New Member

SSL Termination in ACE 4710 not working

Hi,

I have configured a new ACE 4710 with only a single context to redirect https traffic to http real servers using SSL Termination. When I do a telnet on port 443 or 80 to the VIP it works fine, but when I try to open the URL it prompts me to accept the certificate, then it tries to find and establish a connection to the URL but eventually dies out, giving a "Page cannot be displayed" error. I have done some troubleshooting and found that the connection to the VIP on port 443 is Established but the out connection from the real server to the client remains in the INIT state. I am attaching the configs and all the troubleshooting data I have collected. Please, someone help.

6 REPLIES
Cisco Employee

Re: SSL Termination in ACE 4710 not working

Seems like the server default gateway is not the ACE and the response never gets to us.

Try to configure client nat.

Or change the server gateway.

One command to capture is 'show service-policy detail'.

See if the counter "server pkt count" increments.

If not, it will confirm the problem described above.

Gilles.

New Member

Re: SSL Termination in ACE 4710 not working

Yes, the "server pkt count" for the "class: VIP_HTTPD_Redirect" is not incrementing, and yes, the servers do not have the default gateway towards the ACE. I need to configure the Client NAT; can you please suggest how to do it? I am confused by the many documents available on the internet. Please help.

New Member

Re: SSL Termination in ACE 4710 not working

Yes, the "server pkt count" for the "class: VIP_HTTPD_Redirect" is not incrementing, and yes, the servers do not have the default gateway towards the ACE. So, as suggested, I have configured a default route in the servers towards the ACE interface vlan ip address. Still the server packet count is not incrementing. I am posting the updated configuration of the ACE as an attachment. Please help.

Cisco Employee

Re: SSL Termination in ACE 4710 not working

If the traffic is not getting back to ACE, it won't work.

And the counter does indicate the traffic is not coming back.

You might have a problem on your server.

Get a sniffer trace to see where the packet is going.

Or configure a nat-pool on the server vlan and nat all traffic hitting the vip.

Gilles.
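
What the source NAT suggested above looks like in ACE configuration, as an added sketch that is not part of the original posts or the attached configs: the class name, VLAN 10 and 10.190.11.61 come from the thread, while the policy-map name, NAT pool id, pool address and netmask are placeholders. Lines starting with `!` are annotations, not commands.

```cisco
! Server-side VLAN. VLAN 10 and its address are from the thread;
! the mask is a placeholder for whatever the interface already uses.
interface vlan 10
  ip address 10.190.11.61 <SERVER_VLAN_MASK>
  ! Pool 1: one spare address in the server subnet (placeholder),
  ! with PAT so that many client connections can share it.
  nat-pool 1 <NAT_POOL_IP> <NAT_POOL_IP> netmask <SERVER_VLAN_MASK> pat
  no shutdown

! Multi-match policy applied on the client-facing interface
! (the policy-map name is a placeholder).
policy-map multi-match <CLIENT_POLICY>
  class VIP_HTTPD_Redirect
    ! The existing loadbalance and ssl-proxy lines stay as they are.
    ! Rewrite the client source address to pool 1 when the
    ! connection leaves the ACE on VLAN 10.
    nat dynamic 1 vlan 10
```

With this in place the real servers reply to the pool address on their own subnet, so the return path no longer depends on their default gateway, and "server pkt count" in 'show service-policy detail' should start to increment.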

New Member

Re: SSL Termination in ACE 4710 not working

I have configured the server nat as you suggested. Can you please verify the attached configuration? Still it doesn't work. In the server I have pointed the default route towards the server vlan 10 ip 10.190.11.61 and I have also checked that it's pinging from the real servers to the vlan 10 interface ip address.

Please help.

New Member

Re: SSL Termination in ACE 4710 not working

Thanks, it worked; there was an issue with the back-end JBOSS server. SSL termination is working fine.
