CSS11506 Client to server connection

Unanswered Question

Hey guys, I currently have 1 CSS11506 terminating 2 SSL connections to 2 backend web servers. However, when I sniff the traffic on the web servers, I notice that the client is connected directly to them. Once the ARP for the CSS VIP has been completed, the client directly connects via HTTP to the backend server. I need the CSS to handle all backend traffic to the servers and have the client only talk to the CSS.

Any thoughts?

Syed Iftekhar Ahmed Fri, 05/11/2007 - 10:15

What is the default gateway defined on the servers?

Golden rule to remember: The return traffic should not bypass the load balancer.

If this rule is violated, then backend servers can ask clients to use real addresses (not VIP addresses) for requests and hence cause issues.
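
The return-path rule above can be checked from a real server's routing table. The following is an added example, not part of the original thread: the function names are hypothetical and all addresses are constructed (the thread's own addresses are not shown). It classifies whether a server's reply to a given client goes back through the load balancer.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs; gateway None means on-link."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]

def return_path(routes, client_ip, lb_ip, source_nat=False):
    """Classify how a real server's reply to client_ip leaves the server."""
    if source_nat:
        # The server sees the load balancer's address as the source,
        # so the reply is addressed to the load balancer itself.
        return "via-lb"
    hop = next_hop(routes, client_ip)
    if hop is None:
        # Client shares the server's subnet: the server ARPs for the client
        # and answers it directly from its real address.
        return "bypass-on-link"
    if ipaddress.ip_address(hop) == ipaddress.ip_address(lb_ip):
        return "via-lb"
    # Reply leaves through a router that is not the load balancer.
    return "bypass-gateway"

# Constructed sample data: load balancer circuit address and two server route tables.
LB_IP = "10.1.1.1"
ROUTES_VIA_ROUTER = [("10.1.1.0/24", None), ("0.0.0.0/0", "10.1.1.254")]
ROUTES_VIA_LB = [("10.1.1.0/24", None), ("0.0.0.0/0", "10.1.1.1")]

if __name__ == "__main__":
    for name, routes in (("router as gateway", ROUTES_VIA_ROUTER),
                         ("load balancer as gateway", ROUTES_VIA_LB)):
        for client in ("192.0.2.10", "10.1.1.50"):
            print(f"{name:26} {client:12} {return_path(routes, client, LB_IP)}")
```

A client on the servers' own subnet is answered directly even when the default gateway is the load balancer, unless the load balancer source-NATs the connection.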


Here is my config, if you could have a look that would be appreciated.

ip route 1

!************************** CIRCUIT **************************
circuit VLAN1
  ip address

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssllist2
  ssl-server 95
  ssl-server 95 vip address
  ssl-server 95 cipher rsa-with-des-cbc-sha 80
  ssl-server 95 cipher rsa-with-3des-ede-cbc-sha 80
  ssl-server 95 cipher rsa-with-rc4-128-sha 80
  ssl-server 95 cipher rsa-with-rc4-128-md5 80
  ssl-server 95 rsacert myrsacert1
  ssl-server 95 rsakey myrsakey1
  ssl-server 95 urlrewrite 22 www.test.com
  ssl-server 96
  ssl-server 96 vip address
  ssl-server 96 cipher rsa-with-des-cbc-sha 80
  ssl-server 96 cipher rsa-with-3des-ede-cbc-sha 80
  ssl-server 96 cipher rsa-with-rc4-128-sha 80
  ssl-server 96 cipher rsa-with-rc4-128-md5 80
  ssl-server 96 rsacert myrsacert2
  ssl-server 96 rsakey myrsakey2
  ssl-server 96 urlrewrite 23 www.test1.com

!************************** SERVICE **************************
service SSLNEW
  type ssl-accel
  slot 6
  keepalive type none
  add ssl-proxy-list ssllist2

!*************************** OWNER ***************************
owner CMPA
  content SSLNEW1
    vip address
    application ssl
    add service SSLNEW
    protocol tcp
    port 443

  content SSLNEW2
    protocol tcp
    vip address
    application ssl
    add service SSLNEW
    port 443


