CSS restore sticky ssl

Similar Messages

• Question on CSS cookie sticky

  Hi everyone,
  I have a question about CSS cookie sticky.
  - Server issues the following cookie string to the client and it is fixed to 18 bytes.
  Set-Cookie: JSESSIONID=aaabbbcccdddeeefff; path=/
  - Client embedded the following cookie string in the subsequent HTTP header.
  Cookie: xx_user_id=ZZZZ03; com.dummy.xyz.session.cookie=|user|pc|ja|Shift_JIS|default||yellow|/oooo/default.portal|; JSESSIONID=aaabbbcccdddeeefff
  * Note that I made cookie information suitable as example.
  There is the cookie string (JSESSIONID=aaabbbcccdddeeefff) issued by Server in the HTTP header from client but that cookie string (JSESSIONID=aaabbbcccdddeeefff) is located following the cookie string that the client made by oneself at the end of cookie string. And the cookie string and the length of cookie string that client made by oneself might change so the total length of cookie string also might change. It means I can not clarify the total length of the cookie string.
  In this situation, I want CSS to stick with cookie string "JSESSIONID=aaabbbcccdddeeefff".
  The characters of string located following the "JSESSIONID=" (in this case, "aaabbbcccdddeeefff") might change but it is fixed to 18 bytes. The total length of cookie string is 141 bytes in above mentioned example.
  So I informed customer to configure the following parameters to get CSS done cookie sticky for above mentioned cookie string. CSS software version is sg0750303.
  owner test
  content testsv-tcp80
  add service testsv1-tcp80
  add service testsv2-tcp80
  advanced-balance cookie
  　string range 1 to 200
  string process-length 18
  url "/*"
  redundant-index 1001
  protocol tcp
  port 80
  vip address xxx.xxx.xxx.xxx
  active
  However CSS was not able to treat the above mentioned cookie correctly which means the subsequent HTTP request was not stuck (persisted) to same server.
  I do not understand why CSS cookie sticky did not work correctly with this configuration.
  Then customer configured CSS with the following parameters to get CSS inserted cookie string and, of course, the result is OK that is CSS could stick the connection to same server.
  owner test
  content testsv-tcp80
  add service testsv1-tcp80
  add service testsv2-tcp80
  advanced-balance arrowpoint-cookie
  url "/*"
  redundant-index 1001
  protocol tcp
  port 80
  vip address xxx.xxx.xxx.xxx
  active
  Has anybody experienced similar thing ?
  Could you please let me know if you have any comment, information
  Your information would be appreciated.
  Best regards,

  the CSS does not learn dynamic cookie.
  You can match a fixed string inside a cookie and pre-define which server to use with that specific string.
  That's why your solution did not work.
  Arrowpoint-cookie is a better solution and easier to implement.
  Gilles.

• CSS with single SSL module.. balance option needed?

  Hi all,
  Quick question. If you have a CSS 11503 with one SSL offload module installed.. is there any point in using the "application ssl" and "advanced-balance ssl" options in the content rule? I can't find any info that tells me for sure but I'm guessing that these options can be used to balance between multiple ssl modules and provide stickiness to the modules etc.. but doesn't have any effect on the traffic distribution and stickiness to the backend server services?
  For example if I have a L5 content rule like the one below and only one SSL module, should i remove the "application ssl" and "advanced-balance ssl" options and just use the port 80 content rule which the ssl proxy lists offloads traffic too and apply the "advanced-balance sticky-srcip-dstport" and "balance leastconn" there ?
    content DEVCOM_TCP443_L5
      vip address x.x.x.x
      application ssl
      advanced-balance ssl
      protocol tcp
      port 443
      url "//dev.subdomain.domain.com/*"
      add service ssl_module1
      active
  I have read various forum postings and i read the CSS SSL config guide but the examples all seem to differ in their implementation.
  Many thanks
  Scott

  You're correct.
  There is no need to specify the application type as ssl and the advanced-balance method when using a single ssl module.
  Gilles.

• CSS bad stickiness

  Hi all,
  seems we have some problems with stickiness src-ip on a CSS 11506. 6 clients are calling 4 servers.
  The four servers are balanced this way:
  content Prodotti_9503
  add service Prodotti_BEA_WLS_9501_1
  add service Prodotti_BEA_WLS_9501_2
  protocol tcp
  port 9503
  vip address 10.216.86.153
  advanced-balance sticky-srcip
  add service Prodotti_BEA_WLS_9501_206
  add service Prodotti_BEA_WLS_9501_207
  active
  All the traffic goes to Prodotti_BEA_WLS_9501_1 regardless of the client source IP.
  All the servers are active.
  Do you think this is due to the limited number of clients (the clients are frontend web servers)?
  Do you know how the CSS hashing algorithm works in detail?
  Thanks in advance.
  Fausto

  I just upgraded from a set of 11800's to 11506's. I'm running 7.20 build 206. We are doing a data center migration so it was a perfect time to upgrade and break my load-balancing out between internal and external users.
  We made the change two nights ago and I spent most of the next day and yesterday troubleshooting some css issues that cropped up. One was with our online bill payment app and the other an agent and reseller site. Both have standard port 80 URL's that then redirect to https for login. Both were configured for sticky-srcip-dstport and immediately began having issues. If you went to servers directly everything worked fine.
  Because of the way the redirects are setup we had a hard time getting them working when the sites were first setup. The port 80 rule listens, hits a server then it redirects back to the VIP address and the port 443 rule then reflects it back to the server. After the migration it appeared that intermittenly users would be redirected back to a server that didn't know about their session and browser errors would occur. I was able to set both of those to use ssl session ID and it fixed the issue.
  I have another application that seems to be doing something very similar but it has no ssl piece so advanced-balance ssl will do no good with that one. I'm still searching for a workaround.
  If anyone here has any suggestions they would be greatly appreciated.

• CSS 115xx and SSL module.

  Good day, I have a general question on the SSL module. Currently we have a pair of CSS's handeling our external site web sites. We are starting to run out of external IP addresses, If we installed the SSL module and terminated the Certificates on the CSS would we be able to read the ssl header and utilize 1 ip for multiple ssl sites?
  thx
  -Rich

  Check the URL: Overview of CSS SSL:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/configuration/ssl/guide/overview.html
  Examples of CSS SSL Configurations:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/examples.html

• CSS 11501 and SSL

  Hi,
  I have a few questions regarding the CSS and SSL certificates.
  I have 2 CSS 11501 and 3 web servers, how many SSL certificates do I need?
  I want to configure the CSS as active - active, is this supported using the SSL accelleration module? If it is, is it configured the same way as a standalone CSS. The documentation only mentions configurations using single module and 2 modules in the same CSS.
  And a clarificacion: Does the term Backend in the CSS SSL config refer to servers on a different subnet (in our case physically separated). Our config is 2 FW -> 2 CSS -> 3 Web servers -> 2 backend FW -> 6 Backend servers (app and DB). Am I correct in assuming that Backend refer to this backend? (This might seem like a silly question but the documentation has me confused)
  Any help is much appreciated.
  Thanks,
  Niels

  Niels,
  there is currently an ASK THE EXPERT event.
  Please join us if you have more questions.
  Regarding the certificate, you could just use one.
  Get 1 certificate for your VIP and upload it on both SSL module.
  However, you might have to get 2, because certificate providers usually say it's one per physical device.
  If you plan on doing SSL on the servers as well, you need 3 more certificates. Or you coul use a single certificate if this is allowed by the company that will give it to you.
  Backend refers to server behind the CSS.
  Like a firewall defines inside and outside interfaces, the CSS define the frontend and the backend.
  The frontend is the client side and the backend the server side.
  When you say active/active, what do you want to achieve exactly ?
  You can indeed have 2 Vip and one is active on CSS1 while the other is active on CSS2.
  However, if the CSS shares the same set of servers, you need to be careful that the return traffic from the server to the client goes back to the same server. This may require client nat (group config).
  Regards,
  Gilles.

• How do I restore default SSL security certificates/authorities/servers?

  A website I visit often was having SSL certificate issues. I did not know what certificate I needed to remove in order to get it working again... So I removed ALL of my security certificates/authorities.
  I did not realize it would be near impossible to restore them.
  Now every website I go to is "untrusted" and I need to confirm a security exception.
  How do I restore the certificates/authorities to the default state?
  I tried removing firefox and reinstalling, but that did not fix it.
  Any help would be greatly appreciated. At this point I'm tempted to just switch to Chrome or another browser.

  See '''cor-el''' reply - Solution Chosen
  https://support.mozilla.org/en-US/questions/878694
  thank you

• Exploring CSS 11503 sticky table / sticky mask

  Hi All
  I am currently undergoing some testing with a client.
  We have a VIP load balancing 8 instances. We are testing with the following configs
  content test-test
      add service a
      add service b
      add service c
      add service d
      add service e
      add service f
      add service g
      add service h
      vip address 10.10.10.1
      flow-timeout-multiplier 225
      sticky-mask 255.255.255.252
      redundant-index 1000
      port 443
      protocol tcp
      advanced-balance sticky-srcip-dstport
      sticky-inact-timeout 360
      balance leastconn
  active
  We  have traffic been sourced from 32 IP addresses and want all 8 instances  to be used/hit, but this is not happening in all instances.
  (from the above config, 4 consecutive IPs will be stuck to the same instance based on the sticky mask -- yes?)
  For instance I would expect the following: with the Test IP addresses used based on the sticky mask:
  10.120.1.168
  10.120.1.169
  10.120.1.170
  10.120.1.171 
  (to be stuck to maybe instance a)
  10.120.1.176
  10.120.1.177
  10.120.1.178
  10.120.1.179
  (to be stuck to maybe instance b)
  I have tried the following command during tests:
  show sticky-table l4-sticky ipaddress 10.10.10.1  255.255.255.252  443
  and get an empty table back.
  L4 Sticky List on Slot 1, subslot 1:
  Entries for page 1.
  Entry   Hash    Rule Rule  Srv  Srv      Time(Sec)     Hit Col  Elem Inact
  Number  Value   Indx State Indx State    Elapsed       Cnt Cnt  Type Cfg(Min)
  Total number of entries found is 0.
  L4 Sticky List on Slot 2, subslot 1:
  Entries for page 1.
  Entry   Hash    Rule Rule  Srv  Srv      Time(Sec)     Hit Col  Elem Inact
  Number  Value   Indx State Indx State    Elapsed       Cnt Cnt  Type Cfg(Min)
  Total number of entries found is 0.
  I would like to ascertain what source IP address is been stuck to what load balanced instance at any one time.
  I have tried looking at the flow table but, that clears out quite quicky so not really an accurate method.
  Thanks!

  Hi All
  I am currently undergoing some testing with a client.
  We have a VIP load balancing 8 instances. We are testing with the following configs
  content test-test
      add service a
      add service b
      add service c
      add service d
      add service e
      add service f
      add service g
      add service h
      vip address 10.10.10.1
      flow-timeout-multiplier 225
      sticky-mask 255.255.255.252
      redundant-index 1000
      port 443
      protocol tcp
      advanced-balance sticky-srcip-dstport
      sticky-inact-timeout 360
      balance leastconn
  active
  We  have traffic been sourced from 32 IP addresses and want all 8 instances  to be used/hit, but this is not happening in all instances.
  (from the above config, 4 consecutive IPs will be stuck to the same instance based on the sticky mask -- yes?)
  For instance I would expect the following: with the Test IP addresses used based on the sticky mask:
  10.120.1.168
  10.120.1.169
  10.120.1.170
  10.120.1.171 
  (to be stuck to maybe instance a)
  10.120.1.176
  10.120.1.177
  10.120.1.178
  10.120.1.179
  (to be stuck to maybe instance b)
  I have tried the following command during tests:
  show sticky-table l4-sticky ipaddress 10.10.10.1  255.255.255.252  443
  and get an empty table back.
  L4 Sticky List on Slot 1, subslot 1:
  Entries for page 1.
  Entry   Hash    Rule Rule  Srv  Srv      Time(Sec)     Hit Col  Elem Inact
  Number  Value   Indx State Indx State    Elapsed       Cnt Cnt  Type Cfg(Min)
  Total number of entries found is 0.
  L4 Sticky List on Slot 2, subslot 1:
  Entries for page 1.
  Entry   Hash    Rule Rule  Srv  Srv      Time(Sec)     Hit Col  Elem Inact
  Number  Value   Indx State Indx State    Elapsed       Cnt Cnt  Type Cfg(Min)
  Total number of entries found is 0.
  I would like to ascertain what source IP address is been stuck to what load balanced instance at any one time.
  I have tried looking at the flow table but, that clears out quite quicky so not really an accurate method.
  Thanks!

• CSS 11150 and SSL module function

  Hi, Pro:
  There is any way I could find what ssl module could be used on CSS11150?
  Thanks,

  there is none.
  The css111xx and css110xx are not modular so you can't add or remove anything from it.
  You will need a CSS115xx.
  Regards,
  Gilles.

• CSS with no SSL offloader config

  I would like to terminate both http and https to the 2 servers with stickyiness. Is the config below correct??? OR is there a better config??
  owner website1
  content website 1
  vip address x.x.x.x
  add sevices web1
  add sevices web2
  protocol tcp
  advanced-balance sticky-srcip
  active
  thanks

  this is correct.
  Gilles.

• Restoring sticky 'notes'  from time machine

  I lost the 'notes' in Stickies.
  I went back a month to time machine selected Applications, then Time Machine, the back a month,
  Then I selected restore.......it finished........then I saw a notice on the desk top that 'IT'  was part of OSX and couldn't be modified
  I went back and repeated the process, only this time I double clicked on the Stickies icon thing I might 'see' the content I lost........and then restore; I deism see a different 'page' and tried restoring that........but got the same message ........'IT'  was part of OSX and couldn't be modified
  Hopefully, Thanks
  Shelgor

  Triple-click anywhere in the line below on this page to select it:
  ~/Library/StickiesDatabase
  Right-click or control-click the line and select
            Services ▹ Reveal in Finder (or just Reveal)
  from the contextual menu.* A folder should open with an item selected. Quit the application if it's running. Enter Time Machine and restore the selected item.
  *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination  command-C. In the Finder, select
            Go ▹ Go to Folder...
  from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

• CSS - SSL Stickiness

  Gilles,
  Could you please advice the CSS content configured with stickiness SSL ID and balance method round robin is recommended configuration or not.Are there are any issues with SSL stickiness with the browsers i.e IE .
  Note:- I am not using SSL Module in the CSS.
  Thanks in advance...

  There are two issues
  Some versions of IE (5.0, 5.5 --check http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q265369) will
  cause the client to change its SSL ID every 2 minutes and this will break
  stickyness with application ssl and advanced balance SSL as this is layer 5
  stickyness based on SSL session ID. A sniffer trace from the client will
  show the ID field change.
  You have to be aware that SSL stickiness will only work with SSL v3,
  because it comes with the session ID not encrypted. SSL v2 comes with the session ID encrypted and you can't do stickyness
  based on that version.So your appliaction servers must be using SSL v3, if you want to use SSL ID based stickiness.
  Hope it helps
  Syed Iftekhar Ahmed

• CSM command similar to CSS sticky-srcip-dstport

  Is there a command in the CSM similar to the CSS command sticky-srcip-dstport?
  If thre isn't...is there still a way to do something similar on the CSM?

  CSM sticky functionality with multiple SSL connections with resumption.
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml

• HTTPS ans SSL with CSS (No SSL Module)

  Hi,
  My customers have two server and need to load balance.
  These servers initiate SSL.
  and VIP address is :
  https://erpappl.erp.mis.blabla.tgc:8005
  My CSS has no ssl module. An dconfiguration is:
  service venice
  ip address 10.200.104.32
  protocol tcp
  port 8005
  keepalive type tcp
  keepalive port 8005
  redundant-index 120
  active
  service calgary
  ip address 10.200.104.33
  protocol tcp
  port 8005
  keepalive type tcp
  keepalive port 8005
  redundant-index 121
  active
  owner ERPAPPL
  content erpapp_test
  add service venice
  add service calgary
  redundant-index 60
  vip address 10.200.104.28
  protocol tcp
  port 8005
  url "/*"
  arrowpoint-cookie expiration 00:00:03:00
  advanced-balance arrowpoint-cookie
  application ssl
  active
  After this configuration I cannot reach the URL shown above.
  Can you help me?

  if this is encrypted traffic [HTTPS] the CSS can't see the content of the packet.
  So the CSS can't see the url [-> so the command url "/*" is incorrtect and should be removed] and the CSS can't see cookies [so the arrowpoint-cookie command is wrong and should be removed].
  If we sell an SSL module, there is a reason :-)
  The only sticky option you can use are :
  - sticky based on srcip
  - sticky on sslid
  The first option [srcip] has a problem with mega proxy [many users being nated with the same ip] and the 2nd option has the problem that it only works with SSLV2 and that some browsers do not use the sslid.
  Gilles.

• CSS + SSL - unable to create RSA association

  Hello,
  I am having troubles creating an RSA association on our CSS11506.
  Here are the steps I've tried:
  1.) I take the original "Digital ID Class 3 - VeriSign Server OnSite" certificate provided to us and move to the CSS via FTP. I have used the openssl verify process to make sure it was a good cert.
  CSS-EC1# copy ssl ftp FTPSRV import websrv-gr.pem PEM "thepassword"
  Connecting (/)
  Completed successfully.
  (also at this step - I have tried this with and without a passphrase with the same results)
  OpenSSL verify:
  C:\OpenSSL\bin>openssl verify -verbose -CAfile .\PEM\verisign.pem websrv-gr.pem
  websrv-gr.pem: OK
  2.) I then create a certificate association:
  CSS-EC1(config)# ssl associate cert WWW websrv-gr.pem
  3.) I then attempt to create and RSA association:
  CSS-EC1(config)# ssl associate rsakey WWW-RSA websrv-gr.pem
  %% File does not contain an RSA key
  What can I do to get rid of this error? Does the certificate we recieved from Verisign need to be chained with the Verisign Intermediate certificate?
  Any ideas?
  Thanks in advance...
  Regards,
  Ben

  Hi
  we have a customer with a similar problem,
  CSS11501(config)# ssl associate rsakey vimageprivkey privkeyvimages.pem
  Error: %% File does not contain an RSA key
  The openssl utility has been used to extract the rsakey from the PKCS12 file.
  They have used this method numerous times before without this error.
  RSA key below:-
  Bag Attributes
  localKeyID: 31 31 36 33 30 38 34 35 35 32 32 33 30
  friendlyName: vimages 2006 certificate
  Key Attributes:
  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: DES-EDE3-CBC,4B31C6E8188C1E2C
  L2zTgx4mEUBG0465IxpNOfeyoMX8vTXF6TTrClc5BCDqEYa+K8/9yu6ZwQ+GKdV2
  WN0NES4mNMyqB+j2K9ysQi59Zw661MSf/ToTLPgbFlI7xK434ZpMiy6K0VIK8cSW
  Nz8yTSbjarpsrigUYzoJ83p10a6vVXA/dEDGrMn84EQeYWjQdStcHU8DKmgaOMLY
  c3s68BHex2oNOdG4P4Uo4lTG1zmQOyP0aY7KHv0KNVrR/RNSW4j01nAdPZ09YiiZ
  Uu83Kvh/kwkGBhGYAr0vnlqPlsdUarfXams39F/Imp3NQdofXsrVencUjST4zjPK
  1xpptY2RYa4lCEZBF5+Y00QhxaQR8IuLkh0x2niR/Nz+KBHxOJ8hacB/bcIpZKv0
  ikFDiXoGLgRNCRM1qhECyfUk4Gt95J4qKSAsyUNOTjhaz73q+sUPu6eLffwUQ1U2
  g6fNcqAu6z5xJkpPjVtGVt+opERqGrnlCW2R6I1QYio+U21p4Cx+7qfxrGGpZtt+
  p0kYhEH9ZMODh8QhDEDv7qqLASQ5aQMcJSLIXCrV13R+yN/qr8qOUDKA88a9avIg
  cArcSEWSQ91ZxYYIijnqMHNBWs1REM6U/FRuW28yM4JtZTyxB8baZUVczAfOnOja
  yAuJ0UVyshNOZxk5W1OJTjrkqY7+JM0CdnJuYUSqvsQb9L3hiAJ/wHzUQw5pN1J3
  Igoo6eLoBj2QC2Fgz1TwJEohelF3F+BVlEvjWjPHi5D0r2e1+HDNNjpWWZctebp7
  Aw7kguV1bymfiG3stoHkP/VU2MyCznS6vXI/PWh4KgI=
  -----END RSA PRIVATE KEY-----
  Any Ideas ??