Some Functionality of Application not working with SSL offload

Unanswered Question
May 5th, 2010

We have a customer who is running an application which is load balanced through CSS, and SSL offloading is performed by CSS. Customer is testing a newer version of the same application through CSS by offloading SSL on CSS, and some of the functionality of the application is not working. The difference between the two versions of the application is that the previous version uses asp and its database is run on MS-SQL2000 server, and the new version which the customer is testing uses aspx with .NET and its database is run on MS-SQL2008 server.

Configuration on CSS is pretty straightforward (443 on front end and port 80 on backend) and it is configured the exact same way as the previous application version is configured.

CSS's are in Box-to-Box redundancy and are one-armed (CSS is running 8.20 code), with SSL module.

Everything works fine on the application with SSL offload except for a search function (search function uses XML to call a java script). As soon as the user invokes the search he gets an error on the web page. (Error is attached to the discussion)

We have tried the following tests and application works fine:

1. Launching the application by directly going to server real IP address on port 443

2. Launching the application by directly going to URL on port 80

3. Launching the application by using vip address on port 80

4. Launching the application by configuring the CSS in passthrough for port 443

Application's search function fails when SSL is offloaded on CSS; otherwise it works fine. We have taken several sniffer captures on client and server side but we have not found anything conclusive that points us to an issue. We have contacted Cisco TAC but they are also not able to debug the issue.

Can somebody help us understand what is going on? (I can provide all the sniffer traces as well as the topology diagram)



Sean Merrow Thu, 05/06/2010 - 06:12

Hi Dev,

The first thing I would want to see is a log of the connection from the browser.  If you use Firefox, then you could use LiveHTTPHeaders for this.  Also, HTTPWatch will work with Internet Explorer or Firefox.  This would allow us to view the decrypted requests and responses from the browser's perspective.  Maybe we can find the problem with that.

If the above doesn't help, then you'll have to get the full boat of data:

  1. Start capturing from the browser tool as mentioned above.
  2. Start a network capture on the client and server side (should be a single capture since one-armed)
  3. Run your test again until you get the failure
  4. Stop the browser capture tool and network capture.

Be sure that your browser is not reusing an existing SSL session ID so that the full SSL handshake is captured.  You may want to change your key and cert for the SSL on the CSS, so that you can send in your key to decrypt the capture.  This may or may not be necessary.


devsharma Thu, 05/06/2010 - 10:08


Thanks a lot for a quick turn around. I have all the data required for troubleshooting. The sniffer traces are quite huge, I am wondering how I can ship it to you. I have data from Fiddler.



Sean Merrow Thu, 05/06/2010 - 13:04


You mentioned in your original post that you had a case open with TAC.  Can you please include the SR number?



