Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

CSS Sorry Server for HTTPS

How to configure Sorry server for HTTPS (443) port. Sorry server works fine with HTTP, But not with 443

In the following config if server1 and server2 are down, the HTTP requests goes to the Sorry Server, but for HTTPS nothing is displayed. I am running the sorry server on port 81

Please suggest

!************************** SERVICE **************************

service prisorry

ip address 10.100.11.11

keepalive type http

keepalive port 81

port 81

active

service secsorry

ip address 10.100.11.12

keepalive port 81

keepalive type http

port 81

active

service server1

ip address 10.100.11.11

keepalive type http

keepalive port 80

active

service server2

ip address 10.100.11.12

keepalive type http

keepalive port 80

active

!*************************** OWNER ***************************

owner Loadbalancing

content L4Rule1

protocol tcp

add service server2

add service server1

port 80

url "/*"

vip address 10.100.11.4

advanced-balance sticky-srcip-dstport

primarySorryServer prisorry

secondarySorryServer secsorry

active

content L4Rule2

protocol tcp

add service server2

port 443

add service server1

vip address 10.100.11.4

advanced-balance sticky-srcip-dstport

primarySorryServer prisorry

secondarySorryServer secsorry

application ssl

active

content L4Rule3

add service server2

protocol tcp

port 1443

add service server1

vip address 10.100.11.4

advanced-balance sticky-srcip-dstport

primarySorryServer prisorry

secondarySorryServer secsorry

active

Thanks

  • Application Networking
4 REPLIES
Bronze

Re: CSS Sorry Server for HTTPS

I just deployed a couple 11050's the other day so my experience is limited, but I'd guess your problem is that, when using the Primary Sorry Server, you end up with clients sending HTTPS requests to an HTTP port. Having HTTPS requests redirected to HTTP ports is one thing because the client then makes an HTTP request to that port, but the way you have it above, it appears to me that the client will be talking HTTPS to port 81 on the Sorry Server, which is listening for HTTP.

New Member

Re: CSS Sorry Server for HTTPS

Thanks for your input.

Any suggestion how can I make the HTTPS request to hit SORRY SERVER on port 81 if the main service is down. I can run Sorry server only on this port 81

Please suggest.

Bronze

Re: CSS Sorry Server for HTTPS

Actually, looking at your config again, you have the same services in both the HTTP and HTTPS content rules. The services are both HTTP, right? If so, sending HTTPS requests to them won't work for the same reason that it won't work for the sorry servers.

What exactly are you trying to accomplish with the SSL content rules? Are either of the services able to service SSL requests on port 80?

New Member

Re: CSS Sorry Server for HTTPS

I also have had this problem. The way to do this simply (heh) is to use an SSL Offloading device like the SCA in a one-armed configuration. This way when the cleartext port 80 traffic comes back to your CSS, you can then provide a redirect if your servers are all down and the SCA can re-encrypt the packet before it goes back to the client.

Hope this helps!

Craig

216
Views
4
Helpful
4
Replies
This widget could not be displayed.