
New Member

CSS 11050 and SSL handling

Environment:

Client (HTTPS) -> Internet/FW -> CSS public VIP -> HTTPS web servers = SSL terminators

In the ordinary situation, e.g. HTTP traffic to a web server through the CSS, the CSS spoofs the TCP session, establishes which backend server is best, then makes a TCP session with that server and forwards the first HTTP GET.

In the case of Client -> CSS -> SCA (which can be considered the "server" because it terminates SSL), Cisco says the CSS transparently forwards the first TCP SYN to the SCA = "server". So, there is no session spoofing?

What is the real behavior when a client makes an HTTPS port 443 session to the VIP?

Thanks

1 REPLY
Cisco Employee

Re: CSS 11050 and SSL handling

let me correct what you said.

The CSS does not always spoof a session for HTTP traffic.

The CSS will spoof a session if it needs to see information not contained in the SYN to make its load-balancing decision.

So, for a Layer 3 or Layer 4 content rule, where the CSS does load balancing based on IP addresses or TCP ports, the CSS doesn't spoof the connection.

If the CSS needs to see the URL or a cookie to decide where to forward the connection, it will spoof the connection.

For the case of HTTPS, if we do SSL ID stickiness, the CSS will spoof the connection. Otherwise, we can simply load balance without spoofing.

I hope this is clear enough.

Gilles.
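A small model of the rule described in the reply above, added here as an illustration and not code from Cisco or the CSS: a rule that only needs IP/port information binds on the SYN, while URL, cookie or SSL ID stickiness forces the CSS to complete the client handshake first, because the SSL session ID only arrives in the ClientHello. The criteria names, the constructed ClientHello bytes and the byte-sum server choice are this example's own assumptions.

```python
from typing import Optional

# Criteria that are not in the SYN, so the CSS must spoof (complete the client
# handshake itself) before it can choose a server. Names are this model's own.
PAYLOAD_CRITERIA = {"url", "cookie", "ssl-id"}

def needs_spoof(criteria: set) -> bool:
    """L3/L4 rules (IP, port) bind on the SYN; anything else needs payload."""
    return bool(criteria & PAYLOAD_CRITERIA)

def build_client_hello(session_id: bytes) -> bytes:
    """Constructed TLS 1.0 ClientHello record (sample data, not a capture)."""
    body = b"\x03\x01" + b"\x11" * 32 + bytes([len(session_id)]) + session_id
    body += b"\x00\x04\x00\x2f\x00\x35" + b"\x01\x00"  # 2 cipher suites, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def ssl_session_id(payload: bytes) -> Optional[bytes]:
    """Return the session_id from a ClientHello, or None if payload is not one.
    Offsets: record hdr 5 + handshake hdr 4 + version 2 + random 32 = 43."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    sid_len = payload[43]
    sid = payload[44:44 + sid_len]
    return sid if len(sid) == sid_len else None

def pick_server(criteria: set, client_ip: str, first_payload: bytes = None,
                servers=("10.0.0.1", "10.0.0.2")):
    """Return (action, server). 'forward-syn' means the SYN went straight to the
    chosen server; 'spoofed' means the CSS read the first payload before binding.
    Server choice is a toy byte-sum hash, not the CSS's real balancing method."""
    key = client_ip.encode()
    action = "forward-syn"
    if needs_spoof(criteria):
        action = "spoofed"
        if first_payload is None:
            raise ValueError("spoofed rule needs the client's first payload")
        if "ssl-id" in criteria:
            sid = ssl_session_id(first_payload)
            if sid:  # empty/absent ID means a new SSL session: nothing to stick to
                key = sid
        else:
            key = first_payload.split(b"\r\n", 1)[0]  # request line; cookie lookup omitted
    return action, servers[sum(key) % len(servers)]
```

Note that a ClientHello with an empty session ID (a brand-new SSL session) still costs the spoofed handshake, even though there is nothing yet to stick to.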
