05-06-2007 03:32 PM
I have a CSS set up in a failover situation.
I have my VIP address and services configured. My question is: if the initial page is on port 80 and I have a link on the page that is on port 443, will the CSS make the client connection to the server on 443?
How does that work?
service MCI
ip address 2.x.x.76
protocol tcp
keepalive type http
port 80
active
owner MCI
content MCI-http-rule
add service MCI
primarySorryServer MCI1
balance aca
protocol tcp
port 80
url "/*"
secondarySorryServer MCI2
vip address 2.1.1.70
active
group MCI
add destination service MCI
add destination service MCI1
vip address 2.1.1.70
active
05-06-2007 03:44 PM
Hi,
You need to create a content rule and a service on port 443 in order for the CSS to process that request; or you can configure the current content rule and services without a TCP port (layer 3 only) so the CSS uses them for load balancing port 80 and port 443 at the same time.
If you want to use the first option, the new content and services should look like this:
service MCI-443
ip address 2.1.1.76
protocol tcp
port 443
active
owner MCI-443
content MCI-http-rule
add service MCI
primarySorryServer MCI1
protocol tcp
port 443
vip address 2.1.1.70
active
If you want to use option 2, the config should look like this:
service MCI
ip address 2.1.1.76
protocol tcp
active
owner MCI
content MCI-http-rule
add service MCI
primarySorryServer MCI1
protocol tcp
vip address 2.1.1.70
active
I hope this helps. Thanks!
Regards,
Jose Quesada.
05-06-2007 03:46 PM
Hi,
I'm sorry, the content rule for option 1 should look like this:
owner MCI
content MCI-443
add service MCI-443
protocol tcp
port 443
vip address 2.1.1.70
active
Thanks!
Jose.
05-06-2007 04:38 PM
Thanks for the reply,
A couple of questions:
In option one, with the content rule pointing to port 443, will it still allow the initial request on port 80 (they are both allowed thru the firewall)?
In option 2, what is the difference in not putting the ports in the content rule?
Does it really matter all that much as far as the design goes? What is gained by adding the port numbers as opposed to not?
05-07-2007 02:48 PM
In option one you will have two content rules, one for port 80 traffic and one for port 443 traffic. If port 443 is configured under a rule then only the traffic destined for port 443 will hit the rule.
In option 2
Specifying a port enables the CSS to associate a content rule with a specific TCP/UDP port number. If you don't define a port, then the default "port 0" is configured for the rule, which indicates any port. Since the rule in option 2 is ready to accept traffic for any port, the CSS will load-balance both port 80 and 443 traffic.
Syed
05-07-2007 05:25 PM
I have the following config and still can get no http connection.
A packet capture on the outside interface shows no attempt to connect on port 443.
I can connect on 80 and 443 directly to the NAT address on the firewall, but the CSS makes the HTTP connection, then (on the same server) does not connect to the https port.
Got any ideas?
!************************** CIRCUIT **************************
circuit VLAN1
ip address 2.1.1.75 255.255.255.0
!************************** SERVICE **************************
service MCI-backupredirect
type redirect
port 80
keepalive type none
ip address 2.1.1.73
active
service MCI-dr
ip address 2.1.1.77
protocol tcp
keepalive type http
port 80
active
service MCI-dr-443
ip address 2.1.1.77
protocol tcp
port 443
active
service MCI-hq
ip address 2.1.1.76
protocol tcp
keepalive type http
port 80
active
service MCI-hq-443
ip address 2.1.1.76
protocol tcp
port 443
active
!*************************** OWNER ***************************
owner MCI
content MCI-http-rule
add service MCI-hq
primarySorryServer MCI-dr
balance aca
secondarySorryServer MCI-backupredirect
vip address 2.1.1.70
protocol tcp
port 80
url "/*"
active
owner MCI-443
content MCI-https-rule
add service MCI-hq-443
primarySorryServer MCI-dr-443
secondarySorryServer MCI-backupredirect
vip address 2.1.1.70
protocol tcp
port 443
url "/*"
active
!*************************** GROUP ***************************
group MCI-MCW-http-group
add destination service MCI-hq
add destination service MCI-dr
vip address 2.1.1.70
add destination service MCI-hq-443
add destination service MCI-dr-443
active
05-07-2007 09:59 PM
Wilson,
Follow up this issue on the other conversation you've opened. Thanks!
Regards,
Jose.