Looking for help with a sticky setting on a CSS Content Switch.
I have 3 web servers which connect to a SQL2K application that clients connect to via the CSS using SSL. The CSS has an SSL module which decrypts the traffic and sends HTTP to the web servers. The issue is that if I have more than one web server running, the sessions don't appear to stick to the server and SQL session. I don't think I can set an advanced balance cookie rule, as the cookie would get stripped out when the HTTP gets converted back to HTTPS and sent to the client. The web servers are running HTTP, so I don't think using application ssl and advanced balance ssl would work in the rule either, as no SSL is coming off the back side of the CSS to the web servers. I currently have a balance aca rule running which spreads the load across the web servers very well, but clients can't seem to stay stuck to the original sessions. I'm also not sure if everything is in the right place in the config. I am posting my current config below. Any insight would be greatly appreciated.
CSS11503# sh run
!Generated on 07/19/2005 17:01:08
!Active version: sg0730106

configure

!*************************** GLOBAL ***************************
  logging commands enable
  logging buffer 4096

  ssl associate cert myrsacert circert.pem
  ssl associate rsakey myrsakey1 cirrsakey.pem

  ip route 0.0.0.0 0.0.0.0 222.222.222.1 1

!************************* INTERFACE *************************
interface 1/1
  description "Outside"

interface 1/2
  description "Inside"
  bridge vlan 10

!************************** CIRCUIT **************************
circuit VLAN1
  description "Outside"

  ip address 222.222.222.254 255.255.255.0

circuit VLAN10
  description "Inside"

  ip address 10.20.1.254 255.255.255.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list ssl_list1
  ssl-server 20
  ssl-server 20 vip address 222.222.222.15
  ssl-server 20 rsacert myrsacert
  ssl-server 20 rsakey myrsakey1
  ssl-server 20 cipher rsa-with-rc4-128-sha 222.222.222.15 80
  ssl-server 20 urlrewrite 1 the-222-app.com
  active

!************************** SERVICE **************************
service FTP1
  ip address 10.20.1.1
  port 20
  protocol tcp
  active

service FTP2
  port 21
  protocol tcp
  ip address 10.20.1.5
  active

service SQL1
  ip address 10.20.1.10
  port 1433
  protocol tcp
  active

service Web1
  ip address 10.20.1.1
  port 80
  active

service Web2
  ip address 10.20.1.2
  port 80

service Web3
  ip address 10.20.1.3
  port 80

service Web4
  ip address 10.20.1.4

service ssl_serv1
  add ssl-proxy-list ssl_list1
  type ssl-accel
  slot 2
  keepalive type none
  active

service win2k_http
  ip address 10.20.1.1
  port 80
  active

!*************************** OWNER ***************************
owner L5_Owner

  content L3_Rule
    add service Web1
    add service Web2
    add service Web3
    add service Web4
    vip address 222.222.222.15
    balance aca
    active

  content L5_Rule
    add service Web1
    add service Web2
    add service Web3
    add service Web4
    vip address 222.222.222.15
    balance aca
    protocol tcp
    port 80
    url "/*"
    active

owner cirims

  content FTP1_Rule
    add service FTP1
    protocol tcp
    vip address 222.222.222.15
    port 20
    active

  content FTP2_Rule
    add service FTP2
    protocol tcp
    vip address 222.222.222.15
    port 21
    application ftp-control
    active

  content L3_Rule
    add service Web1
    add service Web2
    add service Web3
    add service Web4
    vip address 222.222.222.15
    balance aca
    active

  content L4_Rule
    add service Web1
    add service Web2
    add service Web3
    add service Web4
    vip address 222.222.222.15
    balance aca
    protocol tcp
    port 80
    url "/*"
    active

  content SQL_Rule
    add service SQL1
    vip address 222.222.222.15
    protocol tcp
    port 1433
    active

  content decrypted_www
    protocol tcp
    port 80
    add service win2k_http
    active

  content ssl_rule2
    vip address 222.222.222.15
    protocol tcp
    port 443
    application ssl
    advanced-balance ssl
    add service ssl_serv1
    active

owner ssl_owner

  content decrypted_www
    protocol tcp
    vip address 222.222.222.15
    port 80
    add service win2k_http
    active

  content ssl_rule1
    vip address 222.222.222.15
    protocol tcp
    port 443
    add service ssl_serv1
    application ssl
    advanced-balance ssl
    active

!*************************** GROUP ***************************
group GRP_ClientFTP_NAT
  vip address 10.20.1.201
  active

group GRP_FTP
  vip address 222.222.222.15
  add service FTP2
  active

group ssl_module_proxy
  add destination service Web1
  add destination service Web2
  add destination service Web3
  add destination service Web4
  vip address 10.20.1.200
  add destination service SQL1
  active

!**************************** ACL ****************************
acl 1
  clause 10 deny tcp any destination any eq 80
  clause 99 permit tcp any destination any
  apply circuit-(VLAN1)

acl 10
  clause 99 permit tcp any destination any
  apply circuit-(VLAN10)
Thanks for any advice you can offer.
Mark B.
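An added example, not part of the original post: a small audit of the OWNER section of a CSS running-config that lists content rules balancing across more than one service with no `advanced-balance` method set, and rules in different owners that share the same VIP and port. The function names `parse_rules` and `audit` are hypothetical, the input is assumed to be in one-command-per-line layout, and the sample is abridged from the config posted above.

```python
from collections import defaultdict

# Constructed input: three content rules abridged from the posted config, one command per line.
SAMPLE = """\
owner cirims
  content L4_Rule
    add service Web1
    add service Web2
    vip address 222.222.222.15
    balance aca
    port 80
  content ssl_rule2
    vip address 222.222.222.15
    port 443
    advanced-balance ssl
owner ssl_owner
  content ssl_rule1
    vip address 222.222.222.15
    port 443
    advanced-balance ssl
"""

def parse_rules(text):
    """Map (owner, rule) -> services, VIP, port and advanced-balance method."""
    rules, owner, cur = {}, None, None
    for line in filter(str.strip, text.splitlines()):
        w = line.split()
        if w[0] == "owner":
            owner, cur = w[1], None
        elif w[0] == "content":
            cur = rules[(owner, w[1])] = {"services": [], "vip": None, "port": None, "advanced-balance": None}
        elif not line[0].isspace() or cur is None:  # comment or other top-level section
            cur = None
        elif w[:2] == ["add", "service"]:
            cur["services"].append(w[2])
        elif w[0] in ("vip", "port", "advanced-balance"):
            cur[w[0]] = w[2] if w[0] == "vip" else w[1]
    return rules

def audit(rules):
    """Return (multi-service rules with no advanced-balance, rule groups sharing VIP and port)."""
    unsticky = [f"{o}/{n}" for (o, n), r in rules.items()
                if len(r["services"]) > 1 and r["advanced-balance"] is None]
    by_target = defaultdict(list)
    for (o, n), r in rules.items():
        by_target[(r["vip"], r["port"])].append(f"{o}/{n}")
    return unsticky, [names for names in by_target.values() if len(names) > 1]

if __name__ == "__main__":
    print(audit(parse_rules(SAMPLE)))
```

On the sample it reports `cirims/L4_Rule` as balancing two services with no sticky method, and `ssl_rule1`/`ssl_rule2` as two owners' rules matching the same VIP and port 443.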