Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

CSS11501 SSL offload help..

Hi all,

I have the attached config where basically I want to have 2 VIPs so that for port 80, it just forwards to the servers. For 443, it should offload the SSL and send it cleartext to port 7778 (for VIP 206.83.206.68) and to port 7777 (for VIP 206.83.206.69).

SSL Hand shaking starts between the browser and the SLB and seems to complete OK, but there seems to be nothing going on between the SLB and the server... I suspect my configuration is not right for the SSL offload part...

Can anyone help?

Sam

2 REPLIES
Cisco Employee

Re: CSS11501 SSL offload help..

Sam,

from your config, it looks like you use a source group to do client nat.

This group applies to your HTTP content rules.

However, you have no group for the SSL rules.

If a group is a required for HTTP traffic to guarantee that the server response comes back to the CSS, I believe a group should be necessary for SSL traffic as well.

Now, the tricky part is that you go directly from the SSL module to the server.

We usually send the decrypted traffic to another vip on the CSS and from that vip the CSS loadbalances the traffic to the server.

Client nat is usually then applied on the decrypted content rule.

So, I would suggest to apply a config as described above. You could for example replace the line :

ssl-server 30 cipher rsa-with-3des-ede-cbc-sha 206.83.206.69 7777

with

ssl-server 30 cipher rsa-with-3des-ede-cbc-sha 206.83.206.100 7777

Let me know if this works and thanks in advance for rating this answer.

Gilles.

Community Member

Re: CSS11501 SSL offload help..

Gilles,

Your answer did not solve the issue but pointed me in the right direction.

In addition to changing to a VIP on the ssl-server cipher entries, tt looks like to me that there needed to be a content rule for the 7777 and 7778 ports (not there in my original config), so it didn't know what to do with traffic back to the SLB on those ports.

I'm posting the working config for future searches if someone happens to google or search and find this.

Gilles, thanks for your help.

Sam

231
Views
4
Helpful
2
Replies
CreatePlease to create content