05-31-2005 05:39 PM
In our network, the GSS replies to the URL queries with an A-record. It returns IP addresses hosted by active/backup CSS boxes located at 2 different sites. GSS monitors the health of the sites/CSS using KAL-AP.
The CSS are configured in a 'Routing' topology, I mean full-proxy configuration, as we employ different IP subnets in the client/server side networks. CSS maintains a client encryption in the front and a server encryption in the back-end. We use a couple of SSL modules for this purpose.
Now my problem is, the SSL modules accept connections even when all the back-end services of a Content Rule are down. GSS shows on-line for that site. Both CSS and GSS behave fine with the clear front and clear back config.
Version: 07.30.3.13s
Any idea? Is that an expected behaviour?
thanks
06-01-2005 02:35 AM
This is because you have a L5 rule for SSL.
You probably configured advanced-balance ssl to do stickiness based on SSL ID.
A CSS will always spoof connection for L5 rule.
You should use a different type of keepalive on the GSS. You should use KAL-AP.
Regards,
Gilles.
06-01-2005 03:44 PM
Here is the CR below. I only use KAL-AP on the GSS to keep-alive on the CSS.
content ssl-front
  vip address xx.xx.xx.xx
  application ssl
  add service ssl-module-1
  add service ssl-module-2
  protocol tcp
  port 443
  advanced-balance ssl
  active
thanks
06-02-2005 12:22 AM
OK, but this content rule will never go down since the ssl module service is using 'keepalive type none'.
You should use KAL-AP by VIP and assign a name to the backend content rule and monitor this *name*.
Gilles.
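A small model of the behaviour Gilles describes, added here as example code (it is not CSS or GSS software and not part of the original thread); the back-end rule name, service names and addresses are constructed placeholders:

```python
"""Illustrative model: why a CSS L5 'advanced-balance ssl' rule looks 'up'
to a GSS KAL-AP probe while its real back end is down.  Added example code,
not CSS/GSS software; the availability logic is a simplified model of the
behaviour described in the thread, not the CSS algorithm."""
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    keepalive: str          # 'none', 'tcp', 'http', ...
    probe_ok: bool = True   # last keepalive probe result (ignored for 'none')

    @property
    def alive(self) -> bool:
        # 'keepalive type none' never marks a service down, so the CSS keeps
        # accepting (spoofing) client connections whatever the back end does.
        return True if self.keepalive == "none" else self.probe_ok


@dataclass
class ContentRule:
    name: str
    vip: str
    services: list = field(default_factory=list)

    @property
    def available(self) -> bool:
        return any(s.alive for s in self.services)


def kalap_by_vip(rules, vip):
    """KAL-AP 'by VIP': up if any rule on that VIP has a live service."""
    return any(r.available for r in rules if r.vip == vip)


def kalap_by_name(rules, name):
    """KAL-AP 'by name': up only if the named content rule itself is available."""
    return any(r.available for r in rules if r.name == name)


# Constructed topology mirroring the thread: the front-end SSL rule's services
# are SSL modules (keepalive none); the back-end clear rule's real servers are
# probed and are currently all failing.
FRONT_VIP, BACK_VIP = "192.0.2.10", "10.0.0.10"   # placeholder addresses
RULES = [
    ContentRule("ssl-front", FRONT_VIP, [Service("ssl-module-1", "none"),
                                         Service("ssl-module-2", "none")]),
    ContentRule("web-back", BACK_VIP, [Service("web-1", "tcp", probe_ok=False),
                                       Service("web-2", "tcp", probe_ok=False)]),
]

if __name__ == "__main__":
    print("front VIP, by VIP :", kalap_by_vip(RULES, FRONT_VIP))   # True (misleading)
    print("web-back, by name :", kalap_by_name(RULES, "web-back"))  # False (real state)
```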
06-02-2005 02:00 AM
Pretty good idea Gilles! But it wouldn't work for me as the VIP of my backend CR is in a non-routable IP range.
For security reasons, I would think communicating to that IP address from anywhere in the client/browser segment wouldn't be a good option.
Is there any other way?
08-08-2005 11:14 PM
Hi,
Well, I suppose your CSS is behind a firewall or is using ACLs for security reasons. I'd suggest monitoring the VIP of your back-end services via a NAT statement only permitting the GSS to monitor this IP.
This allows you to guess if the backend service is available or not. This allows the GSS to decide if the site with no alive backend service is addressed or not.
I guess this is a viable approach.
Kind regards,
Joerg
08-09-2005 02:48 PM
Yes, the CSS is behind the firewall. The server segment is a non-routable private IP one, as you are aware. Yes, I understand I should have the NAT-ing but was wondering where? On the CSS, how do I do that?
08-09-2005 10:20 PM
The NAT-ing should be done on the firewall.
G.