How do I temporarily disable TLS/SSL port 443 going to server on CSS

nygenxny123
Level 1

We are having issues with truncated packets that go through the CSS.

I did a capture after the CSS and there is truncation; however, I can't read it before the CSS since everything is encrypted.

They hit VIP address 172.20.120.16 on the CSS and get redirected to 2 servers depending on what the URL says.

The server team would like to turn it off just to test. I tried removing

"add service ARR-public-ssl" from the content below and we lost HTTP and HTTPS to the server.

So in essence I want to try and turn the 443 connection into a port 80 connection; then it goes to the port 7777 backend at 172.20.212.6.

content BYE-WEB-SSL
   vip address 172.20.120.16
   protocol tcp
   port 443
   advanced-balance ssl
   application ssl
   add service ARR-public-ssl
   active

ssl-server 40
ssl-server 40 rsacert byetest
ssl-server 40 vip address 172.20.120.16
ssl-server 40 cipher rsa-with-rc4-128-sha 172.20.120.17 80
ssl-server 40 cipher rsa-with-rc4-128-md5 172.20.120.17 80
ssl-server 40 urlrewrite 1 *
ssl-server 40 cipher rsa-with-3des-ede-cbc-sha 172.20.120.17 80
ssl-server 40 rsakey byekey
backend-server 50
backend-server 50 type initiation
backend-server 50 server-ip 69.xxx.xxx.xxx
backend-server 50 ip address 69.xxx.181.xxx
backend-server 50 rsacert byetest
backend-server 50 rsakey byekey
active

!************************** SERVICE **************************
service TIE-SSLINIT
  protocol tcp
  ip address 69.xxx.xxx.xxx
  keepalive type tcp
  keepalive port 443
  slot 2
  type ssl-init
  add ssl-proxy-list HR-SSL
  active

owner PublicBYE

  content BYE-WEB-ARRR
    vip address 172.20.120.17
    protocol tcp
    port 80
    url "/arr*"
    advanced-balance arrowpoint-cookie
    balance aca
    arpt-lct http-100-reinsert
    add service BYE-ods-web1
    active

  content BY-WEB-TIX
    protocol tcp
    port 80
    url "/tix*"
    advanced-balance arrowpoint-cookie
    balance aca
    arpt-lct http-100-reinsert
    add service BYE-ods-web2
    vip address 172.20.120.17
    active

  content BYE-WEB-TIX-CLEARTEXT
    add service TIX-SSLINIT
    vip address 172.20.120.19
    protocol tcp
    port 80
    active

content BYE-WEB-Nav
  vip address 172.20.120.17
  protocol tcp
  port 80
  url "/na*"
  balance aca
  arpt-lct http-100-reinsert
  add service BYE-ods-web1
  active

content BYE-WEB-SSL
  vip address 172.20.120.16
  protocol tcp
  port 443
  advanced-balance ssl
  application ssl
  add service ARR-public-ssl
  active

service BYE-ds-web1-ssl
  ip address 172.20.212.5
  port 443
  keepalive type ssl
  active

service BYE-ds-web2
  ip address 172.20.212.6
  port 7777
  keepalive port 7777
  keepalive type tcp
  active

service BYEos-web2-ssl
  ip address 172.20.212.6
  port 443
  keepalive type ssl
  active

2 Replies

Gilles Dufour
Cisco Employee

Hi,

"I want to try and turn the 443 connection to a port 80"

You can't do this without decrypting the traffic with the SSL module.

You could try going to your :80 rule directly in cleartext (HTTP) and see if it works.

Or you can send the HTTPS traffic to your server assuming they can decrypt it.

What version do you run on the CSS?

Do you have the sniffer trace where we can see the packets being truncated?

I can have a look.

Doing config changes will not help you understand the problem.

You first need to define the problem exactly and then apply the correct solution.

Trial and error is not a good troubleshooting approach.

Gilles.

CSS11506# sh ver
Version:               sg0810205 (08.10.2.05)
Flash (Locked):        08.10.1.06
Flash (Operational):   08.10.2.05
Type:                  PRIMARY
Licensed Cmd Set(s):   Standard Feature Set
                       Secure Management

Yeah, I've done a packet trace before it hits the CSS and after. The only issue is that everything is encrypted before it hits the LB, so I can't really read anything. I did a packet trace after the LB and on the server itself, and it seems we get this:

I thought I saw some bug info from Cisco but I can't tell if it's related:

CSCsx05640—When you configure the CSS for a Layer 5 (L5) content rule and it receives an HTTP method POST with the HTTP header in one packet that is quickly followed by many packets of POST data or payload, it could fail to deliver all the data to the back-end server. The CSS Flow Manager (FM) application could incorrectly handle the POST and the data packet as a spanned content request and could cause the data to be mishandled. Workaround: Use less than 1-Gb connections in the network; a 100-Mb link does not exhibit this issue.

As you can see, after the Content-Length nothing comes across. Sometimes additional stuff will come in, but usually nothing.

Is there a bug related to this on the CSS?

POST /TIXX/DocumentRepository_Service HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/soap+xml;charset=UTF-8;action="urn:ihe:iti:2007:ProvideAndRegisterDocumentSet-b"
User-Agent: Jakarta Commons-HttpClient/3.1
Host: www.xxxxxxxxxxxx.net
Content-Length: 9044
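The question the thread turns on, whether the body announced by Content-Length actually reached the server, can be checked mechanically over the client-to-server bytes of each reassembled TCP stream, on both sides of the CSS. The script below is an added example written for this page, not code from the thread or from Cisco. Its sample requests are constructed for the example (the truncated one reuses the header block quoted above), and it also covers cases the thread does not show: chunked bodies, requests that carry no body, and a header block that was cut before its terminating blank line.

```python
"""Detect truncated HTTP POST bodies in reassembled request streams.

Added example for the thread above, not code from the original post or from
Cisco. It takes the client-to-server side of one TCP stream as a byte string
(as a capture tool would reassemble it) and compares the advertised
Content-Length with the body bytes actually delivered. All sample requests
below are constructed; the truncated one reuses the header block quoted in
the thread.
"""

HEADER_END = b"\r\n\r\n"


def check_request(raw: bytes) -> dict:
    """Classify one reassembled HTTP request.

    Verdicts:
      incomplete-headers  no blank line ends the header block
      chunked             Transfer-Encoding: chunked, so Content-Length does not apply
      no-length           no usable Content-Length (typical for GET)
      complete            body bytes == Content-Length
      truncated           body bytes <  Content-Length (the symptom in the thread)
      excess              body bytes >  Content-Length (pipelined request or noise)
    """
    result = {"request_line": None, "content_length": None,
              "body_bytes": 0, "missing": 0, "verdict": None}
    sep = raw.find(HEADER_END)
    if sep < 0:
        result["verdict"] = "incomplete-headers"
        return result
    head, body = raw[:sep], raw[sep + len(HEADER_END):]
    lines = head.split(b"\r\n")
    result["request_line"] = lines[0].decode("latin-1", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    result["body_bytes"] = len(body)
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        result["verdict"] = "chunked"
        return result
    length = headers.get(b"content-length")
    if length is None or not length.isdigit():
        result["verdict"] = "no-length"
        return result
    expected = int(length)
    result["content_length"] = expected
    if len(body) == expected:
        result["verdict"] = "complete"
    elif len(body) < expected:
        result["verdict"] = "truncated"
        result["missing"] = expected - len(body)
    else:
        result["verdict"] = "excess"
    return result


def summarize(requests) -> dict:
    """Count verdicts over many reassembled requests; returns {verdict: count}."""
    counts = {}
    for raw in requests:
        verdict = check_request(raw)["verdict"]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed samples. The header block of the first one is the one quoted in
# the thread; its 9044-byte body never arrives, which is the reported symptom.
SAMPLE_TRUNCATED = (
    b"POST /TIXX/DocumentRepository_Service HTTP/1.1\r\n"
    b"Accept-Encoding: gzip,deflate\r\n"
    b'Content-Type: application/soap+xml;charset=UTF-8;'
    b'action="urn:ihe:iti:2007:ProvideAndRegisterDocumentSet-b"\r\n'
    b"User-Agent: Jakarta Commons-HttpClient/3.1\r\n"
    b"Host: www.xxxxxxxxxxxx.net\r\n"
    b"Content-Length: 9044\r\n"
    b"\r\n"
)
SAMPLE_COMPLETE = (
    b"POST /TIXX/DocumentRepository_Service HTTP/1.1\r\n"
    b"Host: www.xxxxxxxxxxxx.net\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"<soap:Env/>"
)
SAMPLE_CHUNKED = (
    b"POST /x HTTP/1.1\r\nHost: h\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)
SAMPLE_GET = b"GET /tix/index.html HTTP/1.1\r\nHost: h\r\n\r\n"
SAMPLE_CUT_HEADERS = b"POST /x HTTP/1.1\r\nHost: h\r\nContent-Len"

if __name__ == "__main__":
    for raw in (SAMPLE_TRUNCATED, SAMPLE_COMPLETE, SAMPLE_CHUNKED,
                SAMPLE_GET, SAMPLE_CUT_HEADERS):
        r = check_request(raw)
        print(f"{r['verdict']:<18} {r['request_line']}  "
              f"expected={r['content_length']} got={r['body_bytes']}")
    print(summarize([SAMPLE_TRUNCATED, SAMPLE_COMPLETE, SAMPLE_CHUNKED]))
```

Run it over the client-to-server bytes of the same streams captured in front of the CSS (after decryption, or on the cleartext :80 path Gilles suggests testing) and behind it. A request that comes out complete on one side and truncated on the other localizes the loss to the path through the CSS, which is the definition of the problem he asks for before any config change; a stream full of chunked or no-length verdicts tells you Content-Length is the wrong yardstick for that traffic.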