
SSL Sticky on Local Director 417

kham.nguyen
Level 1

We have a Local Director 417 with 4 servers behind it. We require stateful SSL sessions for our web application that runs on our web servers. Currently we are using Generic SSL, but a vast majority of our clients are sitting behind Server Load Balancing Proxies. Thus, their IP addresses have a tendency to change and cause their session to terminate.

As an alternative, we decided to use the Sticky SSL. However, upon testing we cannot get this to work at all when the client connects through a proxy. From the LD's point of view, I can see an SSL Proxy connection being initiated (show conns), but running traces from the servers shows no communication b/w the LD and the server for that session. Eventually the connection times out. From the client's point of view, I can see a connection to the proxy being established, but eventually a "HTTP 1.0 500 error from proxy" is returned.

One other scenario I tested was to bypass the local proxy. When I do this, the connection is established and the SSL Sticky seems to work fine. However, I cannot expect the clients to "bypass" their proxy in order to gain access to our web apps.

Has anyone else seen this problem?

3 Replies

Gilles Dufour
Cisco Employee

The LD will proxy the SSL connection since it needs to see the SSL ID before choosing the real server.

If you don't see a connection coming to the real server, it means the SSL negotiation between the LD and the proxy failed.

Could you capture a trace between these 2 devices?

Do you have a default route on the LD to route back to the proxy?

What's your software version?

Thanks,

Gilles.

Capturing b/w these 2 devices is the one piece I don't have. It would require the assistance of another group in our environment...not an easy task, but I agree it's something that will need to be done to see exactly what is going on.

I have not set up any sort of route within the LD.

Software version is 4.2.5 (latest version).

Question: Would the Cisco CSS Switch resolve the problem we are currently seeing with session states being dropped when using Generic Sticky?

You mentioned a default route on the LD.

Well, I did not have one set in the LD and after I set it, the SSL sticky started to work.

Thank you for your assistance, it is much appreciated!

Thanks,

Kham
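
The reply above says the LD has to see the SSL ID before choosing a real server. The following is an added example, not part of the original thread and not LocalDirector code: a sketch of session-ID stickiness that reads the ID from the hello messages, which only arrive after the balancer has itself completed the TCP handshake with the client. The server names, `StickyTable` and `build_hello` are hypothetical, and the sample records are constructed.

```python
import itertools
import struct

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02

def hello_session_id(record: bytes, hello_type: int) -> bytes:
    """Return the session ID from an SSLv3/TLS ClientHello or ServerHello record."""
    if len(record) < 5 + 4 + 2 + 32 + 1:
        raise ValueError("record too short for a hello message")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or record[5] != hello_type:
        raise ValueError("not the expected handshake message")
    if rec_len > len(record) - 5:
        raise ValueError("truncated record")
    # Skip 5-byte record header, 4-byte handshake header, 2-byte version, 32-byte random.
    off = 5 + 4 + 2 + 32
    sid_len = record[off]
    if sid_len > 32 or off + 1 + sid_len > 5 + rec_len:
        raise ValueError("bad session ID length")
    return record[off + 1 : off + 1 + sid_len]

class StickyTable:
    """Maps SSL session IDs to real servers (hypothetical helper)."""

    def __init__(self, servers):
        self._next = itertools.cycle(servers)
        self._by_sid = {}

    def route(self, client_hello: bytes) -> str:
        sid = hello_session_id(client_hello, CLIENT_HELLO)
        # An empty or unknown ID is a new session: balance it normally.
        return self._by_sid.get(sid) or next(self._next)

    def learn(self, server_hello: bytes, server: str) -> None:
        # The real server assigns the ID in its ServerHello; remember who issued it.
        sid = hello_session_id(server_hello, SERVER_HELLO)
        if sid:
            self._by_sid[sid] = server

def build_hello(hello_type: int, sid: bytes) -> bytes:
    """Constructed sample record: SSL 3.0, zeroed random, no trailing fields."""
    body = b"\x03\x00" + bytes(32) + bytes([len(sid)]) + sid
    hs = bytes([hello_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0300, len(hs)) + hs
```

Because the key is the session ID rather than the source address, a resumed session reaches the same server even when the client's proxy address changes.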
