Where is the web server?
Is it internal or is it an external web server?

What does telnet web_server 443 and
openssl s_client -connect web_server:443
give you?

Have you tried sniffing the traffic to see what goes wrong?

SSL should not be affected by the firewalls, as long as
they work the way you believe they work.

Do you run any ssl proxy or http proxy somewhere?

Giannis


On 25/03/10 21:19, Extra Fu wrote:
Hello everybody,

I'm reposting this message as I got no answer on this email in the
past few weeks. Maybe someone has insights on what could be wrong.

I need help regarding the following situation. I have four OpenBSD
firewalls configured to do load-balancing (in and out) using
ip-stealth. I have two CARP interfaces (internal and external) on each
firewall. See the configuration below.

Load-balancing works perfectly for non-SSL websites but I am unable to
connect to secure websites (https). When forcing a connection to go
directly through one of the four OpenBSD servers or when using only one
server, it works nicely so it's not a pf.conf issue.

Any insight on what could be wrong on the configuration would be
greatly appreciated. Here is my configuration:


Internal CARP interfaces:

FW1 carp0
inet 10.50.1.1 /16  balancing ip-stealth carpnodes 11:0, 12:10, 13:25, 14:50

FW2 carp0
inet 10.50.1.1 /16  balancing ip-stealth carpnodes 11:50, 12:0, 13:10, 14:25

FW3 carp0
inet 10.50.1.1 /16  balancing ip-stealth carpnodes 11:25, 12:50, 13:0, 14:10

FW4 carp0
inet 10.50.1.1 /16  balancing ip-stealth carpnodes 11:10, 12:25, 13:50, 14:0


External CARP interfaces:

FW1 carp1
inet 205.50.60.1 /27  balancing ip-stealth carpnodes 21:0, 22:10, 23:25, 24:50

FW2 carp1
inet 205.50.60.1 /27  balancing ip-stealth carpnodes 21:50, 22:0, 23:10, 24:25

FW3 carp1
inet 205.50.60.1 /27  balancing ip-stealth carpnodes 21:25, 22:50, 23:0, 24:10

FW4 carp1
inet 205.50.60.1 /27  balancing ip-stealth carpnodes 21:10, 22:25, 23:50, 24:0

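The carpnodes tables above are the part of this setup that decides which firewall answers a given client (with ip-stealth balancing each client is hashed to one vhid, and the host with advskew 0 for that vhid normally masters it), so a first sanity check is that every vhid on every CARP group has exactly one advskew-0 master and no duplicate skews. The script below is an added example, not code from the thread or from OpenBSD; it parses a constructed copy of the quoted "host iface / inet ... carpnodes" lines (the CARP_CONFIG text and the function names are this example's own) and reports any inconsistency. It does not diagnose the HTTPS failure itself; it only confirms the quoted tables are internally consistent before the traffic-level checks suggested in the reply are run.

```python
import re
from collections import defaultdict

# Sample input: the carpnodes lines quoted in the thread, laid out as
# "<host> <iface>" followed by that interface's inet line (constructed copy).
CARP_CONFIG = """
FW1 carp0
inet 10.50.1.1 /16  balancing ip-stealth carpnodes 11:0, 12:10, 13:25, 14:50
FW2 carp0
inet 10.50.1.1 /16  balancing ip-stealth carpnodes 11:50, 12:0, 13:10, 14:25
FW3 carp0
inet 10.50.1.1 /16  balancing ip-stealth carpnodes 11:25, 12:50, 13:0, 14:10
FW4 carp0
inet 10.50.1.1 /16  balancing ip-stealth carpnodes 11:10, 12:25, 13:50, 14:0
FW1 carp1
inet 205.50.60.1 /27  balancing ip-stealth carpnodes 21:0, 22:10, 23:25, 24:50
FW2 carp1
inet 205.50.60.1 /27  balancing ip-stealth carpnodes 21:50, 22:0, 23:10, 24:25
FW3 carp1
inet 205.50.60.1 /27  balancing ip-stealth carpnodes 21:25, 22:50, 23:0, 24:10
FW4 carp1
inet 205.50.60.1 /27  balancing ip-stealth carpnodes 21:10, 22:25, 23:50, 24:0
"""

HOST_RE = re.compile(r"^(\S+)\s+(carp\d+)$")      # e.g. "FW1 carp0"
NODES_RE = re.compile(r"carpnodes\s+(.+)$")        # "carpnodes 11:0, 12:10, ..."


def parse_carpnodes(text):
    """Return {iface: {host: {vhid: advskew}}} from the quoted config format."""
    config = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOST_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        m = NODES_RE.search(line)
        if m and current:
            host, iface = current
            nodes = {}
            for pair in m.group(1).split(","):
                vhid, skew = pair.strip().split(":")
                nodes[int(vhid)] = int(skew)
            config[iface][host] = nodes
    return dict(config)


def check_balancing(config):
    """Return a list of problems; an empty list means every vhid on every
    interface has exactly one advskew-0 master and distinct backup skews."""
    problems = []
    for iface, hosts in sorted(config.items()):
        all_vhids = set()
        for nodes in hosts.values():
            all_vhids |= set(nodes)
        by_vhid = defaultdict(dict)
        for host, nodes in hosts.items():
            missing = all_vhids - set(nodes)
            if missing:
                problems.append(f"{iface}: {host} lacks vhid(s) {sorted(missing)}")
            for vhid, skew in nodes.items():
                by_vhid[vhid][host] = skew
        for vhid, skews in sorted(by_vhid.items()):
            masters = sorted(h for h, s in skews.items() if s == 0)
            if len(masters) != 1:
                problems.append(
                    f"{iface}: vhid {vhid} has {len(masters)} advskew-0 masters {masters}")
            if len(set(skews.values())) != len(skews):
                problems.append(f"{iface}: vhid {vhid} has duplicate advskew values {skews}")
    return problems


def master_table(config):
    """Return {iface: {vhid: host}} naming the host that normally masters each vhid."""
    table = {}
    for iface, hosts in config.items():
        table[iface] = {}
        for host, nodes in hosts.items():
            for vhid, skew in nodes.items():
                if skew == 0:
                    table[iface][vhid] = host
    return table


if __name__ == "__main__":
    cfg = parse_carpnodes(CARP_CONFIG)
    for p in check_balancing(cfg) or ["carpnodes tables are consistent"]:
        print(p)
    print(master_table(cfg))
```

Run against the quoted tables it reports no problems and maps vhids 11..14 to FW1..FW4 (and 21..24 likewise); a copy-paste slip such as two hosts sharing the advskew-0 line shows up as a vhid with two masters and another with none.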