07-13-2007 05:17 AM
We have the following config setup using two interfaces:
Client(.10.33) -- VLAN10 -- CSS -- VLAN10 -- Servers (.10.31, .10.32)
We have source-nating set up for the Client.
We are trying to set up content routing on an SSL flow, and hence need to use both front-end and back-end SSL for the flow.
I understand that the service IP and port must correspond to the server IP and port for the backend-server defined in the ssl-proxy list.
What should the VIP and Port of the backend-server be for this kind of backend-server? Can it be the same IP address as the server-IP and a different port number?
Does it have to match the HTTP port number for the backend content rule?
Also, does the backend-server need to be activated, or does the activation of the ssl-proxy-list do the job?
e.g.:
ssl-proxy-list ssllist1
  ssl-server 252
  ssl-server 252 vip address 192.168.10.252
  ssl-server 252 port 443
  ssl-server 252 cipher rsa-with-3des-ede-cbc-sha 192.168.10.252 8080
  ssl-server 252 rsacert myrsacert1
  ssl-server 252 rsakey myrsakey1
  backend-server 31
  backend-server 31 ip address 192.168.10.31
  backend-server 31 port 17112
  backend-server 31 server-ip 192.168.10.31
  backend-server 31 server-port 7112
  backend-server 31 cipher rsa-with-3des-ede-cbc-sha
  backend-server 31 rsacert myrsacert1
  backend-server 31 rsakey myrsakey1
  backend-server 32
  backend-server 32 ip address 192.168.10.31
  backend-server 32 port 17122
  backend-server 32 server-ip 192.168.10.31
  backend-server 32 server-port 7122
  backend-server 32 cipher rsa-with-3des-ede-cbc-sha
  backend-server 32 rsacert myrsacert1
  backend-server 32 rsakey myrsakey1
  active
service sslulb3svr0
  type ssl-accel
  slot 6
  keepalive type none
  add ssl-proxy-list ssllist1
  active
service ssluportal1-1
  type ssl-accel-backend
  keepalive type ssl
  keepalive frequency 60
  keepalive retryperiod 255
  add ssl-proxy-list ssllist1
  ip address 192.168.10.31
  port 7112
  active
The traffic is being blocked. Please tell us if we have the ssl config set up correctly.
07-13-2007 11:44 AM
The mistake is in your service:
service ssluportal1-1
  type ssl-accel-backend
  keepalive type ssl
  keepalive frequency 60
  keepalive retryperiod 255
  add ssl-proxy-list ssllist1
  ip address 192.168.10.31
  port 7112 --------------------> should be port 17122 (the port, not the server port)
  active
look at:
07-14-2007 10:32 AM
Thanks diro.
I corrected the port numbers, but now my connection gets reset immediately by the CSS after SSL establishment with the front end VIP and a 'change cipher request'. My client is IE.
Is there an issue with my cipher spec on the CSS?
07-29-2007 03:04 PM
I got this resolved and the issue was in the actual backend servers. Thanks.
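The rule from the reply above (an ssl-accel-backend service must use the backend-server's "ip address" and "port", not its "server-ip" and "server-port") can be checked mechanically before a config is activated. The following is an added example, not part of the original thread or any Cisco tool; the function names are hypothetical, the sample is an excerpt constructed from the configuration in the question, and it assumes a single ssl-proxy-list.

```python
# Constructed sample: excerpt of the configuration posted in the question.
SAMPLE_CONFIG = """\
ssl-proxy-list ssllist1
backend-server 31 ip address 192.168.10.31
backend-server 31 port 17112
backend-server 31 server-ip 192.168.10.31
backend-server 31 server-port 7112
backend-server 32 ip address 192.168.10.31
backend-server 32 port 17122
backend-server 32 server-ip 192.168.10.31
backend-server 32 server-port 7122
active
service ssluportal1-1
type ssl-accel-backend
add ssl-proxy-list ssllist1
ip address 192.168.10.31
port 7112
active
"""

def parse(config):
    """Return (backends, services): settings keyed by backend-server number / service name."""
    backends, services, current = {}, {}, None
    for words in (line.split() for line in config.splitlines()):
        if len(words) < 2:
            continue  # blank lines and bare keywords such as "active"
        if words[0] == "backend-server":
            if len(words) > 2:  # "ip address X" -> key "ip address", "port N" -> key "port"
                backends.setdefault(words[1], {})[" ".join(words[2:-1])] = words[-1]
        elif words[0] in ("service", "ssl-proxy-list"):
            current = services.setdefault(words[1], {}) if words[0] == "service" else None
        elif current is not None:
            current[" ".join(words[:-1])] = words[-1]
    return backends, services

def check(config):
    """List ssl-accel-backend services whose ip/port match no backend-server ip address/port."""
    backends, services = parse(config)
    findings = []
    for name, svc in services.items():
        if svc.get("type") != "ssl-accel-backend":
            continue
        addr = (svc.get("ip address"), svc.get("port"))
        if any((b.get("ip address"), b.get("port")) == addr for b in backends.values()):
            continue
        # Likely cause: the service points at a real server's server-ip/server-port.
        swapped = [n for n, b in backends.items() if (b.get("server-ip"), b.get("server-port")) == addr]
        findings.append((name, addr, swapped))
    return findings
```

Each finding names the service, the ip/port it uses, and any backend-server entries whose server-ip/server-port it was mistakenly pointed at.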