ACE SSL Termination and Layer 7

jspannagel
Level 1

I have several CSS infrastructures and recently received an ACE for testing. I am working through converting the configurations to the ACE and have some issues. The simplest explanation of what I am trying to do is this:

https://xxx.yyy.zzz/abc* -> realserver 10.10.10.10 port 81

https://xxx.yyy.zzz/def* -> realserver 10.10.10.10 port 82

https://xxx.yyy.zzz/ghi* -> realserver 10.10.10.10 port 83

https://xxx.yyy.zzz/jkl* -> realserver 10.10.10.20 port 81

https://xxx.yyy.zzz/mno* -> realserver 10.10.10.20 port 82

etc.

I am able to do it without SSL termination (using xxx.yyy.zzz on port 80). I have also tried creating a separate realserver/serverfarm for SSL termination and sending to another IP on the ACE for the Layer 7 piece, without success. Is there some technique or configuration option I am missing to get this working? Is it even possible within one context? Any advice would be greatly appreciated.

Thanks,

John Spannagel

2 Replies

Gilles Dufour
Cisco Employee

Before going for L7 with SSL, could you try to configure a simple SSL policy-map and see if that works?

Normally, if you have everything working for HTTP, all you have to do is create a new class-map for the HTTPS traffic, then configure the same policy as for HTTP and simply add the ssl-proxy server.

i.e.:

    policy-map multi-match SLB1
      class VIP-122-80
        loadbalance vip inservice
        loadbalance policy SF_Linux1_80
        loadbalance vip icmp-reply
      class VIP-122-443
        loadbalance vip inservice
        loadbalance policy SF_Linux1_80
        loadbalance vip icmp-reply
        ssl-proxy server CSS11503-2

Gilles.

After some more thorough testing, it does work as expected. I did what you suggested but had some minor issues; however, turning on "persistence-rebalance" resolved all my issues.

Thanks a lot for your time.

John Spannagel
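The configuration the thread converges on, written out as an added example (it is not from either post): SSL termination and URL-path routing in a single ACE context, with the HTTPS class carrying the same L7 policy an HTTP class would plus the ssl-proxy server, as Gilles describes, and the persistence-rebalance setting John found necessary. The rserver addresses, backend ports and path prefixes are the ones from the question; the VIP address, object names and key/cert file names are assumptions.

```cisco
rserver host RS_10
  ip address 10.10.10.10
  inservice
rserver host RS_20
  ip address 10.10.10.20
  inservice
! One serverfarm per backend port; the port is given on the rserver member
serverfarm host SF_10_81
  rserver RS_10 81
    inservice
serverfarm host SF_10_82
  rserver RS_10 82
    inservice
serverfarm host SF_20_81
  rserver RS_20 81
    inservice
! L7 classes: the URL argument is a regex, so /abc.* covers the /abc* prefix
class-map type http loadbalance match-any L7_ABC
  2 match http url /abc.*
class-map type http loadbalance match-any L7_DEF
  2 match http url /def.*
class-map type http loadbalance match-any L7_JKL
  2 match http url /jkl.*
policy-map type loadbalance first-match L7_PATHS
  class L7_ABC
    serverfarm SF_10_81
  class L7_DEF
    serverfarm SF_10_82
  class L7_JKL
    serverfarm SF_20_81
! Server-side key and certificate (assumed file names, previously imported with crypto import)
ssl-proxy service SSL_TERM
  key vip-key.pem
  cert vip-cert.pem
! Re-run the L7 match on every request of a persistent connection, so a
! later request for /def* is not pinned to the serverfarm picked for /abc*
parameter-map type http HTTP_L7
  persistence-rebalance
class-map match-all VIP-443
  2 match virtual-address 192.0.2.10 tcp eq 443
! Same shape as an HTTP class, plus the ssl-proxy and the HTTP parameter-map
policy-map multi-match SLB1
  class VIP-443
    loadbalance vip inservice
    loadbalance policy L7_PATHS
    loadbalance vip icmp-reply
    ssl-proxy server SSL_TERM
    appl-parameter http advanced-options HTTP_L7
```

Because the ACE decrypts on the VIP, the hop to ports 81/82/83 is cleartext HTTP, so those server ports belong on a VLAN the ACE fronts rather than on a shared segment.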