Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

HTTPS to HTTP exchange not working


I would like to permit the client to exchange HTTPS with CSS and CSS send HTTP traffic to the real server.

But when i type one https url in my navigator anything appear on the navigator of the client.

Can you help me please ?


Cisco Employee

Re: HTTPS to HTTP exchange not working

does it work if you use http ?

Can you get a 'show summary' before and after opening a new connection.

Also get a 'show ssl statistics'.



New Member

Re: HTTPS to HTTP exchange not working

Thanks for your reaction.

It doesn't work fine with http. I attach you the output of sh flows command in the CSS.

The sh summary increments some values.

I see incrementation of values on sh ssl statitics however when i type whhich is the address of vip i valided the certificate but i have one blank page. My web server have one web page to send.

Best regards

Cisco Employee

Re: HTTPS to HTTP exchange not working

what do you mean by it does not work fine with http?

If http does not work, there is no chance that ssl will.

Since you have one-armed scenario, are you sure your servers default gateway is the CSS ?

What you can try is enable client nat to see if that makes it work - this would prove this is a server routing table issue.

So, try:

group clientnat

vip address

add destination service




New Member

Re: HTTPS to HTTP exchange not working

The purpose of my scenario is to make ssl between client and CSS and http between Css and servers.

When i type (vip address) i have anything in my navigator, but when i type, the navigator ask me to validate certificate (normally) and after i don't have the web page of my web server. (this is my problem)

I will try the commands you send me and i will notify the evolution of my test.

Thanks once more.


New Member

Re: HTTPS to HTTP exchange not working

I add in CSS the group clientnat and i put the default gateway of my web server the address of VRRP. The works and works but i don't have trace on sh flows commands to validate my configuration.

Another issue is that i don't what that when i enter the system display the web page i just what it when i type

How to tell the system to make only HTTPS between me and CSS and HTTP betwen CSS and Wen Server ? And How to show my staff that is correctly configure ?

I join you my conf of my CSS.

Thanks in advance.


Cisco Employee

Re: HTTPS to HTTP exchange not working

what you can do is change the cleartext port to be something else like 81.

Create a new content rule for port 81 - make sure the service port is configured to be 80 so that the CSS translate back from 81 to 80.

Then for the port 80 content rule, configure a redirect service that will redirect traffic from http to https.

There are some examples on how to do this in this forum and also on our website.


Re: HTTPS to HTTP exchange not working

Hi, It looks like you are using the CSS in what is referred to as "one-armed" mode - the users and the servers are all out of the same interface of the CSS.

Gilles' question about working on HTTP is important - you may not have an SSL issue at all. My first step in setting up SSL is to get the load balancing working correctly on http before I even think about SSL.

This is not as elegant as using the CSS as a router between the users and the servers but can be made to work.

The awkward bit is the return traffic.

I will assume routers between users and the CSS/severs to explain what may be hapenning.

A packet comes in via the router, s=user,d=VIP. That hits the CSS, which does its bit, and forwards it to the server s=user, d=server. The server will receive that - normall this first one will be a tcp SYN, so if OK the server responds with a SYNACK - s=server,d=user. The server will pass that to its default gateway, which will probably be the router, so the user gets a SYNACK from an address it has not sent a syn to.

Three ways to sort this. One is to create another subnet behind the CSS and put the servers there.

Second is to create a source-group on the CSS to set NAT up so that the packet that gets sent to the server has a source address associated with the CSS so that return traffic goes via the CSS.

The third is to aim the server's default gateway at the CSS address.