HTTPS balance without an SSL Module

grubbdw (Level 1)

I have read through the forum and found a couple of threads talking about this issue but didn't find a solution to my problem.

I have 2 CSS11503s without SSL modules. I now have a need to balance a KVMoIP system that uses SSL on the servers (currently only 5 concurrent users). My balance is simply for ease of use for my customers so they don't have to know the URL for the primary and secondary servers. Here is what I have right now:

interface 1/1
  bridge vlan 241
  description "to users"
interface 1/2
  description "to servers"
  bridge vlan 700
circuit VLAN700
  ip address 172.20.241.181 255.255.255.192
  ip virtual-router 100 priority 1
  ip redundant-interface 100 172.20.241.183
  ip critical-service 100 css-up-down
  ip critical-reporter 100 css-sc1
circuit VLAN241
  ip address 172.20.241.71 255.255.255.192
  ip virtual-router 1 priority 1
  ip redundant-interface 1 172.20.241.73
  ip redundant-vip 1 172.20.241.100
  ip critical-service 1 css-up-down
  ip critical-reporter 1 css-sc1
service obsidian
  ip address 172.20.241.172
  keepalive port 80
  keepalive type tcp
  active
owner avocent
  content kvm (Does not work)
    vip address 172.20.241.100
    protocol tcp
    port 443
    add service obsidian
  content kvm_80 (This works)
    protocol tcp
    port 80
    add service obsidian
    vip address 172.20.241.100
    active

The HTTP to the server works fine, but the HTTPS gets "The page cannot be displayed" when you go to https://172.20.241.100

Thanks for any insight into this issue.

9 Replies

pknoops (Level 3)

I would at minimum create a second service for the 443 rule like this:

service obsidian_443
  ip address 172.20.241.172
  keepalive port 443
  keepalive type tcp
  active

and use it for the 443 rule. At least then, when you look at the rule and service, you should see things alive if the 443 part is working fine. By using a service with a keepalive on port 80 for a 443 rule, it kind of gives a false sense of security that the service is up.

Can you give that a try and then let us know the results?

Regards

Pete..
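To make Pete's point concrete, here is an added Python example (not code from the thread, from Cisco, or from the CSS itself) that models what a "keepalive type tcp" on the CSS actually verifies: a bare TCP three-way handshake to one host and port, nothing more. It runs a constructed local listener that answers on one port (the keepalive port) but has nothing listening on a second port (the rule's port), and shows that the keepalive reports "alive" while the port the content rule actually sends clients to is unreachable. The keepalive on the same port as the rule does not have that blind spot. Host names, port numbers and the FakeServer class are all constructed for the example.

```python
import socket
import threading
from contextlib import closing


def tcp_keepalive(host: str, port: int, timeout: float = 2.0) -> bool:
    """Emulate a CSS 'keepalive type tcp': a plain TCP connect to host:port.
    True if the three-way handshake completes, False otherwise.
    No application data is exchanged, so this says nothing about TLS."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        return False


def rule_health(host: str, rule_port: int, keepalive_port: int,
                timeout: float = 2.0) -> dict:
    """Compare what the service keepalive reports with what a client of the
    content rule would actually get. When the keepalive probes a different
    port than the rule uses, the service can show 'alive' while the rule's
    own port is down; that is the false sense of security described above."""
    keepalive_up = tcp_keepalive(host, keepalive_port, timeout)
    rule_port_up = tcp_keepalive(host, rule_port, timeout)
    return {
        "keepalive_reports_alive": keepalive_up,
        "rule_port_reachable": rule_port_up,
        "misleading": keepalive_up and not rule_port_up,
    }


class FakeServer:
    """Constructed stand-in for a real server (not part of the original post):
    listens on an ephemeral port and closes each accepted connection, so the
    example runs offline."""

    def __init__(self, host: str = "127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, 0))
        self.sock.listen(5)
        self.sock.settimeout(0.2)  # lets the accept loop notice shutdown
        self.host, self.port = self.sock.getsockname()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:  # listening socket closed by close()
                break

    def close(self) -> None:
        self._stop.set()
        self.sock.close()
        self._thread.join()


def unused_port(host: str = "127.0.0.1") -> int:
    """Pick a port nothing is listening on, to simulate a server whose
    HTTPS listener is down while its HTTP listener is still up."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def mismatched_keepalive_demo() -> dict:
    """Keepalive on the 'port 80' listener, rule on a closed 'port 443'."""
    server = FakeServer()
    try:
        closed = unused_port(server.host)
        return rule_health(server.host, rule_port=closed,
                           keepalive_port=server.port)
    finally:
        server.close()


def matched_keepalive_demo() -> dict:
    """Keepalive and rule on the same listener: no blind spot."""
    server = FakeServer()
    try:
        return rule_health(server.host, rule_port=server.port,
                           keepalive_port=server.port)
    finally:
        server.close()


if __name__ == "__main__":
    print("keepalive on a different port:", mismatched_keepalive_demo())
    print("keepalive on the rule's port: ", matched_keepalive_demo())
```

The same reasoning applies on the CSS: a service whose keepalive probes port 80 can stay "alive" after the HTTPS listener on the server has died, and the 443 rule will keep sending clients to it. Giving the 443 rule its own service with "keepalive port 443" ties the health check to the port the rule actually uses.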

Boy do I feel like a noob now!!

I have made so many changes over the last 2 days trying to get this going that I missed one very obvious mistake along the way.

content kvm
  ACTIVE

Pete, Thanks for the advice, I have changed my keepalive as you recommended. Everything looks good at this point.

Hi All.

Must I not configure "application ssl" in the content rule to support HTTPS??!!

bye joerg

Joerg,

It is not mandatory.

This command is required only if you use sticky-ssl. It tells the CSS to interpret the traffic as SSL and look for the SSLID.

If you do not use sticky-ssl then I would recommend not to configure this command.

Gilles.

Hi Gilles,

I had configured the same stuff as mentioned here before, but it doesn't work. After I had configured the "application ssl" stuff, it works as I want.

Not needed.

You must have configured stickiness, or it works for other reasons than this command.

Gilles.

Hi Gill,

That's what I've found:

(config-owner-content) application

To specify the application type associated with the content rule, use the application command. The application type enables the CSS to correctly interpret the data stream matching the content rule and parse them. Otherwise, the data stream packets are rejected. Use the no form of this command to reset the application type to its default setting of HTTP.

application type

no application

Syntax Description

type

Application type. Enter one of the following:

- bypass - Bypasses the matching of the content rule and sends the request directly to the origin server
- http (default) - Processes HTTP data streams
- ftp-control - Processes FTP data streams
- sip - Processes Session Initiation Protocol (SIP) data streams
- ssl - Processes Secure Sockets Layer (SSL) protocol data streams

Joerg,

Thanks for the info, but it clearly says that this is required only if you need to interpret the data.

However, to load balance HTTPS traffic or any TCP traffic, you do not need to interpret the data.

For example, you do not need 'application telnet' to load balance telnet traffic.

As I said, the command is only needed if your CSS is spoofing the connection.

I think if you do not have stickiness and you need 'application ssl', this is because you have configured a url /*, which is a mistake as well, since the CSS can't decrypt the traffic.

Configuring the url forces the CSS to spoof the connection, and by default it will try to identify HTTP traffic. Since this is SSL, it fails.

Do you have the url configured?

Gilles.

Hi Gilles,

Aha, you are right. I had configured url /*; now I have deconfigured it and now it's working also without this command.

Thanks for clarifying this and for your help.

bye joerg
