One arm Configuration Mode SSL not working.

ravi.saini
Level 1

Hi,

I have a configuration to a single web server. The CSS is set up in one-arm configuration mode, with a source group pointing to the backend web server on port 80.

Normal HTTP works great. However, HTTPS only gets as far as showing the digital certificate, then comes back with page not found.

Does the ssl service need to be added to a source group?

Can anyone advise?

Cheers

11 Replies

seilsz
Level 4

A couple of questions:

* Are you doing SSL termination on the CSS?

* Is the connection from your CSS to the backend server SSL encrypted?

* Can you post the relevant parts of your configuration?

~Zach

Hi

Thanks for the reply.

Here is the config. I have edited bits out but I think you will be able to see what I am trying to achieve.

!************************* INTERFACE *************************
interface e1
  description uplink
  phy 100Mbits-FD

!************************** CIRCUIT **************************
circuit VLAN1
  ip address 10.10.2.2 255.255.255.0

!*********************** SSL PROXY LIST ***********************
ssl-proxy-list DOG
  ssl-server 20
  ssl-server 20 rsakey keyfile
  ssl-server 20 rsacert cert
  ssl-server 20 cipher rsa-with-rc4-128-md5 10.10.2.14 80
  ssl-server 20 urlrewrite 21 *
  ssl-server 20 vip address 10.10.2.14
  active

!************************** SERVICE **************************
service dog_test
  keepalive type http
  ip address 10.10.2.4
  port 80
  protocol tcp
  active

service ssl_dog
  add ssl-proxy-list DOG
  slot 2
  type ssl-accel
  keepalive type none
  active

!*************************** OWNER ***************************
owner animal

  content dog_Test
    add service dog_test
    no persistent
    protocol tcp
    port 80
    url "/*"
    vip address 10.10.2.14
    active

  content dog_secure_prod
    add service ssl_dog
    application ssl
    advanced-balance ssl
    protocol tcp
    port 443
    vip address 10.10.2.14
    active

!*************************** GROUP ***************************
group dog
  vip address 10.10.2.14
  add destination service dog_test
  active

Zach,

SSL terminates on the CSS. Clear text to backend. I have posted config.

Thanks
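As an added example (not code from this thread, and not a Cisco tool), here is a small Python lint for the kind of CSS configuration pasted above. It embeds a constructed copy of that configuration in which the VIP on the SSL content rule is deliberately mistyped as "10.10 2.14", and checks the three things that have to line up for the SSL path to work: every VIP parses as an address, the backend named on the ssl-server cipher line is the VIP:port of a clear-text content rule on the same CSS (the decrypted traffic is handed back to that rule), and the content rule that adds the ssl-accel service listens on 443 at the ssl-server's VIP. The parser is keyword-driven and assumes only the command forms visible in this thread; function names are my own.

```python
import ipaddress

# Constructed sample input: the configuration posted in this thread (interface
# and circuit sections omitted), with the SSL content rule's VIP deliberately
# mistyped as "10.10 2.14" so the lint has something to catch.
SAMPLE_CONFIG = """\
ssl-proxy-list DOG
  ssl-server 20
  ssl-server 20 rsakey keyfile
  ssl-server 20 rsacert cert
  ssl-server 20 cipher rsa-with-rc4-128-md5 10.10.2.14 80
  ssl-server 20 urlrewrite 21 *
  ssl-server 20 vip address 10.10.2.14
  active
service dog_test
  keepalive type http
  ip address 10.10.2.4
  port 80
  protocol tcp
  active
service ssl_dog
  add ssl-proxy-list DOG
  slot 2
  type ssl-accel
  keepalive type none
  active
owner animal
  content dog_Test
    add service dog_test
    no persistent
    protocol tcp
    port 80
    url "/*"
    vip address 10.10.2.14
    active
  content dog_secure_prod
    add service ssl_dog
    application ssl
    advanced-balance ssl
    protocol tcp
    port 443
    vip address 10.10 2.14
    active
group dog
  vip address 10.10.2.14
  add destination service dog_test
  active
"""

BLOCK_KEYWORDS = ("ssl-proxy-list", "service", "content", "group")


def parse_css_config(text):
    """Split a CSS configuration into keyword-addressed blocks.

    CSS output is not reliably indented, so a new block starts whenever a line
    begins with one of BLOCK_KEYWORDS followed by a single name; every other
    line belongs to the most recently opened block. Result shape:
    {kind: {name: {"lines": [...], "owner": owner_or_None}}}.
    """
    cfg = {kind: {} for kind in BLOCK_KEYWORDS}
    current, owner = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if words[0] == "owner" and len(words) == 2:
            owner, current = words[1], None
            continue
        if words[0] in cfg and len(words) == 2:
            current = cfg[words[0]].setdefault(words[1], {"lines": [], "owner": owner})
            continue
        if current is not None:
            current["lines"].append(line)
    return cfg


def setting(block, *prefix):
    """Tokens following `prefix` on the first matching line of a block, or None."""
    n = len(prefix)
    for line in block["lines"]:
        words = line.split()
        if tuple(words[:n]) == prefix:
            return words[n:]
    return None


def valid_ipv4(tokens):
    """True when `tokens` is exactly one well-formed dotted-quad address."""
    if tokens is None or len(tokens) != 1:
        return False
    try:
        ipaddress.IPv4Address(tokens[0])
        return True
    except ValueError:
        return False


def check_config(cfg):
    """Return a list of findings; empty when the SSL path is consistent."""
    findings = []

    # 1. Every VIP on a content rule or source group must be a well-formed address.
    for kind in ("content", "group"):
        for name, block in cfg[kind].items():
            vip = setting(block, "vip", "address")
            if vip is not None and not valid_ipv4(vip):
                findings.append(f"{kind} {name}: malformed vip address {' '.join(vip)!r}")

    # Clear-text content rules keyed by (vip, port): the SSL module hands the
    # decrypted request back to the CSS addressed to one of these.
    clear_rules = {}
    for name, block in cfg["content"].items():
        vip, port = setting(block, "vip", "address"), setting(block, "port")
        if valid_ipv4(vip) and port and "application ssl" not in block["lines"]:
            clear_rules[(vip[0], port[0])] = name

    for svc_name, svc in cfg["service"].items():
        if setting(svc, "type") != ["ssl-accel"]:
            continue
        plist = setting(svc, "add", "ssl-proxy-list")
        if plist is None or plist[0] not in cfg["ssl-proxy-list"]:
            findings.append(f"service {svc_name}: references a missing ssl-proxy-list")
            continue
        proxy = cfg["ssl-proxy-list"][plist[0]]

        # 2. The backend on the cipher line must be a clear-text rule's VIP:port.
        ssl_vip = None
        for line in proxy["lines"]:
            w = line.split()
            if len(w) == 6 and w[0] == "ssl-server" and w[2] == "cipher":
                backend = (w[4], w[5])
                if backend not in clear_rules:
                    findings.append(f"ssl-proxy-list {plist[0]}: cipher backend "
                                    f"{backend[0]}:{backend[1]} matches no clear-text content rule")
            if len(w) == 5 and w[0] == "ssl-server" and w[2:4] == ["vip", "address"]:
                ssl_vip = w[4]

        # 3. The content rule fronting this service must listen on 443 at the same VIP.
        for rule_name, rule in cfg["content"].items():
            if setting(rule, "add", "service") != [svc_name]:
                continue
            if setting(rule, "port") != ["443"]:
                findings.append(f"content {rule_name}: fronts {svc_name} but does not listen on port 443")
            if setting(rule, "vip", "address") != [ssl_vip]:
                findings.append(f"content {rule_name}: vip differs from ssl-server vip address {ssl_vip}")
    return findings


def lint(text):
    return check_config(parse_css_config(text))


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run as-is it reports the malformed VIP and the resulting mismatch against the ssl-server VIP; correct the typo and it reports nothing. The point of check 2 is the one Zach's questions circle around: with termination on the CSS and clear text to the backend, the ssl-server cipher line has to point at the CSS's own port-80 content rule, not directly at the server.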

ravi.saini
Level 1

Has anyone done a similar configuration that they can give me details of? I would appreciate this.

Your initial thought was correct - you need to add the SSL module (ssl_dog) to the source group (dog).

~Zach

Hi

I am still experiencing the same symptoms even after adding the ssl service to the group.

Any help would be appreciated

Thanks

Ravi,

'sho serv summary'

Is the server alive?

'sho summary'

Do you see any hit on the cleartext content rule?

Finally, a sniffer trace on the server would be good to see what is going on.

Regards,

Gilles.
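Gilles asks for a sniffer trace on the server; what to look for in it is whether the requests reaching port 80 carry the client's own source address or an address owned by the CSS. As an added example (not from this thread), the Python below reads constructed tcpdump-style summary lines, as they might be captured on the backend server 10.10.2.4, groups them into flows, and flags two things: flows whose SYN never got a SYN-ACK (server or port down), and flows that arrived with a non-CSS source address, whose replies will go back to the client directly unless the server routes through the CSS. The trace lines, the client addresses (192.0.2.x) and the function names are constructed; the CSS addresses are the VIP and circuit IP from the posted config.

```python
import re

# Constructed sample: tcpdump-style summary lines as they might be captured on
# the backend web server (10.10.2.4). Not a real trace from this thread.
SAMPLE_TRACE = """\
10:01:02.100 IP 192.0.2.10.51000 > 10.10.2.4.80: Flags [S], seq 100
10:01:02.101 IP 10.10.2.4.80 > 192.0.2.10.51000: Flags [S.], seq 200, ack 101
10:01:05.300 IP 10.10.2.14.40001 > 10.10.2.4.80: Flags [S], seq 300
10:01:05.301 IP 10.10.2.4.80 > 10.10.2.14.40001: Flags [S.], seq 400, ack 301
10:01:05.302 IP 10.10.2.14.40001 > 10.10.2.4.80: Flags [.], ack 401
10:01:09.000 IP 192.0.2.11.51002 > 10.10.2.4.80: Flags [S], seq 500
"""

# Addresses the CSS owns on this circuit: the VIP and the circuit address.
CSS_ADDRESSES = {"10.10.2.14", "10.10.2.2"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse_trace(text):
    """Turn tcpdump-style summary lines into packet dicts; unparseable lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            packets.append(p)
    return packets


def analyse_return_path(packets, server_ip, server_port, css_addresses):
    """Group packets into flows toward server_ip:server_port.

    Returns {(peer_ip, peer_port): {"via_css": bool, "syn": bool, "synack": bool}}
    where via_css is True when the peer address belongs to the CSS, i.e. the
    request was source-translated and the server's replies return to the CSS.
    """
    flows = {}
    for p in packets:
        if p["dst"] == server_ip and p["dport"] == server_port:
            key, to_server = (p["src"], p["sport"]), True
        elif p["src"] == server_ip and p["sport"] == server_port:
            key, to_server = (p["dst"], p["dport"]), False
        else:
            continue
        f = flows.setdefault(key, {"via_css": key[0] in css_addresses,
                                   "syn": False, "synack": False})
        if to_server and p["flags"] == "S":
            f["syn"] = True
        if not to_server and p["flags"] == "S.":
            f["synack"] = True
    return flows


def return_path_findings(flows):
    """Human-readable findings, one per problematic flow, in address order."""
    out = []
    for (ip, port), f in sorted(flows.items()):
        if f["syn"] and not f["synack"]:
            out.append(f"{ip}:{port}: SYN seen but no SYN-ACK from the server (server or port down)")
        elif not f["via_css"]:
            out.append(f"{ip}:{port}: request carries the client's own source address; "
                       "server replies go straight to the client unless it routes via the CSS")
    return out


if __name__ == "__main__":
    flows = analyse_return_path(parse_trace(SAMPLE_TRACE), "10.10.2.4", 80, CSS_ADDRESSES)
    for finding in return_path_findings(flows) or ["no findings"]:
        print(finding)
```

In the sample, the flow from 10.10.2.14 is what a working source group produces: the server only ever talks to the CSS. The flow from 192.0.2.10 is the one-arm failure mode described later in this thread (flows not coming back via the CSS), and 192.0.2.11 shows what a dead service looks like in the same capture.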

Gilles,

Thanks,

When I add the ssl service to the source group, I do not get a prompt for the certificate; eventually the page returns as not found.

The show serv summ shows

ssl service is alive conn = 1, weight = 1, load = 2

with no difference shown in the clear service stats.

The show summary shows a service hit for the ssl service and nothing else.

-------------------------------

When the ssl service is removed from the source group, I get a prompt for the certificate, then a page not found.

Here is the show serv summ:

Clear service is alive, conn = 1; weight, ave load and state transitions remain the same.

For the ssl service this too is alive, conn = 1, with weight, av load and state transitions remaining the same.

The show summary shows 1 service hit on the ssl service (at this point a certificate is displayed). When the certificate is accepted there is another service hit on the ssl service, along with a service hit on the clear service. (Again page not found is returned.)

The clear service works with the source group. With the ssl service it seems as though the flows are not coming back via the css.

Hence the use of source groups, but the ssl service does not display the certificate when added to the source group.

The ssl service is not associated to a vip address but to an ssl-proxy-list.

It is felt that something is wrong here.

Should the ssl service be added to the source group?

Do you have any sample configs for this or could you advise of a config? (I have a paste of my config in one of the answers.)

Thanks for having a look. I await your reply.

Ravi

Ravi,

There is no need to add the ssl service to the group.

I have the same config in my lab and it works fine.

Do you get the 'page not found' after the browser timeout or immediately after accepting the certificates?

Did you capture a sniffer trace on the server as requested?

This will tell us exactly what is going on.

Go to www.ethereal.com for a free sniffer tool.

Gilles.

Gilles,

The page not found is returned after the browser timeout.

The server is in a remote secure Data Centre and I require change controls in order to attend site (uuuuhhhh). I will work on this. In the meantime any more suggestions are most welcome.

Would it be possible if you could email me your config so I can compare?
