I have a strange issue that is bugging the hell out of me.
We have around 5 or 6 sites that use the SSL feature of our CSS11501 that work flawlessly. The web servers the CSS forwards to are all directly connected on a subnet hanging off the CSS. I have been asked to set up a new site whereby SSL termination occurs on the internet DMZ CSS but then forwards to another CSS (in clear text) that resides in our middleware DMZ (i.e. not a directly connected network). This CSS then load balances to 2 web servers. Internally, going direct to the middleware DMZ CSS, it works fine.
I have all the service and content rules set up as for any other of our sites, except the service points to the downstream CSS rather than a directly attached web server. What I am seeing is that a user makes the initial SSL connection to the VIP address and is served up the certificate, but then the user tries to make a direct HTTP connection to the CSS defined as the service address. This is a private address so will never get there.
See the config below. I just re-arranged your clear-back service and the ssl-proxy-list as well. What I did was use the urlrewrite command to allow the HTTPS-to-HTTP transition to be a smooth one at the 2nd CSS, and used an arbitrary 10.10.10.10 IP address as the VIP for the back-end service when the SSL traffic gets decrypted into clear HTTP.
Thanks for your help. I am now seeing the traffic flow through the FW to the internal CSS. The certificate is being displayed instantaneously on the user's PC, but a blank page is being returned. Even if I change the mware-css to be one of the actual web servers, thus removing the internal CSS, a blank page is still displayed. If I access the internal CSS directly it works as expected, so I am sure the config internally is OK. I'm getting there, but it is just not 100% yet.
I presume you use a single interface for the incoming and outgoing traffic between the 1st FW and that Internet-facing CSS. If yes, on this CSS you need to allow source NAT-ing in addition to the default destination NAT-ing.
Try adding the config below to the one that I already suggested.
vip address 184.108.40.206
add destination service mware-css
Don't forget to:
1/ configure the mware FW to allow packets with source IP 220.127.116.11.
2/ add a static route on the Internet-facing CSS to reach the mware CSS server-side circuit's IP subnet.
3/ the mware CSS should have its default gateway configured pointing at the mware firewall.
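To put the pieces from the replies above together (the clear-text back-end VIP and urlrewrite from the earlier post, and the source group with "add destination service" plus the static route from this one), here is a complete Internet-facing CSS configuration for this two-CSS design. This is an added example, not the poster's or the replying engineer's config: every name, address, slot number, certificate name and hostname in it is an assumption chosen for illustration, and the syntax is the CSS 11500 WebNS form of the commands discussed in the thread.

```text
! Internet-facing CSS 11501 -- SSL terminated here, clear HTTP handed to the
! middleware-DMZ CSS. All names and addresses are assumed for this example:
!   192.0.2.10     public VIP users connect to; also used as the SNAT address
!   10.10.10.10    arbitrary internal VIP for the decrypted clear-text hop
!   172.16.50.20   VIP of the middleware CSS (reached through the mware firewall)
!   172.16.1.1     inside address of the DMZ firewall on this CSS's circuit

! SSL proxy list: decrypt on the public VIP, send clear text to 10.10.10.10:80.
! urlrewrite turns http:// redirects from the back end into https:// for the user.
ssl-proxy-list SSL-LIST
  ssl-server 1
  ssl-server 1 vip address 192.0.2.10
  ssl-server 1 rsacert SITE-CERT
  ssl-server 1 rsakey SITE-KEY
  ssl-server 1 cipher rsa-with-rc4-128-md5 10.10.10.10 80
  ssl-server 1 urlrewrite 1 www.example.com
  active

! The SSL module as a service (slot number depends on the chassis)
service SSL-ACCEL
  type ssl-accel
  slot 2
  keepalive type none
  add ssl-proxy-list SSL-LIST
  active

! Back-end service is the downstream CSS's VIP, not a directly attached server
service mware-css
  ip address 172.16.50.20
  port 80
  protocol tcp
  keepalive type tcp
  active

owner SECURE-SITE
  ! Public HTTPS rule: hands the encrypted session to the SSL module
  content SSL-RULE
    vip address 192.0.2.10
    port 443
    protocol tcp
    application ssl
    add service SSL-ACCEL
    active

  ! Clear-text rule matched by the decrypted traffic leaving the SSL module
  content CLEAR-BACK
    vip address 10.10.10.10
    port 80
    protocol tcp
    url "/*"
    add service mware-css
    active

! Source group: flows this CSS opens to mware-css leave with source address
! 192.0.2.10 instead of the circuit address, so the mware firewall sees the
! VIP and the return traffic comes back through this CSS
group SNAT-TO-MWARE
  vip address 192.0.2.10
  add destination service mware-css
  active

! Static route to the middleware CSS's subnet via the DMZ firewall
ip route 172.16.50.0 255.255.255.0 172.16.1.1 1
```

With this in place the mware firewall must permit 192.0.2.10 to 172.16.50.20 on TCP 80 (and the return path), and the middleware CSS needs its default gateway pointing at the mware firewall so replies come back the same way. On the CSS, "show group SNAT-TO-MWARE" shows whether the source group has hits and "show flows" shows the NAT-ed source address on the back-end flows; as the reply below notes, a telnet or FTP test between the two CSSs uses the circuit addresses, not the VIPs, so that test checks L3 reachability only, not the source group.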
Does the config above achieve both source and destination NAT-ing? I suspect not. I have confirmed that the mware CSS receives traffic from the internet CSS and it can respond to it. For some strange reason users are still displayed a blank page. A TCPDUMP on my firewall shows communication between the internet CSS and the mware CSS on the internet CSS's actual interface IP, but the mware CSS communicates on its VIP address. Is this expected behaviour? I would have thought it would be on the internet CSS VIP address??
The config I gave last actually should alter the default behaviour, which is dest NAT-ing. Our need at this stage is to have the packets only being source NAT-ed. My apologies if I sounded wrong earlier.
Regarding the communication between the Internet CSS and the mware CSS: the Int. CSS should use its VIP on the source group 18.104.22.168 and the mware CSS should use its VIP under the CR. If you find any deviation, just post the mware CSS config here as well.
Try doing an FTP or telnet, apart from pinging, from each CSS to the other, and make sure it works; this will tell whether the L3 connectivity is up or not. Remember that when you do the FTP/telnet the actual circuit IP address will be used and not the VIPs, as I mentioned above. You might want to open the FW gates before that.