SSL termination and load balancing on the same CSS

Unanswered Question
Nov 30th, 2008

Hi,

I am trying to set up a CSS11503 for SSL termination and load balancing to two servers. I am having problems with slow performance, I think due to stickiness. It would appear that a new SSL session is started for each request. I'll start by describing what I want to happen, and will finish with a description of the current config.

WHAT I WANT:

Connection comes from the internet, and SSL is terminated on a single CSS. The CSS then load balances (with stickiness) to one of two IIS servers. The load balancing must not be based on source IP, as we could potentially have multiple users from a company coming from the one source NAT.

Once a client is connected, I need them to continue to go to the same IIS server.

i.e. if the user is load balanced to server1, I want all subsequent traffic in that session to go to server1.

The website is run by an application team, so I am not 100% sure of the setup, but I believe that both ASP.NET session cookies and other cookies are set, which could be used as the basis for load balancing.

OK, so that's what I want, here is WHAT I HAVE:

The setup is:

website.company.com = x.x.x.x

CSS VIP = y.y.y.y

Server1 IP = a.a.a.a

Server2 IP = b.b.b.b

Firewall has static NAT x.x.x.x <-> y.y.y.y

The network infrastructure is:

INTERNET -- FIREWALL -- CSS VLAN 1 (VIP and FW connect) -- CSS VLAN 2 (Web DMZ) -- Server1, Server2 etc

The relevant CSS config is:

!
content website.company.com_ssl
  application ssl
  vip address y.y.y.y
  add service ssl
  protocol tcp
  port 443
  active
!
content website.company.com_lb
  vip address y.y.y.y
  add service server1
  add service server2
  advanced-balance cookies
  protocol tcp
  port 81
  active
!
! CSS SSL-PROXY-LIST EXCERPT:
ssl-server 16
ssl-server 16 vip address y.y.y.y
ssl-server 16 cipher rsa-with-rc4-128-sha y.y.y.y 81 weight 5
ssl-server 16 cipher rsa-with-rc4-128-md5 y.y.y.y 81 weight 10
ssl-server 16 rsacert website_cert
ssl-server 16 rsakey website_key
!
!
service ssl
  keepalive type none
  slot 3
  type ssl-accel
  add ssl-proxy-list ssl
  active
!
service server1
  ip address a.a.a.a
  keepalive type http
  protocol tcp
  port 81
  active
!
service server2
  ip address b.b.b.b
  keepalive type http
  protocol tcp
  port 81
  active
!

Any help is much appreciated!

Thanks,

Andy
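Editor's note: the following is an added example of what the port-81 content rule looks like with cookie-based stickiness actually configured; it is not part of Andy's post or of any reply. It keeps the post's names and placeholder addresses (website.company.com_lb, y.y.y.y, server1, server2). The advanced-balance arrowpoint-cookie, arrowpoint-cookie expiration, url, string prefix, string range and string operation commands are taken from the CSS 11500 sticky configuration, but the expiration value, the ASP.NET_SessionId cookie name and its 24-character length are assumptions and should be checked against the application and the CSS software release in use.

```text
! Added example (not from the original post). Stickiness belongs on the rule
! that the SSL module feeds (y.y.y.y port 81): every decrypted flow reaches it
! from the SSL module, so source-IP stickiness could not distinguish clients
! here even if it were wanted. The 443 rule has only one service (the SSL
! module) and needs no stickiness of its own.
!
! Option A: let the CSS insert and track its own cookie (ArrowPoint cookie).
! The cookie carries the chosen service, so it survives the application
! changing its own cookies and does not depend on hashing.
content website.company.com_lb
  vip address y.y.y.y
  add service server1
  add service server2
  protocol tcp
  port 81
  ! cookie stickiness needs a Layer 5 rule, hence the URL match
  url "/*"
  advanced-balance arrowpoint-cookie
  ! idle timeout dd:hh:mm:ss; 30 minutes is an assumed value
  arrowpoint-cookie expiration 00:00:30:00
  active
!
! Option B (alternative to A, do not configure both on the same rule):
! stick on the application's own ASP.NET session cookie by hashing its value.
! "string prefix" tells the CSS where the cookie value starts and
! "string range" how many characters of it to hash. The cookie name and the
! 24-character range are assumptions about this site's application.
!content website.company.com_lb
!  vip address y.y.y.y
!  add service server1
!  add service server2
!  protocol tcp
!  port 81
!  url "/*"
!  advanced-balance cookies
!  string prefix "ASP.NET_SessionId="
!  string range 1 to 24
!  string operation hash-a
!  active
```

Two practical checks. First, with option B the hash maps a cookie value to a service only while the set of active services is unchanged, so a server going down and coming back can remap sessions; option A records the service in the cookie and does not have that problem, which is why it is listed first. Second, the post's ssl-server lines use RC4 cipher suites and the hop from the CSS to the IIS servers on port 81 is plaintext inside the DMZ; both were normal in 2008, but a current deployment should prefer a non-RC4 suite the CSS release offers and keep the port-81 VLAN reachable only from the CSS.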
