Jump to content
Welcome to our new Citrix community!

LB configuration having problems presenting new site.


Recommended Posts

We recently added a new load balanced site to an existing LB VIP and I’m getting an ERR_CONNECTION_RESET. Other sites attached to this LB VIP are working fine, this problem is isolated to the new site. In my packet captures, I'm seeing a TCP RST being sent in the pcap to the backend server from the SNIP which was the first thing I found odd. Looking at the capture further the backend server sends the server certificate instead of the cert for the site requested. Going to the other sites this load balanced VIP serves, the backend server returns the correct site certificate in the pcap. For some additional information, the load balancer config is using SNI for the certificates with a primary wildcard cert for the main certificate as I’ve done on all other configs like this and they're working. I’ve gone as far as to separate one backend server on a new LB VIP config to isolate the traffic out even further with identical results.

 

Editing the hosts file on my local host to force the site to go directly to the backend server returns the correct site cert in the capture and the page loads successfully. There’s considerable debate right now as to where the issue is located that's causing the ERR_CONNECTION_RESET. The server team is stating that the load balancer is not properly presenting the 4th level DNS name(site.domain.example.com) to the backend server which is why the server cert is being returned instead of the site cert. That really doesn't make a lot of sense to me since we have other LB configurations that use 4th level DNS names perfectly fine without issue. Unfortunately, going the SSL_BRIDGE route is out of the question as we recently invested a lot of time getting this configuration migrated to straight SSL.

 

I’m hoping that someone might be able to shed some light on this one for us.

 

Best Regards,

John

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...