CSS SSL - module required?

Unanswered Question
Mar 13th, 2008
User Badges:


Can anyone confirm if this is a valid configuration or if i require a SSL module.

We have a web server at the back of the CSS running http . We are now trying to add https service to this server.

I have added the rules to content switch - a service for 443 and a content rule. We cannot get the service up however, it is showing down. The service is running ok on the server (we can telnet to it on port 443)

Does the CSS pass the encrypted data to the backend server transparently or is a SSL module required?

Any help would be much appreciated

Here is the config:

service server23_443

ip address 192.168.100.x

protocol tcp

port 443

keepalive type tcp

keepalive port 443


content https

vip address 192.168.100.x

protocol tcp

port 443

add service server26_443

add service server23_443


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Gilles Dufour Thu, 03/13/2008 - 09:18
User Badges:
  • Cisco Employee,

this config does not require an ssl module.

Encrypted traffic can be loadbalanced at layer 4.

The ssl module is only required if you need to see what is inside the encrypted packet to perform the loadbalancing decision.


kurgen727 Thu, 03/20/2008 - 06:04
User Badges:

I've had a similar problem, and can only load balance at Layer 3. We have 2 CSSs without the SSL module.

When I try specifiying layer 5 keepalives in the services at all, I lose https, but can still load balance http traffic.

I've tried content rules using both layer 3 and layer 5 setups, to no resolution. I'll be placing a tech support call today, and will update this post if I get anything usefull from Support.

Gilles Dufour Thu, 03/20/2008 - 08:39
User Badges:
  • Cisco Employee,

you can't do L5 rule without the SSL module.

The traffic is encrypted and the CSS alone can't decrypt it.

All you can do is L3 and L4 loadbalancing.

If you want L5 you need the SSL module.

This is what was mentioned in my previous response.


kurgen727 Thu, 03/20/2008 - 11:44
User Badges:

I would agree if I made any change to the content rule, but I'm only making a change to specify the service port.

I would think I'd be able to sticky source ip by SSLID (layer 4 transport layer) without the SSL module. What use is a CSS without the SSL module if the only thing it can do is load balance layer 3.

If I wanted to sticky based on cookie that would be layer 5 and I agree i'd need the module, or am I missing something simple?

Gilles Dufour Fri, 03/21/2008 - 05:24
User Badges:
  • Cisco Employee,

yes, you can do stickyness on SSLID without the SSL module.

You can do everything that does not require decrypting the traffic.

If your config does not work, you should maybe share it with us if you need our advice.


skumar1969 Mon, 03/31/2008 - 22:58
User Badges:
  • Bronze, 100 points or more

Yes. You do not need one if you don't open the encrypted packets. In reality this doesn't work and you will be heading up to a point of no return after making a huge investment on a CSS box that doesn't support SSL termination. We got couple of boxes here that eats lots of your time lot of frustration when it comes to providing Support.

The biggest limitation here is when you try to select an effective advanced balancing method in order to provide session stickiness you are stuck here.

We are left with only 2 valid choices, (I ignored the src ip-dest port) whether to use SSLID or the src ip as the adv balance method. No way you can use the arrow point and other fine methods here with this box.

If you opt for the src ip as the adv balancing method you are stuffed by the mega proxies.

If you opt for the SSLid you are plagued by the IE browser that keeps changing its SSLid pretty frequently, unless you apply some MS patching on every user PC which is unpractical in the Internet arena.

I would strongly recommend a CSS with an SSL module for an effective load balancing if there is an encrypted traffic that needs to be effective load balanced.



This Discussion