05-14-2007 06:40 AM
I have several CSS infrastructures and recently received an ACE for testing. I am working through converting the configurations to the ACE and have some issues. The simplest explanation of what I am trying to do is this:
https://xxx.yyy.zzz/abc* -> realserver 10.10.10.10 port 81
https://xxx.yyy.zzz/def* -> realserver 10.10.10.10 port 82
https://xxx.yyy.zzz/ghi* -> realserver 10.10.10.10 port 83
https://xxx.yyy.zzz/jkl* -> realserver 10.10.10.20 port 81
https://xxx.yyy.zzz/mno* -> realserver 10.10.10.20 port 82
etc.
I am able to do it without SSL termination (using port xxx.yyy.zzz on port 80). I have also tried creating a separate realserver/serverfarm for SSL termination and sending to another IP on the ACE for the Layer 7 piece without success. Is there some technique or configuration options I am missing to get this working? Is if even possible within one context? Any advise would be greatly appreciated.
Thanks,
John Spannagel
Solved! Go to Solution.
05-15-2007 05:15 AM
before going for L7 with ssl, could you try to configure a simply SSL policy-map and see if that works.
Normally, if you have everything working for http, all you have to do is create a new class-map for the HTTPS traffic, then configure the same policy as for http and simply add the ssl proxy-server
ie:
policy-map multi-match SLB1
class VIP-122-80
loadbalance vip inservice
loadbalance policy SF_Linux1_80
loadbalance vip icmp-reply
class VIP-122-443
loadbalance vip inservice
loadbalance policy SF_linux1_80
loadbalance vip icmp-reply
ssl-proxy server CSS11503-2
Gilles.
05-15-2007 05:15 AM
before going for L7 with ssl, could you try to configure a simply SSL policy-map and see if that works.
Normally, if you have everything working for http, all you have to do is create a new class-map for the HTTPS traffic, then configure the same policy as for http and simply add the ssl proxy-server
ie:
policy-map multi-match SLB1
class VIP-122-80
loadbalance vip inservice
loadbalance policy SF_Linux1_80
loadbalance vip icmp-reply
class VIP-122-443
loadbalance vip inservice
loadbalance policy SF_linux1_80
loadbalance vip icmp-reply
ssl-proxy server CSS11503-2
Gilles.
05-15-2007 10:55 AM
After some more thorough testing, it does work as expected. I did what you suggested but has some minor issues, however turning on "persistence-rebalance" resolved all my issues.
Thanks a lot for your time.
John Spannagel
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: