Cisco 11503 - CSS Content Services Switch Configuration Manual page 136

Content services switch ssl configuration guide

Configuring a Content Rule for SSL Termination
When you activate a content rule with a configured SSL service, the CSS verifies
that there is a VIP address and port match. If a match is not found, the CSS logs
the following error message and does not activate the content rule.
Not all content VIP:Port combinations are configured in an
ssl-proxy-list for sslAccel type of service
Verify the configured VIP addresses used in the content rule and SSL proxy list,
and modify as necessary.
When a CSS uses two or more SSL modules, Cisco Systems recommends that you
use stickiness based on SSL version 3 session ID for a Layer 5 content rule. For
a virtual SSL server rule, specify the following:
• Enable the content rule to be sticky based on SSL using the
  advanced-balance ssl command.
• Specify the SSL application type using the application ssl command.
The Layer 5 SSL sticky content rule ensures SSL session ID reuse to eliminate the
rehandshake process (which speeds up the SSL negotiation process) and to
increase overall performance.
Note
If the 32K sticky table becomes full (which means that 32K simultaneous users
are on the site) the table wraps and the first users in the table become "unstuck."
This may be due to a combination of number of flows and the duration of the
sticky period, which can quickly use up the available space in the sticky table.
This problem can typically occur in a CSS that contains multiple SSL modules.
An SCM with 288M memory module can support a 128K sticky table.
Note
If you specify the sticky-inact-timeout command for a Layer 5 content rule using
SSL sticky, the SSL sessions continue even if the sticky table is full. However, the
CSS does not maintain stickiness on the new sessions.
Cisco Content Services Switch SSL Configuration Guide, Chapter 4: Configuring
SSL Termination, OL-5655-01, page 4-54
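The VIP:port match and the two sticky commands described on this page can be checked offline before a rule is activated. The script below is an added example, not part of the Cisco guide: it assumes a running-config style text export in which each ssl-server and content rule states its VIP address and port explicitly, and the sample configuration, names and addresses are constructed.

```python
import re

# Constructed sample in CSS running-config style; names and addresses are made up.
SAMPLE = """\
ssl-proxy-list ssl_list1
  ssl-server 20 vip address 192.168.3.6
  ssl-server 20 port 443
service ssl_serv1
  type ssl-accel
  add ssl-proxy-list ssl_list1
owner ssl_owner
  content ssl_rule1
    vip address 192.168.3.6
    port 443
    add service ssl_serv1
    application ssl
    advanced-balance ssl
  content ssl_rule2
    vip address 192.168.3.7
    port 443
    add service ssl_serv1
"""

def lint(config):
    """Return {rule: [problems]} for content rules that add an SSL service."""
    proxy, svc_list, rules = {}, {}, {}
    ctx = name = None
    for line in map(str.strip, config.splitlines()):
        head = re.match(r"(ssl-proxy-list|service|content) (\S+)$", line)
        if head:  # start of a new configuration block
            ctx, name = head.groups()
        elif ctx == "ssl-proxy-list" and (
                m := re.match(r"ssl-server (\d+) (vip address|port) (\S+)$", line)):
            proxy.setdefault(name, {}).setdefault(m[1], {})[m[2]] = m[3]
        elif ctx == "service" and (m := re.match(r"add ssl-proxy-list (\S+)$", line)):
            svc_list[name] = m[1]  # service bound to an SSL proxy list
        elif ctx == "content":
            rules.setdefault(name, []).append(line)
    report = {}
    for rule, lines in rules.items():
        used = [svc_list[l[12:]] for l in lines
                if l.startswith("add service ") and l[12:] in svc_list]
        if not used:
            continue  # rule does not use an SSL termination service
        vip = next((l[12:] for l in lines if l.startswith("vip address ")), None)
        port = next((l[5:] for l in lines if l.startswith("port ")), None)
        pairs = {(s.get("vip address"), s.get("port"))
                 for p in used for s in proxy.get(p, {}).values()}
        bad = [] if (vip, port) in pairs else [f"VIP:port {vip}:{port} not in ssl-proxy-list"]
        report[rule] = bad + [f"missing '{c}'" for c in
                              ("application ssl", "advanced-balance ssl") if c not in lines]
    return report
```

Calling `lint(SAMPLE)` reports no problems for `ssl_rule1` and three for `ssl_rule2`: the VIP mismatch that would trigger the activation error quoted above, plus the two missing sticky commands.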
