SSL Termination in ACE 4710 not working

connect (Level 1)

Hi,

I have configured a new ACE 4710 with only a single context to redirect HTTPS traffic to HTTP real servers using SSL termination. When I telnet to port 443 or 80 on the VIP it works fine, but when I try to open the URL it prompts me to accept the certificate, then tries to find and establish a connection to the URL but eventually dies out, giving a "Page cannot be displayed" error. I have done some troubleshooting and found that the connection to the VIP on port 443 is ESTABLISHED, but the outbound connection from the real server to the client remains in the INIT state. I am attaching the configs and all the troubleshooting data I have collected. Please, someone help.

6 Replies

Gilles Dufour (Cisco Employee)

Seems like the server default gateway is not the ACE and the response never gets to us.

Try to configure client nat.

Or change the server gateway.

One command to capture is 'show service-policy detail'.

See if the counter " server pkt count" increments.

If not, it will confirm the problem described above.

Gilles.

Yes, the "server pkt count" for "class: VIP_HTTPD_Redirect" is not incrementing, and yes, the servers do not have their default gateway towards the ACE. I need to configure the client NAT; can you please suggest how to do it? I am confused by the many documents available on the internet. Please help.

Yes, the "server pkt count" for "class: VIP_HTTPD_Redirect" is not incrementing, and yes, the servers do not have their default gateway towards the ACE. So, as suggested, I have configured a default route on the servers towards the ACE interface VLAN IP address. Still the server packet count is not incrementing. I am posting the updated configuration of the ACE as an attachment. Please help.

If the traffic is not getting back to the ACE, it won't work.

And the counter does indicate the traffic is not coming back.

You might have a problem on your server.

Get a sniffer trace to see where the packet is going.

Or configure a nat-pool on the server vlan and nat all traffic hitting the vip.

Gilles.
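The two fixes Gilles describes in his replies above (point the servers' default gateway at the ACE, or put a nat-pool on the server VLAN and source-NAT everything that hits the VIP) are shown together below as an added example; this is not the poster's attached configuration or a Cisco sample, and only the server VLAN 10 and its address 10.190.11.61 come from the thread. The client VLAN 20, the VIP 10.190.10.50, the real server addresses, the NAT address 10.190.11.100, and the key/cert names are assumptions. The lines beginning with `!` are annotations for the reader; strip them before pasting into the ACE.

```cisco
! Added example, not the poster's config. SSL termination on an ACE 4710
! with source NAT toward the servers, so replies must return through the ACE
! even when the servers' default gateway points somewhere else.
! Assumed: VLAN 20 (client side), VIP 10.190.10.50, rservers 10.190.11.10-11,
! NAT address 10.190.11.100, key/cert names. VLAN 10 / 10.190.11.61 are the
! server VLAN and ACE address given in the thread.

! The ACE denies traffic by default; an ACL must be bound to each VLAN.
access-list ALL line 8 extended permit ip any any

rserver host WEB1
  ip address 10.190.11.10
  inservice
rserver host WEB2
  ip address 10.190.11.11
  inservice

serverfarm host WEB_FARM
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice

! Server-side SSL proxy: the ACE terminates TLS with this key and certificate
! (assumed names; import them first with 'crypto import').
ssl-proxy service SSL_TERMINATE
  key web.key
  cert web.pem

! Source NAT hides the client address from the servers, so carry it in a
! header so the back-end HTTP logs still record the real client.
! "%is" is the ACE macro for the client source IP.
action-list type modify http ADD_XFF
  header insert request X-Forwarded-For header-value "%is"

class-map match-all VIP_HTTPS
  2 match virtual-address 10.190.10.50 tcp eq https

policy-map type loadbalance first-match HTTPS_LB
  class class-default
    serverfarm WEB_FARM
    action ADD_XFF

policy-map multi-match CLIENT_VIPS
  class VIP_HTTPS
    loadbalance vip inservice
    loadbalance policy HTTPS_LB
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_TERMINATE
    ! The "nat-pool on the server vlan" fix: every client hitting the VIP is
    ! source-NATed to pool 1 on VLAN 10, so the server's reply is addressed to
    ! the ACE no matter what the server's default gateway is.
    nat dynamic 1 vlan 10

interface vlan 20
  description client side (assumed)
  ip address 10.190.10.61 255.255.255.0
  access-group input ALL
  service-policy input CLIENT_VIPS
  no shutdown

interface vlan 10
  description server side (address from the thread)
  ip address 10.190.11.61 255.255.255.0
  access-group input ALL
  ! One PAT address is enough because source ports are translated too.
  nat-pool 1 10.190.11.100 10.190.11.100 netmask 255.255.255.255 pat
  no shutdown
```

If the servers' default gateway is the ACE's VLAN 10 address instead, the `nat dynamic 1 vlan 10` line and the `nat-pool` can be dropped and the servers see the real client address without the header insert. Either way, the check is the one Gilles gave: browse to the VIP and run `show service-policy CLIENT_VIPS detail`; with the fix in place "server pkt count" for the class rises together with "client pkt count", and `show xlate` lists the translations when NAT is used. When "client pkt count" rises and "server pkt count" stays at zero, the SYN reached the server but its SYN/ACK left through another gateway, which is exactly the ESTABLISHED-to-VIP, INIT-to-server pattern the original post describes. Note that the leg from the ACE to the servers on VLAN 10 is plaintext HTTP once TLS is terminated, so that VLAN has to be treated as trusted; the ACE can re-encrypt to the back end with an `ssl-proxy service` of type client if it is not.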

I have configured the server NAT as you suggested. Can you please verify the attached configuration? Still it doesn't work. On the server I have pointed the default route towards the server VLAN 10 IP 10.190.11.61, and I have also checked that it pings from the real servers to the VLAN 10 interface IP address.

Please help.

Thanks, it worked; there was an issue with the back-end JBOSS server. SSL termination is working fine.
