Cisco Support Community
New Member

Cisco CSS 11501 SSL Termination configuration


I am having an issue with the SSL termination config on the Cisco CSS11501.

With my config below, when I hit the Virtual IP of the CSS, httpS://, I get a prompt for an SSL Certificate warning, but since I know it's a fake SSL, I say OK (I use IE 7) and proceed to the site. Then I see a login page (httpS://....../ and as soon as I log in with my credentials, I get re-directed to URL instead of keeping httpS://.....

My intent is to have an httpS:// session maintained throughout, with the CSS accepting the incoming encrypted message, doing the authentication, decrypting the message to HTTP and forwarding the client request to Web dispatcher on port 8182. Once the results are back from Web dispatch, CSS should re-encrypt it and send the results back to the same client via HTTPS.

Can someone please help me to achieve this? My current config is as follows:

Thanks a million :)



CSS11501# show running-config

!Generated on 08/23/2007 16:45:45

!Active version: sg0730005


!*************************** GLOBAL ***************************

cdp run

no restrict web-mgmt


app session

ssl associate rsakey rsakey rsakey

ssl associate cert rsacert rsacert.pem

ssl associate cert ec0 rsacert.pem

ssl associate cert ec0-test ec0.cer

ip route 1

ip route 1

!************************* INTERFACE *************************

interface e8

bridge vlan 2

!************************** CIRCUIT **************************

circuit VLAN1

ip address

circuit VLAN2

ip address

!*********************** SSL PROXY LIST ***********************

ssl-proxy-list test

ssl-server 13

ssl-server 13 vip address

ssl-server 13 rsakey rsakey

ssl-server 13 cipher rsa-with-rc4-128-md5 8182

ssl-server 13 rsacert ec0-test


!************************** SERVICE **************************

service server-ec0

ip address

port 8182

protocol tcp

no prepend-http

domain ""


service ssl_module1

type ssl-accel

slot 2

add ssl-proxy-list test

keepalive type none

port 443


!*************************** OWNER ***************************

owner ssl

content http-ec0

vip address

add service server-ec0

advanced-balance cookies

port 8182

protocol tcp

url "/*"


content ssl-ec0

vip address

add service ssl_module1

application ssl

port 443

protocol tcp

redirect ""

advanced-balance ssl


!*************************** GROUP ***************************

group ssl_module_proxy

vip address

add destination service server-ec0
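
An added example, not part of the original post and not Cisco tooling: a small offline check for the symptom described above, where a login over HTTPS ends in a redirect away from HTTPS. It assumes the backend behind the terminator answers with an absolute `http://` `Location` header; the host name, cookie and sample response are constructed placeholders, and the cookie check goes one step beyond what the post describes.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: backend answer to a login that reached the terminator
# over HTTPS. Host name and cookie are placeholders, not values from the post.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://portal.example.test:8182/home\r\n"
    "Set-Cookie: SESSION=abc123; Path=/\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_headers(raw):
    """Return (status_code, [(lowercase_name, value), ...]) from a raw response head."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit_response(request_url, raw):
    """List what a client of an HTTPS VIP would be exposed to by this response."""
    req = urlsplit(request_url)
    status, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name == "location" and 300 <= status < 400:
            loc = urlsplit(value)
            if req.scheme == "https" and loc.scheme == "http" and loc.hostname == req.hostname:
                findings.append("redirect-downgrade")
        if name == "set-cookie" and req.scheme == "https":
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                findings.append("cookie-without-secure")
    return findings

def rewrite_location(request_url, location, clear_port=8182):
    """Map a clear-text backend redirect back onto the client's HTTPS origin."""
    req, loc = urlsplit(request_url), urlsplit(location)
    if loc.scheme != "http" or loc.hostname != req.hostname:
        return location          # off-site or already HTTPS: leave untouched
    if loc.port not in (None, 80, clear_port):
        return location          # unknown port: do not guess a mapping
    return urlunsplit(("https", req.netloc, loc.path, loc.query, loc.fragment))
```

`rewrite_location` shows the mapping a terminating device or the backend application has to apply so that the session stays on HTTPS; port 8182 is the clear-text port from the posted config.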



New Member

Hi!



It is quite an old topic, but I have just bought such a device from eBay for my personal lab and I have found out that the 11501 (without S model) is not performing SSL termination.

I am thinking that this is why you are getting that behavior.

Sad Cisco limits the termination of SSL for this SMB device.

Anyway - if you got a workaround please let me know, because I am keen to get that SSL termination without spending more money on a 11503.






Cisco Employee


Hi Silviu,

Have a look at the links below please:

You should have CSS11501S for SSL. CSS 11501 didn't have SSL.



New Member

Hi!


Thank you very much for your reply.

I know about the S model - as per my post - but unfortunately I realized this only after making the purchase.

Can you please help me with the following issue: my unit is not able to boot from FTP, even if I follow the official Cisco documentation for that version (I issue all the commands as in the manual). More than that, if I set up the Primary Boot Configuration and then want to check it, there is nothing in that field. The Secondary Boot Configuration keeps its settings, and after the Primary failure it will try the Network Booting but with Failed status - returning me to the OffDM.

I mention that I am using the OffDM because the unit I bought has no Flash Card.

Also, I am not sure how I can have a "network mounted filesystem" and at the same time use the FTP protocol; setting up an NFS server won't provide me with a Windows-style absolute path like k:/.... as per the official Cisco guide. Is that a plain FTP generically called a Network File System? "First, create these subdirectories on the FTP server, then copy the files from the boot image to the subdirectories"

Is this linked with the fact that I am using a Linux box for my FTP Server? Can you please help me to understand what the following line from the official Cisco guide means: "A network boot is not supported on UNIX workstations"


Thank you!

