Odd - SSL connections to some FARMS work, but not to others!

sgonsalv
Level 1

Hi,

I have been able to successfully test two SSL-PROXY services for my two test farms on our SSL module. However, when I try applying this to a production farm, namely FARM-VISTA-TEST as detailed in the attached config files, I've noticed that the HTTP connections work, but the HTTPS connections don't initiate the SSL connection, i.e. it doesn't bring up the certificate etc. It just sits in the "discovering" state, where the bar at the bottom of the browser says "connected to 130.194.11.122..."!

At the moment the real servers in FARM-VISTA-TEST have failed the probe, so the HTTP connections aren't available, but if you wanted to test the HTTPS connections from your browser you can. Note, you can also test connecting to my two test farm setups.

- Just wondering if there is anything in my configuration of the service for FARM-VISTA-TEST that stands out?

- Also, would the type or setup of the real servers in this farm have any bearing on the SSL connections to it?

FYI, we have two SSL modules, but for testing purposes I've only been using one SSL module.

Any help on this would be much appreciated.

thanks

6 Replies

sgonsalv
Level 1

Hi Giles,

Have another question:

- When setting up virtual servers, is it essential to state what the VLAN is? For example, with

vserver VVISTA-TEST-80
  virtual 130.194.11.122 tcp www
  serverfarm FARM-VISTA-TEST
  vlan 11
  sticky 60 group 225
  replicate csrp sticky
  persistent rebalance
  inservice

is it essential to have the line "vlan 11" there? What does stating a VLAN here mean or imply?

thanks

The vlan is there to limit access to the vserver from a specific vlan.

If you do not specify a vlan, the CSM accepts connections from every vlan.

Regards,

Gilles.

Gilles Dufour
Cisco Employee

You are using the wrong sticky group.

In your config, I see group 225 being used with "vserver VISTEST-SSLVIP" and group 225 is "sticky 225 cookie JSESSIONID timeout 60".

So the CSM is waiting for a cookie in the HTTPS traffic.

There is no way to find a cookie in encrypted traffic.

Your working vserver - "vserver SSL_VIP" - is using sticky group 100, which is SSL ID stickiness.

Regards,

Gilles.

Hi Giles,

Thanks for the information.

So going on what you are saying, setting up a sticky connection based on an SSL ID allows stickiness between the "clients" and the "SSL modules" itself, but there is no way of having that flow on to stickiness to the real servers themselves? That is, there is no way of having cookies at all with SSL connections?

thanks

Further to my previous note, if I set up the following:

serverfarm FARM-VISTA-TEST
  nat server
  no nat client
  predictor leastconns
  description WebCT-Vista Test-ServerFarm
  failaction purge
  real 130.194.13.241
    inservice
  real 130.194.13.242
    inservice
  real 130.194.13.243
    inservice
  real 130.194.13.244
    inservice
  real 130.194.13.245
    inservice
  real 130.194.13.246
    inservice
  probe VISTA-TCP-80
!
serverfarm VISTESTSSLFARM
  nat server
  no nat client
  real 172.16.11.11
    inservice
  real 172.16.11.12
    inservice

sticky 101 ssl timeout 30
sticky 225 cookie JSESSIONID timeout 60

vserver VVISTA-TEST-80
  virtual 130.194.11.122 tcp www
  serverfarm FARM-VISTA-TEST
  sticky 60 group 225
  replicate csrp sticky
  persistent rebalance
  inservice

vserver VISTEST-DECVIP
  virtual 172.16.11.101 tcp www
  serverfarm FARM-VISTA-TEST
  persistent rebalance
  inservice

vserver VISTEST-SSLVIP
  virtual 130.194.11.122 tcp https
  serverfarm VISTESTSSLFARM
  sticky 30 group 101
  ssl-stick offset 20 length 6
  replicate csrp sticky
  persistent rebalance
  inservice

- Would having one virtual server "VVISTA-TEST-80" (HTTP) using cookie-based stickiness, and the other "VISTEST-SSLVIP" (HTTPS) using SSL-based stickiness, cause a problem?

- If the above causes a problem, I guess the group that owns the FARM-VISTA-TEST farm would need to remove the cookie-based stickiness from their servers to allow an SSL service to work?

- Is there an alternate way of having stickiness to the real servers if cookies aren't the way?

thanks

Sheldon

Your solution is correct.

You have to use SSL stickiness for SSL [HTTPS] traffic, and the decrypted traffic [HTTP] can then be stuck to a specific server using cookies.

Regards,

Gilles.

PS: please rate all answers you are receiving - it helps others find useful information and it is also a motivation to know that our help is appreciated.
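As an added illustration of Gilles's point (not code from this thread or from Cisco), here is a small Python check that parses a constructed CSM config fragment modelled on the one posted above and flags any HTTPS vserver bound to a cookie sticky group, since the cookie sits inside the encrypted payload and the CSM can never match it there. The sample deliberately reintroduces the original group 225 mistake and then applies the group 101 fix.

```python
import re
# Constructed CSM fragment modelled on the thread's config, with the original
# mistake reintroduced: the HTTPS vserver is bound to cookie sticky group 225.
SAMPLE_CONFIG = """\
sticky 101 ssl timeout 30
sticky 225 cookie JSESSIONID timeout 60
vserver VVISTA-TEST-80
  virtual 130.194.11.122 tcp www
  sticky 60 group 225
  inservice
vserver VISTEST-SSLVIP
  virtual 130.194.11.122 tcp https
  sticky 30 group 225
  inservice
"""
# Same fragment with the thread's fix: SSL-session-ID stickiness (group 101).
FIXED_CONFIG = SAMPLE_CONFIG.replace("sticky 30 group 225", "sticky 30 group 101")

def parse_sticky_groups(config):
    """Map sticky group number -> type ('ssl', 'cookie' or 'netmask')."""
    groups = {}
    for line in config.splitlines():
        m = re.match(r"\s*sticky\s+(\d+)\s+(ssl|cookie|netmask)\b", line)
        if m:
            groups[int(m.group(1))] = m.group(2)
    return groups

def parse_vservers(config):
    """Collect each vserver's name, virtual port and bound sticky group."""
    vservers, current = [], None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("vserver "):
            current = {"name": s.split()[1], "port": None, "group": None}
            vservers.append(current)
        elif current is None:
            continue                      # lines outside any vserver block
        elif s.startswith("virtual "):
            current["port"] = s.split()[-1]   # e.g. 'www', 'https' or '443'
        elif (m := re.match(r"sticky\s+\d+\s+group\s+(\d+)", s)):
            current["group"] = int(m.group(1))
        elif s == "inservice":
            current = None                # 'inservice' closes the vserver block
    return vservers

def cookie_sticky_on_https(config):
    """Names of HTTPS vservers bound to a cookie sticky group (never matchable)."""
    groups = parse_sticky_groups(config)
    return [v["name"] for v in parse_vservers(config)
            if v["port"] in ("https", "443") and groups.get(v["group"]) == "cookie"]
```

Running `cookie_sticky_on_https(SAMPLE_CONFIG)` reports VISTEST-SSLVIP, and the same call on `FIXED_CONFIG` reports nothing.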
