
Content Switched LB to an SSL only Site

Robert Kuehne




I'm having a server with an SSL-only Tomcat for which I want to build a load balance/Content Switching setup. I tried the following, but it seems to be stuck in a loading loop.


Server01 - 172.aa.bb.191 - IP - The Website

Service01_ssl - https on 443 for Server01

LBServer01 - Non-Addressable - lb_Server01_ssl with Service Binding Service01_ssl


Content Switching

172.aa.bb.188 - SSL Content Switching Server - Default LB Server is LBServer01

No Policy defined

Wildcard SSL cert and CA cert bound.


This setup doesn't work. I think I have an SSL problem. I'm using the same wildcard SSL cert on the CS server as on the web server.


best regards




To summarize the config (from the CLI):

show ns runningconfig | grep <csvserver name> -i

show ns runningconfig | grep <lb vserver name> -i

You can then mask any VIPS/IPS or genericize entity names as needed.


The whole purpose of content switching is to sort traffic of interest to appropriate lb vserver destination.

You say you have no policies bound; so if there are no criteria to identify traffic of interest, no policy-based destination AND no default destination, then the CS vserver will only respond with a 503/service unavailable error as the traffic has no destination.


Each cs policy then identifies criteria for traffic of interest and then the appropriate destination (usually lb vserver, but other vservers can also be used).


Remember: 1) cs vservers must have a policy bound OR a default destination set or all traffic fails. 2) The SSL feature must be enabled.


If you continue to have issues, create an addressable lb vserver and test the lb part first prior to the cs vserver part.


So a basic example would be:

# LB SSL example

add service svc_server1 <ip1> ssl 443

bind service svc_server1 -monitorName ping

add lb vserver lb_vsrv_app1 SSL # if non-addressable

bind lb vserver lb_vsrv_app1 svc_server1

bind ssl vserver lb_vsrv_app1 -certkey <certkeyname>


## For a tomcat webserver, you might want to change the default monitor from tcp_default to ping, as continuous syn/syn-ack checks without an actual request will sometimes cause a tomcat/apache engine to stop responding unless its config has been changed to not treat that as invalid. So changing to ping monitors on any bound services can avoid some potential issues.



# CS SSL Example

add cs vserver cs_vsrv_demo SSL <VIP1> 443

bind ssl vserver cs_vsrv_demo -certkey <certkeyname>


bind cs vserver cs_vsrv_demo -policyName cs_vsrv_pol1 -priority 10

bind cs vserver cs_vsrv_demo -policyName cs_vsrv_pol2 -priority 20

bind cs vserver cs_vsrv_demo -lbvserver <Lb vserver default>  # default destination without a policy

# How the cs policies are constructed determines whether the policy is created with an action, or as a policy only with the destination set at the time of binding (which is why seeing your config is important).



1) Your SSL OFFLOAD feature is ENABLED along with LB and CS; if the feature is not enabled you can't do SSL.

2) Be sure certs are properly bound to CS and LB vservers.
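As an added example (not code from this thread or from Citrix), here is a small Python audit that reads the output of "show ns runningconfig" requested above and checks the rules the answer lists: LB, CS and SSL features enabled, every cs vserver has a policy or a default lb vserver bound, and every SSL vserver has a certkey bound. The config text is a constructed sample and the line format is an assumption based on the commands shown above.

```python
# Constructed sample of "show ns runningconfig" output (assumed format, not
# from the thread): a non-addressable SSL lb vserver behind an SSL cs vserver.
SAMPLE_OK = """\
enable ns feature LB CS SSL
add service svc_server1 10.0.0.191 SSL 443
add lb vserver lb_vsrv_app1 SSL 0.0.0.0 0
bind lb vserver lb_vsrv_app1 svc_server1
bind ssl vserver lb_vsrv_app1 -certkeyName wildcard_cert
add cs vserver cs_vsrv_demo SSL 10.0.0.188 443
bind ssl vserver cs_vsrv_demo -certkeyName wildcard_cert
bind cs vserver cs_vsrv_demo -lbvserver lb_vsrv_app1
"""


def audit_config(text):
    """Return a list of findings for the three rules given in the answer above."""
    findings = []
    features, ssl_vservers, cs_vservers = set(), [], []
    policy_bound, default_bound, cert_bound = set(), set(), set()
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 4:
            continue
        if toks[:3] == ["enable", "ns", "feature"]:
            features.update(t.upper() for t in toks[3:])
        elif toks[0] == "add" and toks[1] in ("lb", "cs") and toks[2] == "vserver" and len(toks) > 4:
            name, proto = toks[3], toks[4].upper()
            if proto == "SSL":
                ssl_vservers.append(name)
            if toks[1] == "cs":
                cs_vservers.append(name)
        elif toks[:3] == ["bind", "cs", "vserver"]:
            if "-policyName" in toks:
                policy_bound.add(toks[3])
            if "-lbvserver" in toks:
                default_bound.add(toks[3])
        elif toks[:3] == ["bind", "ssl", "vserver"]:
            # accept both "-certkey" (as typed above) and "-certkeyName" (as shown in running config)
            if any(t.lower().startswith("-certkey") for t in toks):
                cert_bound.add(toks[3])
    for f in ("LB", "CS", "SSL"):
        if f not in features:
            findings.append(f"feature {f} is not enabled")
    for name in cs_vservers:
        if name not in policy_bound and name not in default_bound:
            findings.append(f"cs vserver {name}: no policy bound and no default lb vserver (traffic gets 503)")
    for name in ssl_vservers:
        if name not in cert_bound:
            findings.append(f"SSL vserver {name}: no certkey bound")
    return findings
```

Running audit_config on the poster's own config (with VIPs masked) would show immediately whether the missing default destination or an unbound cert is the cause.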




Non-addressable should work; but it's a lot harder to troubleshoot; making it addressable should allow you to confirm traffic flow at all points and then you can switch to non-addressable if needed. If the one works but the other doesn't, it possibly means links are referencing the lb resource and trying to bypass CS, which can be confirmed with a trace. Then rewrite or URL transform policies might be needed if you don't want an addressable lb vserver at all. (But glad this is working for you.)
