New Member

One Armed Config with CSS and SCA 11000 series

I am trying to use the One-armed transparent proxy config found in the SCA 11000 series manual with the One-Armed config for a CSS 11000 series load balancer. I have one SCA hanging off one CSS, and I'm balancing 3 IIS webservers that are connected to a switch. The CSS is also connected to the same switch. The site uses an http:// entry that redirects to an https:// page. I am not using any ACLs, and everything is on the same subnet.

Right now, if I make an http (port 80) request I hit the CSS and the content rule sends it to a webserver that redirects to a https (443) page. This sends me back to the CSS and off to the SCA, where I get my cert. The SCA then goes back to the CSS on port 81 where it hits a content rule for the VIP and port 81 which sends it to one of the webservers. However, this is where the page hangs and eventually times out. It never gets back to the webservers, but it hits the content rule. Any ideas on what I'm doing wrong?

3 REPLIES
New Member

Re: One Armed Config with CSS and SCA 11000 series

This is most likely because the physical return path from the real servers does not go through the CSS, but direct to the router connected to the layer 2 switch. The end result is the client drops the response because the response packet source IP address and port do not match what the client connected to. Connect the real servers and the router directly to the CSS ports if possible.

An alternative may be to create a source group for each non-SSL-encrypted VIP on the CSS. Under each, add a destination service for all services using that content rule VIP. This will make all sessions look like the CSS circuit address is the client source, therefore forcing all traffic to be returned to/through the CSS. This method will load the CSS, so it is not ideal, and obviously can't be done for the SSL sessions before the SCA.

awo
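
The return-path mismatch described in the reply above, as a simplified model (an added example, not part of the original post and not Cisco configuration). All addresses are constructed, and the class and function names are hypothetical; port 81 is the one from the question.

```python
# Simplified model of a one-armed load balancer on a shared subnet.
# Addresses are constructed (documentation range); names are hypothetical.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

VIP, CSS_ADDR = "192.0.2.10", "192.0.2.2"   # VIP and CSS circuit address
REAL = "192.0.2.21"                         # one real web server
CLIENT = "192.0.2.50"                       # host that opened the connection


class CSS:
    def __init__(self, source_group=False):
        self.source_group = source_group
        self.flows = {}            # packet as seen by the server -> original
        self.next_port = 20000

    def forward(self, pkt):
        """Rewrite VIP to the real server; with a source group, also the source."""
        src, sport = pkt.src, pkt.sport
        if self.source_group:
            src, sport = CSS_ADDR, self.next_port
            self.next_port += 1
        out = Packet(src, sport, REAL, pkt.dport)
        self.flows[out] = pkt
        return out

    def reverse(self, reply):
        """Undo the translations on a reply that actually reaches the CSS."""
        orig = self.flows[Packet(reply.dst, reply.dport, reply.src, reply.sport)]
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def server_reply(pkt):
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def client_accepts(request, reply):
    """An endpoint only matches a reply from the address/port it connected to."""
    return reply == Packet(request.dst, request.dport, request.src, request.sport)


def run(source_group):
    css = CSS(source_group)
    request = Packet(CLIENT, 40000, VIP, 81)
    reply = server_reply(css.forward(request))
    # The server answers whatever source address it saw; only replies
    # addressed to the CSS pass back through it and get translated.
    if reply.dst == CSS_ADDR:
        reply = css.reverse(reply)
    return client_accepts(request, reply), reply
```

`run(False)` returns a reply sourced from the real server's address, which the connecting host cannot match to its session; `run(True)` returns a reply sourced from the VIP on port 81.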
New Member

Re: One Armed Config with CSS and SCA 11000 series

You need to paste your config from the CSS and SCA here.

Remember to remove the cert bodies....

Also, some networking description will be useful,

mostly LAN side and WAN side,

and mostly HTTP server stack configuration 8-)

New Member

Re: One Armed Config with CSS and SCA 11000 series

If you are in a one-armed config you don't want to use the transparent proxy.

I had the same issues; once I did this it worked just fine.

(config[SCA101])# ssl

(config-ssl[SCA101])# server test-monster

(config-ssl-server[test-monster])# no transparent

(config-ssl-server[test-monster])# exit

(config-ssl[SCA101])# exit
