Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
536
Views
4
Helpful
2
Replies

CSS11501 SSL offload help..

sam_crooks
Level 1
Level 1

‎12-28-2005 05:18 PM

Hi all,

I have the attached config where basically I want to have 2 VIPs so that for port 80, it just forwards to the servers. For 443, it should offload the SSL and send it cleartext to port 7778 (for VIP 206.83.206.68) and to port 7777 (for VIP 206.83.206.69).

SSL Hand shaking starts between the browser and the SLB and seems to complete OK, but there seems to be nothing going on between the SLB and the server... I suspect my configuration is not right for the SSL offload part...

Can anyone help?

Sam

Labels:
Preview file
4 KB
Preview file
168 KB
0 Helpful
2 Replies 2

Gilles Dufour
Cisco Employee
Cisco Employee

‎12-29-2005 12:24 AM

Sam,

from your config, it looks like you use a source group to do client nat.

This group applies to your HTTP content rules.

However, you have no group for the SSL rules.

If a group is a required for HTTP traffic to guarantee that the server response comes back to the CSS, I believe a group should be necessary for SSL traffic as well.

Now, the tricky part is that you go directly from the SSL module to the server.

We usually send the decrypted traffic to another vip on the CSS and from that vip the CSS loadbalances the traffic to the server.

Client nat is usually then applied on the decrypted content rule.

So, I would suggest to apply a config as described above. You could for example replace the line :

ssl-server 30 cipher rsa-with-3des-ede-cbc-sha 206.83.206.69 7777

with

ssl-server 30 cipher rsa-with-3des-ede-cbc-sha 206.83.206.100 7777

Let me know if this works and thanks in advance for rating this answer.

Gilles.

sam_crooks
Level 1
Level 1
In response to Gilles Dufour

‎12-29-2005 04:12 PM

Gilles,

Your answer did not solve the issue but pointed me in the right direction.

In addition to changing to a VIP on the ssl-server cipher entries, tt looks like to me that there needed to be a content rule for the 7777 and 7778 ports (not there in my original config), so it didn't know what to do with traffic back to the SLB on those ports.

I'm posting the working config for future searches if someone happens to google or search and find this.

Gilles, thanks for your help.

Sam

Preview file
4 KB
0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card