11503 Loadbalance SSL sticky and HTTP not sticky to proxy-cache
I am using an 11503 to balance 200 schools' traffic to 5 caches. Some of the schools have firewalls, so the CSS sees their PCs as coming from a single IP. If I set the rule to balance sticky, then the load is not spread evenly across the 5 proxies, causing them to get overloaded from time to time.
If I balance the load non-sticky (say leastconn), then users have trouble accessing certain SSL sites.
Does anyone know a good solution for this?
Hi Joerg,
Thanks for your reply. How would you code your solution? Currently I am using the following to work around particular sites:
service Proxy1
  ip address 10.0.0.11
  type proxy-cache
  active
service Proxy2 ... etc
!**************************** DQL ****************************
dql domains-no-balance
  domain www.dontbalancethissite.com
  domain ... etc
!*************************** OWNER ***************************
owner admin
  content Proxy-servers
    add service Proxy1
    add service Proxy2
    add service Proxy3
    add service Proxy4
    add service Proxy5
    protocol tcp
    port 3128
    vip address 10.0.0.100
    sticky-inact-timeout 5
    balance leastconn
    active
  content no-load-balance
    vip address 10.0.0.100
    advanced-balance sticky-srcip
    balance leastconn
    add service Proxy1
    add service Proxy2
    add service Proxy3
    add service Proxy4
    add service Proxy5
    protocol tcp
    port 3128
    url "/*" dql domains-no-balance
    sticky-inact-timeout 5
Regards,
Ben
Similar Messages
-
Only HTTPS requests are working for SOAP Sender and HTTP not working
Hi Experts,
We have enabled our HTTPS port (SSL) in NWA -> Security -> SSL and Key Stores. So our understanding is that the HTTPS port is now enabled on top of HTTP, and PI should be able to serve requests on both ports.
Now, we have developed a synchronous SOAP to RFC scenario and downloaded the WSDL file. This file has both links:
a. http:<host>:<port>
b. https:<host>:<port>
We intend to make a PI system where both ports can work. Now the questions:
1. When we test the web service exposed from PI using the SOAPUI tool, only HTTPS works fine and gets the response back. If we try the HTTP URL, an error is encountered: "HTTPS scheme is required".
2. Is this whole understanding that both ports (HTTP, HTTPS) should be able to operate simultaneously correct? Or is this not possible at all?
3. In the SOAP Sender, we tried selecting all 3 options: 1. HTTP 2. HTTPS without client authentication 3. HTTPS with client authentication.
None of the options has any effect on testing. Each time, only the HTTPS request works and HTTP doesn't.
Can anyone please provide some hints for troubleshooting?
Thanks..
regards,
Rajagopal.
The error "HTTPS scheme is required" is normally returned when the HTTP Security Level on the SOAP adapter is not set to "HTTP". I can see you have mentioned you have tried all these; maybe a cache refresh has gone wrong? You could try recreating the channel with just HTTP specified as the security level, and this should allow HTTP or HTTPS.
I assume you are using different port numbers for your HTTP and HTTPS requests from SOAP UI. Normally the HTTPS port is the same as the HTTP port number but with the final zero changed to a 1, i.e. https://<host>:50001 instead of http://<host>:50000.
You should be able to confirm that both HTTP and HTTPS work OK by loading some of the system web pages in a browser over HTTP and over HTTPS, i.e. http://<host>:<port>/nwa and https://<host>:<port>/nwa
Chris -
Www and http not displaying in pdf files converted from MS Word
When I convert a Word document to pdf using Acrobat Pro 9.0, the website addresses do not display correctly. For instance, if my document shows www.website.com - then the pdf only displays .website.com. Also, if I have the http://www.website.com - I get ://www.website.com. Please HELP! I remember having this problem when I used the trial version of Acrobat 9.0, but stumbled upon the solution. I can't figure it out this time.
You'll want to ask your question in the Acrobat forum rather than here in the Reader forum.
-
Hi,
I wonder if someone could help me please.
I have an issue that extends across my browsers – Firefox and Internet Explorer (Firefox is default) and both are the latest version possible. My machine is fully patched (Win7 Pro x64 SP2).
The issue is as shown below:
'The site xxxx is requesting a user name and password. The site says: "restricted"'
This happens for some (not all) sites and I have to click "cancel" twice to remove the dialogue box, and then the site appears and works normally for a little while. The box will come up again if I attempt to click any links within the same site. It's incredibly annoying and has been frustrating me for the past month. Here's what I have tried so far, but it hasn't resolved the issue:
• Clearing Firefox cache/history manually (set to never remember anything)
• Tried checking/unchecking private browsing
• Made sure "accept 3rd party cookies" is enabled
• Tried all checkboxes for "no proxy", "use system proxy" and "auto detect system proxy" etc
• Disabled all add-ons/extensions within Firefox and retried
• Performed the option to "Reset Firefox" to its default state from within "Troubleshooting"
• Completely uninstalled and re-installed Firefox (latest version)
• Went to the URL "about:config" and searched for the key "network.websocket.enabled" and switched it to "false".
• Went to the URL "about:config" and searched for the key "network.proxy.share_proxy_settings" and switched it to "false".
• Went to the URL "about:config" and searched for the key "network.automatic-ntlm-auth.allow-proxies" and switched it to "false".
• Ran a full AV scan in safe mode (with latest definition files) using Avira Antivirus, Spybot Search & Destroy, MalwareBytes, Super Antispyware and performed full optimisations via Registry Mechanic, Tune-up Utilities 2013 and CC Cleaner (with CC Extender installed). No threats found.
None of the above has helped. The problem is only recent so I'm not entirely sure what's changed.
Does anyone have any ideas or suggestions? I seem to have exhausted my ability to diagnose the fault via the god of Google.
Regards
Malachor
It is always best to avoid using such external cleaners as you can never be sure if they aren't corrupting files and it is usually not worth the trouble to repair damage if that is the case. A lot of the SQLite database files use a complicated table setup that can easily get corrupted.
-
I synced Firefox with my Droid Razr Maxx Firefox. Now Google Calendar hangs on "Loading" and will not function. Clearing cache and cookies does not help. Works the same on any computer Firefox. But Gmail works fine and Calendar is okay under other browsers.
Do a malware check with some malware scanning programs on the Windows computer.
You need to scan with all programs because each program detects different malware.
Make sure that you update each program to get the latest version of their databases before doing a scan.
* http://www.malwarebytes.org/mbam.php - Malwarebytes' Anti-Malware
* http://www.superantispyware.com/ - SuperAntispyware
* http://www.microsoft.com/security/scanner/en-us/default.aspx - Microsoft Safety Scanner
* http://www.microsoft.com/windows/products/winfamily/defender/default.mspx - Windows Defender: Home Page
* http://www.safer-networking.org/en/index.html - Spybot Search & Destroy
* http://www.lavasoft.com/products/ad_aware_free.php - Ad-Aware Free
See also:
* "Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked -
Load Balance Reverse Proxy using ACE and HTTP Header Sticky
Dear all,
I have a reverse proxy that makes HTTP and HTTPS requests to an ACE.
To implement persistence I want to configure HTTP header stickiness using the X-Forwarded-For information, but I don't know:
How to implement it (I'll appreciate a little example about it).
Which values I need for the OFFSET and LENGTH fields.
Can you help me please?
Thanks a lot!!
Hi Cesar.
Thanks a lot for your answer, but I think you misunderstood the question or I'm not explaining very well.
I don't need to insert anything.
The serverfarm X will be accessed by a reverse proxy. This reverse proxy already inserts the X-Forwarded-For header, so the request from the reverse proxy comes with this header to the serverfarm X.
The problem is that now the serverfarm X sticks the client based on source IP. This is wrong behavior because all the requests come from the same source (the reverse proxy) and all the load is forwarded to the same real IP address.
This is why I want to change the sticky from source IP to HTTP header and look at the X-Forwarded-For field.
Hope it will clarify the question! -
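The sticky-table behaviour in two of the posts above can be modelled in one place: the CSS thread at the top of the page (a school behind a NAT firewall appears as one source IP, so sticky-srcip pins the whole school to one proxy-cache unless the host is listed in the DQL) and the ACE question just above (every request arrives from one reverse proxy, so source-IP stickiness sends all of it to one real server, while keying on X-Forwarded-For restores per-client persistence). The Python below is an added example, not Cisco code or configuration from either post: proxy names, hosts, addresses and headers are constructed, and treating the offset/length fields as a slice of the header value is an assumption about the ACE fields, not taken from its documentation.

```python
"""Sticky-table model for the two threads above: the CSS rule where a school behind a
NAT firewall shows one source IP, so 'advanced-balance sticky-srcip' pins the whole
school to one proxy-cache unless the host is exempted through a DQL, and the ACE
question about keying stickiness on X-Forwarded-For when every request arrives from
one reverse proxy. Added example, not Cisco code; all addresses, hosts and headers
are constructed."""
from collections import Counter

SERVERS = ["Proxy1", "Proxy2", "Proxy3", "Proxy4", "Proxy5"]
# Stand-in for the 'dql domains-no-balance' list: only these hosts stay sticky.
STICKY_DOMAINS = {"www.dontbalancethissite.com"}


def key_srcip(req):
    """Sticky key as the CSS sees it: the packet's source address."""
    return req["src_ip"]


def key_xff(req, offset=0, length=None):
    """Sticky key taken from X-Forwarded-For; the leftmost address is the original
    client. offset/length are modelled as a slice of that address (an assumption
    about the ACE fields of the same name, not taken from its documentation)."""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    value = headers.get("x-forwarded-for")
    if value is None:
        return None                      # no header: balance without a sticky entry
    client = value.split(",")[0].strip()
    end = None if length is None else offset + length
    return client[offset:end]


class StickyBalancer:
    def __init__(self, servers=SERVERS, key_fn=key_srcip, sticky_domains=(), sticky_all=True):
        self.servers = list(servers)
        self.key_fn = key_fn
        self.sticky_domains = set(sticky_domains)
        self.sticky_all = sticky_all     # True: every request is sticky (the original rule)
        self.conns = Counter({s: 0 for s in self.servers})
        self.table = {}                  # sticky key -> server

    def least_conn(self):
        return min(self.servers, key=lambda s: (self.conns[s], s))

    def pick(self, req):
        sticky = self.sticky_all or req.get("host") in self.sticky_domains
        key = self.key_fn(req) if sticky else None
        if key is not None and key in self.table:
            server = self.table[key]
        else:
            server = self.least_conn()   # first sight of a key: use the balance method
            if key is not None:
                self.table[key] = server
        self.conns[server] += 1
        return server


def run(requests, **balancer_args):
    """Return (connections per server, server chosen for each request)."""
    b = StickyBalancer(**balancer_args)
    picks = [b.pick(r) for r in requests]
    return dict(b.conns), picks


def school_requests():
    """Constructed: one school behind NAT (500 connections from a single address)
    plus four schools whose 20 PCs each appear with their own address."""
    reqs = []
    for i in range(500):
        host = "www.dontbalancethissite.com" if i % 50 == 0 else f"site{i % 7}.example"
        reqs.append({"src_ip": "198.51.100.1", "host": host})
    for s in range(4):
        for c in range(20):
            reqs.append({"src_ip": f"10.{s + 1}.0.{c + 1}", "host": f"site{c % 7}.example"})
    return reqs


def proxied_requests():
    """Constructed: 40 requests from one reverse proxy on behalf of 8 clients."""
    return [{"src_ip": "10.0.0.5", "host": "app.example",
             "headers": {"X-Forwarded-For": f"203.0.113.{c + 1}, 10.0.0.5"}}
            for _ in range(5) for c in range(8)]


if __name__ == "__main__":
    print("sticky-srcip everywhere:", run(school_requests())[0])
    print("sticky only for DQL hosts:",
          run(school_requests(), sticky_domains=STICKY_DOMAINS, sticky_all=False)[0])
    print("srcip key behind a proxy:", run(proxied_requests())[0])
    print("X-Forwarded-For key:", run(proxied_requests(), key_fn=key_xff)[0])
```

With the original sticky-everything rule the NATed school lands entirely on Proxy1 (500 connections against 20 on each of the others); limiting stickiness to the DQL hosts brings every proxy to 116. Behind the reverse proxy the same srcip key puts all 40 requests on one real server, whereas the X-Forwarded-For key spreads the eight clients and still returns each client to the same server on every request.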
Both http and https on struts in tomcat using SSL
I want to apply both http and https as needed on a single web application on struts. My server is tomcat. I need complete documentation. Someone help me please.
If you are terminating SSL on ACE then there is no way to do it with one policy because of the ssl-proxy command. However, it is possible to use the same serverfarm with two VIPs like this:
access-list ACL line 10 extended permit ip any any
rserver host TEST
  ip address 20.20.2.11
  inservice
serverfarm host TEST
  rserver TEST
    inservice
ssl-proxy service SSL_SERVER
  key KEY12.PEM
  cert CERT12.PEM
class-map match-any SSL
  2 match virtual-address 10.10.2.101 tcp eq https
class-map match-any HTTP
  2 match virtual-address 10.10.2.101 tcp eq http
policy-map type loadbalance first-match L7_POL
  class class-default
    serverfarm TEST
policy-map multi-match L7
  class SSL
    loadbalance vip inservice
    loadbalance policy L7_POL
    loadbalance vip icmp-reply
    ssl-proxy server SSL_SERVER
  class HTTP
    loadbalance vip inservice
    loadbalance policy L7_POL
    loadbalance vip icmp-reply
interface vlan 210
  ip address 10.10.2.1 255.255.255.0
  service-policy input L7
  access-group input ACL
  no shutdown
interface vlan 220
  ip address 20.20.2.1 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.90.15.1
However, if you are not doing SSL termination on ACE and you are just doing L4 load balancing, you will most likely need to configure SSL stickiness, which again leads to having separate policies because the sticky serverfarms need separate loadbalance policy lines. -
Gilles,
Could you please advise whether a CSS content rule configured with SSL ID stickiness and the round-robin balance method is a recommended configuration or not. Are there any issues with SSL stickiness with browsers, i.e. IE?
Note: I am not using the SSL module in the CSS.
Thanks in advance...
There are two issues.
Some versions of IE (5.0, 5.5; check http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q265369) will cause the client to change its SSL ID every 2 minutes, and this will break stickiness with application ssl and advanced-balance ssl, as this is layer 5 stickiness based on the SSL session ID. A sniffer trace from the client will show the ID field change.
You have to be aware that SSL stickiness will only work with SSL v3, because it comes with the session ID not encrypted. SSL v2 comes with the session ID encrypted and you can't do stickiness based on that version. So your application servers must be using SSL v3 if you want to use SSL ID based stickiness.
Hope it helps
Syed Iftekhar Ahmed -
SSL Sticky feature...
We were trying the SSL Sticky feature with two real http servers and it does not seem to work.
When I configure ssl sticky for the https VIP, it apparently sticks the connection on the first leg, i.e. the SSL termination. However, the second leg, i.e. the decrypted session between the SSL card and the real server, is not sticking. I am not sure if this is supported in the first place. Can someone confirm this please? And if you have some working configuration, please share. Btw, I am looking for a CSM-S config, but a CSM with SSLM config will help as well.
Thanks -
Trying to understand SSL sticky with CSS 11506 / ssl-l4-fallback behavior
Dear experts
I have a CSS 11506 (v7.50) which is used to load balance several SSL-based sites. We use the following textbook content rule:
content mysite-SSL
  vip address 10.0.0.1
  add service s01
  add service s02
  add service s03
  port 443
  protocol tcp
  advanced-balance ssl
  application ssl
  flow-timeout-multiplier 225
  active
If I read the manual correctly, SSL L3 session IDs are going to be used until a flow is set up. Then the ssl-l4-fallback directive (it is enabled) kicks in and load balancing is done based on the source IP and destination port.
However, my stats show:
Sticky Statistics - SFM Slot 1, Subslot 1:
Total number of new sticky entries is 4937735
Total number of sticky table hits is 33476045
Total number of sticky rejects (no entry) is 0
Total number of sticky collision is 0
Total number of available sticky entries is 0
Total number of used sticky entries is 131071
Total L3 sticky entries are 131
Total L4 sticky entries are 0
Total SSL sticky entries are 130940
Total WAP sticky entries are 0
Total number of SIPCID sticky entries is 0
So, why don't I see anything in the L4 sticky entries?
Also, I would expect that once the ssl-l4-fallback kicks in, a client will be always directed to the same server (since the CSS uses now source IP, dest port for load balancing). However, if I close and start again my browser I hit a different server.
Your thoughts and suggestions are highly appreciated.
John.
Hi Gilles
Thank you for your response. If I may ask the group for a final further clarification, so as to put this matter to rest: since there are a lot of frames transmitted in either direction, I would expect the following to be happening and overriding the use of SSLv3 session IDs. Following is the section of the manual that seems to contradict what you say (and what I see in the stats). Am I reading the manual wrong?
"Cisco Content Services Switch Content Load-Balancing Configuration Guide, Software Version 8.20, November 2006, page 11-14
Configuring SSL-Layer 4 Fallback
Insertion of the Layer 4 hash value into the sticky table occurs when more than three frames are transmitted in either direction (client-to-server, server-to-client) or if SSL version 2 is in use on the network. If either condition occurs, the CSS inserts the Layer 4 hash value into the sticky table, overriding the further use of the SSL version 3 session ID." -
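The two CSS threads above make three points that are easier to follow with a working model: a load balancer can only key on the session ID when the hello carries it in the clear (SSLv3/TLS, not the SSLv2 format the replies rule out), a new session has no client-offered ID and the balancer must learn the one the server assigns, and the quoted manual text replaces the session-ID entry with a Layer 4 entry for SSLv2 clients or handshakes of more than three frames. The Python below is an added example, not Cisco code or the posters' configuration: the hello records are constructed test vectors with a zeroed random, and the Layer 4 hash is modelled as the (source IP, destination port) pair, which is the poster's reading of it rather than the documented hash input.

```python
"""Model of the CSS sticky decisions discussed in the two threads above: SSL session-ID
stickiness (usable only with SSLv3/TLS, whose hello carries the ID in the clear) and
the Layer 4 fallback quoted from the configuration guide. Added example, not Cisco
code. The hello records are constructed test vectors; the Layer 4 hash is modelled as
the (source IP, destination port) pair, the poster's reading of it."""
from collections import Counter

HELLO_CLIENT, HELLO_SERVER = 0x01, 0x02


def parse_hello(data, hello_type):
    """Return (version, session_id) for an SSLv3/TLS hello record of the given type.
    version is 'v3' for SSLv3 and TLS, 'v2' for an SSLv2-style CLIENT-HELLO (session ID
    reported as unavailable, as the thread describes), or None if this is not a hello."""
    if len(data) >= 3 and data[0] & 0x80 and data[2] == HELLO_CLIENT:
        return "v2", None
    # 5-byte record header, 4-byte handshake header, 2-byte version, 32-byte random
    if len(data) < 44 or data[0] != 0x16 or data[1] != 0x03 or data[5] != hello_type:
        return None, None
    sid_len = data[43]
    sid = bytes(data[44:44 + sid_len])
    return ("v3", sid) if len(sid) == sid_len else (None, None)


def build_hello(hello_type, session_id, version=(3, 0)):
    """Constructed SSLv3 (default) or TLS hello with one cipher suite and a zeroed random."""
    body = bytes(version) + bytes(32) + bytes([len(session_id)]) + session_id
    body += b"\x00\x02\x00\x2f\x01\x00" if hello_type == HELLO_CLIENT else b"\x00\x2f\x00"
    handshake = bytes([hello_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + len(handshake).to_bytes(2, "big") + handshake


# Constructed SSLv2 CLIENT-HELLO: 2-byte length with the high bit set, then msg type 1.
SSLV2_HELLO = b"\x80\x1f\x01\x00\x02" + bytes(26)


class SslStickyBalancer:
    FRAME_LIMIT = 3          # "more than three frames ... in either direction"

    def __init__(self, servers):
        self.servers = list(servers)
        self.conns = Counter({s: 0 for s in self.servers})
        self.entries = {}    # ("SSL", session_id) or ("L4", (src_ip, dst_port)) -> server
        self.kinds = Counter()   # what 'show sticky' would report as SSL vs L4 entries

    def least_conn(self):
        return min(self.servers, key=lambda s: (self.conns[s], s))

    def assign(self, flow):
        """Choose a server for one flow and record the sticky entry the CSS would keep."""
        c_ver, c_sid = parse_hello(flow["client_frames"][0], HELLO_CLIENT)
        l4_key = ("L4", (flow["src_ip"], flow["dst_port"]))
        ssl_key = ("SSL", c_sid) if c_sid else None
        if l4_key in self.entries:            # an L4 entry overrides further use of the ID
            server = self.entries[l4_key]
        elif ssl_key in self.entries:
            server = self.entries[ssl_key]
        else:
            server = self.least_conn()
        self.conns[server] += 1

        frames = max(len(flow["client_frames"]), len(flow["server_frames"]))
        if c_ver == "v2" or frames > self.FRAME_LIMIT:
            key = l4_key                      # the fallback from the quoted manual text
        elif ssl_key is None:                 # new session: learn the ID the server assigned
            _, s_sid = parse_hello(flow["server_frames"][0], HELLO_SERVER)
            key = ("SSL", s_sid) if s_sid else None
        else:
            key = ssl_key
        if key is not None and key not in self.entries:
            self.entries[key] = server
            self.kinds[key[0]] += 1
        return server


def sample_flows():
    """Constructed flows: a new SSLv3 session, its resumption, an SSLv2 client, and a
    chatty client whose handshake exceeds the frame limit (seen twice)."""
    sid = bytes.fromhex("aa" * 32)
    new = {"src_ip": "198.51.100.7", "dst_port": 443,
           "client_frames": [build_hello(HELLO_CLIENT, b"")],
           "server_frames": [build_hello(HELLO_SERVER, sid)]}
    resumed = dict(new, client_frames=[build_hello(HELLO_CLIENT, sid)])
    v2 = {"src_ip": "198.51.100.9", "dst_port": 443,
          "client_frames": [SSLV2_HELLO], "server_frames": [b""]}
    chatty = {"src_ip": "198.51.100.11", "dst_port": 443,
              "client_frames": [build_hello(HELLO_CLIENT, b"")] + [b"\x17\x03\x00\x00\x01\x00"] * 3,
              "server_frames": [build_hello(HELLO_SERVER, sid[:16])]}
    return [new, resumed, v2, chatty, dict(chatty)]


def run_flows(flows, servers=("s01", "s02", "s03")):
    """Return (connections per server, server per flow, sticky entries by kind)."""
    b = SslStickyBalancer(servers)
    picks = [b.assign(f) for f in flows]
    return dict(b.conns), picks, dict(b.kinds)


if __name__ == "__main__":
    print(run_flows(sample_flows()))
```

Running the sample flows gives one SSL entry (the resumed session follows its first server) and two L4 entries (the SSLv2 client and the chatty client, whose repeat connection is served by the L4 entry rather than a fresh balance decision). The stats in the thread, with every entry counted as SSL and none as L4, are the pattern this model produces when no flow crosses the frame limit and no SSLv2 client appears.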
Hi,
I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and a proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, then I get the errorCode 0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
In Wireshark I see only one HTTP request to connect to the proxy with NTLM Message Type: NTLMSSP_NEGOTIATE. The HTTP response returns status 407 and the connection is closed. Comparing this to Internet Explorer: the connection is not closed and a second request with NTLMSSP_AUTH is sent.
Why doesn't it make the complete NTLM handshake? Why wasn't the NTLMSSP_AUTH sent directly?
I based my code on the HttpCalculatorWithKerberosOverSslClientExample.
Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM and WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
Any idea?
Thanks -
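The Wireshark observation in the post above (one NEGOTIATE, a 407, then the connection closes, where Internet Explorer keeps the connection and sends the AUTHENTICATE leg) is the kind of thing worth checking mechanically: NTLM over HTTP is a three-leg exchange whose challenge is bound to the TCP connection, so once that connection closes the handshake cannot finish. The Python below is an added example, not WWSAPI or Microsoft code: it decodes the NTLMSSP message type from the proxy headers and classifies one connection's exchange. Both exchanges are constructed, modelled after the two behaviours the poster describes, and the NTLMSSP messages carry only the 12-byte header plus zero padding rather than real security buffers.

```python
"""Classifier for the proxy exchange described above: NTLM over HTTP is a three-leg
handshake (NEGOTIATE, CHALLENGE, AUTHENTICATE) that must complete on one TCP connection,
so a proxy that answers the NEGOTIATE with 407 and then drops the connection never
receives the AUTHENTICATE leg. Added example, not WWSAPI or Microsoft code. The exchanges
are constructed; the NTLMSSP messages carry only the 12-byte header and zero padding."""
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
MSG_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def ntlm_message(msg_type, payload=b""):
    """Constructed NTLMSSP message: signature, little-endian message type, payload."""
    return NTLMSSP + struct.pack("<I", msg_type) + payload


def ntlm_type(token_b64):
    """Name of the NTLMSSP message inside a base64 token, or None if it is not one."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except (ValueError, TypeError):      # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or raw[:8] != NTLMSSP:
        return None
    return MSG_NAMES.get(struct.unpack("<I", raw[8:12])[0])


def ntlm_token(header_value):
    """Message name carried by 'NTLM <token>'; a bare 'NTLM' only offers the scheme."""
    if not header_value:
        return None
    parts = header_value.split(None, 1)
    if parts[0].upper() != "NTLM" or len(parts) < 2:
        return None
    return ntlm_type(parts[1])


def parse_http_head(text):
    """Split a request/status line plus headers into (first line, {name.lower(): value})."""
    lines = text.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def analyse_exchange(events):
    """Walk one connection's events, each ('client', head), ('proxy', head) or
    ('close', ''), and return (NTLM legs seen, verdict)."""
    steps = []
    for who, text in events:
        if who == "close":
            if steps and steps[-1] in ("NEGOTIATE", "CHALLENGE"):
                return steps, f"incomplete: connection closed after {steps[-1]}"
            continue
        first_line, headers = parse_http_head(text)
        if who == "client":
            leg = ntlm_token(headers.get("proxy-authorization"))
            if leg:
                steps.append(leg)
            continue
        words = first_line.split()
        status = words[1] if len(words) > 1 else ""
        if status == "407" and ntlm_token(headers.get("proxy-authenticate")) == "CHALLENGE":
            steps.append("CHALLENGE")
            conn = headers.get("proxy-connection", headers.get("connection", "")).lower()
            if conn == "close":          # the challenge cannot be answered on a new connection
                return steps, "incomplete: challenge sent with Connection: close"
        elif status != "407" and steps[-1:] == ["AUTHENTICATE"]:
            return steps, "complete"
    return steps, "incomplete: handshake did not finish"


def b64(message):
    return base64.b64encode(message).decode()


# Constructed tokens; the CHALLENGE payload is zero padding standing in for the real fields.
T1, T2, T3 = b64(ntlm_message(1)), b64(ntlm_message(2, bytes(36))), b64(ntlm_message(3))
CONNECT = "CONNECT api.example:443 HTTP/1.1\r\nHost: api.example:443\r\n"
CHALLENGE_407 = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
                 "Proxy-Authenticate: NTLM " + T2 + "\r\n")

# Modelled after the WWSAPI capture: one NEGOTIATE, one 407, then the connection closes.
WWSAPI_LIKE = [
    ("client", CONNECT + "Proxy-Authorization: NTLM " + T1 + "\r\n"),
    ("proxy", CHALLENGE_407),
    ("close", ""),
]
# Modelled after the browser: the connection stays up and the AUTHENTICATE leg follows.
BROWSER_LIKE = [
    ("client", CONNECT + "Proxy-Authorization: NTLM " + T1 + "\r\n"),
    ("proxy", CHALLENGE_407 + "Proxy-Connection: keep-alive\r\n"),
    ("client", CONNECT + "Proxy-Authorization: NTLM " + T3 + "\r\n"),
    ("proxy", "HTTP/1.1 200 Connection established\r\n"),
]
```

Fed a capture exported per connection, the same walk tells you whether the client ever produced the AUTHENTICATE leg or whether the proxy ended the connection (or asked for it with Connection: close) after challenging, which separates a client-side binding problem from a proxy that does not keep NTLM connections alive.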
Have never struck this before. Usually email apps give the choice of "No Encryption" (as against SSL). My system will not brook encryption in this form. Also, when setting up SMTP, there is an option for username and password NOT to be added every time the email is accessed. Yet this app requests that you do. If so, then my emails will not work in this form. Other than that, I like it! :-) NICK
Hey there,
Thank you for contacting Mozilla! I understand that you are having problems with accessing email on your phone. In order to better understand and investigate on the issue that you are encountering, please reply to this message with the following information:
* What is the model of your phone?
* What is the OS version found in the Device Information page? Please visit this link (http://mzl.la/Gzz6Kp) if you need help finding the Build ID of your phone.
* Please provide the exact steps to reproduce the issue you are encountering.
* Who is your current cell phone carrier?
* How often do you encounter this issue?
Please be sure to include as much detail as possible, including any websites that may exhibit this issue, and any error messages that you may be receiving, exactly as they appear. This will ensure that we will have all the information needed to investigate into this. Thank you for your help and we look forward to hearing from you!
Curtis Parfitt-Ford
Mozilla Support -
The SSL support feature is not properly configured. Https is not available.
Hi all
We get the following warning message even though we are not using SSL.
"The SSL support feature is not properly configured. Https is not available."
I tried with the following parameter set to false in MobileEngine.config, but the same warning still occurs for each synchronization done. The sync works fine, though.
MobileEngine.Security.SSLSupport=false
Has anybody come across this one? If so, please let me know.
Thanks
Raj
Hi Raj
The error "The SSL support feature is not properly configured. Https is not available" will not cause any problems for you during synchronization. The reason that this error is displayed is that by default MI is configured to support HTTPS synchronization and not HTTP. This is because it is recommended to use HTTPS sync in order to transmit data in a secure manner, and this is very necessary in a customer production system. This so-called error will not have any impact on sync but is just information to the administrator. It can be disabled by use of the parameter MobileEngine.Security.SSLSupport=false, but make sure that this parameter is set to false even before performing the first sync, i.e. before obtaining a device ID. If you set this value to false after performing some syncs, the error is still visible in either the Web Console or the NetWeaver Administrator because it would have been sent by the previous sync, and these statements are retained and never purged. Hope this helps and clarifies your doubts.
Best Regards
Sivakumar -
Http not forwarded as https by ssl
I have the following problem with my serverfarm:
An http flow initiated from a serverfarm is not being handled by the load-balanced SSL blades that are supposed to forward the traffic as https to its destination.
To compare the traffic, I am including test flows from 2 serverfarms; one of them is successfully handling the flow translation and the other one is not:
- From the real server side, we're initiating http connections to destination xx.yy.tt.104
- real server 192.168.11.35 (vip xx.yy.zz.124): the http connection is translated to https by the SSL blades
- real server 192.168.11.47 (vip xx.yy.zz.73): the http traffic is not translated to https and is not leaving the Content Switching Module via vlan200:
Where:
* SRV-005 real address is 192.168.11.47 (vip xx.yy.zz.73) &
* SRV-001 real address is 192.168.11.35 (vip xx.yy.zz.124)
* real server side vlan: vlan301
* internal ssl vlan: ssl vlan201
* destination side transit vlan: vlan200
http flow from real server 192.168.11.35 leaving the Content Switching Module as https:
LN-PRO-CSW001>sh mod csm 3 conn client 192.168.11.35
prot vlan source destination state
In TCP 301 192.168.11.35:1212 xx.yy.zz.12:389 ESTAB
Out TCP 200 xx.yy.zz.12:389 xx.yy.zz.124:22395 ESTAB
In TCP 201 192.168.11.35:1388 xx.yy.tt.104:443 ESTAB
Out TCP 200 xx.yy.tt.104:443 xx.yy.zz.124:22601 ESTAB
In TCP 301 192.168.11.35:1360 xx.yy.zz.12:389 ESTAB
Out TCP 200 xx.yy.zz.12:389 xx.yy.zz.124:22572 ESTAB
In TCP 301 192.168.11.35:1388 xx.yy.tt.104:80 ESTAB
Out TCP 201 xx.yy.tt.104:80 192.168.11.35:1388 ESTAB
http flow from real server 192.168.11.47 not leaving the Content Switching Module as https:
LN-PRO-CSW001>sh mod csm 3 conn client 192.168.11.47
prot vlan source destination state
In TCP 301 192.168.11.47:1291 xx.yy.tt.104:80 ESTAB
Out TCP 201 xx.yy.tt.104:80 192.168.11.47:1291 ESTAB
In TCP 301 192.168.11.47:1301 xx.yy.tt.104:80 ESTAB
Out TCP 201 xx.yy.tt.104:80 192.168.11.47:1301 ESTAB
The following config is included on the 6500 Content Switching Module and SSL module:
NL-PRO-CSM001#
static nat xx.yy.zz.73
  real 192.168.11.47
static nat xx.yy.zz.124
  real 192.168.11.41
  real 192.168.11.35
serverfarm SRV-01/77
  nat server
  no nat client
  predictor leastconns
  real 192.168.11.35
    inservice
  real 192.168.11.41
    inservice
  probe LT-T:3389
serverfarm SRV-005
  nat server
  no nat client
  real 192.168.11.47
    inservice
vserver SRV-005-VIP
  virtual xx.yy.zz.73 tcp 0
  serverfarm SRV-005
  persistent rebalance
  inservice
vserver SSLtt.104:80
  virtual xx.yy.tt.104 tcp www
  serverfarm SSL_MODULES
  persistent rebalance
  inservice
serverfarm SSL_MODULES
  no nat server
  no nat client
  real 192.168.10.68
    inservice
  real 192.168.10.69
    inservice
NL-PRO-SSL001#
ssl-proxy service SSL-tt.104:80 client
  virtual ipaddr xx.yy.tt.104 protocol tcp port 80 secondary
  server ipaddr 192.168.10.67 protocol tcp port 443
  certificate rsa general-purpose trustpoint test123
  no nat server
  trusted-ca ppCA
  authenticate verify signature-only
  inservice
If you don't have a version higher than or equal to 2.1(2) for the SSLM, you are probably hitting bug
CSCed77583
SSL Module invalidate a source IP address using local mask
It looks like it works except for some IP addresses and therefore the bug mentioned above seems like a good match.
Gilles. -
HTTP and HTTPS (SSL) at the same time?
Hi
In our company we will use SAP Portal as an external facing portal and as a portal that uses authorisation and authentication (logon). The question for us is: Is it possible to run the EFP without SSL and the secured portal with SSL? Where do I find documentation?
Thanks
Christian Thulstrup
Hi Christian,
yes, you can run the portal with HTTP and HTTPS at the same time - it's just a question of the URL you are entering in the browser...
BUT:
If you access your portal with HTTPS, all content provided by the portal should be accessed with HTTPS too - otherwise you will get security warnings in IE and maybe some strange behavior of the integrated content. Session management to SAP backend systems will not work either...
Vice versa: if you access your portal with HTTP, all content should be accessed with HTTP... obviously...
So if your content for the external facing portal is completely separated from the internal content - yes, you can access the portal with different protocols.
If it is not separated - and that includes KM objects also - then better use one protocol for both only!!
Hth,
Michael
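The point Michael makes above, that a portal page served over HTTPS must load all of its own content over HTTPS or the browser warns and integrated content misbehaves, can be checked on the page source itself. The Python below is an added example, not SAP code: it walks the attributes that make a browser fetch a subresource or submit a form and reports every one that an HTTPS page would load over plain HTTP, resolving relative and protocol-relative references against the page URL so that only real scheme downgrades are flagged. The portal page and host names are constructed placeholders.

```python
"""Mixed-content check for the point made above: a page served over HTTPS must fetch all
of its own content over HTTPS, or the browser warns and embedded pieces misbehave. Added
example, not SAP code; the portal page below is constructed and the host names are
placeholders."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource or submit data to a URL.
FETCH_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "frame": ("src",),
    "embed": ("src",), "source": ("src",), "audio": ("src",), "video": ("src",),
    "object": ("data",), "form": ("action",), "link": ("href",),
}
# <link> only loads something for these rel values; canonical/alternate links are not fetched.
FETCHED_LINK_RELS = {"stylesheet", "icon", "shortcut icon", "preload", "prefetch", "manifest"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlsplit(page_url).scheme.lower()
        self.findings = []           # (tag, attribute, absolute URL) for each http: load

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "link" and attrs.get("rel", "").strip().lower() not in FETCHED_LINK_RELS:
            return
        for attr in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(attr, "").strip()
            if not value:
                continue
            target = urljoin(self.page_url, value)   # resolves relative and // URLs
            if self.page_scheme == "https" and urlsplit(target).scheme.lower() == "http":
                self.findings.append((tag, attr, target))


def find_mixed_content(page_url, html):
    """Return the (tag, attribute, URL) triples an HTTPS page would load over plain HTTP."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed portal page mixing absolute http: links, relative paths and a // CDN reference.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://portal.example/irj/portalapps/theme.css">
<link rel="canonical" href="http://portal.example/irj/portal">
<script src="//cdn.example/km/km.js"></script>
</head><body>
<img src="/irj/go/logo.png">
<iframe src="http://km.example/km/docs/public"></iframe>
<form action="https://portal.example/irj/login" method="post"></form>
<a href="http://portal.example/irj/help">help</a>
</body></html>"""


if __name__ == "__main__":
    for finding in find_mixed_content("https://portal.example/irj/portal", SAMPLE_PAGE):
        print("mixed content:", *finding)
```

On the constructed page only the absolute-http stylesheet and the KM iframe are reported: the relative logo and the protocol-relative script inherit the page's scheme, the form already posts to HTTPS, and the canonical link and the plain hyperlink are not fetched by the browser. Served over HTTP, the same page reports nothing, which is the "one protocol for both" situation the reply recommends.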