Cisco Support Community

New Member

Redirection question


I want to use an ACE appliance as an SSL proxy with user certificate authentication.

Everything is configured and working fine, but I want to know if I could redirect users that don't have a certificate to a certain web page so that they would know why they can't access internal resources and know how to fix it.


Cisco Employee

Re: Redirection question

Scimitar1/Admin(config-parammap-ssl)# authentication-failure redirect ?
  any                         Any authentication failure
  cert-expired                Certificate expired
  cert-has-signature-failure  Certificate failed signature verification
  cert-not-yet-valid          Certificate not yet valid
  cert-other-error            Miscellaneous certificate error
  cert-revoked                Certificate revoked
  crl-has-expired             CRL has expired
  crl-not-available           No CRL available
  no-client-cert              No client certificate presented
  unknown-issuer              Unknown issuer

Configure the command above under your ssl parameter-map.


New Member

Re: Redirection question

Thanks man, but I only have 1 option after authentication-failure and it's "ignore". I don't have all of the options you stated above.

I am using ver A3(2.6).

Cisco Employee

Re: Redirection question

New Member

Re: Redirection question

So I upgraded to that version and sure enough the commands are available.

The redirection works excellent!!

I have a question: is there a way to download the CRL manually? I don't want to reconfigure the CRL under the ssl-proxy each time I need to download a new published CRL.

Basically what I am asking is: is there a way to make the ACE download the CRL more frequently and not be dependent on the CA server's publish interval? It seems kind of strange that I have to delete my CRL configuration and paste it back in to "make" the ACE download a new CRL.


I have attached a screenshot from my configuration in order to ask for a clarification.

In the picture you see that I have 3 certificates (besides the default):

one that I downloaded from the CA server and that's its own certificate

second is an identity certificate that the CA signed for a web site ( (using a CSR with "my-key")

third is another identity cert for (using a CSR with "my-key")

I don't understand why it says "False" under the CA certificate? The key matches the certificate and everything works fine.

Is it because this is the ACE identity certificate and not an actual CA certificate (self-signed or delegated)?
