04-21-2005 09:00 AM
Hi,
I found the following question and answer on Packet Online:
Q: I will have a server farm with identical Web application servers and will be running SSL for data protection. Can the Cisco CSS 11501 without SSL termination load balance SSL Web application server traffic if the load balancing is not based on higher-layer application data? In such a situation, what are the choices for load balancing apart from simple round robin?
A: SSL is a TCP protocol, so you can do load balancing based on IP or TCP. I would recommend round robin or leastconn for the balancing method. You should also use the advanced-balance ssl command to enable stickiness based on SSL ID.
I have the CSS 11503 and I have a problem with advanced-balance ssl. I have the following configuration:
server s1
  ip addr 10.0.0.1
  keepalive type ssl
  keepalive port 5001
  active
server s2
  ip addr 10.0.0.2
  keepalive type ssl
  keepalive port 5001
  active
owner www.test.cz
  content ssl
    vip address 10.0.0.3
    protocol tcp
    port 5001
    application ssl
    advanced-balance ssl
    add service s1
    add service s2
    active
But the SSL sticky is not functional :-( I use WebNS 7.40. The sticky table is empty. The CSS uses round-robin load balancing instead of SSL ID sticky :-( Do you know where the problem can be?
Thank you
04-22-2005 05:29 AM
Hmmm... I understand your problem.
I would refer you to this url:
Also your content rule is only a L4 content rule you are missing the L5 rule:
url "/*"
This will enable the rule to use L5. A "sh rule ssl" will state the type of rule by using L3/L4 and the URL.
Make these changes and take a look at the URL and see if this helps you.
Drop me a line offline if you would like. Please put a subject on the post so the email does not get spam filtered.
04-22-2005 06:40 AM
Thank you for your advice. I will try it and I hope that it will resolve my problem :-)
04-24-2005 11:06 PM
Something to verify is that your server is returning a session id.
We have seen recently servers with session id reused disabled by default.
Gilles.
04-22-2005 10:55 PM
Sorry to say this, but this is the 2nd time I have read a BIG mistake from you.
Using the url command on SSL traffic is totally useless.
The traffic is encrypted and therefore the CSS can't see the URL.
I would recommend you to not respond to questions if you're not 100% sure of the answer.
Gilles.
04-23-2005 10:55 AM
GduFour:
I am sending an email to you offline. I would suggest that you read it.
==DMT>
04-22-2005 11:00 PM
The config looks good.
What version do you run?
What SSL version are you using on the client? [The CSS only supports SSLv3 and TLS 1.0]
Can you capture a sniffer trace and attach it to the discussion, or send it to me at gdufour@cisco.com?
Regards,
Gilles.
04-25-2005 06:14 AM
After reviewing the trace, it appears that the server is using a zero-length session id, which can't be used for stickiness.
Moreover, there is a CSS bug that will break the connection when receiving this type of server hello:
CSCef19704: The CSS is configured with "advanced-balance ssl". The CSS does not NAT the server hello when the session id is 0 (no session id is set).
As usual, a good sniffer trace is always helpful to understand a problem.
Gilles.
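As an added illustration of the diagnosis in this thread (this is example code, not part of the original discussion and not Cisco CSS code): the script below parses a TLS ServerHello record the way a sniffer trace would show it, reports the session id length, and then models what an SSL-ID sticky table can do with it. A ServerHello carrying a zero-length session id gives the load balancer nothing to key on, so such connections fall back to round robin and never populate the sticky table, which is exactly the "empty sticky table" symptom above. The record bytes are constructed inline for the demonstration; the function and class names (parse_server_hello, build_server_hello, SslStickyBalancer) are my own and are not CSS commands.

```python
import struct
from itertools import cycle

TLS_HANDSHAKE = 0x16   # TLS record content type for handshake messages
SERVER_HELLO = 0x02    # handshake message type for ServerHello


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello and return its fields.

    Layout (SSLv3 / TLS 1.0): record header [type, version, length],
    handshake header [type, 3-byte length], then version, 32-byte random,
    1-byte session_id length, session_id, cipher_suite, compression method.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HANDSHAKE:
        raise ValueError(f"not a handshake record (type {ctype:#x})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("record body truncated")
    if body[0] != SERVER_HELLO:
        raise ValueError(f"not a ServerHello (handshake type {body[0]:#x})")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_len < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[:2])[0]
    sid_len = hs[34]
    if sid_len > 32 or len(hs) < 35 + sid_len + 3:
        raise ValueError("bad session_id length")
    session_id = hs[35:35 + sid_len]
    off = 35 + sid_len
    cipher_suite = struct.unpack("!H", hs[off:off + 2])[0]
    return {
        "version": version,
        "random": hs[2:34],
        "session_id": session_id,
        "cipher_suite": cipher_suite,
        "compression": hs[off + 2],
    }


def build_server_hello(session_id: bytes, version: int = 0x0301,
                       cipher_suite: int = 0x002F) -> bytes:
    """Construct a minimal ServerHello record (sample data, not a capture)."""
    if len(session_id) > 32:
        raise ValueError("session_id may be at most 32 bytes")
    hs = (struct.pack("!H", version) + bytes(range(32))   # fixed 'random' for the demo
          + bytes([len(session_id)]) + session_id
          + struct.pack("!H", cipher_suite) + b"\x00")
    body = bytes([SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", TLS_HANDSHAKE, version, len(body)) + body


class SslStickyBalancer:
    """Model of SSL-ID stickiness with round-robin fallback.

    A non-empty session id is pinned to the server that first served it;
    an empty session id cannot be keyed, so the connection is simply
    round-robined and no sticky entry is created.
    """

    def __init__(self, servers):
        self._rr = cycle(servers)
        self.sticky = {}   # session id -> server name

    def choose(self, session_id: bytes):
        if not session_id:
            return next(self._rr), "round-robin"
        if session_id in self.sticky:
            return self.sticky[session_id], "sticky"
        server = next(self._rr)
        self.sticky[session_id] = server
        return server, "new"

    def choose_for_record(self, record: bytes):
        return self.choose(parse_server_hello(record)["session_id"])


if __name__ == "__main__":
    lb = SslStickyBalancer(["s1", "s2"])
    for sid in (b"\xaa" * 16, b"", b"\xaa" * 16):
        rec = build_server_hello(sid)
        fields = parse_server_hello(rec)
        print(f"session_id len={len(fields['session_id'])} ->",
              lb.choose_for_record(rec))
    print("sticky table entries:", len(lb.sticky))
```

Running it shows the two outcomes side by side: the connection whose ServerHello carries a 16-byte session id gets a table entry and returns to the same server, while the zero-length one is round-robined and leaves the table untouched. Pointing the parser at the ServerHello bytes from a real trace is a quick way to confirm whether the server is actually issuing a session id before suspecting the content rule.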