Cisco Support Community

New Member

HTTPS balance without a SSL Module

I have read through the forum and found a couple of threads talking about this issue, but I didn't find a solution to my problem.

I have 2 CSS11503s without SSL modules. I now have a need to balance a KVMoIP system that uses SSL on the servers (currently only 5 concurrent users). My balancing is simply for ease of use for my customers, so they don't have to know the URLs for the primary and secondary servers. Here is what I have right now:

interface 1/1
  bridge vlan 241
  description "to users"

interface 1/2
  description "to servers"
  bridge vlan 700

circuit VLAN700
  ip address 172.20.241.181 255.255.255.192
    ip virtual-router 100 priority 1
    ip redundant-interface 100 172.20.241.183
    ip critical-service 100 css-up-down
    ip critical-reporter 100 css-sc1

circuit VLAN241
  ip address 172.20.241.71 255.255.255.192
    ip virtual-router 1 priority 1
    ip redundant-interface 1 172.20.241.73
    ip redundant-vip 1 172.20.241.100
    ip critical-service 1 css-up-down
    ip critical-reporter 1 css-sc1

service obsidian
  ip address 172.20.241.172
  keepalive port 80
  keepalive type tcp
  active

owner avocent
  content kvm          (Does not work)
    vip address 172.20.241.100
    protocol tcp
    port 443
    add service obsidian

  content kvm_80       (This works)
    protocol tcp
    port 80
    add service obsidian
    vip address 172.20.241.100
    active

HTTP to the server works fine, but HTTPS gets "The page cannot be displayed" when you go to https://172.20.241.100

Thanks for any insight into this issue.

9 REPLIES
Bronze

Re: HTTPS balance without a SSL Module

I would at minimum create a second service for the 443 rule like this:

service obsidian_443
  ip address 172.20.241.172
  keepalive port 443
  keepalive type tcp
  active

and use it for the 443 rule. At least then, when you look at the rule and service, you should see things alive if the 443 part is working fine. By using a service with a keepalive type of 80 on a 443, it kind of gives a false sense of security that the service is up.

Can you give that a try and then let us know the results..

Regards

Pete..

New Member

Re: HTTPS balance without a SSL Module

Boy, do I feel like a noob now!!

I have made so many changes over the last 2 days trying to get this going that I missed one very obvious mistake along the way:

content kvm
  ACTIVE

Pete, thanks for the advice. I have changed my keepalive as you recommended. Everything looks good at this point.

New Member

Re: HTTPS balance without a SSL Module

Hi All.

Must I not configure 'application ssl' in the content rule to support HTTPS??!!

bye joerg

Cisco Employee

Re: HTTPS balance without a SSL Module

Joerg,

it is not mandatory.

This command is required only if you use sticky-ssl. It tells the CSS to interpret the traffic as SSL and look for the SSLID.

If you do not use sticky-ssl then I would recommend not to configure this command.

Gilles.

New Member

Re: HTTPS balance without a SSL Module

Hi Gilles,

I had configured the same stuff as mentioned here before, but it doesn't work. After I configured the app ssl stuff, it works as I want.

Cisco Employee

Re: HTTPS balance without a SSL Module

not needed.

You must have configured stickiness, or it works for other reasons than this command.

Gilles.

New Member

Re: HTTPS balance without a SSL Module

Hi Gill,

That's what I've found:

(config-owner-content) application

To specify the application type associated with the content rule, use the application command. The application type enables the CSS to correctly interpret the data stream matching the content rule and parse it. Otherwise, the data stream packets are rejected. Use the no form of this command to reset the application type to its default setting of HTTP.

application type

no application

Syntax Description

type

Application type. Enter one of the following:

- bypass - Bypasses the matching of the content rule and sends the request directly to the origin server
- http (default) - Processes HTTP data streams
- ftp-control - Processes FTP data streams
- sip - Processes Session Initiation Protocol (SIP) data streams
- ssl - Processes Secure Sockets Layer (SSL) protocol data streams

Cisco Employee

Re: HTTPS balance without a SSL Module

Joerg,

thanks for the info, but it clearly says that this is required if you need to interpret the data.

However, to load balance HTTPS traffic or any TCP traffic, you do not need to interpret the data.

For example, you do not need 'application telnet' to load balance telnet traffic.

As I said, the command is only needed if your CSS is spoofing the connection.

I think if you do not have stickiness and you need 'application ssl', this is because you have configured a url /*, which is a mistake as well since the CSS can't decrypt the traffic.

Configuring the url forces the CSS to spoof the connection, and by default it will try to identify HTTP traffic. Since this is SSL, it fails.

Do you have the url configured?

Gilles.

New Member

Re: HTTPS balance without a SSL Module

Hi Gilles,

Aha, you are right. I had configured url /*; now I have deconfigured it and it's working also without this command.

Thanks for clarifying this and for your help.

bye joerg
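The thread works through three separate mistakes on a pass-through 443 rule: the content rule that was never made active, a service whose keepalive probes port 80 while the rule balances 443, and a url /* (or an unneeded application ssl) that makes the CSS spoof a stream it cannot decrypt. As an added example that is not part of this thread or any Cisco tool, here is a small Python linter for configs written in the same syntax as the posts above that flags all three; the `advanced-balance ssl` spelling used for the sticky-ssl case is an assumption.

```python
# Constructed sample in the thread's own syntax: content "kvm" lacks "active",
# carries url /* on port 443, and its only service's keepalive probes port 80.
SAMPLE = """
service obsidian
  keepalive port 80
  active
owner avocent
  content kvm
    port 443
    url "/*"
    add service obsidian
  content kvm_80
    port 80
    add service obsidian
    active
"""

def parse(text):
    """Collect services and content rules from an indented CSS config."""
    services, contents, cur = {}, {}, {"services": []}
    for p in (l.split() for l in text.splitlines() if l.strip()):
        if p[0] == "service":
            cur = services.setdefault(p[1], {})
        elif p[0] == "content":
            cur = contents.setdefault(p[1], {"services": []})
        elif p[0] in ("owner", "interface", "circuit"):
            cur = {"services": []}  # sink for blocks the checks ignore
        elif p[:2] == ["add", "service"]:
            cur["services"].append(p[2])
        elif len(p) == 1:
            cur[p[0]] = True  # bare keywords such as "active"
        else:
            cur[" ".join(p[:-1])] = p[-1]  # e.g. "keepalive port" -> "80"
    return services, contents

def lint(text):
    services, contents = parse(text)
    out = []
    for name, c in contents.items():
        port = c.get("port")
        if not c.get("active"):
            out.append(f"content {name}: not active")
        if port == "443" and "url" in c:
            out.append(f"content {name}: url on a 443 rule makes the CSS spoof a stream it cannot decrypt")
        if c.get("application") == "ssl" and c.get("advanced-balance") != "ssl":  # advanced-balance ssl assumed as the sticky-ssl command
            out.append(f"content {name}: application ssl without sticky-ssl is unnecessary")
        for s in c["services"]:
            kp = services.get(s, {}).get("keepalive port")
            if kp and port and kp != port:
                out.append(f"content {name}: service {s} keepalive probes port {kp}, rule port is {port}")
    return out
```

Running `lint(SAMPLE)` reports the three findings for content kvm and nothing for kvm_80; the corrected rule from the thread (active, with a service whose keepalive is on 443 and no url) yields no findings.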
