CSS11501 connection resets when browsing on vip address

smc
Level 1

Hi there,

I'm having a connection problem when I try to connect using the VIP-address in my browser:

It occurs in two different situations (both in one-armed config. mode):

P.s. Gilles I've read some of your replies but they don't seem to apply to my situation

1)

I have a loadbalancer set up for http webservers, and it works fine as long as I use the DNS name of the vip address. I can also reach both servers on their real addresses, but I can't get a connection when I use the VIP-address in the browser.

Using a sniffer I can see that the tcp handshake is completed (syn, syn ack, ack)

After that my pc sends a duplicate ack, two http GET packets and the next thing I get is a TCP reset from the CSS with seq=1, ack=402

So why is the connection reset? Because of the duplicate ack? And why is the ack of the reset packet using a totally different number (402)?

2)

I also have a loadbalancer working for https servers behind a firewall

I have not set up the DNS for this yet, because otherwise our customers would also get the new entry. And the idea is that I can test on IP first, then make the DNS changes. Anyway:

When I use the public addresses of the servers in my browser, I can get to the servers. When I use the public VIP-address, nothing.

On the CSS I can see the service hits but it doesn't work

When I use a sniffer, I can see the TCP-handshake working fine, after that my pc sends an SSL V2 client hello packet but doesn't get an answer. It retries this several times but no answer.

I also made a capture when connecting on the public address of one of the servers. In this case, after the SSL V2 client hello packet, I get a response from the server that I should use SSLV3 and after that all the rest and as said, this works fine. Of course, in this case I'm not being loadbalanced

p.s

1) the private addresses of the servers and the private VIP-address are being NAT'ed on the firewall

2) both LB's are CSS11501, V7.20

3) for the http servers I've set the keepalive at 4 seconds. The def flow-timeout for http is 8 seconds

4) for the https-servers I've set the keepalive at 15 seconds, the default being 16 seconds

5) no acl's are in use yet

6) Does the flow-timeout multiplier command apply only to the default value of 16, or does it apply to every flow? Meaning, if you set "flow-timeout multiplier 5", does it then multiply only the def. value of 16 times 5, which makes 80? Or does it also apply to all other values? For example, http port 80 has a value of 8 seconds; does this then change to 40 seconds?

Thanx for the effort!

Radboud Veld

2 Replies

smc
Level 1

Hi,

I resolved the issue with the CSS loadbalancing for the http servers, it was simply a matter of setting the url statement to url "/*"

However this doesn't resolve the problem with the CSS for the https-servers, so any help is appreciated!

I've managed to resolve all issues.

grtz Radboud
