08-21-2002 02:48 PM
I am trying to use the One-armed transparent proxy config found in the SCA 11000 series manual with the One-Armed config for a CSS 11000 series load balancer. I have one SCA hanging off one CSS, and I'm balancing 3 IIS webservers that are connected to a switch. The CSS is also connected to the same switch. The site uses an http:// entry that redirects to an https:// page. I am not using any ACLs, and everything is on the same subnet.
Right now, if I make an http (port 80) request I hit the CSS and the content rule sends it to a webserver that redirects to a https (443) page. This sends me back to the CSS and off to the SCA, where I get my cert. The SCA then goes back to the CSS on port 81 where it hits a content rule for the VIP and port 81 which sends it to one of the webservers. However, this is where the page hangs and eventually times out. It never gets back to the webservers, but it hits the content rule. Any ideas on what I'm doing wrong?
08-21-2002 11:59 PM
This is most likely because the physical return path from the real servers does not go through the CSS, but direct to the router connected to the layer 2 switch. The end result is the client drops the response because the response packet source IP address and port do not match what the client connected to. Connect the real servers and the router direct to the CSS ports if possible.
An alternative may be to create a source group for each non-SSL-encrypted VIP on the CSS. Under each, add a destination service for all services using that content rule VIP. This will make all sessions look like the CSS circuit address is the client source, therefore forcing all traffic to be returned to/through the CSS. This method will load the CSS, so it is not ideal, and obviously can't be done for the SSL sessions before the SCA.
08-22-2002 11:16 PM
You need to paste your config from the CSS and SCA here.
Remember to remove the cert bodies....
Also, some networking description will be useful,
mostly LAN side and WAN side,
and mostly HTTP server stack configuration 8-)
12-19-2002 05:59 AM
If you are in a one-armed config you don't want to use the transparent proxy.
I had the same issues; once I did this it worked just fine:
(config[SCA101])# ssl
(config-ssl[SCA101])# server test-monster
(config-ssl-server[test-monster])# no transparent
(config-ssl-server[test-monster])# exit
(config-ssl[SCA101])# exit