SSL Termination in ACE 4710 not working

Unanswered Question


I have configured a new ACE 4710 with only a single context to redirect https traffic to http real servers using SSL Termination. When I do a telnet on port 443 or 80 to the VIP it works fine, but when I try to open the URL it prompts me to accept the certificate, then it tries to find and establish a connection to the URL but eventually dies out giving a "Page cannot be displayed" error. I have done some troubleshooting and found that the connection to the VIP on port 443 is Established but the outbound connection from the real server to the client remains in the INIT state. I am attaching the configs and all the troubleshooting data I have collected. Please, someone help.

Gilles Dufour Sat, 09/05/2009 - 05:39
User Badges:
  • Cisco Employee,

Seems like the server default gateway is not the ACE and the response never gets to us.

Try to configure client nat.

Or change the server gateway.

One command to capture is 'show service-policy detail'.

See if the counter " server pkt count" increments.

If not, it will confirm the problem described above.


Yes, the "server pkt count" for the "class: VIP_HTTPD_Redirect" is not incrementing, and yes, the servers do not have their default gateway towards the ACE. So as suggested I have configured a default route in the servers towards the ACE interface vlan IP address. Still the server packet count is not incrementing. I am posting the updated configuration of the ACE as an attachment. Please help.

Gilles Dufour Wed, 09/09/2009 - 05:09
User Badges:
  • Cisco Employee,

If the traffic is not getting back to ACE, it won't work.

And the counter does indicate the traffic is not coming back.

You might have a problem on your server.

Get a sniffer trace to see where the packet is going.

Or configure a nat-pool on the server vlan and nat all traffic hitting the vip.
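A minimal ACE configuration for the server-side NAT suggested above, as an added example rather than the attachments from this thread; VLAN numbers, addresses, object names and certificate file names are assumed:

```text
! Server-side VLAN: a nat-pool whose address is used to source-NAT client
! traffic toward the real servers, so their replies must return via ACE
! regardless of the server default gateway (all values are constructed)
interface vlan 10
  description SERVER_VLAN
  ip address 10.10.10.1 255.255.255.0
  nat-pool 1 10.10.10.100 10.10.10.100 netmask 255.255.255.255 pat
  no shutdown

rserver host WEB1
  ip address 10.10.10.11
  inservice

serverfarm host HTTP_FARM
  rserver WEB1 80
    inservice

! SSL termination: ACE holds the key and certificate, backend stays HTTP
ssl-proxy service SSL_TERM
  key MYKEY.PEM
  cert MYCERT.PEM

class-map match-all VIP_HTTPS
  2 match virtual-address 192.0.2.10 tcp eq https

policy-map type loadbalance first-match LB_HTTP
  class class-default
    serverfarm HTTP_FARM

! "nat dynamic 1 vlan 10" rewrites the client source address to pool 1
! for every connection that hits this VIP
policy-map multi-match VIPS
  class VIP_HTTPS
    loadbalance vip inservice
    loadbalance policy LB_HTTP
    ssl-proxy server SSL_TERM
    nat dynamic 1 vlan 10

! Client-side VLAN where the VIP lives; the policy must be applied here
interface vlan 20
  description CLIENT_VLAN
  ip address 192.0.2.1 255.255.255.0
  service-policy input VIPS
  no shutdown
```

After applying it, `show service-policy VIPS detail` should show "server pkt count" increasing for the class; note the real servers now log the pool address (10.10.10.100 here) as the client source instead of the original client IP.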


I have configured the server NAT as you suggested. Can you please verify the attached configuration? Still it doesn't work. In the server I have pointed the default route towards the server vlan 10 IP, and I have also checked that it's pinging from the real servers to the vlan 10 interface IP address.

Please help.

