12-08-2010 08:14 AM
Hi,
Could anyone help me?
We have a CSS11501 NAME: "chassis ", DESCR: "Cisco 11501 Content Services Switch with Hard and AC Disk"
PID: CSS11501
I just found out that this hardware doesn't have SSL module built in.
We have two web servers running IIS. We are going to apply an SSL wildcard certificate to the servers for multi-domain access. I wonder if it is possible to use this CSS to load balance HTTPS requests to these two servers? Or even just to access one server without load balancing? My configuration is as below:
configure
!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 193.39.xx.xx 1
!************************* INTERFACE *************************
interface e1
bridge vlan 2
interface e5
bridge vlan 3
interface e6
bridge vlan 3
interface e7
bridge vlan 3
interface e8
bridge vlan 3
!************************** CIRCUIT **************************
circuit VLAN2
ip address 193.39.xx.xx 255.255.255.192
circuit VLAN3
ip address 192.168.10.1 255.255.255.0
!************************** SERVICE **************************
service Server1
ip address 192.168.10.3
keepalive type tcp
keepalive port 80
active
!*************************** OWNER ***************************
owner Test
content Test
vip address 193.39.xx.xx
protocol tcp
port 443
add service Server1
active
BETEGUCSS01#
Why can I access https://localhost on the web server, but can't access the VIP via the load balancer at https://193.39.xx.xx?
Any help would be much appreciated!
12-08-2010 08:50 AM
Hi,
Kindly send the output of the following command:
#show chassis
Regards,
Sachin Garg
12-08-2010 08:53 AM
Hi Sachin
Here is the output:
Configuration for CSS11501 P0:
Product Name: CSS11501 P0 SW Version: 08.20.0.01
Serial Number: JMX1411600A Base Mac Address: 68-ef-bd-99-36-24
Module Number Module Name Status
1 CSS501-SCM-INT primary
Port Number Port Name Status
1 e1 online
2 e2 online
3 e3 online
4 e4 online
5 e5 online
6 e6 online
7 e7 online
8 e8 online
9 e9 online
Thanks for your reply and help!
Regards
Lanning
12-09-2010 01:31 AM
Hi Pablo
The web server serves both HTTP and HTTPS. I would also like to be able to access the server over both HTTP and HTTPS. I haven't figured out how yet. But first, HTTPS doesn't work.
The Service is alive:
Service Name   State   Conn   Weight   Avg Load   State Transitions
Server1        Alive   6      1        2          42
Any chance to spot any other problem in my configuration?
Thanks
Lanning
12-09-2010 09:07 AM
Hey Lanning,
Ok gotcha! In that case let's create a basic L4 load balancing for HTTP and HTTPS. We need to split up the services and rules as follows:
!************************** SERVICE **************************
service Server1-HTTP
ip address 192.168.10.3
port 80
keepalive type tcp
keepalive port 80
active
service Server1-HTTPS
ip address 192.168.10.3
port 443
keepalive type tcp
keepalive port 443
active
!*************************** OWNER ***************************
owner Test
content Test-HTTP
vip address 193.39.xx.xx
protocol tcp
port 80
add service Server1-HTTP
active
owner Test-HTTPS
content Test
vip address 193.39.xx.xx
protocol tcp
port 443
add service Server1-HTTPS
active
Check the service status, then send some requests to the VIPs and gather the output of show summary to confirm the requests are hitting the CSS.
I have a little suspicion that you have an asymmetric routing issue going on... Is this server dual-homed?
Regards.
Pablo
12-09-2010 11:20 AM
Thanks, genius Pablo, working like a charm.
12-08-2010 09:41 AM
Hi Lanning,
Perhaps when you switched to HTTPS on your backend server, HTTP was no longer active; that action could've brought down the keepalive on the CSS, so no LB can be performed, as only one service is configured.
Please check the state of the service with show service summary; if it is down, then remove the keepalive or change the port to 443.
*HTTPS LB works on the CSS regardless of not having an SSL-M; the module only takes care of SSL offloading.
HTH
Pablo
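The keepalive point raised in this thread can be checked offline. The following is an added example, not part of any post: it reads a CSS-style configuration and reports every content rule whose service is probed on a different port than the one the rule balances, as in the original configuration (keepalive port 80, rule port 443). The function name, the sample strings (trimmed to the lines the check reads) and the default-port behaviour noted in the comment are assumptions.

```python
# Constructed samples, trimmed from the two configurations in the thread.
ORIGINAL = """
service Server1
keepalive port 80
content Test
port 443
add service Server1
"""
SPLIT = """
service Server1-HTTP
port 80
keepalive port 80
service Server1-HTTPS
port 443
keepalive port 443
content Test-HTTP
port 80
add service Server1-HTTP
content Test
port 443
add service Server1-HTTPS
"""

def keepalive_gaps(config):
    """Return (rule, service, traffic_port, probed_port) where the ports differ."""
    services, rules, cur = {}, [], {}
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["service"]:
            cur = services.setdefault(w[1], {})
        elif w[:1] == ["content"]:
            cur = {"name": w[1], "adds": []}
            rules.append(cur)
        elif w[:2] == ["keepalive", "port"]:
            cur["keepalive_port"] = int(w[2])
        elif w[:1] == ["port"]:
            cur["port"] = int(w[1])
        elif w[:2] == ["add", "service"]:
            cur.setdefault("adds", []).append(w[2])
    gaps = []
    for rule in rules:
        for name in rule["adds"]:
            svc = services.get(name, {})
            # Assumption: with no port set, traffic and probe follow the rule's port.
            traffic = svc.get("port") or rule.get("port")
            probed = svc.get("keepalive_port") or traffic
            if traffic != probed:
                gaps.append((rule["name"], name, traffic, probed))
    return gaps
```

A reported gap means the service state shown by the CSS reflects a listener other than the one clients reach through the VIP.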