Re: CS11152 SSL Not working [7:36505]
I came up with the following solution in case anyone else runs into this problem. Instead of ICMP it does a connect to port 443 on the webserver and sends an RST after it verifies the socket is open. Not the perfect solution, but it can detect when the web service fails. It's been tested and works well.

service svc-w1.test-secure
  ip address 10.10.10.41
  port 443
  keepalive method get
  keepalive type tcp
  keepalive port 443
  active

service svc-w2.test-secure
  ip address 10.10.10.42
  port 443
  keepalive method get
  keepalive type tcp
  keepalive port 443
  active

content cnt-www.cobrand-secure
  protocol tcp
  port 443
  balance aca
  url /*
  add service svc-w1.test-secure
  add service svc-w2.test-secure
  vip address 172.16.243.40
  application ssl
  active

sam sneed wrote in message news:[EMAIL PROTECTED]...

> Hello group,
>
> I am trying to get a CS11152 (old arrowpoint) to load balance SSL connections to 2 servers but it is not working. SSL works on the servers and if I change my DNS so traffic does not go to the CS11252 VIP address but simply routes through it to the servers the public can get an SSL connection to my server. (Please note I am using public IP addresses on the servers' NIC and as a VIP.)
>
> When I do a show services summary it tells me the service is down:
>
> svc-w1.test-secure  Down  0  1  255  0
> svc-w2.test-secure  Down  0  1  255  0
>
> Can anyone see what I'm doing wrong?
>
> Here is the services/content configs:
>
> service svc-w1.test-secure
>   ip address 10.10.10.41
>   port 443
>   keepalive type http
>   keepalive method get
>   keepalive uri /http-ping.html
>   active
>
> service svc-w2.test-secure
>   ip address 10.10.10.42
>   port 443
>   keepalive type http
>   keepalive method get
>   keepalive uri /http-ping.html
>   active
>
> content cnt-www.test-secure
>   protocol tcp
>   port 443
>   balance aca
>   url /*
>   add service svc-w1.test-secure
>   add service svc-w2.test-secure
>   vip address 172.16.243.40
>   active

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36720t=36505
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: CS11152 SSL Not working [7:36505]
Could this have something to do with your keepalive setting? Have you tried using a standard ping keepalive to see if that helps? I wasn't aware that you could use the http keepalive on port 443 with this box.

John

sam sneed 2/26/02 9:23:04 AM

> Hello group,
>
> I am trying to get a CS11152 (old arrowpoint) to load balance SSL connections to 2 servers but it is not working. SSL works on the servers and if I change my DNS so traffic does not go to the CS11252 VIP address but simply routes through it to the servers the public can get an SSL connection to my server. (Please note I am using public IP addresses on the servers' NIC and as a VIP.)
>
> When I do a show services summary it tells me the service is down:
>
> svc-w1.test-secure  Down  0  1  255  0
> svc-w2.test-secure  Down  0  1  255  0
>
> Can anyone see what I'm doing wrong?
>
> Here is the services/content configs:
>
> service svc-w1.test-secure
>   ip address 10.10.10.41
>   port 443
>   keepalive type http
>   keepalive method get
>   keepalive uri /http-ping.html
>   active
>
> service svc-w2.test-secure
>   ip address 10.10.10.42
>   port 443
>   keepalive type http
>   keepalive method get
>   keepalive uri /http-ping.html
>   active
>
> content cnt-www.test-secure
>   protocol tcp
>   port 443
>   balance aca
>   url /*
>   add service svc-w1.test-secure
>   add service svc-w2.test-secure
>   vip address 172.16.243.40
>   active

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36509t=36505
Re: CS11152 SSL Not working [7:36505]
I was thinking the same thing but I did not try that. My problem with that is if the HTTP service fails and SSL goes down with it, the ping will still show the server as available and forward requests to it. You think there is some way I could specify the keepalive with a port # instead of type http?

John Neiberger wrote in message news:[EMAIL PROTECTED]...

> Could this have something to do with your keepalive setting? Have you tried using a standard ping keepalive to see if that helps? I wasn't aware that you could use the http keepalive on port 443 with this box.
>
> John
>
> sam sneed 2/26/02 9:23:04 AM
>
>> Hello group,
>>
>> I am trying to get a CS11152 (old arrowpoint) to load balance SSL connections to 2 servers but it is not working. SSL works on the servers and if I change my DNS so traffic does not go to the CS11252 VIP address but simply routes through it to the servers the public can get an SSL connection to my server. (Please note I am using public IP addresses on the servers' NIC and as a VIP.)
>>
>> When I do a show services summary it tells me the service is down:
>>
>> svc-w1.test-secure  Down  0  1  255  0
>> svc-w2.test-secure  Down  0  1  255  0
>>
>> Can anyone see what I'm doing wrong?
>>
>> Here is the services/content configs:
>>
>> service svc-w1.test-secure
>>   ip address 10.10.10.41
>>   port 443
>>   keepalive type http
>>   keepalive method get
>>   keepalive uri /http-ping.html
>>   active
>>
>> service svc-w2.test-secure
>>   ip address 10.10.10.42
>>   port 443
>>   keepalive type http
>>   keepalive method get
>>   keepalive uri /http-ping.html
>>   active
>>
>> content cnt-www.test-secure
>>   protocol tcp
>>   port 443
>>   balance aca
>>   url /*
>>   add service svc-w1.test-secure
>>   add service svc-w2.test-secure
>>   vip address 172.16.243.40
>>   active

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36511t=36505
Re: CS11152 SSL Not working [7:36505]
We have the same issue here, but since our physical web servers run both a secure and unsecure site, we simply use ping for the secure service and an http get for the unsecure service. If we see the unsecure site go down, we know users won't be able to get to the secure site either. If it were possible we could get away with turning off keepalives on the secure site since it's kind of pointless. I believe it's possible to set up scripted keepalives where the CSS actually logs into your secure site but that's way too much work. :-)

John

sam sneed 2/26/02 9:58:54 AM

> I was thinking the same thing but I did not try that. My problem with that is if the HTTP service fails and SSL goes down with it, the ping will still show the server as available and forward requests to it. You think there is some way I could specify the keepalive with a port # instead of type http?
>
> John Neiberger wrote in message news:[EMAIL PROTECTED]...
>
>> Could this have something to do with your keepalive setting? Have you tried using a standard ping keepalive to see if that helps? I wasn't aware that you could use the http keepalive on port 443 with this box.
>>
>> John
>>
>> sam sneed 2/26/02 9:23:04 AM
>>
>>> Hello group,
>>>
>>> I am trying to get a CS11152 (old arrowpoint) to load balance SSL connections to 2 servers but it is not working. SSL works on the servers and if I change my DNS so traffic does not go to the CS11252 VIP address but simply routes through it to the servers the public can get an SSL connection to my server. (Please note I am using public IP addresses on the servers' NIC and as a VIP.)
>>>
>>> When I do a show services summary it tells me the service is down:
>>>
>>> svc-w1.test-secure  Down  0  1  255  0
>>> svc-w2.test-secure  Down  0  1  255  0
>>>
>>> Can anyone see what I'm doing wrong?
>>>
>>> Here is the services/content configs:
>>>
>>> service svc-w1.test-secure
>>>   ip address 10.10.10.41
>>>   port 443
>>>   keepalive type http
>>>   keepalive method get
>>>   keepalive uri /http-ping.html
>>>   active
>>>
>>> service svc-w2.test-secure
>>>   ip address 10.10.10.42
>>>   port 443
>>>   keepalive type http
>>>   keepalive method get
>>>   keepalive uri /http-ping.html
>>>   active
>>>
>>> content cnt-www.test-secure
>>>   protocol tcp
>>>   port 443
>>>   balance aca
>>>   url /*
>>>   add service svc-w1.test-secure
>>>   add service svc-w2.test-secure
>>>   vip address 172.16.243.40
>>>   active

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36514t=36505
Re: CS11152 SSL Not working [7:36505]
I see what you're saying but we have a couple dedicated servers for secure transactions. There's gotta be an easier way to do this without writing the scripts. I'm gonna stay on it till I find it and I'll post the config once I get it working, hopefully by the end of the day. Thanks for the input.

John Neiberger wrote in message news:[EMAIL PROTECTED]...

> We have the same issue here, but since our physical web servers run both a secure and unsecure site, we simply use ping for the secure service and an http get for the unsecure service. If we see the unsecure site go down, we know users won't be able to get to the secure site either. If it were possible we could get away with turning off keepalives on the secure site since it's kind of pointless. I believe it's possible to set up scripted keepalives where the CSS actually logs into your secure site but that's way too much work. :-)
>
> John
>
> sam sneed 2/26/02 9:58:54 AM
>
>> I was thinking the same thing but I did not try that. My problem with that is if the HTTP service fails and SSL goes down with it, the ping will still show the server as available and forward requests to it. You think there is some way I could specify the keepalive with a port # instead of type http?
>>
>> John Neiberger wrote in message news:[EMAIL PROTECTED]...
>>
>>> Could this have something to do with your keepalive setting? Have you tried using a standard ping keepalive to see if that helps? I wasn't aware that you could use the http keepalive on port 443 with this box.
>>>
>>> John
>>>
>>> sam sneed 2/26/02 9:23:04 AM
>>>
>>>> Hello group,
>>>>
>>>> I am trying to get a CS11152 (old arrowpoint) to load balance SSL connections to 2 servers but it is not working. SSL works on the servers and if I change my DNS so traffic does not go to the CS11252 VIP address but simply routes through it to the servers the public can get an SSL connection to my server. (Please note I am using public IP addresses on the servers' NIC and as a VIP.)
>>>>
>>>> When I do a show services summary it tells me the service is down:
>>>>
>>>> svc-w1.test-secure  Down  0  1  255  0
>>>> svc-w2.test-secure  Down  0  1  255  0
>>>>
>>>> Can anyone see what I'm doing wrong?
>>>>
>>>> Here is the services/content configs:
>>>>
>>>> service svc-w1.test-secure
>>>>   ip address 10.10.10.41
>>>>   port 443
>>>>   keepalive type http
>>>>   keepalive method get
>>>>   keepalive uri /http-ping.html
>>>>   active
>>>>
>>>> service svc-w2.test-secure
>>>>   ip address 10.10.10.42
>>>>   port 443
>>>>   keepalive type http
>>>>   keepalive method get
>>>>   keepalive uri /http-ping.html
>>>>   active
>>>>
>>>> content cnt-www.test-secure
>>>>   protocol tcp
>>>>   port 443
>>>>   balance aca
>>>>   url /*
>>>>   add service svc-w1.test-secure
>>>>   add service svc-w2.test-secure
>>>>   vip address 172.16.243.40
>>>>   active

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36519t=36505
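
The keepalive behaviour worked out in this thread, as an added example that is not part of any post: a Python sketch of why a plaintext HTTP probe reports an SSL-only port as Down while a TCP connect probe follows the listener's state. The backend is a constructed local stand-in for a server's port 443, the function names are hypothetical, and it assumes `keepalive type http` sends an unencrypted GET.

```python
import socket
import threading

def tls_only_backend(srv, stop):
    """Constructed stand-in for an SSL listener: never answers plaintext HTTP."""
    srv.settimeout(0.1)
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        with conn:
            conn.settimeout(1)
            try:
                conn.recv(1)     # a TLS record would start with 0x16, not "G"
            except OSError:
                pass             # handshake not modelled: the connection is closed

def tcp_keepalive(host, port, timeout=1.0):
    """Like 'keepalive type tcp': up if the TCP connect succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True          # closed normally here; the post describes an RST
    except OSError:
        return False

def http_keepalive(host, port, uri, timeout=1.0):
    """Like 'keepalive type http' (assumed plaintext): up only on a 200 reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"GET {uri} HTTP/1.0\r\n\r\n".encode())
            status = s.recv(64)
    except OSError:
        return False
    return status.startswith(b"HTTP/1.") and b" 200" in status[:16]

def demo():
    srv = socket.create_server(("127.0.0.1", 0))   # ephemeral port stands in for 443
    host, port = srv.getsockname()
    stop = threading.Event()
    t = threading.Thread(target=tls_only_backend, args=(srv, stop))
    t.start()
    http_up = http_keepalive(host, port, "/http-ping.html")
    tcp_up = tcp_keepalive(host, port)
    stop.set(); t.join(); srv.close()   # web service stops; the host would still ping
    return {"http": http_up, "tcp": tcp_up, "tcp_after_stop": tcp_keepalive(host, port)}

if __name__ == "__main__":
    print(demo())
```

A probe that also completes the TLS handshake and requests a page over HTTPS would catch a listener that accepts connections but cannot serve content, which the TCP check cannot see.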