Cisco Support Community

New Member

ACE LB not issuing cert for ssl termination when using FQDN but ok if IP address used

Hi please help

I seem to be experiencing a strange issue with regards to SSL termination on the ACE.

When I hit the VIP address using the IP address I get a certificate issued to my browser as expected. Please see e.g. 1 below.

I have changed the real IP address and domain name for security.

e.g. 1: https://10.10.10.10:8442 = OK, I get a cert issued from the ACE.

I delete all my certs from the browser and test again.

However, if I use the FQDN of the VIP I don't get a cert issued; the ACE drops the packet. Please see e.g. 2 below.

e.g. 2: https://test-test.test.co.uk:8442 = no cert issued, and the drop count on the ACE increases.

This issue is not related to DNS, as I get the same results if I use the hosts file on my laptop.

Thanks.

Rick.

1 REPLY
Cisco Employee

Re: ACE LB not issuing cert for ssl termination when using FQDN

I think you are missing something in the description. The ACE is going to issue a certificate just based on the IP and port you hit (if it is assigned as a VIP).

The ACE has no clue what you are using as the FQDN since it never gets the FQDN; the only presence of the FQDN is in the Host header of the HTTP request, which comes way after the SSL negotiation. Suggest getting a packet capture at the ACE to confirm.
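The reply suggests a packet capture. One difference worth looking for in that capture, as an added note from neither poster: a browser connecting by hostname includes a server_name (SNI) extension in the TLS ClientHello, which it omits when the URL is a bare IP address (RFC 6066), so the two tests do not send identical handshakes. The Python below is added example code, not Cisco's or the posters' own; the function names are mine and the ClientHello bytes are constructed rather than captured. It extracts the SNI value from a ClientHello record so the IP-address and FQDN captures can be compared.

```python
import struct

def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample, not a capture)."""
    body = b"\x03\x03" + bytes(32)               # client_version + 32-byte random
    body += b"\x00"                               # session_id: length 0
    body += b"\x00\x04\xc0\x2f\x00\x2f"           # cipher_suites: two suites (4 bytes)
    body += b"\x01\x00"                           # compression_methods: null only
    exts = b"\x00\x0d\x00\x04\x00\x02\x04\x01"    # signature_algorithms ext (type 13) as filler
    if server_name:
        host = server_name.encode("ascii")
        name = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(name)) + name
        exts += b"\x00\x00" + struct.pack("!H", len(sni_list)) + sni_list  # ext type 0 = SNI
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body    # handshake type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 (handshake)

def client_hello_sni(record):
    """Return the SNI host_name carried in a TLS ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                # skip handshake header, version, random
    p += 1 + hs[p]                                # skip session_id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + cs_len                               # skip cipher_suites
    p += 1 + hs[p]                                # skip compression_methods
    if p >= len(hs):
        return None                               # no extensions block at all
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:                           # walk extension list: type(2) length(2) data
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        data = hs[p:p + elen]
        p += elen
        if etype == 0:                            # server_name: list_len(2) name_type(1) len(2) host
            nlen = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + nlen].decode("ascii")
    return None
```

Feed the bytes of the first ClientHello from each capture to client_hello_sni; the FQDN test should return the hostname while the IP-address test returns None.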
