09-03-2008 06:04 AM
Hi,
We have two CSS 11503's running version 8.10 which are load balancing ssl (no offload) across multiple FARM's for various services. The current keepalive is ap-kal-ssl (default sending hello expecting hello).
This is no longer adequate as the application fails while the port is still active resulting in the keepalive marking the server as Alive and traffic being sent to a server that cannot provide service.
I would like to have a script that can perform the same function as the existing ap-kal-ssl keepalive checking the ssl service as well as check the landing page of the site, for example, (no authentication required as it would be the login page).
Is this possible, and if so any assistance with the scripting would be greatly appreciated.
09-04-2008 01:28 PM
Hi,
I am doubtful this can be done, confirmation would be appreciated either way.
Thanks.
09-05-2008 02:17 AM
Only possible if you have the css5-ssl module.
Then the keyword encrypt can be used with an http keepalive.
CSS11503-2(config-service[linux1])# keepalive type http ?
encrypt Encrypt Keepalive traffic
Gilles.
09-05-2008 06:53 AM
Thanks for the reply Gilles.
But, we are only load balancing the SSL traffic as per below config. Do I have to configure Back-End SSL Server service or a SSL Initiation service, ssl-proxy lists and so on?
In other words, do I have to be terminating and/or initiating SSL or can I just do the: "keepalive http non-persistent encrypt" with my "keepalive method ?" and "keepalive uri ?" under my "service Webx"?
Config for SSL FARM:
owner FARM1
content WEBSERVERS
add service Web1
add service Web2
add service Web3
vip address w.x.y.z
application ssl
protocol tcp
port 443
url "/*"
balance aca
add service Web4
add service Web5
sticky-inact-timeout 20
advanced-balance sticky-srcip
add service Web7
add service Web8
add service Web9
add service Web13
active
service Web1
ip address w.x.y.z
protocol tcp
port 443
keepalive type script ap-kal-ssl "w.x.y.z"
active
service Web13
ip address w.x.y.z
protocol tcp
port 443
keepalive type script ap-kal-ssl "w.x.y.z"
active
service Web2
ip address w.x.y.z
protocol tcp
port 443
keepalive type script ap-kal-ssl "w.x.y.z"
active
service Web3
ip address w.x.y.z
protocol tcp
port 443
keepalive type script ap-kal-ssl "w.x.y.z"
active
service Web4
ip address w.x.y.z
protocol tcp
port 443
keepalive type script ap-kal-ssl "w.x.y.z"
active
service Web5
ip address w.x.y.z
protocol tcp
port 443
keepalive type script ap-kal-ssl "w.x.y.z"
active
service Web7
ip address w.x.y.z
protocol tcp
port 443
keepalive type script ap-kal-ssl "w.x.y.z"
active
service Web8
ip address w.x.y.z
protocol tcp
port 443
keepalive type script ap-kal-ssl "w.x.y.z"
active
service Web9
ip address w.x.y.z
protocol tcp
port 443
keepalive type script ap-kal-ssl "w.x.y.z"
active
09-08-2008 12:47 AM
Hi again,
Any feedback or confirmation on my query regarding whether or not I have to be terminating and/or initiating SSL or can I just do the: "keepalive http non-persistent encrypt" with my "keepalive method ?" and "keepalive uri ?" under my "service Webx"?
09-08-2008 12:57 AM
You need to do the probe in 2 steps.
First create a duplicate service of your actual service and configure it for SSL backend or SSL init.
Create the probe such that your server is being targeted.
Then, in your initial service, you create a script that will do a 'show keepalive
Gilles.
08-25-2009 10:40 AM
Did it ever work with just "keepalive http non-persistent encrypt" or did you have to do ssl offload and the ssl service etc.?
Thanks,
Paul