1503 Views, 0 Helpful, 15 Replies

SSL GET keepalive

ROMAN TOMASEK
Level 1

Hi,

Does somebody have the script for an SSL GET keepalive? I need to check the health of the content on the SSL server. I need to use the client certificate for this check. Thank you for any advice.

Roman

15 Replies

Gilles Dufour
Cisco Employee

Such a script does not exist.

The only ssl script existing is one where the CSS does basic ssl negotiation - no client certificate.

It is technically not possible to send an encrypted GET with CSS scripting language.

With the new 7.50 version, you can use the option 'encrypt' to send encrypted HTTP keepalive.

This requires the presence of an SSL module.

Regards,

Gilles.

Hi Gilles,

Thank you for your advice. I have the SSL module and I have the client certificate on the SSL module (PEM files). I downloaded WebNS 7.50. So can I use a script with the "encrypt" command for the SSL GET keepalive? But I don't have experience with the script language :-( Can somebody help me with this keepalive?

You can't use a script.

To use the encryption functionality create a normal http keepalive and use the option 'encrypt'.

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_command_reference_chapter09186a008040c44b.html

Regards,

Gilles.

Thank you very much. I will test it :-) I hope that all will be OK :-)

Hi Gilles,

but I cannot use it for a transparent SSL configuration :-(, because when I use keepalive type http encrypt I have to use the command type ssl-accel-backend or ssl-init.

I need to use the following configuration:

service W1
  ip address 192.168.66.33
  keepalive type ssl
  keepalive port 5001
  active

service W2
  ip address 192.168.66.34
  keepalive type ssl
  keepalive port 5001
  active

owner MUZO
  content ssl
    vip address 192.168.66.35
    add service W1
    add service W2
    application ssl
    advanced-balance ssl
    protocol tcp
    port 5001
    active

and I'd like to change keepalive for services W1 and W2, for example:

service W2
  ip address 192.168.66.34
  keepalive type http encrypt
  keepalive port 5001
  keepalive uri "/test.htm"
  type ssl-init

but I have to configure an ssl-proxy-list and so on. So I think that I will have a problem with transparent traffic :-( Because when I configure an ssl-proxy-list, I think the CSS will not be transparent for this traffic (it will try to encrypt and decrypt this traffic :-()

I have not yet tested this feature myself, so I can't confirm whether the first solution below will work or not.

For sure the 2nd one will work.

1. configure ssl-backend service for w1 and w2 and use the 'encrypt' keepalive.

Normally the SSL module only encrypts traffic that comes in on the specific cleartext port.

If your traffic does not match this port, it should be forwarded unchanged.

2. You should create a new backend-ssl service for W1 and W2.

Use the keepalive with encrypt.

Then for your current W1 and W2 service, use a script that checks if the corresponding backend service is alive.

Gilles.

I have tested solution #1 and it works.

backend-server 2
backend-server 2 cipher rsa-with-rc4-128-md5
backend-server 2 port 83
backend-server 2 ip address 192.168.10.123
backend-server 2 server-ip 192.168.10.123

!************************** SERVICE **************************
service gduf-backend
  type ssl-accel-backend
  add ssl-proxy-list gdufour
  keepalive port 83
  keepalive type http encrypt
  ip address 192.168.10.123
  keepalive uri "/index.html"
  keepalive method get
  active

Regards,

Gilles.

Hi Gilles,

Thank you very much. I will test both solutions on Thursday. I will write to you about my results. I hope that all will be OK.

Best Regards

Roman

Hi Gilles,

I tested the first solution, but without success:-( I used the following configuration:

!*************************** GLOBAL ***************************
no restrict web-mgmt
ssl-l4-fallback disable
ssl associate rsakey mykey w.key
ssl associate cert mycert w.crt
ip route 0.0.0.0 0.0.0.0 192.168.67.5 1

!************************* INTERFACE *************************
interface 1/1
  trunk
  vlan 65
  vlan 66
  vlan 67

!************************** CIRCUIT **************************
circuit VLAN66
  ip address 192.168.66.5 255.255.255.0

circuit VLAN67
  ip address 192.168.67.10 255.255.255.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list test
  backend-server 1
  backend-server 1 ip address 192.168.66.33
  backend-server 1 server-ip 192.168.66.33
  backend-server 1 rsakey mykey
  backend-server 1 rsacert mycert
  backend-server 1 port 5001
  active

!************************** SERVICE **************************
service W1
  ip address 192.168.66.33
  type ssl-accel-backend
  add ssl-proxy-list test
  keepalive port 5001
  keepalive type http encrypt
  keepalive method get
  keepalive uri "/sid/status"
  active

service W2
  ip address 192.168.66.34
  type ssl-accel-backend
  add ssl-proxy-list test
  keepalive type http encrypt
  keepalive port 5001
  keepalive method get
  keepalive uri "/sid/status"

service sslmodule
  type ssl-accel
  keepalive type none
  slot 2
  add ssl-proxy-list test
  active

!*************************** OWNER ***************************
owner MUZO
  content ssl
    vip address 192.168.66.35
    add service W1
    add service W2
    application ssl
    advanced-balance ssl
    protocol tcp
    port 5001
    active

but the keepalive arrived at the server on port 443.

When I used the command backend-server 1 server-port 5001, the keepalive arrived only once on port 5001 (the response was 200 OK, but the service was down) and the next keepalives didn't reach the server :-( When I reconfigured the CSS with the same commands (backend-server 1 server-port 5001), the keepalive stopped arriving :-( on both ports (5001 and 443).

Where is the mistake? :-( Thanks

Don't forget the SSL module listens on port 80 to translate to port 443.

To change the destination port, you need the command 'backend-server server-port 5001' and remove the command 'backend-server port 5001'.

Finally, replace the 'keepalive port 5001' by 'keepalive port 80' under the services.

Regards,

Gilles.

Hi Gilles,

It is excellent. All is functional, but I have one last problem. I hope that it is the last problem :-) I have a script which generates a GET request every second. When the server is shut down, the services die and the script generates a GET request and waits for a reply from the server (CSS), but there is no response from the CSS (no RST). So this connection is frozen :-( When I make a new GET, all is OK. So I need to solve my problem with the GET request which is sent every second :-( I tried to configure flow-reset-reject and no persistence, but without success.

Do you have any idea? Thank you.

For L3/L4 rules, the CSS does not respond to a client SYN if the service is down.

With an L7 rule, the CSS will respond and then reset/close the connection.

For HTTP traffic, you simply enter the command 'url "/*"'.

For ssl, you can enter the following commands :

application ssl

advanced-balance ssl

This is the only way.

Gilles.

Hi Gilles,

I used the following configuration:

!*************************** GLOBAL ***************************
no restrict web-mgmt
persistence reset remap
ssl associate rsakey mykey w.key
ssl associate cert mycert w.crt
ip route 0.0.0.0 0.0.0.0 192.168.67.5 1

!************************* INTERFACE *************************
interface 1/1
  trunk
  vlan 65
  vlan 66
  vlan 67

!************************** CIRCUIT **************************
circuit VLAN66
  ip address 192.168.66.5 255.255.255.0

circuit VLAN67
  ip address 192.168.67.10 255.255.255.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list test
  backend-server 2
  backend-server 2 server-ip 192.168.66.34
  backend-server 2 ip address 192.168.66.34
  backend-server 1
  backend-server 1 ip address 192.168.66.33
  backend-server 1 server-ip 192.168.66.33
  backend-server 1 rsakey mykey
  backend-server 1 rsacert mycert
  backend-server 1 server-port 5001
  backend-server 2 server-port 5001
  backend-server 2 rsacert mycert
  backend-server 2 rsakey mykey
  active

!************************** SERVICE **************************
service W1
  ip address 192.168.66.33
  type ssl-accel-backend
  add ssl-proxy-list test
  keepalive type http encrypt
  keepalive method get
  keepalive uri "/sid/status"
  keepalive port 80
  active

service W2
  ip address 192.168.66.34
  type ssl-accel-backend
  add ssl-proxy-list test
  keepalive type http encrypt
  keepalive method get
  keepalive uri "/sid/status"
  keepalive port 80
  keepalive frequency 10
  active

service sslmodule
  type ssl-accel
  keepalive type none
  slot 2
  add ssl-proxy-list test
  active

!*************************** OWNER ***************************
owner MUZO
  content ssl
    vip address 192.168.66.35
    add service W1
    add service W2
    application ssl
    advanced-balance ssl
    protocol tcp
    port 5001
    balance leastconn
    flow-reset-reject
    active

So all is OK, but I have a problem with sending an RST when the server or the connectivity is down. I use a script which generates a GET request every second. When the connectivity is down, there is some time before the service goes down. So this script generates the next GET in this time, but there is no answer from the CSS (no RST). So it seems that the keepalive watches the state of SSL, but not the physical connectivity :-( When I change the response code for SSL to 500 on the server, the next GET request from the script gets an RST from the CSS as the answer. And all is OK. But when I unplug the server from the L2 switch, the GET request from the script gets no answer from the CSS :-((

It's horrible :-( Do you have any idea for solving this problem? Thank you.

Roman

Is your script opening a new connection for each GET request?

If it's reusing the same connection for all requests, then only the 'flow-reset-reject' command can force the CSS to send a RESET to the client.

However, this command only works when the CSS loses the server ARP entry.

That's why I'm surprised to hear that when the server returns a 500 response the RESET is sent, but not when the server is unplugged.

Could you verify whether the script opens a new session, and could you capture a sniffer trace and a "sho service" to confirm what you describe?

Gilles
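The client-side counterpart to what Roman is trying to do, added here as an example and not code from the thread, from Cisco or from the CSS (which, as Gilles says, has no such script): an external SSL GET probe in Python that presents a client certificate (the original requirement), opens a fresh TCP/TLS connection for every GET, and applies a hard timeout. That directly addresses Gilles's last question: a probe that reuses one connection gets no RST from the CSS when the service dies and freezes, while a fresh connection either gets a RST (L7 rule), an unanswered SYN (L3/L4 rule, reported here as "hung" after the timeout), or a response whose status code decides up/down the way the CSS http keepalive does. The VIP, port and URI are taken from the thread's config; the certificate file names, the CA file and the `server_hostname` value are assumptions.

```python
# Added example: external SSL GET probe with a client certificate.
# Not from the thread and not a CSS feature; the file names and the
# server name used for certificate verification are assumptions.
import socket
import ssl
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    state: str            # "up", "down" or "hung"
    detail: str
    status: Optional[int] = None


def parse_status_line(raw: bytes) -> Optional[int]:
    """Return the HTTP status code from a raw response, or None if it is not HTTP."""
    status_line = raw.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def classify_response(raw: bytes) -> ProbeResult:
    """Only an HTTP 200 counts as healthy, mirroring the CSS http keepalive."""
    code = parse_status_line(raw)
    if code is None:
        return ProbeResult("down", "empty or non-HTTP response")
    if code == 200:
        return ProbeResult("up", "HTTP 200", code)
    return ProbeResult("down", f"HTTP {code}", code)


def classify_error(exc: BaseException) -> ProbeResult:
    """Map socket/TLS failures to a state.

    The timeout is the case the thread is about: with an L3/L4 rule the CSS
    leaves a client SYN unanswered when the service is down, and a reused
    flow gets no RST, so without a timeout the probe would block forever.
    """
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return ProbeResult("hung", "no reply within timeout (SYN or flow black-holed)")
    if isinstance(exc, (ConnectionResetError, ConnectionRefusedError, BrokenPipeError)):
        return ProbeResult("down", f"connection rejected: {type(exc).__name__}")
    if isinstance(exc, ssl.SSLError):
        return ProbeResult("down", f"TLS failure: {exc}")
    return ProbeResult("down", f"{type(exc).__name__}: {exc}")


def build_request(host: str, path: str) -> bytes:
    # "Connection: close" so the flow ends after one response; the next
    # probe always starts a brand-new TCP/TLS connection.
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def probe_once(host: str, port: int, path: str, certfile: str, keyfile: str,
               cafile: Optional[str] = None, timeout: float = 3.0) -> ProbeResult:
    """One SSL GET with a client certificate over a fresh connection."""
    ctx = ssl.create_default_context(cafile=cafile)      # verifies the server cert
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)  # presents our client cert
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname must match the name (or IP SAN) in the server's cert.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(build_request(host, path))
                chunks = []
                while True:
                    chunk = tls.recv(4096)   # recv inherits the same timeout
                    if not chunk:
                        break
                    chunks.append(chunk)
                return classify_response(b"".join(chunks))
    except OSError as exc:   # ssl.SSLError and socket.timeout are OSError subclasses
        return classify_error(exc)


if __name__ == "__main__":
    # VIP, port and URI from the thread's config; file names are assumed.
    host, port, path = "192.168.66.35", 5001, "/sid/status"
    while True:
        r = probe_once(host, port, path, "client.crt", "client.key", "ca.crt")
        print(time.strftime("%H:%M:%S"), r.state, r.detail)
        time.sleep(1)
```

Run it against the VIP while pulling the server's cable: with the L7 `application ssl` / `advanced-balance ssl` rule from the thread you should see "down" (RST) once the service is marked down, and "hung" in the window between the cable pull and the keepalive declaring the service down, which is exactly the window Roman describes. Pair it with the sniffer trace and "sho service" Gilles asked for to see which of the two the CSS is doing.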
