Initial connection on port 80, link to 443

Answered Question
May 7th, 2007

I have my services configured and the initial connection to the page works fine on port 80.


There is a link on the page that connects the users to a secure login page on 443 which is on the same server (vip 2.1.1.70):

https://server/cgi-bin/start.cgi?start


When the users attempt to go to the secure page, the browser just hangs at the main page trying to connect.


Someone suggested a content rule and service pointing to the 443, do I need this in addition to the existing configuration?


!************************** CIRCUIT **************************
circuit VLAN1
  ip address 2.1.1.75 255.255.255.0

!************************** SERVICE **************************
service MCI3
  type redirect
  port 80
  keepalive type none
  ip address 2.1.1.73
  active

service MCI2
  ip address 2.1.1.77
  protocol tcp
  port 80
  keepalive type http
  active

service MCI1
  ip address 2.1.1.76
  protocol tcp
  port 80
  keepalive type http
  active

!*************************** OWNER ***************************
owner MCI

content MCI-rule
  add service MCI1
  primarySorryServer MCI2
  balance aca
  secondarySorryServer MCI3
  vip address 2.1.1.70
  protocol tcp
  port 80
  url "/*"

!*************************** GROUP ***************************
group MCI-group
  add destination service MCI1
  add destination service MCI2
  vip address 2.1.1.70
  active

Diego Vargas Mon, 05/07/2007 - 11:58
User Badges:
  • Cisco Employee

Hi,


The answer is yes, you need a content rule and service listening on port 443, something like this:


content MCI-rule_443
  add service MCI1_443
  balance aca
  vip address 2.1.1.70
  protocol tcp
  port 443
  application ssl
  active

service MCI1_443
  ip address 2.1.1.76
  protocol tcp
  port 443
  keepalive type tcp
  keepalive port 443
  active


Also include the new service on the group.

wilson_1234_2 Mon, 05/07/2007 - 17:27

I have the following config and still cannot get an http connection.


A packet capture on the outside interface shows no attempt to connect on port 443.


I can connect on 80 and 443 directly to the NAT address on the firewall, but the CSS makes the HTTP connection, then (on the same server) does not connect to the https port.


Got any ideas?


!************************** CIRCUIT **************************
circuit VLAN1
  ip address 2.1.1.75 255.255.255.0

!************************** SERVICE **************************
service MCI-backupredirect
  type redirect
  port 80
  keepalive type none
  ip address 2.1.1.73
  active

service MCI-dr
  ip address 2.1.1.77
  protocol tcp
  keepalive type http
  port 80
  active

service MCI-dr-443
  ip address 2.1.1.77
  protocol tcp
  port 443
  active

service MCI-hq
  ip address 2.1.1.76
  protocol tcp
  keepalive type http
  port 80
  active

service MCI-hq-443
  ip address 2.1.1.76
  protocol tcp
  port 443
  active

!*************************** OWNER ***************************
owner MCI

content MCI-http-rule
  add service MCI-hq
  primarySorryServer MCI-dr
  balance aca
  secondarySorryServer MCI-backupredirect
  vip address 2.1.1.70
  protocol tcp
  port 80
  url "/*"
  active

owner MCI-443

content MCI-https-rule
  add service MCI-hq-443
  primarySorryServer MCI-dr-443
  secondarySorryServer MCI-backupredirect
  vip address 2.1.1.70
  protocol tcp
  port 443
  url "/*"
  active

!*************************** GROUP ***************************
group MCI-MCW-http-group
  add destination service MCI-hq
  add destination service MCI-dr
  vip address 2.1.1.70
  add destination service MCI-hq-443
  add destination service MCI-dr-443
  active

Correct Answer
joquesada Mon, 05/07/2007 - 21:58
User Badges:
  • Bronze, 100 points or more


Wilson,


Please remove the url line from the 443 content rule. You are doing HTTPS so the CSS is not able to read the layer 5 header as it is encrypted.


Also, have you checked if the services in port 443 are alive? To check that, use this command: sh service summary. Make sure all the configured services are alive, otherwise, you need to find out why the keepalives are failing. Thanks!


Regards,


Jose.


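The two answers above point at the same class of mistake: a port-443 content rule that tries to match on the HTTP request line (the `url` command), which the CSS cannot see once the payload is encrypted, and 443 services that are not probed on the TLS port the way Diego's `keepalive type tcp` / `keepalive port 443` example does. The small linter below is an added example, not code from the thread or from Cisco; it assumes a config whose lines look like the ones Wilson posted (the `service NAME` / `content NAME` headers and their subcommands) and uses a constructed, trimmed copy of Wilson's second configuration as its sample input.

```python
"""Added example: a small linter for CSS-style load balancer configs.

It checks for the issues raised in this thread: a 'url' match on a
port-443 content rule (the CSS cannot read the HTTP request inside TLS),
port-443 services that carry no keepalive for the TLS listener, and
content rules that reference a service that was never defined.
Config syntax is assumed to match the lines posted in the thread.
"""
import re
from typing import Dict, List

# Constructed sample based on Wilson's second config, trimmed to what the checks need.
SAMPLE_CONFIG = """\
!************************** SERVICE **************************
service MCI-dr-443
  ip address 2.1.1.77
  protocol tcp
  port 443
  active

service MCI-hq-443
  ip address 2.1.1.76
  protocol tcp
  port 443
  active

service MCI-hq
  ip address 2.1.1.76
  protocol tcp
  keepalive type http
  port 80
  active

!*************************** OWNER ***************************
owner MCI-443
content MCI-https-rule
  add service MCI-hq-443
  primarySorryServer MCI-dr-443
  vip address 2.1.1.70
  protocol tcp
  port 443
  url "/*"
  active

owner MCI
content MCI-http-rule
  add service MCI-hq
  vip address 2.1.1.70
  protocol tcp
  port 80
  url "/*"
  active
"""


def parse_blocks(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Group subcommand lines under their 'service NAME' / 'content NAME' header.

    Returns {"service": {name: [lines]}, "content": {name: [lines]}}.
    Blank lines and '!' banners are skipped; an 'owner' line ends the current block.
    """
    blocks: Dict[str, Dict[str, List[str]]] = {"service": {}, "content": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("owner "):
            current = None
            continue
        m = re.match(r"^(service|content)\s+(\S+)$", line)
        if m:
            kind, name = m.groups()
            current = blocks[kind].setdefault(name, [])
            continue
        if current is not None:
            current.append(line)
    return blocks


def lint_css_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(text)
    findings: List[str] = []
    for name, lines in blocks["content"].items():
        port = next((l.split()[1] for l in lines if l.startswith("port ")), None)
        # A url match needs the HTTP request line, which sits inside the TLS
        # payload; on a 443 rule the switch cannot read it, so the rule never matches.
        if port == "443" and any(l.startswith("url ") for l in lines):
            findings.append(f"content {name}: 'url' match on a port-443 rule (Layer 5 is encrypted); remove it")
        # Every service the rule points at (balanced or sorry) must exist.
        for l in lines:
            parts = l.split()
            ref = None
            if parts[0] == "add" and parts[1] == "service":
                ref = parts[2]
            elif parts[0] in ("primarySorryServer", "secondarySorryServer"):
                ref = parts[1]
            if ref and ref not in blocks["service"]:
                findings.append(f"content {name}: references undefined service {ref}")
    for name, lines in blocks["service"].items():
        port = next((l.split()[1] for l in lines if l.startswith("port ")), None)
        has_keepalive = any(l.startswith("keepalive type") for l in lines)
        if port == "443" and not has_keepalive:
            findings.append(f"service {name}: port-443 service without an explicit keepalive; "
                            "add 'keepalive type tcp' and 'keepalive port 443'")
    return findings


if __name__ == "__main__":
    for finding in lint_css_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the `url` line on MCI-https-rule and the two 443 services with no keepalive, which is exactly the set of changes the thread converged on; once those lines are corrected the finding list is empty. The keepalive check is deliberately strict: the HTTP keepalive on the port-80 service says nothing about whether the TLS listener on the same host is up, which is why the "sh service summary" check Jose asks for only helps if the 443 services are actually probed on 443.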
wilson_1234_2 Tue, 05/08/2007 - 03:07

Thank you Jose,


I will remove the url line, and the services are alive.


I will give it a try.

wilson_1234_2 Tue, 05/08/2007 - 14:28

Jose,


I appreciate your expertise in helping me to resolve my problem.


Your suggestion worked!
