
SSL Accel not working on 11501

ns
Level 1

Hi,

I have a problem with a CSS11501 with the SSL module installed. The SSL module doesn't accept the traffic on port 443 and it goes directly to the server. The server has a certificate installed and that's how I know that it doesn't work. I access the server on port 80 and 443 without any problem. I've seen a similar post on this issue without a solution and the questions were:

Does the browser support the certificates? I'm using IE 6.0 SP1, I honestly don't know if it's supported but I've enabled all RSA ciphers.

Are there any hits on the stats? None, the only counter that changes is the HASH on the Crypto counter.

Any help is appreciated.

Thanks, Niels

The config is the following:

ssl associate rsakey key1 cert1

ssl associate cert cert1 cert1.pem

!************************** CIRCUIT **************************

circuit VLAN1

ip address 10.60.2.2 255.255.255.0

circuit VLAN2

ip address 10.60.0.80 255.255.255.192

!*********************** SSL PROXY LIST ***********************

ssl-proxy-list Servidores_SSL

ssl-server 1

ssl-server 1 rsakey key1

ssl-server 1 rsacert cert1

ssl-server 1 vip address 10.60.2.1

ssl-server 1 cipher rsa-export1024-with-rc4-56-sha 10.60.0.67 80

ssl-server 1 cipher rsa-export1024-with-des-cbc-sha 10.60.0.67 80

ssl-server 1 cipher rsa-export-with-des40-cbc-sha 10.60.0.67 80

ssl-server 1 cipher rsa-export-with-rc4-40-md5 10.60.0.67 80

ssl-server 1 cipher rsa-with-3des-ede-cbc-sha 10.60.0.67 80

ssl-server 1 cipher rsa-with-des-cbc-sha 10.60.0.67 80

ssl-server 1 cipher rsa-with-rc4-128-sha 10.60.0.67 80

ssl-server 1 cipher rsa-with-rc4-128-md5 10.60.0.67 80

active

!************************** SERVICE **************************

service HTTP

ip address 10.60.0.67

keepalive type http

active

service HTTPS

add ssl-proxy-list Servidores_SSL

slot 2

keepalive type none

type ssl-accel

active

!*************************** OWNER ***************************

owner tripartita

content HTTP

protocol tcp

add service HTTP

balance aca

vip address 10.60.2.1

port 80

active

content SSL-Prueba

vip address 10.60.2.1

balance aca

add service HTTPS

application ssl

protocol tcp

port 443

active


mvoight
Level 1

The current configuration causes port 443 traffic to go to the SSL module and then the SSL module sends it to 10.60.0.67. This is also listed as a service on the CSS. There is nothing in the configuration in your note that would cause the CSS to send traffic to port 443 on the server. Is the 10.60.2.1 configured on any other device, like a firewall translation, for instance?

Are you saying that "show summary" doesn't show any hits on either content rule?

What URL do you enter on the browser?

What URL do you see on the browser after the attempt has concluded?

Michael
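
The path described in the reply above (content rule on port 443, then the ssl-accel service, then the ssl-proxy-list, then 10.60.0.67 port 80) can be checked mechanically against a saved configuration. This is an added example, not part of the original thread and not a Cisco tool; `parse` and `trace` are hypothetical helper names, and the parser assumes only the handful of commands that appear in the posted configuration.

```python
# Excerpt of the posted configuration: only the lines that decide the port 443 path.
CONFIG = """\
ssl-proxy-list Servidores_SSL
ssl-server 1 vip address 10.60.2.1
ssl-server 1 cipher rsa-with-rc4-128-sha 10.60.0.67 80
service HTTPS
add ssl-proxy-list Servidores_SSL
type ssl-accel
owner tripartita
content SSL-Prueba
vip address 10.60.2.1
add service HTTPS
port 443
"""

def parse(text):
    """Group lines under their ssl-proxy-list / service / content header."""
    cfg = {"ssl-proxy-list": {}, "service": {}, "content": {}}
    cur = None
    for w in (line.split() for line in text.splitlines()):
        if not w or w[0].startswith("!"):
            continue
        if w[0] in cfg and len(w) == 2:             # section header
            cur = cfg[w[0]].setdefault(w[1], {"backends": set(), "add": []})
        elif w[0] in ("owner", "circuit"):
            cur = None                               # leaves the current section
        elif cur is None:
            continue
        elif w[-3:-1] == ["vip", "address"]:         # content rule or ssl-server VIP
            cur["vip"] = w[-1]
        elif w[0] == "ssl-server" and w[2:3] == ["cipher"] and len(w) >= 6:
            cur["backends"].add((w[4], int(w[5])))   # clear-text backend ip, port
        elif w[0] in ("port", "type") and len(w) == 2:
            cur[w[0]] = w[1]
        elif w[0] == "add":
            cur["add"].append(w[-1])                 # referenced service / proxy list
    return cfg

def trace(cfg):
    """Follow each content rule through its ssl-accel service to the backend."""
    paths = []
    for name, rule in cfg["content"].items():
        for svc in (cfg["service"].get(s, {}) for s in rule["add"]):
            if svc.get("type") != "ssl-accel":
                continue
            for pl in filter(None, (cfg["ssl-proxy-list"].get(p) for p in svc["add"])):
                paths.append((name, rule.get("vip"), rule.get("port"),
                              pl.get("vip") == rule.get("vip"), sorted(pl["backends"])))
    return paths
```

Each tuple from `trace(parse(CONFIG))` gives the rule name, its VIP and port, whether the ssl-server VIP matches the rule's VIP, and the backends the SSL module forwards decrypted traffic to.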
