05-07-2007 03:24 AM
I have my services configured and the initial connection to the page works fine on port 80.
There is a link on the page that connects the users to a secure login page on 443 which is on the same server (vip 2.1.1.70):
https://server/cgi-bin/start.cgi?start
When the users attempt to go to the secure page, the browser just hangs at the main page trying to connect.
Someone suggested a content rule and service pointing to the 443. Do I need this in addition to the existing configuration?
!************************** CIRCUIT **************************
circuit VLAN1
  ip address 2.1.1.75 255.255.255.0
!************************** SERVICE **************************
service MCI3
  type redirect
  port 80
  keepalive type none
  ip address 2.1.1.73
  active
service MCI2
  ip address 2.1.1.77
  protocol tcp
  port 80
  keepalive type http
  active
service MCI1
  ip address 2.1.1.76
  protocol tcp
  port 80
  keepalive type http
  active
!*************************** OWNER ***************************
owner MCI
  content MCI-rule
    add service MCI1
    primarySorryServer MCI2
    balance aca
    secondarySorryServer MCI3
    vip address 2.1.1.70
    protocol tcp
    port 80
    url "/*"
!*************************** GROUP ***************************
group MCI-group
  add destination service MCI1
  add destination service MCI2
  vip address 2.1.1.70
  active
05-07-2007 11:58 AM
Hi,
The answer is yes, you need a content rule and service listening on port 443, something like this:
content MCI-rule_443
  add service MCI1_443
  balance aca
  vip address 2.1.1.70
  protocol tcp
  port 443
  application ssl
  active
service MCI1_443
  ip address 2.1.1.76
  protocol tcp
  port 443
  keepalive type tcp
  keepalive port 443
  active
Also include the new service on the group.
05-07-2007 05:27 PM
I have the following config and still can get no http connection.
A packet capture on the outside interface shows no attempt to connect on port 443.
I can connect on 80 and 443 directly to the NAT address on the firewall, but the CSS makes the HTTP connection, then (on the same server) does not connect to the https port.
Got any ideas?
!************************** CIRCUIT **************************
circuit VLAN1
  ip address 2.1.1.75 255.255.255.0
!************************** SERVICE **************************
service MCI-backupredirect
  type redirect
  port 80
  keepalive type none
  ip address 2.1.1.73
  active
service MCI-dr
  ip address 2.1.1.77
  protocol tcp
  keepalive type http
  port 80
  active
service MCI-dr-443
  ip address 2.1.1.77
  protocol tcp
  port 443
  active
service MCI-hq
  ip address 2.1.1.76
  protocol tcp
  keepalive type http
  port 80
  active
service MCI-hq-443
  ip address 2.1.1.76
  protocol tcp
  port 443
  active
!*************************** OWNER ***************************
owner MCI
  content MCI-http-rule
    add service MCI-hq
    primarySorryServer MCI-dr
    balance aca
    secondarySorryServer MCI-backupredirect
    vip address 2.1.1.70
    protocol tcp
    port 80
    url "/*"
    active
owner MCI-443
  content MCI-https-rule
    add service MCI-hq-443
    primarySorryServer MCI-dr-443
    secondarySorryServer MCI-backupredirect
    vip address 2.1.1.70
    protocol tcp
    port 443
    url "/*"
    active
!*************************** GROUP ***************************
group MCI-MCW-http-group
  add destination service MCI-hq
  add destination service MCI-dr
  vip address 2.1.1.70
  add destination service MCI-hq-443
  add destination service MCI-dr-443
  active
05-07-2007 09:58 PM
Wilson,
Please remove the url line from the 443 content rule. You are doing HTTPS so the CSS is not able to read the layer 5 header as it is encrypted.
Also, have you checked if the services in port 443 are alive? To check that, use this command: sh service summary. Make sure all the configured services are alive, otherwise, you need to find out why the keepalives are failing. Thanks!
Regards,
Jose.
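The check described in the reply above, as an added example that is not part of the original thread: a Python script that parses a CSS-style configuration and reports content rules that match on a url while listening on port 443, where the layer 5 header is encrypted. The sample configuration is constructed from the rule names posted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample, reduced from the configuration posted in this thread.
SAMPLE_CONFIG = """\
owner MCI
  content MCI-http-rule
    add service MCI-hq
    vip address 2.1.1.70
    protocol tcp
    port 80
    url "/*"
    active
owner MCI-443
  content MCI-https-rule
    add service MCI-hq-443
    vip address 2.1.1.70
    protocol tcp
    port 443
    url "/*"
    active
"""

def parse_content_rules(config_text):
    """Return {rule_name: {"port": int|None, "url": str|None}} per content rule."""
    rules, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()  # keyword-based, so flattened configs parse too
        if not line or line.startswith("!"):
            continue
        m = re.match(r"content\s+(\S+)$", line)
        if m:
            current = rules.setdefault(m.group(1), {"port": None, "url": None})
            continue
        if re.match(r"(owner|service|group|circuit)\s", line):
            current = None  # a new top-level block ends the content rule
            continue
        if current is None:
            continue  # port/url lines outside a content rule are ignored
        if (m := re.match(r"port\s+(\d+)$", line)):
            current["port"] = int(m.group(1))
        elif (m := re.match(r"url\s+(.+)$", line)):
            current["url"] = m.group(1).strip('"')
    return rules

def find_l5_rules_on_https(config_text, tls_ports=(443,)):
    """Names of content rules that match on a URL while on an encrypted port."""
    return sorted(name for name, r in parse_content_rules(config_text).items()
                  if r["port"] in tls_ports and r["url"] is not None)
```

Calling `find_l5_rules_on_https(SAMPLE_CONFIG)` returns the 443 rule that still carries a url line; the port 80 rule is left alone because its url match operates on clear-text HTTP.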
05-08-2007 03:07 AM
Thank you Jose,
I will remove the url line, and the services are alive.
I will give it a try.
05-08-2007 02:28 PM
Jose,
I appreciate your expertise in helping me to resolve my problem.
Your suggestion worked!