Advanced-balance ssl problem

admin_2
Level 3

Hi all,

We have a problem using advanced-balance ssl with a CSS11501 and 2 Apache servers.

When we use "balance srcip" or "balance aca" alone, it works fine. But we would like to use the "advanced-balance ssl" method, as we have to deal with HTTPS flow...

Here is part of my running config:

circuit VLAN202
  ip address XX.2.2.4 255.255.255.0
  no redirects

circuit VLAN301
  ip address XX.3.1.2 255.255.255.0
  no redirects

service ssl_service1
  port 443
  protocol tcp
  keepalive type ssl
  ip address XX.2.2.11

service ssl_service2
  port 443
  protocol tcp
  keepalive type ssl
  ip address XX.2.2.13

content SSL_load_balancing
  protocol tcp
  port 443
  application ssl
  balance aca
  advanced-balance ssl
  add service ssl_service1
  add service ssl_service2
  vip address XX.3.1.50
  active

I have a doubt about the SSL handshake, because I can see from our FW that the web server tries to answer directly to the client, while its gateway is the CSS...

Any help or idea about my config will be appreciated... and please excuse my bad English.

3 Replies

andrew.thomson
Level 1

We have Advanced-Balance SSL but have included a line:

url "/*"

in the content rule. I think this forces the protocol up to layer 5 where the SSL ID can be found.

Good luck

Andrew

Gilles Dufour
Cisco Employee

Could you please provide some information about the problem itself?

Is it every connection or just a few of them?

If you see the server bypassing the CSS, that would be a concern.

Can you sniff the server side and see the MAC address of the SYN/ACK?

Also check where it breaks exactly in the TCP connection.

The url command is not required.

The command application ssl will make the CSS look for the session id.

Regards,

Gilles.
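Both replies above turn on the same mechanism: with "application ssl" (and a layer-5 rule in general) the CSS cannot pick a server from the SYN alone, because the SSL session ID it keys on only appears in the ClientHello. The balancer therefore completes the client-side TCP handshake itself, reads the ClientHello, sends a resumed session to the server that issued the ID, and sends a brand-new session (empty or unknown ID) through the ordinary "balance" method; the ID itself is learned from the server's ServerHello. The following script is an added illustration of that logic, not code from the thread or from Cisco: the parser, the SslStickyBalancer class, the round-robin fallback and the constructed Hello records (fixed random bytes, one cipher suite) are all assumptions made for the example.

```python
"""Session-ID stickiness as a layer-5 SSL balancer applies it (example model)."""
import struct
from typing import Optional

HANDSHAKE = 0x16        # TLS record content type: handshake
CLIENT_HELLO = 0x01     # handshake message types
SERVER_HELLO = 0x02


def build_hello(msg_type: int, session_id: bytes, version: bytes = b"\x03\x01") -> bytes:
    """Construct a minimal SSLv3/TLS 1.0-style Hello record (test input only).

    Layout: record header | handshake header | version | 32-byte random |
    session_id length + session_id | cipher suite(s) | compression method(s).
    """
    random_bytes = b"\x11" * 32        # constant stand-in for the 32-byte random
    if msg_type == CLIENT_HELLO:
        suites = b"\x00\x02\x00\x2f"   # list length 2: TLS_RSA_WITH_AES_128_CBC_SHA
        compression = b"\x01\x00"      # list length 1: null compression
    else:
        suites = b"\x00\x2f"           # ServerHello carries the single chosen suite
        compression = b"\x00"          # and the single chosen compression method
    body = version + random_bytes + bytes([len(session_id)]) + session_id + suites + compression
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(handshake)) + handshake


def parse_hello(data: bytes, expected_type: int) -> Optional[bytes]:
    """Return the session ID from a complete ClientHello/ServerHello record.

    Returns None for anything else (non-TLS bytes, wrong message type, or a
    record that is truncated: a real balancer must buffer until it is complete).
    """
    if len(data) < 5 or data[0] != HANDSHAKE:
        return None
    (rec_len,) = struct.unpack("!H", data[3:5])
    body = data[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4 or body[0] != expected_type:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                       # skip protocol version and the random
    if len(hello) < pos + 1:
        return None
    sid_len = hello[pos]
    pos += 1
    if sid_len > 32 or len(hello) < pos + sid_len:
        return None                    # session IDs are at most 32 bytes
    return hello[pos:pos + sid_len]


class SslStickyBalancer:
    """Sticky selection keyed on the SSL session ID (hypothetical model)."""

    def __init__(self, services):
        self.services = list(services)
        self.sticky = {}               # session ID -> service that issued it
        self.rr = 0                    # round robin stands in for the 'balance' method

    def _fallback(self) -> str:
        service = self.services[self.rr % len(self.services)]
        self.rr += 1
        return service

    def choose(self, client_hello: bytes) -> str:
        """Pick the service for a client-side connection once its ClientHello is seen."""
        sid = parse_hello(client_hello, CLIENT_HELLO)
        if sid is None:
            raise ValueError("no complete ClientHello: SSL stickiness cannot be applied")
        if sid and sid in self.sticky:
            return self.sticky[sid]    # resumption: same service as before
        return self._fallback()        # new session (empty or unknown ID)

    def learn(self, service: str, server_hello: bytes) -> None:
        """Record the ID the chosen server handed out in its ServerHello."""
        sid = parse_hello(server_hello, SERVER_HELLO)
        if sid:                        # an empty ID means the server will not resume
            self.sticky[sid] = service


if __name__ == "__main__":
    lb = SslStickyBalancer(["ssl_service1", "ssl_service2"])
    first = lb.choose(build_hello(CLIENT_HELLO, b""))          # new session
    lb.learn(first, build_hello(SERVER_HELLO, b"\xaa" * 8))    # server assigns ID aa..
    print(first, lb.choose(build_hello(CLIENT_HELLO, b"\xaa" * 8)))   # resumption sticks
```

The firewall symptom in the thread fits this model: on the client side the CSS answers the SYN itself, so a SYN/ACK or ACK arriving at the client directly from a real-server address (XX.2.2.13 above) means the server-side return traffic is not coming back through the CSS, and the client's stack will drop it as belonging to no known connection. Checking the MAC address of the SYN/ACK on the server VLAN, as Gilles suggests, is exactly the way to see whether the server's default gateway is the CSS or something else.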

Thanks for your help...

Let me explain my case better.

All connections are "refused" when I use advanced-balance ssl. But if I remove it (i.e. using only balance srcip or something else), it works fine (hopefully!)

From my FW monitor, I can see the SYN/ACK flow:

SYN / From:myPC / Destination : XX.3.1.50 / Service :https/443

ACK / From:XX.2.2.13 / Destination : myPC / Service:4435 / Reason : no connection found for TCP packet

Perhaps that is the problem: it should be the CSS that sends the ACK to the client...?

Another point: from llama, I can see an increasing number of WCC_REJECTED from the Apache_side_vlan...

I will try to see where the TCP connection stops, but I'm not used to working with a sniffer...

Hope this information can help! Any idea?
