CSS 11501 Not Passing HTTPS or 443

jdmonroe
Level 1

When I go directly to the server address I can resolve both 80 and 443.

When I go via vip I get port 80 but can't connect to port 443.

Simple pass-thru config not terminating the Cert on the CSS or using the SCM.

!*************************** GLOBAL ***************************
ip redundancy
bridge spanning-tree disabled
no restrict web-mgmt
idle timeout web-mgmt 15
app
app session 1.1.1.2 14 authChallenge cisco encryptMd5hash rcmdEnable
dns primary xxx.xxx.13.41
dns secondary xxx.xxx.15.248
ip route 0.0.0.0 0.0.0.0 10.1.104.253 1

-INTERFACE-
interface e1
  bridge vlan 10
  phy 100Mbits-FD
  description "Client-Side VLAN"
interface e4
  bridge vlan 20
  description "Redundancy Protocol Heartbeat"
  phy 100Mbits-FD
interface e8
  phy 100Mbits-FD
  bridge vlan 30
  description "Server-Side VLAN"
interface Ethernet-Mgmt
  description "Management"
  phy 10Mbits-HD

- CIRCUIT -
circuit VLAN10
  description "Client-Side VLAN"
  redundancy
  ip address 10.1.104.3 255.255.255.0
circuit VLAN20
  description "Redundancy Protocol Heartbeat"
  ip address 1.1.1.1 255.255.255.252
    redundancy-protocol
circuit VLAN30
  description "Server-Side VLAN"
  redundancy
  ip address xxx.xxx.14.52 255.255.255.0
    no redirects

- SERVICE -
service Mmobile01
  ip address xxx.xxx.14.192
  port 80
  keepalive type tcp
  active
service Mmobile01-443
  ip address xxx.xxx.14.192
  port 443
  keepalive type tcp
  active
service Mmobile02
  ip address xxx.xxx.14.101
  port 80
  keepalive type tcp
  active
service Mmobile02-443
  ip address xxx.xxx.14.101
  port 443
  keepalive type tcp
  active
service Mmobile03
  ip address xxx.xxx.14.143
  port 80
  keepalive type tcp
  active
service Mmobile03-443
  ip address xxx.xxx.14.143
  port 443
  keepalive type tcp
  active
service Mmobile04
  ip address xxx.xxx.14.208
  port 80
  keepalive type tcp
service Mmobile04-443
  ip address xxx.xxx.14.208
  port 443
  keepalive type tcp
  keepalive port 443
service Mmobile05
  ip address xxx.xxx.14.169
  port 80
  keepalive type tcp
  active
service Mmobile05-443
  ip address xxx.xxx.14.169
  port 443
  keepalive type tcp
  keepalive port 443
  active
service UpStreamRouter
  ip address 10.1.104.253
  type redundancy-up
  active

- OWNER -
owner XXXX
  content Web-NonProd
    vip address xxx.xxx.14.46
    add service Mmobile04
    add service Mmobile05
    balance leastconn
    advanced-balance sticky-srcip
    protocol tcp
    port 80
    url "/*"
    active
  content Web-NonProd-443
    vip address xxx.xxx.14.46
    balance leastconn
    advanced-balance sticky-srcip
    protocol tcp
    port 443
    add service Mmobile04-443
    add service Mmobile05-443
  content Web-Prod
    vip address xxx.xxx.14.39
    add service Mmobile01
    add service Mmobile02
    add service Mmobile03
    balance leastconn
    protocol tcp
    port 80
    url "/*"
    advanced-balance sticky-srcip
    active
  content Web-Prod-443
    vip address xxx.xxx.14.39
    balance leastconn
    advanced-balance sticky-srcip
    protocol tcp
    port 443
    url "/*"
    add service Mmobile01-443
    add service Mmobile02-443
    add service Mmobile03-443
    active

- GROUP -
group XXXX-NonProd
  vip address xxx.xxx.14.46
  add destination service Mmobile04
  add destination service Mmobile04-443
  add destination service Mmobile05-443
  add destination service Mmobile05
  active
group XXXX-Prod
  vip address xxx.xxx.14.39
  add destination service Mmobile01
  add destination service Mmobile01-443
  add destination service Mmobile02
  add destination service Mmobile02-443
  add destination service Mmobile03
  add destination service Mmobile03-443
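As an added illustration, not part of the original post: a small Python lint that parses CSS `service` and `content` blocks laid out the way the config above is and reports the things to check first when a VIP answers on 80 but not on 443. It flags content rules that never went `active`, added services that are not `active` or not defined at all, a port mismatch between a service and its rule, and a `url` match on a port-443 rule without `application ssl` (a `url` makes the rule layer 5, so the CSS has to read the HTTP request to evaluate it, which it cannot do in a TLS pass-through). The sample config is a constructed excerpt of the one above with the masked octets replaced by the 203.0.113.0/24 documentation range; `parse_css` and `lint` are this example's own names, not CSS commands.

```python
"""Added example (not from the thread): lint a CSS pass-through config."""

# Constructed excerpt modelled on the posted config; masked octets are
# replaced with the 203.0.113.0/24 documentation range.
SAMPLE_CONFIG = """\
service Mmobile04-443
  ip address 203.0.113.208
  port 443
  keepalive type tcp
  keepalive port 443
service Mmobile05-443
  ip address 203.0.113.169
  port 443
  keepalive type tcp
  keepalive port 443
  active
owner XXXX
  content Web-NonProd-443
    vip address 203.0.113.46
    balance leastconn
    protocol tcp
    port 443
    add service Mmobile04-443
    add service Mmobile05-443
  content Web-Prod-443
    vip address 203.0.113.39
    balance leastconn
    protocol tcp
    port 443
    url "/*"
    add service Mmobile01-443
    active
"""

# Keywords that open a block; only service and content blocks are kept.
BLOCK_KEYWORDS = {"service", "content", "owner", "group", "circuit", "interface"}


def parse_css(text):
    """Return {'service': {name: attrs}, 'content': {name: attrs}}.

    attrs holds 'active' (bool), 'services' (names from 'add service')
    and, when present, 'port', 'url' and 'application'.
    """
    blocks = {"service": {}, "content": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or CSS comment
        words = line.split()
        if words[0] in BLOCK_KEYWORDS and len(words) >= 2:
            if words[0] in blocks:
                current = blocks[words[0]].setdefault(
                    words[1], {"active": False, "services": []})
            else:
                current = None  # owner/group/circuit/interface: not needed here
            continue
        if current is None:
            continue
        if line == "active":
            current["active"] = True
        elif words[0] == "port" and len(words) == 2:
            current["port"] = words[1]
        elif words[0] == "url":
            current["url"] = line[len("url"):].strip()
        elif words[0] == "application" and len(words) == 2:
            current["application"] = words[1]
        elif words[:2] == ["add", "service"] and len(words) == 3:
            current["services"].append(words[2])
    return blocks


def lint(blocks):
    """Return sorted (content_rule, finding) pairs."""
    findings = []
    services = blocks["service"]
    for name, rule in blocks["content"].items():
        port = rule.get("port")
        if not rule["active"]:
            findings.append((name, "content rule is not 'active'"))
        # A url match makes the rule layer 5: the CSS must read the HTTP
        # request to evaluate it, which it cannot do through TLS pass-through.
        if port == "443" and "url" in rule and rule.get("application") != "ssl":
            findings.append((name, "url match on a port-443 pass-through rule; "
                                   "the request is encrypted so it can never match"))
        for svc in rule["services"]:
            if svc not in services:
                findings.append((name, f"adds undefined service {svc}"))
            elif not services[svc]["active"]:
                findings.append((name, f"adds service {svc} which is not 'active'"))
            elif services[svc].get("port", port) != port:
                findings.append((name, f"adds service {svc} on port "
                                       f"{services[svc]['port']}, rule is on {port}"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, finding in lint(parse_css(SAMPLE_CONFIG)):
        print(f"{rule}: {finding}")
```

Run against the excerpt it reports four findings: `Web-NonProd-443` is not active and adds the inactive `Mmobile04-443`, and `Web-Prod-443` adds a service the excerpt does not define and carries a `url` match on port 443. Feed it the full running-config instead of the excerpt to check every rule at once.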

3 Replies

sachinga.hcl
Level 4

Hi,

During the session of the client, the transition is made to SSL port 443 when the client selects a link on the page that redirects to https. This causes a new content rule to be hit and the client may be load-balanced to another server. As the traffic is now encrypted https (SSL/TLS), the CSS is not able to check above layer 4 (the TCP port number) for cookies, URLs etc., because the requests are encrypted when the information passes the CSS. In order to prevent the occurrence of this issue, configure the redirecting HREF on each server to point back to https at the same server's public address, not the VIP address, as shown here:

<a href="https://servers_own_ip_address/path">secure site</a>

If your servers are in a private address space, configure SSL content rules for each server with an HREF on each server that points to the SSL content rule's VIP.

Below is the configuration example for your reference:

!Generated on 10/10/2001 18:12:17
!Active version: ap0500015s
configure
!************************** SERVICE**************************
service s1
  ip address 10.10.1.101
  active
service s2
  ip address 10.10.1.102
  active
!*************************** OWNER***************************
owner cookie-ssl
  content layer5cookie
    vip address 10.10.1.66
    protocol tcp
    port 80
    url "/*"
    advanced-balance arrowpoint-cookie
    !--- Specify a port in the content rule to use this option.
    !--- Port 80 traffic is used here.
    !--- All clients must enable cookies on their browser.
    add service s1
    add service s2
    active
  content s1-ssl
    vip address 10.10.1.88
    protocol tcp
    port 443
    application ssl
    add service s1
    active
  content s2-ssl
    vip address 10.10.1.99
    protocol tcp
    port 443
    application ssl
    add service s2
    active

!--- Use this HREF on server S1 where switching from http to https:
<a href="https://10.10.1.101/applicationpath1/">secure site s1</a>

!--- Use this HREF on server S2 where switching from http to https:
<a href="https://10.10.1.102/applicationpath2">secure site s2</a>

!--- In the example, the addresses for servers s1 and s2 must be
!--- reachable from the client. If this is not the case, you must add a
!--- content rule for each server with a unique publicly routable VIP
!--- address and one service for each SSL server, as shown here:
  content s1-ssl
    vip address 10.10.1.88
    protocol tcp
    port 443
    application ssl
    add service s1
    active
  content s2-ssl
    vip address 10.10.1.99
    protocol tcp
    port 443
    application ssl
    add service s2
    active

!--- Use this HREF on server s1 where the switch from http to https occurs:
<a href="https://10.10.1.88/applicationpath1/">secure site s1</a>

!--- Use this HREF on server s2 where the switch from http to https occurs:
<a href="https://10.10.1.99/applicationpath2">secure site s2</a>

Hope this will help you.

Here are the reference URLs:

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a00801de8d6.shtml

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a008009450d.shtml

Here are the error messages we are getting from the websphere box:

[Wed Dec 03 12:23:47 2008] [info] [client 10.1.104.174] [963db0] SSL0230I: SSL Handshake Failed, An incorrectly formatted SSL message was received.

[Wed Dec 03 12:23:50 2008] [info] [client 205.189.14.52] [963db0] SSL0226I: SSL Handshake Failed, I/O error during handshake.

Also, we haven't seen this be an issue in the past. Typically, we allow access via 443; the client types https://vipaddress and everything works as expected.

The request is going to 1 of 3 JVM sessions running on the Websphere box.
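An added triage script, not part of the thread, for the WebSphere (IBM HTTP Server) lines quoted above. It parses the `[client x.x.x.x] [...] SSLnnnnX:` entries and splits the handshake failures into two buckets: entries whose source is the load balancer itself and entries from real clients. The split rests on one labelled assumption: that the masked `xxx.xxx.14.52` server-side circuit address in the posted CSS config is the `205.189.14.52` seen in the second log line. Under that reading, the `SSL0226I` "I/O error during handshake" entries from that address are consistent with the `keepalive type tcp` probes to port 443 in the config (a TCP-only probe completes the TCP handshake and closes without ever sending a ClientHello), while the `SSL0230I` "incorrectly formatted SSL message" from `10.1.104.174` is what a user's browser produced and is the line worth investigating. The log lines are constructed in the same format as the posted ones; `parse_ssl_events`, `triage` and `LB_ADDRESSES` are this example's own names.

```python
"""Added example (not from the thread): bucket IHS SSL handshake failures."""
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the two posted log lines; the last
# line is a non-SSL entry included to show that it is skipped.
SAMPLE_LOG = """\
[Wed Dec 03 12:23:47 2008] [info] [client 10.1.104.174] [963db0] SSL0230I: SSL Handshake Failed, An incorrectly formatted SSL message was received.
[Wed Dec 03 12:23:50 2008] [info] [client 205.189.14.52] [963db0] SSL0226I: SSL Handshake Failed, I/O error during handshake.
[Wed Dec 03 12:23:55 2008] [info] [client 205.189.14.52] [963db0] SSL0226I: SSL Handshake Failed, I/O error during handshake.
[Wed Dec 03 12:24:01 2008] [info] [client 10.1.104.174] [963db0] SSL0230I: SSL Handshake Failed, An incorrectly formatted SSL message was received.
[Wed Dec 03 12:24:03 2008] [error] [client 10.1.104.200] File does not exist: /opt/IBM/HTTPServer/htdocs/favicon.ico
"""

# Assumption: the masked xxx.xxx.14.52 server-side circuit address in the
# posted CSS config is the 205.189.14.52 in the log, i.e. the load balancer
# (its TCP keepalives) rather than a user's browser.
LB_ADDRESSES = frozenset({ipaddress.ip_address("205.189.14.52")})

# One IHS line: timestamp, level, client address, thread id, SSL message code.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[0-9.]+)\] "
    r"\[[0-9a-f]+\] (?P<code>SSL\d{4}[IEW]): (?P<msg>.*)$")


def parse_ssl_events(text):
    """Return a list of dicts, one per line carrying an SSLnnnnX message code."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["client"] = ipaddress.ip_address(ev["client"])
            events.append(ev)
    return events


def triage(text, lb_addresses=LB_ADDRESSES):
    """Split handshake failures into load-balancer probes and real clients.

    Returns {'lb_probe': Counter, 'client': Counter}, each keyed by
    (client address, message code).
    """
    buckets = {"lb_probe": Counter(), "client": Counter()}
    for ev in parse_ssl_events(text):
        if "Handshake Failed" not in ev["msg"]:
            continue  # only handshake failures are of interest here
        bucket = "lb_probe" if ev["client"] in lb_addresses else "client"
        buckets[bucket][(str(ev["client"]), ev["code"])] += 1
    return buckets


if __name__ == "__main__":
    for bucket, counts in triage(SAMPLE_LOG).items():
        for (client, code), n in sorted(counts.items()):
            print(f"{bucket:8s} {client:16s} {code} x{n}")
```

Point `LB_ADDRESSES` at the CSS circuit addresses that actually face the servers and the `lb_probe` bucket becomes the expected keepalive noise, leaving the `client` bucket as the list of addresses whose TLS sessions really failed through the VIP.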

You should capture a sniffer trace on the front end and back end of the CSS to verify what is going on.

Your config looks alright.

Gilles.