CSS11503 - Redundancy With SSL Cards

john.pepper · ‎03-03-2005

Just after a bit of quick advice here.

I currently have 2 * CSS11503 units configured for ip redundancy (redundant interfaces, vips, etc.) and also using ASR (redundant-index values). All this works fine and failover is transparent to end users.

I have recently installed SSL modules and would like to know if I should configure an SSL Proxy List the same on both units (i.e. using the same SSL server number on both content switches)..?

My SSL configuration is https-to-http at the backend servers - config looks something like the below:

ssl-proxy-list my-proxy-list

ssl-server 22

ssl-server 22 rsacert my_cert

ssl-server 22 rsakey my_key

ssl-server 22 cipher rsa-export-with-rc4-40-md5 192.168.2.200 80

ssl-server 22 vip address 172.16.1.10 (example)

active

There's no redundant-index command within the ssl-proxy-list - do I need to config the same ssl-server number on the other CSS.?

Also, I presume the SSL service should have a redundant-index specified for failover as per other services / rules etc.?

service ssl-service

type ssl-accel

slot 3

keepalive type none

add ssl-proxy-list my-proxy-list

redundant-index 5

active

Any help appreciated.

Cheers..

Sbutzek · ‎03-03-2005

Hello John,

ASR ist not supported with ASR.

You can ASR the HTTP Streams, but not the HTTPS streams, because the key Exchange is some more complex.

I do the ASR on HTTP. So the client will do a new SSL Handshake in failover, but then work again on the same Backendserver. This works fine.

I read something about, that there is some discussion to get ASR with SSL Module in one of the next releases.

Best Regards

john.pepper · ‎03-08-2005

Many thanks. I will try this.

Cheers....john