Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

SSL Problems

I have having issues using SSL termination.  When I configure regular http all works fine, but when I switch to SSL termination I see resets in the packet capture (capture run on the client machine).  I ran the crypto verify command to confirm the key and the cert match which they did.

Any ideas ?

Thanks

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

boot system image:c4710ace-mz.A3_2_4.bin

hostname MYLOADBALANCER
interface gigabitEthernet 1/1
  description LB INSIDE
  switchport access vlan 1000
  no shutdown
interface gigabitEthernet 1/2
  switchport access vlan 3126
  no shutdown
interface gigabitEthernet 1/3
  shutdown
interface gigabitEthernet 1/4
  ft-port vlan 100
  no shutdown


crypto csr-params mycompany
  country US
  state NJ
  organization-name myorganization
  organization-unit Information Services
  common-name *.mydomain.org

access-list ALL line 8 extended permit ip any any

parameter-map type ssl mydomain.org
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_EXPORT1024_WITH_RC4_56_MD5
  cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
  cipher RSA_EXPORT1024_WITH_RC4_56_SHA

rserver host mywebserver
  ip address 192.168.48.78
  inservice


serverfarm host test_servers
  rserver mywebserver
    inservice

ssl-proxy service mydomain.org
  key mydomain
  cert STAR.mydomain.ORG.crt
  ssl advanced-options mydomain.org

class-map type management match-any remote_access
  201 match protocol xml-https any
  202 match protocol icmp any
  203 match protocol telnet any
  204 match protocol ssh any
  205 match protocol http any
  206 match protocol https any
  207 match protocol snmp any
class-map match-all test.mydomain.org
  2 match virtual-address 1.1.1.3 tcp eq https

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

policy-map type loadbalance first-match test.mydomain.org-l7slb
  class class-default
    serverfarm test_servers

policy-map multi-match int1000-n2
  class test.mydomain.org
    loadbalance vip inservice
    loadbalance policy test.mydomain.org-l7slb
    ssl-proxy server mydomain.org

interface vlan 1000
  description inside interface
  ip address 2.2.2.2 255.255.255.0
  peer ip address 2.2.2.3 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input int1000-n2
  no shutdown
interface vlan 3126
  description "outside interface"
  ip address 1.1.1.1 255.255.255.0
  peer ip address 1.1.1.2 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input int1000-n2
  no shutdown

ft interface vlan 100
  ip address 192.168.5.106 255.255.255.252
  peer ip address 192.168.5.105 255.255.255.252
  no shutdown

ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 100
  query-interface vlan 1000
ft group 1
  peer 1
  associate-context Admin
  inservice

ip route 0.0.0.0 0.0.0.0 1.1.1.5

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: SSL Problems

Hi There,

The problem is that you need to specify the clear text port that your backend server is using otherwise the ACE will try to forward the decrypted traffic on port 443.

Try this out:

serverfarm host test_servers

  rserver mywebserver 80

    inservice

Hope this helps.

__ __

Pablo

Cisco TAC

3 REPLIES
Cisco Employee

Re: SSL Problems

Hi There,

The problem is that you need to specify the clear text port that your backend server is using otherwise the ACE will try to forward the decrypted traffic on port 443.

Try this out:

serverfarm host test_servers

  rserver mywebserver 80

    inservice

Hope this helps.

__ __

Pablo

Cisco TAC

Community Member

Re: SSL Problems

Is there a way to set an SSL redirection so that requests sent to https://mydomain.com

get redirected to https://mydomain.com/folder1

Cisco Employee

Re: SSL Problems

Hi,

Sure you need to do L7 LB decision, something like this:

rserver redirect Redirect
webhost-redirection https://mydomain.com/folder1 301
inservice

serverfarm redirect Redirect
rserver Redirect
inservice

class-map type http loadbalance match-any Folder
  2 match http url /folder1

policy-map type loadbalance first-match test.mydomain.org-l7slb

   class Folder

    serverfarm test_servers

   class class-default

    serverfarm Redirect

HTH

__ __

Pablo

Cisco TAC

449
Views
10
Helpful
3
Replies
CreatePlease to create content