06-14-2010 10:27 AM
I am having issues using SSL termination. When I configure regular HTTP all works fine, but when I switch to SSL termination I see resets in the packet capture (capture run on the client machine). I ran the crypto verify command to confirm the key and the cert match, which they did.
Any ideas?
Thanks
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
boot system image:c4710ace-mz.A3_2_4.bin
hostname MYLOADBALANCER
interface gigabitEthernet 1/1
description LB INSIDE
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
switchport access vlan 3126
no shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
ft-port vlan 100
no shutdown
crypto csr-params mycompany
country US
state NJ
organization-name myorganization
organization-unit Information Services
common-name *.mydomain.org
access-list ALL line 8 extended permit ip any any
parameter-map type ssl mydomain.org
cipher RSA_WITH_RC4_128_SHA
cipher RSA_WITH_AES_128_CBC_SHA
cipher RSA_EXPORT1024_WITH_RC4_56_MD5
cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
cipher RSA_EXPORT1024_WITH_RC4_56_SHA
rserver host mywebserver
ip address 192.168.48.78
inservice
serverfarm host test_servers
rserver mywebserver
inservice
ssl-proxy service mydomain.org
key mydomain
cert STAR.mydomain.ORG.crt
ssl advanced-options mydomain.org
class-map type management match-any remote_access
201 match protocol xml-https any
202 match protocol icmp any
203 match protocol telnet any
204 match protocol ssh any
205 match protocol http any
206 match protocol https any
207 match protocol snmp any
class-map match-all test.mydomain.org
2 match virtual-address 1.1.1.3 tcp eq https
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match test.mydomain.org-l7slb
class class-default
serverfarm test_servers
policy-map multi-match int1000-n2
class test.mydomain.org
loadbalance vip inservice
loadbalance policy test.mydomain.org-l7slb
ssl-proxy server mydomain.org
interface vlan 1000
description inside interface
ip address 2.2.2.2 255.255.255.0
peer ip address 2.2.2.3 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
service-policy input int1000-n2
no shutdown
interface vlan 3126
description "outside interface"
ip address 1.1.1.1 255.255.255.0
peer ip address 1.1.1.2 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
service-policy input int1000-n2
no shutdown
ft interface vlan 100
ip address 192.168.5.106 255.255.255.252
peer ip address 192.168.5.105 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 100
query-interface vlan 1000
ft group 1
peer 1
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 1.1.1.5
06-14-2010 10:47 AM
Hi There,
The problem is that you need to specify the clear-text port that your backend server is using; otherwise the ACE will try to forward the decrypted traffic on port 443.
Try this out:
serverfarm host test_servers
rserver mywebserver 80
inservice
Hope this helps.
__ __
Pablo
Cisco TAC
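The two things worth checking in the configuration posted above are exactly the port point in the answer (an SSL-terminating class whose serverfarm rservers carry no clear-text port) and the cipher list in the `parameter-map type ssl`, which includes export-grade, RC4 and MD5 suites. The script below is an added example, not code from the thread or from Cisco: it parses an ACE config, walks `policy-map multi-match` -> `loadbalance policy` -> `serverfarm` to find farms that receive decrypted traffic, and flags both problems. It assumes indentation can be ignored (the posted config lost it), recognises blocks by their leading keyword, and classifies weak ciphers by substring match on ACE cipher names; the sample config is a trimmed copy of the one in the original post.

```python
"""Lint a Cisco ACE config for the two SSL-termination pitfalls in this thread.

Finding 1: a serverfarm reached through a class carrying `ssl-proxy server` whose
           rserver entries have no clear-text port (decrypted requests would then
           be forwarded on the VIP port, 443 here).
Finding 2: export-grade, RC4, single-DES or MD5 ciphers in `parameter-map type ssl`.

Assumptions (not from the thread): indentation is ignored, blocks are recognised by
their leading keyword, and the weak-cipher test is a substring match.
"""

# Substrings of ACE cipher names that mark a cipher as weak, and why.
WEAK_CIPHER_MARKERS = {
    "EXPORT": "export-grade key length",
    "RC4": "RC4 stream cipher",
    "DES_CBC": "single DES",
    "MD5": "MD5 MAC",
}

# Keywords that open a new top-level block (only those the parser needs to notice).
TOP_LEVEL = ("parameter-map", "serverfarm", "rserver", "ssl-proxy", "policy-map",
             "class-map", "interface", "ft ", "ip route", "crypto", "access-list",
             "hostname", "boot ")


def parse(config):
    """Return (serverfarms, ciphers, multi_match, lb_policies) extracted from config."""
    serverfarms = {}  # farm name -> [(rserver, port or None)]
    ciphers = {}      # parameter-map name -> [cipher]
    multi = {}        # multi-match policy -> class -> {"lb": policy, "ssl": proxy}
    lb = {}           # loadbalance policy -> [serverfarm]
    block = None      # (kind, name) of the block being read
    cls = None        # current class inside a policy-map
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        kind = block[0] if block else None
        # Lines belonging to the current block are consumed first, because words
        # such as `rserver` and `serverfarm` also open top-level blocks.
        if kind == "serverfarm" and tok[0] == "rserver" and len(tok) > 1 \
                and tok[1] not in ("host", "redirect"):
            port = int(tok[2]) if len(tok) > 2 and tok[2].isdigit() else None
            serverfarms[block[1]].append((tok[1], port))
            continue
        if kind == "ssl-param" and tok[0] == "cipher" and len(tok) > 1:
            ciphers[block[1]].append(tok[1])
            continue
        if kind == "multi" and tok[0] == "class" and len(tok) > 1:
            cls = tok[1]
            multi[block[1]].setdefault(cls, {})
            continue
        if kind == "multi" and cls and len(tok) > 2:
            if tok[0] == "loadbalance" and tok[1] == "policy":
                multi[block[1]][cls]["lb"] = tok[2]
                continue
            if tok[0] == "ssl-proxy" and tok[1] == "server":
                multi[block[1]][cls]["ssl"] = tok[2]
                continue
        if kind == "lb" and tok[0] == "serverfarm" and len(tok) == 2:
            lb[block[1]].append(tok[1])
            continue
        # Block headers.
        line = " ".join(tok)
        if line.startswith("parameter-map type ssl ") and len(tok) > 3:
            block, ciphers[tok[3]] = ("ssl-param", tok[3]), []
        elif line.startswith(("serverfarm host ", "serverfarm redirect ")):
            block, serverfarms[tok[2]] = ("serverfarm", tok[2]), []
        elif line.startswith("policy-map multi-match "):
            block, cls, multi[tok[2]] = ("multi", tok[2]), None, {}
        elif line.startswith("policy-map type loadbalance ") and len(tok) > 4:
            block, cls, lb[tok[4]] = ("lb", tok[4]), None, []
        elif line.startswith(TOP_LEVEL):
            block, cls = ("other", None), None
    return serverfarms, ciphers, multi, lb


def ssl_terminated_farms(multi, lb):
    """Serverfarms that receive decrypted traffic: reached via a class that has
    both a loadbalance policy and an ssl-proxy server."""
    farms = set()
    for classes in multi.values():
        for c in classes.values():
            if "ssl" in c and "lb" in c:
                farms.update(lb.get(c["lb"], []))
    return farms


def lint(config):
    """Return a list of human-readable findings for the config."""
    serverfarms, ciphers, multi, lb = parse(config)
    findings = []
    for farm in sorted(ssl_terminated_farms(multi, lb)):
        for name, port in serverfarms.get(farm, []):
            if port is None:
                findings.append(f"serverfarm {farm}: rserver {name} has no clear-text "
                                "port; decrypted traffic would go to the VIP port (443)")
    for pm, names in ciphers.items():
        for cipher in names:
            for marker, why in WEAK_CIPHER_MARKERS.items():
                if marker in cipher:
                    findings.append(f"parameter-map {pm}: cipher {cipher} is weak ({why})")
                    break
    return findings


# Constructed sample: the relevant part of the config posted in the thread.
SAMPLE = """\
parameter-map type ssl mydomain.org
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_EXPORT1024_WITH_RC4_56_MD5
  cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
  cipher RSA_EXPORT1024_WITH_RC4_56_SHA
rserver host mywebserver
  ip address 192.168.48.78
  inservice
serverfarm host test_servers
  rserver mywebserver
  inservice
ssl-proxy service mydomain.org
  key mydomain
  cert STAR.mydomain.ORG.crt
  ssl advanced-options mydomain.org
class-map match-all test.mydomain.org
  2 match virtual-address 1.1.1.3 tcp eq https
policy-map type loadbalance first-match test.mydomain.org-l7slb
  class class-default
    serverfarm test_servers
policy-map multi-match int1000-n2
  class test.mydomain.org
    loadbalance vip inservice
    loadbalance policy test.mydomain.org-l7slb
    ssl-proxy server mydomain.org
"""
# The same config with the fix from the answer applied (clear-text port 80).
FIXED = SAMPLE.replace("  rserver mywebserver\n", "  rserver mywebserver 80\n")

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE), ("with port 80", FIXED)):
        print(f"== {label} ==")
        for finding in lint(cfg):
            print("  " + finding)
```

Run against the config as posted, the script reports the missing port on `test_servers` plus four weak ciphers; with `rserver mywebserver 80` only the cipher findings remain, which is a reminder that the answer fixes the resets but leaves the export and RC4 suites enabled for any client that negotiates them.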
06-14-2010 01:05 PM
Is there a way to set an SSL redirection so that requests sent to https://mydomain.com
get redirected to https://mydomain.com/folder1?
06-14-2010 01:46 PM
Hi,
Sure, you need to make an L7 LB decision, something like this:
rserver redirect Redirect
webhost-redirection https://mydomain.com/folder1 301
inservice
serverfarm redirect Redirect
rserver Redirect
inservice
class-map type http loadbalance match-any Folder
2 match http url /folder1
policy-map type loadbalance first-match test.mydomain.org-l7slb
class Folder
serverfarm test_servers
class class-default
serverfarm Redirect
HTH
__ __
Pablo
Cisco TAC