topic Re: Problem with SSL module in Application Networking https://community.cisco.com/t5/application-networking/problem-with-ssl-module/m-p/440158#M8073 <HTML><HEAD></HEAD><BODY><P>Looks like the status of your ssl serverfarm is "FAILED".</P><P>So that is the first thing to look for.</P><P></P><P>I would remove the keyword 'local' from the real definition.</P><P>FAILED actually means the CSM does not even have an arp entry for the SSL address.</P><P></P><P>So I would verify connectivity by issuing ping from the CSM to the SSLM.</P><P>You could try to configure the MSFC in vlan 130 as well just to see if you can ping from MSFC to CSM or MSFC to SSLM.</P><P></P><P>Regards,</P><P></P><P>Gilles.</P></BODY></HTML> Thu, 17 Nov 2005 15:45:57 GMT Gilles Dufour 2005-11-17T15:45:57Z Problem with SSL module https://community.cisco.com/t5/application-networking/problem-with-ssl-module/m-p/440157#M8072 <P>I've got 6509 with SSL, CSM inside. I'm having problem with creating connectin to VIP on 443 port pointing to SSL module. My configuration is based on "Catalyst 6500 Series Switch Content Switching Module with SSL Installation and Configuration" document , Appendix B; B-7; CSM-S Configuration Example (Router Mode, Server NAT). It's seems to be simple but it's not working. Could anybody take a look at these excerpt from config.</P><P></P><P>VLAN to outside is 200; to SSL 150 (admin), 130 traffic; to clients 120.</P><P></P><P>ssl-proxy module 4 allowed-vlan 120,130,150</P><P></P><P> vlan 200 client</P><P> description Traffic from clients.</P><P> ip address X.23.48.5 255.255.255.0 alt X.23.48.6 255.255.255.0</P><P> gateway X.23.48.10</P><P> alias X.23.48.4 255.255.255.0</P><P></P><P> vlan 120 server</P><P> description Server traffic</P><P> ip address 192.168.200.2 255.255.255.0 alt 192.168.200.3 255.255.255.0</P><P> alias 192.168.200.1 255.255.255.0</P><P>!</P><P> vlan 130 server</P><P> description SSL-DC traffic</P><P> ip address 172.16.0.21 255.255.255.0 alt 172.16.0.31 255.255.255.0</P><P> alias 172.16.0.1 255.255.255.0</P><P></P><P> serverfarm SSL-TEST</P><P> nat server</P><P> no nat client</P><P> real 172.16.0.182 local</P><P> inservice</P><P></P><P> serverfarm WWW-TEST</P><P> nat server</P><P> no nat client</P><P> real 192.168.200.110</P><P> inservice</P><P></P><P> vserver SSL-VIP-TEST</P><P> virtual X.23.48.110 tcp https</P><P> serverfarm SSL-TEST</P><P> persistent rebalance</P><P> inservice</P><P></P><P> vserver WWW-VIP-TEST</P><P> virtual X.23.48.110 tcp www</P><P> serverfarm WWW-TEST</P><P> persistent rebalance</P><P> inservice</P><P></P><P>interface Vlan150</P><P> description Polaczenie do SSL akceleratora</P><P> ip address 10.10.10.11 255.255.255.0</P><P>!</P><P>interface Vlan200</P><P> description VLAN do FWSM</P><P> ip address X.23.48.9 255.255.255.0</P><P> standby 1 ip X.23.48.10</P><P></P><P>and on SSL module:</P><P>ssl-proxy service SSL-TEST</P><P> virtual ipaddr 172.16.0.182 protocol tcp port 443 secondary</P><P> server ipaddr X.23.48.110 protocol tcp port 80</P><P> certificate rsa general-purpose trustpoint ssl.allegro.pl</P><P> inservice</P><P>ssl-proxy vlan 150</P><P> ipaddr 10.10.10.2 255.255.255.0</P><P> gateway 10.10.10.11</P><P> admin</P><P>ssl-proxy vlan 130</P><P> ipaddr 172.16.0.2 255.255.255.0</P><P> gateway 172.16.0.1</P><P> route X.23.48.0 255.255.255.0 gateway 172.16.0.1</P><P></P><P>I can connect to real for WWW traffic but can't for SSL traffic.</P><P>192.168.200.110 WWW-TEST 8 OPERATIONAL 0</P><P>172.16.0.182 SSL-TEST 8 FAILED 0</P><P></P><P>any hint? Can't figure it out:(</P><P></P><P>tia</P> Thu, 17 Nov 2005 08:29:01 GMT https://community.cisco.com/t5/application-networking/problem-with-ssl-module/m-p/440157#M8072 marcin.mazurek 2005-11-17T08:29:01Z Re: Problem with SSL module https://community.cisco.com/t5/application-networking/problem-with-ssl-module/m-p/440158#M8073 <HTML><HEAD></HEAD><BODY><P>Looks like the status of your ssl serverfarm is "FAILED".</P><P>So that is the first thing to look for.</P><P></P><P>I would remove the keyword 'local' from the real definition.</P><P>FAILED actually means the CSM does not even have an arp entry for the SSL address.</P><P></P><P>So I would verify connectivity by issuing ping from the CSM to the SSLM.</P><P>You could try to configure the MSFC in vlan 130 as well just to see if you can ping from MSFC to CSM or MSFC to SSLM.</P><P></P><P>Regards,</P><P></P><P>Gilles.</P></BODY></HTML> Thu, 17 Nov 2005 15:45:57 GMT https://community.cisco.com/t5/application-networking/problem-with-ssl-module/m-p/440158#M8073 Gilles Dufour 2005-11-17T15:45:57Z