SSL is not getting load balanced in CSS11503

Unanswered Question
Sep 2nd, 2009


I have configured CSS11503 so that it load balances HTTP and HTTPS traffic. It works fine.

But if I introduce a Symantec gateway (for virus issues) in my network, only HTTP traffic is getting load balanced.

HTTPS traffic is not getting load balanced; the HTTPS traffic is hitting only 1 server.

If I remove the Symantec gateway, both HTTP and HTTPS get load balanced.

Please advise



paul.matthews Wed, 09/02/2009 - 23:47

I am not familiar with the Symantec box, but it looks like you are having issues with sticky - is the Symantec translating source addresses perhaps?

Adding your config would help.

Gilles Dufour Thu, 09/03/2009 - 00:42

Is your symantec box configured to decrypt HTTPS traffic ?

If it does not have the key/cert to do so, it won't see the content of the traffic and it may block it.

I don't think this is a CSS issue.

Usually, people say "With the Cisco device it does not work. Without the Cisco device it works, so this is a Cisco issue."

But here, you add a Symantec device, and still this is a Cisco issue :-) Funny.

Sounds like your GW is the culprit.

Get a sniffer trace in front of the CSS to see if we get the https traffic first.


paul.matthews Thu, 09/03/2009 - 07:07

Gilles, I read the problem to be that it was getting through, just not being load balanced, which looks like the gateway is messing sticky up.


Gilles Dufour Thu, 09/03/2009 - 08:37

Is the Symantec gateway working like a proxy and using its own IP to connect with the CSS?

If you do sticky src IP and everything comes from a single IP, there is no more load balancing.

You then need to do stickiness on something else, like cookies. But for that, you need to terminate SSL traffic on the CSS.


arulkumar80 Fri, 09/04/2009 - 03:05

I am attaching the configuration files.

file1: SSL load balanced.

file2: SSL not load balanced.

Please let me know what I need to do for SSL to be load balanced.



paul.matthews Fri, 09/04/2009 - 06:06

On your SSL rule in both cases you have sticky set by source IP address. The configs are quite different in other respects, but SSL is the same. Do you use one config with this gateway, and the other without?

That sticky rather supports my first thought that the gateway is doing source NAT. I think to get SSL balanced, you will probably have to turn the NAT off.

Gilles may be able to offer a firmer solution, but if you have the SSL module in the CSS, I would use that to terminate SSL. That way I know advanced-balance ssl on the content rule will work. You could try advanced-balance ssl on your existing rule, but I don't guarantee it will work without terminating the SSL locally.

arulkumar80 Fri, 09/04/2009 - 08:51

I use one config with the gateway and the other without the gateway.

If I don't use the gateway, SSL is load balanced.

But if I use the gateway, SSL is not load balanced.



paul.matthews Fri, 09/04/2009 - 09:24

I think I can say pretty definitively the gateway is the problem. It is doing source NAT. The advanced-balance you have on the content rule means that anything through the gateway will be stickied to one server.

I am afraid I cannot help with the config of the Symantec gateway. You need to turn NAT off on that to load balance, or at least get the Symantec to translate to two addresses.

The symantec is where your issue lies.

It could be that you are unfortunately in the position that the symantec box is doing exactly what it should, but the combination of the CSS and the symantec do not work together.

arulkumar80 Fri, 09/04/2009 - 09:50

Dear Paul,

Can you please explain to me what you mean by

"get the Symantec to translate to two addresses"

What is it that I need to do?



paul.matthews Sun, 09/06/2009 - 23:50

Right, your problem is that the Symantec box is translating all source addresses to a single address. The CSS is configured for source-ip for sticky. That makes the CSS keep all your SSL users to a single server.

I have no idea if it is possible to change the symantec box - you need to speak to symantec people rather than Cisco people, but if you can get it to translate source addresses and use two rather than one, then that will allow the CSS to balance.

You could also see if that source NAT can be turned off on the symantec box, but you need someone that knows about the symantec box to tell you if/how.

arulkumar80 Mon, 09/07/2009 - 03:05

Dear Paul,

Thank you for all your responses.

I will contact Symantec and check if source NAT can be turned off in the Symantec box.

I am sorry, I am not able to understand what you mean by

"get it to translate source addresses and use two rather than one"

Can you please explain to me what you mean by the above line.

Waiting for your reply to proceed further.



paul.matthews Mon, 09/07/2009 - 04:57

Simple. At the moment, the symantec box translates all users to a single IP address. The behaviour is your problem. If instead of translating to one, you can get the symantec box to translate to two (no NAT at all would be better) then the CSS is free to load balance.

You need to talk to symantec.
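
The interaction Paul and Gilles describe (sticky by source IP collapsing to one server once a proxy source-NATs every client, two NAT addresses giving two buckets, and cookie stickiness only being possible once SSL is terminated on the load balancer) can be reproduced in a few lines. The simulation below is an added example written for this thread; it is not CSS11503 code, makes no claim about the CSS's internal sticky algorithm, and the server, client and NAT addresses in it are constructed sample values.

```python
"""Simulate sticky load balancing behind a source-NATing proxy.

Added illustration for this thread, not CSS11503 code. The balancer
here is a plain round-robin with a sticky table keyed on whatever the
caller chooses (source IP or a session cookie); all addresses are
constructed sample values.
"""
from collections import Counter
from itertools import cycle


class StickyBalancer:
    """Round-robin balancer that pins each sticky key to the server it first got."""

    def __init__(self, servers):
        self.servers = list(servers)
        self._rr = cycle(self.servers)
        self.table = {}  # sticky key -> server

    def pick(self, key):
        if key not in self.table:
            self.table[key] = next(self._rr)
        return self.table[key]


def distribute(requests, key_func, servers=("10.0.0.11", "10.0.0.12")):
    """Return Counter(server -> requests) when key_func(request) is the sticky key."""
    lb = StickyBalancer(servers)
    hits = Counter()
    for req in requests:
        hits[lb.pick(key_func(req))] += 1
    return hits


def make_requests(n_clients, per_client, nat_pool=None):
    """Constructed traffic: n_clients users each sending per_client HTTPS requests.

    nat_pool, if given, is the list of addresses a proxy rewrites sources to
    (one address = the single-IP source NAT discussed in the thread).
    """
    reqs = []
    for c in range(n_clients):
        real_ip = f"192.168.1.{c + 1}"
        src = nat_pool[c % len(nat_pool)] if nat_pool else real_ip
        for _ in range(per_client):
            reqs.append({"src_ip": src, "session_cookie": f"sess-{c}"})
    return reqs


def sticky_by_src_ip(requests):
    """Equivalent of sticking on the client source address."""
    return distribute(requests, lambda r: r["src_ip"])


def sticky_by_cookie(requests):
    """Sticking on a session cookie; on a real device this needs SSL terminated
    on the balancer first, because the cookie travels inside the encrypted payload."""
    return distribute(requests, lambda r: r["session_cookie"])


def scenarios():
    """The four situations from the thread, as server hit counts."""
    direct = make_requests(10, 5)                                   # no gateway
    nat_one = make_requests(10, 5, nat_pool=["203.0.113.5"])         # gateway, one NAT IP
    nat_two = make_requests(10, 5, nat_pool=["203.0.113.5", "203.0.113.6"])
    return {
        "no gateway, sticky src ip": sticky_by_src_ip(direct),
        "gateway with one NAT address, sticky src ip": sticky_by_src_ip(nat_one),
        "gateway with two NAT addresses, sticky src ip": sticky_by_src_ip(nat_two),
        "gateway with one NAT address, sticky cookie": sticky_by_cookie(nat_one),
    }


if __name__ == "__main__":
    for name, hits in scenarios().items():
        print(f"{name}: {dict(hits)}")
```

Running it shows the direct case spread 25/25 across the two servers, the single-NAT-address case putting all 50 requests on one server, the two-address case back to 25/25 (two buckets, not real per-user balancing), and cookie stickiness spreading 25/25 even behind the single NAT address.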

Gilles Dufour Mon, 09/07/2009 - 00:37

What kind of Symantec device is it?

Googling "symantec security gateway" and "nat" provides many results.

You may find your answer there.


