backend-services and SSL modules

skumar1969
Level 1

In our network, the GSS replies to the URL queries with an A-record. It returns IP addresses hosted by active/backup CSS boxes located at 2 different sites. The GSS monitors the health of the sites/CSS using KAL-AP.

The CSS are configured in a 'Routing' topology, I mean a 'full-proxy' configuration, as we employ different IP subnets on the client/server side networks. The CSS maintains client encryption on the front end and server encryption on the back end. We use a couple of SSL modules for this purpose.

Now my problem is, the SSL modules accept connections even when all the back-end services of a Content Rule are down. The GSS shows online for that site. Both CSS and GSS behave fine with the clear-front and clear-back config.

Version: 07.30.3.13s

Any idea? Is that an expected behaviour?

thanks

7 Replies

Gilles Dufour
Cisco Employee

This is because you have an L5 rule for SSL.

You probably configured advanced-balance ssl to do stickiness based on the SSL ID.

A CSS will always spoof connections for an L5 rule.

You should use a different type of keepalive on the GSS. You should use KAL-AP.

Regards,

Gilles.

Here is the CR below. I only use KAL-AP on the GSS to keep-alive on the CSS.

content ssl-front
  vip address xx.xx.xx.xx
  application ssl
  add service ssl-module-1
  add service ssl-module-2
  protocol tcp
  port 443
  advanced-balance ssl
  active

thanks

OK, but this content rule will never go down, since the SSL module service is using 'keepalive type none'.

You should use KAL-AP by VIP and assign a name to the backend content rule and monitor this *name*.

Gilles.

Pretty good idea, Gilles! But it wouldn't work for me, as the VIP of my backend CR is in a non-routable IP range.

For security reasons, I would think communicating to that IP address from anywhere in the client/browser segment wouldn't be a good option.

Is there any other way?

Hi,

Well, I suppose your CSS is behind a firewall or is using ACLs for security reasons. I'd suggest monitoring the VIP of your back-end services via a NAT statement permitting only the GSS to monitor this IP.

This allows you to guess if the backend service is available or not, and it allows the GSS to decide if the site with no alive backend service is addressed or not.

I guess this is a viable approach.

Kind regards,

Joerg

Yes, the CSS is behind the firewall. The server segment is a non-routable private IP one, as you are aware. Yes, I understand I should have the NATing, but was wondering where? On the CSS? How do I do that?

The NATing should be done on the firewall.

G.
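To make the approach suggested in this thread concrete, here is a constructed CSS configuration sketch added for illustration; it is not from the original posts or from Cisco documentation. Service names, addresses, the slot number and the health URI are assumptions; the point it shows is that the front rule's SSL module services carry 'keepalive type none' (so that rule stays up as long as a module is up), while the named back-end rule's services carry real keepalives, so only the back-end rule's state reflects the servers. As the thread concludes, the GSS still needs a NAT entry on the firewall to reach the private back-end VIP.

```text
! Constructed example (assumed names/addresses), not from the thread.

! Back-end web servers get a real keepalive, so each service and the
! content rule that uses them go down when the server stops answering.
service web-1
  ip address 10.10.10.11
  keepalive type http
  keepalive uri "/health.html"
  active

service web-2
  ip address 10.10.10.12
  keepalive type http
  keepalive uri "/health.html"
  active

! SSL module service: the CSS terminates the client TCP handshake for
! the L5 rule itself, so 'keepalive type none' is normal here and says
! nothing about back-end health.
service ssl-module-1
  type ssl-accel
  slot 2
  keepalive type none
  active

owner example-owner
  ! Front rule: stays alive as long as an SSL module is up, even when
  ! every web server behind it is down.
  content ssl-front
    vip address 192.0.2.10
    application ssl
    add service ssl-module-1
    protocol tcp
    port 443
    advanced-balance ssl
    active

  ! Back-end rule: its state follows the web servers' keepalives. This
  ! is the rule whose VIP (or name) the GSS should monitor with KAL-AP,
  ! reaching the private VIP through a NAT entry on the firewall that
  ! permits only the GSS.
  content web-backend
    vip address 10.10.10.100
    protocol tcp
    port 80
    add service web-1
    add service web-2
    active
```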