12-06-2006 02:13 AM
Hi,
We have a CSS11501 (no SSL module) which we're using to balance SSL connections to three servers. All three servers are "alive" but only two are getting hits:
content Gateway_Other_SSL
vip address 10.48.3.69
application ssl
advanced-balance ssl
protocol tcp
port 443
add service WARWEB102
add service WARWEB104
add service WARWEB103
active
The incoming client connections go through a firewall and then an ISA cluster before being presented to the CSS with one of two source ip addresses (the ISA server ips).
Having looked at the invidual hash entries in the sticky table I can see that all of the connections to one server came from one ISA server, and all of the rest came from the other one.
The sticky stats show hits on SSL rather than L4 but I'm wondering if the CSS is not seeing the SSL session ID and is using L4 fallback instead.
How can I tell if L4 fallback is being used??
12-06-2006 02:16 AM
capture a sniffer trace.
If you can see the SSLID, the CSS also can.
If you can't, then the CSS did a fallback to L4.
Gilles.
12-06-2006 04:57 AM
Thanks, we'll set up a trace.
One more question though, would the sticky stats report fallbacks to L4 as L4 sticky entries or ssl sticky entries?
Our sticky stats are as follows:
DfEE-WWK01-CSS1# sh sticky-stats
Sticky Statistics - SFM Slot 1, Subslot 1:
Total number of new sticky entries is 9490
Total number of sticky table hits is 8857
Total number of sticky rejects (no entry) is 0
Total number of sticky collision is 0
Total number of available sticky entries is 122317
Total number of used sticky entries is 8754
Total L3 sticky entries are 0
Total L4 sticky entries are 0
Total SSL sticky entries are 8754
Total WAP sticky entries are 0
Total number of SIPCID sticky entries is 0
Thanks
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide