ACE LB not issuing cert for ssl termination when using FQDN but ok if IP address used

Unanswered Question
Aug 21st, 2010

Hi, please help.

I seem to be experiencing a strange issue with regards to SSL termination on the ACE.

When I hit the VIP address using the IP address I get a certificate issued to my browser as expected. Please see e.g. 1 below.

I have changed the real IP address and domain name for security.

e.g. 1: https://10.10.10.10:8442 = ok, I get a cert issued from the ACE.

I delete all my certs from the browser and test again.

However, if I use the FQDN of the VIP I don't get a cert issued; the ACE drops the packet. Please see e.g. 2 below.

e.g. 2: https://test-test.test.co.uk:8442 = no cert issued, and the drop count on the ACE increases.

This issue is not related to DNS, as I get the same results if I use the hosts file on my laptop.

Thanks.

Rick.

litrenta (Cisco Employee) Mon, 08/23/2010 - 05:08

I think you are missing something in the description. The ACE is going to issue a certificate based only on the IP and port you hit (if it is assigned as a VIP).

The ACE has no clue what you are using as the FQDN, since it never gets the FQDN; the only presence of the FQDN is in the Host header of the HTTP request, which comes way after the SSL negotiation. I suggest getting a packet capture at the ACE to confirm.
