internet Dashboard and 11501's

jphilope
Level 3

I am having a heck of a time getting SSL Offloading and load balancing to work with a product from a company called internet Dashboard. I really believe the issues to be the APP.

I have the SSL offloading configured and it works. The load balancing is straightforward and working as well. The setup is two servers and the DB server (not involved in LB or SSL) in our DMZ. The 11501's (in an ASR pair) are one armed into the DMZ switches. Everything is cross connected in the switching environment. Proxy-Arp is disabled. Config is attached and showing good Cert associations.

What has been happening is we will get a loss of connection between the App servers and the DB server resulting in a General Network Error (Microsoft's latest equivalent to the famous General Protection Fault). This now appears to have been a problem with Win2K3 and SP2 and Broadcom drivers and was eliminated with a driver upgrade and disabling "Chimney Offloading" on the servers.

Now, when I place the servers behind the 11501s and enable the SSL, I get a "Bad Request (Invalid Hostname)" error right after the cert exchange. However, when I go directly to the server by IP and bypass the VIP and SSL, it works fine.

This leads me to believe there is a DNS issue or other App based problem, but as I'm the only one who works with the CSSs here, I would like a second opinion.

Can anyone see something I have overlooked? I would appreciate any comments.

TIA

One last thing about the config. I know I have all the services, content and group suspended. I've had to back out the SSL termination and LB - again.

3 Replies

Diego Vargas
Cisco Employee

Hi,

I have seen this same issue once, but in that case the error message and the issue in general showed up only when using Mozilla. Is this happening with browsers?

In the end we found the issue was that the CSS had a chained certificate installed that was not properly concatenated. Is yours a chained cert or just the server cert?

At this point all your configuration is suspended, I guess this is on purpose.

A couple of things to consider:

1. The command "application ssl" should be used when doing SSL balancing but not when doing Offloading, so it would be better to get rid of that command on the ssl rule

2. The command "advance-balance ssl" should not be used since the SSL rule sends the traffic to the SSL module, you have only one module so there is no need for stickiness on that rule

3. URL rewrite needs to have only the hostname not the "https:" part, it would look like this:

ssl-server 1 urlrewrite 1 cshorizons.cswg.com

Hope it helps!!

Diego M

Diego,

Thanks for the quick answer. You are correct, the problem occurs in a browser and it is Firefox. The cert is not chained, just a standard server cert and key pair. Funny thing is it would work for a while and then the error issues. No reason for the application to stop. iD (product author) has been less than helpful.

Your three recommendations make sense. I have made them. I'll give it another shot and see what happens.

Hi, perhaps you can export the cert out of the CSS and make sure it is in good shape. In the case that I mentioned, Firefox showed the issue because the cert was missing the line:

--END OF CERTIFICATE--

Since you mentioned the issue is with Firefox as well, it might be something related.

Hope it Helps!!

Diego M
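
The two certificate faults mentioned in the replies above (a chain that was not properly concatenated, and an exported cert missing its end line) can be caught with a structural check on the exported PEM file before it is imported. This is an added example, not part of the original thread or any Cisco tooling; the function name and the sample data (a constructed five-byte DER stub, not a real certificate) are assumptions.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def check_pem_bundle(text):
    """Return (certificate_count, problems) for a PEM file or concatenated chain."""
    problems, count, body, start = [], 0, None, 0
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if body is not None:  # previous block was never closed
                problems.append(f"line {start}: block has no END line before line {num}")
            body, start = [], num
        elif line == END:
            if body is None:
                problems.append(f"line {num}: END line without a BEGIN line")
                continue
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error:
                problems.append(f"line {start}: body is not valid base64")
            else:
                # A DER-encoded certificate always starts with a SEQUENCE tag (0x30).
                if der[:1] == b"\x30":
                    count += 1
                else:
                    problems.append(f"line {start}: body is not a DER SEQUENCE")
            body = None
        elif line.startswith("--"):  # base64 never contains '-'
            problems.append(f"line {num}: unexpected or malformed marker {line!r}")
        elif body is not None and line:
            body.append(line)
    if body is not None:
        problems.append(f"line {start}: block has no END line before end of file")
    return count, problems


# Constructed sample data: a minimal DER SEQUENCE stub, not a real certificate.
STUB = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
GOOD_CHAIN = f"{BEGIN}\n{STUB}\n{END}\n{BEGIN}\n{STUB}\n{END}\n"
TRUNCATED = f"{BEGIN}\n{STUB}\n"                          # end line missing
BAD_CHAIN = f"{BEGIN}\n{STUB}\n{BEGIN}\n{STUB}\n{END}\n"  # first block not closed

if __name__ == "__main__":
    for name, pem in [("good", GOOD_CHAIN), ("truncated", TRUNCATED), ("bad chain", BAD_CHAIN)]:
        print(name, check_pem_bundle(pem))
```

The check is structural only: it does not verify signatures, validity dates, or that the chain order matches the issuing hierarchy.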
