Initial connection on port 80, link to 443

Answered Question
May 7th, 2007

I have my services configured and the initial connection to the page works fine on port 80.

There is a link on the page that connects the users to a secure login page on 443 which is on the same server (vip 2.1.1.70):

https://server/cgi-bin/start.cgi?start

When the users attempt to go to the secure page, the browser just hangs at the main page trying to connect.

Someone suggested a content rule and service pointing to the 443, do I need this in addition to the existing configuration?

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 2.1.1.75 255.255.255.0

!************************** SERVICE **************************
service MCI3
  type redirect
  port 80
  keepalive type none
  ip address 2.1.1.73
  active

service MCI2
  ip address 2.1.1.77
  protocol tcp
  port 80
  keepalive type http
  active

service MCI1
  ip address 2.1.1.76
  protocol tcp
  port 80
  keepalive type http
  active

!*************************** OWNER ***************************
owner MCI

content MCI-rule
  add service MCI1
  primarySorryServer MCI2
  balance aca
  secondarySorryServer MCI3
  vip address 2.1.1.70
  protocol tcp
  port 80
  url "/*"

!*************************** GROUP ***************************
group MCI-group
  add destination service MCI1
  add destination service MCI2
  vip address 2.1.1.70
  active

Diego Vargas Mon, 05/07/2007 - 11:58

Hi,

The answer is yes, you need a content rule and service listening on port 443, something like this:

content MCI-rule_443
  add service MCI1_443
  balance aca
  vip address 2.1.1.70
  protocol tcp
  port 443
  application ssl
  active

service MCI1_443
  ip address 2.1.1.76
  protocol tcp
  port 443
  keepalive type tcp
  keepalive port 443
  active

Also include the new service on the group.

wilson_1234_2 Mon, 05/07/2007 - 17:27

I have the following config and still can get no http connection.

A packet capture on the outside interface shows no attempt to connect on port 443.

I can connect on 80 and 443 directly to the NAT address on the firewall, but the CSS makes the HTTP connection, then (on the same server) does not connect to the https port.

Got any ideas?

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 2.1.1.75 255.255.255.0

!************************** SERVICE **************************
service MCI-backupredirect
  type redirect
  port 80
  keepalive type none
  ip address 2.1.1.73
  active

service MCI-dr
  ip address 2.1.1.77
  protocol tcp
  keepalive type http
  port 80
  active

service MCI-dr-443
  ip address 2.1.1.77
  protocol tcp
  port 443
  active

service MCI-hq
  ip address 2.1.1.76
  protocol tcp
  keepalive type http
  port 80
  active

service MCI-hq-443
  ip address 2.1.1.76
  protocol tcp
  port 443
  active

!*************************** OWNER ***************************
owner MCI

content MCI-http-rule
  add service MCI-hq
  primarySorryServer MCI-dr
  balance aca
  secondarySorryServer MCI-backupredirect
  vip address 2.1.1.70
  protocol tcp
  port 80
  url "/*"
  active

owner MCI-443

content MCI-https-rule
  add service MCI-hq-443
  primarySorryServer MCI-dr-443
  secondarySorryServer MCI-backupredirect
  vip address 2.1.1.70
  protocol tcp
  port 443
  url "/*"
  active

!*************************** GROUP ***************************
group MCI-MCW-http-group
  add destination service MCI-hq
  add destination service MCI-dr
  vip address 2.1.1.70
  add destination service MCI-hq-443
  add destination service MCI-dr-443
  active

Correct Answer
joquesada Mon, 05/07/2007 - 21:58

Wilson,

Please remove the url line from the 443 content rule. You are doing HTTPS so the CSS is not able to read the layer 5 header as it is encrypted.

Also, have you checked if the services in port 443 are alive? To check that, use this command: sh service summary. Make sure all the configured services are alive, otherwise, you need to find out why the keepalives are failing. Thanks!

Regards,

Jose.
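An added example that is not part of the thread or of any Cisco code, illustrating Jose's point above (a url line cannot match on the 443 rule because the request line is inside the encrypted stream) and, by the same reasoning, why Diego's 443 service uses a TCP keepalive rather than an HTTP one. It inspects the first bytes a load balancer sees on a new connection: on port 80 that is the plaintext HTTP request line, on port 443 it is a TLS ClientHello record whose only plaintext identifier is the SNI host name. The HTTP request, the host name "server" (taken from the link in the question) and the minimal ClientHello are constructed samples, and the parser handles truncated or non-TLS input by reporting no match.

```python
"""
Added example (not code from the thread or from Cisco): a first-bytes
inspector showing why a url "/*" content rule matches on port 80 but not on
port 443. On 80 the balancer sees the plaintext HTTP request line; on 443 it
sees a TLS record (the ClientHello) and the request line is encrypted. The
only plaintext identifier available before TLS termination is the SNI host
name. All payloads here are constructed samples.
"""
import struct

# Constructed: the request the page's link would produce on port 80.
HTTP_REQUEST = (
    b"GET /cgi-bin/start.cgi?start HTTP/1.1\r\n"
    b"Host: server\r\n"
    b"\r\n"
)


def build_client_hello(server_name: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with one SNI extension.
    Only the fields the parser needs are populated (constructed sample)."""
    sni_entry = struct.pack("!BH", 0, len(server_name)) + server_name  # name type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list              # extension type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + b"\x00" * 32          # random (zeros; sample only)
        + b"\x00"               # session_id length 0
        + b"\x00\x02\xc0\x2f"   # one cipher suite
        + b"\x01\x00"           # one compression method: null
        + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def http_request_path(payload: bytes):
    """Return the request-URI if the payload starts with an HTTP request line, else None."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) == 3 and parts[1].startswith(b"/") and parts[2].startswith(b"HTTP/"):
        return parts[1].decode("ascii", "replace")
    return None


def tls_sni(payload: bytes):
    """Return the SNI host name from a TLS ClientHello record, else None."""
    try:
        if payload[0] != 0x16:                      # not a handshake record
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        hs = payload[5:5 + rec_len]
        if hs[0] != 0x01:                           # not a ClientHello
            return None
        pos = 4 + 2 + 32                            # handshake header, version, random
        pos += 1 + hs[pos]                          # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                          # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                          # server_name extension
                p = pos + 2                         # skip server_name_list length
                while p + 3 <= pos + elen:
                    ntype = hs[p]
                    nlen = struct.unpack("!H", hs[p + 1:p + 3])[0]
                    if ntype == 0:
                        return hs[p + 3:p + 3 + nlen].decode("ascii", "replace")
                    p += 3 + nlen
            pos += elen
    except (IndexError, struct.error):
        pass                                        # truncated or malformed input
    return None


def classify(payload: bytes) -> dict:
    """What a layer-5 content rule could match on the first bytes of a connection."""
    path = http_request_path(payload)
    if path is not None:
        return {"protocol": "http", "url": path, "url_matchable": True}
    sni = tls_sni(payload)
    if sni is not None:
        return {"protocol": "tls", "sni": sni, "url_matchable": False}
    return {"protocol": "unknown", "url_matchable": False}


if __name__ == "__main__":
    print(classify(HTTP_REQUEST))
    print(classify(build_client_hello(b"server")))
```

The same asymmetry explains the keepalive choice: an HTTP keepalive sends a plaintext request like HTTP_REQUEST, which a TLS listener on 443 cannot answer with an HTTP status, so a TCP (or SSL-aware) keepalive is the one that reflects the real health of the 443 service.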

wilson_1234_2 Tue, 05/08/2007 - 03:07

Thank you Jose,

I will remove the url line, and the services are alive.

I will give it a try.

wilson_1234_2 Tue, 05/08/2007 - 14:28

Jose,

I appreciate your expertise in helping me to resolve my problem.

Your suggestion worked!
