SSL Module problem

carlsond
Level 1
I am trying to get my SSL module up and running. When I do a show ssl-proxy service I see:

Admin Status: up

Operation Status: down

Proxy status: No Client VLAN, No Server VLAN

I have an admin and server vlan configured on the SSL module and trunked on the CSM. Does anyone have any idea why I see a status of down and the Proxy status of no VLANS???

Thank you.

Dave

jfoerster
Level 4
Hi Dave,

1) Did you issue the following command on the Cat6k:

ssl-proxy module x allowed-vlan 3,12 (if 3 and 12 are the vlans you are using at the SSL-Module for admin and server purpose)

2) Did you configure a route in ssl-proxy vlan pointing to the gateway of this VLAN?

3) Could you please upload the config of the Cat6k and the module?

Kind Regards,

Joerg

Yes, I did allow the admin and server VLANs as well as a default route and gateway on the SSL module. From the SSL module I can ping out to my WAN, but I did notice that from the Cat6k I cannot ping my SSL virtual 10.249.177.50. Attached are my configs. I stripped the extras out of the router config to save space, so if you need something else please let me know. As a side note, I have been using the CSM successfully as is.

Hi,

I assume the vserver 10.249.177.51 is active and not out of service or something like that...

Please try the following on the ssl-module:

ssl-proxy vlan 20

route 10.249.177.51 255.255.255.255 10.249.177.33

and remove the gateway entry as this entry is not used as no entry can be seen in the routing table (ip route...)

Please issue a

- show ssl-proxy service einvoice and

- show run (the ip route part is of interest)

before and after the configuration change and let us know the output.

For security reasons I would advise removing the ip http server command too. Furthermore, enable only SSH on the module if you want to do remote configuration. Telnet is not the best to use on an SSL device.

Thanks in advance,

Joerg

Sorry to hijack the topic. But I have managed to resolve my problem, which I posted earlier, with this example.

May I know why I must point the static route to my client segment to my server VLAN, as shown below?

"route 10.249.177.51 255.255.255.255 10.249.177.33"

Pls enlighten. Thanks

Hi,

Well, I've no real explanation for this, but the problem is routing related. Normally you have some sort of routing in the admin LAN and some in the proxy LAN. I have experienced a lot of times that I need to route out the "unencrypted" traffic to ensure that ssl-proxy services get active. Maybe this has to do with more specific routes or something like this.

Regards,

Joerg

This should not be necessary.

The SSLM uses 3 different types of routing table.

One for client.

This one is configured using only the gateway command.

The 2nd one is for the servers.

This one is configured using only the route command.

Finally, all management traffic uses the last routing table that is configured with the 'ip route ...' statement in global config mode.

So, there is no reason why this route should solve the problem unless the address 10.x.x.51 is the server address.

You should do more tests to verify what exactly solved your problem.

Regards,

Gilles.
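The three-table split described in the reply above can be checked against a saved configuration with a short script. This is an added example, not part of the thread and not Cisco code; the sample config is constructed from the commands quoted in the thread, and the `gateway` address and the `ip route` line are made-up sample values.

```python
import ipaddress

# Constructed sample config; only the command keywords come from the thread.
SAMPLE_CONFIG = """\
ip http server
ip route 10.0.0.0 255.0.0.0 10.249.177.1
ssl-proxy vlan 20
 gateway 10.249.177.33
 route 10.249.177.51 255.255.255.255 10.249.177.33
"""

def parse_tables(config):
    """Sort statements into the client, server and management tables."""
    tables = {"client": [], "server": [], "management": []}
    in_vlan = False
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw.startswith(" "):  # a new top-level statement
            in_vlan = words[:2] == ["ssl-proxy", "vlan"]
        if not in_vlan and words[:2] == ["ip", "route"] and len(words) == 5:
            # Global 'ip route' feeds the management table.
            net = ipaddress.ip_network(f"{words[2]}/{words[3]}")
            tables["management"].append((net, words[4]))
        elif in_vlan and words[0] == "gateway" and len(words) == 2:
            # 'gateway' is the only input to the client-side table.
            tables["client"].append((ipaddress.ip_network("0.0.0.0/0"), words[1]))
        elif in_vlan and words[0] == "route" and len(words) == 4:
            # 'route' is the only input to the server-side table.
            net = ipaddress.ip_network(f"{words[1]}/{words[2]}")
            tables["server"].append((net, words[3]))
    return tables

def next_hop(tables, table, dest):
    """Longest-prefix match inside one table; None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    hits = [(net.prefixlen, hop) for net, hop in tables[table] if addr in net]
    return max(hits)[1] if hits else None

def http_server_enabled(config):
    """True if the 'ip http server' line flagged in the thread is present."""
    return any(l.split() == ["ip", "http", "server"] for l in config.splitlines())

if __name__ == "__main__":
    t = parse_tables(SAMPLE_CONFIG)
    for name in t:
        print(name, next_hop(t, name, "10.249.177.51"))
    print("ip http server enabled:", http_server_enabled(SAMPLE_CONFIG))
```

Looking up the same destination in each table separately shows that the host route only affects server-side traffic, while client-side traffic follows the gateway.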