It doesn't work fine with HTTP. I attach the output of the sh flows command on the CSS.
The sh summary increments some values.
I see values incrementing in sh ssl statistics; however, when I type https://192.168.1.1, which is the address of the VIP, I validated the certificate but I have one blank page. My web server has one web page to send.
The purpose of my scenario is to make SSL between client and CSS and HTTP between CSS and servers.
When I type http://192.168.1.1 (VIP address) I have anything in my navigator, but when I type https://192.168.1.1, the navigator asks me to validate the certificate (normally) and after that I don't have the web page of my web server. (This is my problem.)
I will try the commands you send me and I will notify the evolution of my test.
I add in CSS the group clientnat and I put the default gateway of my web server to the address of VRRP. The http://192.168.1.1 works and https://192.168.1.1 works but I don't have a trace on sh flows commands to validate my configuration.
Hi, it looks like you are using the CSS in what is referred to as "one-armed" mode - the users and the servers are all out of the same interface of the CSS.
Gilles' question about working on HTTP is important - you may not have an SSL issue at all. My first step in setting up SSL is to get the load balancing working correctly on http before I even think about SSL.
This is not as elegant as using the CSS as a router between the users and the servers but can be made to work.
The awkward bit is the return traffic.
I will assume routers between users and the CSS/servers to explain what may be happening.
A packet comes in via the router, s=user,d=VIP. That hits the CSS, which does its bit, and forwards it to the server s=user, d=server. The server will receive that - normally this first one will be a TCP SYN, so if OK the server responds with a SYNACK - s=server,d=user. The server will pass that to its default gateway, which will probably be the router, so the user gets a SYNACK from an address it has not sent a SYN to.
Three ways to sort this. One is to create another subnet behind the CSS and put the servers there.
Second is to create a source-group on the CSS to set NAT up so that the packet that gets sent to the server has a source address associated with the CSS so that return traffic goes via the CSS.
The third is to aim the server's default gateway at the CSS address.
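
The return-path problem described in the reply above, as an added sketch that is not part of the original thread: it traces the SYN and SYN-ACK through a one-armed CSS with no fix and with each of the three fixes. Only the VIP 192.168.1.1 comes from the thread; the other addresses and the `handshake` function are constructed for illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst flags")

# Constructed addresses: only the VIP 192.168.1.1 comes from the thread.
USER, VIP = "10.0.0.50", "192.168.1.1"
SERVER, CSS_NAT = "192.168.1.10", "192.168.1.2"

def handshake(fix=None):
    """Trace SYN / SYN-ACK through a one-armed CSS; return (accepted, syn_ack_seen_by_user)."""
    flows = {}  # CSS flow table: (server-side peer, server) -> (user, vip)
    syn = Packet(USER, VIP, "SYN")
    # CSS load-balances: destination VIP -> server; a source group also rewrites the source.
    peer = CSS_NAT if fix == "source_group" else syn.src
    to_server = Packet(peer, SERVER, "SYN")
    flows[(peer, SERVER)] = (syn.src, syn.dst)
    # The server answers whoever the SYN appeared to come from.
    reply = Packet(SERVER, to_server.src, "SYN-ACK")
    # Next hop of the reply: an on-subnet destination is delivered directly,
    # anything else goes to the server's default gateway.
    if reply.dst == CSS_NAT:
        via_css = True  # source group: the reply is addressed to the CSS itself
    else:
        via_css = fix in ("gateway_css", "separate_subnet")
    if via_css:
        user, vip = flows[(reply.dst, reply.src)]
        reply = Packet(vip, user, "SYN-ACK")  # CSS reverses the NAT from its flow entry
    # The user's TCP stack only accepts a SYN-ACK from the address it sent the SYN to.
    return reply.src == syn.dst, reply

if __name__ == "__main__":
    for fix in (None, "separate_subnet", "source_group", "gateway_css"):
        ok, reply = handshake(fix)
        print(f"{str(fix):16} SYN-ACK from {reply.src:13} accepted={ok}")
```
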