HTTPS ans SSL with CSS (No SSL Module)
Hi,
My customers have two server and need to load balance.
These servers initiate SSL.
and VIP address is :
https://erpappl.erp.mis.blabla.tgc:8005
My CSS has no ssl module. An dconfiguration is:
service venice
ip address 10.200.104.32
protocol tcp
port 8005
keepalive type tcp
keepalive port 8005
redundant-index 120
active
service calgary
ip address 10.200.104.33
protocol tcp
port 8005
keepalive type tcp
keepalive port 8005
redundant-index 121
active
owner ERPAPPL
content erpapp_test
add service venice
add service calgary
redundant-index 60
vip address 10.200.104.28
protocol tcp
port 8005
url "/*"
arrowpoint-cookie expiration 00:00:03:00
advanced-balance arrowpoint-cookie
application ssl
active
After this configuration I cannot reach the URL shown above.
Can you help me?
if this is encrypted traffic [HTTPS] the CSS can't see the content of the packet.
So the CSS can't see the url [-> so the command url "/*" is incorrtect and should be removed] and the CSS can't see cookies [so the arrowpoint-cookie command is wrong and should be removed].
If we sell an SSL module, there is a reason :-)
The only sticky option you can use are :
- sticky based on srcip
- sticky on sslid
The first option [srcip] has a problem with mega proxy [many users being nated with the same ip] and the 2nd option has the problem that it only works with SSLV2 and that some browsers do not use the sslid.
Gilles.
Similar Messages
-
Client Http Connection Problems With CSS
Hi,
We have a pair of CSS 11050s configured in a redundant pair. We have a content service defined on both CSS's. They are configured for Layer 5 balancing, with Sticky timout configured at Layer 4 for the respective service (I don't know if this is correct).
When doing a show service summary on both CSS boxes - the content servers are seen as alive. There do not appear to be any problems. However when clients try to connect to the content, there is often a very noticeable delay in connection.
First attempt, the http request does not reach the web server and is not displayed in the log during this delay. On first access to the login URL, no page was returned for 50 secs, no entry in the web server logs, and the browser displayed page cannot be displayed after 50 seconds. On a 2nd attempt, the same happened (again 50 secs before timeout). On the 3rd attempt, after 25 seconds the request appeared in the Apache log, and the page was displayed on the browser. I can now access all areas of the HTML based application without further delays, and subsequent logins are not subject to the same delay.
It is almost as if the CSS's need to cache information - but so far I have not managed to find any explanation for this.
Any help would be most gratefully received.Hello Rus!
I have recently experince the same issue serveral times. My fix was to reload the CSS. Not sure why this happens but it seems that all is well! Also check your "sticky-inact-timeout XX" setting in your content rule. Cisco recommed 60 min for connections to timeout. -
CSS with single SSL module.. balance option needed?
Hi all,
Quick question. If you have a CSS 11503 with one SSL offload module installed.. is there any point in using the "application ssl" and "advanced-balance ssl" options in the content rule? I can't find any info that tells me for sure but I'm guessing that these options can be used to balance between multiple ssl modules and provide stickiness to the modules etc.. but doesn't have any effect on the traffic distribution and stickiness to the backend server services?
For example if I have a L5 content rule like the one below and only one SSL module, should i remove the "application ssl" and "advanced-balance ssl" options and just use the port 80 content rule which the ssl proxy lists offloads traffic too and apply the "advanced-balance sticky-srcip-dstport" and "balance leastconn" there ?
content DEVCOM_TCP443_L5
vip address x.x.x.x
application ssl
advanced-balance ssl
protocol tcp
port 443
url "//dev.subdomain.domain.com/*"
add service ssl_module1
active
I have read various forum postings and i read the CSS SSL config guide but the examples all seem to differ in their implementation.
Many thanks
ScottYou're correct.
There is no need to specify the application type as ssl and the advanced-balance method when using a single ssl module.
Gilles. -
HTTPS Keepalive with the CSM & SSL Module
Has anyone had any success getting a secured web page for a keepalive using the CSM with and SSL module. If so can post an example?
Thank you,
DaveHi David,
Here find some full config example for your perusal for CSM and SSL Services Module Initial Configuration Example
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml
2nd config example to Configuring CSM to Load Balance SSL to a Farm of SCAs for One-Armed Proxy Mode
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801aca55.shtml
Sachin garg -
HTTPS balance without a SSL Module
I have read thru the forum and found a couple threads talking about this issue but didnt find a solution to my problem.
I have 2 CSS11503s without SSL modules. I now have a need to balance a KVMoIP system that uses ssl on the servers(currently only 5 concurrent users). My balance is simply for ease of use for my customers so they dont have to know the url for the primary and secondary servers. Here is what I have right now:
interface 1/1
bridge vlan 241
description "to users"
interface 1/2
description "to servers"
bridge vlan 700
circuit VLAN700
ip address 172.20.241.181 255.255.255.192
ip virtual-router 100 priority 1
ip redundant-interface 100 172.20.241.183
ip critical-service 100 css-up-down
ip critical-reporter 100 css-sc1
circuit VLAN241
ip address 172.20.241.71 255.255.255.192
ip virtual-router 1 priority 1
ip redundant-interface 1 172.20.241.73
ip redundant-vip 1 172.20.241.100
ip critical-service 1 css-up-down
ip critical-reporter 1 css-sc1
service obsidian
ip address 172.20.241.172
keepalive port 80
keepalive type tcp
active
owner avocent
content kvm (Does not work)
vip address 172.20.241.100
protocol tcp
port 443
add service obsidian
content kvm_80 (This works)
protocol tcp
port 80
add service obsidian
vip address 172.20.241.100
active
The http to the server works fine but the https get "The page can not be displayed" when you go to https://172.20.241.100
Thanks for any insight into this issue.Hi Gill,
thats what i?ve found:
config-owner-content) application
To specify the application type associated with the content rule, use the application command. The application type enables the CSS to correctly interpret the data stream matching the content rule and parse them. Otherwise, the data stream packets are rejected. Use the no form of this command to reset the application type to its default setting of HTTP.
application type
no application
Syntax Description
type
Application type. Enter one of the following:
?bypass - Bypasses the matching of the content rule and send the request directly to the origin server
?http (default) - Processes HTTP data streams
?ftp-control - Processes FTP data streams
?sip - Processes Session Initiation Protocol (SIP) data streams
?ssl - Processes Secure Sockets Layer (SSL) protocol data streams -
How to Filter Initial Client HTTP Headers on a CSS11506 SSL module
Is there any way to filter the initial client headers on a css11506 ssl module ?? (software version 8.1)
This is one of the default options on the "old" SCA11000 appliances.Douglas, with an SSL module, the CSS can decrypt HTTPS traffic and see the cleartext HTTP traffic.
We can then apply any rules to the header.
I think in this case, the question refered to some data injected in the http header by the CSS and filter what data from the client certificate should be dropped or inserted.
We currently do not have this option on the CSS.
Gilles. -
Using SSL Module to Encrypt HTTP post to external Server
I would like to know if it's possible for a CSM with its SSL module to receive an HTTP POST from our internal web servers, encrypt that POST w/ SSL, and finally to forward the newly created SSL transmission to a remote external SSL server? If it is possible, is this good practice or is it better to let the web server do the encryption?
this is possible.
It is good practice if you do not want to overload your server with the heavy task of encryption/decryption.
If your server is very powerfull and far from being used to its maximum capacity, you can do it on the server.
Another advantage of using an SSL module is that the CSM will see your request in clear text and can therefore perform so *smart* loadbalancing before it gets encrypted by the SSL module.
[ie: cookie stickyness, url hashing, ...]
Regards,
Gilles. -
Load Balancing with a CSM & SSL Module
I'm trying to understand the best way to balance traffic to two servers when decrypting and re-encrypting with the CSM and an SSL module. I take the SSL traffic hitting the first CSM VIP and forward to the SSL module for decryption. Send the decrypted traffic back to another VIP on the CSM. Send the traffic to the client proxy VIP on the SSL which encrypts the traffic and forwards to the CSM VIP. That final VIP passes the traffic to the serverfarm containing the actual servers. How do I make sure the traffic is balanced between the final VIP and my servers. It seems that sticking on SSL session ID is the only way to go at that point which made decryption pointless. I feel like I'm missing something basic here.
Thanks..Hi David,
Here find some full config example for your perusal for CSM and SSL Services Module Initial Configuration Example
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml
2nd config example to Configuring CSM to Load Balance SSL to a Farm of SCAs for One-Armed Proxy Mode
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801aca55.shtml
Sachin garg -
CSS without SSL Module needing sticky sessions
Hello All,
If anyone can help with this sticky situation I'd appreciate it.
I have a customer with a CSS11501. He does not have an SSL module installed.
He has 2 blade servers, when he adds a web site, which is accessible over SSL, the CSS load balances client requests causing lost sessions, mostly lost pop-ups, it does not want stick to the same server.
I've configured the following:-
service web1
protocol tcp
port 443
keepalive type tcp
ip address 192.168.200.50
string web1
active
service web2
rotocol tcp
port 443
eepalive type tcp
ip address 192.168.200.51
string web2
active
content SSL_Web
add service web1
add service web2
rotocol tcp
port 443
vip address 1.2.3.4
application ssl
advanced-balance sticky-srcip-dstport
active
group web_Farm
add service web1
add service web2
vip address 1.2.3.4
active
I was attempting to get the client to stick to the server but unfortunately, this didn't work, the CSS seems to continue to send requests to both servers and they are getting scripting errors.
Once the customer turns off the second blade, all is ok.
I did try adding the string value to the service and configuring 'advanced-balance arrowpoint-cookie' in the content but the clients were unable to reach any web sites.
Best Regards TonyTony,
The config looks fine other than the "application SSL" under the content rule, and right now you are probing the servers with a tcp probe on port 80. If you want the probe to be on port 443 you should add the command "keepalive port 443" to both of the services. The CSS will default to port 80 for a tcp probe.
Regards
Jim -
CSS 115xx and SSL module.
Good day, I have a general question on the SSL module. Currently we have a pair of CSS's handeling our external site web sites. We are starting to run out of external IP addresses, If we installed the SSL module and terminated the Certificates on the CSS would we be able to read the ssl header and utilize 1 ip for multiple ssl sites?
thx
-RichCheck the URL: Overview of CSS SSL:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/configuration/ssl/guide/overview.html
Examples of CSS SSL Configurations:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/examples.html -
CSS - 11506 - Adding New SSL Services on Single SSL Modules
Hi,
We are having one pair of CCS 11506 currently SSL services are running on slot4 with single SSL module.Now we are planning to add one more SSL application with different certificates & keys on different VIP.
Can we use the same slot4 for new application & using different certicates & keys on same SSL modules.Your reponse is appriecatedHi Sean,
Thanks for replying back just want few clarifcations in configuration part.
1. If new vlan is given for new application then how to point routes to the new vlan as default routes to exisitng vlan is already present.
2. I've prepare sample config template with details steps & let us know will it work & if changes is required kindly let us know.
1.# ftp-record ssl_record 192.168.19.21 johndoe "abc123"
/home/johndoe
2.# copy ssl sftp ssl_record import rsacert.pem PEM "passwd123"
Connecting
Completed successfully
3.# copy ssl sftp ssl_record import rsakey.pem PEM "passwd123"
Connecting
Completed successfully
4.Enter configuration mode.
# config
(config) #
4. To use RSA public key exchange and authentication:
a. Associate the imported RSA certificate with a file.
(config) # ssl associate cert myrsacert1 rsacert.pem
b. Associate the imported RSA key pair with a file.
(config) # ssl associate rsakey myrsakey1 rsakey.pem
5. Compare the public key in the associated certificate with the public key
stored with the associated private key and verify that they are identical.
(config) # ssl verify myrsacert1 myrsakey1
Certificate mycert1 matches key mykey1
ssl associate rsakey NEWKEY newkey.pem
ssl associate cert NEWCERT newcert.pem
!************************* INTERFACE *************************
interface 3/3
description "****WEB SIDE****"
bridge vlan _ID_X.X.X.X
bridge port-fast enable
interface 3/4
bridge vlan_ID_Y.Y.Y.Y
bridge port-fast enable
description "****PIX SIDE****"
!************************** CIRCUIT **************************
circuit VLAN_ID_X
ip address A.A.A.A B.B.B.0
ip virtual-router 2 priority 101 preempt
ip redundant-interface 3 C.C.C.C
ip critical-service 3 chk-con-pix_Y.Y.Y.Y
ip critical-service 3 chk-con-web_X.X.X.X
circuit VLAN_ID_Y
ip address D.D.D.D E.E.E.0
ip virtual-router 4 priority 101 preempt
ip redundant-vip 4 F.F.F.F
ip critical-service 4 chk-con-pix_Y.Y.Y.Y
ip critical-service 4 chk-con-web_X.X.X.X
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list NEW
ssl-server 20
ssl-server 20 vip address F.F.F.F
ssl-server 20 cipher rsa-with-rc4-128-sha F.F.F.F 81
ssl-server 20 cipher rsa-with-rc4-128-md5 F.F.F.F 81
ssl-server 20 rsacert NEWCERT
ssl-server 20 rsakey NEWKEY
active
!************************** SERVICE **************************
service FRONT_SSL
type ssl-accel
slot 4
keepalive type none
add ssl-proxy-list NEW
active
service WEBSERVER-03
ip address G.G.G.G
redundant-index 3
protocol tcp
port 80
active
service WEBSERVER-04
ip address H.H.H.H
redundant-index 4
protocol tcp
port 80
active
service chk-con-pix_Y.Y.Y.Y
keepalive type script ap-kal-pinglist "N.N.N.N"
ip address J.J.J.J
keepalive frequency 2
keepalive maxfailure 2
keepalive retryperiod 2
active
service chk-con-web_X
ip address K.K.K.K
keepalive type script ap-kal-pinglist "P.P.P.P"
keepalive frequency 2
keepalive maxfailure 2
keepalive retryperiod 2
active
!*************************** OWNER ***************************
owner NEW
content BACKNEW_HTTP
vip address F.F.F.F
add service WEBSERVER-03
add service WEBSERVER-04
protocol tcp
port 81
url "/*"
redundant-index 5
no persistent
active
content FRONTENDNEW_SSL
vip address F.F.F.F
protocol tcp
port 443
application ssl
add service FRONT_SSL
active
content NEW
url "//www.ABC.com/*"
vip address F.F.F.F
protocol tcp
port 80
redundant-index 4
redirect "https://ABC.com"
active
your reply on this would be highly appericated. -
Disabling SSL 3.0 closure alerts in CSM with SSL module?
Hi: I have a CSM with a SSL module. How do I disable the CSM from sending SSL closure alerts to the client?
Also is there a way to increase the amount of time the CSM waits before it send the SSL closure alert. Looks like the default is 14 seconds.
Thanks
Ravifound my answer: ssl-server 20 unclean-shutdown
-
Backend Encryption with SSL module & Self Signed Cert
I am trying to configure backend encryption using the SSL module to communicate with a server using a self signed certificate. I configured Authenticate verify none. I have not copied any cert info from the server. Do I need to? The SSL module is complaining about an invalid cert. My config is basic.
service test-service-cf8-be client
virtual ipaddr 10.6.1.20 protocol tcp port 80
server ipaddr 10.6.1.22 protocol tcp port 443
log-auth-failures
authenticate verify none
inservice
Thanks,
DaveYes it was up and a debug showed an invalid cert message when the service was hit. The answer turned out to be that you still need to import the root CA from the server so that the SSL mod has something to verify the cert against.
Thanks.. -
CSS 11503 SSL Module: .pfx file export to sftp
Hello
I wanted to know of there was a way to export the .pfx files off of the SSL Module to an SFTP server.....preferably in bulk not one at a time. I want a central storage location for these files in the event that the CSS or the SSL module crashes.
ThanksHi Jay,
Sure you can export the .pfx files out of the CSS but you need to do this one by one, there is no way you can get them out all at once.
To export the files you first need to define your SFTP server IP address, username and passwd:
CSS(config)# ftp-record SFTP_Server 10.10.10.1 username "password"
Once you have the file name you need to enter this command:
CSS# copy ssl sftp SFTP_Server export Certificate.pfx PKCS12 "passphrase" "password"
: This is the password used to protect the file when it was created.
: This is a local significant password on the CSS used when the file was
imported into the box.
* If you don't know these passwds you can't export the files out of the CSS.
HTH
Pablo -
CSS 11150 and SSL module function
Hi, Pro:
There is any way I could find what ssl module could be used on CSS11150?
Thanks,there is none.
The css111xx and css110xx are not modular so you can't add or remove anything from it.
You will need a CSS115xx.
Regards,
Gilles.
Maybe you are looking for
-
For some reason my iPhone 4 won't take incoming calls and everytime someone phones me it goes straight to voicemail what's gone wrong??
-
Camera lock screen iPhone 5S not working properly after upgrade to iOS 8.1.3
Actually, i upgrade my iPhone to 8.1.3. What i am trying achieve is, when my iPhone is locked i just need to access my camera without login. When i open camera when my iPhone is locked, camera displays for 2 seconds and then my screen will be black.
-
How do i combine more than 12 pages onto 1 pdf file?
I need to combine more than 12 pages onto one pdf, How do I do that?
-
Problems publishing in Edge.
When I want to publish and I go to file>publish the word publish stays grayed out. How can I activate this? Thanks.
-
Hello together, I try to load COPA hierarchies using the "How to" paper. What I don't understand is: do I have to create manual hierarchies using transaction KES3? Or should I create an abap program to fill tables like TKCHH and so on.. where data fo