
SSL on IE over Windows Vista !!!

hassan_oudeh
Level 1

Guys, please help...

I have 2 servers sitting behind a CSS 11503 working as a load balancer, and it has an SSL module...

All HTTPS requests coming from Windows XP with IE version 6 or 7 are working fine, but when I try from Vista IE it's not working.

Is this problem related to the CSS, or is it something else on Vista IE?

Thanks in advance

6 Replies

Gregory Scarlett
Cisco Employee

Probably best to get a capture. I had a case on this a while ago, but we couldn't ever get to the bottom of it and replicate the issue in the lab.

Could you please post the relevant portion of the SSL-Proxy-List, Services and Content Rule?

From the Vista PC, could you please get the output of "ver" from the command line so I can check the version?

We have a Vista PC in the lab, but haven't been able to replicate this issue.

Thanks for your reply,

So what do you suspect in your case or my case?

This is the SSL proxy list:

    !*********************** SSL PROXY LIST ***********************
    ssl-proxy-list Proxy_list1
      ssl-server 20
      ssl-server 20 rsacert CERT_SSL_NEW
      ssl-server 20 rsakey css2rsakey
      ssl-server 20 cipher rsa-export-with-rc4-40-md5 192.168.10.55 80 weight 5
      ssl-server 20 vip address 192.168.10.55
      ssl-server 20 urlrewrite 22 xxx.yyy.com
      active
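
The proxy list posted above accepts a single cipher suite, and by its name that suite is a 40-bit export suite; an SSL handshake cannot complete when the client offers none of the suites the server accepts. As an added example (not part of the thread and not Cisco code), this Python check parses the posted list, flags suites that are export, anonymous or null by name, and tests whether a client offer shares any suite with it. The client offer, the `to_tls_name` mapping and the function names are assumptions.

```python
import re

# The ssl-proxy-list from the post above, copied as posted.
PROXY_LIST = """\
ssl-proxy-list Proxy_list1
  ssl-server 20
  ssl-server 20 rsacert CERT_SSL_NEW
  ssl-server 20 rsakey css2rsakey
  ssl-server 20 cipher rsa-export-with-rc4-40-md5 192.168.10.55 80 weight 5
  ssl-server 20 vip address 192.168.10.55
  ssl-server 20 urlrewrite 22 xxx.yyy.com
  active
"""

# Constructed client offer (assumption): a browser with export suites disabled.
CLIENT_OFFER = {
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

CIPHER_LINE = re.compile(r"^\s*ssl-server\s+(\d+)\s+cipher\s+(\S+)", re.M)
WEAK_MARKERS = ("export", "anon", "null")  # judged from the suite name only


def to_tls_name(css_name):
    """Assumed mapping: the CSS keyword is the TLS suite name, lower-cased and hyphenated."""
    return "TLS_" + css_name.upper().replace("-", "_")


def audit(config, client_offer):
    """Per ssl-server: configured suites, weak ones, and those the client also offers."""
    servers = {}
    for number, cipher in CIPHER_LINE.findall(config):
        servers.setdefault(number, []).append(cipher)
    report = {}
    for number, ciphers in servers.items():
        weak = [c for c in ciphers if any(m in c for m in WEAK_MARKERS)]
        shared = [c for c in ciphers if to_tls_name(c) in client_offer]
        report[number] = {
            "ciphers": ciphers,
            "weak": weak,
            "only_weak": weak == ciphers,
            "shared_with_client": shared,  # empty list: no suite in common
        }
    return report


if __name__ == "__main__":
    for number, result in audit(PROXY_LIST, CLIENT_OFFER).items():
        print(f"ssl-server {number}: {result}")
```

To test a specific client, replace `CLIENT_OFFER` with the suites listed in the ClientHello of a capture taken from that client.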

Thanks Hassan.

That is a very basic SSL config, with no tweaks at all, so it seems very odd.

The previous case we had on this ended up being a Firewall issue, as captures taken on the CSS itself showed packets leaving the CSS, but not being received by the Client.

I'd suggest raising a TAC case to get to the bottom of it so that it can be tracked better and a bug raised if it does look like the CSS.

Essentially, what needs to be done is a capture taken on the CSS by spanning a port (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.50/configuration/routing/guide/Intface.html#wp1099686) and on the client simultaneously, and then tracking down the point of failure.

In the previous case, what we found was that the CSS was sending back the SYN/ACK, but it wasn't being received by the Client. From memory it was being dropped somewhere upstream, and we suspected the firewall, but never fully got to the root cause of it.

If you raise a TAC case during the Australian shift (10am - 4pm Sydney Time or 00:00 - 06:00 GMT), I'll be happy to take a look in more detail and try to replicate in the lab again.

Thanks.

As you said, "SSL config is very basic". Can you please give me an example of the best config that I can configure or tweak for my case, or a document guide?

And as I understood from what you are saying, it might be a firewall problem as well!

In case of opening a case with a TAC engineer, should I assign the case to the CSS team or the Firewall team?

Thanks,

Hi Hassan,

There are a number of buffer tweaks and other options you can do with SSL.

The default values are quite good and designed with HTTP traffic in mind, but you can often get better response rates and throughput by tweaking some of this depending on your application.

Have a look at the following URL for a description and some examples:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.50/configuration/ssl/guide/terminat.html#wp1040098

Regarding a TAC case, open it with the CSS as the product and we can then get captures and determine the best way to go forward.

Hi Guy,

Did you open the case? I have the same problem with a Vista client, and I had a look at the bugs but found nothing special.

My release is: SW Version: 08.20.1.01

Thanks a lot

Ira
