04-29-2011 08:12 AM
I configured SSL on my ACE and applied it to the load balancer, my current VIP.
When I hit the VIP IP over HTTPS, it displays "page cannot be displayed". But without SSL the load balancing works fine.
This is the config I have on my ACE:
crypto csr-params test123
  country US
  state CAlifornia
  locality Torrance
  organization-name USA
  organization-unit IT
  common-name USA
  serial-number 1
  email randy.alpha@gmail.com
access-list ALL line 8 extended permit ip any any
probe tcp ftp_tcp
  port 21
  interval 10
  passdetect interval 5
  passdetect count 1
  open 1
rserver host server1
  ip address 10.128.149.86
  inservice
rserver host server2
  ip address 10.128.149.171
  inservice
serverfarm host FTPFARM
  predictor leastconns
  probe ftp_tcp
  rserver server1
    inservice
  rserver server2
    inservice
ssl-proxy service proxy-1
  key rsa.pem
  cert trialcert.pem
sticky ip-netmask 255.255.255.255 address source sticky_FTPFARM
  timeout 20
  timeout activeconns
  replicate sticky
  serverfarm FTPFARM
class-map match-all L4-MAP-FTPFARM
  2 match virtual-address 10.128.149.173 any
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance first-match L7-FTPFARM
  class class-default
    sticky-serverfarm sticky_FTPFARM
policy-map multi-match L4-PolicyMapMulti-FTP
  class L4-MAP-FTPFARM
    loadbalance vip inservice
    loadbalance policy L7-FTPFARM
    nat dynamic 2 vlan 817
interface vlan 817
  ip address 10.128.149.55 255.255.255.0
  peer ip address 10.128.149.56 255.255.255.0
  access-group input ALL
  nat-pool 2 10.128.149.173 10.128.149.173 netmask 255.255.255.255 pat
  service-policy input remote_mgmt_allow_policy
  service-policy input L4-PolicyMapMulti-FTP
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.128.149.1
04-29-2011 07:35 PM
You have to apply your SSL proxy service to your L4 policy map.
Sent from Cisco Technical Support iPhone App
05-02-2011 08:44 AM
I applied the SSL proxy to my policy multi-match:
ace1/Admin(config)# policy-map multi-match L4-PolicyMapMulti-FTP
ace1/Admin(config-pmap)# class L4-MAP-FTPFARM
ace1/Admin(config-pmap-c)# ssl-proxy service proxy-1
ace1/Admin(config-ssl-proxy)# exit
ace1/Admin(config)# exit
But when I give a sh run, all I see under the L4 policy map is:
policy-map multi-match L4-PolicyMapMulti-FTP
  class L4-MAP-FTPFARM
    loadbalance vip inservice
    loadbalance policy L7-FTPFARM
    nat dynamic 2 vlan 817
When I try to access the server with the VIP IP using HTTPS, I am still getting the message (Message Cannot Be Displayed). But it works great with HTTP.
Please advise.
05-02-2011 08:56 AM
Did that command take? It should be:
ace1/Admin(config)# policy-map multi-match L4-PolicyMapMulti-FTP
ace1/Admin(config-pmap)# class L4-MAP-FTPFARM
ace1/Admin(config-pmap-c)# ssl-proxy server proxy-1
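A check that can be run over saved `sh run` output to catch the condition in this thread: an `ssl-proxy service` that is defined but never attached with `ssl-proxy server` under a class of a multi-match policy map. This is an added example, not part of the original posts and not Cisco tooling; the function name `audit_ssl_proxy` and the sample text (assembled from config lines quoted in the thread) are assumptions for illustration.

```python
import re

# Constructed sample: ssl-proxy service and policy-map lines quoted in the thread.
BEFORE = """\
ssl-proxy service proxy-1
  key rsa.pem
  cert trialcert.pem
policy-map type loadbalance first-match L7-FTPFARM
  class class-default
    sticky-serverfarm sticky_FTPFARM
policy-map multi-match L4-PolicyMapMulti-FTP
  class L4-MAP-FTPFARM
    loadbalance vip inservice
    loadbalance policy L7-FTPFARM
    nat dynamic 2 vlan 817
"""
# Same config after the accepted fix is entered under the class.
AFTER = BEFORE + "    ssl-proxy server proxy-1\n"


def audit_ssl_proxy(config):
    """Return (unapplied, undefined, applied) for ACE running-config text.

    unapplied: ssl-proxy services defined but attached to no class
    undefined: names attached with 'ssl-proxy server' but never defined
    applied:   {(policy_map, class): service} for multi-match policy maps
    Indentation is ignored, so flattened pastes parse the same way.
    """
    defined, applied = set(), {}
    policy = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ssl-proxy service (\S+)$", line):
            defined.add(m.group(1))      # definition block, not an attachment
            policy = cls = None
        elif m := re.match(r"policy-map (.+) (\S+)$", line):
            policy = m.group(2) if m.group(1) == "multi-match" else None
            cls = None
        elif line.startswith(("class-map ", "interface ")):
            policy = cls = None          # left the policy-map context
        elif policy and (m := re.match(r"class (\S+)$", line)):
            cls = m.group(1)
        elif policy and cls and (m := re.match(r"ssl-proxy server (\S+)$", line)):
            applied[(policy, cls)] = m.group(1)
    used = set(applied.values())
    return sorted(defined - used), sorted(used - defined), applied


if __name__ == "__main__":
    print("before:", audit_ssl_proxy(BEFORE))
    print("after: ", audit_ssl_proxy(AFTER))
```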