05-14-2007 06:40 AM
I have several CSS infrastructures and recently received an ACE for testing. I am working through converting the configurations to the ACE and have some issues. The simplest explanation of what I am trying to do is this:
https://xxx.yyy.zzz/abc* -> realserver 10.10.10.10 port 81
https://xxx.yyy.zzz/def* -> realserver 10.10.10.10 port 82
https://xxx.yyy.zzz/ghi* -> realserver 10.10.10.10 port 83
https://xxx.yyy.zzz/jkl* -> realserver 10.10.10.20 port 81
https://xxx.yyy.zzz/mno* -> realserver 10.10.10.20 port 82
etc.
I am able to do it without SSL termination (using port xxx.yyy.zzz on port 80). I have also tried creating a separate realserver/serverfarm for SSL termination and sending to another IP on the ACE for the Layer 7 piece without success. Is there some technique or configuration options I am missing to get this working? Is if even possible within one context? Any advise would be greatly appreciated.
Thanks,
John Spannagel
Solved! Go to Solution.
05-15-2007 05:15 AM
before going for L7 with ssl, could you try to configure a simply SSL policy-map and see if that works.
Normally, if you have everything working for http, all you have to do is create a new class-map for the HTTPS traffic, then configure the same policy as for http and simply add the ssl proxy-server
ie:
policy-map multi-match SLB1
class VIP-122-80
loadbalance vip inservice
loadbalance policy SF_Linux1_80
loadbalance vip icmp-reply
class VIP-122-443
loadbalance vip inservice
loadbalance policy SF_linux1_80
loadbalance vip icmp-reply
ssl-proxy server CSS11503-2
Gilles.
05-15-2007 05:15 AM
before going for L7 with ssl, could you try to configure a simply SSL policy-map and see if that works.
Normally, if you have everything working for http, all you have to do is create a new class-map for the HTTPS traffic, then configure the same policy as for http and simply add the ssl proxy-server
ie:
policy-map multi-match SLB1
class VIP-122-80
loadbalance vip inservice
loadbalance policy SF_Linux1_80
loadbalance vip icmp-reply
class VIP-122-443
loadbalance vip inservice
loadbalance policy SF_linux1_80
loadbalance vip icmp-reply
ssl-proxy server CSS11503-2
Gilles.
05-15-2007 10:55 AM
After some more thorough testing, it does work as expected. I did what you suggested but has some minor issues, however turning on "persistence-rebalance" resolved all my issues.
Thanks a lot for your time.
John Spannagel
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide