05-11-2007 09:48 AM
Hey guys, I currently have 1 CSS11506 terminating 2 SSL connections to 2 backend web servers. However, when I sniff the traffic on the web servers I notice that the client is connected directly to them. Once the ARP for the CSS VIP has been completed, the client directly connects via HTTP to the backend server. I need the CSS to handle all backend traffic to the servers and have the client only talk to the CSS.
Any thoughts?
Cheers
Dave
05-11-2007 10:15 AM
What is the default gateway defined on the servers?
Golden rule to remember: the return traffic should not bypass the load balancer.
If this rule is violated then backend servers can ask clients to use real addresses (not VIP addresses) for requests and hence cause issues.
Syed
05-11-2007 10:18 AM
Hmm, maybe my test setup is flawed here as I currently have the client, CSS and web servers all on the same segment. Figuring once I had that working I would expand the test setup.
More to follow.
Cheers
Dave
05-11-2007 10:34 AM
Here is my config, if you could have a look that would be appreciated.
ip route 0.0.0.0 0.0.0.0 204.101.28.161 1
!************************** CIRCUIT **************************
circuit VLAN1
ip address 204.101.28.163 255.255.255.224
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssllist2
ssl-server 95
ssl-server 95 vip address 204.101.28.166
ssl-server 95 cipher rsa-with-des-cbc-sha 204.101.28.164 80
ssl-server 95 cipher rsa-with-3des-ede-cbc-sha 204.101.28.164 80
ssl-server 95 cipher rsa-with-rc4-128-sha 204.101.28.164 80
ssl-server 95 cipher rsa-with-rc4-128-md5 204.101.28.164 80
ssl-server 95 rsacert myrsacert1
ssl-server 95 rsakey myrsakey1
ssl-server 95 urlrewrite 22 www.test.com
ssl-server 96
ssl-server 96 vip address 204.101.28.167
ssl-server 96 cipher rsa-with-des-cbc-sha 204.101.28.165 80
ssl-server 96 cipher rsa-with-3des-ede-cbc-sha 204.101.28.165 80
ssl-server 96 cipher rsa-with-rc4-128-sha 204.101.28.165 80
ssl-server 96 cipher rsa-with-rc4-128-md5 204.101.28.165 80
ssl-server 96 rsacert myrsacert2
ssl-server 96 rsakey myrsakey2
ssl-server 96 urlrewrite 23 www.test1.com
active
!************************** SERVICE **************************
service SSLNEW
type ssl-accel
slot 6
keepalive type none
add ssl-proxy-list ssllist2
active
!*************************** OWNER ***************************
owner CMPA
content SSLNEW1
vip address 204.101.28.166
application ssl
add service SSLNEW
protocol tcp
port 443
active
content SSLNEW2
protocol tcp
vip address 204.101.28.167
application ssl
add service SSLNEW
port 443
active
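Syed's return-traffic rule, checked against the addressing in the config posted above. This is an added example, not part of the thread and not Cisco tooling. It assumes the servers use the circuit's netmask and that the CSS forwards requests with the client's source address unchanged; the client addresses and server default gateways are constructed test values, since the thread does not give them.

```python
import ipaddress
import re

# Addressing lines copied from the posted config (other lines omitted).
CSS_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 204.101.28.161 1
circuit VLAN1
ip address 204.101.28.163 255.255.255.224
ssl-server 95 vip address 204.101.28.166
ssl-server 95 cipher rsa-with-rc4-128-sha 204.101.28.164 80
ssl-server 96 vip address 204.101.28.167
ssl-server 96 cipher rsa-with-rc4-128-sha 204.101.28.165 80
"""

def parse_css(config):
    """Return (circuit interface, set of backend server IPs) from CSS config text."""
    m = re.search(r"^\s*ip address (\S+) (\S+)", config, re.M)
    circuit = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    backends = {ipaddress.ip_address(ip) for ip in
                re.findall(r"ssl-server \d+ cipher \S+ (\S+) \d+", config)}
    return circuit, backends

def return_path(client, server, circuit, server_gateway):
    """Classify where the server's reply to `client` goes (assumptions in lead-in)."""
    # Assumption: the server is configured with the same netmask as the circuit.
    server_net = ipaddress.ip_network(f"{server}/{circuit.netmask}", strict=False)
    if ipaddress.ip_address(client) in server_net:
        return "bypass: client is on-link, server replies to it directly"
    if ipaddress.ip_address(server_gateway) != circuit.ip:
        return "bypass: reply leaves via a gateway that is not the CSS"
    return "ok: reply is routed back through the CSS"

def audit(config, client, server_gateway):
    """Map each backend server IP to its return-path verdict for one client."""
    circuit, backends = parse_css(config)
    return {str(s): return_path(client, s, circuit, server_gateway)
            for s in sorted(backends)}

if __name__ == "__main__":
    # Constructed cases: same-segment client, then an off-segment client
    # with the upstream router and with the CSS as the servers' gateway.
    for client, gw in [("204.101.28.170", "204.101.28.161"),
                       ("198.51.100.7", "204.101.28.161"),
                       ("198.51.100.7", "204.101.28.163")]:
        for server, verdict in audit(CSS_CONFIG, client, gw).items():
            print(f"client={client} gw={gw} server={server}: {verdict}")
```

Only the third case, an off-segment client with the CSS circuit address as the servers' default gateway, keeps the reply on the path through the CSS.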