CSS with single SSL module.. balance option needed?
Hi all,
Quick question. If you have a CSS 11503 with one SSL offload module installed.. is there any point in using the "application ssl" and "advanced-balance ssl" options in the content rule? I can't find any info that tells me for sure but I'm guessing that these options can be used to balance between multiple ssl modules and provide stickiness to the modules etc.. but doesn't have any effect on the traffic distribution and stickiness to the backend server services?
For example if I have a L5 content rule like the one below and only one SSL module, should i remove the "application ssl" and "advanced-balance ssl" options and just use the port 80 content rule which the ssl proxy lists offloads traffic too and apply the "advanced-balance sticky-srcip-dstport" and "balance leastconn" there ?
content DEVCOM_TCP443_L5
vip address x.x.x.x
application ssl
advanced-balance ssl
protocol tcp
port 443
url "//dev.subdomain.domain.com/*"
add service ssl_module1
active
I have read various forum postings and i read the CSS SSL config guide but the examples all seem to differ in their implementation.
Many thanks
Scott
You're correct.
There is no need to specify the application type as ssl and the advanced-balance method when using a single ssl module.
Gilles.
Similar Messages
-
CSS - 11506 - Adding New SSL Services on Single SSL Modules
Hi,
We are having one pair of CCS 11506 currently SSL services are running on slot4 with single SSL module.Now we are planning to add one more SSL application with different certificates & keys on different VIP.
Can we use the same slot4 for new application & using different certicates & keys on same SSL modules.Your reponse is appriecatedHi Sean,
Thanks for replying back just want few clarifcations in configuration part.
1. If new vlan is given for new application then how to point routes to the new vlan as default routes to exisitng vlan is already present.
2. I've prepare sample config template with details steps & let us know will it work & if changes is required kindly let us know.
1.# ftp-record ssl_record 192.168.19.21 johndoe "abc123"
/home/johndoe
2.# copy ssl sftp ssl_record import rsacert.pem PEM "passwd123"
Connecting
Completed successfully
3.# copy ssl sftp ssl_record import rsakey.pem PEM "passwd123"
Connecting
Completed successfully
4.Enter configuration mode.
# config
(config) #
4. To use RSA public key exchange and authentication:
a. Associate the imported RSA certificate with a file.
(config) # ssl associate cert myrsacert1 rsacert.pem
b. Associate the imported RSA key pair with a file.
(config) # ssl associate rsakey myrsakey1 rsakey.pem
5. Compare the public key in the associated certificate with the public key
stored with the associated private key and verify that they are identical.
(config) # ssl verify myrsacert1 myrsakey1
Certificate mycert1 matches key mykey1
ssl associate rsakey NEWKEY newkey.pem
ssl associate cert NEWCERT newcert.pem
!************************* INTERFACE *************************
interface 3/3
description "****WEB SIDE****"
bridge vlan _ID_X.X.X.X
bridge port-fast enable
interface 3/4
bridge vlan_ID_Y.Y.Y.Y
bridge port-fast enable
description "****PIX SIDE****"
!************************** CIRCUIT **************************
circuit VLAN_ID_X
ip address A.A.A.A B.B.B.0
ip virtual-router 2 priority 101 preempt
ip redundant-interface 3 C.C.C.C
ip critical-service 3 chk-con-pix_Y.Y.Y.Y
ip critical-service 3 chk-con-web_X.X.X.X
circuit VLAN_ID_Y
ip address D.D.D.D E.E.E.0
ip virtual-router 4 priority 101 preempt
ip redundant-vip 4 F.F.F.F
ip critical-service 4 chk-con-pix_Y.Y.Y.Y
ip critical-service 4 chk-con-web_X.X.X.X
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list NEW
ssl-server 20
ssl-server 20 vip address F.F.F.F
ssl-server 20 cipher rsa-with-rc4-128-sha F.F.F.F 81
ssl-server 20 cipher rsa-with-rc4-128-md5 F.F.F.F 81
ssl-server 20 rsacert NEWCERT
ssl-server 20 rsakey NEWKEY
active
!************************** SERVICE **************************
service FRONT_SSL
type ssl-accel
slot 4
keepalive type none
add ssl-proxy-list NEW
active
service WEBSERVER-03
ip address G.G.G.G
redundant-index 3
protocol tcp
port 80
active
service WEBSERVER-04
ip address H.H.H.H
redundant-index 4
protocol tcp
port 80
active
service chk-con-pix_Y.Y.Y.Y
keepalive type script ap-kal-pinglist "N.N.N.N"
ip address J.J.J.J
keepalive frequency 2
keepalive maxfailure 2
keepalive retryperiod 2
active
service chk-con-web_X
ip address K.K.K.K
keepalive type script ap-kal-pinglist "P.P.P.P"
keepalive frequency 2
keepalive maxfailure 2
keepalive retryperiod 2
active
!*************************** OWNER ***************************
owner NEW
content BACKNEW_HTTP
vip address F.F.F.F
add service WEBSERVER-03
add service WEBSERVER-04
protocol tcp
port 81
url "/*"
redundant-index 5
no persistent
active
content FRONTENDNEW_SSL
vip address F.F.F.F
protocol tcp
port 443
application ssl
add service FRONT_SSL
active
content NEW
url "//www.ABC.com/*"
vip address F.F.F.F
protocol tcp
port 80
redundant-index 4
redirect "https://ABC.com"
active
your reply on this would be highly appericated. -
RPS 2300 with single PW of 750wac ----- Help needed
hi,
I have a rps2300 plugged in with one power supply module of 750WAC.
Currently i have connected 2x2960G to it. And the RPS is able to feed the power to one 2960 at a time and brings the other port ( which is connected to the other 2960G) in disabled state ie, the port2 starts blinking amber.
How many 2960G can be connected in this state..Please advice.
I could find it written anywhere as to howmany switches i can connect to the RPS2300 with single powersupply of 750wac.
--HassanHi Philip,
I am glad it worked!
Regarding the MTU, it is kind of complicated. Your basic connection type is PPPoE that incurs 8 bytes of overhead, causing the MTU of the DSL/PPPoE to be 1500-8=1492 bytes. However, the L2TP/PPP tunnel incurs another 20 (IP) + 8 (UDP) + 8 (L2TP) + 4 (PPP) = 40 bytes. The MTU therefore drops to 1492-40=1452 bytes.
I would need to know more about the way you have determined that the fragmentation occurs beyond 1460 bytes. The outputs do not provide any hints about the occurrence of fragmentation. You also have to be aware that this test is unable to detect whether the resulting L2TP+PPP-encapsulated packets get fragmented, as they are defragmented on the L2TP access concentrator.
It is, in general, suggested that in these scenarios with more complex tunneling and encapsulation, an MTU of 1400 and TCP MSS of 1360 bytes is used, to provide for a certain reserve in maximum packet sizes.
Therefore, what I suggest is this:
On your Dialer0 interface, use ip mtu 1492 and ip tcp adjust-mss 1452 commands.
On your Virtual-PPP1 interface, use ip mtu 1400 and ip tcp adjust-mss 1360 commands.
Best regards,
Peter -
CSS 11150 and SSL module function
Hi, Pro:
There is any way I could find what ssl module could be used on CSS11150?
Thanks,there is none.
The css111xx and css110xx are not modular so you can't add or remove anything from it.
You will need a CSS115xx.
Regards,
Gilles. -
CSS 115xx and SSL module.
Good day, I have a general question on the SSL module. Currently we have a pair of CSS's handeling our external site web sites. We are starting to run out of external IP addresses, If we installed the SSL module and terminated the Certificates on the CSS would we be able to read the ssl header and utilize 1 ip for multiple ssl sites?
thx
-RichCheck the URL: Overview of CSS SSL:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/configuration/ssl/guide/overview.html
Examples of CSS SSL Configurations:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/examples.html -
CSS with no SSL offloader config
I would like to terminate both http and https to the 2 servers with stickyiness. Is the config below correct??? OR is there a better config??
owner website1
content website 1
vip address x.x.x.x
add sevices web1
add sevices web2
protocol tcp
advanced-balance sticky-srcip
active
thanksthis is correct.
Gilles. -
HTTPS ans SSL with CSS (No SSL Module)
Hi,
My customers have two server and need to load balance.
These servers initiate SSL.
and VIP address is :
https://erpappl.erp.mis.blabla.tgc:8005
My CSS has no ssl module. An dconfiguration is:
service venice
ip address 10.200.104.32
protocol tcp
port 8005
keepalive type tcp
keepalive port 8005
redundant-index 120
active
service calgary
ip address 10.200.104.33
protocol tcp
port 8005
keepalive type tcp
keepalive port 8005
redundant-index 121
active
owner ERPAPPL
content erpapp_test
add service venice
add service calgary
redundant-index 60
vip address 10.200.104.28
protocol tcp
port 8005
url "/*"
arrowpoint-cookie expiration 00:00:03:00
advanced-balance arrowpoint-cookie
application ssl
active
After this configuration I cannot reach the URL shown above.
Can you help me?if this is encrypted traffic [HTTPS] the CSS can't see the content of the packet.
So the CSS can't see the url [-> so the command url "/*" is incorrtect and should be removed] and the CSS can't see cookies [so the arrowpoint-cookie command is wrong and should be removed].
If we sell an SSL module, there is a reason :-)
The only sticky option you can use are :
- sticky based on srcip
- sticky on sslid
The first option [srcip] has a problem with mega proxy [many users being nated with the same ip] and the 2nd option has the problem that it only works with SSLV2 and that some browsers do not use the sslid.
Gilles. -
How many ssl modules are needed for a redundant configuration?
Hi, apologies but I can't seem to find a definite answer for this question. I have two css 11506's set up using vip/virtual interface redundancy (active/standby). Each css 11506 has a single ssl module.
Is this adequate for ssl redundancy? I've read in this forum that if an ssl module fails, the css will reboot causing failover to the standby css so ssl connections will simply reset and as long as I have ASR set up on the back end http content, users will not notice the failover.
Am I correct in this thinking or do you recommend using two ssl modules in each css? Thinking there is that if one ssl module fails, there will still be a 2nd module to handle ssl traffic and the css's will not failover.
Thanks
-Danthere is no need for 2 modules.
You would use 2 modules if you need more power [handle more connections].
However, your assumption is incorrect.
Nowadays, there is no device in the worl [cisco and non-cisco] that can do SSL ststeful failover.
In other words, upon failure, all SSL users will have to restart their connection.
Gilles. -
Hello
I have four servers that I want to load balance based on a URL both HTTP and HTTPS. Two are tomcat and two are IIS and I would like to use something like /jsp/* and /aspx/*. I can get the http L5 rules setup just fine but when I try and use port 443 with a layer 5 content rule I get nothing. The show flows command shows the external ip, the vip but 0.0.0.0 for the NAT IP. Is it possible to do what I'm trying to do?
my config is
service iis1
ip address 10.0.0.1
active
service iis2
ip address 10.0.0.2
active
service tomcat1
ip address 10.0.0.3
active
service tomcat2
ip address 10.0.0.4
active
owner test
content iis
vip address 10.1.1.1
url "/aspx/*"
advanced-balance arrowpoint-cookie
add service iis1
add service iis2
protocol tcp
port 80
active
content iis_ssl
vip address 10.1.1.1
url "/aspx/*"
advanced-balance ssl
application ssl
add service iis1
add service iis2
protocol tcp
port 443
active
Thanks in advance
JustinThanks for the response Giles. I've been working on doing that and I think I have it working but the problem now is that we have some apps that look to make sure the conversation is secure and redirect if not. With the SSL module, it doesn't look like the servers will ever see whether or not the user is connecting via HTTPS. Is there any way around that?
-
HTTPS Keepalive with the CSM & SSL Module
Has anyone had any success getting a secured web page for a keepalive using the CSM with and SSL module. If so can post an example?
Thank you,
DaveHi David,
Here find some full config example for your perusal for CSM and SSL Services Module Initial Configuration Example
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml
2nd config example to Configuring CSM to Load Balance SSL to a Farm of SCAs for One-Armed Proxy Mode
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801aca55.shtml
Sachin garg -
CSS 11503 SSL Module: .pfx file export to sftp
Hello
I wanted to know of there was a way to export the .pfx files off of the SSL Module to an SFTP server.....preferably in bulk not one at a time. I want a central storage location for these files in the event that the CSS or the SSL module crashes.
ThanksHi Jay,
Sure you can export the .pfx files out of the CSS but you need to do this one by one, there is no way you can get them out all at once.
To export the files you first need to define your SFTP server IP address, username and passwd:
CSS(config)# ftp-record SFTP_Server 10.10.10.1 username "password"
Once you have the file name you need to enter this command:
CSS# copy ssl sftp SFTP_Server export Certificate.pfx PKCS12 "passphrase" "password"
: This is the password used to protect the file when it was created.
: This is a local significant password on the CSS used when the file was
imported into the box.
* If you don't know these passwds you can't export the files out of the CSS.
HTH
Pablo -
Disabling SSL 3.0 closure alerts in CSM with SSL module?
Hi: I have a CSM with a SSL module. How do I disable the CSM from sending SSL closure alerts to the client?
Also is there a way to increase the amount of time the CSM waits before it send the SSL closure alert. Looks like the default is 14 seconds.
Thanks
Ravifound my answer: ssl-server 20 unclean-shutdown
-
How to Filter Initial Client HTTP Headers on a CSS11506 SSL module
Is there any way to filter the initial client headers on a css11506 ssl module ?? (software version 8.1)
This is one of the default options on the "old" SCA11000 appliances.Douglas, with an SSL module, the CSS can decrypt HTTPS traffic and see the cleartext HTTP traffic.
We can then apply any rules to the header.
I think in this case, the question refered to some data injected in the http header by the CSS and filter what data from the client certificate should be dropped or inserted.
We currently do not have this option on the CSS.
Gilles. -
Using SSL Module to Encrypt HTTP post to external Server
I would like to know if it's possible for a CSM with its SSL module to receive an HTTP POST from our internal web servers, encrypt that POST w/ SSL, and finally to forward the newly created SSL transmission to a remote external SSL server? If it is possible, is this good practice or is it better to let the web server do the encryption?
this is possible.
It is good practice if you do not want to overload your server with the heavy task of encryption/decryption.
If your server is very powerfull and far from being used to its maximum capacity, you can do it on the server.
Another advantage of using an SSL module is that the CSM will see your request in clear text and can therefore perform so *smart* loadbalancing before it gets encrypted by the SSL module.
[ie: cookie stickyness, url hashing, ...]
Regards,
Gilles. -
CSS without SSL Module needing sticky sessions
Hello All,
If anyone can help with this sticky situation I'd appreciate it.
I have a customer with a CSS11501. He does not have an SSL module installed.
He has 2 blade servers, when he adds a web site, which is accessible over SSL, the CSS load balances client requests causing lost sessions, mostly lost pop-ups, it does not want stick to the same server.
I've configured the following:-
service web1
protocol tcp
port 443
keepalive type tcp
ip address 192.168.200.50
string web1
active
service web2
rotocol tcp
port 443
eepalive type tcp
ip address 192.168.200.51
string web2
active
content SSL_Web
add service web1
add service web2
rotocol tcp
port 443
vip address 1.2.3.4
application ssl
advanced-balance sticky-srcip-dstport
active
group web_Farm
add service web1
add service web2
vip address 1.2.3.4
active
I was attempting to get the client to stick to the server but unfortunately, this didn't work, the CSS seems to continue to send requests to both servers and they are getting scripting errors.
Once the customer turns off the second blade, all is ok.
I did try adding the string value to the service and configuring 'advanced-balance arrowpoint-cookie' in the content but the clients were unable to reach any web sites.
Best Regards TonyTony,
The config looks fine other than the "application SSL" under the content rule, and right now you are probing the servers with a tcp probe on port 80. If you want the probe to be on port 443 you should add the command "keepalive port 443" to both of the services. The CSS will default to port 80 for a tcp probe.
Regards
Jim
Maybe you are looking for
-
Unable to install SQL Server 2012 along with BIDS & VS 2012 on Windows 7
Unable to install SQL Server 2012 along with BIDS & VS 2012 on Windows 7 professional. I get the below error Could not find vsjitdebugger.exe Blogs say anti-virus is stopping but I dont have one on the system. Note: I had used SQL 2008 on the system
-
I can no longer see any Notifications from my FaceBook account in the notifications area on my Mac. I have it in the Notifications Area and it is still not providing me my notifications. Any suggestions?
-
Hi, I was wonder which is the best solution to connect my iMac to my TV.
-
Oracle UCM Production instance
we are proposing the oracle UCM 11g Solution to one of my client, here i have doubt about the list of products, please correct us? 1) Oracle Database 2) Oracle Weblogic Server 3) Oracle UCM 4) Oracle HTTP Server???????????? is this required? and we a
-
hi all, 1.is it possible to write a function module in BI transformations to call a function mod. in ECC side? Then how. 2. can we create a cluster table in BI?