SSL Certs on Standby ACE module

Answered Question
Nov 4th, 2008

hi,

I have imported the SSL keys/Certs to standby ACE module and the FT group status is now showing HOT_STANDBY instead of COLD.

However, I don't see key and cert under ssl-proxy service definition as well as the reference to ssl-proxy server in the policy map configuration on the redundant module. Is this normal ?

Would the above definitions be seen after successful failover ?

I have this problem too.
0 votes
Correct Answer by Gilles Dufour about 8 years 1 month ago

the ssl-proxy config on the standby could not be applied because of missing files.

If for some reason, the standby became active, it would do a synch to the other device which would result in both ACE having the wrong config.

Gilles.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Gilles Dufour Tue, 11/04/2008 - 23:51

No. You should see the correct config before failover.

Make sure to run the latest version and if the problem persist open a service request with the TAC.

G.

new_networker Wed, 11/05/2008 - 01:54

It is resolved. For some reason, the SSL related configurations got wiped off from the active module and I had to redo it.

Would you know of any reason for this behaviour. Scary...

Correct Answer
Gilles Dufour Wed, 11/05/2008 - 02:44

the ssl-proxy config on the standby could not be applied because of missing files.

If for some reason, the standby became active, it would do a synch to the other device which would result in both ACE having the wrong config.

Gilles.

new_networker Fri, 11/14/2008 - 01:14

Yup. That was the reason. The failover occurred before configuration was fully synchronized.

chris.pomeroy Sat, 11/15/2008 - 09:55

If you don't have the certs on both modules, they won't sync.

Also if you see that the ft group is in cold_standby,

You can do the following to get them to sync back up.

ft group 2

no inservice

inservice

This does not cause any issues. I have had to do it serveral time.

Actions

This Discussion