.</P><P></P><P>The CSS are configured in a 'Routing' topology I mean &#145;full-proxy&#146; configuration as we employ different ip subnets in the client/server side networks. CSS maintains a client encryption in the front and a server encryption in the back-end. We use couple of SSL modules for this purpose.</P><P></P><P>Now my problem is, the SSL modules accepts connections even when all the back-end services of a Content Rule are down. GSS shows on-line for that site. Both CSS and GSS behaves fine with the clear front and clear back config.</P><P></P><P>Version: 07.30.3.13s</P><P></P><P>Any idea? Is that an expected behaviour?</P><P></P><P>thanks</P><P></P> Wed, 01 Jun 2005 00:39:16 GMT https://community.cisco.com/t5/application-networking/backend-servies-and-ssl-modules/m-p/411951#M7375 skumar1969 2005-06-01T00:39:16Z https://community.cisco.com/t5/application-networking/backend-servies-and-ssl-modules/m-p/411952#M7376 <HTML><HEAD></HEAD><BODY><P>this is becaus you have a L5 rule for SSL.</P><P>You probably configured advanced-balance ssl to do stickyness based on SSLID.</P><P>A CSS will always spoof connection for L5 rule.</P><P></P><P>You should use a different type of keepalive on the GSS. You should use KAL-AP.</P><P></P><P>Regards,</P><P></P><P>Gilles.</P></BODY></HTML> Wed, 01 Jun 2005 09:35:49 GMT https://community.cisco.com/t5/application-networking/backend-servies-and-ssl-modules/m-p/411952#M7376 Gilles Dufour 2005-06-01T09:35:49Z https://community.cisco.com/t5/application-networking/backend-servies-and-ssl-modules/m-p/411953#M7377 <HTML><HEAD></HEAD><BODY><P>Here is the CR below. I only use KAL-AP on the GSS to keep-alive on the CSS.</P><P></P><P> content ssl-front </P><P> vip address xx.xx.xx.xx </P><P> application ssl </P><P> add service ssl-module-1 </P><P> add service ssl-module-2 </P><P> protocol tcp </P><P> port 443 </P><P> advanced-balance ssl </P><P> active </P><P></P><P>thanks</P></BODY></HTML> Wed, 01 Jun 2005 22:44:30 GMT https://community.cisco.com/t5/application-networking/backend-servies-and-ssl-modules/m-p/411953#M7377 skumar1969 2005-06-01T22:44:30Z https://community.cisco.com/t5/application-networking/backend-servies-and-ssl-modules/m-p/411954#M7378 <HTML><HEAD></HEAD><BODY><P>ok, but this content rule will never go down since the ssl module service is using 'keepalive type none'.</P><P></P><P>You should use kal-ap by vip and assign a name to the backend content rule and monitor this *name*</P><P></P><P>Gilles.</P></BODY></HTML> Thu, 02 Jun 2005 07:22:07 GMT https://community.cisco.com/t5/application-networking/backend-servies-and-ssl-modules/m-p/411954#M7378 Gilles Dufour 2005-06-02T07:22:07Z https://community.cisco.com/t5/application-networking/backend-servies-and-ssl-modules/m-p/411955#M7379 <HTML><HEAD></HEAD><BODY><P>Pretty good idea Gilles!....but it wouldn't work for me as the VIP of my backend CR is in a non-routable ip range.</P><P></P><P>For security reasons, I would think communicating to that IP addrs from anywhere in the client/browser segment wouldn't be a good option.</P><P></P><P>Is there anyother way?</P></BODY></HTML> Thu, 02 Jun 2005 09:00:09 GMT https://community.cisco.com/t5/application-networking/backend-servies-and-ssl-modules/m-p/411955#M7379 skumar1969 2005-06-02T09:00:09Z https://community.cisco.com/t5/application-networking/backend-servies-and-ssl-modules/m-p/411956#M7380 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>well I suppose your CSS is behind a firewall or is using ACLs for security reasons. I'd suggest to monitor the VIP of your back-end services via a NAT-Statement only permitting the GSS to monitor this IP.</P><P>This allows you to guess if the backend service is available or not. This allows the GSS to decide if the site with no alive backend service is address or not.</P><P>I guess this is a viable approache.</P><P>Kind regards,</P><P> Joerg</P></BODY></HTML> Tue, 09 Aug 2005 06:14:59 GMT https://community.cisco.com/t5/application-networking/backend-servies-and-ssl-modules/m-p/411956#M7380 jfoerster 2005-08-09T06:14:59Z https://community.cisco.com/t5/application-networking/backend-servies-and-ssl-modules/m-p/411957#M7381 <HTML><HEAD></HEAD><BODY><P>Yes the CSS is behind the firewall. The server segment is a non-routable private ip one as you are aware. Yes I understand I should have the NAT-ing but was wondering where? On the CSS, how do I do that?</P></BODY></HTML> Tue, 09 Aug 2005 21:48:15 GMT https://community.cisco.com/t5/application-networking/backend-servies-and-ssl-modules/m-p/411957#M7381 skumar1969 2005-08-09T21:48:15Z https://community.cisco.com/t5/application-networking/backend-servies-and-ssl-modules/m-p/411958#M7382 <HTML><HEAD></HEAD><BODY><P>the nating should be done on the firewall.</P><P></P><P>G.</P></BODY></HTML> Wed, 10 Aug 2005 05:20:08 GMT https://community.cisco.com/t5/application-networking/backend-servies-and-ssl-modules/m-p/411958#M7382 Gilles Dufour 2005-08-10T05:20:08Z