Beginning with CSM and SSL daughter card.

andrea.meconi
Level 2

Hello everyone.

I'm using a CSM with SSL daughter card on a native 6513. The module is configured in bridge mode and works fine with a Google appliances farm.

For testing purposes, I want to introduce the SSL proxy. After the initial setup, I configure a new vlan for CSM-SSL communications.

I have defined an ssl-proxy service and the virtual servers: all are UP and OPERATIONAL.

ssl-core11#sh ssl-proxy service
Proxy Service Name    Admin    Operation
                      status   status
SSL-GOOGLE-FARM       up       up
ssl-core11#

When I try to connect from the client I can see the connection.

sw-core11#sh mod csm 2 conns vserver GOOGLE-HTTPS
    prot vlan source                 destination          state
    ----------------------------------------------------------------------
In  TCP  500  192.168.150.254:20808  192.168.150.83:443   ESTAB
Out TCP  4095 10.4.60.100:443        10.4.60.50:8204      ESTAB
sw-core11#

But IE cannot display the page.

Please help, I believe it is some NAT issue!

Thanks.

14 Replies

Gilles Dufour
Cisco Employee

Do you see a connection to the clear text vip after the SSL session?

Could you get a sniffer trace to see if the SSL handshake completes and if a connection is opened with the backend server?

Gilles.

Thanks Gilles.

No, I don't see a connection to the clear vip. I believe I'm not able to sniff!

Gilles,

many thanks for your help.

Sniffing from a web browser I can see only the SYN packets, but all works fine for the HTTP request.

The firewall uses a PAT (192.168.150.254) for all Intranet clients.

sw-core11#sh mod csm 2 conns vse GOOGLE-HTTPS
    prot vlan source                 destination          state
    ----------------------------------------------------------------------
In  TCP  500  192.168.150.254:50366  192.168.150.83:443   ESTAB
Out TCP  4095 10.4.60.100:443        10.4.60.50:8214      ESTAB
sw-core11#

Any ideas?

Thanks.

Andrea

You see only the SYN packets when opening the port 443 connection?

Is that correct?

It means the SSL daughter card is either not receiving the SYN or responding to it in the wrong direction.

Could you check on the daughter card

ssl-proxy#show ssl-proxy stats

before and after a connection attempt, and see which counters increment.

G.

Hi Gilles and many thanks for your help.

Yes Gilles!

I see the SYN packet from my browser. The packet reaches CSM on vlan 500 with source IP 192.168.150.254.

sw-core11#sh mod csm 2 conns vse GOOGLE-HTTPS
    prot vlan source                 destination          state
    ----------------------------------------------------------------------
In  TCP  500  192.168.150.254:50366  192.168.150.83:443   ESTAB
Out TCP  4095 10.4.60.100:443        10.4.60.50:8214      ESTAB
sw-core11#

CSM sends out on vlan 4095! Why not 298? Maybe the source and destination IP addresses should be swapped!?

Attached you can find the statistics.

SSL card is not receiving.

Andrea.

Some notes from the configuration guide...

If you execute the command show module csm x conn, the output shows an entry for VLAN 4095. You can ignore this VLAN, which the system creates for communication between the CSM and the SSL daughter card.

...

The SSL software supports only the normal-range VLANs (2 through 1005). You must limit the SSL daughter card configuration to the normal-range VLANs. Note that VLAN 4095 is automatically created for system communication between the CSM and the SSL daughter card. You can ignore this VLAN.

Do you have a vlan 298 on the CSM?

Can you ping 10.4.60.4 from the CSM? From the gateway?

Can you ping the gateway from the daughter card?

The daughter card does not show any SSL connection attempts. But it shows drops due to VLAN id.

G.

Hi Gilles.

Yes, there is a vlan 298 on CSM.

vlan 298 server
  description SSL-DC-COMM
  ip address 10.4.60.1 255.255.255.0 alt 10.4.60.2 255.255.255.0
  alias 10.4.60.3 255.255.255.0

I can ping from CSM...

sw-core11#ping module contentSwitchingModule 2 10.4.60.4
IP address    Reachable
--------------------------
10.4.60.4     Yes
sw-core11#

and, from SSL DC, I can ping the gateway (CSM alias IP address)

ssl-core11#ping 10.4.60.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.60.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ssl-core11#

I'm using the vlan 298 for private communications between CSM and SSL card.

A.

I'm updating my post about a simple SSL proxy configuration, ending with a VLAN id mismatch.

After one attempt...

ssl-core11#show ssl-proxy stats
TCP Statistics:
    Conns initiated     : 0          Conns accepted      : 0
    Conns established   : 0          Conns dropped       : 0
    Conns Allocated     : 0          Conns Deallocated   : 0
    Conns closed        : 0          SYN timeouts        : 0
    Idle timeouts       : 0          Total pkts sent     : 0
    Data packets sent   : 0          Data bytes sent     : 0
    Total Pkts rcvd     : 0          Pkts rcvd in seq    : 0
    Bytes rcvd in seq   : 0
SSL Statistics:
    conns attempted     : 0          conns completed     : 0
    full handshakes     : 0          resumed handshakes  : 0
    active conns        : 0          active sessions     : 0
    renegs attempted    : 0          conns in reneg      : 0
    handshake failures  : 0          data failures       : 0
    fatal alerts rcvd   : 0          fatal alerts sent   : 0
    no-cipher alerts    : 0          ver mismatch alerts : 0
    no-compress alerts  : 0          bad macs received   : 0
    pad errors          : 0          session fails       : 0
Invalid Queue Event.
FDU Statistics:
    IP Frag Drops       : 0          IP Version Drops    : 0
    IP Addr Discards    : 0          Serv_Id Drops       : 14
    Conn Id Drops       : 0          Bound Conn Drops    : 0
    Vlan Id Drops       : 90         TCP Checksum Drops  : 0
    Hash Full Drops     : 0          Hash Alloc Fails    : 0
    Flow Creates        : 0          Flow Deletes        : 0
    Conn Id allocs      : 0          Conn Id deallocs    : 0
    Tagged Pkts Drops   : 0          Non-Tagg Pkts Drops : 0
    Add ipcs            : 14         Delete ipcs         : 0
    Disable ipcs        : 13         Enable ipcs         : 0
    Unsolicited ipcs    : 289489     Duplicate Add ipcs  : 3
    IOS Broadcast Pkts  : 117124167  IOS Unicast Pkts    : 9305747
    IOS Multicast Pkts  : 240761     IOS Total Pkts      : 126670675
    IOS Congest Drops   : 0          SYN Discards        : 0
    TCP 5-tuple reuse   : 0
ssl-core11#

Many thanks for your help.

Regards.

Andrea
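An added example, not code from the thread or from Cisco: a small Python script that parses the two-counters-per-line layout of "show ssl-proxy stats" as posted above, diffs a "before" and an "after" snapshot the way Gilles asked for, and classifies the attempt. The snapshots are constructed and abbreviated; the classification rules are a heuristic that encodes the thread's own reading (no "conns attempted" but "Vlan Id Drops" moving points at a VLAN id mismatch).

```python
import re
from typing import Dict

# Layout of "show ssl-proxy stats": two "name : value" counters per line, grouped
# under "TCP Statistics:", "SSL Statistics:" and "FDU Statistics:" headers.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9_\- ]*?)\s*:\s*(\d+)")
SECTION_RE = re.compile(r"^\s*(\w+) Statistics:\s*$")

def parse_ssl_proxy_stats(text: str) -> Dict[str, int]:
    """Map 'SECTION/Counter name' -> value for every counter in one snapshot."""
    counters, section = {}, "GLOBAL"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        for name, value in COUNTER_RE.findall(line):
            counters[f"{section}/{name.strip()}"] = int(value)
    return counters

def diff_stats(before: str, after: str) -> Dict[str, int]:
    """Counters that moved between two snapshots: name -> increment."""
    b, a = parse_ssl_proxy_stats(before), parse_ssl_proxy_stats(after)
    return {k: v - b.get(k, 0) for k, v in a.items() if v != b.get(k, 0)}

def diagnose(before: str, after: str) -> str:
    """Heuristic classification of one connection attempt from the increments."""
    d = diff_stats(before, after)
    if d.get("SSL/conns attempted", 0) > 0:
        return "SSL_REACHED"        # handshake got to the card; look at SSL failures next
    if d.get("FDU/Vlan Id Drops", 0) > 0:
        return "VLAN_ID_MISMATCH"   # frames arrive, but on a VLAN the card does not serve
    return "NO_TRAFFIC"             # nothing reached the daughter card at all

# Constructed snapshots modelled on the thread's output (abbreviated, not a real capture).
BEFORE = """TCP Statistics:
Conns initiated : 0 Conns accepted : 0
SSL Statistics:
conns attempted : 0 conns completed : 0
FDU Statistics:
IP Addr Discards : 0 Serv_Id Drops : 14
Vlan Id Drops : 90 TCP Checksum Drops : 0
"""
AFTER = BEFORE.replace("Vlan Id Drops : 90", "Vlan Id Drops : 92")

if __name__ == "__main__":
    print(diff_stats(BEFORE, AFTER), diagnose(BEFORE, AFTER))
```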

Any ideas?

Thanks.

Andrea

Andrea,

You should probably open a case.

G.

Good idea!

Thanks.

Andrea
