SSL Problems

networker99
Level 1

I am having issues using SSL termination. When I configure regular http all works fine, but when I switch to SSL termination I see resets in the packet capture (capture run on the client machine). I ran the crypto verify command to confirm the key and the cert match, which they did.

Any ideas?

Thanks

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

boot system image:c4710ace-mz.A3_2_4.bin

hostname MYLOADBALANCER
interface gigabitEthernet 1/1
  description LB INSIDE
  switchport access vlan 1000
  no shutdown
interface gigabitEthernet 1/2
  switchport access vlan 3126
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  ft-port vlan 100
  no shutdown


crypto csr-params mycompany
  country US
  state NJ
  organization-name myorganization
  organization-unit Information Services
  common-name *.mydomain.org

access-list ALL line 8 extended permit ip any any

parameter-map type ssl mydomain.org
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_EXPORT1024_WITH_RC4_56_MD5
  cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
  cipher RSA_EXPORT1024_WITH_RC4_56_SHA

rserver host mywebserver
  ip address 192.168.48.78
  inservice


serverfarm host test_servers
  rserver mywebserver
    inservice

ssl-proxy service mydomain.org
  key mydomain
  cert STAR.mydomain.ORG.crt
  ssl advanced-options mydomain.org

class-map type management match-any remote_access
  201 match protocol xml-https any
  202 match protocol icmp any
  203 match protocol telnet any
  204 match protocol ssh any
  205 match protocol http any
  206 match protocol https any
  207 match protocol snmp any
class-map match-all test.mydomain.org
  2 match virtual-address 1.1.1.3 tcp eq https

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

policy-map type loadbalance first-match test.mydomain.org-l7slb
  class class-default
    serverfarm test_servers

policy-map multi-match int1000-n2
  class test.mydomain.org
    loadbalance vip inservice
    loadbalance policy test.mydomain.org-l7slb
    ssl-proxy server mydomain.org

interface vlan 1000
  description inside interface
  ip address 2.2.2.2 255.255.255.0
  peer ip address 2.2.2.3 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input int1000-n2
  no shutdown
interface vlan 3126
  description "outside interface"
  ip address 1.1.1.1 255.255.255.0
  peer ip address 1.1.1.2 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input int1000-n2
  no shutdown

ft interface vlan 100
  ip address 192.168.5.106 255.255.255.252
  peer ip address 192.168.5.105 255.255.255.252
  no shutdown

ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 100
  query-interface vlan 1000
ft group 1
  peer 1
  associate-context Admin
  inservice

ip route 0.0.0.0 0.0.0.0 1.1.1.5

Accepted Solutions

Pablo
Cisco Employee

Hi There,

The problem is that you need to specify the clear text port that your backend server is using; otherwise the ACE will try to forward the decrypted traffic on port 443.

Try this out:

serverfarm host test_servers
  rserver mywebserver 80
    inservice

Hope this helps.

Pablo

Cisco TAC
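
An offline check for the situation described in the answer above, as an added example that is not part of the original thread and not Cisco tooling: it reads ACE running-config text and lists rservers that sit in a serverfarm behind an ssl-proxy VIP but have no port on the rserver line. The function names and the trimmed sample are constructed for illustration, and the parser assumes the indentation layout of the configuration posted in the question.

```python
import re

# Constructed sample: trimmed from the configuration posted in the question.
SAMPLE = """\
serverfarm host test_servers
  rserver mywebserver
    inservice
policy-map type loadbalance first-match test.mydomain.org-l7slb
  class class-default
    serverfarm test_servers
policy-map multi-match int1000-n2
  class test.mydomain.org
    loadbalance policy test.mydomain.org-l7slb
    ssl-proxy server mydomain.org
"""

def blocks(config):
    """Group each indented line under the column-0 command above it."""
    out = []
    for line in filter(str.strip, config.splitlines()):
        if line[0].isspace() and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.split(), []))
    return out

def portless_rservers_behind_ssl(config):
    """(serverfarm, rserver) pairs behind an ssl-proxy VIP with no port set."""
    farms, lb_farms, ssl_lb = {}, {}, set()
    for head, body in blocks(config):
        if head[:2] == ["serverfarm", "host"]:
            # Keep only rserver lines that carry a name and nothing else.
            farms[head[2]] = [m.group(1) for l in body
                              if (m := re.fullmatch(r"rserver (\S+)", l))]
        elif head[:3] == ["policy-map", "type", "loadbalance"]:
            lb_farms[head[-1]] = [l.split()[1] for l in body
                                  if l.startswith("serverfarm ")]
        elif head[:2] == ["policy-map", "multi-match"]:
            policy, ssl = None, False
            for l in body + ["class <end>"]:  # sentinel flushes the last class
                if l.startswith("class "):
                    if policy and ssl:
                        ssl_lb.add(policy)
                    policy, ssl = None, False
                elif l.startswith("loadbalance policy "):
                    policy = l.split()[2]
                elif l.startswith("ssl-proxy server "):
                    ssl = True
    return sorted({(f, r) for p in ssl_lb for f in lb_farms.get(p, [])
                   for r in farms.get(f, [])})
```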

Is there a way to set an SSL redirection so that requests sent to https://mydomain.com get redirected to https://mydomain.com/folder1?

Hi,

Sure, you need to do an L7 LB decision, something like this:

rserver redirect Redirect
  webhost-redirection https://mydomain.com/folder1 301
  inservice

serverfarm redirect Redirect
  rserver Redirect
    inservice

class-map type http loadbalance match-any Folder
  2 match http url /folder1

policy-map type loadbalance first-match test.mydomain.org-l7slb
  class Folder
    serverfarm test_servers
  class class-default
    serverfarm Redirect

HTH

Pablo

Cisco TAC
