CSS scripting - ssl and url checking

Paul Pinto

Hi,

We have two CSS 11503's running version 8.10 which are load balancing ssl (no offload) across multiple FARM's for various services. The current keepalive is ap-kal-ssl (default sending hello expecting hello).

This is no longer adequate as the application fails while the port is still active resulting in the keepalive marking the server as Alive and traffic being sent to a server that cannot provide service.

I would like to have a script that can perform the same function as the existing ap-kal-ssl keepalive checking the ssl service as well as check the landing page of the site, for example, (no authentication required as it would be the login page).

Is this possible, and if so, any assistance with the scripting would be greatly appreciated.

6 Replies

Paul Pinto

Hi,

I am doubtful this can be done, confirmation would be appreciated either way.

Thanks.

Only possible if you have the css5-ssl module.

Then the keyword encrypt can be used with an http keepalive.

CSS11503-2(config-service[linux1])# keepalive type http ?
  Execute command
  encrypt Encrypt Keepalive traffic

Gilles.

Thanks for the reply Gilles.

But, we are only load balancing the SSL traffic as per below config. Do I have to configure Back-End SSL Server service or a SSL Initiation service, ssl-proxy lists and so on?

In other words, do I have to be terminating and/or initiating SSL or can I just do the: "keepalive http non-persistent encrypt" with my "keepalive method ?" and "keepalive uri ?" under my "service Webx"?

Config for SSL FARM:

owner FARM1
  content WEBSERVERS
    add service Web1
    add service Web2
    add service Web3
    vip address w.x.y.z
    application ssl
    protocol tcp
    port 443
    url "/*"
    balance aca
    add service Web4
    add service Web5
    sticky-inact-timeout 20
    advanced-balance sticky-srcip
    add service Web7
    add service Web8
    add service Web9
    add service Web13
    active

service Web1
  ip address w.x.y.z
  protocol tcp
  port 443
  keepalive type script ap-kal-ssl "w.x.y.z"
  active

service Web13
  ip address w.x.y.z
  protocol tcp
  port 443
  keepalive type script ap-kal-ssl "w.x.y.z"
  active

service Web2
  ip address w.x.y.z
  protocol tcp
  port 443
  keepalive type script ap-kal-ssl "w.x.y.z"
  active

service Web3
  ip address w.x.y.z
  protocol tcp
  port 443
  keepalive type script ap-kal-ssl "w.x.y.z"
  active

service Web4
  ip address w.x.y.z
  protocol tcp
  port 443
  keepalive type script ap-kal-ssl "w.x.y.z"
  active

service Web5
  ip address w.x.y.z
  protocol tcp
  port 443
  keepalive type script ap-kal-ssl "w.x.y.z"
  active

service Web7
  ip address w.x.y.z
  protocol tcp
  port 443
  keepalive type script ap-kal-ssl "w.x.y.z"
  active

service Web8
  ip address w.x.y.z
  protocol tcp
  port 443
  keepalive type script ap-kal-ssl "w.x.y.z"
  active

service Web9
  ip address w.x.y.z
  protocol tcp
  port 443
  keepalive type script ap-kal-ssl "w.x.y.z"
  active

Hi again,

Any feedback or confirmation on my query regarding whether or not I have to be terminating and/or initiating SSL or can I just do the: "keepalive http non-persistent encrypt" with my "keepalive method ?" and "keepalive uri ?" under my "service Webx"?

You need to do the probe in 2 steps.

First create a duplicate service of your actual service and configure it for SSL backend or SSL init.

Create the probe such that your server is being targeted.

Then, in your initial service, you create a script that will do a 'show keepalive ' and detect if the duplicate is up or down and if down, your service goes down as well.

Gilles.

Did it ever work with just "keepalive http non-persistent encrypt" or did you have to do ssl offload and the ssl service etc.?

Thanks,

Paul
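
The gap this thread is about (the SSL hello succeeds while the application behind it is failing) shown as an added example; it is not from any poster and is not CSS script. It is an off-box Python probe that separates "handshake failed" from "handshake fine, landing page broken". The names `probe` and `start_constructed_server`, the `/login` path and the "Sign in" marker are assumptions, and the local server is a constructed stand-in that speaks plain HTTP so the example runs offline.

```python
import http.client
import http.server
import threading

def probe(host, port, path="/", expect=b"", context=None, timeout=3.0):
    """Classify one real server as 'down', 'app-failed' or 'alive'.
    With an ssl.SSLContext the TLS handshake is part of the check; context=None
    probes plain TCP and is only meant for the constructed lab server below.
    """
    if context is None:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    else:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=context)
    try:
        conn.connect()  # TCP connect (+ TLS handshake): all a hello-only keepalive sees
    except OSError:     # includes ssl.SSLError and timeouts
        return "down"
    try:
        conn.request("GET", path, headers={"Connection": "close"})
        resp = conn.getresponse()
        body = resp.read(65536)
    except (OSError, http.client.HTTPException):
        return "app-failed"  # port answered, application did not
    finally:
        conn.close()
    if resp.status != 200 or expect not in body:
        return "app-failed"
    return "alive"

class ConstructedApp(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in: the port always answers, only /login is healthy."""
    def do_GET(self):
        ok = self.path == "/login"
        body = b"<title>Sign in</title>" if ok else b"error"
        self.send_response(200 if ok else 503)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass  # keep the demo quiet

def start_constructed_server():
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), ConstructedApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    srv = start_constructed_server()
    print(probe("127.0.0.1", srv.server_address[1], "/login", b"Sign in"))
```

Against a real farm member, pass an `ssl.SSLContext` so the handshake is included; a result of "app-failed" is the case the hello-only keepalive reports as Alive.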
