Only One


I have tried again and again to get this solution to work and every time I am stymied by the same issue.

I have created a Virtual Service for port 443. I created content rules for email.domain.com, vpn.domain.com and www.domain.com. I created the SubVS for each domain and added the real servers for each via hostname, and every time it resolves it to its IP address. I then apply the proper content rule to the SubVS and then go back to the view/modify section. The VS is always up and at least one of the SubVSs is up, but the other two are always down.

Networking-wise I have three NICs. Eth0 is on the DMZ, Eth1 is on the Farm, and Eth2 is on the client. I use Eth2 for the management interface.

 

5 comments

Mark Deegan

Hello Joshua,

This could be a simple caching issue in IE. Can you use Chrome to access the page and see if it is still showing as down?

Also can you make sure Subnet originating requests is enabled?

Best regards

Mark

joshua.gibson

Thanks Mark,

Chrome was giving me the same issue as well. I seem to have stumbled on a fix or workaround. If I set the "Real Server Check Method" to ICMP Ping, everything starts working. However, if I set it to HTTP Protocol or HTTPS Protocol, it breaks.

Andres Garcia de Alba

Hello Joshua,

If using ICMP makes everything work, then I'd say it looks like this is a health checking issue.

Are the RS's accepting traffic on port 80 or 443?  This will dictate whether to use HTTP or HTTPS.

Modify the HTTP(s) health check to use HTTP/1.1 and include the hostname of the server.

What do the warning logs show as being the error for the failed health check?

Thanks.

joshua.gibson

Andres,

All the real servers accept communications on port 443 only. However, the certificates on the real servers are from an internal CA. I was looking at the possibility of a trust issue.

Also, do you know if it is possible to attach multiple certificates to a Virtual Service? Right now I am using a SAN certificate but would like to be able to use a different certificate for each SubVS.

 

Thanks,
Joshua

Andres Garcia de Alba

Hello Joshua,

Check this setting, System Configuration > Miscellaneous Options > Network Options > 'Force Real Server Certificate Checking'

"By default, when re-encrypting traffic the LoadMaster will not check the certificate provided by the Real Server.  This option forces the LoadMaster to verify the certificate on the Real Server"

 

You can assign multiple certificates to the LM.  

From the "SSL Accelerated Services"  

Multiple certificates are supported. Wildcard certificates work regardless of what position they are in. SNI can find certificates by Subject Alternative Name (SAN) when the certificate is not in the first position. SNI will choose the first matching certificate in a list if multiple certificates contain the same name in either the Common Name or SAN name.
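
To reproduce the HTTPS health check discussed in this thread from a host on the farm network, the following probe sends an HTTP/1.1 request with a Host header to a real server and, optionally, verifies its certificate against the internal CA. It is an added example, not part of the thread and not Kemp's code; the function names, the use of HEAD, the address 192.0.2.10 and the file internal-ca.pem are assumptions.

```python
import socket
import ssl

def build_check(hostname, path="/", version="1.1"):
    """Request bytes for the check. HTTP/1.1 must carry a Host header;
    a 1.0 probe has none, so name-based virtual hosts may reject it."""
    lines = [f"HEAD {path} HTTP/{version}"]
    if version == "1.1":
        lines += [f"Host: {hostname}", "Connection: close"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_status(response):
    """Integer status code from a raw HTTP response, or None if malformed."""
    parts = response.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def tls_context(cafile=None):
    """cafile=None: certificate not checked (diagnostic only).
    cafile=path: chain and hostname verified against that CA bundle."""
    if cafile:
        return ssl.create_default_context(cafile=cafile)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def probe(address, hostname, port=443, cafile=None, version="1.1", timeout=5.0):
    """Return (status, error); error is None when a response was read."""
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            ctx = tls_context(cafile)
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                tls.sendall(build_check(hostname, version=version))
                data = b""
                while b"\r\n" not in data:
                    chunk = tls.recv(4096)
                    if not chunk:
                        break
                    data += chunk
        return parse_status(data), None
    except OSError as exc:  # covers refused, timeout and ssl.SSLError
        return None, f"{type(exc).__name__}: {exc}"

if __name__ == "__main__":
    # Constructed values: 192.0.2.10 and internal-ca.pem are placeholders.
    for ca in (None, "internal-ca.pem"):
        print("verify" if ca else "no-verify", probe("192.0.2.10", "email.domain.com", cafile=ca))
```

If the unverified probe returns a status code but the verified one returns an `SSLCertVerificationError`, the real server is answering and the failure is a trust or name mismatch on its certificate.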