CSS11506 Client to server connection


Hey guys, I currently have 1 CSS11506 terminating 2 SSL connections to 2 backend web servers. However, when I sniff the traffic on the web servers I notice that the client is connected directly to them. Once the ARP for the CSS VIP has been completed, the client directly connects via HTTP to the backend server. I need the CSS to handle all backend traffic to the servers and have the client only talk to the CSS.


Any thoughts?


Cheers


Dave

Syed Iftekhar Ahmed Fri, 05/11/2007 - 10:15

What is the default gateway defined on the servers?


Golden rule to remember: the return traffic should not bypass the load balancer.


If this rule is violated, then backend servers can ask clients to use real addresses (not VIP addresses) for requests and hence cause issues.


Syed


Here is my config, if you could have a look that would be appreciated.


ip route 0.0.0.0 0.0.0.0 204.101.28.161 1

!************************** CIRCUIT **************************
circuit VLAN1

  ip address 204.101.28.163 255.255.255.224

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssllist2
  ssl-server 95
  ssl-server 95 vip address 204.101.28.166
  ssl-server 95 cipher rsa-with-des-cbc-sha 204.101.28.164 80
  ssl-server 95 cipher rsa-with-3des-ede-cbc-sha 204.101.28.164 80
  ssl-server 95 cipher rsa-with-rc4-128-sha 204.101.28.164 80
  ssl-server 95 cipher rsa-with-rc4-128-md5 204.101.28.164 80
  ssl-server 95 rsacert myrsacert1
  ssl-server 95 rsakey myrsakey1
  ssl-server 95 urlrewrite 22 www.test.com
  ssl-server 96
  ssl-server 96 vip address 204.101.28.167
  ssl-server 96 cipher rsa-with-des-cbc-sha 204.101.28.165 80
  ssl-server 96 cipher rsa-with-3des-ede-cbc-sha 204.101.28.165 80
  ssl-server 96 cipher rsa-with-rc4-128-sha 204.101.28.165 80
  ssl-server 96 cipher rsa-with-rc4-128-md5 204.101.28.165 80
  ssl-server 96 rsacert myrsacert2
  ssl-server 96 rsakey myrsakey2
  ssl-server 96 urlrewrite 23 www.test1.com
  active

!************************** SERVICE **************************
service SSLNEW
  type ssl-accel
  slot 6
  keepalive type none
  add ssl-proxy-list ssllist2
  active

!*************************** OWNER ***************************
owner CMPA

  content SSLNEW1
    vip address 204.101.28.166
    application ssl
    add service SSLNEW
    protocol tcp
    port 443
    active

  content SSLNEW2
    protocol tcp
    vip address 204.101.28.167
    application ssl
    add service SSLNEW
    port 443
    active
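
The return-path rule raised earlier in the thread can be checked against a configuration like the one posted. This is an added example, not part of any poster's message and not Cisco tooling; the function names and the trimmed config excerpt are assumptions made for illustration, and the servers' own default gateway is not visible in the thread, so the check only reports where a bypass is possible.

```python
import ipaddress
import re

# Excerpt of the configuration posted above (only the lines this check reads).
CONFIG = """\
ip route 0.0.0.0 0.0.0.0 204.101.28.161 1
circuit VLAN1
  ip address 204.101.28.163 255.255.255.224
ssl-proxy-list ssllist2
  ssl-server 95 vip address 204.101.28.166
  ssl-server 95 cipher rsa-with-rc4-128-sha 204.101.28.164 80
  ssl-server 96 vip address 204.101.28.167
  ssl-server 96 cipher rsa-with-rc4-128-sha 204.101.28.165 80
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"


def parse(config):
    """Extract the circuit interface, default gateway, VIPs and backend servers."""
    circuit = re.search(rf"^\s*ip address {IP} {IP}\s*$", config, re.M)
    route = re.search(rf"^\s*ip route 0\.0\.0\.0 0\.0\.0\.0 {IP}", config, re.M)
    addrs = lambda pattern: sorted(
        {ipaddress.ip_address(a) for a in re.findall(pattern, config)})
    return {
        "circuit": ipaddress.ip_interface(f"{circuit[1]}/{circuit[2]}"),
        "gateway": ipaddress.ip_address(route[1]),
        "vips": addrs(rf"vip address {IP}"),
        "backends": addrs(rf"cipher \S+ {IP} \d+"),
    }


def return_path_findings(config):
    """Report backends that share a subnet with the upstream gateway."""
    topo = parse(config)
    net = topo["circuit"].network
    findings = []
    for server in topo["backends"]:
        # Same L2 segment as the router: replies need not transit the CSS.
        if server in net and topo["gateway"] in net:
            findings.append(
                f"{server}: same subnet ({net}) as gateway {topo['gateway']}; "
                f"replies can bypass the CSS unless the server's default gateway "
                f"is {topo['circuit'].ip} or the load balancer source-NATs")
    return findings


if __name__ == "__main__":
    print("\n".join(return_path_findings(CONFIG)) or "no bypass path found")
```

With the addresses in the posted config, both backend servers are reported, because they sit in the same /27 as the CSS circuit address and the default route's next hop.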
