Application Delivery (ADX)

New Contributor
Chartwell
Posts: 2
Registered: ‎04-06-2009

SSL-terminate and CSW not working together

Hi,

Running a config as follows which is intended to offload SSL, then use 'cookie-switching' to persistently keep a client served from the same real server.

Config as follows:

! MATCH SOMETHING (in this case check if we have a serverID cookie set)
csw-rule "MatchServerID" header "cookie" search "ServerID="

! ACT ON THE MATCH (if no cookie, set one, if cookie set, ‘persist’ the connection to the server ID referenced in the cookie)
csw-policy "CookieSwitch"
  match "MatchServerID" persist offset 0 length 4 group-or-server-id
  default forward 2
  default rewrite insert-cookie "ServerID"

! REALSERVER CONFIG
server real R1 10.126.1.1
  port 8080
  port 8080 server-id 1230
  port 8080 group-id  2 2

! VIRTUALSERVER CONFIG
server virtual V1 10.1.2.162
  sym-priority 100
  sym-active
  port ssl
  no port ssl sticky
  port ssl ssl-terminate V1.profile
  port ssl csw-policy "CookieSwitch"
  port ssl csw
  bind default R1 default
  bind ssl R1 8080

This config results in the request not getting fulfilled at all.

If I remove SSL termination ('no port ssl ssl-terminate V1.profile'), keeping everything else the same, I can actually hit:

http://myURL:443/

and get my ServerID cookie written in the response from Tomcat.

If I remove the CSW from port ssl instead ('no port ssl csw'), I likewise can hit:

https://myURL/ and get my pages served properly.

Platform info is as follows:

  SW: Version 11.0.00aTI4 Copyright (c) 1996-2007 Foundry Networks, Inc.

      Compiled on Feb 12 2009 at 20:27:25 labeled as WJR11000a

  HW: Stackable Router, SYSIF version 21, Serial #: Non-exist

==========================================================================

    ServerIron 4G SSL, SYSIF 2 (Mini GBIC)

      Serial #:   <REMOVED>

    0 MB SHM, 1 Application Processors

4096 KB BRAM, JetCore ASIC IGC version 49

  SW: (1)11.0.00aTJ3

32768 KB PRAM and 2M-Bit*1 CAM for IGC  0, version 0449

==========================================================================

  1.0 GHz Power PC processor 750GX (version 7002/0112) 66 MHz bus

  512 KB boot flash memory

16384 KB code flash memory

  512 KB SRAM

  512 MB DRAM

The system uptime is 64 days 21 hours 2 minutes 34 seconds

The system started at 15:42:41 GMT+00 Tue Apr 17 2012

The system : started=cold start

Is this a known issue with this platform/software release?

thanks

konrad
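The decision that the config comments in the post above describe, modeled in Python as an added example (not part of the original post and not ServerIron code). The function names, the ID tables and the fallback to the default action for an unusable cookie value are assumptions made for illustration.

```python
"""Model of the cookie-switch decision in the posted config (illustration only)."""

RULE_SEARCH = "ServerID="      # csw-rule "MatchServerID" header "cookie" search "ServerID="
PERSIST_OFFSET = 0             # match "MatchServerID" persist offset 0 ...
PERSIST_LENGTH = 4             # ... length 4 group-or-server-id
DEFAULT_GROUP = 2              # default forward 2
SERVERS_BY_ID = {1230: "R1"}   # server real R1, port 8080 server-id 1230
GROUPS = {2: [1230]}           # port 8080 group-id 2 2


def cookie_header(raw_request: bytes):
    """Return the Cookie header value of a cleartext HTTP request, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            return value.strip()
    return None


def switch(raw_request: bytes):
    """Return (real_server, cookie_to_insert); cookie is None when persisting."""
    cookie = cookie_header(raw_request)
    if cookie and RULE_SEARCH in cookie:
        start = cookie.index(RULE_SEARCH) + len(RULE_SEARCH) + PERSIST_OFFSET
        token = cookie[start:start + PERSIST_LENGTH]
        if token.isascii() and token.isdigit() and int(token) in SERVERS_BY_ID:
            return SERVERS_BY_ID[int(token)], None
    # Assumption: a missing or unusable ServerID takes the default action,
    # i.e. forward to group 2 and insert a cookie naming the chosen server.
    server_id = GROUPS[DEFAULT_GROUP][0]
    return SERVERS_BY_ID[server_id], f"{RULE_SEARCH}{server_id}"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    first = b"GET / HTTP/1.1\r\nHost: myURL\r\n\r\n"
    repeat = b"GET / HTTP/1.1\r\nHost: myURL\r\nCookie: JSESSIONID=abc; ServerID=1230\r\n\r\n"
    unusable = b"GET / HTTP/1.1\r\nHost: myURL\r\nCookie: ServerID=99zz\r\n\r\n"
    for label, req in (("first", first), ("repeat", repeat), ("unusable", unusable)):
        print(label, switch(req))
```

The model only works on a cleartext HTTP request, since the cookie header has to be readable before the rule can match it.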

Contributor
Alexander.Illmer
Posts: 70
Registered: ‎03-14-2009

Re: SSL-terminate and CSW not working together

Hi Chris,

You are using 11.0a as the running software image.

11.0 is only recommended if you are using IPv6. The latest release is 11.0h. You should change to the latest release as there are a couple of caveats regarding CSW and SSL.

If you do not need IPv6 please change to 10.2.02.

Alex

N/A
torsten.ogrissek
Posts: 1
Registered: ‎01-11-2011

Re: SSL-terminate and CSW not working together

Hi Alex,

SSL does not work with activated csw, with installed firmware version 10.2.02.

We have tested with SSL termination and without; the only thing that works is to disable csw for port ssl, but then I have no client IP insertion and/or cookie.

Is there any new information regarding this issue?

Kind Regards

Torsten
