05-05-2010 01:54 PM
We have a customer who is running an application which is load balanced through CSS, and SSL offloading is performed by CSS. The customer is testing a newer version of the same application through CSS by offloading SSL on CSS, and some of the functionality of the application is not working. The difference between the two versions of the application is that the previous version uses asp and its database is run on an MS-SQL2000 server, and the new version which the customer is testing uses aspx with .NET and its database is run on an MS-SQL2008 server.
Configuration on CSS is pretty straightforward (443 on front end and port 80 on backend) and it is configured the exact same way as the previous application version is configured.
The CSSs are in Box-to-Box redundancy and are one-armed (CSS is running 8.20 code) with SSL module.
Everything works fine on the application with SSL offload except for a search function (the search function uses XML to call a JavaScript). As soon as the user invokes the search, he gets an error on the web page. (Error is attached to the discussion.)
We have tried the following tests and application works fine:
1. Launching the application by directly going to server real IP address on port 443
2. Launching the application by directly going to URL on port 80
3. Launching the application by using vip address on port 80
4. Launching the application by configuring the CSS in passthrough for port 443
The application's search function fails when SSL is offloaded on CSS; otherwise it works fine. We have taken several sniffer captures on client and server side but we have not found anything conclusive that points us to an issue. We have contacted Cisco TAC but they are also not able to debug the issue.
Can somebody help us understand what is going on? (I can provide all the sniffer traces as well as the topology diagram.)
Regards,
Dev
05-06-2010 06:12 AM
Hi Dev,
The first thing I would want to see is a log of the connection from the browser. If you use Firefox, then you could use LiveHTTPHeaders for this. Also, HTTPWatch will work with Internet Explorer or Firefox. This would allow us to view the decrypted requests and responses from the browser's perspective. Maybe we can find the problem with that.
If the above doesn't help, then you'll have to get the full boat of data:
Be sure that your browser is not reusing an existing SSL session ID so that the full SSL handshake is captured. You may want to change your key and cert for the SSL on the CSS, so that you can send in your key to decrypt the capture. This may or may not be necessary.
Sean
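Added example (not part of the thread, and not Cisco or TAC code): a check for whether a captured handshake is a session-ID resumption, which omits the key exchange and so cannot be decrypted with the server key alone. It assumes SSLv3/TLS 1.0-1.2 session-ID resumption (no session tickets) and a Hello that fits in one record; `hello_session_id`, `is_resumed` and `build_hello` are hypothetical names, and the sample records are constructed.

```python
import struct

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 1, 2

def hello_session_id(record: bytes):
    """Return (handshake_type, session_id) from a TLS record holding a Hello."""
    if len(record) < 5:
        raise ValueError("short TLS record")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    off = 4 + 2 + 32  # handshake header, protocol version, random
    if len(body) <= off or body[0] not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a complete ClientHello/ServerHello")
    sid_len = body[off]
    if sid_len > 32 or len(body) < off + 1 + sid_len:
        raise ValueError("malformed session_id")
    return body[0], body[off + 1:off + 1 + sid_len]

def is_resumed(client_record: bytes, server_record: bytes) -> bool:
    """True when the server echoes the non-empty session ID the client offered."""
    ctype, offered = hello_session_id(client_record)
    stype, chosen = hello_session_id(server_record)
    if (ctype, stype) != (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("expected ClientHello then ServerHello")
    return bool(offered) and offered == chosen

def build_hello(hs_type: int, session_id: bytes) -> bytes:
    """Constructed sample record (zeroed random), for the demo only."""
    tail = b"\x00\x2f\x00" if hs_type == SERVER_HELLO else b"\x00\x02\x00\x2f\x01\x00"
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id + tail
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    old, new = bytes(range(32)), bytes(range(32, 64))
    cases = {
        "fresh browser, full handshake": (b"", new),
        "cached session reused": (old, old),
        "offer rejected, full handshake": (old, new),
    }
    for name, (c_sid, s_sid) in cases.items():
        resumed = is_resumed(build_hello(CLIENT_HELLO, c_sid),
                             build_hello(SERVER_HELLO, s_sid))
        print(f"{name}: {'RESUMED, recapture' if resumed else 'full handshake'}")
```
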
05-06-2010 10:08 AM
Sean,
Thanks a lot for a quick turn around. I have all the data required for troubleshooting. The sniffer traces are quite huge, I am wondering how I can ship it to you. I have data from Fiddler.
Regards,
Dev
05-06-2010 01:04 PM
Dev,
You mentioned in your original post that you had a case open with TAC. Can you please include the SR number?
Thanks,
Sean
05-06-2010 10:54 PM
Sean,
The TAC case number is