Cisco Support Community
New Member

HTTPS and SSL with CSS (No SSL Module)

Hi,

My customers have two servers and need to load balance.

These servers initiate SSL.

And the VIP address is:

https://erpappl.erp.mis.blabla.tgc:8005

My CSS has no SSL module. And the configuration is:

service venice
  ip address 10.200.104.32
  protocol tcp
  port 8005
  keepalive type tcp
  keepalive port 8005
  redundant-index 120
  active

service calgary
  ip address 10.200.104.33
  protocol tcp
  port 8005
  keepalive type tcp
  keepalive port 8005
  redundant-index 121
  active

owner ERPAPPL
  content erpapp_test
    add service venice
    add service calgary
    redundant-index 60
    vip address 10.200.104.28
    protocol tcp
    port 8005
    url "/*"
    arrowpoint-cookie expiration 00:00:03:00
    advanced-balance arrowpoint-cookie
    application ssl
    active

After this configuration I cannot reach the URL shown above.

Can you help me?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: HTTPS and SSL with CSS (No SSL Module)

If this is encrypted traffic [HTTPS], the CSS can't see the content of the packet.

So the CSS can't see the URL [-> so the command url "/*" is incorrect and should be removed] and the CSS can't see cookies [so the arrowpoint-cookie command is wrong and should be removed].

If we sell an SSL module, there is a reason :-)

The only sticky options you can use are:

- sticky based on srcip

- sticky on sslid

The first option [srcip] has a problem with mega proxies [many users being NATed with the same IP], and the second option has the problem that it only works with SSLv2 and that some browsers do not use the sslid.

Gilles.
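
The mega-proxy problem described in the answer above, as an added example that is not part of the original thread: a simplified Python model of a sticky table, keyed first on source IP and then on a per-client session ID. The round-robin assignment, the client addresses and the session IDs are constructed assumptions, not the CSS's actual balancing algorithm.

```python
from collections import Counter
from itertools import cycle

# Service names taken from the configuration in the thread.
SERVICES = ["venice", "calgary"]


def balance(connections, key):
    """Assign each connection to a service; equal sticky keys stay together.

    New keys are handed out round-robin. This is a simplified model used
    only to show the effect of the choice of sticky key.
    """
    next_service = cycle(SERVICES)
    sticky_table = {}                      # sticky key -> chosen service
    load = Counter({s: 0 for s in SERVICES})
    for conn in connections:
        k = conn[key]
        if k not in sticky_table:          # first time this key is seen
            sticky_table[k] = next(next_service)
        load[sticky_table[k]] += 1
    return dict(load)


def sample_connections():
    """Constructed sample: 10 direct clients, then 90 users behind one proxy IP."""
    conns = []
    for i in range(10):
        conns.append({"src_ip": f"198.51.100.{i + 1}",
                      "session_id": f"direct-{i}"})
    for i in range(90):
        # Every proxied user reaches the VIP from the same NATed address.
        conns.append({"src_ip": "192.0.2.10",
                      "session_id": f"proxy-{i}"})
    return conns


if __name__ == "__main__":
    conns = sample_connections()
    # Source-IP sticky: the whole proxy population lands on one server.
    print("sticky on src_ip    :", balance(conns, "src_ip"))
    # Per-client key: the same users spread across both servers.
    print("sticky on session_id:", balance(conns, "session_id"))
```
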

New Member

Re: HTTPS and SSL with CSS (No SSL Module)

Thanks for the reply,

I started with the first option :-)

The changed configuration looks like this:

content erpapp_test
  add service venice
  add service calgary
  redundant-index 60
  vip address 10.200.104.28
  protocol tcp
  port 8005
  advanced-balance sticky-srcip
  active

But I still cannot reach the https://10.200.104.28:85 web page.

Is there any mistake?

P.S. How can I add the (- sticky on sslid) row?

New Member

Re: HTTPS and SSL with CSS (No SSL Module)

Hi,

I found the problem.

There was a configuration mistake in the group part.

I used add service instead of add destination service.

I changed it and now it works.

Thanks
