
SSL Stateful fail-over...some new development

I know this has been talked about much on this forum. But this is a bit different this time.

We know historically an SSL session cannot be statefully failed over to a CSS or to any device, for that matter.

Technically not completely true, as there was an unhealthy way of doing this, just by duplicating the rsa/cert pair of one CSS to any number of devices you like, but it was a bit unethical, plus a few security-related issues might arise in future, like what if a duplicated cert is compromised at one place.

However, Verisign has now(?) started issuing SSL certs meant for multiple installations, meaning you can actually/legally duplicate the same rsa key & cert pair across to a failover CSS within a site. This move has opened the door to statefully failing over SSL sessions.

I am wondering what Cisco's view on this technical possibility is.



Re: SSL Stateful fail-over...some new development

To copy SSL certs and keys, export the certs and keys off, then import them to the second CSS. This can be done by the commands copy ssl ftp your-ftp-record export yourcert.pem "password" and copy ssl ftp your-ftp-record import yourcert.pem "password".

Cisco Employee

Re: SSL Stateful fail-over...some new development

Your understanding is slightly wrong.

You CAN currently replicate the cert/key to the standby CSS. This is legal. This is not a security issue.

This has to be done manually, though.

From an external user point of view, the 2 CSS form a single unit anyway. This is why it is ok to use the same cert on both.

However, that does not mean that failover is stateful. It just guarantees that upon failover, the new active CSS can accept NEW SSL connections. But the active connections will be dropped because the CSS does not have a mechanism to continue an encrypted session in the middle.

This is because an SSL session starts by negotiating a shared key and other parameters that the standby is not aware of.

So, your new Verisign cert does not apply to this case.
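
To make the point in the answer above concrete, here is an added example (not from the original thread or from Cisco) that models a TLS 1.2 RSA key exchange with the real RFC 5246 PRF: two CSS nodes hold the same replicated cert/key, but only the node that actually performed the handshake has the per-connection master secret, so the standby cannot verify a record from the existing session. The `CssNode` class, connection ids and sample randoms are constructed for the demo.

```python
import hashlib
import hmac
import os

# Model of TLS 1.2 (RFC 5246 sections 5 and 8.1): the master secret comes from a
# per-connection premaster secret plus both handshake randoms, not from the
# long-term RSA key pair on its own.


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)


def derive_master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    return tls12_prf(premaster, b"master secret", client_random + server_random, 48)


class CssNode:
    """Constructed model of one CSS; the replicated key pair is represented by an id only."""

    def __init__(self, key_id: str):
        self.key_id = key_id
        self.sessions = {}  # conn_id -> master secret, filled only by a handshake seen locally

    def handshake(self, conn_id, client_random, server_random, premaster):
        # The active CSS decrypted the premaster with the private key during its own handshake.
        self.sessions[conn_id] = derive_master_secret(premaster, client_random, server_random)

    def verify_record(self, conn_id, payload, tag):
        ms = self.sessions.get(conn_id)
        if ms is None:
            return None  # no session state replicated: only a NEW handshake can proceed
        return hmac.compare_digest(hmac.new(ms, payload, hashlib.sha256).digest(), tag)


def failover_demo(payload: bytes = b"GET / HTTP/1.1"):
    """Returns (active verdict, standby verdict) for one record of an existing session."""
    active, standby = CssNode("site-key-1"), CssNode("site-key-1")  # same cert/key on both
    cr, sr, pms = os.urandom(32), os.urandom(32), b"\x03\x03" + os.urandom(46)
    active.handshake("conn-1", cr, sr, pms)
    tag = hmac.new(active.sessions["conn-1"], payload, hashlib.sha256).digest()
    return active.verify_record("conn-1", payload, tag), standby.verify_record("conn-1", payload, tag)
```

Running `failover_demo()` gives `(True, None)`: the standby has the key pair but no master secret for the connection, which is exactly why the new active CSS can only accept fresh handshakes.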



Re: SSL Stateful fail-over...some new development


Thanks. Understood that it wouldn't be a stateful failover; however, will the user notice any session drop-out/hanging, because browsers have the capability to renegotiate a new SSL session 'seamlessly'?


Cisco Employee

Re: SSL Stateful fail-over...some new development

I believe the user will see that there was an issue. His connection will seem to hang or the browser will display an error message if it receives a RESET from the new active CSS.

