Thanks both of you for your replay. Jon, I planned exactly the same configuration like you. Last week I configured the csm and the dc in this way but got a strange result (my confs as attachments - IP changed to 1.1):

A client starts with a connect to the vserver INTER_443 with port 443. I get back the question for the correct certificate from the dc which I allow. After the confirm of the certificate the connections change from https to http and all other traffic goes via normal http traffic. Now is the question after the confirmation of the certificate why does the traffic fall back to http and not using https. Any ideas for this issue???

Jon, may I have another question: Did you ever tried to connect from one real server at the server vlan to a vserver. Should this work? I saw at other posts that this should work!? My customer has at his webservers a java app running which will connect to one of the vservers and we get no result. But I will post this in another message.

Thanks for any help or ideas to check, Thomas.

Hi

Your config differs from mine in a couple of ways.

1) On mine the serverfarm IP address for the SSL service matches the VIP used on the DC under the ssl-proxy service config. Yours differs - you have 1.1.147.133 on your serverfarm and 172.28.147.133 under your ssl-proxy service.

2) On mine the server IP address under the ssl-proxy service matches my http vserver WEB01. On your you have used a different vserver, SSL_CLEARTEXT from your standard http vserver INTER_80.

Not sure whether these were intended ?

Yes we did try connecting from a real server back to a vserver. We even went one further and had the same server recontact itself on a different VIP. It didn't work well for us but yes it should work, especially the simpler solution of a real talking to a vserver which points to different servers.

In the end we switched to one-arm mode, although that is often not recommened, as we had quite a few interconnections going through the CSM-S which didn't need to be load-balanced.

HTH

Hi, thanks for your quick answer.

Maybe I'm reading something wrong but I can't see the difference between our configs!?

Ooooo, during the reading I see my mistake. In my attachment is the failure - I didn't changed the 172.28.147.133 to 1.1.147.133 ;o) Sorry for the confusion. Think the 172.28 as 1.1 and I have the same conf like you. So that should not the problem :o(

For point 2 of your message you're right. I used another vserver "SSL_CLEARTEXT" to be more flexible and more secure (finally I plan that just the DC can connect to this vserver). This vserver is pointing to the same real servers and should work like the other vserver for http. Maybe I give a try to use the same webserver but I assume this is not the problem!? And this configuration works for you fine? Great for you - it seems that I've not this luck ;o)

Thomas

I can't see it making much difference either to be honest.

If i get a chance i'll try and put the config back onto our test environment and see what happens.

Are you sure that the application itself is not passing back URL's that point to the http vserver address ?

Jon

Jon, yep that is exactly what I'm thinking too.

I have to check with the customer. Will let you know if I find it out. Many thanks for your time,

Thomas.

Thomas,

if the server uses HTTP redirect because the location of the HTTP objects has been moved, then you need to translate this redirect from HTTP to HTTPS with the SSL module.

This is done with a url-rewrite function.

There are a few examples on how to do this @

http://www.cisco.com/en/US/products/hw/switches/ps708/module_installation_and_configuration_guides_chapter09186a0080441258.html#wp1247453

Gilles.

Hi Gilles/Everybody,

had a problem with the SSL access via telnet as shown on the Documentation. I have created a VLAN (SVI) on the MSFC, and Created the same VLAN (server VLAN) on the CSM Module and equally on the SSL_DC all on the same subnet, with my gateway as the ip address on the MSFC, got the normal Default route on the SSL_DC automatically generated pointing to the gateway.

But from the MSFC i am able to ping the ip address on the CSM, but not able to ping the ip on the SSL_DC, have all the configs on the vty lines on the SSL_DC that are required for normal telnet but all in vain. find the configs below.

created the VLAN

on the MSFC of 6513

vlan 801

name SSL-DC_administrative

interface vlan 801

ip address 10.6.78.1 255.255.255.240

no shut

module ContentSwitchingModule 5

vlan 801 server

ip address 10.6.78.3 255.255.255.240

ssl-proxy vlan 801

ipaddr 10.6.78.5 255.255.255.240

gateway 10.6.78.1

admin

line vty 0 4

password cisco

login

privi l 15

loggin sync

enable password cisco.

the gateway command is for traffic hitting ssl-vip.

For management traffic [telnet,ping] you need to configure an ip route. Just like for ios.

So, try to add an 'ip route 0.0.0.0 0.0.0.0 10.6.78.1' on the SSL-DC and see if it works.

Gilles.

Gilles,

thank you for your response, the SSL-DC by itself added the "route" command ro the configuration. i.e. route 0.0.0.0 0.0.0.0 10.6.78.1

or did you mean i should add "ip route" just as in the IOS ?

all i need is telne/ping access to the SSL-DC.

TIA

hash

You need to add the following on your SSL DC.

ip route 0.0.0.0 0.0.0.0 10.6.78.1

HTH

Jon

thank you Jon,

Will try that and get back to you. thought there was no need sine the SSL DC adds the "route 0.0.0.0 0.0.0.0 10.6.78.1" by itself. as shown on this link

http://www.cisco.com/en/US/products/hw/switches/ps708/module_installation_and_configuration_guides_chapter09186a00804638c2.html#wp1043233

Thanks you for your help.

Hash

route and 'ip route' are different.

There is 2 routing table on this box.

The one for managmenet traffic like telnet/ping requires the 'ip route' command

Gilles.