CSS with single SSL module.. balance option needed?

Hi all,
Quick question. If you have a CSS 11503 with one SSL offload module installed.. is there any point in using the "application ssl" and "advanced-balance ssl" options in the content rule? I can't find any info that tells me for sure but I'm guessing that these options can be used to balance between multiple ssl modules and provide stickiness to the modules etc.. but doesn't have any effect on the traffic distribution and stickiness to the backend server services?
For example if I have a L5 content rule like the one below and only one SSL module, should i remove the "application ssl" and "advanced-balance ssl" options and just use the port 80 content rule which the ssl proxy lists offloads traffic too and apply the "advanced-balance sticky-srcip-dstport" and "balance leastconn" there ?
  content DEVCOM_TCP443_L5
    vip address x.x.x.x
    application ssl
    advanced-balance ssl
    protocol tcp
    port 443
    url "//dev.subdomain.domain.com/*"
    add service ssl_module1
    active
I have read various forum postings and i read the CSS SSL config guide but the examples all seem to differ in their implementation.
Many thanks
Scott

You're correct.
There is no need to specify the application type as ssl and the advanced-balance method when using a single ssl module.
Gilles.

Similar Messages

  • CSS - 11506 - Adding New SSL Services on Single SSL Modules

    Hi,
    We are having one pair of CCS 11506 currently SSL services are running on slot4 with single SSL module.Now we are planning to add one more SSL application with different certificates & keys on different VIP.
    Can we use the same slot4 for new application & using different certicates & keys on same SSL modules.Your reponse is appriecated

    Hi Sean,
    Thanks for replying back just want few clarifcations in configuration part.
    1. If new vlan is given for new application then how to point routes to the new vlan as default routes to exisitng vlan is already present.
    2. I've prepare sample config template with details steps & let us know will it work & if changes is required kindly let us know.
    1.# ftp-record ssl_record 192.168.19.21 johndoe "abc123"
    /home/johndoe
    2.# copy ssl sftp ssl_record import rsacert.pem PEM "passwd123"
    Connecting
    Completed successfully
    3.# copy ssl sftp ssl_record import rsakey.pem PEM "passwd123"
    Connecting
    Completed successfully
    4.Enter configuration mode.
    # config
    (config) #
    4. To use RSA public key exchange and authentication:
    a. Associate the imported RSA certificate with a file.
    (config) # ssl associate cert myrsacert1 rsacert.pem
    b. Associate the imported RSA key pair with a file.
    (config) # ssl associate rsakey myrsakey1 rsakey.pem
    5. Compare the public key in the associated certificate with the public key
    stored with the associated private key and verify that they are identical.
    (config) # ssl verify myrsacert1 myrsakey1
    Certificate mycert1 matches key mykey1
    ssl associate rsakey NEWKEY newkey.pem
    ssl associate cert NEWCERT newcert.pem
    !************************* INTERFACE *************************
    interface 3/3
    description "****WEB SIDE****"
    bridge vlan _ID_X.X.X.X
    bridge port-fast enable
    interface 3/4
    bridge vlan_ID_Y.Y.Y.Y
    bridge port-fast enable
    description "****PIX SIDE****"
    !************************** CIRCUIT **************************
    circuit VLAN_ID_X
    ip address A.A.A.A B.B.B.0
    ip virtual-router 2 priority 101 preempt
    ip redundant-interface 3 C.C.C.C
    ip critical-service 3 chk-con-pix_Y.Y.Y.Y
    ip critical-service 3 chk-con-web_X.X.X.X
    circuit VLAN_ID_Y
    ip address D.D.D.D E.E.E.0
    ip virtual-router 4 priority 101 preempt
    ip redundant-vip 4 F.F.F.F
    ip critical-service 4 chk-con-pix_Y.Y.Y.Y
    ip critical-service 4 chk-con-web_X.X.X.X
    !*********************** SSL PROXY LIST ***********************
    ssl-proxy-list NEW
    ssl-server 20
    ssl-server 20 vip address F.F.F.F
    ssl-server 20 cipher rsa-with-rc4-128-sha F.F.F.F 81
    ssl-server 20 cipher rsa-with-rc4-128-md5 F.F.F.F 81
    ssl-server 20 rsacert NEWCERT
    ssl-server 20 rsakey NEWKEY
    active
    !************************** SERVICE **************************
    service FRONT_SSL
    type ssl-accel
    slot 4
    keepalive type none
    add ssl-proxy-list NEW
    active
    service WEBSERVER-03
    ip address G.G.G.G
    redundant-index 3
    protocol tcp
    port 80
    active
    service WEBSERVER-04
    ip address H.H.H.H
    redundant-index 4
    protocol tcp
    port 80
    active
    service chk-con-pix_Y.Y.Y.Y
    keepalive type script ap-kal-pinglist "N.N.N.N"
    ip address J.J.J.J
    keepalive frequency 2
    keepalive maxfailure 2
    keepalive retryperiod 2
    active
    service chk-con-web_X
    ip address K.K.K.K
    keepalive type script ap-kal-pinglist "P.P.P.P"
    keepalive frequency 2
    keepalive maxfailure 2
    keepalive retryperiod 2
    active
    !*************************** OWNER ***************************
    owner NEW
    content BACKNEW_HTTP
    vip address F.F.F.F
    add service WEBSERVER-03
    add service WEBSERVER-04
    protocol tcp
    port 81
    url "/*"
    redundant-index 5
    no persistent
    active
    content FRONTENDNEW_SSL
    vip address F.F.F.F
    protocol tcp
    port 443
    application ssl
    add service FRONT_SSL
    active
    content NEW
    url "//www.ABC.com/*"
    vip address F.F.F.F
    protocol tcp
    port 80
    redundant-index 4
    redirect "https://ABC.com"
    active
    your reply on this would be highly appericated.

  • RPS 2300 with single PW of 750wac ----- Help needed

    hi,
    I have a rps2300 plugged in with one power supply module of 750WAC.
    Currently i have connected 2x2960G to it. And the RPS is able to feed the power to one 2960 at a time and brings the other port ( which is connected to the other 2960G) in disabled state ie, the port2 starts blinking amber.
    How many 2960G can be connected in this state..Please advice.
    I could find it written anywhere as to howmany switches i can connect to the RPS2300 with single powersupply of 750wac.
    --Hassan

    Hi Philip,
    I am glad it worked!
    Regarding the MTU, it is kind of complicated. Your basic connection type is PPPoE that incurs 8 bytes of overhead, causing the MTU of the DSL/PPPoE to be 1500-8=1492 bytes. However, the L2TP/PPP tunnel incurs another 20 (IP) + 8 (UDP) + 8 (L2TP) + 4 (PPP) = 40 bytes. The MTU therefore drops to 1492-40=1452 bytes.
    I would need to know more about the way you have determined that the fragmentation occurs beyond 1460 bytes. The outputs do not provide any hints about the occurrence of fragmentation. You also have to be aware that this test is unable to detect whether the resulting L2TP+PPP-encapsulated packets get fragmented, as they are defragmented on the L2TP access concentrator.
    It is, in general, suggested that in these scenarios with more complex tunneling and encapsulation, an MTU of 1400 and TCP MSS of 1360 bytes is used, to provide for a certain reserve in maximum packet sizes.
    Therefore, what I suggest is this:
    On your Dialer0 interface, use ip mtu 1492 and ip tcp adjust-mss 1452 commands.
    On your Virtual-PPP1 interface, use ip mtu 1400 and ip tcp adjust-mss 1360 commands.
    Best regards,
    Peter

  • CSS 11150 and SSL module function

    Hi, Pro:
    There is any way I could find what ssl module could be used on CSS11150?
    Thanks,

    there is none.
    The css111xx and css110xx are not modular so you can't add or remove anything from it.
    You will need a CSS115xx.
    Regards,
    Gilles.

  • CSS 115xx and SSL module.

    Good day, I have a general question on the SSL module. Currently we have a pair of CSS's handeling our external site web sites. We are starting to run out of external IP addresses, If we installed the SSL module and terminated the Certificates on the CSS would we be able to read the ssl header and utilize 1 ip for multiple ssl sites?
    thx
    -Rich

    Check the URL: Overview of CSS SSL:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/configuration/ssl/guide/overview.html
    Examples of CSS SSL Configurations:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/examples.html

  • CSS with no SSL offloader config

    I would like to terminate both http and https to the 2 servers with stickyiness. Is the config below correct??? OR is there a better config??
    owner website1
    content website 1
    vip address x.x.x.x
    add sevices web1
    add sevices web2
    protocol tcp
    advanced-balance sticky-srcip
    active
    thanks

    this is correct.
    Gilles.

  • HTTPS ans SSL with CSS (No SSL Module)

    Hi,
    My customers have two server and need to load balance.
    These servers initiate SSL.
    and VIP address is :
    https://erpappl.erp.mis.blabla.tgc:8005
    My CSS has no ssl module. An dconfiguration is:
    service venice
    ip address 10.200.104.32
    protocol tcp
    port 8005
    keepalive type tcp
    keepalive port 8005
    redundant-index 120
    active
    service calgary
    ip address 10.200.104.33
    protocol tcp
    port 8005
    keepalive type tcp
    keepalive port 8005
    redundant-index 121
    active
    owner ERPAPPL
    content erpapp_test
    add service venice
    add service calgary
    redundant-index 60
    vip address 10.200.104.28
    protocol tcp
    port 8005
    url "/*"
    arrowpoint-cookie expiration 00:00:03:00
    advanced-balance arrowpoint-cookie
    application ssl
    active
    After this configuration I cannot reach the URL shown above.
    Can you help me?

    if this is encrypted traffic [HTTPS] the CSS can't see the content of the packet.
    So the CSS can't see the url [-> so the command url "/*" is incorrtect and should be removed] and the CSS can't see cookies [so the arrowpoint-cookie command is wrong and should be removed].
    If we sell an SSL module, there is a reason :-)
    The only sticky option you can use are :
    - sticky based on srcip
    - sticky on sslid
    The first option [srcip] has a problem with mega proxy [many users being nated with the same ip] and the 2nd option has the problem that it only works with SSLV2 and that some browsers do not use the sslid.
    Gilles.

  • How many ssl modules are needed for a redundant configuration?

    Hi, apologies but I can't seem to find a definite answer for this question. I have two css 11506's set up using vip/virtual interface redundancy (active/standby). Each css 11506 has a single ssl module.
    Is this adequate for ssl redundancy? I've read in this forum that if an ssl module fails, the css will reboot causing failover to the standby css so ssl connections will simply reset and as long as I have ASR set up on the back end http content, users will not notice the failover.
    Am I correct in this thinking or do you recommend using two ssl modules in each css? Thinking there is that if one ssl module fails, there will still be a 2nd module to handle ssl traffic and the css's will not failover.
    Thanks
    -Dan

    there is no need for 2 modules.
    You would use 2 modules if you need more power [handle more connections].
    However, your assumption is incorrect.
    Nowadays, there is no device in the worl [cisco and non-cisco] that can do SSL ststeful failover.
    In other words, upon failure, all SSL users will have to restart their connection.
    Gilles.

  • CSS SSL L5 balancing

    Hello
    I have four servers that I want to load balance based on a URL both HTTP and HTTPS. Two are tomcat and two are IIS and I would like to use something like /jsp/* and /aspx/*. I can get the http L5 rules setup just fine but when I try and use port 443 with a layer 5 content rule I get nothing. The show flows command shows the external ip, the vip but 0.0.0.0 for the NAT IP. Is it possible to do what I'm trying to do?
    my config is
    service iis1
    ip address 10.0.0.1
    active
    service iis2
    ip address 10.0.0.2
    active
    service tomcat1
    ip address 10.0.0.3
    active
    service tomcat2
    ip address 10.0.0.4
    active
    owner test
    content iis
    vip address 10.1.1.1
    url "/aspx/*"
    advanced-balance arrowpoint-cookie
    add service iis1
    add service iis2
    protocol tcp
    port 80
    active
    content iis_ssl
    vip address 10.1.1.1
    url "/aspx/*"
    advanced-balance ssl
    application ssl
    add service iis1
    add service iis2
    protocol tcp
    port 443
    active
    Thanks in advance
    Justin

    Thanks for the response Giles. I've been working on doing that and I think I have it working but the problem now is that we have some apps that look to make sure the conversation is secure and redirect if not. With the SSL module, it doesn't look like the servers will ever see whether or not the user is connecting via HTTPS. Is there any way around that?

  • HTTPS Keepalive with the CSM & SSL Module

    Has anyone had any success getting a secured web page for a keepalive using the CSM with and SSL module. If so can post an example?
    Thank you,
    Dave

    Hi David,
    Here find some full config example for your perusal for CSM and SSL Services Module Initial Configuration Example
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml
    2nd config example to Configuring CSM to Load Balance SSL to a Farm of SCAs for One-Armed Proxy Mode
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801aca55.shtml
    Sachin garg

  • CSS 11503 SSL Module: .pfx file export to sftp

    Hello
    I wanted to know of there was a way to export the .pfx files off of the SSL Module to an SFTP server.....preferably in bulk not one at a time.  I want a central storage location for these files in the event that the CSS or the SSL module crashes.
    Thanks

    Hi Jay,
    Sure you can export the .pfx files out of the CSS but you need to do this one by one, there is no way you can get them out all at once.
    To export the files you first need to define your SFTP server IP address, username and passwd:
    CSS(config)# ftp-record SFTP_Server 10.10.10.1 username "password"
    Once you have the file name you need to enter this command:
    CSS# copy ssl sftp SFTP_Server export Certificate.pfx PKCS12 "passphrase" "password"
    : This is the password used to protect the file when it was created.
    : This is a local significant password on the CSS used when the file was
                imported into the box.
    * If you don't know these passwds you can't export the files out of the CSS.
    HTH
    Pablo

  • Disabling SSL 3.0 closure alerts in CSM with SSL module?

    Hi: I have a CSM with a SSL module. How do I disable the CSM from sending SSL closure alerts to the client?
    Also is there a way to increase the amount of time the CSM waits before it send the SSL closure alert. Looks like the default is 14 seconds.
    Thanks
    Ravi

    found my answer: ssl-server 20 unclean-shutdown

  • How to Filter Initial Client HTTP Headers on a CSS11506 SSL module

    Is there any way to filter the initial client headers on a css11506 ssl module ?? (software version 8.1)
    This is one of the default options on the "old" SCA11000 appliances.

    Douglas, with an SSL module, the CSS can decrypt HTTPS traffic and see the cleartext HTTP traffic.
    We can then apply any rules to the header.
    I think in this case, the question refered to some data injected in the http header by the CSS and filter what data from the client certificate should be dropped or inserted.
    We currently do not have this option on the CSS.
    Gilles.

  • Using SSL Module to Encrypt HTTP post to external Server

    I would like to know if it's possible for a CSM with its SSL module to receive an HTTP POST from our internal web servers, encrypt that POST w/ SSL, and finally to forward the newly created SSL transmission to a remote external SSL server? If it is possible, is this good practice or is it better to let the web server do the encryption?

    this is possible.
    It is good practice if you do not want to overload your server with the heavy task of encryption/decryption.
    If your server is very powerfull and far from being used to its maximum capacity, you can do it on the server.
    Another advantage of using an SSL module is that the CSM will see your request in clear text and can therefore perform so *smart* loadbalancing before it gets encrypted by the SSL module.
    [ie: cookie stickyness, url hashing, ...]
    Regards,
    Gilles.

  • CSS without SSL Module needing sticky sessions

    Hello All,
    If anyone can help with this sticky situation I'd appreciate it.
    I have a customer with a CSS11501. He does not have an SSL module installed.
    He has 2 blade servers, when he adds a web site, which is accessible over SSL, the CSS load balances client requests causing lost sessions, mostly lost pop-ups, it does not want stick to the same server.
    I've configured the following:-
    service web1
    protocol tcp
    port 443
    keepalive type tcp
    ip address 192.168.200.50
    string web1
    active
    service web2
    rotocol tcp
    port 443
    eepalive type tcp
    ip address 192.168.200.51
    string web2
    active
    content SSL_Web
    add service web1
    add service web2
    rotocol tcp
    port 443
    vip address 1.2.3.4
    application ssl
    advanced-balance sticky-srcip-dstport
    active
    group web_Farm
      add service web1
      add service web2
      vip address 1.2.3.4
      active
    I was attempting to get the client to stick to the server but unfortunately, this didn't work, the CSS seems to continue to send requests to both servers and they are getting scripting errors.
    Once the customer turns off the second blade, all is ok.
    I did try adding the string value to the service and configuring 'advanced-balance arrowpoint-cookie' in the content but the clients were unable to reach any web sites.
    Best Regards Tony

    Tony,
    The config looks fine other than the "application SSL" under the content rule, and right now you are probing the servers with a tcp probe on port 80. If you want the probe to be on port 443 you should add the command "keepalive port 443" to both of the services. The CSS will default to port 80 for a tcp probe.
    Regards
    Jim

Maybe you are looking for