Cisco Support Community
New Member

CSM terminating SSL for Outlook Web Access


Be most grateful if anyone is able to offer some insight as to why I can't get this to be sticky - I know it's not working as if I take one of the servers out of service in the serverfarm everything functions as it should, but as soon as I add another back, I get various results, mostly to do with getting shunted back to the login screen after getting a brief glimpse of the main inbox screen, which I think is because part of my test flow is hitting the server that didn't handle the successful login transaction. Initially I also had issues with the 302s the server sends but a url-rewrite policy seems to have sorted those... I tried adding a sticky group to the MAIL-BE vserver but this kills the whole app altogether for some reason. Config snippets below:

From CSM:

serverfarm MAIL-BE
  nat server
  nat client BE_MAIL_NAT
  real name <server1>

  real name <server2>

serverfarm MAIL-FE
  nat server
  nat client FE_MAIL_NAT
  real <ssl module vip ipaddr> local

sticky 2 ssl timeout 60

vserver MAIL-BE
  virtual <ipaddr> any
  serverfarm MAIL-BE
  replicate csrp connection
  persistent rebalance

vserver MAIL-FE
  virtual <ipaddr> tcp https
  serverfarm MAIL-FE
  sticky 60 group 2
  replicate csrp connection
  persistent rebalance

From SSL module on CSM:

ssl-proxy policy url-rewrite MAIL-RED
  url <string>

ssl-proxy service mail-ssl-vip
  virtual ipaddr <ssl module vip ipaddr> protocol tcp port 443 secondary
  server ipaddr <mail-be ipaddr> protocol tcp port 80
  policy url-rewrite MAIL-RED
  certificate rsa general-purpose trustpoint <tp>

Thanks in advance !

Cisco Employee

Re: CSM terminating SSL for Outlook Web Access


It looks like you have the sticky applied to the wrong vserver. You have it tied to the SSL vserver that has only one sslm in the serverfarm. There is no need for sticky here if you only have a single real in the farm.

I think the problem is when you terminate and hit the CSM clear text vip you do not have sticky applied here and that is why you keep bouncing servers. You will need to create a sticky group based on source IP, or cookie and apply it to the clear text vserver your proxy service points to.
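
The change suggested in this reply, written out as an added example (not the poster's final config and not taken from Cisco documentation): a source-IP sticky group attached to the clear-text vserver MAIL-BE, with the SSL sticky dropped from MAIL-FE. Group number 10, the /32 netmask and the 60-minute timeouts are assumed values; the angle-bracket placeholders are the ones from the original post.

```cisco
! Added example. Sticky group id 10, the netmask and the timeouts are assumed.
!
! Before (from the original post): persistence is configured on the HTTPS
! vserver, whose serverfarm holds a single real (the SSL module), so it has
! no effect on which mail server receives the decrypted request.
!
!   sticky 2 ssl timeout 60
!   vserver MAIL-FE
!     sticky 60 group 2
!
! After: MAIL-FE only hands traffic to the SSL module and carries no sticky.
vserver MAIL-FE
  virtual <ipaddr> tcp https
  serverfarm MAIL-FE
  replicate csrp connection
  persistent rebalance
!
! Persistence keyed on the source address, one entry per client (/32).
sticky 10 netmask 255.255.255.255 address source timeout 60
!
! The clear-text vserver that the ssl-proxy service points at
! ("server ipaddr <mail-be ipaddr> protocol tcp port 80") is where the
! choice between <server1> and <server2> is made, so the group goes here.
vserver MAIL-BE
  virtual <ipaddr> any
  serverfarm MAIL-BE
  sticky 60 group 10
  replicate csrp connection
  persistent rebalance
```

Source-IP sticky keys on the address MAIL-BE actually sees, so any client NAT applied before the clear-text hop (such as `nat client FE_MAIL_NAT` on MAIL-FE) makes clients that share a pool address share one sticky entry. `show module csm <slot> sticky` lists the entries the CSM has learned.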



New Member

Re: CSM terminating SSL for Outlook Web Access


Thanks very much for the reply - you are right, the sticky shown above is not needed, I had misunderstood what it was doing until you explained it. When I initially tried to put it on the other vserver instead it broke the flow completely for some unknown reason, but after I cleared all the config out and rebuilt it cleanly in conjunction with no nat client as well, it all works fine. Much obliged for the suggestion, thanks again!

Kind regards, Jake.