
Problem with SSL module

Unanswered Question
Nov 17th, 2005

I've got a 6509 with SSL and CSM inside. I'm having a problem with creating a connection to the VIP on port 443 pointing to the SSL module. My configuration is based on the "Catalyst 6500 Series Switch Content Switching Module with SSL Installation and Configuration" document, Appendix B; B-7; CSM-S Configuration Example (Router Mode, Server NAT). It seems to be simple but it's not working. Could anybody take a look at this excerpt from the config?


VLAN to outside is 200; to SSL 150 (admin), 130 traffic; to clients 120.


ssl-proxy module 4 allowed-vlan 120,130,150
!
vlan 200 client
 description Traffic from clients.
 ip address X.23.48.5 255.255.255.0 alt X.23.48.6 255.255.255.0
 gateway X.23.48.10
 alias X.23.48.4 255.255.255.0
!
vlan 120 server
 description Server traffic
 ip address 192.168.200.2 255.255.255.0 alt 192.168.200.3 255.255.255.0
 alias 192.168.200.1 255.255.255.0
!
vlan 130 server
 description SSL-DC traffic
 ip address 172.16.0.21 255.255.255.0 alt 172.16.0.31 255.255.255.0
 alias 172.16.0.1 255.255.255.0
!
serverfarm SSL-TEST
 nat server
 no nat client
 real 172.16.0.182 local
  inservice
!
serverfarm WWW-TEST
 nat server
 no nat client
 real 192.168.200.110
  inservice
!
vserver SSL-VIP-TEST
 virtual X.23.48.110 tcp https
 serverfarm SSL-TEST
 persistent rebalance
 inservice
!
vserver WWW-VIP-TEST
 virtual X.23.48.110 tcp www
 serverfarm WWW-TEST
 persistent rebalance
 inservice
!
interface Vlan150
 description Polaczenie do SSL akceleratora
 ip address 10.10.10.11 255.255.255.0
!
interface Vlan200
 description VLAN do FWSM
 ip address X.23.48.9 255.255.255.0
 standby 1 ip X.23.48.10


and on SSL module:

ssl-proxy service SSL-TEST
 virtual ipaddr 172.16.0.182 protocol tcp port 443 secondary
 server ipaddr X.23.48.110 protocol tcp port 80
 certificate rsa general-purpose trustpoint ssl.allegro.pl
 inservice
!
ssl-proxy vlan 150
 ipaddr 10.10.10.2 255.255.255.0
 gateway 10.10.10.11
 admin
!
ssl-proxy vlan 130
 ipaddr 172.16.0.2 255.255.255.0
 gateway 172.16.0.1
 route X.23.48.0 255.255.255.0 gateway 172.16.0.1


I can connect to the real for WWW traffic but can't for SSL traffic.

192.168.200.110 WWW-TEST 8 OPERATIONAL 0
172.16.0.182 SSL-TEST 8 FAILED 0


Any hint? Can't figure it out :(


tia

Gilles Dufour Thu, 11/17/2005 - 07:45
Cisco Employee

Looks like the status of your ssl serverfarm is "FAILED".

So that is the first thing to look for.


I would remove the keyword 'local' from the real definition.

FAILED actually means the CSM does not even have an arp entry for the SSL address.


So I would verify connectivity by issuing ping from the CSM to the SSLM.

You could try to configure the MSFC in vlan 130 as well just to see if you can ping from MSFC to CSM or MSFC to SSLM.


Regards,


Gilles.
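As an added example, not code from this thread or from Cisco, the script below does the cross-checks a practitioner would run by hand before touching the box: it parses the CSM and SSL module excerpts from the question, reads status rows of the same shape as the two lines quoted there, and reports the FAILED real (the ARP/reachability symptom the reply points at), the 'local' keyword the reply suggests removing, an SSLM VLAN gateway that is not the CSM alias on that VLAN, a real that sits on no CSM server VLAN subnet, and an ssl-proxy service whose virtual or clear-text target does not line up with a CSM real or vserver. The embedded config and status text are constructed from the post, with sub-commands indented as IOS prints them and TEST-NET 203.0.113.0/24 standing in for the anonymised X.23.48.0/24; the parsers handle only the command forms seen in the post.

```python
import ipaddress

# Constructed from the post; TEST-NET 203.0.113.0/24 stands in for the anonymised X.23.48.0/24.
CSM_CONFIG = """\
vlan 120 server
 ip address 192.168.200.2 255.255.255.0 alt 192.168.200.3 255.255.255.0
 alias 192.168.200.1 255.255.255.0
vlan 130 server
 ip address 172.16.0.21 255.255.255.0 alt 172.16.0.31 255.255.255.0
 alias 172.16.0.1 255.255.255.0
serverfarm SSL-TEST
 real 172.16.0.182 local
serverfarm WWW-TEST
 real 192.168.200.110
vserver WWW-VIP-TEST
 virtual 203.0.113.110 tcp www
 serverfarm WWW-TEST
"""
SSLM_CONFIG = """\
ssl-proxy service SSL-TEST
 virtual ipaddr 172.16.0.182 protocol tcp port 443 secondary
 server ipaddr 203.0.113.110 protocol tcp port 80
ssl-proxy vlan 150
 ipaddr 10.10.10.2 255.255.255.0
 gateway 10.10.10.11
ssl-proxy vlan 130
 ipaddr 172.16.0.2 255.255.255.0
 gateway 172.16.0.1
"""
# Constructed to match the status lines quoted in the post: real farm weight state conns.
SERVERFARM_STATUS = """\
192.168.200.110 WWW-TEST 8 OPERATIONAL 0
172.16.0.182 SSL-TEST 8 FAILED 0
"""
PORT_NAMES = {"www": 80, "https": 443}

def sections(text):
    # Group an IOS-style config into (header words, [sub-command words]) blocks.
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            out[-1][1].append(line.split())
        else:
            out.append((line.split(), []))
    return out

def parse_csm(text):
    cfg = {"vlans": {}, "farms": {}, "vips": set()}
    for head, body in sections(text):
        if head[0] == "vlan":
            ipw = next(w for w in body if w[:2] == ["ip", "address"])
            alias = next((w[1] for w in body if w[0] == "alias"), None)
            cfg["vlans"][int(head[1])] = {"type": head[2], "alias": alias,
                "net": ipaddress.ip_network(f"{ipw[2]}/{ipw[3]}", strict=False)}
        elif head[0] == "serverfarm":  # keep trailing flags so 'local' can be reported
            cfg["farms"][head[1]] = [(w[1], w[2:]) for w in body if w[0] == "real"]
        elif head[0] == "vserver":
            for w in body:
                if w[0] == "virtual":
                    cfg["vips"].add((w[1], PORT_NAMES.get(w[3]) or int(w[3])))
    return cfg

def parse_sslm(text):
    cfg = {"services": {}, "vlans": {}}
    for head, body in sections(text):
        if head[1] == "service":
            cfg["services"][head[2]] = {w[0]: (w[2], int(w[w.index("port") + 1]))
                                       for w in body if w[0] in ("virtual", "server")}
        elif head[1] == "vlan":
            cfg["vlans"][int(head[2])] = {w[0]: w[1] for w in body if w[0] in ("ipaddr", "gateway")}
    return cfg

def check(csm, sslm, status):
    f = []  # human-readable findings; empty means the pieces line up
    for line in status.splitlines():
        real, farm, _weight, state, _conns = line.split()
        if state != "OPERATIONAL":
            f.append(f"{farm}: real {real} is {state} (CSM has no ARP entry; check CSM<->SSLM reachability)")
    for farm, reals in csm["farms"].items():
        for ip, flags in reals:
            if not any(v["type"] == "server" and ipaddress.ip_address(ip) in v["net"] for v in csm["vlans"].values()):
                f.append(f"{farm}: real {ip} is on no CSM server VLAN subnet")
            if "local" in flags:
                f.append(f"{farm}: real {ip} carries 'local' (the reply suggests removing it)")
    for vid, v in sslm["vlans"].items():
        cv = csm["vlans"].get(vid)  # admin VLAN 150 is routed by the MSFC, so the CSM has no entry
        if cv and v.get("gateway") != cv["alias"]:
            f.append(f"SSLM vlan {vid} gateway {v.get('gateway')} is not the CSM alias {cv['alias']}")
    reals = {ip for rs in csm["farms"].values() for ip, _ in rs}
    for name, svc in sslm["services"].items():
        if svc["virtual"][0] not in reals:
            f.append(f"service {name}: virtual {svc['virtual'][0]} is not a real in any CSM serverfarm")
        if svc["server"] not in csm["vips"]:
            f.append(f"service {name}: clear-text target {svc['server']} is not a CSM vserver VIP:port")
    return f

def run():
    # With the post's config this reports the FAILED real and the 'local' keyword.
    return check(parse_csm(CSM_CONFIG), parse_sslm(SSLM_CONFIG), SERVERFARM_STATUS)
```

Run it with `python3 -c "import csm_check; print('\n'.join(csm_check.run()))"` (or paste your own `show` output into the three strings). On the post's excerpts the only findings are the FAILED real and the 'local' flag, which matches the reply: the addressing between CSM VLAN 130 and the SSLM is consistent, so the next step is Layer 2/3 reachability (ping from CSM to SSLM, or from the MSFC once it has an interface in VLAN 130) rather than more config changes.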
