11503 Loadbalance SSL sticky and HTTP not sticky to proxy-cache

Similar Messages

• Only HTTPS requests are working for SOAP Sender and HTTP not working

  wHi Experts,
  We have enabled our HTTPS port ( SSL ) in NWA -- >> Security -- >> SSL and Key stores. So understanding is HTTPS port is now enabled on top of HTTP. So PI should be able to cater requests at both ports.
  Now, we have developed a synchronous SOAP to RFC scenario and downloaded WSDL file. This file has both links -
  a. http:<host>:<port>
  b. https:<host>:<port>
  We intend to make a PI system where both ports can work. Now questions.
  1. When we test web service exposed from PI using SOAPUI tool, only HTTPS works fine and gets the response back. If we try HTTP URL, an error is encountered - HTTTPS scheme is required.
  2. Is this whole understanding that both ports  ( HTTP, HTTPS ) should be able to operate simultaneously correct ? Or this is not at all possible ?
  3. In SOAP Sender, we tried selecting all 3 options - 1. HTTP 2. HTTPS without client authentication 3. HTTPS with client authentication.
     None of the options have any effect on testing, Each time, only HTTPS request works and HTTP doesn't.
  Can anyone please provide some hints for troubleshooting ?
  Thanks..
  regards,
  Rajagopal.

  The error "HTTPS scheme is required" is normally returned when the HTTP Security Level on the SOAP adapter is not set to "HTTP". I can see you have mentioned you have tried all these, maybe a cache refresh has gone wrong? Could try recreating the channel with just HTTP specified as security level and this should allow HTTP or HTTPS
  I assume you are using a different port number for  your HTTP and HTTPS requests from SOAP UI. Normally the HTTPS port is the same as the HTTP port number but the final zero changed to a 1 i.e. https://<host>:50001 instead of http://<host>:50000.
  You should be able to confirm both HTTP and HTTPS work OK by loading some of the system webpages in a browser over HTTP and over HTTPS i.e. http://<host>:<port>/nwa and https://<host>:<port>/nwa
  Chris

• Www and http not displaying in pdf files converted from MS Word

  When I convert a Word document to pdf using Acrobat Pro 9.0, the website addresses do not display correctly. For instance, if my document shows www.website.com - then the pdf only displays .website.com. Also, if I have the http://www.website.com - I get ://www.website.com. Please HELP! I remember having this problem when I used the trial version of Acrobat 9.0, but stumbled upon the solution. I can't figure it out this time.

  You'll want to ask your question in the Acrobat forum rather than here in the Reader forum.

• Sites keep asking for username and password and say "restricted". I've tried numerous fixes and am not using a proxy.

  Hi,
  I wonder if someone could help me please.
  I have an issue that extends across my browsers – Firefox and Internet Explorer (Firefox is default) and both are the latest version possible. My machine is fully patched (Win7 Pro x64 SP2).
  The issue is as shown below:
  'The site xxxx is requesting a user name and password. The site says: "restricted"’
  The happens for some (not all) sites and I have to click “cancel” twice to remove the dialogue box, and then the site appears and works normally for a little while. The box will come up again if I attempt to click any links within the same site. It’s incredibly annoying and has been frustrating me for the past month. Here’s what I have tried so far, but hasn’t resolved the issue:<br />
  <br />
  • Clearing Firefox cache/history manually (set to never remember anything)<br />
  • Tried checking/unchecking private browsing<br />
  • Made sure “accept 3rd party cookies” is enabled<br />
  • Tried all checkboxes for “no proxy”, “use system proxy” and “auto detect system proxy” etc<br />
  • Disabled all add-ons/extensions within Firefox and retried<br />
  • Performed the option to “Reset Firefox” to its default state from within “Troubleshooting”<br />
  • Completely uninstalled and re-installed Firefox (latest version)<br />
  • Went to the URL "about:config" and searched for the key "network.websocket.enabled" and switched it to "false".<br />
  • Went to the URL "about:config" and searched for the key "network.proxy.share_proxy_settings" and switched it to "false".<br />
  • Went to the URL "about:config" and searched for the key "network.automatic-ntlm-auth.allow-proxies" and switched it to "false".<br />
  • Run a full AV scan in safe mode (with latest definition files) using Avira Antivirus, Spybot Search & Destroy, MalwareBytes, Super Antispyware and performed full optimisations via Registry Mechanic, Tune-up Utilities 2013 and CC Cleaner (with CC Extender installed). No threats found.<br />
  None of the above has helped. The problem is only recent so I’m not entirely sure what’s changed.
  Does anyone have any ideas or suggestions? I seem to have exhausted my ability to diagnose the fault via the god of Google 
  Regards
  Malachor

  It is always best to avoid using such external cleaners as you can never be sure if they aren't corrupting files and it is usually not worth the trouble to repair damage if that is the case. A lot of the SQLite database files use a complicated table setup that can easily get corrupted.

• After syncing Firefox with my Android phone, Google calendar is not functional. It hangs on "Loading" and will not allow updates or edits. Calendar works in IE, just not Firefox on any computer. Clearing cookies and cache no help.

  I synced Firefox with my Droid Razr Maxx Firefox. Now Google Calendar hangs on "Loading" and will not function. Clearing cache and cookies does not help. Works the same on any computer Firefox. But Gmail works fine and Calendar is okay under other browsers.

  Do a malware check with some malware scanning programs on the Windows computer.<br />
  You need to scan with all programs because each program detects different malware.<br />
  Make sure that you update each program to get the latest version of their databases before doing a scan.<br /><br />
  *http://www.malwarebytes.org/mbam.php - Malwarebytes' Anti-Malware
  *http://www.superantispyware.com/ - SuperAntispyware
  *http://www.microsoft.com/security/scanner/en-us/default.aspx - Microsoft Safety Scanner
  *http://www.microsoft.com/windows/products/winfamily/defender/default.mspx - Windows Defender: Home Page
  *http://www.safer-networking.org/en/index.html - Spybot Search & Destroy
  *http://www.lavasoft.com/products/ad_aware_free.php - Ad-Aware Free
  See also:
  *"Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked

• Load Balance Reverse Poxy using ACE and HTTP Header Sticky

  Dear all,
  I have a reverse proxy that makes HTTP and HTTPS requests to an ACE.
  For implement persistence I want to configure HTTP HEADER Stickyness using the X-Forwarder-For information but I don't know:
  How to implement it ( I'l apreciate a little example about it).
  Which values I need for OFFSET and LENGHT fields.
  Can you help me please?
  Thanks a lot!!

  Hi Cesar.
  Thanks a lot for your answer but I think you misunderstand the question or I'm not explaninig very well
  I don't need to insert anything.
  The serverfarm X will be accesed by a reverse proxy. This reverse proxy already inserts the X-Forearder-From header, so the request from the reverse proxy comes with this header to the serverfarm X.
  The problem is that now, the serverfarm X sticky the client based on source IP. This is a wrong behavior becasue all the request comes form the same source (Reverse proxy) and all the load forwards to the same real IP address.
  This is because I want to change the sticky from source IP to HTTP header and looks for the X-Forwarder-For filed.
  Hop it will clarify the question!

• Both http and https on struts in tomcat using SSL

  I want to apply both http and https as need, on a single web application on struts. My server is tomcat. I need a complete documentation. Some help me please.

  If you are terminating SSL on ACE then there is no way to do it with one policy because of ssl-proxy command. However it is possible to use same serverfarms with two VIP like this:
  access-list ACL line 10 extended permit ip any any
  rserver host TEST
    ip address 20.20.2.11
    inservice
  serverfarm host TEST
    rserver TEST
      inservice
  ssl-proxy service SSL_SERVER
    key KEY12.PEM
    cert CERT12.PEM
  class-map match-any SSL
    2 match virtual-address 10.10.2.101 tcp eq https
  class-map match-any HTTP
    2 match virtual-address 10.10.2.101 tcp eq http
  policy-map type loadbalance first-match L7_POL
     class class-default
       serverfarm TEST
  policy-map multi-match L7
     class SSL
       loadbalance vip inservice
       loadbalance policy L7_POL
       loadbalance vip icmp-reply
       ssl-proxy server SSL_SERVER
      class HTTP
      loadbalance vip inservice
      loadbalance policy L7_POL
      loadbalance vip icmp-reply
  interface vlan 210
     ip address 10.10.2.1 255.255.255.0
     service-policy input L7
     access-group input ACL
     no shutdown
  interface vlan 220
     ip address 20.20.2.1 255.255.255.0
     no shutdown
  ip route 0.0.0.0 0.0.0.0 10.90.15.1
  However, if you are not doing SSL termination on ACE and you are just doing L4 load-balancing, you will most likely need to configure SSL stickiness, which again leads to having separate policies because of the sticky serverfarms which need separate loadbalance policy lines.

• CSS - SSL Stickiness

  Gilles,
  Could you please advice the CSS content configured with stickiness SSL ID and balance method round robin is recommended configuration or not.Are there are any issues with SSL stickiness with the browsers i.e IE .
  Note:- I am not using SSL Module in the CSS.
  Thanks in advance...

  There are two issues
  Some versions of IE (5.0, 5.5 --check http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q265369) will
  cause the client to change its SSL ID every 2 minutes and this will break
  stickyness with application ssl and advanced balance SSL as this is layer 5
  stickyness based on SSL session ID. A sniffer trace from the client will
  show the ID field change.
  You have to be aware that SSL stickiness will only work with SSL v3,
  because it comes with the session ID not encrypted. SSL v2 comes with the session ID encrypted and you can't do stickyness
  based on that version.So your appliaction servers must be using SSL v3, if you want to use SSL ID based stickiness.
  Hope it helps
  Syed Iftekhar Ahmed

• SSL Sticky feature...

  We were trying SSL Sticky feature with two real http servers and it
  does not seem to work..
  When i configure ssl sticky for the https VIP, it apparently, sticks
  the connection to the first leg i.e, the SSL Termination. However, the
  second leg i.e, the decrypted session between the SSL card and real
  server are not sticking together.. I am not
  sure if this is supported in the first place.., Can someone confirm this please..? and you if you have some working configuration, please share..

  Btw, I am looking for a CSM-S config, but a CSM with SSLM config will help as well..
  Thanks

• Trying to understand SSL sticky with CSS 11506 / ssl-l4-fallback behavior

  Dear experts
  I have a CSS 11506 (v7.50) which is used to load balance several SSL-based sites. We use the following textbook content rule:
  content mysite-SSL
  vip address 10.0.0.1
  add service s01
  add service s02
  add service s03
  port 443
  protocol tcp
  advanced-balance ssl
  application ssl
  flow-timeout-multiplier 225
  active
  If I read the manual correctly, SSL L3 session IDs are going to be used till a flow is set up. Then the ssl-l4-fallback (it is enabled) directive kicks in and load balancing is done based on the source IP, destination port.
  However, my stats show:
  Sticky Statistics - SFM Slot 1, Subslot 1:
  Total number of new sticky entries is 4937735
  Total number of sticky table hits is 33476045
  Total number of sticky rejects (no entry) is 0
  Total number of sticky collision is 0
  Total number of available sticky entries is 0
  Total number of used sticky entries is 131071
  Total L3 sticky entries are 131
  Total L4 sticky entries are 0
  Total SSL sticky entries are 130940
  Total WAP sticky entries are 0
  Total number of SIPCID sticky entries is 0
  So, why don't I see anything in the L4 sticky entries?
  Also, I would expect that once the ssl-l4-fallback kicks in, a client will be always directed to the same server (since the CSS uses now source IP, dest port for load balancing). However, if I close and start again my browser I hit a different server.
  Your thoughts and suggestions are highly appreciated.
  John.

  Hi Gilles
  Thank you for your response. If I may ask the group for a final further clarification, so as to put this matter to rest. Since there are a lot of frames transmitted in either direction, I would expect the following to be happening and overriding the use of SSLv3 session IDs. Following is the section of the manual that seems to contradict what you say (and I see on the stats). Am I reading the manual wrong?
  "Cisco Content Services Switch
  Content Load-Balancing
  Configuration Guide
  Software Version 8.20
  November 2006
  page 11-14
  Configuring SSL-Layer 4 Fallback
  Insertion of the Layer 4 hash value into the sticky table occurs when more than
  three frames are transmitted in either direction (client-to-server, server-to-client)
  or if SSL version 2 is in use on the network. If either condition occurs, the CSS
  inserts the Layer 4 hash value into the sticky table, overriding the further use of
  the SSL version 3 session ID."

• WWSAPI - Cannot connect to web service via SSL and HTTP proxy authentication with NTLM, errorCode 0x803d0016, HTTP status 407

  Hi,
  I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, then I get the errorCode
  0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
  In WireShark I see only one HTTP request to connect to the proxy with NTLM Message Type: NTLMSSP_NEGOTIATE. The HTTP Response returns Status 407 and the connection ist closed. Comparing this to Internet Explorer - the Connection is not closed and
  a second request with NTLMSSP_AUTH is sent.
  Why doesn't it make the complete NTLM handshake? Why wasn't sent the NTLMSSP_AUTH directly?
  I oriented in the HttpCalculatorWithKerberosOverSslClientExample.
  Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING,
  WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
  Any idea?
  Thanks

  Hi,
  I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, then I get the errorCode
  0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
  In WireShark I see only one HTTP request to connect to the proxy with NTLM Message Type: NTLMSSP_NEGOTIATE. The HTTP Response returns Status 407 and the connection ist closed. Comparing this to Internet Explorer - the Connection is not closed and
  a second request with NTLMSSP_AUTH is sent.
  Why doesn't it make the complete NTLM handshake? Why wasn't sent the NTLMSSP_AUTH directly?
  I oriented in the HttpCalculatorWithKerberosOverSslClientExample.
  Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING,
  WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
  Any idea?
  Thanks

• My email provider uses no encryption (no SSL), and does not require me to log onto SMTP with username/password. If I do, it doesn't configure. Please help. NICK

  Have never struck this before. Usually email apps give the choice of "No Encryption" (as against SSL). My system will not brook encryption in this form. Also, when setting up SMTP, there is an option for username and password NOT to be added every time the email is accessed. Yet this app requests that you do. If so, then my emails will not work in this form. Other than that, I like it! :-) NICK

  Hey there,
  Thank you for contacting Mozilla! I understand that you are having problems with accessing email on your phone. In order to better understand and investigate on the issue that you are encountering, please reply to this message with the following information:
  * What is the model of your phone?
  * What is the OS version found in the Device Information page? Please visit [http://mzl.la/Gzz6Kp this link] if you need help finding the Build ID of your phone.
  * Please provide the exact steps to reproduce the issue you are encountering.
  * Who is your current cell phone carrier?
  * How often do you encounter this issue?
  Please be sure to include as much detail as possible, including any websites that may exhibit this issue, and any error messages that you may be receiving, exactly as they appear. This will ensure that we will have all the information needed to investigate into this. Thank you for your help and we look forward to hearing from you!
  Curtis Parfitt-Ford
  Mozilla Support

• The SSL support feature is not properly configured. Https is not available.

  Hi all
  We get the following warning message even though we are not using SSL.
  "The SSL support feature is not properly configured. Https is not available."
  I tried with the following parameter set to false in the MobileEngine.config, still the same warning occurs for each synchronization done. But the sync works fine. 
  MobileEngine.Security.SSLSupport=false
  Had any body come accross this one, if so please let me know.
  Thanks
  Raj

  Hi Raj
      The error "The SSL support feature is not properly configured. Https is not available" will not cause any problems for you during synchronization.  The reason that this error is displayed is due to the fact that by default MI is configured to support HTTPS Synchronization and not HTTP. This is because it is recommeded to use HTTPS sync inorder to transmit data in a secure manner and this is very necessary in customer production system.  This so called error will not have any impact on sync but is just an information to the administrator.  This can be disabled by the use of parameter <b><i>MobileEngine.Security.SSLSupport=false</i></b> but make sure that this parameter is set to false even before performing the first sync i.e before obtaining a device id.  If you set this value to false after performing some syncs, the error is still visibile in either the Web Console or the NetWeaver Administrator because it would have been sent by the previous sync and these statments are retained and never purged.  Hope this helps and clarifies your doubts.
  Best Regards
  Sivakumar

• Http not forwarded as https by ssl

  I have the following problem with my serverfarm:
  http flow initiated from a serverfarm is not being handled by the load balanced ssl blades that’s supposed to forward traffic as https to its destination.
  To compare the traffic, I am including test flows from 2 serverfarms, one of them is successfully handling the flow translation and the other one is not:
  - From real server side, we’re initiating http connections to destination xx.yy.tt.104
  - real server 192.168.11.35 (vip xx.yy.zz.124) http connection is translated to https by the SSL blades
  - real server 192.168.11.47 (vip xx.yy.zz.73) http traffic is not translating to https and is not leaving the ContentSwitchingModule via vlan200:
  Where:
  * SRV-005 real address is 192.168.11.47 (vip xx.yy.zz.73) &
  * SRV-001 real address is 192.168.11.35 (vip xx.yy.zz.124)
  * real server side vlan: vlan301
  * internal ssl vlan: ssl vlan201
  * destination side transit vlan: vlan200
  http flow from real server 192.168.11.35 leaving the ContentSwitchingModule as https:
  LN-PRO-CSW001>sh mod csm 3 conn client 192.168.11.35
  prot vlan source destination state
  In TCP 301 192.168.11.35:1212 xx.yy.zz.12:389 ESTAB
  Out TCP 200 xx.yy.zz.12:389 xx.yy.zz.124:22395 ESTAB
  In TCP 201 192.168.11.35:1388 xx.yy.tt.104:443 ESTAB
  Out TCP 200 xx.yy.tt.104:443 xx.yy.zz.124:22601 ESTAB
  In TCP 301 192.168.11.35:1360 xx.yy.zz.12:389 ESTAB
  Out TCP 200 xx.yy.zz.12:389 xx.yy.zz.124:22572 ESTAB
  In TCP 301 192.168.11.35:1388 xx.yy.tt.104:80 ESTAB
  Out TCP 201 xx.yy.tt.104:80 192.168.11.35:1388 ESTAB
  http flow from real server 192.168.11.47 not leaving the ContentSwitchingModule as https:
  LN-PRO-CSW001>sh mod csm 3 conn client 192.168.11.47
  prot vlan source destination state
  In TCP 301 192.168.11.47:1291 xx.yy.tt.104:80 ESTAB
  Out TCP 201 xx.yy.tt.104:80 192.168.11.47:1291 ESTAB
  In TCP 301 192.168.11.47:1301 xx.yy.tt.104:80 ESTAB
  Out TCP 201 xx.yy.tt.104:80 192.168.11.47:1301 ESTAB
  The following config is included on the 6500 content switch module and ssl module:
  NL-PRO-CSM001#
  static nat xx.yy.zz.73
  real 192.168.11.47
  static nat xx.yy.zz.124
  real 192.168.11.41
  real 192.168.11.35
  serverfarm SRV-01/77
  nat server
  no nat client
  predictor leastconns
  real 192.168.11.35
  inservice
  real 192.168.11.41
  inservice
  probe LT-T:3389
  serverfarm SRV-005
  nat server
  no nat client
  real 192.168.11.47
  inservice
  vserver SRV-005-VIP
  virtual xx.yy.zz.73 tcp 0
  serverfarm SRV-005
  persistent rebalance
  inservice
  vserver SSLtt.104:80
  virtual xx.yy.tt.104 tcp www
  serverfarm SSL_MODULES
  persistent rebalance
  inservice
  serverfarm SSL_MODULES
  no nat server
  no nat client
  real 192.168.10.68
  inservice
  real 192.168.10.69
  inservice
  NL-PRO-SSL001#
  ssl-proxy service SSL-tt.104:80 client
  virtual ipaddr xx.yy.tt.104 protocol tcp port 80 secondary
  server ipaddr 192.168.10.67 protocol tcp port 443
  certificate rsa general-purpose trustpoint test123
  no nat server
  trusted-ca ppCA
  authenticate verify signature-only
  inservice

  if you don't have a version higher or equal to 2.1(2) for the SSLM, you are probably hitting bug
  CSCed77583
  SSL Module invalidate a source IP address using local mask
  It looks like it works except for some ip addresses and therefore the bug mentioned above seems like a good match.
  Gilles.

• HTTP and HTTPS (SSL) at the same time?

  Hi
  In our company we will use SAP Portal as a external facing portal and as portal  that uses authorisation and authentication (logon) . The question for us is: Is it possible to run the EFP without SSL and the “securede  portal” with SSL? Where do I find documentation?
  Thanks
  Christian Thulstrup

  Hi Christian,
  yes, you can run the portal with HTTP and HTTPS at the same time - it's just a question of the URL you are entering in the browser...
  <b>BUT:</b>
  If you access your portal with HTTPS <b>all</b> content provided by the portal should be accessed with HTTPS too - otherwise you will get security warnings in IE and maybe some strange behavior of the integrated content. Session Management to SAP backend systems will not work also...
  Vice-versa: if you access you portal with HTTP all content should be accessed with HTTP... obviously...
  So if your content for the external facing portal is completely seperated from the internal content - yes you can access the portal with differen protocolls.
  If it is not seperated - and that includes KM objects also - then better use one protocoll for both only!!
  Hth,
  Michael