https://community.cisco.com/t5/application-networking/ace-and-ssl-termination/m-p/1277250#M26604 <HTML><HEAD></HEAD><BODY><P>Thanks Cathy - I need to modify the VIP ACL to accept 443 and I need to add 443 to the rservers as well correct ? Thanks again.</P></BODY></HTML> Mon, 10 Aug 2009 12:44:09 GMT coldeneqt 2009-08-10T12:44:09Z https://community.cisco.com/t5/application-networking/ace-and-ssl-termination/m-p/1277248#M26602 <P>Hi - Can the ACE pass SSL requests to a VIP and the real servers without the need to configure the ACE for SSL termination and initiation to teh backend servers ? Thank you.</P><P> </P><P></P><P></P> Mon, 10 Aug 2009 00:10:54 GMT https://community.cisco.com/t5/application-networking/ace-and-ssl-termination/m-p/1277248#M26602 coldeneqt 2009-08-10T00:10:54Z https://community.cisco.com/t5/application-networking/ace-and-ssl-termination/m-p/1277249#M26603 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Yes - you only need to terminate/reinitiate if you need to inspect or modify the underlying information in the SSL encapsulation. If you define the VIP to take SSL then it will be treated like any other TCP traffic.</P><P></P><P>HTH</P><P></P><P>Cathy</P></BODY></HTML> Mon, 10 Aug 2009 05:56:18 GMT https://community.cisco.com/t5/application-networking/ace-and-ssl-termination/m-p/1277249#M26603 ciscocsoc 2009-08-10T05:56:18Z https://community.cisco.com/t5/application-networking/ace-and-ssl-termination/m-p/1277250#M26604 <HTML><HEAD></HEAD><BODY><P>Thanks Cathy - I need to modify the VIP ACL to accept 443 and I need to add 443 to the rservers as well correct ? Thanks again.</P></BODY></HTML> Mon, 10 Aug 2009 12:44:09 GMT https://community.cisco.com/t5/application-networking/ace-and-ssl-termination/m-p/1277250#M26604 coldeneqt 2009-08-10T12:44:09Z https://community.cisco.com/t5/application-networking/ace-and-ssl-termination/m-p/1277251#M26605 <HTML><HEAD></HEAD><BODY><P>Thanks Cathy - I added the following config but I still can not connect via https:</P><P></P><P>class-map match-all VIP</P><P> 2 match virtual-address 10.1.1.1 tcp</P><P>eq https</P><P></P><P>serverfarm host SF</P><P> failaction purge</P><P> probe 443_PROBE</P><P> rserver SPWEBPRD1 443</P><P> inservice</P><P> rserver SPWEBPRD2 443</P><P> inservice</P><P></P><P></P></BODY></HTML> Mon, 10 Aug 2009 13:07:26 GMT https://community.cisco.com/t5/application-networking/ace-and-ssl-termination/m-p/1277251#M26605 coldeneqt 2009-08-10T13:07:26Z https://community.cisco.com/t5/application-networking/ace-and-ssl-termination/m-p/1277252#M26606 <HTML><HEAD></HEAD><BODY><P>make sure there is no more generic class-map listed before this one in your multimatch policy.</P><P></P><P>Make the policy is on the correct interface.</P><P></P><P>Make sure serverfarm shows rservers alive.</P><P></P><P>Get a 'show service-policy detail' and check if you have any hit on the appropriate class-map.</P><P></P><P>Gilles.</P></BODY></HTML> Mon, 10 Aug 2009 13:14:03 GMT https://community.cisco.com/t5/application-networking/ace-and-ssl-termination/m-p/1277252#M26606 Gilles Dufour 2009-08-10T13:14:03Z https://community.cisco.com/t5/application-networking/ace-and-ssl-termination/m-p/1277253#M26607 <HTML><HEAD></HEAD><BODY><P>Thank you - I got it to work by removing port 443 from the rservers in server farm config mode.</P><P></P><P>Also - Since all the traffic is sourced from the same ip address, will http cookie insert work in the https environment ? Thanks again.</P></BODY></HTML> Mon, 10 Aug 2009 14:34:37 GMT https://community.cisco.com/t5/application-networking/ace-and-ssl-termination/m-p/1277253#M26607 coldeneqt 2009-08-10T14:34:37Z https://community.cisco.com/t5/application-networking/ace-and-ssl-termination/m-p/1277254#M26608 <HTML><HEAD></HEAD><BODY><P> I did not think that you needed to specify the ports in the reserver of the server-farm, if you have already specified the same port in the class-map.</P><P></P><P> In my case; I have traffic coming in the class-map in port 80 and I would have to redirect it to port 8109. I would than add port 8109 in the reservers in the server-farm.</P><P></P><P> If things are working for you, then my argument is a mute one.</P><P></P><P>John...</P></BODY></HTML> Mon, 10 Aug 2009 16:56:18 GMT https://community.cisco.com/t5/application-networking/ace-and-ssl-termination/m-p/1277254#M26608 jteixido 2009-08-10T16:56:18Z https://community.cisco.com/t5/application-networking/ace-and-ssl-termination/m-p/1277255#M26609 <HTML><HEAD></HEAD><BODY><P>That sounds about right. I appreciate it. </P></BODY></HTML> Mon, 10 Aug 2009 17:05:50 GMT https://community.cisco.com/t5/application-networking/ace-and-ssl-termination/m-p/1277255#M26609 coldeneqt 2009-08-10T17:05:50Z