
SSL termination and Loadbalancing on the same CSS

Hi,

I am trying to set up a CSS11503 for SSL termination and load-balancing to two servers. I am having problems with slow performance, I think due to stickiness. It would appear that a new SSL session is started for each request. I'll start by describing what I want to happen, and will finish with a description of the current config.

WHAT I WANT:

Connection comes from the internet, and SSL is terminated on a single CSS. CSS then load balances (with stickiness) to one of two IIS servers. The load balancing must not be based on source IP as we potentially would have multiple users from a company coming from the one source NAT.

Once a client is connected, I need them to continue to go to the same IIS server.

i.e. if the user is load balanced to server1, I want all subsequent traffic in that session to go to server1.

The website is run by an application team, so not 100% sure on the setup, but I believe that there are both ASP.NET session cookies and other cookies set, which could be used as the basis for load balancing.

OK, so that's what I want, here is WHAT I HAVE:

The setup is:

website.company.com = x.x.x.x

CSS VIP = y.y.y.y

Server1 IP = a.a.a.a

Server2 IP = b.b.b.b

Firewall has static NAT x.x.x.x <-> y.y.y.y

The network infrastructure is:

INTERNET -- FIREWALL -- CSS VLAN 1 (VIP and FW connect) -- CSS VLAN 2 (Web DMZ) -- Server1, Server2 etc

The relevant CSS config is:

!
content website.company.com_ssl
  application ssl
  vip address y.y.y.y
  add service ssl
  protocol tcp
  port 443
  active
!
content website.company.com_lb
  vip address y.y.y.y
  add service server1
  add service server2
  advanced-balance cookies
  protocol tcp
  port 81
  active
!
! CSS SSL-PROXY-LIST EXCERPT:
  ssl-server 16
  ssl-server 16 vip address y.y.y.y
  ssl-server 16 cipher rsa-with-rc4-128-sha y.y.y.y 81 weight 5
  ssl-server 16 cipher rsa-with-rc4-128-md5 y.y.y.y 81 weight 10
  ssl-server 16 rsacert website_cert
  ssl-server 16 rsakey website_key
!
!
service ssl
  keepalive type none
  slot 3
  type ssl-accel
  add ssl-proxy-list ssl
  active
!
service server1
  ip address a.a.a.a
  keepalive type http
  protocol tcp
  port 81
  active
!
service server2
  ip address b.b.b.b
  keepalive type http
  protocol tcp
  port 81
  active
!

Any help is much appreciated!

Thanks,

Andy
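
Added example (not part of the original post, and not CSS configuration): a small Python simulation of the requirement described above, showing that source-IP stickiness pins every user behind one NAT address to a single server, while cookie-based stickiness spreads users across server1 and server2 and still keeps each session on one server. The NAT address, the cookie values and the balancer class are constructed for illustration; here the balancer issues the cookie itself, whereas in the post's setup the cookie would come from the application.

```python
import hashlib
import secrets
from collections import Counter

SERVERS = ["server1", "server2"]  # service names taken from the post


def pick_by_source_ip(src_ip, servers=SERVERS):
    """Source-IP stickiness: the server depends only on the client address."""
    digest = hashlib.sha256(src_ip.encode()).digest()
    return servers[digest[0] % len(servers)]


class CookieStickyBalancer:
    """Hypothetical balancer: round-robin for new sessions, cookie pins the rest."""

    def __init__(self, servers=SERVERS):
        self.servers = list(servers)
        self.sessions = {}      # cookie value -> server chosen for that session
        self.next_index = 0

    def route(self, cookie=None):
        server = self.sessions.get(cookie)
        if server is None:      # no cookie yet, or a cookie we have never seen
            server = self.servers[self.next_index % len(self.servers)]
            self.next_index += 1
            cookie = cookie or secrets.token_hex(8)   # constructed session id
            self.sessions[cookie] = server
        return server, cookie


def simulate(users=4, requests_per_user=5, nat_ip="203.0.113.10"):
    """All users share one NAT address (constructed); count hits per server."""
    lb = CookieStickyBalancer()
    by_ip, by_cookie, sticky = Counter(), Counter(), True
    for _ in range(users):
        cookie, first = None, None
        for _ in range(requests_per_user):
            by_ip[pick_by_source_ip(nat_ip)] += 1
            server, cookie = lb.route(cookie)
            by_cookie[server] += 1
            first = first or server
            sticky = sticky and server == first
    return dict(by_ip), dict(by_cookie), sticky


if __name__ == "__main__":
    print(simulate())
```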
