Problem with SSL module

marcin.mazurek
Level 1

I've got a 6509 with SSL and CSM inside. I'm having a problem creating a connection to the VIP on port 443 pointing to the SSL module. My configuration is based on the "Catalyst 6500 Series Switch Content Switching Module with SSL Installation and Configuration" document, Appendix B; B-7; CSM-S Configuration Example (Router Mode, Server NAT). It seems to be simple but it's not working. Could anybody take a look at this excerpt from the config?

VLAN to outside is 200; to SSL 150 (admin), 130 traffic; to clients 120.

ssl-proxy module 4 allowed-vlan 120,130,150

vlan 200 client
 description Traffic from clients.
 ip address X.23.48.5 255.255.255.0 alt X.23.48.6 255.255.255.0
 gateway X.23.48.10
 alias X.23.48.4 255.255.255.0
vlan 120 server
 description Server traffic
 ip address 192.168.200.2 255.255.255.0 alt 192.168.200.3 255.255.255.0
 alias 192.168.200.1 255.255.255.0
!
vlan 130 server
 description SSL-DC traffic
 ip address 172.16.0.21 255.255.255.0 alt 172.16.0.31 255.255.255.0
 alias 172.16.0.1 255.255.255.0
serverfarm SSL-TEST
 nat server
 no nat client
 real 172.16.0.182 local
  inservice
serverfarm WWW-TEST
 nat server
 no nat client
 real 192.168.200.110
  inservice
vserver SSL-VIP-TEST
 virtual X.23.48.110 tcp https
 serverfarm SSL-TEST
 persistent rebalance
 inservice
vserver WWW-VIP-TEST
 virtual X.23.48.110 tcp www
 serverfarm WWW-TEST
 persistent rebalance
 inservice

interface Vlan150
 description Polaczenie do SSL akceleratora
 ip address 10.10.10.11 255.255.255.0
!
interface Vlan200
 description VLAN do FWSM
 ip address X.23.48.9 255.255.255.0
 standby 1 ip X.23.48.10

and on SSL module:

ssl-proxy service SSL-TEST
 virtual ipaddr 172.16.0.182 protocol tcp port 443 secondary
 server ipaddr X.23.48.110 protocol tcp port 80
 certificate rsa general-purpose trustpoint ssl.allegro.pl
 inservice
ssl-proxy vlan 150
 ipaddr 10.10.10.2 255.255.255.0
 gateway 10.10.10.11
 admin
ssl-proxy vlan 130
 ipaddr 172.16.0.2 255.255.255.0
 gateway 172.16.0.1
 route X.23.48.0 255.255.255.0 gateway 172.16.0.1

I can connect to real for WWW traffic but can't for SSL traffic.

192.168.200.110 WWW-TEST 8 OPERATIONAL 0

172.16.0.182 SSL-TEST 8 FAILED 0

Any hint? Can't figure it out :(

tia


Gilles Dufour
Cisco Employee

Looks like the status of your ssl serverfarm is "FAILED".

So that is the first thing to look for.

I would remove the keyword 'local' from the real definition.

FAILED actually means the CSM does not even have an arp entry for the SSL address.

So I would verify connectivity by issuing ping from the CSM to the SSLM.

You could try to configure the MSFC in vlan 130 as well just to see if you can ping from MSFC to CSM or MSFC to SSLM.

Regards,

Gilles.
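A static pre-check for the two points raised in the reply, as an added example that is not part of the original thread and not Cisco tooling: it flags reals carrying the 'local' keyword and confirms that an SSL real sits on a VLAN subnet configured on both the CSM and the SSL module, a precondition for the CSM being able to resolve an ARP entry for it. The sample text is constructed from the private-address lines of the posted excerpt (the masked X.23.48.x addresses are left out because they do not parse), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: private-address lines of the posted excerpt, re-indented.
CSM_CONFIG = """\
vlan 120 server
 ip address 192.168.200.2 255.255.255.0 alt 192.168.200.3 255.255.255.0
vlan 130 server
 ip address 172.16.0.21 255.255.255.0 alt 172.16.0.31 255.255.255.0
serverfarm SSL-TEST
 real 172.16.0.182 local
serverfarm WWW-TEST
 real 192.168.200.110
"""
SSLM_CONFIG = """\
ssl-proxy service SSL-TEST
 virtual ipaddr 172.16.0.182 protocol tcp port 443 secondary
ssl-proxy vlan 130
 ipaddr 172.16.0.2 255.255.255.0
"""

def vlan_subnets(text, header, addr_cmd):
    """Map VLAN id -> subnet for each '<header> N' block with an address line."""
    nets, vlan = {}, None
    for line in text.splitlines():
        head = re.match(header + r" (\d+)", line)
        if head or not line.startswith(" "):
            vlan = head.group(1) if head else None
        addr = re.match(r"\s+" + addr_cmd + r" (\S+) (\S+)", line)
        if addr and vlan:
            nets[vlan] = ipaddress.ip_network("/".join(addr.groups()), strict=False)
    return nets

def check_reals(csm, sslm):
    """Return (farm, real, finding) tuples for reals worth a second look."""
    csm_nets = vlan_subnets(csm, "vlan", "ip address")
    sslm_nets = vlan_subnets(sslm, "ssl-proxy vlan", "ipaddr")
    ssl_vips = set(re.findall(r"virtual ipaddr (\S+)", sslm))
    findings = []
    for farm, body in re.findall(r"^serverfarm (\S+)\n((?: .*\n)*)", csm, re.M):
        for ip_s, local in re.findall(r"^ real (\S+)( local)?", body, re.M):
            ip = ipaddress.ip_address(ip_s)
            vlans = [v for v, net in csm_nets.items() if ip in net]
            if not vlans:
                findings.append((farm, ip_s, "not on any CSM VLAN subnet"))
            if local:
                findings.append((farm, ip_s, "'local' keyword set"))
            if ip_s in ssl_vips and not any(sslm_nets.get(v) == csm_nets[v] for v in vlans):
                findings.append((farm, ip_s, "SSLM has no interface on that VLAN subnet"))
    return findings
```

On the constructed sample, check_reals(CSM_CONFIG, SSLM_CONFIG) reports only the 'local' keyword on the SSL-TEST real; the addressing on VLAN 130 is consistent, so the ping test from the reply is the next step.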
