01-16-2008 10:38 PM
I'll post the relevant part of the config below. For testing I've made a self-signed cert. The VIP address is 10.10.15.84 and the server address is 10.10.12.84. I can connect fine going to the VIP address on http, but when I try https nothing comes up. I can see activity doing a show ssl statistics.
!*********************** SSL PROXY LIST ***********************
ssl-proxy-list povssl_proxylist
  ssl-server 20
  ssl-server 20 rsacert povsslcert
  ssl-server 20 rsakey povcert
  ssl-server 20 vip address 10.10.15.84
  ssl-server 20 cipher rsa-export-with-rc4-40-md5 10.10.15.84 80
  active

service POV01
  ip address 10.10.12.84
  port 80
  active

service ssl_pov
  type ssl-accel
  slot 2
  keepalive type none
  add ssl-proxy-list povssl_proxylist
  active

owner POV
  content POV
    vip address 10.10.15.84
    protocol tcp
    port 443
    add service ssl_pov
    application ssl
    active
  content POV80
    protocol tcp
    vip address 10.10.15.84
    add service POV01
    port 80
    active

group POV
  add destination service POV01
  vip address 10.10.15.84
  active
01-17-2008 12:51 AM
Get a sniffer trace on the client and capture a 'show tech' before and after the trace on the CSS.
Send me everything at gdufour@ciso.com.
Gilles.
01-17-2008 05:18 AM
I currently don't have any trace applications in this data center; I'm working on getting Ethereal loaded down there.
Also the CSS11501 does not seem to have the show tech command. That one I didn't expect.
01-17-2008 05:44 AM
The command is: "script play showtech"
01-17-2008 05:45 AM
Can you get a 'show summary' before and after sending an https connection.
That would also give us info on which rules are being hit.
Gilles.
01-17-2008 06:02 AM
I'll have the show tech for you shortly.
For Show Summary POV I have:
Owner    Content Rules    State     Services    Service Hits
POV      POV              Active    ssl_pov     1078
         POV80            Active    POV01       1371
When I hit the site with http I get two hits on POV80, when I hit the site with https I get one hit on POV and one hit on POV80.
01-17-2008 09:52 AM
I'm attaching two traces: one is a trace from the server showing the relevant traffic for an http request going through the load balancer, and one with an https request. With the https request it appears that it is not starting with the HTTP request. The server requires the /client and this is never getting there.
01-18-2008 07:29 AM
For anyone watching, this was resolved. The issue here was the self-signed certificate. It didn't work and didn't give any error in IE. When trying it in Firefox it gave a very clear error. I loaded a Verisign trial cert and everything is working great.
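The certificate problem named in the resolution can be confirmed from a command line instead of relying on browser behaviour. The following is an added example, not part of the thread: it uses the openssl CLI to tell whether a PEM certificate is self-signed and which verification error a client that does not trust it will raise. The certificate is a constructed test cert, and the function names and CN are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. The certificate is a constructed test cert; the CN and
# function names are hypothetical. Requires the openssl CLI (1.1.0 or later).

# Create a throwaway self-signed cert and key in directory $1.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=pov.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Succeed if the cert names itself as issuer and its signature verifies
# against its own public key.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Print the first X.509 verification error number for cert $1, or 0 if it
# verifies. With no second argument nothing is trusted; otherwise $2 is the
# only trust anchor.
verify_error() {
    local out code
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    else
        out=$(openssl verify -no-CAfile -no-CApath "$1" 2>&1) || true
    fi
    code=$(printf '%s\n' "$out" |
        sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    echo "${code:-0}"
}

tmp=$(mktemp -d)
make_test_cert "$tmp"
is_self_signed "$tmp/cert.pem" && echo "self-signed: yes"
echo "untrusted client error: $(verify_error "$tmp/cert.pem")"   # 18 = self-signed leaf
echo "after trusting the cert: $(verify_error "$tmp/cert.pem" "$tmp/cert.pem")"
rm -rf "$tmp"
```

Against a live listener, save the certificate printed by `openssl s_client -connect <vip>:443` to a file and pass that file to the same functions.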