HTTPS to HTTP exchange not working

Unanswered Question
Sep 10th, 2007
I would like to permit the client to exchange HTTPS with the CSS and have the CSS send HTTP traffic to the real server.

But when I type an https URL in my browser, nothing appears in the client's browser.

Can you help me, please?


Gilles Dufour Tue, 09/11/2007 - 01:31
User Badges: Cisco Employee

Does it work if you use http?

Can you get a 'show summary' before and after opening a new connection?

Also get a 'show ssl statistics'.



tuzenat Tue, 09/11/2007 - 07:19

Thanks for your reaction.

It doesn't work fine with http. I attach the output of the sh flows command on the CSS.

The sh summary increments some values.

I see values incrementing in sh ssl statistics; however, when I type the URL, which is the address of the VIP, I validate the certificate but I get a blank page. My web server has one web page to send.

Best regards

Gilles Dufour Tue, 09/11/2007 - 07:37
User Badges: Cisco Employee

What do you mean by "it does not work fine with http"?

If http does not work, there is no chance that SSL will.

Since you have a one-armed scenario, are you sure your servers' default gateway is the CSS?

What you can try is to enable client NAT to see if that makes it work; this would prove it is a server routing table issue.

So, try:

group clientnat

vip address

add destination service




tuzenat Tue, 09/11/2007 - 08:31

The purpose of my scenario is to do SSL between the client and the CSS and HTTP between the CSS and the servers.

When I type (vip address) I get nothing in my browser, but when I type it, the browser asks me to validate the certificate (normally) and afterwards I don't get the web page of my web server (this is my problem).

I will try the commands you sent me and I will report on the progress of my test.

Thanks once more.


tuzenat Wed, 09/12/2007 - 00:01

I added the group clientnat in the CSS and set the default gateway of my web server to the VRRP address. It works, but I don't have any trace in the sh flows command to validate my configuration.

Another issue is that I don't want the system to display the web page when I enter the http address; I just want it when I type the https address.

How do I tell the system to do only HTTPS between me and the CSS and HTTP between the CSS and the web server? And how can I show my staff that it is correctly configured?

I attach my CSS configuration.

Thanks in advance.


Gilles Dufour Wed, 09/12/2007 - 00:38
User Badges: Cisco Employee

What you can do is change the cleartext port to something else, like 81.

Create a new content rule for port 81; make sure the service port is configured to be 80 so that the CSS translates back from 81 to 80.

Then, for the port 80 content rule, configure a redirect service that will redirect traffic from http to https.

There are some examples on how to do this in this forum and also on our website.
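The setup above can be verified from the outside without looking at the CSS configuration: the cleartext rule on port 80 should answer every request with a redirect to https:// on the VIP's hostname, and the HTTPS rule should come back with the real page rather than the blank one reported earlier in the thread. The following script is an added example, not CSS code or a Cisco tool; it parses raw HTTP responses offline, so the sample responses in it are constructed, not captured from a real device, and `www.example.com` stands in for the VIP's hostname.

```python
"""Offline checker for the HTTP-to-HTTPS redirect pattern: the port-80 content
rule must redirect to https://<vip host>/ and the HTTPS side must serve a
non-empty page. Added example; the responses below are constructed samples."""
from http.client import HTTPResponse
from io import BytesIO
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _BytesSocket:
    """Minimal stand-in for a socket so HTTPResponse can parse raw bytes."""

    def __init__(self, data: bytes):
        self._data = data

    def makefile(self, *args, **kwargs):
        return BytesIO(self._data)


def parse_response(raw: bytes) -> HTTPResponse:
    resp = HTTPResponse(_BytesSocket(raw))
    resp.begin()  # parses the status line and headers
    return resp


def cleartext_redirects_to_https(raw: bytes, vip_host: str) -> bool:
    """True if a port-80 response is a redirect to https:// on the VIP's hostname."""
    resp = parse_response(raw)
    if resp.status not in REDIRECT_CODES:
        return False
    location = resp.getheader("Location")
    if not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and target.hostname == vip_host.lower()


def https_serves_page(raw: bytes) -> bool:
    """True if the (decrypted) HTTPS response is 200 with a non-empty body."""
    resp = parse_response(raw)
    return resp.status == 200 and len(resp.read()) > 0


# Constructed sample responses (not captured from a real CSS).
PORT80_OK = (b"HTTP/1.1 302 Found\r\n"
             b"Location: https://www.example.com/\r\n"
             b"Content-Length: 0\r\n\r\n")
PORT80_WRONG = (b"HTTP/1.1 302 Found\r\n"
                b"Location: http://www.example.com/\r\n"  # still cleartext
                b"Content-Length: 0\r\n\r\n")
PAGE = b"<html><body>hello</body></html>"
PORT443_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              + b"Content-Length: %d\r\n\r\n" % len(PAGE) + PAGE)
PORT443_BLANK = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    host = "www.example.com"
    print("port 80 redirects to https:", cleartext_redirects_to_https(PORT80_OK, host))
    print("port 80 wrong redirect    :", cleartext_redirects_to_https(PORT80_WRONG, host))
    print("https page served         :", https_serves_page(PORT443_OK))
    print("https blank page          :", https_serves_page(PORT443_BLANK))
```

In practice the two raw responses would come from plain sockets opened to port 80 and to the TLS-wrapped port 443 of the VIP; keeping the parsing separate from the network lets the same checks run against saved captures. The hostname comparison matters because a redirect to the wrong name (or back to http://) would still "work" in a browser while defeating the purpose of the setup.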


paul.matthews Thu, 09/13/2007 - 00:19
User Badges: Silver, 250 points or more

Hi, it looks like you are using the CSS in what is referred to as "one-armed" mode: the users and the servers are all off the same interface of the CSS.

Gilles' question about working on HTTP is important - you may not have an SSL issue at all. My first step in setting up SSL is to get the load balancing working correctly on http before I even think about SSL.

This is not as elegant as using the CSS as a router between the users and the servers but can be made to work.

The awkward bit is the return traffic.

I will assume routers between the users and the CSS/servers to explain what may be happening.

A packet comes in via the router, s=user, d=VIP. That hits the CSS, which does its bit and forwards it to the server as s=user, d=server. The server will receive that; normally this first one will be a TCP SYN, so if OK the server responds with a SYN/ACK, s=server, d=user. The server will pass that to its default gateway, which will probably be the router, so the user gets a SYN/ACK from an address it has not sent a SYN to.

There are three ways to sort this. One is to create another subnet behind the CSS and put the servers there.

Second is to create a source-group on the CSS to set NAT up so that the packet that gets sent to the server has a source address associated with the CSS so that return traffic goes via the CSS.

The third is to aim the server's default gateway at the CSS address.
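The return-traffic problem and the three fixes above can be traced packet by packet. The model below is an added illustration, not CSS code or anything from the original thread: all addresses are constructed (one /24 for the users behind the router, one for the CSS, router and servers, and an optional second /24 behind the CSS), and it only tracks source/destination rewriting and next-hop choice, which is all the argument depends on.

```python
"""Packet-flow model of the one-armed return-traffic problem and its fixes.
Added example with constructed addresses; not CSS code."""
from dataclasses import dataclass

CLIENT = "10.0.0.5"        # user, reached through the router
ROUTER = "192.168.1.1"     # router leg on the server LAN
CSS = "192.168.1.2"        # CSS interface on the server LAN (one-armed)
VIP = "192.168.1.100"      # virtual address owned by the CSS
CSS_NAT = "192.168.1.3"    # source-group NAT address owned by the CSS
CSS_BACK = "172.16.0.1"    # CSS leg on an optional second subnet for servers
CSS_OWNED = {CSS, VIP, CSS_NAT, CSS_BACK}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def same_subnet(a: str, b: str) -> bool:
    """Every subnet in this model is a /24."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


def simulate(server: str, server_gateway: str, client_nat: bool) -> dict:
    """Trace the SYN/ACK back from the server and say where it ends up."""
    # Forward direction: client -> router -> CSS, destination is the VIP.
    forward = Packet(CLIENT, VIP)
    # The CSS picks the server and rewrites the destination; with a source
    # group (client NAT) it also rewrites the source to an address it owns.
    to_server = Packet(CSS_NAT if client_nat else forward.src, server)
    # The server answers whoever the packet appeared to come from.
    reply = Packet(server, to_server.src)
    path = ["server"]
    if same_subnet(server, reply.dst):
        next_hop = reply.dst         # directly connected: gateway not consulted
    else:
        next_hop = server_gateway
    if next_hop in CSS_OWNED:
        path.append("css")
        reply = Packet(VIP, CLIENT)  # CSS reverses its translation(s)
        path += ["router", "client"]
    elif next_hop == ROUTER:
        path += ["router", "client"]  # router forwards as-is, bypassing the CSS
    else:
        raise ValueError(f"no route to {reply.dst} via {next_hop}")
    # The client only accepts a SYN/ACK from the address it sent the SYN to.
    return {"path": path, "seen_src": reply.src, "accepted": reply.src == VIP}


SCENARIOS = {
    "one-armed, gateway=router": dict(server="192.168.1.10", server_gateway=ROUTER, client_nat=False),
    "fix 1: servers behind CSS": dict(server="172.16.0.10", server_gateway=CSS_BACK, client_nat=False),
    "fix 2: source-group NAT":   dict(server="192.168.1.10", server_gateway=ROUTER, client_nat=True),
    "fix 3: gateway=CSS":        dict(server="192.168.1.10", server_gateway=CSS, client_nat=False),
}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        result = simulate(**args)
        print(f"{name:28} path={'->'.join(result['path']):28} "
              f"src seen by client={result['seen_src']:15} accepted={result['accepted']}")
```

Running it shows the broken case (reply goes server, router, client with the server's own address as source, so the client discards it) against the three working ones, where the reply passes through the CSS and comes back with the VIP as source. Fix 2 works for a different reason than fixes 1 and 3: the server's gateway is never consulted because the NAT address is on its own subnet, which is why enabling client NAT is a quick test for a server routing-table problem.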
