04-19-2009 11:21 PM
Hi,
the customer has to load balance SSL traffic which is terminated on the servers' port 8001. But the clients need to communicate on port 443. So the customer provided the following configuration, but it isn't working. Does anybody know where the problem is? Thank you.
Roman
!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 192.168.110.158 1
!************************* INTERFACE *************************
interface e1
description "public-test VIP"
bridge vlan 56
interface e2
description "intra-test"
bridge vlan 57
!************************** CIRCUIT **************************
circuit VLAN56
ip address 192.168.110.131 255.255.255.224
circuit VLAN57
ip address 192.168.110.161 255.255.255.224
!************************** SERVICE **************************
service webt1
ip address 192.168.110.162
protocol tcp
port 8001
keepalive type tcp
keepalive port 8001
active
service webt2
ip address 192.168.110.163
protocol tcp
port 8001
keepalive type tcp
keepalive port 8001
active
!*************************** OWNER ***************************
owner VIST
content webt
add service webt1
add service webt2
protocol tcp
port 443
url "/*"
vip address 192.168.110.129
application ssl
advanced-balance ssl
active
04-20-2009 12:08 AM
Hi,
here you find an example of an SSL configuration on a CSS.
The example was found in the SSL configuration guide, which can be found here:
If any more specific questions on how to solve this, post them!
HTH,
Dario
04-20-2009 12:18 AM
Hello Dario,
the customer has no SSL module. The CSS doesn't encrypt/decrypt traffic. The CSS will be transparent for SSL. Only PAT will be provided.
Client - VIP + 443 - CSS - server's IP address + 8001
The examples, which you sent me, are with the SSL module (back-end SSL, end-to-end SSL - with encryption and decryption on CSS, termination of SSL on CSS):-(.
04-20-2009 12:23 AM
Hi,
misread your question.
You should configure your content rule like a normal L4 content rule, without the SSL config:
content webt
add service webt1
add service webt2
protocol tcp
port 443
vip address 192.168.110.129
active
HTH,
Dario
04-21-2009 04:04 AM
Hi,
the customer tried your config, but without success. He had to add a url into the content rule (so he had to create an L7 rule again) to see some session from the client. The status of the LB is the following:
the client sent a SYN packet on port 443, this SYN packet arrived at the server on port 8001, the server responded with SYN, ACK, the client responded with ACK and then ACK RST:-( I don't know why the RST is sent;-(
04-21-2009 04:19 AM
You can't use an L7 rule because the packet is encrypted. That's why you need to use an L4 rule.
Can you post your adapted config of the content rule?
Try sniffing in front of and behind your LB.
The packets in front should point to port 443 (destination port towards the LB, source port towards the client), and the packets behind should point to port 8001 (destination port towards the server, source port towards the LB).
04-22-2009 05:00 AM
Hello,
the customer again tried the L3 rule:
!*************************** GLOBAL
ip route 0.0.0.0 0.0.0.0 192.168.110.158 1
!************************* INTERFACE
interface e1
description "public-test VIP"
bridge vlan 56
interface e2
description "intra-test"
bridge vlan 57
!************************** CIRCUIT
circuit VLAN56
ip address 192.168.110.131 255.255.255.224
circuit VLAN57
ip address 192.168.110.161 255.255.255.224
!************************** SERVICE
service webt1
ip address 192.168.110.162
protocol tcp
port 8001
keepalive port 8001
keepalive type tcp
active
service webt2
ip address 192.168.110.163
protocol tcp
port 8001
keepalive port 8001
keepalive type tcp
active
!*************************** OWNER
owner VIST
content webt
add service webt1
add service webt2
vip address 192.168.110.129
protocol tcp
port 443
active
!*************************** GROUP
group serverst
vip address 192.168.110.129
add destination service webt1
add destination service webt2
active
but the communication between the client (192.168.110.133) and the server through the CSS didn't work:-( I'm sending you the output from the sniffer between the client and the CSS (vist11_in) - here only SYN packets are seen:-( And I'm sending you the output from tcpdump between the CSS and the server (vist11_out) - here some client traffic is not seen:-(
I don't know why it doesn't work:-( Thank you. Roman.
04-22-2009 05:35 AM
Hi,
Why are you doing destination NAT?
By using the group and adding the services as destination services, your packet goes through the CSS and is being source NATed. This means that the client IP is replaced by the VIP address as the source address.
In your tcpdump you see this:
08:52:07.701022 IP 192.168.110.129.blackboard > 192.168.110.163.vcom-tunnel: S 3900452246:3900452246(0) win 65535
This is the CSS connecting to server @.163.
Here you see the reply from your server:
08:52:07.703198 IP 192.168.110.163.vcom-tunnel > 192.168.110.129.blackboard: S 3688339573:3688339573(0) ack 3900452247 win 5840
And immediately you see this:
08:52:07.706426 IP 192.168.110.190 > 192.168.110.163: ICMP host 192.168.110.129 unreachable - admin prohibited filter, length 36
which indicates that address 192.168.110.129 is unreachable - admin prohibited filter; I assume an ACL or something like that.
This is what's happening and causing your problem.
HTH,
Dario
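As an added illustration of the trace reading in the post above (this is not code from the thread or from Cisco): a small Python script that parses tcpdump text lines, tracks the TCP handshake state of each flow, and flags the case where an ICMP "unreachable - admin prohibited filter" message for one endpoint arrives right after the server's SYN-ACK. The three sample lines are the ones quoted in the post; the regular expressions assume tcpdump's classic IPv4 output format with service names resolved, and the function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# The three tcpdump lines quoted in the thread (capture between CSS and server),
# embedded here as the sample input so the script runs offline.
SAMPLE_TRACE = """\
08:52:07.701022 IP 192.168.110.129.blackboard > 192.168.110.163.vcom-tunnel: S 3900452246:3900452246(0) win 65535
08:52:07.703198 IP 192.168.110.163.vcom-tunnel > 192.168.110.129.blackboard: S 3688339573:3688339573(0) ack 3900452247 win 5840
08:52:07.706426 IP 192.168.110.190 > 192.168.110.163: ICMP host 192.168.110.129 unreachable - admin prohibited filter, length 36
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> <rest>"
TCP_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IPV4})\.(?P<sport>\S+) > (?P<dst>{IPV4})\.(?P<dport>\S+): "
    r"(?P<flags>[SFRP.]+) (?P<rest>.*)$"
)

# ICMP line: "<ts> IP <reporter> > <dst>: ICMP host <host> unreachable - <reason>, length N"
ICMP_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IPV4}) > (?P<dst>{IPV4}): ICMP host (?P<host>{IPV4}) unreachable"
    r"(?: - (?P<reason>.*?))?, length \d+$"
)

Endpoint = Tuple[str, str]           # (ip, port or resolved service name)
FlowKey = Tuple[Endpoint, Endpoint]   # sorted pair, so both directions share one key


def flow_key(a: Endpoint, b: Endpoint) -> FlowKey:
    first, second = sorted((a, b))
    return (first, second)


def analyze_trace(trace: str) -> List[str]:
    """Walk a tcpdump text trace and report handshakes that were answered by an
    ICMP unreachable aimed at one of the two endpoints."""
    flows: Dict[FlowKey, str] = {}   # state per flow: syn | syn-ack | established | blocked
    findings: List[str] = []

    for line in trace.splitlines():
        m = TCP_RE.match(line)
        if m:
            key = flow_key((m["src"], m["sport"]), (m["dst"], m["dport"]))
            flags, rest = m["flags"], m["rest"]
            if "S" in flags and "ack" not in rest:
                flows[key] = "syn"                       # client's SYN
            elif "S" in flags and "ack" in rest and flows.get(key) == "syn":
                flows[key] = "syn-ack"                   # server's SYN-ACK
            elif "." in flags and "ack" in rest and flows.get(key) == "syn-ack":
                flows[key] = "established"               # final ACK of the handshake
            continue

        m = ICMP_RE.match(line)
        if not m:
            continue
        # An unreachable for an endpoint of a flow that is still mid-handshake means a
        # device on the path (the ICMP sender) refused the reply, not the load balancer.
        for key, state in list(flows.items()):
            if state == "syn-ack" and m["host"] in (key[0][0], key[1][0]):
                reason = m["reason"] or "no reason given"
                findings.append(
                    f"{m['ts']}: {m['src']} reports {m['host']} unreachable ({reason}) "
                    f"right after the SYN-ACK sent by {m['dst']}; a filter on the path "
                    "is dropping the return traffic"
                )
                flows[key] = "blocked"
    return findings


if __name__ == "__main__":
    for finding in analyze_trace(SAMPLE_TRACE):
        print(finding)
```

The ICMP sender (192.168.110.190 in the trace) is the device to inspect for the filter; in the thread that turns out to be the servers' default gateway, which is why the next posts move on to the routing design.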
04-23-2009 03:16 AM
Hello,
thank you for your explanation. The customer uses source NAT, because the servers have their default GW on an L3 switch. So there is a one-arm mode design.
The connection between the CSS and the servers is through an L2 switch, so the communication from the server to the VIP address is in the same network segment. So the communication is only through the L2 switch and there is not any ACL:-( So I don't know why the response to the client is prohibited. There is no filter on the path between the CSS and the servers. Thanks.
04-23-2009 03:38 AM
Hi,
Then your IP subnetting is not correct.
Your VIP is 192.168.110.129, which belongs to VLAN56, which is in the subnet 192.168.110.128/27 (host addresses between 192.168.110.129 - 158).
Your servers have IP addresses 192.168.110.162 - 3, in VLAN57 with subnet 192.168.110.160/27 (host addresses 192.168.110.161 - 190).
Your config reflects a routed mode design (it has an IP address in the client VLAN and an IP address in the server VLAN) and your servers should have the CSS as default gateway. In a one-armed mode design, your CSS only has 1 IP address.
HTH,
Dario
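To make the subnet reasoning in the post above checkable, here is an added Python example (not from the thread) that takes the circuit addresses and masks from the posted configuration, derives each circuit's network and host range, and reports whether two hosts share a segment or need a router between them. The names of the functions and the mode classification are my own.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Circuit addresses and masks as posted in the thread's CSS configuration.
CIRCUITS = {
    "VLAN56": ipaddress.ip_interface("192.168.110.131/255.255.255.224"),
    "VLAN57": ipaddress.ip_interface("192.168.110.161/255.255.255.224"),
}

# Other addresses mentioned in the thread.
HOSTS = {
    "vip": "192.168.110.129",
    "webt1": "192.168.110.162",
    "webt2": "192.168.110.163",
    "servers-default-gw": "192.168.110.158",
}


def host_range(iface: ipaddress.IPv4Interface) -> Tuple[str, str]:
    """First and last usable host address of the circuit's subnet."""
    hosts = list(iface.network.hosts())
    return str(hosts[0]), str(hosts[-1])


def subnet_report(circuits: Dict[str, ipaddress.IPv4Interface]) -> Dict[str, str]:
    """Per circuit: network prefix and usable host range, as a readable string."""
    report = {}
    for name, iface in circuits.items():
        first, last = host_range(iface)
        report[name] = f"{iface.network} (hosts {first} - {last})"
    return report


def circuit_of(addr: str, circuits: Dict[str, ipaddress.IPv4Interface]) -> Optional[str]:
    ip = ipaddress.ip_address(addr)
    for name, iface in circuits.items():
        if ip in iface.network:
            return name
    return None


def path_between(src: str, dst: str, circuits: Dict[str, ipaddress.IPv4Interface]) -> str:
    """Whether src and dst talk over one L2 segment or through a router."""
    a, b = circuit_of(src, circuits), circuit_of(dst, circuits)
    if a is None or b is None:
        return "at least one address is outside the CSS circuits: reached via the default route"
    if a == b:
        return f"same segment ({a}): L2 only, no router in the path"
    return f"{a} -> {b}: different subnets, so the traffic is routed through a gateway"


def design_mode(circuits: Dict[str, ipaddress.IPv4Interface]) -> str:
    """Routed mode when the CSS has an address in more than one circuit, one-arm otherwise."""
    return "routed" if len(circuits) > 1 else "one-arm"


if __name__ == "__main__":
    for name, line in subnet_report(CIRCUITS).items():
        print(f"{name}: {line}")
    print("design:", design_mode(CIRCUITS))
    print("vip -> webt1:", path_between(HOSTS["vip"], HOSTS["webt1"], CIRCUITS))
```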
04-23-2009 03:53 AM
Hi Dario,
you are right.:-) I'm blind. So there are two subnets - so the communication is routed on the DG (L3 switch). So I will ask the customer about the ACL or some filter configuration on this L3 device. Thank you!!!
04-23-2009 04:02 AM
Hi,
Keep us posted if this was causing your problem and if it is resolved.
05-06-2009 03:47 AM
Hi Dario,
the customer removed the ACL on the L3 device, but the LB is still not functional:-( The config is the same. I'm sending you the trace between the client (192.168.110.133) - CSS (192.168.110.129) = Visit_in and the CSS (192.168.110.129) - servers (192.168.110.162 and .163) = Visit_out. The file 3750_090505_4a.log is the log from the DG for the servers (192.168.110.158). There is only one ACL in the out direction, which permits all traffic between 192.168.110.128/27 (VIP) and 192.168.110.160/27 (servers). Thank you for your help. Roman
05-15-2009 01:28 AM
Note, you should still have the ff in your rule:
application ssl
advanced-balance ssl
You need SSL sticky for the session. Just no url command, since the CSS can't do an L5 rule with SSL.