CSM HTTP and HTTPS on the same server farm

egerritsen
Level 1

Hi,

Is it possible to configure the CSM to accept http and https on the same serverfarm?

We host a website that automatically changes to an https site.

I tried to configure the CSM, but only http or https is working, not both at the same time.

Is there someone with some tips for me?

Kind regards


Gilles Dufour
Cisco Employee

The serverfarm can be used with different server.

Your problem could be the switch from http to https.

You need to guarantee stickiness with sticky source ip for example.

Give us your vserver and serverfarm config if you still need help.

Gilles.

Gilles,

Thanks for helping me out.

I've two configs. The first works well with http and the second works well with https. But both at the same time is the problem.

Customers connect with http to the web page and there is an automatic redirection to https.

HTTP config

module ContentSwitchingModule 7
 ft group 10 vlan 130
  priority 100
  preempt
 !
 vlan 120 server
  ip address 192.168.254.50 255.255.255.0
  alias 192.168.254.254 255.255.255.0
 !
 vlan 110 client
  ip address 172.30.0.50 255.255.255.0
  gateway 172.30.0.254
 !
 serverfarm ICHAIN-SERVERS
  nat server
  no nat client
  predictor leastconns
  real 192.168.254.1
   inservice
  real 192.168.254.2
   inservice
 !
 serverfarm SERVERS-REAL
  nat server
  no nat client
  predictor forward
 !
 sticky 10 cookie STICKY timeout 20
 !
 vserver DIRECT-ACCESS
  virtual 192.168.254.0 255.255.255.0 any
  serverfarm SERVERS-REAL
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
 !
 vserver ICHAIN
  virtual 172.30.0.250 any
  serverfarm ICHAIN-SERVERS
  sticky 20 group 10
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
 !
!

**************************************************

HTTPS configuration

module ContentSwitchingModule 7
 ft group 10 vlan 130
  priority 200
  preempt
 !
 vlan 120 server
  ip address 192.168.254.40 255.255.255.0
  alias 192.168.254.254 255.255.255.0
 !
 vlan 110 client
  ip address 172.30.0.40 255.255.255.0
  gateway 172.30.0.254
 !
 serverfarm ICHAIN-SERVERS
  nat server
  no nat client
  predictor leastconns
  real 192.168.254.1 443
   inservice
  real 192.168.254.2 443
   inservice
 !
 serverfarm SERVERS-REAL
  nat server
  no nat client
  predictor forward
 !
 sticky 10 cookie STICKY timeout 20
 !
 sticky 20 ssl timeout 50
 !
 vserver DIRECT-ACCESS
  virtual 192.168.254.0 255.255.255.0 any
  serverfarm SERVERS-REAL
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
 !
 vserver ICHAIN
  virtual 172.30.0.250 tcp https
  serverfarm ICHAIN-SERVERS
  sticky 50 group 20
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice

I hope this is clear for you.

We have two 6509 both with the same CSM module for failover.

Kind regards,

Edwin Gerritsen

!

Hi Edwin,

As Gilles wrote, it seems as if you lose the stickiness when moving from HTTP to HTTPS. I'm not sure if your application supports a possible move from HTTP to HTTPS. In the second config the http vserver is missing. I guess you won't be able to access the ICHAIN webpage per HTTP in the scenario with the 2nd config, right?

You have to add another vserver like

vserver ICHAIN_http
 virtual 172.30.0.250 tcp www
 serverfarm ICHAIN-SERVERS
 sticky 20 group 10 (if the above is not a problem else you should use in both Layer3-Client-stickiness)
 replicate ...
 and so on...
 inservice

In my opinion, in the 1st config the sticky rule is a problem, as the CSM could not check for cookies in HTTPS connections. I guess this confuses the CSM a bit and therefore HTTPS is not working. .oO(just my thoughts)

Hope that helps.

Kind regards,

Joerg

Joerg,

Thanks for helping me out.

I tried both solutions you provided. First, in the http config I changed the sticky, and https is now working but without http.

This is the new config:

spanning-tree vlan 100 priority 16384
module ContentSwitchingModule 7
 ft group 10 vlan 130
  priority 100
  preempt
 !
 vlan 120 server
  ip address 192.168.254.50 255.255.255.0
  alias 192.168.254.254 255.255.255.0
 !
 vlan 110 client
  ip address 172.30.0.50 255.255.255.0
  gateway 172.30.0.254
 !
 serverfarm ICHAIN-SERVERS
  nat server
  no nat client
  predictor leastconns
  real 192.168.254.1
   inservice
  real 192.168.254.2
   inservice
 !
 serverfarm SERVERS-REAL
  nat server
  no nat client
  predictor forward
 !
 sticky 10 cookie STICKY timeout 20
 !
 sticky 20 ssl timeout 50
 !
 vserver DIRECT-ACCESS
  virtual 192.168.254.0 255.255.255.0 any
  serverfarm SERVERS-REAL
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
 !
 vserver ICHAIN
  virtual 172.30.0.250 any
  serverfarm ICHAIN-SERVERS
  sticky 50 group 20
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
 !
!

Kind regards,

Edwin Gerritsen

Hi Edwin,

Did you take a sniffer trace in VLAN 110/120 and check what is going wrong with http?

Is the http request reaching the reals or is it dropped?

If it is dropped, give it a try with the following changes:

sticky 30 netmask 255.255.255.255 address source timeout 20

and

VSERVER ICHAIN
 no sticky 50 group 20
 sticky 20 group 30

I want to find out if the SSL-stickiness confuses the CSM so that it does not know what to do if non-SSL traffic reaches this VSERVER.

Kind Regards,

Joerg

Joerg,

Thanks for helping, you found the solution for my problem. Everything works fine now.

Can you explain what the function is for this statement?

sticky 30 netmask 255.255.255.255 address source timeout 20

Kind regards

Edwin Gerritsen

Hi Edwin,

No problem at all:

This does a per-client-IP stickiness with a timeout of 20 minutes.

Kind Regards,

Joerg Foerster
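
A simplified model of the `sticky 30 netmask 255.255.255.255 address source timeout 20` statement that resolved the thread, added here as an example; it is not taken from any post and is not Cisco's implementation. It shows why a sticky key built only from the client address survives the HTTP-to-HTTPS redirect, while an SSL-ID key has nothing to match on port 80. The client addresses, the refresh-on-use timeout and the never-closing connections are assumptions of the model.

```python
import ipaddress

class SourceIpSticky:
    """Toy model of source-IP stickiness in front of a leastconns serverfarm."""

    def __init__(self, netmask, timeout_min, reals):
        self.mask = int(ipaddress.IPv4Address(netmask))
        self.timeout = timeout_min * 60          # seconds
        self.conns = {r: 0 for r in reals}       # connections handed to each real
        self.table = {}                          # masked client IP -> (real, last_seen)

    def key(self, client_ip):
        # The sticky key is the client address ANDed with the netmask.
        return int(ipaddress.IPv4Address(client_ip)) & self.mask

    def pick(self, client_ip, dst_port, now):
        """Choose a real for a new connection; dst_port plays no part in the key."""
        k = self.key(client_ip)
        entry = self.table.get(k)
        if entry and now - entry[1] <= self.timeout:
            real = entry[0]                               # sticky hit
        else:
            real = min(self.conns, key=self.conns.get)    # predictor leastconns
        self.conns[real] += 1
        self.table[k] = (real, now)   # assumption: each use refreshes the timer
        return real

def ssl_id_key(dst_port, session_id):
    """SSL-ID stickiness keys on the TLS session ID; plain HTTP carries none."""
    return session_id if dst_port == 443 else None

def demo():
    # Real addresses are from the thread; client addresses are constructed.
    lb = SourceIpSticky("255.255.255.255", 20, ["192.168.254.1", "192.168.254.2"])
    a_http = lb.pick("10.1.1.10", 80, now=0)              # first visit over HTTP
    b_http = lb.pick("10.1.1.11", 80, now=5)              # a second client
    a_https = lb.pick("10.1.1.10", 443, now=10)           # client A after the redirect
    a_late = lb.pick("10.1.1.10", 443, now=10 + 21 * 60)  # idle longer than 20 minutes
    return a_http, b_http, a_https, a_late

if __name__ == "__main__":
    print(demo())
```

With a wider netmask such as 255.255.255.0, every client in the same /24 shares one sticky entry, which is why the thread's statement uses a host mask.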