07-29-2005 04:27 AM
Hello,
I think I am in the twilight zone right now, so if somebody can put me out of my misery, please do :-)
Here is the situation: I have a pretty straightforward configuration where I load-balance SSL in a very simple way. Here is my config:
service ssl-1
  redundant-index 6
  ip address 1.1.1.1
  port 443
  protocol tcp
  keepalive type ssl
  active

service ssl-2
  redundant-index 7
  keepalive type ssl
  ip address 1.1.1.2
  port 443
  protocol tcp
  active

content sec.site
  advanced-balance ssl
  add service ssl-1
  add service ssl-2
  redundant-index 49
  vip address 2.2.2.8
  port 443
  protocol tcp
  active
Yet when I access the site with https://myurl.com, I get the following flows:
--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
3.3.3.3         2331  2.2.2.8         443   0.0.0.0         TCP 1/1     -
2.2.2.8         443   3.3.3.3         2331  0.0.0.0         TCP -       1/1
When I access the site with http://myurl.com:443 I get the following:
--------------- ----- --------------- ----- --------------- --- ------- ------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- ------
3.3.3.3         2327  2.2.2.8         443   1.1.1.1         TCP 1/1     1/2-80
1.1.1.1         443   3.3.3.3         2327  3.3.3.3         TCP 1/2-80  1/1
But in both cases I never get a complete response from the servers. The site works well locally and from other machines in the same subnet.
I don't see any NAT issues, as everything is pretty straightforward: VIPs on one interface and servers on a trunk on the other.
This is an 11503 with 7.40.1.03 software.
Any idea?
07-29-2005 06:26 AM
You forgot the command 'application ssl' under the content rule.
When doing advanced-balance ssl, you're telling the CSS to look for the SSL ID in the traffic.
But by default the application is HTTP, so the CSS will not understand SSL traffic.
Every time you use advanced-balance ssl, you need the command application ssl.
Let me know if it works by rating this answer.
Thanks,
Gilles.
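The field the CSS is hunting for under advanced-balance ssl is the session ID carried in the client's hello, which it can only find if it parses the connection as SSL rather than HTTP. The following is an added example, not code from this thread or from Cisco: a small Python parser that pulls that field out of the first client-to-server bytes of a flow. It accepts both the SSLv3/TLS ClientHello record and the older SSLv2 CLIENT-HELLO, and refuses anything else, such as the plain HTTP request the http://myurl.com:443 test sends. The hello messages it works on are constructed inline for the demonstration; myurl.com is the hostname from the original post.

```python
"""
Pull the SSL/TLS session ID out of the first client-to-server bytes of a flow.
That field is what a load balancer's SSL session-ID stickiness (the CSS
'advanced-balance ssl' setting discussed in the thread) keys on.

Added example, not code from the thread or from Cisco.  Layouts follow the
SSLv3/TLS ClientHello (RFC 2246, 7.4.1.2) and the SSLv2 CLIENT-HELLO; all
sample messages are constructed inline for the demonstration.
"""
import struct

HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01   # handshake message type (same value in SSLv2)


class NotAClientHello(ValueError):
    """The bytes are not a client hello, e.g. a plain HTTP request sent to port 443."""


def tls_session_id(data: bytes) -> bytes:
    """Return the session_id (possibly empty) from an SSLv3/TLS ClientHello record."""
    if len(data) < 5 or data[0] != HANDSHAKE or data[1] != 3:
        raise NotAClientHello("not an SSLv3/TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        raise NotAClientHello("record does not carry a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # client_version (2 bytes) and random (32 bytes) precede the session_id
    pos = 2 + 32
    if len(hello) < hs_len or len(hello) <= pos:
        raise NotAClientHello("truncated ClientHello")
    sid_len = hello[pos]
    if sid_len > 32 or len(hello) < pos + 1 + sid_len:
        raise NotAClientHello("bad session_id length")
    return hello[pos + 1:pos + 1 + sid_len]


def sslv2_session_id(data: bytes) -> bytes:
    """Return the session_id from an SSLv2 CLIENT-HELLO (2-byte header form)."""
    if len(data) < 11 or not data[0] & 0x80 or data[2] != CLIENT_HELLO:
        raise NotAClientHello("not an SSLv2 CLIENT-HELLO")
    msg_len = ((data[0] & 0x7F) << 8) | data[1]
    msg = data[2:2 + msg_len]
    if len(msg) < msg_len:
        raise NotAClientHello("truncated SSLv2 CLIENT-HELLO")
    # msg_type(1) version(2) cipher_spec_len(2) session_id_len(2) challenge_len(2)
    cs_len, sid_len, ch_len = struct.unpack("!HHH", msg[3:9])
    if len(msg) < 9 + cs_len + sid_len + ch_len:
        raise NotAClientHello("truncated SSLv2 CLIENT-HELLO")
    start = 9 + cs_len
    return msg[start:start + sid_len]


def session_id(data: bytes) -> bytes:
    """Dispatch on the first byte: 0x16 is an SSLv3/TLS record, high bit set is SSLv2."""
    if data and data[0] == HANDSHAKE:
        return tls_session_id(data)
    if data and data[0] & 0x80:
        return sslv2_session_id(data)
    raise NotAClientHello("first bytes are not an SSL/TLS hello")


def is_client_hello(data: bytes) -> bool:
    """True if a session ID field can be extracted from these bytes at all."""
    try:
        session_id(data)
        return True
    except NotAClientHello:
        return False


def build_tls_client_hello(sid: bytes, rand: bytes = b"\x11" * 32) -> bytes:
    """Constructed sample: a minimal TLS 1.0 ClientHello with the given session_id."""
    suites = b"\x00\x2f\x00\x0a"   # TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA
    hello = (b"\x03\x01" + rand + bytes([len(sid)]) + sid
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00")         # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


def build_sslv2_client_hello(sid: bytes, challenge: bytes = b"\x22" * 16) -> bytes:
    """Constructed sample: an SSLv2 CLIENT-HELLO with the given session_id."""
    specs = b"\x01\x00\x80"         # SSL_CK_RC4_128_WITH_MD5
    body = (bytes([CLIENT_HELLO]) + b"\x00\x02"
            + struct.pack("!HHH", len(specs), len(sid), len(challenge))
            + specs + sid + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    resumed = build_tls_client_hello(bytes(range(32)))
    print("resumed TLS session id:", session_id(resumed).hex())
    print("fresh TLS session id:  ", session_id(build_tls_client_hello(b"")))
    print("SSLv2 session id:      ", session_id(build_sslv2_client_hello(b"\xab" * 16)).hex())
    # The http://myurl.com:443 test from the thread: an HTTP request, not a hello.
    print("HTTP on 443 parsed as hello?", is_client_hello(b"GET / HTTP/1.0\r\nHost: myurl.com\r\n\r\n"))
```

Two things the parser makes visible that matter when you turn on this kind of stickiness: a client opening a brand-new session sends an empty session ID, so there is nothing to stick on until the server has handed one out and the client reuses it; and the balancer has to complete the TCP handshake with the client and buffer until the hello arrives before it can pick a server, so a flow that never gets a forwardable hello simply sits there, which is the kind of half-open behaviour the flow table in the first post shows.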
07-29-2005 06:45 AM
I added the application ssl command to the content rule and I have the exact same behavior.
07-29-2005 10:47 AM
Hmmm... could you capture a sniffer trace on your client when doing both tests, https and http:443?
Then attach it to the forum or send it to gd@cisco.com [me].
Also capture a 'sho rule
Thanks,
Gilles.