Backend SSL Configuration

Answered Question
Mar 7th, 2007

I am having some issues configuring backend SSL stuff on CSS11500. I found the following doc on the Cisco website, and tried to substitute my servers and addresses in, but am getting some errors.

Couple of questions about the config:

where the backend-server commands start, why are ports 81 and 8003 referenced? I am wanting to use 443. Same with the service backendX commands...they reference port 8003. The server farm behind the CSS is only listening on 443. I tried to substitute 443 in for 8003, and then the CSS gives me an error "%% Backend-server ip/server address and port values must form unique tuples."

After searching for the meaning of this error, I am still confused.

thanks in advance!

Also, I have the front end SSL working, and the CSS is providing the cert. As soon as I accept the cert, the browser session hangs.

The template/guide I am using is at :

Syed Iftekhar Ahmed Wed, 03/07/2007 - 10:53

The flow in the example is as follows

1. Client hits Content rule "front" on port 443 (1010.66.86.28:443)

2. CSS chooses "service ssl_front" for this request.

3. Service ssl_front uses SSL module to decrypt the request

4. request is decrypted and destination ip is changed to "" & dest port is changed to "81"

5. Return traffic from SSL module hits CSS again on

6. This traffic hits content rule "back" which selects either of 3 services (backend1,backend2,backend3)

7. These three services initiate a ssl session to backend ssl servers listening on port 8003.

In the guide port 81 is used as a place holder for decrypted traffic from SSL module and port 8003 is the ssl port of backend servers.

When you are using SSL backend, the network tuple between

'backend-server <> ip address'

'backend-server <> port'

'backend-server <> server-ip'

'backend-server <> server-port'

must be unique. The error you are facing suggests that you are not maintaining uniqueness among them.

Syed Iftekhar Ahmed

yycsandman007 Wed, 03/07/2007 - 11:38

Thanks....that definitely helps. Can my backend servers NOT use port 443 to receive client requests? Is that what I need to have changed to make this work? If the backend servers are set to listen only on 8003 will that solve my issue? I understand the port 81 issue now.

thanks again!

Syed Iftekhar Ahmed Wed, 03/07/2007 - 12:04

You can definitely have backend SSL servers running on port 443

The details of the network tuple I mentioned are as follows:

'backend-server <> ip address'

is the virtual address for the backend server. It should correspond to the service address.

'backend-server <> port'

is the virtual port of the backend server (default 80). The virtual port directs clear text data from the SSL module to the CSS.

'backend-server <> server-ip'

is the real IP address of the backend SSL server.

'backend-server <> server-port'

is the SSL port on which the backend SSL server is listening.

If you do not enter this command it will be set automatically to 443.

Syed Iftekhar Ahmed
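The tuple rule described in the two posts above can be checked offline before pushing a config. The following is an added illustration, not Cisco code and not from this thread: it parses a constructed ssl-proxy-list fragment (line syntax assumed from the command names quoted above, addresses are placeholders), applies the stated defaults (port 80, server-port 443) and reports backend-server entries whose (ip address, port, server-ip, server-port) tuples collide, which is the condition behind the "must form unique tuples" error.

```python
import re
from collections import defaultdict

# Constructed CSS fragment (assumed syntax, placeholder addresses).
# backend-server 30 omits server-port, so it defaults to 443 and
# ends up with the same tuple as backend-server 10.
SAMPLE_CONFIG = """\
ssl-proxy-list ssl_back
  backend-server 10
  backend-server 10 ip address 192.0.2.8
  backend-server 10 port 81
  backend-server 10 server-ip 192.0.2.101
  backend-server 10 server-port 443
  backend-server 20
  backend-server 20 ip address 192.0.2.8
  backend-server 20 port 81
  backend-server 20 server-ip 192.0.2.102
  backend-server 30
  backend-server 30 ip address 192.0.2.8
  backend-server 30 port 81
  backend-server 30 server-ip 192.0.2.101
"""

LINE_RE = re.compile(
    r"^\s*backend-server\s+(\d+)"
    r"(?:\s+(ip address|port|server-ip|server-port)\s+(\S+))?\s*$"
)

def parse_backend_servers(config):
    """Return {index: {field: value}} with the defaults from the thread."""
    entries = {}
    for line in config.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        idx, key, val = m.groups()
        entry = entries.setdefault(int(idx), {
            "ip address": None, "port": "80",        # virtual port default 80
            "server-ip": None, "server-port": "443", # SSL port default 443
        })
        if key:
            entry[key] = val
    return entries

def tuple_of(entry):
    return (entry["ip address"], entry["port"],
            entry["server-ip"], entry["server-port"])

def find_tuple_conflicts(entries):
    """Map each duplicated tuple to the backend-server indexes sharing it."""
    seen = defaultdict(list)
    for idx, entry in sorted(entries.items()):
        seen[tuple_of(entry)].append(idx)
    return {t: ids for t, ids in seen.items() if len(ids) > 1}
```

Entries 10 and 20 share the virtual address and port 81 but differ in server-ip, so they are valid; entry 30 is flagged because its defaulted server-port makes it identical to entry 10.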

yycsandman007 Thu, 03/08/2007 - 08:26

This is starting to make more sense, but I am still having issues. I changed the config to where I thought it would work, but still won't. I have attached the output from the device for "play script showtech"

any assistance you are able to provide would be greatly appreciated!

Thanks again for your help. I think I'm almost there!

yycsandman007 Thu, 03/08/2007 - 13:07

arrrrgh!! In the example, for backend-server 20, the ip address and server ip address are the same though....

please advise


Syed Iftekhar Ahmed Thu, 03/08/2007 - 14:28

My bad..

Since we are spoofing the server on port 81 we can use same IPs.

Are you still getting the error you mentioned earlier?

yycsandman007 Thu, 03/08/2007 - 14:35

nope...not the tuple error anymore...it just doesn't work....when I point my browser to the outside vip address (.13), the css intercepts the request and terminates the session. I know this because when I get the cert warning, if I look at the cert, it is the one on the CSS. After that point, the browser just pukes and doesn't make it to the back end servers. If I https directly to the real ip of the backend server, or the vip (.8) it works fine and the server is providing the cert. It is something specifically to do with the backend servers. Can't reach them thru the front end vip (.13)

Any thoughts or comments? you still have the config right? I posted it in one of the previous messages.

Dazed and Confused

thanks again for the help. these discussion groups are very helpful.


Correct Answer
Syed Iftekhar Ahmed Thu, 03/08/2007 - 15:36

Your config looks ok. You need to run sniffer on both backend server and client.

We need to know whether CSS is initiating conn to backend server or not. If it is then what happens to return traffic.

yycsandman007 Fri, 03/09/2007 - 08:27

I got it!!!! I ran ethereal on the server and captured traffic. I noticed that there were a ton of https resets, as well as certificate errors. I changed the following lines in the config and it works perfect now.

backend-server 10 cipher rsa-export-with-rc4-40-md5

backend-server 20 cipher rsa-export-with-rc4-40-md5


backend-server 10 cipher rsa-with-rc4-128-md5

backend-server 20 cipher rsa-with-rc4-128-md5

I also had to add advanced-balance sticky-srcip for the app to work properly

Thanks very much for your assistance!
