09-04-2009 03:54 PM
Hi,
I have configured a new ACE 4710 with only a single context to redirect https traffic to http real servers using SSL Termination. When I do a telnet on port 443 or 80 to the VIP it works fine, but when I try to open the URL it prompts me to accept the certificate, then it tries to find and establish a connection to the URL but eventually dies out, giving a "Page cannot be displayed" error. I have done some troubleshooting and found that the connection to the VIP on port 443 is Established but the out connection from the real server to the client remains in the INIT state. I am attaching the configs and all the troubleshooting data I have collected. Pls someone help.
09-05-2009 05:39 AM
Seems like the server default gateway is not the ACE and the response never gets to us.
Try to configure client nat.
Or change the server gateway.
One command to capture is 'show service-policy detail'.
See if the counter "server pkt count" increments.
If not, it will confirm the problem described above.
Gilles.
09-08-2009 06:06 AM
Yes, the "server pkt count" for the "class: VIP_HTTPD_Redirect" is not incrementing, and yes, the servers do not have the default gateway towards the ACE. I need to configure the Client NAT. Can you pls suggest how to do it? I am confused by the many documents available on the internet. Pls help.
09-08-2009 01:21 PM
Yes, the "server pkt count" for the "class: VIP_HTTPD_Redirect" is not incrementing, and yes, the servers do not have the default gateway towards the ACE. So as suggested I have configured a default route on the servers towards the ACE interface vlan ip address. Still the server packet count is not incrementing. I am posting the updated configuration of the ACE as an attachment. Pls help.
09-09-2009 05:09 AM
If the traffic is not getting back to ACE, it won't work.
And the counter does indicate the traffic is not coming back.
You might have a problem on your server.
Get a sniffer trace to see where the packet is going.
Or configure a nat-pool on the server vlan and nat all traffic hitting the vip.
Gilles.
09-09-2009 08:35 AM
I have configured the server nat as you suggested. Can you pls verify the attached configuration? Still it doesn't work. On the server I have pointed the default route towards the server vlan 10 ip 10.190.11.61, and I have also checked that it's pinging from the real servers to the vlan 10 interface ip address.
Pls help.
09-10-2009 12:00 PM
Thanks, it worked. There was an issue with the back end JBOSS server. SSL termination is working fine.