11-17-2005 12:29 AM
I've got a 6509 with SSL and CSM inside. I'm having a problem creating a connection to the VIP on port 443 pointing to the SSL module. My configuration is based on the "Catalyst 6500 Series Switch Content Switching Module with SSL Installation and Configuration" document, Appendix B, B-7, CSM-S Configuration Example (Router Mode, Server NAT). It seems to be simple but it's not working. Could anybody take a look at this excerpt from the config?
VLAN to the outside is 200; to the SSL module 150 (admin) and 130 (traffic); to clients 120.
ssl-proxy module 4 allowed-vlan 120,130,150
vlan 200 client
description Traffic from clients.
ip address X.23.48.5 255.255.255.0 alt X.23.48.6 255.255.255.0
gateway X.23.48.10
alias X.23.48.4 255.255.255.0
vlan 120 server
description Server traffic
ip address 192.168.200.2 255.255.255.0 alt 192.168.200.3 255.255.255.0
alias 192.168.200.1 255.255.255.0
!
vlan 130 server
description SSL-DC traffic
ip address 172.16.0.21 255.255.255.0 alt 172.16.0.31 255.255.255.0
alias 172.16.0.1 255.255.255.0
serverfarm SSL-TEST
nat server
no nat client
real 172.16.0.182 local
inservice
serverfarm WWW-TEST
nat server
no nat client
real 192.168.200.110
inservice
vserver SSL-VIP-TEST
virtual X.23.48.110 tcp https
serverfarm SSL-TEST
persistent rebalance
inservice
vserver WWW-VIP-TEST
virtual X.23.48.110 tcp www
serverfarm WWW-TEST
persistent rebalance
inservice
interface Vlan150
description Polaczenie do SSL akceleratora
ip address 10.10.10.11 255.255.255.0
!
interface Vlan200
description VLAN do FWSM
ip address X.23.48.9 255.255.255.0
standby 1 ip X.23.48.10
and on the SSL module:
ssl-proxy service SSL-TEST
virtual ipaddr 172.16.0.182 protocol tcp port 443 secondary
server ipaddr X.23.48.110 protocol tcp port 80
certificate rsa general-purpose trustpoint ssl.allegro.pl
inservice
ssl-proxy vlan 150
ipaddr 10.10.10.2 255.255.255.0
gateway 10.10.10.11
admin
ssl-proxy vlan 130
ipaddr 172.16.0.2 255.255.255.0
gateway 172.16.0.1
route X.23.48.0 255.255.255.0 gateway 172.16.0.1
I can connect to the real for WWW traffic but can't for SSL traffic.
192.168.200.110 WWW-TEST 8 OPERATIONAL 0
172.16.0.182 SSL-TEST 8 FAILED 0
Any hint? Can't figure it out :(
tia
11-17-2005 07:45 AM
Looks like the status of your SSL serverfarm is "FAILED".
So that is the first thing to look for.
I would remove the keyword 'local' from the real definition.
FAILED actually means the CSM does not even have an ARP entry for the SSL address.
So I would verify connectivity by issuing a ping from the CSM to the SSLM.
You could try to configure the MSFC in vlan 130 as well just to see if you can ping from MSFC to CSM or MSFC to SSLM.
Regards,
Gilles.
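As an added illustration of the kind of cross-check Gilles describes (this is example code written for this page, not code from either poster or from Cisco), the script below reads the two halves of the posted configuration, verifies the relationships a CSM-S router-mode design depends on (each real inside a CSM server VLAN subnet, the SSLM data VLAN defaulting to the CSM alias, the ssl-proxy virtual address being a CSM real and its cleartext server being a CSM VIP), and then flags any real whose status is not OPERATIONAL. The addresses are copied from the thread with the masked "X" octet replaced by the documentation prefix 198.51.100 so they parse; the section-splitting assumes the flattened, unindented layout of the post.

```python
import ipaddress

# Constructed from the configuration posted in the thread. The "X" first
# octet of the public addresses is replaced by the documentation prefix
# 198.51.100 so the strings parse; this is sample input, not live config.
CSM_CONFIG = """\
vlan 200 client
ip address 198.51.100.5 255.255.255.0 alt 198.51.100.6 255.255.255.0
alias 198.51.100.4 255.255.255.0
vlan 120 server
ip address 192.168.200.2 255.255.255.0 alt 192.168.200.3 255.255.255.0
alias 192.168.200.1 255.255.255.0
vlan 130 server
ip address 172.16.0.21 255.255.255.0 alt 172.16.0.31 255.255.255.0
alias 172.16.0.1 255.255.255.0
serverfarm SSL-TEST
real 172.16.0.182 local
serverfarm WWW-TEST
real 192.168.200.110
vserver SSL-VIP-TEST
virtual 198.51.100.110 tcp https
serverfarm SSL-TEST
vserver WWW-VIP-TEST
virtual 198.51.100.110 tcp www
serverfarm WWW-TEST
"""
SSLM_CONFIG = """\
ssl-proxy service SSL-TEST
virtual ipaddr 172.16.0.182 protocol tcp port 443 secondary
server ipaddr 198.51.100.110 protocol tcp port 80
ssl-proxy vlan 150
ipaddr 10.10.10.2 255.255.255.0
gateway 10.10.10.11
admin
ssl-proxy vlan 130
ipaddr 172.16.0.2 255.255.255.0
gateway 172.16.0.1
"""
# Real-status lines in the form quoted in the post (constructed sample).
REAL_STATUS = """\
192.168.200.110 WWW-TEST 8 OPERATIONAL 0
172.16.0.182 SSL-TEST 8 FAILED 0
"""

def sections(text, starters):
    """Split a flattened config into (header words, [body word lists]) blocks."""
    blocks, cur = [], None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        # "serverfarm X" under a vserver is a reference, not a new block
        nested_ref = w[0] == "serverfarm" and cur and cur[0][0] == "vserver"
        if w[0] in starters and not nested_ref:
            cur = (w, [])
            blocks.append(cur)
        elif cur:
            cur[1].append(w)
    return blocks

def audit(csm_text, sslm_text, status_text):
    """Return a list of findings cross-checking the CSM and SSLM configs plus real status."""
    findings = []
    csm = sections(csm_text, {"vlan", "serverfarm", "vserver"})
    sslm = sections(sslm_text, {"ssl-proxy"})
    vlans = {}  # vlan id -> (role, [networks], alias address)
    for hdr, body in csm:
        if hdr[0] == "vlan":
            nets = [ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
                    for w in body if w[:2] == ["ip", "address"]]
            alias = next((ipaddress.ip_address(w[1]) for w in body if w[0] == "alias"), None)
            vlans[int(hdr[1])] = (hdr[2], nets, alias)
    reals = {ipaddress.ip_address(w[1]): hdr[1]
             for hdr, body in csm if hdr[0] == "serverfarm" for w in body if w[0] == "real"}
    vips = {ipaddress.ip_address(w[1])
            for hdr, body in csm if hdr[0] == "vserver" for w in body if w[0] == "virtual"}
    server_nets = [n for role, nets, _ in vlans.values() if role == "server" for n in nets]
    # 1. A real outside every CSM server VLAN subnet has no ARP path and can never come up.
    for ip, farm in reals.items():
        if not any(ip in n for n in server_nets):
            findings.append(f"real {ip} ({farm}) is outside every CSM server VLAN subnet")
    for hdr, body in sslm:
        if hdr[1] == "vlan":
            if any(w[0] == "admin" for w in body):
                continue  # the admin VLAN is routed by the MSFC, not the CSM
            vid = int(hdr[2])
            ip = next(ipaddress.ip_address(w[1]) for w in body if w[0] == "ipaddr")
            gw = next(ipaddress.ip_address(w[1]) for w in body if w[0] == "gateway")
            role, nets, alias = vlans.get(vid, ("missing", [], None))
            # 2. The SSLM data VLAN must share the CSM subnet and default to the CSM alias.
            if not any(ip in n for n in nets):
                findings.append(f"ssl-proxy vlan {vid} address {ip} is not in CSM vlan {vid}")
            if gw != alias:
                findings.append(f"ssl-proxy vlan {vid} gateway {gw} != CSM alias {alias}")
        elif hdr[1] == "service":
            virt = next(ipaddress.ip_address(w[2]) for w in body if w[:2] == ["virtual", "ipaddr"])
            srv = next(ipaddress.ip_address(w[2]) for w in body if w[:2] == ["server", "ipaddr"])
            # 3. Encrypted traffic goes CSM real -> SSLM virtual; cleartext returns to a CSM VIP.
            if virt not in reals:
                findings.append(f"service {hdr[2]} virtual {virt} is not a CSM real")
            if srv not in vips:
                findings.append(f"service {hdr[2]} server {srv} is not a CSM vserver VIP")
    # 4. Anything other than OPERATIONAL in the real table is the first thing to chase.
    for w in (l.split() for l in status_text.splitlines() if l.strip()):
        if w[3] != "OPERATIONAL":
            findings.append(f"real {w[0]} ({w[1]}) is {w[3]}: verify ARP/ping from CSM to it")
    return findings

if __name__ == "__main__":
    for finding in audit(CSM_CONFIG, SSLM_CONFIG, REAL_STATUS):
        print(finding)
```

Run against the posted configuration, the static checks all pass and the only finding is the FAILED real, which matches the advice to start with ARP and ping between the CSM and the SSLM; changing the SSLM gateway in the sample to anything other than the CSM alias adds a second finding, which is the sort of mismatch the static checks are there to catch before looking at the data path.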