
SSL Accel Backend server traffic disappears

soumya.sarkar
Level 1

We have the following config setup using two interfaces:

Client(.10.33) -- VLAN10 -- CSS -- VLAN10 -- Servers (.10.31, .10.32)

We have source NAT set up for the client.

We are trying to set up content routing on an SSL flow, and hence need to use both front-end and back-end SSL for the flow.

I understand that the service IP and port must correspond to the server ip and port for the backend-server defined in the ssl-proxy list.

What should the VIP and Port of the backend-server be for this kind of backend-server? Can it be the same IP address as the server-IP and a different port number?

Does it have to match the HTTP port number for the backend content rule?

Also, does the backend-server need to be activated, or does the activation of the ssl-proxy-list do the job?

e.g.:

ssl-proxy-list ssllist1
  ssl-server 252
  ssl-server 252 vip address 192.168.10.252
  ssl-server 252 port 443
  ssl-server 252 cipher rsa-with-3des-ede-cbc-sha 192.168.10.252 8080
  ssl-server 252 rsacert myrsacert1
  ssl-server 252 rsakey myrsakey1
  backend-server 31
  backend-server 31 ip address 192.168.10.31
  backend-server 31 port 17112
  backend-server 31 server-ip 192.168.10.31
  backend-server 31 server-port 7112
  backend-server 31 cipher rsa-with-3des-ede-cbc-sha
  backend-server 31 rsacert myrsacert1
  backend-server 31 rsakey myrsakey1
  backend-server 32
  backend-server 32 ip address 192.168.10.31
  backend-server 32 port 17122
  backend-server 32 server-ip 192.168.10.31
  backend-server 32 server-port 7122
  backend-server 32 cipher rsa-with-3des-ede-cbc-sha
  backend-server 32 rsacert myrsacert1
  backend-server 32 rsakey myrsakey1
  active

service sslulb3svr0
  type ssl-accel
  slot 6
  keepalive type none
  add ssl-proxy-list ssllist1
  active

service ssluportal1-1
  type ssl-accel-backend
  keepalive type ssl
  keepalive frequency 60
  keepalive retryperiod 255
  add ssl-proxy-list ssllist1
  ip address 192.168.10.31
  port 7112
  active

The traffic is being blocked. Please tell us if we have the ssl config set up correctly.

3 Replies

diro
Level 1

The mistake is in your service:

service ssluportal1-1
  type ssl-accel-backend
  keepalive type ssl
  keepalive frequency 60
  keepalive retryperiod 255
  add ssl-proxy-list ssllist1
  ip address 192.168.10.31
  port 7112 --------------------> should be port 17122 (the port, not the server port)
  active

look at:

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a0080220dab.shtml
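The point of the reply above is that an ssl-accel-backend service must be keyed on the backend-server's "ip address"/"port" (the address the CSS itself uses to reach the backend entry), not on "server-ip"/"server-port" (the real server). The following script is an added example, not part of the original thread or of Cisco's tooling: it parses a trimmed copy of the posted config with a minimal, assumed line syntax (ssl-proxy-list, backend-server, service blocks only; not a full CSS grammar), then reports for each ssl-accel-backend service whether it matches a backend-server's virtual address, or whether it was pointed at a backend-server's real address by mistake. The constructed "corrected" variant sets the service port to 17112, backend-server 31's virtual port; the reply's 17122 would satisfy the same check via backend-server 32, since both entries share one ip address.

```python
"""Cross-check CSS ssl-accel-backend services against the ssl-proxy-list they reference."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class BackendServer:
    ip: Optional[str] = None           # "ip address": virtual address the CSS service must use
    port: Optional[int] = None         # "port": virtual port the CSS service must use
    server_ip: Optional[str] = None    # "server-ip": the real server
    server_port: Optional[int] = None  # "server-port": the real server's SSL port


@dataclass
class Service:
    name: str
    type: Optional[str] = None
    ip: Optional[str] = None
    port: Optional[int] = None
    proxy_lists: List[str] = field(default_factory=list)


def parse_css_config(text: str):
    """Minimal parser for the two config modes this check needs (assumed syntax, not a full CSS grammar)."""
    proxy_lists: Dict[str, Dict[str, BackendServer]] = {}
    services: Dict[str, Service] = {}
    current_list = current_service = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "ssl-proxy-list":
            current_list, current_service = words[1], None
            proxy_lists.setdefault(current_list, {})
        elif words[0] == "service":
            current_service, current_list = words[1], None
            services.setdefault(current_service, Service(current_service))
        elif words[0] == "backend-server" and current_list is not None:
            bs = proxy_lists[current_list].setdefault(words[1], BackendServer())
            rest = words[2:]  # empty for the bare "backend-server N" line
            if rest[:2] == ["ip", "address"]:
                bs.ip = rest[2]
            elif rest[:1] == ["port"]:
                bs.port = int(rest[1])
            elif rest[:1] == ["server-ip"]:
                bs.server_ip = rest[1]
            elif rest[:1] == ["server-port"]:
                bs.server_port = int(rest[1])
        elif current_service is not None:
            svc = services[current_service]
            if words[0] == "type":
                svc.type = words[1]
            elif words[:2] == ["ip", "address"]:
                svc.ip = words[2]
            elif words[0] == "port":
                svc.port = int(words[1])
            elif words[:2] == ["add", "ssl-proxy-list"]:
                svc.proxy_lists.append(words[2])
    return proxy_lists, services


def audit(text: str):
    """Return (service, verdict, detail) for every ssl-accel-backend service in the config."""
    proxy_lists, services = parse_css_config(text)
    findings = []
    for svc in services.values():
        if svc.type != "ssl-accel-backend":
            continue
        for lst in svc.proxy_lists:
            backends = proxy_lists.get(lst, {})
            # Correct pairing: service ip/port equals a backend-server's virtual ip address/port.
            virt = [n for n, b in backends.items() if (b.ip, b.port) == (svc.ip, svc.port)]
            if virt:
                findings.append((svc.name, "ok", f"matches backend-server {virt[0]} in {lst}"))
                continue
            # The mistake from the thread: service keyed on the real server-ip/server-port instead.
            real = [n for n, b in backends.items() if (b.server_ip, b.server_port) == (svc.ip, svc.port)]
            if real:
                b = backends[real[0]]
                findings.append((svc.name, "mismatch",
                                 f"uses server-ip/server-port of backend-server {real[0]}; set ip address {b.ip} port {b.port}"))
            else:
                findings.append((svc.name, "mismatch", f"no backend-server in {lst} has ip address {svc.ip} port {svc.port}"))
    return findings


# Constructed from the thread's posted config, trimmed to the lines this check reads.
ORIGINAL_CONFIG = """
ssl-proxy-list ssllist1
  ssl-server 252 vip address 192.168.10.252
  ssl-server 252 port 443
  backend-server 31
  backend-server 31 ip address 192.168.10.31
  backend-server 31 port 17112
  backend-server 31 server-ip 192.168.10.31
  backend-server 31 server-port 7112
  backend-server 32
  backend-server 32 ip address 192.168.10.31
  backend-server 32 port 17122
  backend-server 32 server-ip 192.168.10.31
  backend-server 32 server-port 7122
  active
service ssluportal1-1
  type ssl-accel-backend
  keepalive type ssl
  add ssl-proxy-list ssllist1
  ip address 192.168.10.31
  port 7112
  active
"""
# Constructed fix: point the service at backend-server 31's virtual port instead of its server-port.
CORRECTED_CONFIG = ORIGINAL_CONFIG.replace("\n  port 7112\n", "\n  port 17112\n")

if __name__ == "__main__":
    for label, cfg in (("as posted", ORIGINAL_CONFIG), ("corrected", CORRECTED_CONFIG)):
        for name, verdict, detail in audit(cfg):
            print(f"{label}: {name}: {verdict}: {detail}")
```

Run it against a full CSS running-config dump to list every ssl-accel-backend service whose ip/port pair has no virtual backend-server counterpart; the "mismatch" detail names the entry whose real server address was used, which is exactly the symptom in this thread.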

Thanks diro.

I corrected the port numbers, but now my connection gets reset immediately by the CSS after SSL establishment with the front end VIP and a 'change cipher request'. My client is IE.

Is there an issue with my cipher spec on the CSS?

I got this resolved and the issue was in the actual backend servers. Thanks.
