6500 w/CSM, Server Farm with 4 SSL modules

spencedavid21
Level 1

What CSM command can I use to find which SSL module is being used?

When diagnosing problems I would like to find out which SSL module the client is hitting.

3 Replies

Gilles Dufour
Cisco Employee

Actually, if you do not NAT the destination IP address, there is currently no way to see which real/SSL module is being used.

There is a feature request open for this already.

I would suggest that you log into each SSL module and issue a 'sho ssl-proxy conn' to find out which one received the connection from your client IP address.

Regards,

Gilles.

I have found a way round this.

If you enable ssl-sticky under the vserver, it will allow you to see the source address and the next hop (which should be the SSL module address) with the command "sh module contentSwitchingModule all sticky".

We've found another way to do this. It leverages the fact that the CSM includes the IN and OUT VLAN information in the session table. So, assume you put SSL module #1 in VLAN #11, SSL module #2 in VLAN #2, SSL module #3 in VLAN 13 and SSL module #4 in VLAN 14. When you do a 'sh mod csm X conns client xx.xx.xx.xx' you get something like the following (IP addresses changed to protect the innocent):

    prot vlan source                destination           state
----------------------------------------------------------------------
In  TCP  800  11.23.235.162:40546   2.6.46.5:443          ESTAB
Out TCP  13   2.6.46.5:443          11.23.235.162:40546   ESTAB

Since you know there is only 1 SSL module in VLAN 13 (the OUT VLAN) you know exactly which SSL module the session went to. In this case, SSL Module #3.

I have also used this in places where we do firewall load balancing and don't use sticky.
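The OUT-VLAN lookup described in the last reply can be scripted when many sessions need checking. This is an added example, not part of the original thread and not Cisco code: the sample text is constructed in the shape of the output quoted above, the VLAN-to-module map copies the layout that reply assumes, and the function name is hypothetical.

```python
import re

# VLAN -> SSL module, as laid out in the reply above (one SSL module per VLAN).
# Assumption: replace with your own chassis layout.
VLAN_TO_SSL_MODULE = {11: 1, 2: 2, 13: 3, 14: 4}

# Constructed sample in the shape of 'sh mod csm X conns client ...' output.
SAMPLE = """\
    prot vlan source                destination           state
----------------------------------------------------------------------
In  TCP  800  11.23.235.162:40546   2.6.46.5:443          ESTAB
Out TCP  13   2.6.46.5:443          11.23.235.162:40546   ESTAB
In  TCP  800  11.23.235.170:51000   2.6.46.5:443          ESTAB
Out TCP  99   2.6.46.5:443          11.23.235.170:51000   ESTAB
"""

# direction, protocol, vlan, source, destination, state
ROW = re.compile(r"^\s*(In|Out)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def ssl_module_per_session(text, vlan_map=VLAN_TO_SSL_MODULE):
    """Pair each In row with the Out row that follows it and map the Out VLAN
    to an SSL module. Returns (client, vip, out_vlan, module) tuples; module
    is None when the Out VLAN is not in vlan_map."""
    results, pending_in = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator and blank lines
        direction, _prot, vlan, src, dst, _state = m.groups()
        if direction == "In":
            pending_in = (src, dst)
        elif pending_in is not None:
            client, vip = pending_in
            # The Out row is the reverse flow: source is the VIP, destination the client.
            if (src, dst) == (vip, client):
                results.append((client, vip, int(vlan), vlan_map.get(int(vlan))))
            pending_in = None
    return results


if __name__ == "__main__":
    for client, vip, vlan, module in ssl_module_per_session(SAMPLE):
        where = f"SSL module #{module}" if module else "no SSL module mapped"
        print(f"{client} -> {vip}: OUT VLAN {vlan} ({where})")
```

A `None` module means the session left on a VLAN that is not in the map, which is worth checking before logging into the SSL modules one by one.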
