New Member

ap-kal-ssl script keepalive problem with cert warning

When I configure a keepalive type as the ap-kal-ssl script, the keepalive fails. I found that the servers being monitored are prompting with a certificate warning (see attachment) informing me that the name on the cert does not match the name of the site. Hence, the CSS is monitoring the servers using the IP addresses rather than the domain name registered with the cert.

Does anyone know how to configure the ap-kal-ssl script to accept the cert warning message so the keepalive will follow through to the web server?

Here's my config:

service SERVERA
  ip address 10.10.10.26
  keepalive port 443
  keepalive frequency 10
  keepalive type script ap-kal-ssl "10.10.10.26 /css443.txt myuser:mypass"
  active

service SERVERB
  ip address 10.10.10.27
  keepalive port 444
  keepalive frequency 10
  keepalive type script ap-kal-ssl "10.10.10.27 /css444.txt myuser:mypass"
  active

Kind regards,

Chad

2 REPLIES
Cisco Employee

Re: ap-kal-ssl script keepalive problem with cert warning

Chad,

The script really does not care about the certificate.

It basically sends a hello packet and checks for specific bytes in the server response:

! Wait for a handshake message (0x16), paired with the version
! of SSL (0x03 0x00)
socket waitfor ${SOCKET} "160300" 2000 raw
! Wait for the specific server hello (0x02)
socket waitfor ${SOCKET} "02" 2000 raw
! Wait for the version again (as it appears twice: 0x03 0x00)
socket waitfor ${SOCKET} "0300" 2000 raw

So, sniff the traffic between the CSS and the server and verify what the first bytes sent in the server response are.

You can then edit the script and put your own bytes.

[or send us the sniff and we will send you the new script lines - if possible]

Gilles.
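
An added example, not part of the original thread or of the Cisco script: a Python helper that decodes the first bytes of a sniffed server reply and replays the three quoted "socket waitfor" patterns against them, so you can see which one stops matching and which bytes the capture actually contains. The sample replies are constructed, the function names are hypothetical, and it assumes each waitfor scans forward from where the previous match ended.

```python
# Added example: check sniffed reply bytes against the script's waitfor patterns.
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
HANDSHAKE_TYPES = {0x01: "client_hello", 0x02: "server_hello"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
SCRIPT_PATTERNS = ["160300", "02", "0300"]  # from the script lines in the reply

# Constructed sample captures (first bytes of a server reply, as hex).
SSL3_REPLY = "160300004a020000460300"   # handshake record, SSL 3.0 server hello
TLS10_REPLY = "160301004a020000460301"  # handshake record, TLS 1.0 server hello
ALERT_REPLY = "15030100020228"          # alert record instead of a server hello

def decode_reply(hex_bytes):
    """Decode the 5-byte record header and, if present, the hello header."""
    data = bytes.fromhex(hex_bytes)
    if len(data) < 5:
        raise ValueError("need at least the 5-byte record header")
    info = {"content_type": CONTENT_TYPES.get(data[0], "unknown"),
            "record_version": VERSIONS.get((data[1], data[2]), "unknown"),
            "record_length": int.from_bytes(data[3:5], "big")}
    if data[0] == 0x16 and len(data) >= 11:
        info["handshake_type"] = HANDSHAKE_TYPES.get(data[5], "unknown")
        info["hello_version"] = VERSIONS.get((data[9], data[10]), "unknown")
    return info

def replay_waitfor(hex_bytes, patterns=SCRIPT_PATTERNS):
    """Return the index of the first pattern that never matches, else None."""
    data, pos = bytes.fromhex(hex_bytes), 0
    for i, pat in enumerate(patterns):
        hit = data.find(bytes.fromhex(pat), pos)
        if hit < 0:
            return i  # this waitfor would time out
        pos = hit + len(pat) // 2
    return None

def suggested_patterns(hex_bytes):
    """Pull the same three fields out of the capture, in script order."""
    data = bytes.fromhex(hex_bytes)
    if len(data) < 11 or data[0] != 0x16:
        return None  # not a handshake record, so there is no hello to match
    return [data[0:3].hex(), data[5:6].hex(), data[9:11].hex()]

if __name__ == "__main__":
    for name, cap in [("ssl3", SSL3_REPLY), ("tls10", TLS10_REPLY),
                      ("alert", ALERT_REPLY)]:
        print(name, decode_reply(cap), "fails at:", replay_waitfor(cap),
              "use:", suggested_patterns(cap))
```

A result of `None` from `suggested_patterns` means the server did not answer with a handshake record at all, which editing the byte strings in the script will not address.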

New Member

Re: ap-kal-ssl script keepalive problem with cert warning

Thanks for your help Gilles!

I'm still working on the trace, but once I have it, I'll rewrite the script per your suggestions and see how that goes.

-Chad
