Cisco Support Community

New Member

CSS11506 Client to server connection

Hey guys, I currently have 1 CSS11506 terminating 2 SSL connections to 2 backend web servers. However when I sniff the traffic on the web servers I notice that the client is connected directly to them. Once the ARP for the CSS VIP has been completed, the client directly connects via HTTP to the backend server. I need the CSS to handle all backend traffic to the servers and have the client only talk to the CSS.

Any thoughts?

Cheers

Dave

3 REPLIES

Re: CSS11506 Client to server connection

What is the default gateway defined on the servers?

Golden rule to remember: The return traffic should not bypass the load balancer.

If this rule is violated then backend servers can ask clients to use real addresses (not VIP addresses) for requests and hence cause issues.

Syed

New Member

Re: CSS11506 Client to server connection

Hmm, maybe my test setup is flawed here as I currently have the client, CSS and web servers all on the same segment. Figuring once I had that working I would expand the test setup.

More to follow.

Cheers

Dave

New Member

Re: CSS11506 Client to server connection

Here is my config, if you could have a look that would be appreciated.

ip route 0.0.0.0 0.0.0.0 204.101.28.161 1

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 204.101.28.163 255.255.255.224

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssllist2
  ssl-server 95
  ssl-server 95 vip address 204.101.28.166
  ssl-server 95 cipher rsa-with-des-cbc-sha 204.101.28.164 80
  ssl-server 95 cipher rsa-with-3des-ede-cbc-sha 204.101.28.164 80
  ssl-server 95 cipher rsa-with-rc4-128-sha 204.101.28.164 80
  ssl-server 95 cipher rsa-with-rc4-128-md5 204.101.28.164 80
  ssl-server 95 rsacert myrsacert1
  ssl-server 95 rsakey myrsakey1
  ssl-server 95 urlrewrite 22 www.test.com
  ssl-server 96
  ssl-server 96 vip address 204.101.28.167
  ssl-server 96 cipher rsa-with-des-cbc-sha 204.101.28.165 80
  ssl-server 96 cipher rsa-with-3des-ede-cbc-sha 204.101.28.165 80
  ssl-server 96 cipher rsa-with-rc4-128-sha 204.101.28.165 80
  ssl-server 96 cipher rsa-with-rc4-128-md5 204.101.28.165 80
  ssl-server 96 rsacert myrsacert2
  ssl-server 96 rsakey myrsakey2
  ssl-server 96 urlrewrite 23 www.test1.com
  active

!************************** SERVICE **************************
service SSLNEW
  type ssl-accel
  slot 6
  keepalive type none
  add ssl-proxy-list ssllist2
  active

!*************************** OWNER ***************************
owner CMPA
  content SSLNEW1
    vip address 204.101.28.166
    application ssl
    add service SSLNEW
    protocol tcp
    port 443
    active
  content SSLNEW2
    protocol tcp
    vip address 204.101.28.167
    application ssl
    add service SSLNEW
    port 443
    active
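Added example, not part of the thread and not any poster's code: a simplified Python model of the "return traffic should not bypass the load balancer" rule, applied to the addresses in the config above. The client addresses, the server gateway values and the `source_nat` parameter are constructed assumptions; the thread never states the servers' default gateway.

```python
import ipaddress

def reply_next_hop(server_if, server_gw, dst):
    """Next hop a server uses for dst: dst itself if on-link, else its default gateway."""
    iface = ipaddress.ip_interface(server_if)
    dst = ipaddress.ip_address(dst)
    return dst if dst in iface.network else ipaddress.ip_address(server_gw)

def return_path(client, server_if, server_gw, lb_ip, source_nat=False):
    """Classify the server-to-client return path for a load-balanced flow.

    source_nat (hypothetical flag): the load balancer rewrites the client
    source address to its own, so the server's replies are addressed to it.
    """
    if source_nat:
        return "via-lb"
    lb = ipaddress.ip_address(lb_ip)
    hop = reply_next_hop(server_if, server_gw, client)
    if hop == lb:
        return "via-lb"            # server routes replies through the load balancer
    if hop == ipaddress.ip_address(client):
        return "bypass-direct"     # client is on-link: server ARPs for it and replies directly
    return "bypass-gateway"        # replies leave through a router that is not the load balancer

# Addresses from the posted config; everything marked "constructed" is an assumption.
SERVER_IF = "204.101.28.164/27"    # backend server, mask from circuit VLAN1
CSS_IP = "204.101.28.163"          # CSS circuit address
ROUTER = "204.101.28.161"          # CSS default route next hop; assumed as a server gateway
LOCAL_CLIENT = "204.101.28.170"    # constructed: test client on the same segment
REMOTE_CLIENT = "198.51.100.10"    # constructed: client on another network

def scenarios():
    """Return {description: verdict} for the cases the thread touches on."""
    return {
        "same segment, gw=router": return_path(LOCAL_CLIENT, SERVER_IF, ROUTER, CSS_IP),
        "same segment, gw=CSS": return_path(LOCAL_CLIENT, SERVER_IF, CSS_IP, CSS_IP),
        "remote client, gw=router": return_path(REMOTE_CLIENT, SERVER_IF, ROUTER, CSS_IP),
        "remote client, gw=CSS": return_path(REMOTE_CLIENT, SERVER_IF, CSS_IP, CSS_IP),
        "same segment, source NAT": return_path(LOCAL_CLIENT, SERVER_IF, ROUTER, CSS_IP, True),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28s} {verdict}")
```

In this model, pointing the servers' gateway at the CSS does not help while the test client sits on the same segment, because the server never consults its gateway for an on-link destination.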
