05-22-2007 12:29 PM
Guys, please help...
I have 2 servers sitting behind a CSS 11503 working as a load balancer, and it has an SSL module...
All HTTPS requests coming from Windows XP IE version 6 or 7 are working fine, but when I try from Vista IE it's not working.
Is this problem related to the CSS? Or is it something else on Vista IE?
Thanks in advance
05-23-2007 04:24 AM
Probably best to get a capture. I had a case on this a while ago, but we couldn't ever get to the bottom of it and replicate the issue in the lab.
Could you please post the relevant portion of the SSL-Proxy-List, Services and Content Rule?
From the Vista PC, could you please get the output of "ver" from the command line so I can check the version?
We have a Vista PC in the lab, but haven't been able to replicate this issue.
05-23-2007 04:32 AM
Thanks for your reply.
So what do you suspect in your case or my case?
This is the SSL proxy list:
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list Proxy_list1
ssl-server 20
ssl-server 20 rsacert CERT_SSL_NEW
ssl-server 20 rsakey css2rsakey
ssl-server 20 cipher rsa-export-with-rc4-40-md5 192.168.10.55 80 weight 5
ssl-server 20 vip address 192.168.10.55
ssl-server 20 urlrewrite 22 xxx.yyy.com
active
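A check a reviewer might run against a proxy list like the one posted above, added here as an example and not part of the original thread: it collects the `cipher` entries per `ssl-server` and flags export-grade suites, which only clients that still offer export ciphers can negotiate. The function names and the name-based heuristic are assumptions of this example; the sample config is constructed from the post.

```python
import re

# Constructed sample, modelled on the ssl-proxy-list posted above.
SAMPLE_CONFIG = """\
ssl-proxy-list Proxy_list1
ssl-server 20
ssl-server 20 rsacert CERT_SSL_NEW
ssl-server 20 rsakey css2rsakey
ssl-server 20 cipher rsa-export-with-rc4-40-md5 192.168.10.55 80 weight 5
ssl-server 20 vip address 192.168.10.55
active
"""

SERVER_LINE = re.compile(r"^\s*ssl-server\s+(\d+)\b")
CIPHER_LINE = re.compile(r"^\s*ssl-server\s+\d+\s+cipher\s+(\S+)")


def parse_ciphers(config):
    """Return {ssl-server number: [cipher names]} for every ssl-server seen."""
    servers = {}
    for line in config.splitlines():
        server = SERVER_LINE.match(line)
        if not server:
            continue
        ciphers = servers.setdefault(server.group(1), [])
        cipher = CIPHER_LINE.match(line)
        if cipher:
            ciphers.append(cipher.group(1))
    return servers


def is_export_grade(cipher):
    """Name-based heuristic (assumption): an 'export*' token or a 40-bit key size."""
    tokens = cipher.lower().split("-")
    return any(t.startswith("export") or t == "40" for t in tokens)


def audit(config):
    """Return (server, finding, cipher) tuples; 'export-only' means no other suite is offered."""
    findings = []
    for server, ciphers in sorted(parse_ciphers(config).items()):
        weak = [c for c in ciphers if is_export_grade(c)]
        findings.extend((server, "export-grade", c) for c in weak)
        if weak and len(weak) == len(ciphers):
            findings.append((server, "export-only", None))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
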
05-23-2007 04:51 AM
Thanks Hassan.
That is a very basic SSL config, with no tweaks at all, so it seems very odd.
The previous case we had on this ended up being a Firewall issue, as captures taken on the CSS itself showed packets leaving the CSS, but not being received by the Client.
I'd suggest raising a TAC case to get to the bottom of it so that it can be tracked better and a bug raised if it does look like the CSS.
Essentially, what needs to be done is a capture taken on the CSS by spanning a port (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.50/configuration/routing/guide/Intface.html#wp1099686) and on the client simultaneously, and then tracking down the point of failure.
In the previous case, what we found was that the CSS was sending back the SYN/ACK, but it wasn't being received by the Client. From memory it was being dropped somewhere upstream, and we suspected the firewall, but never fully got to the root cause of it.
If you raise a TAC case during the Australian shift (10am - 4pm Sydney Time or 00:00 - 06:00 GMT), I'll be happy to take a look in more detail and try to replicate in the lab again.
05-23-2007 12:05 PM
Thanks.
As you said the "SSL config is very basic", can you please give me an example of the best config that I can configure or tweak for my case, or a document guide?
And as I understood from what you are saying, it might be a firewall problem as well!
In case of opening a case with a TAC engineer, should I assign the case to the CSS team or the Firewall team?
Thanks,
05-23-2007 06:47 PM
Hi Hassan,
There are a number of buffer tweaks and other options you can do with SSL.
The default values are quite good and designed with HTTP traffic in mind, but you can often get better response rates and throughput by tweaking some of this depending on your application.
Have a look at the following URL for a description and some examples:
Regarding a TAC case, open it with the CSS as the product and we can then get captures and determine the best way to go forward.
08-24-2007 07:11 AM
Hi Guy,
Did you open the case? I have the same problem with a Vista client and I had a look at the bugs but found nothing special.
My release is: SW Version: 08.20.1.01
Thanks a lot
Ira