Cisco Support Community
New Member

facing Problem in SSL Offloading on Cisco ACE 4710.

Hi All,

I am new to ACE.

Our customer is having trouble in SSL Offloading on Cisco ACE 4710.

Also, is there any way we can configure EtherChannel on the 4710 appliance?

The configuration is attached:

===============================

crypto csr-params KOTAK-INTRANET-CSR
  country IN
  state Maharashtra
  organization-unit IT
  common-name www.XYZabc.com
  serial-number 01

access-list ALL line 8 extended permit ip any any

probe http UAT_siebel-app-kmbenu
  description UAT_siebel-app-kmbenu
  interval 10
  faildetect 5
  passdetect interval 3
  passdetect count 5
  request method get url /kmb_enu/
  expect status 200 200
  connection term forced
  open 1
probe http siebel-app
  description siebel-app
  interval 10
  faildetect 5
  passdetect interval 3
  passdetect count 5
  request method get url /siebel.html
  expect status 200 200
  connection term forced
  open 1
probe http siebel-app-kmbenu
  description siebel-app-kmbenu
  interval 10
  faildetect 5
  passdetect interval 3
  passdetect count 5
  request method get url /kmb_enu/
  expect status 200 200
  connection term forced
  open 1

rserver host Siebel_App_Server01
  description Siebel_App_Server01--10.X.3.156
  ip address 10.X.3.156
  inservice
rserver host Siebel_App_Server02
  description Siebel_App_Server02--10.X.3.157
  ip address 10.X.3.157
  inservice
rserver host UAT_Siebel_App_Server01
  description UAT_Siebel_App_Server01--10.X.56.143
  ip address 10.X.56.143
  inservice


serverfarm host Server_farm_app
  description Siebel App Server farm
  probe siebel-app
  probe siebel-app-kmbenu
  rserver Siebel_App_Server01 80
    inservice
  rserver Siebel_App_Server02 80
    inservice
serverfarm host UAT_Server_farm_app
  description UAT Siebel App Server farm
  probe UAT_siebel-app-kmbenu
  rserver UAT_Siebel_App_Server01 80
    inservice

ssl-proxy service XYZ-INTRANET-SSL
  key XYZ-INTRANET.PEM
  cert XYZ-INTRANET.crt

sticky http-cookie Siebel 2
  cookie insert browser-expire
  timeout 60
  serverfarm Server_farm_app

class-map match-any App_Server_VIP
  3 match virtual-address 10.x.3.212 tcp eq https
class-map match-any App_Server_VIP1
  2 match virtual-address 10.x.3.212 tcp eq www
class-map match-any UAT_App_Server_VIP
  3 match virtual-address 10.x.3.212 tcp eq https
class-map match-any UAT_App_Server_VIP1
  2 match virtual-address 10.x.3.212 tcp eq www
class-map type management match-any remote_access
  201 match protocol icmp any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

policy-map type loadbalance first-match App_Server_VIP-l7slb
  class class-default
    sticky-serverfarm 2
policy-map type loadbalance first-match UAT_App_Server_VIP-l7slb
  class class-default
    serverfarm UAT_Server_farm_app

policy-map multi-match UAT
  class UAT_App_Server_VIP
    loadbalance vip inservice
    loadbalance policy UAT_App_Server_VIP-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 3
    ssl-proxy server XYZ-INTRANET-SSL
policy-map multi-match int3
  class App_Server_VIP
    loadbalance vip inservice
    loadbalance policy App_Server_VIP-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 3
    ssl-proxy server XYZ-INTRANET-SSL
  class App_Server_VIP1
    loadbalance vip inservice
    loadbalance policy App_Server_VIP-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 3
    ssl-proxy server XYZ-INTRANET-SSL

interface vlan 3
  ip address 10.X.3.213 255.255.255.0
  peer ip address 10.X.3.214 255.255.255.0
  access-group input ALL
  nat-pool 1 10.X.3.212 10.X.3.212 netmask 255.255.255.255 pat
  service-policy input int3
  service-policy input remote_mgmt_allow_policy
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.X.3.252

Regards

Madhu

1 REPLY
Cisco Employee

Re: facing Problem in SSL Offloading on Cisco ACE 4710.


Hi Madhu,

From your config, you have VIP listening on port 443 and port 80. Are port 80 requests working?

You can probably remove the ssl-proxy server statement from the config below, since this class is for port 80 traffic:

policy-map multi-match int3
  class App_Server_VIP1
    loadbalance vip inservice
    loadbalance policy App_Server_VIP-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 3
    ssl-proxy server XYZ-INTRANET-SSL   <=====

You can run 'show service-policy int3 details' to check if hit counts are incrementing for HTTPS and HTTP.
Verify key and cert match by running "crypto verify


Best Regards,
Rahul
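
The check described in the reply above, as an added example (not part of the original thread and not Cisco code): a small Python lint that reads ACE class-map and policy-map text and reports any `ssl-proxy server` statement attached to a class whose VIP matches only non-TLS ports. The function names, the trimmed sample config and the rule that only `https`/`443` count as TLS ports are assumptions of this example.

```python
# Constructed sample: trimmed copy of the class-map / policy-map lines posted above.
SAMPLE = """\
class-map match-any App_Server_VIP
  3 match virtual-address 10.x.3.212 tcp eq https
class-map match-any App_Server_VIP1
  2 match virtual-address 10.x.3.212 tcp eq www
policy-map multi-match int3
  class App_Server_VIP
    loadbalance vip inservice
    ssl-proxy server XYZ-INTRANET-SSL
  class App_Server_VIP1
    ssl-proxy server XYZ-INTRANET-SSL
"""
TLS_PORTS = {"https", "443"}  # assumption: only these count as TLS listeners

def vip_ports(config):
    """Map each class-map name to the ports named in its VIP match lines."""
    ports, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["class-map"]:
            current = words[-1]
            ports[current] = set()
        elif words[:1] == ["policy-map"]:
            current = None
        elif current and "virtual-address" in words and "eq" in words[:-1]:
            ports[current].add(words[words.index("eq") + 1])
    return ports

def ssl_proxy_on_cleartext(config):
    """Return (policy, class, service) for ssl-proxy server on a non-TLS VIP class."""
    ports = vip_ports(config)
    findings, policy, cls = [], None, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["policy-map"]:
            policy, cls = (words[-1] if "multi-match" in words else None), None
        elif words[:1] == ["interface"]:
            policy = cls = None
        elif policy and words[:1] == ["class"] and len(words) > 1:
            cls = words[1]
        elif cls and words[:2] == ["ssl-proxy", "server"] and len(words) > 2:
            seen = ports.get(cls, set())
            if seen and not seen & TLS_PORTS:
                findings.append((policy, cls, words[2]))
    return findings

if __name__ == "__main__":
    print(ssl_proxy_on_cleartext(SAMPLE))
```

The parser keys on keywords rather than indentation, so it also tolerates pasted configs where a line has lost its leading spaces.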
