Cisco Application :: CSS11500 SSL Handling For Multiple URL
May 29, 2012
I know that it's possible on the CSS to handle multiple incoming HTTP requests that terminate on the same IP address and port and balance them to various servers based on the url. For instance, I can set up URL at the same 192.168.35.12 address in DNS, and set up two different content rules:
content cats
vip address 192.168.35.12
port 80
url "//www.cats.com/*"
add service cats1
add service cats2
active
content dogs
vip address 192.168.35.12
port 80
url "//www.dogs.com/*"
add service dogs1
add service dogs2
active
Easy and straightforward.
But what if I want to add SSL handling for URL? I'm not sure how to create the ssl-proxy-list where one content rule (ip address/port) combination needs to pass through the ssl module and get matched with the proper ssl certificate.
Can this be done? Can one associate multiple certs and keys with a single ssl-server entry and a single ssl accelerator service? Or do I have to create multiple ssl-proxy-lists for cats and dogs and build multiple ssl services each referring to a unique ssl-proxy-list, and then use the url parameter in the https content rule to determine which ssl service (and therefore which key/cert pair) gets the traffic?
Jul 19, 2011
Why do my connections not clear when my service goes to a down state? The only way I can get the connections to clear is by bouncing my content rule. CSS11503 version 08.20.4.05s - SSL all the way to the server --- I also have flow permanent port3 443 configured, but I don't understand why the other two servers go to zero while server01 never goes to zero. If I remove the flow permanent port3 all the counters go to zero, but I would think if the servers go down then the connections should go to zero regardless of the flow permanent port configuration. [code]
Sep 11, 2012
I'm seeing the following error on one of our real servers. Is there a way to find out who is spamming?
10.x.x.x(VIP) - - "POST /slmruntime/service HTTP/1.0" 404 1214
Jun 13, 2011
I am not able to find information on how to configure balancing in the CSS11500 depending on the source IP. I want to do the following:
Site A : 192.168.1.0/24
Site B : 192.168.2.0/24
Both sites access the same VIP: http://vip_balnace_IP but depending on the source they should be balanced to different servers.
Site A -> VIP_balance -> server1
Site A -> VIP_balance -> server2
How to do that?
May 22, 2012
We have a Terminal Server through which everyone accesses their Outlook. To avoid any impact on its performance, we have disabled IE on it. Everyone accesses the terminal server using Remote Desktop. For the above mentioned setup, is there any way to make the web links in the remote machine open on the main machine? The main machine, or local machine, runs Windows 7.
Jun 6, 2011
How to change the host name in the CSS11500 Series? I cannot find any documentation for that matter. Is there any impact on the system from changing the host name?
Jul 1, 2012
This is a newbie question regarding CSS11500 series load balancers, as I am trying to get up to speed with managing them as part of my job. I noticed that there are a couple of CSS "clustered together" since I see they are managed using a single IP address.
My question is around how to establish a session to each individual device in this cluster, if at all possible? If it is not possible, how do I manage the secondary device in this cluster to perform tasks such as copying new software to it, backing it up, etc.?
Oct 4, 2011
I currently have a content group as follows:
content My_Group
add service blade1
add service blade2
add service blade3
vip address 1.2.3.4
advanced-balance arrowpoint-cookie
[code]...
So I have 3 blades which are proxy servers, and users go first to an MS ISA server, then the VIP of the CSS, and then the rules process them, give them a blade and chuck them out onto the Internet.
I want to leave the above rule, but remove one blade, create an additional content group with that blade and have it process requests for a particular site. So, I would create the following:
content My_Group2
add service blade3
vip address 1.2.3.4
advanced-balance arrowpoint-cookie
[code]...
So my question is: can I do that having the same VIPs etc., so if a request comes in and it matches www.thewebsite.com the second content rule matches it 'better' and therefore processes it, or would it still be caught by the "/*" content group? I don't want to create more VIPs as I have a real ache getting firewall rules done.
May 28, 2012
Currently migrating from a CSS to a new ACE for all our inbound ssl connections.
On the CSS, I could define multiple backend services, different tcp ports and 1 IP.
ex.
service TEST_HTTP22
protocol tcp
[code]....
But now I have to define each backend web server as an RSERVER and it doesn't allow me to configure 2 rservers with the same IP.
Apr 12, 2013
My current modem, the Arris DG860, when in router mode, handles uTorrents set to 1500 max connections fine, same with my FIOS Actiontec router at my work. However, I just bought a DLink DIR655 router (which I thought I researched properly to be great with torrents) and it crashes even with max connections set to 300 in my client.
Tempted to return the thing and get a better router, any great wireless router that has awesome range and can handle lots of torrenting?
May 24, 2010
I've noticed that ACS 5.1 is writing .gpg archives for backups. I'm about to upgrade an evaluation system and the Installation and Upgrade Guide tells me to do a full backup and restore in order to upgrade an eval to a production system. [URL] (second note in section "Evaluating ACS 5.1")
Question: can the production system successfully decrypt the backup? According to my personal gpg it is CAST5 encrypted with one passphrase. Is this passphrase constant for all ACS 5.x?
Mar 6, 2012
We're testing the reference system shown in the figure below.
System Description
Four 2960 switches are used for transport; Equipment 1 and Equipment 2 exchange packets for synchronization; to reach synchronization, Equipment 1 and 2 must exchange data with very low jitter.
2960 Configuration details
For our test purpose, we're using 100Mbit/s ports (22 and 23) as trunk. In order to obtain minimum jitter we performed these configurations:
We enabled QoS;
We marked synchronization packets with CoS 7 and DSCP 63;
We marked other kinds of traffic (inserted in different ports) with CoS 0;
We set "trust DSCP" on trunk ports;
On the trunk ports we mapped traffic with CoS 7/DSCP 63 (and only this) on output queue 1;
We enabled the expedite queue (priority-queue out).
Question
With these settings we aim at forcing our synchronization packets to precede other kinds of traffic and go from Equipment 1 to Equipment 2 with minimum jitter. Unfortunately we experienced high jitter when both synchronization packets and other traffic are sent through the systems.
Jan 30, 2012
Our Exchange 2010 hub servers run multiple services/ports: smtp, www, pop3, 135, 143, https, 993, 995, 6001, 6002, 6003, 60200, 60201, 8400, and 8402. What is the best way of balancing these servers so that if only one of the services failed on a server, it would switch only the failed service to the remaining servers? At present I only use an smtp probe, so as long as that service is running the server is marked good.
Nov 16, 2011
I'm living in a house with 6 people on 2 floors, and the router isn't handling all the traffic well. I have an extra router that might be able to serve as a wireless access point, but from what I've been told that wouldn't solve anything if the problem was that the first router doesn't have the capacity for that much traffic. It's a 50+ dollar wireless N router though and fairly new (forgot the model number).
Oct 31, 2012
I have an SSL VPN set up on my ASA 5520 with a self-signed cert. When I run the AnyConnect install on my desktop machine I have to click through a few windows to accept the certificate. When I connect through the mobile client on Android, the connection goes right through without a prompt to import/choose/download a certificate. I'm able to connect but I'm wondering if the phone has actually received a certificate. I'm in the 'Advanced Connection Editor' screen and the certificate setting says "Automatic".
Jul 23, 2012
Can I put multiple rservers in multiple server farms?
So for example rserver1 and rserver2 are put in serverfarm production1 and are in use with particular sticky and load balancing settings.
Can I then create serverfarm test_production and put both rserver1 and rserver2 in it? Then play around with the sticky and load balancing settings as a test without affecting the production serverfarm.
Oct 8, 2012
Is a 3750 switch capable of handling full routing tables, and what can you recommend in a small multihomed BGP router or switch capable of handling full routing tables?
Dec 3, 2012
Every time I make a config change to one of the contexts on our ACE20, I get this message: Config Application in Progress. This command is queued to the system
If I run show download info, I get:
context : context1
Interface Download-status
--------------------------------------------------------------
187 In Progress
199 Pending
Regex download optimization status : Couldn't get status[TNRPC Timed out]
It eventually seems to complete, but it takes a very, very long time. We are running Version A2(3.5) [build 3.0(0)A2(3.5)].
Oct 21, 2012
How can I configure a second SSID for guest access in our environment? This is our network setup prior to this request: Internet----Firewall (not ASA)---ce520---C1131AG and the CME router is also connecting to the ce520 switch. We only have two vlans: one for voice and two for data.
Presently, there is no vlan configured on the AP because it is only broadcasting one SSID and wireless users get an IP from a Windows DHCP server on the LAN. The configuration on the ce520 switch port for the AP and other switches says access vlan is the DATA vlan, which automatically becomes the native vlan for all trunk ports connecting the AP and other switches to the network.
Now with this new requirement, I have done my research and I have configured the AP to broadcast both the production and the guest vlans. The two vlans are 20-DATA and 60-Guest. I made the DATA vlan on the AP the native vlan since the PoE switch is using the DATA vlan as native on the trunk ports. I configured the firewall to serve as DHCP server for the guest SSID and I have added the ip helper-address on the guest vlan interface on all switches, while the Windows server remains the DHCP server for the production DATA vlan. I have confirmed that the AP and switches can ping the default gateway of the guest DHCP server, which is another interface on the firewall. I can now see and connect to all broadcast SSIDs but the problem is I am not getting IP addresses from either the production DHCP server or the guest DHCP server when I connect to the SSIDs one at a time. My AP config is attached below.
Do I need to redesign the whole network to have a native vlan other than the data vlan? Does the access point need to be aware of the voice vlan? Does the native vlan on the AP need to be in bridge-group 1 or can I leave it in bridge-group 20?
Sep 18, 2012
My question is if I can configure 3 SSIDs for 3 different VLANs and add the DHCP address from a WAP4410N AP; when you upgrade to the latest version of IOS, can I have this functionality?
Mar 27, 2013
Report run via Individual Web server URLs
The report takes less than 20 minutes (average 15 minutes) to fetch and return the data. This is observed 9 out of 10 times.
Report run via ACE Load Balanced URL
The report keeps on running for more than 20 minutes and never completes. The front end keeps showing report is running.
The data in general, when tested directly by running queries against the database (bypassing the platform), completes in 15-18 minutes.
The network connectivity for each and every port involved (Loadbalancer/Servers) has been thoroughly checked.
Mar 9, 2010
Is it possible to have multiple dhcp pools for multiple VLANs? The switch is a 6509 and/or 4506 catalyst. I don't want to use server-based products.
May 13, 2013
I am trying to build a new network from scratch, I have the WLC 5508 w/ Aironet 3600e APs connected to my Netgear Smart Switches and a Linksys RV082 router that I'm using as my DHCP server with several VLANs for several stuff on my Switches.
I have 2 questions:
1. Can I have 5 Interfaces configured on 5 different VLANs, each SSID on each a different Port:
Port 1: Controller management only=> 192.168.x.x /24
Port 2: SSID 1: WiFi Internal=> 172.16.x.x/12 (Radius Auth with no sharing)
Port 3: SSID 2: WiFi Internal w/ sharing=> 192.168.x.x/24 (Radius Auth with sharing)
Port 4 :SSID 3: WiFi Guest=> 10.0.x.x/8 (Web Auth)
Port 5: SSID 4: WiFi IT=> 192.168.x.x/24 ( Radius or certificate Auth with access to the controller management interface)
2. How can I use the Controller as the DHCP server for all the WiFi traffic, and how should that be configured to work with my other DHCP server?
May 28, 2013
I'm facing a problem configuring the mentioned access point to act as a stand-alone access point with multiple SSIDs assigned to different VLANs. The problem is that:
1) I'm not able to broadcast both SSIDs at the same time from the access point
2) I need to make the radius server manage the SSID access for the wireless clients (trying to find a way in which the access point sends a log to the radius server containing the VLAN id / IP address of the SSID). You may find the below info about the IOS version and the configuration.
I'm running IOS /c1100-k9w7-mx.123-8.JEE/c1100-k9w7-mx.123-8.JEE
Apr 3, 2012
I am taking an introduction class to CCNA and we are focusing on the Application Layer, and I'm having some difficulty in understanding what an Application Layer Service is. Is the Application Layer Service the same as Application Layer Software?
Aug 26, 2012
Is it possible to assign a single ssid to multiple interface groups by assigning the ssid to multiple AP groups?
I have buildings geographically dispersed that are configured with multiple vlans in interface groups so that I can maintain an addressing scheme of dhcp assigned addresses per building. Each building is also further grouped as AP groups. I'd like to know if by assigning the same wlan ssid to each of the AP groups, will I maintain addressing integrity for each building? I'm thinking it will work.
Do the buildings have to be outside AP range of each other to avoid problems?
5508 controller
7.2.110.0 code
6 buildings
6 interface groups
1 ssid
Jan 23, 2012
Is it possible to upgrade ACE 4710 from A3 to A4? What is actually meant by A3, A4 & A5?
I want to upgrade the ACE from A3 to A4 because I want to enable switch-mode on the ACE. The current S/W version is A3 2.0, which does not support this command. While referring to the command reference guide I saw that this command is supported in the A2 & A4 versions from 2.0 itself, but A3, even in 2.7 (which is the latest), does not support this feature.
Apr 11, 2013
I have an issue with LMS not terminating SSH sessions on the Cisco ACE?
Cisco LMS 3.2
Cisco ACE A2(3.3)
Apr 5, 2012
I have two GSS, one in site A and one in site B. The one in site A is primary and performs the management function; the one in site B is secondary. Sites A and B are DCs working in active-active.
I have version 3.1.2 and I have to upgrade to 4.1 because 4.1 works with DNSSEC. Is this true?
I read that first I have to upgrade the primary. But what about the secondary? How does it work? When I upgrade the primary, will it impact synchronization with the secondary?
Apr 8, 2013
We've got an application that broke after upgrading our ACEs from A5(2.1) to A5(2.2); the problem lies in how the ACE handles URLs with embedded backslash characters in them - e.g.: URL
Prior to the upgrade the ACE would forward these to the back-end servers; after the upgrade the ACE resets the client connection.
(We're doing SSL offload on the ACE; the back-end connection is HTTP over port 80, only the client-side traffic is over SSL.)
Some browsers will convert these to percent-encoded form - i.e. URL
and things work for these; but other browsers won't do this. So I'd like to set up a rewrite rule in the ACE that will replace any (or at least the first) '\' with the string '%5C'. Just how to do this isn't clear from the command ref, and the config guide is a tad shy on similar examples.
Aug 1, 2011
Is the XFF [URL] on the Cisco CSS 11503? If not, is it on the roadmap for a future code release?
Nov 28, 2011
I would like to allow the Yahoo chat application for a particular user in my office through the Cisco ASA. Can I have the configuration for this, and the list of IP addresses and port numbers which Yahoo Chat is using?
Sep 15, 2012
As per CISCO QoS document URL, IOS from 12.2(13)T supports the drop command in a policy map. But our CISCO ASR 1013, running IOS Version 15.2(1)S1, doesn't have the drop syntax. How can we drop a specific application using QoS on an ASR 1013 with IOS version 15.2 and higher? Can I allow a few users for a particular application (like P2P) and drop other users based on the users' source IP?