Application Delivery (ADX)

Contributor
Posts: 25
Registered: ‎05-04-2009

SSL termination does not work - client is getting a RST from the ServerIron right after the SSL handshake

Hi all,

I am working at a simple SSL offload setup but it does not work for some reason. I want to ensure I am not missing anything simple here. The configuration is pretty simple:

ssl profile myprofile
 keypair-file key-test
 certificate-file cert-test
 cipher-suite all-cipher-suites
 session-cache off
server port 80
 session-sync
 tcp
 tcp 60
 tcp keepalive 30 1
server source-nat
server real rs-xyz a.b.c.d
 port http
server virtual vs-xyz q.w.e.r
 port ssl
 port ssl ssl-terminate myprofile
 bind ssl rs-xyz http

I guess this should work... This is just the part of the config which seems to be important - the config is of course a bit bigger because the box is offering plain-text http as well and I do have redundancy configured as well with a second ServerIron 4G-SSL being backup for the first one.

Super Contributor
Posts: 316
Registered: ‎05-01-2009

Re: SSL termination does not work - client is getting a RST from the ServerIron right after the SSL handshake

I do see that you have source-nat enabled in your setup. I do not see special source-nat-ip address (lines starting with: server source-nat-ip...) - do you have source-nat-ip's configured or not?

Contributor
Posts: 25
Registered: ‎05-04-2009

Re: SSL termination does not work - client is getting a RST from the ServerIron right after the SSL handshake

There is no such source-nat-ip in my configuration - do I need one? I thought the ServerIron is going to use the VE's IP address for source-nat doing it the way I did it. It is working perfectly for plain-text HTTP traffic to other VIPs including source-nat.

Super Contributor
Posts: 316
Registered: ‎05-01-2009

Re: SSL termination does not work - client is getting a RST from the ServerIron right after the SSL handshake

You do have to define a special source-nat-ip for SSL related traffic - it is not going to work if that is not part of the configuration. Out of the security guide:

Use the server source-ip <ip> <mask> <gateway> port-range <range> for-ssl command when source-nat is configured.

For ServerIron router code, use the server source-nat-ip <ip> <mask> <gateway> port-range <range> for-ssl command.

The RESET directly after the SSL handshake is something you get if you have not done so.
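An added example, not part of this thread or of Brocade's own tooling: a small Python lint that encodes the rule from the answer above so it can be run against a saved ServerIron config before deployment. It flags any virtual server port using ssl-terminate when server source-nat is enabled but no source IP carrying for-ssl is defined, accepting both command forms quoted from the guide (server source-nat-ip for router code, server source-ip for switch code). The sample configs are constructed from the posted one; the for-ssl line in the fixed copy uses the guide's angle-bracket placeholders, since the thread gives no real values.

```python
# Added example (not from the thread): lint a ServerIron-style config for the
# "ssl-terminate + source-nat without a for-ssl source IP" mistake discussed above.
import re
from dataclasses import dataclass, field

# Constructed sample: the configuration as posted in the question.
POSTED_CONFIG = """\
ssl profile myprofile
 keypair-file key-test
 certificate-file cert-test
 cipher-suite all-cipher-suites
 session-cache off
server port 80
 session-sync
 tcp
 tcp 60
 tcp keepalive 30 1
server source-nat
server real rs-xyz a.b.c.d
 port http
server virtual vs-xyz q.w.e.r
 port ssl
 port ssl ssl-terminate myprofile
 bind ssl rs-xyz http
"""

# Constructed sample: same config with the line the answer asks for.
# <ip> <mask> <gateway> <range> are placeholders copied from the guide text,
# not real values; fill them in for a live box.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "server source-nat\n",
    "server source-nat\n"
    "server source-nat-ip <ip> <mask> <gateway> port-range <range> for-ssl\n",
)


@dataclass
class ConfigFacts:
    source_nat: bool = False
    # "server source-nat-ip ... for-ssl" or "server source-ip ... for-ssl" lines
    ssl_source_ips: list = field(default_factory=list)
    # (virtual server name, ssl profile) for every port using ssl-terminate
    ssl_terminate_vips: list = field(default_factory=list)


def parse_config(text: str) -> ConfigFacts:
    """Collect only the facts the for-ssl rule depends on."""
    facts = ConfigFacts()
    current_vip = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "server source-nat":
            facts.source_nat = True
        elif re.match(r"server source-(nat-)?ip\b", line) and "for-ssl" in line.split():
            facts.ssl_source_ips.append(line)
        elif line.startswith("server virtual "):
            current_vip = line.split()[2]          # name follows "server virtual"
        elif line.startswith("server "):
            current_vip = None                     # any other server block ends the VIP
        elif current_vip and line.startswith("port ") and "ssl-terminate" in line.split():
            profile = line.split()[-1]             # profile name is the last token
            facts.ssl_terminate_vips.append((current_vip, profile))
    return facts


def lint(text: str) -> list:
    """Return one finding per ssl-terminate VIP when source-nat lacks a for-ssl source IP."""
    facts = parse_config(text)
    if not (facts.source_nat and facts.ssl_terminate_vips) or facts.ssl_source_ips:
        return []
    return [
        f"{vip}: ssl-terminate ({profile}) with source-nat but no for-ssl source IP"
        for vip, profile in facts.ssl_terminate_vips
    ]


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or "ok")
```

Running it prints a finding for the posted config and "ok" for the fixed one; the same check can be pointed at a full running-config dump, since it ignores every line it does not need.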
