CSS SSL Termination with layer 3 & 5 backend

chris.sharp
Level 1

I am having problems with an SSL termination rule with a backend layer 3 and layer 5 rule (on 2 different servers).

We have an existing SSL connection terminated by the content switch, then forwarded on to a layer 3 rule, this is then balanced between 4 webheads (on two different servers, HTTP). This works fine and has done for a few years now.

Now I have introduced a new layer 5 rule to a 3rd separate server (it is basically a simple page to be embedded into the page request). This works intermittently; it fails with an invalid server response error, and there is no hit against either the L3 or the L5 rule. I expected that the L5 rule would be processed first, but I am a bit stuck as to what is happening. Is it possible to have multiple backend content rules associated with a single VIP with SSL termination?

We are running an 11501s with Apache backend servers; I can attach an example config for what I am trying to do.

Any help will be really appreciated…

Chris

6 Replies

Gilles Dufour
Cisco Employee

Yes, this is possible.

It might be a problem of the connection being idled, in which case the CSS stops looking for the best rule.

Try to increase the flow-timeout-multiplier on all of your rules.

Gilles.

Hi Gilles, thanks for your reply. Unfortunately I already have a timeout modifier of 77, and this issue can also happen on the first connect to the page (not all the time though).

The request will come in to the SSL rule, then the initial page request will go to the L3 rule, then the resource requests should (I hoped at least) come in and be handled by both the L5 and the L3 rule...

Cheers

Chris

Here is a sample of what I am trying:

  content DESTINATION1_L5
    url "/PATH/RESOURCE.PHP"
    vip address 192.168.2.8
    add service SERVER4_PORT80
    flow-timeout-multiplier 77
    port 80
    protocol tcp
    active

  content SSL-CONTENT
    port 443
    protocol tcp
    add service SSL-SERVICE
    application ssl
    vip address 192.168.2.8
    flow-timeout-multiplier 77
    active

  content DESTINATION2_L3
    vip address 192.168.2.8
    add service SERVER1_PORT8090
    add service SERVER2_PORT8080
    flow-timeout-multiplier 77
    port 80
    protocol tcp
    active

This should work.

If it does not, we will need a sniffer trace of frontend and backend traffic with the private key to decrypt the ssl traffic.

Better open a service request if you do not want to share this private info on a forum.

Thanks,

Gilles.

Hi Gilles, thanks for confirming that what I was doing was correct. I will get a capture, then will probably need to create a service request, but I will feed back on here what I can.

Thanks for your advice.

Just as an update, we have raised a call via our support contract, I will update when I get some more info.

Just as a final update, we needed to change the global persistence reset mode from the default redirect to remap as we still have to support IE6 clients and IE6 was not liking the redirects.

This has resolved our issues nicely.

Thanks for the help.
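As an added illustration (not part of the original thread, and not Chris's or Gilles's config), this is how the global change described in the final update would sit in a CSS running config next to the content rules posted earlier. The `persistence reset` keyword values are from the CSS command set; the commentary on what each mode does to a request that matches a different content rule on an already-open connection is my understanding of the CSS behaviour, and the exact placement in the config is an assumption:

```text
! Added example, not from the thread.
! Global configuration mode on the CSS.
!
! Default mode: when a request on an existing persistent connection
! matches a different content rule (here, a resource request hitting
! DESTINATION1_L5 after the page came in via DESTINATION2_L3), the CSS
! answers the client with an HTTP redirect so it reconnects. The IE6
! clients in this thread did not handle that redirect well.
!   persistence reset redirect
!
! Corrected mode from the final update: the CSS tears down its own
! back-end side of the flow and reconnects to the newly matched
! service, so the client sees no redirect at all.
persistence reset remap

! The content rules themselves are unchanged from the earlier post
! (SSL-CONTENT on 443 terminating SSL, DESTINATION1_L5 matching the
! embedded resource URL, DESTINATION2_L3 catching everything else on 80).
```

When checking this on a box, compare `show running-config` before and after: the global mode is a single line, so the useful confirmation is that the "invalid server response" errors stop appearing and that hits start registering against both the L3 and the L5 rule once resource requests are remapped rather than redirected.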
