
http not forwarded as https by ssl

k.hashisho
Level 1

I have the following problem with my serverfarm:

An http flow initiated from a serverfarm is not being handled by the load-balanced ssl blades that are supposed to forward the traffic as https to its destination.

To compare the traffic, I am including test flows from 2 serverfarms; one of them is successfully handling the flow translation and the other one is not:

- From real server side, we’re initiating http connections to destination xx.yy.tt.104

- real server 192.168.11.35 (vip xx.yy.zz.124) http connection is translated to https by the SSL blades

- real server 192.168.11.47 (vip xx.yy.zz.73) http traffic is not translating to https and is not leaving the ContentSwitchingModule via vlan200:

Where:

* SRV-005 real address is 192.168.11.47 (vip xx.yy.zz.73) &

* SRV-001 real address is 192.168.11.35 (vip xx.yy.zz.124)

* real server side vlan: vlan301

* internal ssl vlan: ssl vlan201

* destination side transit vlan: vlan200

http flow from real server 192.168.11.35 leaving the ContentSwitchingModule as https:

LN-PRO-CSW001>sh mod csm 3 conn client 192.168.11.35
    prot  vlan  source              destination         state
    ----------------------------------------------------------------------
In  TCP   301   192.168.11.35:1212  xx.yy.zz.12:389     ESTAB
Out TCP   200   xx.yy.zz.12:389     xx.yy.zz.124:22395  ESTAB
In  TCP   201   192.168.11.35:1388  xx.yy.tt.104:443    ESTAB
Out TCP   200   xx.yy.tt.104:443    xx.yy.zz.124:22601  ESTAB
In  TCP   301   192.168.11.35:1360  xx.yy.zz.12:389     ESTAB
Out TCP   200   xx.yy.zz.12:389     xx.yy.zz.124:22572  ESTAB
In  TCP   301   192.168.11.35:1388  xx.yy.tt.104:80     ESTAB
Out TCP   201   xx.yy.tt.104:80     192.168.11.35:1388  ESTAB

http flow from real server 192.168.11.47 not leaving the ContentSwitchingModule as https:

LN-PRO-CSW001>sh mod csm 3 conn client 192.168.11.47
    prot  vlan  source              destination         state
    ----------------------------------------------------------------------
In  TCP   301   192.168.11.47:1291  xx.yy.tt.104:80     ESTAB
Out TCP   201   xx.yy.tt.104:80     192.168.11.47:1291  ESTAB
In  TCP   301   192.168.11.47:1301  xx.yy.tt.104:80     ESTAB
Out TCP   201   xx.yy.tt.104:80     192.168.11.47:1301  ESTAB

-------------------------------------------------

The following config is included on the 6500 content switch module and ssl module:

NL-PRO-CSM001#
!
static nat xx.yy.zz.73
 real 192.168.11.47
!
static nat xx.yy.zz.124
 real 192.168.11.41
 real 192.168.11.35
!
serverfarm SRV-01/77
 nat server
 no nat client
 predictor leastconns
 real 192.168.11.35
  inservice
 real 192.168.11.41
  inservice
 probe LT-T:3389
!
serverfarm SRV-005
 nat server
 no nat client
 real 192.168.11.47
  inservice
!
vserver SRV-005-VIP
 virtual xx.yy.zz.73 tcp 0
 serverfarm SRV-005
 persistent rebalance
 inservice
!
vserver SSLtt.104:80
 virtual xx.yy.tt.104 tcp www
 serverfarm SSL_MODULES
 persistent rebalance
 inservice
!
serverfarm SSL_MODULES
 no nat server
 no nat client
 real 192.168.10.68
  inservice
 real 192.168.10.69
  inservice

-------------------------------------------------

NL-PRO-SSL001#
!
ssl-proxy service SSL-tt.104:80 client
 virtual ipaddr xx.yy.tt.104 protocol tcp port 80 secondary
 server ipaddr 192.168.10.67 protocol tcp port 443
 certificate rsa general-purpose trustpoint test123
 no nat server
 trusted-ca ppCA
 authenticate verify signature-only
 inservice

-------------------------------------------------
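The symptom in the two connection tables above can be checked mechanically rather than by eye. The following is an added example, not part of the original post: it parses the posted "sh mod csm 3 conn client" output (transcribed here as constructed sample input, with the poster's xx.yy address masking kept, so the parsing is plain string matching) and reports any client whose port-80 flow was handed to the SSL VLAN (vlan201) without a matching inbound :443 flow from that client on the same VLAN. That is the shape the working 192.168.11.35 flow has and the 192.168.11.47 flow lacks. The VLAN and port numbers come from the post; the pairing rule is an assumption derived from it.

```python
"""Added example (not part of the original thread): flag CSM clients whose
HTTP flow was handed to the SSL VLAN but never came back re-encrypted.

The connection-table text below is transcribed from the two
'sh mod csm 3 conn client ...' outputs in the post.  The VLAN numbers and
the rule that a re-encrypted leg appears as an inbound :443 flow on the SSL
VLAN are taken from that post (assumption).  Addresses keep the poster's
xx.yy masking, so this is string parsing, not ipaddress arithmetic."""
import re
from typing import Dict, List, Set

SSL_VLAN = 201   # internal SSL VLAN (vlan201 in the post)
HTTP_PORT = 80
HTTPS_PORT = 443

# Constructed sample: both posted outputs, concatenated.
CONN_OUTPUT = """\
prot vlan source destination state
----------------------------------------------------------------------
In TCP 301 192.168.11.35:1212 xx.yy.zz.12:389 ESTAB
Out TCP 200 xx.yy.zz.12:389 xx.yy.zz.124:22395 ESTAB
In TCP 201 192.168.11.35:1388 xx.yy.tt.104:443 ESTAB
Out TCP 200 xx.yy.tt.104:443 xx.yy.zz.124:22601 ESTAB
In TCP 301 192.168.11.35:1360 xx.yy.zz.12:389 ESTAB
Out TCP 200 xx.yy.zz.12:389 xx.yy.zz.124:22572 ESTAB
In TCP 301 192.168.11.35:1388 xx.yy.tt.104:80 ESTAB
Out TCP 201 xx.yy.tt.104:80 192.168.11.35:1388 ESTAB
In TCP 301 192.168.11.47:1291 xx.yy.tt.104:80 ESTAB
Out TCP 201 xx.yy.tt.104:80 192.168.11.47:1291 ESTAB
In TCP 301 192.168.11.47:1301 xx.yy.tt.104:80 ESTAB
Out TCP 201 xx.yy.tt.104:80 192.168.11.47:1301 ESTAB
"""

# One connection-table row: direction, protocol, vlan, src:port, dst:port, state.
ROW = re.compile(
    r"^(?P<dir>In|Out)\s+(?P<prot>\S+)\s+(?P<vlan>\d+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+(?P<dst>\S+):(?P<dport>\d+)\s+(?P<state>\S+)\s*$"
)


def parse_conns(text: str) -> List[Dict[str, str]]:
    """Parse connection-table rows; the header and the dashed rule are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def find_stuck_clients(text: str, ssl_vlan: int = SSL_VLAN) -> List[str]:
    """Clients whose plaintext flow reached the SSL VLAN (an Out row on that
    VLAN whose destination is the client and whose source port is 80) but
    for which no re-encrypted flow (an In row on the same VLAN from that
    client to port 443) exists."""
    handed_to_ssl: Set[str] = set()
    reencrypted: Set[str] = set()
    for r in parse_conns(text):
        if int(r["vlan"]) != ssl_vlan:
            continue
        if r["dir"] == "Out" and int(r["sport"]) == HTTP_PORT:
            handed_to_ssl.add(r["dst"])
        elif r["dir"] == "In" and int(r["dport"]) == HTTPS_PORT:
            reencrypted.add(r["src"])
    return sorted(handed_to_ssl - reencrypted)


if __name__ == "__main__":
    for client in find_stuck_clients(CONN_OUTPUT):
        print(f"{client}: HTTP reached vlan {SSL_VLAN} but no HTTPS leg came back")
```

Run against a fresh capture by pasting the output of "sh mod csm <slot> conn" (all clients) into CONN_OUTPUT; a client listed by find_stuck_clients is one the SSL module accepted a TCP handshake for but never proxied onward, which is exactly where to look at the module's logs or its address handling next.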

Accepted Solution

Gilles Dufour
Cisco Employee

If you don't have a version equal to or higher than 2.1(2) for the SSLM, you are probably hitting bug CSCed77583, "SSL Module invalidate a source IP address using local mask".

It looks like it works except for some ip addresses, and therefore the bug mentioned above seems like a good match.

Gilles.


Replies


Hi Gilles,

It is exactly what you are suggesting.

The SSL vlan is applying its /28 mask when handling http traffic from the real server ip 192.168.11.47/24. SSL then replies to connection attempts with a RST as it interprets the .47 real server ip as a broadcast address.

Big thanks.
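The root cause confirmed above can be reproduced off the chassis. The following is an added example, not the thread's or Cisco's code: it applies the SSL VLAN's /28 prefix length to a client address the way the reply says the module did, and reports which addresses then collide with the network or broadcast address of the resulting block. The /28 and the /24 come from the reply, the 192.168.11.0/24 block matches the posted reals, and the subnet-wide audit generalises the single case in the thread to every host a serverfarm in that /24 could use.

```python
"""Added example (not the thread's or Cisco's code): reproduce the address
check the thread ends on.  The SSL module applied its own SSL-VLAN prefix
length (/28, per the final reply) to the *client* source address, and a
client that then landed on the broadcast (or network) address of that block
was answered with a RST.  The reals sit in a /24 (per the reply); the
192.168.11.0/24 block is the poster's, the rest is an assumed illustration."""
import ipaddress
from typing import Dict, List, Optional

SSL_VLAN_PREFIXLEN = 28           # mask of the internal SSL VLAN (from the reply)
REAL_SUBNET = "192.168.11.0/24"   # real-server VLAN addressing (assumed /24 per the reply)


def misclassified(client_ip: str, local_prefixlen: int) -> Optional[str]:
    """Re-interpret client_ip under the SSL VLAN's prefix length, as the buggy
    module did, and say whether it collides with a reserved address.
    Returns 'network', 'broadcast' or None (address is acceptable)."""
    addr = ipaddress.ip_address(client_ip)
    net = ipaddress.ip_network(f"{client_ip}/{local_prefixlen}", strict=False)
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return None


def audit_reals(reals: List[str], local_prefixlen: int) -> Dict[str, Optional[str]]:
    """Map each real-server address to the reason the module would reject it."""
    return {ip: misclassified(ip, local_prefixlen) for ip in reals}


def hosts_at_risk(real_subnet: str, local_prefixlen: int) -> List[str]:
    """Every usable host in real_subnet that a module applying local_prefixlen
    to client addresses would reject.  Useful before renumbering reals or
    deciding whether the upgrade is urgent for a given serverfarm."""
    subnet = ipaddress.ip_network(real_subnet, strict=False)
    if local_prefixlen <= subnet.prefixlen:
        # A local mask no narrower than the reals' own carves nothing out of
        # the usable range (its only reserved addresses are .0/.255-style
        # ends that hosts() already excludes).
        return []
    return [str(h) for h in subnet.hosts() if misclassified(str(h), local_prefixlen)]


if __name__ == "__main__":
    # The three reals from the posted CSM config.
    for ip, why in audit_reals(["192.168.11.35", "192.168.11.41", "192.168.11.47"],
                               SSL_VLAN_PREFIXLEN).items():
        print(f"{ip}: {'OK' if why is None else 'rejected as ' + why + ' address'}")
    risky = hosts_at_risk(REAL_SUBNET, SSL_VLAN_PREFIXLEN)
    print(f"{len(risky)} of {REAL_SUBNET} hosts would be rejected under /{SSL_VLAN_PREFIXLEN}")
```

With the posted addresses, .35 and .41 fall inside 192.168.11.32/28 as ordinary hosts while .47 is that block's broadcast address, which is why only SRV-005 failed; under a /28 applied to a /24, 30 of the 254 usable hosts are affected, so a farm can work by luck until one real is moved.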
