Beginning with CSM and SSL daughter card.


Hello everyone.

I'm using a CSM with an SSL daughter card on a native 6513. The module is configured in bridge mode and works fine with a farm of Google appliances.

For testing purposes, I want to introduce the SSL proxy. After the initial setup, I configured a new VLAN for CSM-SSL communication.

I have defined an ssl-proxy service and the virtual servers: all are UP and OPERATIONAL.

ssl-core11#sh ssl-proxy service
Proxy Service Name          Admin     Operation
                            status    status



When I try to connect from the client I can see the connection.

sw-core11#sh mod csm 2 conns vserver GOOGLE-HTTPS
prot  vlan  source  destination  state
Out   TCP   4095                 ESTAB


But IE cannot display the page.

Please help, I believe it's some NAT issue!


Gilles Dufour (Cisco Employee), Mon, 08/03/2009 - 01:18

Do you see a connection to the clear-text VIP after the SSL session?

Could you get a sniffer trace to see if the SSL handshake completes and if a connection is opened with the backend server?



Many thanks for your help.

Sniffing from the web browser, I can see only the SYN packets, but everything works fine for the HTTP request.

The firewall uses a PAT ( for all Intranet clients.

sw-core11#sh mod csm 2 conns vse GOOGLE-HTTPS
prot  vlan  source  destination  state
Out   TCP   4095                 ESTAB


Gilles Dufour (Cisco Employee), Tue, 08/04/2009 - 05:04

You see only the SYN packets when opening the port 443 connection? Is that correct?

It means the SSL daughter card is either not receiving the SYN or responding to it in the wrong direction.

Could you check on the daughter card

ssl-proxy#show ssl-proxy stats

before and after a connection attempt, and see which counters increment.


Hi Gilles, and many thanks for your help.

Yes, Gilles!

I see the SYN packet from my browser. The packet reaches the CSM on VLAN 500 with source IP

sw-core11#sh mod csm 2 conns vse GOOGLE-HTTPS
prot  vlan  source  destination  state
Out   TCP   4095                 ESTAB


The CSM sends it out on VLAN 4095! Why not 298? Maybe the source and destination IP addresses should be swapped!?

Attached you can find the statistics.

The SSL card is not receiving.



Some notes from the configuration guide...

If you execute command show module csm x conn, the output shows an entry for VLAN 4095. You can ignore this VLAN, which the system creates for communication between the CSM and the SSL daughter

The SSL software supports only the normal-range VLANs (2 through 1005). You must limit the SSL daughter card configuration to the normal-range VLANs. Note that VLAN 4095 is automatically created for system communication between the CSM and the SSL daughter card. You can ignore this VLAN.

Gilles Dufour (Cisco Employee), Thu, 08/06/2009 - 01:16

Do you have a VLAN 298 on the CSM?

Can you ping from the CSM? From the gateway?

Can you ping the gateway from the daughter card?

The daughter card does not show any SSL connection attempts. But it shows drops due to VLAN id.


Hi Gilles.

Yes, there is a VLAN 298 on the CSM.

vlan 298 server
  description SSL-DC-COMM
  ip address alt


I can ping from the CSM...

sw-core11#ping module contentSwitchingModule 2
IP address                  Reachable
--------------------------  Yes


And from the SSL DC I can ping the gateway (CSM alias IP address):

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

I'm using VLAN 298 for private communication between the CSM and the SSL card.


I'm updating my post about a simple SSL proxy configuration, ending with a VLAN id mismatch.

After one attempt...

ssl-core11#show ssl-proxy stats
TCP Statistics:
    Conns initiated     : 0           Conns accepted      : 0
    Conns established   : 0           Conns dropped       : 0
    Conns Allocated     : 0           Conns Deallocated   : 0
    Conns closed        : 0           SYN timeouts        : 0
    Idle timeouts       : 0           Total pkts sent     : 0
    Data packets sent   : 0           Data bytes sent     : 0
    Total Pkts rcvd     : 0           Pkts rcvd in seq    : 0
    Bytes rcvd in seq   : 0
SSL Statistics:
    conns attempted     : 0           conns completed     : 0
    full handshakes     : 0           resumed handshakes  : 0
    active conns        : 0           active sessions     : 0
    renegs attempted    : 0           conns in reneg      : 0
    handshake failures  : 0           data failures       : 0
    fatal alerts rcvd   : 0           fatal alerts sent   : 0
    no-cipher alerts    : 0           ver mismatch alerts : 0
    no-compress alerts  : 0           bad macs received   : 0
    pad errors          : 0           session fails       : 0
    Invalid Queue Event.
FDU Statistics:
    IP Frag Drops       : 0           IP Version Drops    : 0
    IP Addr Discards    : 0           Serv_Id Drops       : 14
    Conn Id Drops       : 0           Bound Conn Drops    : 0
    Vlan Id Drops       : 90          TCP Checksum Drops  : 0
    Hash Full Drops     : 0           Hash Alloc Fails    : 0
    Flow Creates        : 0           Flow Deletes        : 0
    Conn Id allocs      : 0           Conn Id deallocs    : 0
    Tagged Pkts Drops   : 0           Non-Tagg Pkts Drops : 0
    Add ipcs            : 14          Delete ipcs         : 0
    Disable ipcs        : 13          Enable ipcs         : 0
    Unsolicited ipcs    : 289489      Duplicate Add ipcs  : 3
    IOS Broadcast Pkts  : 117124167   IOS Unicast Pkts    : 9305747
    IOS Multicast Pkts  : 240761      IOS Total Pkts      : 126670675
    IOS Congest Drops   : 0           SYN Discards        : 0
    TCP 5-tuple reuse   : 0


Many thanks for your help.
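Gilles' suggestion earlier in the thread (snapshot show ssl-proxy stats before and after one connection attempt, then see which counters increment), applied to the counters posted above, as an added example that is not Cisco's code and not from either poster: a small Python script that parses two snapshots, diffs them, sets aside the counters that move regardless of test traffic, and turns what is left into the reading Gilles gives (Vlan Id Drops climbing while nothing in the TCP section moves). The "before" snapshot is constructed for the example; the "after" snapshot is an excerpt of the output posted above. Treating the IOS packet counters as background noise, and the interpretation of Serv_Id Drops, are assumptions of this example, not statements from the thread or the configuration guide.

```python
"""Diff two `show ssl-proxy stats` snapshots from a CSM SSL daughter card.

Added example for this thread (not Cisco's code, not the poster's).  The parser
follows the layout pasted in the thread: two "Name : value" pairs per line under
"TCP/SSL/FDU Statistics:" headers.  BEFORE_SNAPSHOT is constructed for the
example; AFTER_SNAPSHOT is an excerpt of the output posted in the thread.
"""
import re
from typing import Dict, List, Tuple

# "Name : value" pairs; a name starts with a letter and may contain digits,
# spaces, '_' and '-' (e.g. "TCP 5-tuple reuse", "Serv_Id Drops").
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9_ -]*?)\s*:\s*(\d+)")
SECTION_RE = re.compile(r"^\s*([A-Za-z]+) Statistics:\s*$")

# Assumption: the IOS packet counters count control-plane traffic between the
# card and IOS and keep moving whether or not you send test traffic.
BACKGROUND_PREFIXES = ("FDU/IOS ",)

BEFORE_SNAPSHOT = """\
TCP Statistics:
Conns initiated : 0 Conns accepted : 0
Total Pkts rcvd : 0 Pkts rcvd in seq : 0
SSL Statistics:
conns attempted : 0 conns completed : 0
handshake failures : 0 data failures : 0
FDU Statistics:
IP Addr Discards : 0 Serv_Id Drops : 14
Vlan Id Drops : 76 TCP Checksum Drops : 0
IOS Broadcast Pkts : 117124000 IOS Unicast Pkts : 9305700
IOS Multicast Pkts : 240760 IOS Total Pkts : 126670460
"""

AFTER_SNAPSHOT = """\
TCP Statistics:
Conns initiated : 0 Conns accepted : 0
Total Pkts rcvd : 0 Pkts rcvd in seq : 0
SSL Statistics:
conns attempted : 0 conns completed : 0
handshake failures : 0 data failures : 0
FDU Statistics:
IP Addr Discards : 0 Serv_Id Drops : 14
Vlan Id Drops : 90 TCP Checksum Drops : 0
IOS Broadcast Pkts : 117124167 IOS Unicast Pkts : 9305747
IOS Multicast Pkts : 240761 IOS Total Pkts : 126670675
"""


def parse_stats(text: str) -> Dict[str, int]:
    """Return {"SECTION/Counter name": value} for every counter in the output."""
    counters: Dict[str, int] = {}
    section = "GLOBAL"
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        for name, value in COUNTER_RE.findall(line):
            counters[f"{section}/{name.strip()}"] = int(value)
    return counters


def diff_stats(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Counters that grew between the snapshots, largest delta first."""
    deltas = {k: v - before.get(k, 0) for k, v in after.items() if v - before.get(k, 0) > 0}
    return dict(sorted(deltas.items(), key=lambda kv: kv[1], reverse=True))


def signal_deltas(deltas: Dict[str, int]) -> Dict[str, int]:
    """Drop the background counters so only test-induced movement remains."""
    return {k: v for k, v in deltas.items() if not k.startswith(BACKGROUND_PREFIXES)}


def diagnose(deltas: Dict[str, int]) -> List[str]:
    """Read the remaining deltas the way Gilles does in the thread."""
    sig = signal_deltas(deltas)
    tcp_moved = any(k.startswith("TCP/") for k in sig)
    findings: List[str] = []
    if not sig:
        findings.append("No data-path counter moved: the SYN never reached the card; "
                        "look at the CSM side (vserver/serverfarm and the CSM-to-card VLAN).")
    if sig.get("FDU/Vlan Id Drops", 0) and not tcp_moved:
        findings.append(f"FDU/Vlan Id Drops +{sig['FDU/Vlan Id Drops']} with no TCP counter moving: "
                        "frames reach the card but carry a VLAN id the SSL proxy is not configured "
                        "for, so the CSM-to-card VLAN and the proxy VLAN disagree.")
    if sig.get("FDU/Serv_Id Drops", 0) and not sig.get("SSL/conns attempted", 0):
        # Assumption: Serv_Id Drops counts frames that matched no ssl-proxy service.
        findings.append(f"FDU/Serv_Id Drops +{sig['FDU/Serv_Id Drops']}: frames arrive but match "
                        "no ssl-proxy service (check the service's VIP and port).")
    if tcp_moved and sig.get("SSL/handshake failures", 0):
        findings.append("TCP completes but the SSL handshake fails: check the certificate "
                        "and cipher configuration of the proxy service.")
    return findings


def analyse(before_text: str, after_text: str) -> Tuple[Dict[str, int], List[str]]:
    """Parse both snapshots and return (all deltas, findings)."""
    deltas = diff_stats(parse_stats(before_text), parse_stats(after_text))
    return deltas, diagnose(deltas)


if __name__ == "__main__":
    all_deltas, result = analyse(BEFORE_SNAPSHOT, AFTER_SNAPSHOT)
    for key, delta in all_deltas.items():
        print(f"{key:<26} +{delta}")
    for finding in result:
        print("=>", finding)
```

On the two snapshots above the only non-background counter that moves is FDU/Vlan Id Drops (+14), which is the mismatch the thread ends on; paste real captures into the two strings, or read them from files, to repeat the check on another card.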



