01-30-2012 02:25 PM
Hi all,
Reaching into history here, asking about a Cisco CSS; however, we have a customer with a CSS 11501 that has an SSL module that we're trying to do some L5 rules over SSL with.
The rules work fine over HTTP but when I wrap them in SSL (the SSL is terminated on the CSS) it does not work.
We have a backend server running IIS on port 80 and a different web server on port 8080 (eg. tomcat).
What needs to happen is that a client hits the website and, if the URL has /follow-me/ in it, then the connection needs to go to port 8080 on the backend server. This works fine over HTTP. When we try the same with HTTPS, what we see (in the IE and Google Developer tools) is a 404 come back from IIS, so it looks like the CSS is not processing the L5 rules?
A breakdown of the configuration is as follows:
ssl-proxy-list ssl_1
ssl-server 20
ssl-server 20 vip address 10.2.1.1
ssl-server 20 rsakey example.com_key
ssl-server 20 rsacert example.com_cert
ssl-server 20 http-header session
ssl-server 20 urlrewrite 1 www.example.com
ssl-server 20 cipher rsa-with-rc4-128-md5 10.2.1.1 80 weight 1
ssl-server 20 cipher rsa-with-rc4-128-sha 10.2.1.1 80 weight 2
ssl-server 20 cipher rsa-with-3des-ede-cbc-sha 10.2.1.1 80 weight 3
ssl-server 20 cipher rsa-with-des-cbc-sha 10.2.1.1 80 weight 4
active
service tomcat_10_2_1_10_8080
ip address 10.2.1.10
protocol tcp
keepalive method get
keepalive type tcp
port 8080
active
service tomcat_10_2_1_10_80
ip address 10.2.1.10
protocol tcp
keepalive method get
keepalive type tcp
port 80
active
service ssl-serv1
type ssl-accel
add ssl-proxy-list ssl_1
slot 2
keepalive type none
active
owner EXAMPLE_TOMCAT
content SSL_10_2_1_1_443
flow-timeout-multiplier 80
vip address 10.2.1.1
port 443
protocol tcp
add service ssl-serv1
active
content TOMCAT_10_2_1_1_8080
flow-timeout-multiplier 80
add service tomcat_10_2_1_10_8080
vip address 10.2.1.1
port 80
protocol tcp
url "/follow-me/"
active
content TOMCAT_10_2_1_1_80
flow-timeout-multiplier 80
vip address 10.2.1.1
add service tomcat_10_2_1_10_80
port 80
protocol tcp
url "/*"
active
Just to confuse matters: if we hit the "/follow-me/" URL directly in a web browser it appears to go to the tomcat web server on backend port 8080; however, after that all requests (from that browser) go to the tomcat on port 8080.
Alternatively, if we hit the normal webpage first and then try to access "/follow-me/", we are presented with the IIS 404 page.
So somehow the SSL session is "sticking" and not processing the L5 rules?
01-30-2012 07:16 PM
Hi,
The problem is related to the Layer 5 behavior when it comes to HTTP 1.1. The config seems to be in good shape, and I'm almost sure the "persistence reset remap" command should get this on the right track.
(config)# persistence reset remap
You may want to add the "no persistent" command under both clear-text content rules.
Basically, with L5 and default persistence the CSS will verify only the first match after the 3-way handshake, and all subsequent requests won't be inspected to look for a more specific match; this helps to speed up the L5 process.
HTH
Sent from Cisco Technical Support iPhone App
01-30-2012 10:02 PM
Hi Pablo,
Thanks for your feedback. I tried your suggestions, but they didn't appear to make any difference.
To confuse matters greatly, the connection(s) and L5 processing work fine from Firefox / Opera / Safari, but do not work successfully from IE (8 / 9) or Chrome. Argh.
The original statement above about confusing matters is only applicable to Chrome; in IE, if you go to the "/follow-me/" URL the tomcat responds correctly, but when accessing "/follow-me" via the main webpage the 404 that is returned is from IIS.
01-31-2012 01:02 AM
Hi,
In general, Pablo's comments are right. However, the right command to be added to the content rule configuration is "no persistent". This will force the CSS to look at all the requests inside the same TCP flow and make a separate load-balancing decision for each of them.
I hope this helps
Daniel
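The following is an added example, not code from any of the posters or from Cisco. It models the behaviour Pablo and Daniel describe: one clear-text flow (the SSL-terminated connection) is matched against the two content rules on the first request, and with default persistence that first match sticks for every later request in the flow, while "no persistent" on every rule plus "persistence reset remap" makes the CSS re-evaluate each request. Assumptions not taken from the CSS documentation: a url pattern ending in "*" is a prefix match and anything else an exact match, an exact match beats a wildcard match, and the constructed backends behave as if tomcat on 8080 only serves /follow-me/ and IIS on 80 serves everything else.

```python
"""Model of CSS L5 content-rule selection per request inside one TCP flow,
comparing default persistence with "no persistent" + "persistence reset remap".
Assumed matching semantics (not from the CSS docs): a url ending in "*" is a
prefix match, anything else an exact match, and exact beats wildcard.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ContentRule:
    name: str
    url: str          # the rule's url "..." string
    service: str      # backend "ip:port"
    persistent: bool  # True = CSS default, False = "no persistent" configured


@dataclass
class Flow:
    """One client TCP connection after SSL termination (one clear-text flow)."""
    rule: Optional[ContentRule] = None


def url_matches(pattern: str, path: str) -> bool:
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def specificity(pattern: str) -> Tuple[int, int]:
    # exact patterns rank above wildcard ones; longer prefixes above shorter
    return (0 if pattern.endswith("*") else 1, len(pattern.rstrip("*")))


class Css:
    def __init__(self, rules: List[ContentRule], reset_remap: bool):
        self.rules = rules
        self.reset_remap = reset_remap  # "persistence reset remap" vs default redirect

    def best_rule(self, path: str) -> ContentRule:
        hits = [r for r in self.rules if url_matches(r.url, path)]
        if not hits:
            raise LookupError("no content rule matches " + path)
        return max(hits, key=lambda r: specificity(r.url))

    def route(self, flow: Flow, path: str) -> Optional[str]:
        """Backend service for this request, or None when the CSS would send an
        HTTP redirect so the client opens a fresh connection (reset redirect)."""
        wanted = self.best_rule(path)
        if flow.rule is None:
            flow.rule = wanted                  # first request: full L5 lookup
        elif wanted != flow.rule and not flow.rule.persistent:
            if self.reset_remap:
                flow.rule = wanted              # remap the flow in place
            else:
                return None                     # "persistence reset redirect"
        # otherwise the flow's first match sticks (default persistence)
        return flow.rule.service


def backend_status(service: str, path: str) -> int:
    """Constructed backend behaviour (assumption, not the poster's servers):
    tomcat on 8080 only knows /follow-me/, IIS on 80 knows everything else."""
    under_follow_me = path.startswith("/follow-me/")
    if service == "10.2.1.10:8080":
        return 200 if under_follow_me else 404
    return 404 if under_follow_me else 200


def run_session(css: Css, paths: List[str]) -> List[Tuple[str, str, int]]:
    """Send paths over one keep-alive connection; record (path, service, status)."""
    flow = Flow()
    results = []
    for path in paths:
        service = css.route(flow, path)
        if service is None:                     # browser follows the redirect on a new flow
            flow = Flow()
            service = css.route(flow, path)
        results.append((path, service, backend_status(service, path)))
    return results


def build_css(no_persistent: bool, reset_remap: bool) -> Css:
    """The two clear-text rules from the thread's configuration."""
    return Css([
        ContentRule("TOMCAT_10_2_1_1_8080", "/follow-me/", "10.2.1.10:8080", not no_persistent),
        ContentRule("TOMCAT_10_2_1_1_80", "/*", "10.2.1.10:80", not no_persistent),
    ], reset_remap)


if __name__ == "__main__":
    for label, css in [("default persistence", build_css(False, False)),
                       ("no persistent + reset remap", build_css(True, True))]:
        print(label)
        for order in (["/", "/follow-me/"], ["/follow-me/", "/"]):
            print("  ", run_session(css, order))
```

With default persistence the model reproduces both symptoms from the first post: a flow that starts at "/" keeps every later request, including "/follow-me/", on port 80 and gets the IIS 404, and a flow that starts at "/follow-me/" drags all later requests to port 8080. With "no persistent" on both rules and "persistence reset remap", each request is re-evaluated and lands on the right backend.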
02-01-2012 07:11 PM
Thank you for the clarification, Daniel. Alas, I have implemented those commands and still the issue persists. For the moment we have been requested to hold off whilst the developer works on a 'work-around' for this issue.
02-18-2012 10:18 AM
The above comments are absolutely correct: you need the "no persistent" in *ALL* of your HTTP rules (if even one of them is missing it, the connection will become stuck there), and you also must have "persistence reset remap" set.
Sounds like you've already done that, so I think you may have run into the same problem we were just facing, especially if it only happens on some browsers and everything works great if it's via HTTP instead of HTTPS. I just posted a solution:
https://supportforums.cisco.com/thread/2132663
The subject is:
Newly Occuring CSS SSL Issue in Chrome, FF10, IE9 with L5 rules; 3 second delay, loss of L5 stickyness
if you need to search for it.
If you're running into the same problem I was, this should fix it for you:
ssl-proxy-list ssl_1
suspend
no ssl-server 20 cipher rsa-with-3des-ede-cbc-sha
no ssl-server 20 cipher rsa-with-des-cbc-sha
active
(be sure you do the suspend + active, otherwise I don't think it actually takes effect).
See the other post for additional info/details. Let me know if it works.
-Joe