Modifying an "ssl-proxy-list" without disturbing the active sessions.

Answered Question
Sep 24th, 2007


I would like to know if it is possible to have two SSL modules installed in a CSS11503 with each one having its own "ssl-proxy-list" ("ssl-proxy-list list1" and "ssl-proxy-list list2"), but the two lists (list1 and list2) are exactly the same.

I will explain my idea:

In a normal situation the two "ssl-proxy-list" are active and the users' encrypted sessions are load balanced between the two SSL modules. But when we need to make a change to the "ssl-proxy-list", like changing a server's certificate, I would like to be able to suspend one service (type ssl-accel with the "ssl-proxy-list list1" attached to it, for example) and wait for all active sessions to terminate before suspending the "ssl-proxy-list list1" to apply the changes.

Once the first "ssl-proxy-list" is updated I would make it active again and apply the same changes to the second "ssl-proxy-list".

Doing it this way, I would like to be able to upgrade the server's certificate during working hours without disturbing the connected users...

Do you think this approach would be possible, or do you have another solution to modify a "ssl-proxy-list" without disturbing the active running sessions?

Thank you for your answer,

Best regards

Overall Rating: 2.5 (2 ratings)
Correct Answer
Gilles Dufour Tue, 09/25/2007 - 08:48
User Badges:
  • Cisco Employee,

Sounds like a good solution to me.


sachinga.hcl Sat, 10/04/2008 - 12:09
User Badges:
  • Silver, 250 points or more

Hi Francois,

An SSL proxy list may belong to multiple SSL services (one SSL proxy list per service), and an SSL service may belong to multiple content rules. You can apply the services to content rules that allow the CSS to direct SSL requests for content.

The CSS supports one active SSL service for each SSL module in the CSS, one SSL service per slot. You can configure more than one SSL service for a slot but only a single SSL service can be active at a time.

No modifications to an SSL proxy list are permitted on an active list. Suspend the list prior to making changes, and then reactivate the SSL proxy list once the changes are complete. Once you have modified the SSL proxy list, suspend the SSL service, reactivate the SSL proxy list, and then reactivate the SSL service.

You can use a maximum of 4 different certificates at a time.

Use the suspend command to suspend an active SSL proxy list.

To suspend an active SSL proxy list, enter:

(config-ssl-proxy-list[ssl_list1])# suspend

Use the URL below for your reference:

Kind regards,

Sachin Garg

Senior Specialist Security

HCL Comnet Ltd.

A-10, Sector 3, Noida- 201301


Mob: +91-9911757733

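The rolling change discussed in this thread, written out as a CSS CLI sequence. This is an added example, not part of any post above: list1 and list2 are the names from the question, while the service names ssl_serv1 and ssl_serv2, the ssl-server index 20 and the certificate association newcert1 are hypothetical. It assumes the new certificate has already been imported and associated on the CSS.

```text
! Constructed example. list1/list2 come from the question; ssl_serv1,
! ssl_serv2, ssl-server index 20 and newcert1 are hypothetical names.

! 1. Take the first SSL service out of rotation. The second service
!    (ssl_serv2 with list2) keeps accepting new SSL sessions.
(config)# service ssl_serv1
(config-service[ssl_serv1])# suspend
(config-service[ssl_serv1])# exit

! 2. Re-run until the suspended service reports no remaining connections.
(config)# show service ssl_serv1

! 3. Suspend the list (an active list cannot be modified), swap the
!    certificate on the virtual SSL server, then reactivate the list.
(config)# ssl-proxy-list list1
(config-ssl-proxy-list[list1])# suspend
(config-ssl-proxy-list[list1])# no ssl-server 20 rsacert
(config-ssl-proxy-list[list1])# ssl-server 20 rsacert newcert1
(config-ssl-proxy-list[list1])# active
(config-ssl-proxy-list[list1])# exit

! 4. Put the service back in rotation.
(config)# service ssl_serv1
(config-service[ssl_serv1])# active
(config-service[ssl_serv1])# exit

! 5. Confirm that clients served by ssl_serv1 receive the new certificate,
!    then repeat steps 1-4 with ssl_serv2 and list2.
```

Updating one list at a time means the two lists briefly differ, so clients may see either the old or the new certificate until step 5 is complete on both modules.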

