Some Functionality of Application not working with SSL offload
We have a customer who is running an application which is load balanced through CSS, and SSL offloading is performed by CSS. The customer is testing a newer version of the same application through CSS by offloading SSL on CSS, and some of the functionality of the application is not working. The difference between the two versions of the application is that the previous version uses asp and its database runs on an MS-SQL2000 server, while the new version, which the customer is testing, uses aspx with .NET and its database runs on an MS-SQL2008 server.
Configuration on CSS is pretty straightforward (443 on front end and port 80 on backend) and it is configured the exact same way as the previous application version is configured.
CSS's are in Box-to-Box redundancy and are one-armed (CSS is running 8.20 code), with SSL module.
Everything works fine on the application with SSL offload except for a search function (the search function uses XML to call a java script). As soon as the user invokes the search, he gets an error on the web page. (Error is attached to the discussion.)
We have tried the following tests and application works fine:
1. Launching the application by directly going to server real IP address on port 443
2. Launching the application by directly going to URL on port 80
3. Launching the application by using vip address on port 80
4. Launching the application by configuring the CSS in passthrough for port 443
Application's search function fails when SSL is offloaded on CSS; otherwise it works fine. We have taken several sniffer captures on client and server side but we have not found anything conclusive that points us to an issue. We have contacted Cisco TAC but they are also not able to debug the issue.
Can somebody help us understand what is going on? (I can provide all the sniffer traces as well as the topology diagram.)
Re: Some Functionality of Application not working with SSL offlo
The first thing I would want to see is a log of the connection from the browser. If you use Firefox, then you could use LiveHTTPHeaders for this. Also, HTTPWatch will work with Internet Explorer or Firefox. This would allow us to view the decrypted requests and responses from the browser's perspective. Maybe we can find the problem with that.
If the above doesn't help, then you'll have to get the full boat of data:
1. Start capturing from the browser tool as mentioned above.
2. Start a network capture on the client and server side (should be a single capture since one-armed).
3. Run your test again until you get the failure.
4. Stop the browser capture tool and network capture.
Be sure that your browser is not reusing an existing SSL session ID so that the full SSL handshake is captured. You may want to change your key and cert for the SSL on the CSS, so that you can send in your key to decrypt the capture. This may or may not be necessary.