12-03-2009 10:26 AM
I am having problems with an SSL termination rule with a backend layer 3 and layer 5 rule (on 2 different servers).
We have an existing SSL connection terminated by the content switch, then forwarded on to a layer 3 rule, this is then balanced between 4 webheads (on two different servers, HTTP). This works fine and has done for a few years now.
Now I have introduced a new layer 5 rule to a 3rd separate server (it is basically a simple page to be embedded into the page request). This works intermittently; it fails with an invalid server response error, and no hit against either of the L3 or L5 rules. I expected that the L5 rule would be processed first, but I am a bit stuck as to what is happening. Is it possible to have multiple backend content rules associated with a single VIP with SSL termination?
We are running a 11501s with Apache backend servers; I can attach example code for what I am trying to do.
Any help will be really appreciated…
Chris
12-04-2009 01:30 AM
Yes, this is possible.
It might be a problem of the connection being idled, in which case the CSS stops looking for the best rule.
Try to increase the flow-timeout-multiplier on all of your rules.
Gilles.
12-04-2009 02:21 AM
Hi Gilles, thanks for your reply. Unfortunately I have a timeout modifier of 77, and this issue can also happen on the first connect to the page (not all the time though).
The request will come in to the SSL rule, then the initial page request will go to the L3, then the resource requests should (I hoped at least) come in and be handled by both the L5 and the L3 rule...
Cheers
Chris
Here is a sample of what I am trying:

content DESTINATION1_L5
  url "/PATH/RESOURCE.PHP"
  vip address 192.168.2.8
  add service SERVER4_PORT80
  flow-timeout-multiplier 77
  port 80
  protocol tcp
  active

content SSL-CONTENT
  port 443
  protocol tcp
  add service SSL-SERVICE
  application ssl
  vip address 192.168.2.8
  flow-timeout-multiplier 77
  active

content DESTINATION2_L3
  vip address 192.168.2.8
  add service SERVER1_PORT8090
  add service SERVER2_PORT8080
  flow-timeout-multiplier 77
  port 80
  protocol tcp
  active
12-04-2009 03:59 AM
This should work.
If it does not, we will need a sniffer trace of frontend and backend traffic with the private key to decrypt the ssl traffic.
Better open a service request if you do not want to share this private info on a forum.
Thanks,
Gilles.
12-04-2009 07:48 AM
Hi Gilles, thanks for confirming what I was doing was correct. I will get a capture, then will probably need to create a service request, but I will feed back on here what I can.
Thanks for your advice
01-19-2010 01:33 AM
Just as an update, we have raised a call via our support contract, I will update when I get some more info.
07-15-2010 02:07 AM
Just as a final update, we needed to change the global persistence reset mode from the default redirect to remap as we still have to support IE6 clients and IE6 was not liking the redirects.
This has resolved our issues nicely.
Thanks for the help.