Cisco Services Modules

SSL Module with a CSM in Bridge Mode Configuration Example

Document ID: 59741

Updated: Sep 08, 2004



This document provides a sample configuration for handling HTTPS traffic with a Secure Socket Layer Module (SSLM) and load balancing the decrypted traffic with a Content Switch Module (CSM).

In this example, the CSM is configured in bridge mode. The client VLAN and server VLAN share the same IP address. The same virtual IP address is also configured on the CSM and on the SSLM. This requires some special attention, which you see later in this document.

Before You Begin


Before attempting this configuration, please ensure that you meet these requirements:

  • The SSL module is accessible via console or Telnet.

Components Used

The information in this document is based on these hardware and software versions.

  • CSM version 3.x or higher

  • SSL module version 2.1


For more information on document conventions, refer to Cisco Technical Tips Conventions.


In this section, you are presented with the information to configure the features described in this document.

This is a description of the traffic path based on the network diagram below:

  1. The HTTPS connection is opened by the client to the vserver IP address on port 443.

  2. Traffic is forwarded by the MSFC to the CSM on VLAN 50.

  3. Traffic hits the CSM vserver SSL 21 (see configuration), and is load balanced between the SSL module (in this case, only one). Only MAC addresses are modified; the IP addresses are not changed.

  4. The SSL module decrypts the HTTPS request from the client and opens an HTTP connection with the CSM VIP on port 80.

  5. The CSM load balances this connection to one of the servers.

  6. The server response is sent to the CSM.

  7. The CSM forwards the response to the SSLM.

  8. The SSLM encrypts the traffic from the server, and forwards it to the client through the CSM.

Network Diagram

This document uses this network setup



This document uses this configuration:

msfc1#show running-config
Building configuration...

!--- On the MSFC, you need to configure the VLANs that are
!--- used by the SSL module. This automatically sets up the 
!--- trunk between the Cat6k and the SSLM.

ssl-proxy module 1 allowed-vlan 60,499-501

!--- This is the CSM configuration.

module ContentSwitchingModule 4 
 vlan 50 client

!--- This is the VLAN between MSFC and CSM. This VLAN is bridged 
!--- by the CSM with the server VLAN 500.

  ip address
 vlan 500 server
  ip address
 vlan 60 server

!--- This is the VLAN between CSM and SSLM.

  ip address
 serverfarm MYLINUX

!--- These are the HTTP servers.

  nat server

!--- A NAT server is required to translate the VIP address to the 
!--- server IP address.

  no nat client
serverfarm SSLACC

!--- This is the SSL module serverfarm. You can list more than one module 
!--- here.

  no nat server

!--- You do not want to NAT the server IP address because the SSLM uses 
!--- the same VIP as the CSM.

  no nat client

!--- This is the SSLM interface IP address.

 vserver SSL21

!--- The vserver handles the HTTPS traffic from the client.

  virtual tcp https
  vlan 50

!--- The vlan 50 command limits the access to this VIP
!--- to traffic coming from the MSFC vlan 50.

  serverfarm SSLACC

!--- You need to link the SSL modules to this vserver.

  no persistent rebalance

!--- HTTPS traffic cannot be rebalanced due to encryption.

 vserver WWW21

!--- The vserver handles HTTP traffic from VLAN 60.
!--- This is the decrypted traffic forwarded by the SSLM.

  virtual tcp www

!--- You can reuse the same VIP address, but a different TCP port.

  vlan 60
  serverfarm MYLINUX

!--- You can link the servers to this VIP.

  persistent rebalance

!--- Persistent rebalance is possible for HTTP traffic.

interface Vlan499

!--- This is the MSFC interface to the clients.

 ip address
interface Vlan50

!--- This is the MSFC interface to the CSM.

 ip address

This is the SSLM configuration:

ssl-proxy#sho run
Building configuration...

Current configuration : 23095 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname ssl-proxy
logging queue-limit 100
enable password ww
spd headroom 512
ip subnet-zero
ip tftp source-interface Ethernet0/0.499
ip domain name
ssl-proxy service ssl21  
 virtual ipaddr protocol tcp port 443 secondary

!--- The keyword secondary is necessary since the VIP address
!--- is not part of any VLAN configured on the SSLM.

 server ipaddr protocol tcp port 80

!--- The server IP address is the alias IP address of the CSM.

 certificate rsa general-purpose trustpoint stefano
 no nat server

!--- You need to disable server NAT; this is traffic that is forwarded back
!--- to the CSM MAC address with the VIP address as the destination.

 trusted-ca ca-servidor-pool
ssl-proxy vlan 60 
crypto ca trustpoint stefano
 crl optional
 rsakeypair stefano
crypto ca certificate chain stefano
 certificate 02
 certificate ca 00
ip classless
ip route
no ip http server
no ip http secure-server
no cdp run
line con 0
 exec-timeout 0 0
line 1 3
 no exec
 transport input all
 flowcontrol software
line vty 0 4
 password ww


This section provides information you can use to confirm your configuration is working properly.

  • show mod csm X vserver name name detail — issue this command to verify that traffic hits the vserver. Make sure packets are received from both direction client and server. If you do not see any hits, try to ping the VIP. Make sure the VIP status is OPERATIONAL. If you do not see server packets, check the connectivity between CSM and SSLM.

    msfc1#sho mod csm 4 vser name ssl21 det
    SSL21, type = SLB, state = OPERATIONAL, v_index = 21
      virtual = bidir, TCP, service = NONE, advertise = FALSE
      idle = 3600, replicate csrp = none, vlan = 50, pending = 30, layer 4
      max parse len = 2000, persist rebalance = TRUE
      ssl sticky offset = 0, length = 32
      conns = 0, total conns = 2
      Default policy:
        server farm = SSLACC, backup = <not assigned>
        sticky: timer = 0, subnet =, group id = 0
      Policy          Tot matches  Client pkts  Server pkts
      (default)       2            18           12   
    msfc1#sho mod csm 4 vser name www21 det
    WWW21, type = SLB, state = OPERATIONAL, v_index = 22
      virtual = bidir, TCP, service = NONE, advertise = FALSE
      idle = 3600, replicate csrp = none, vlan = 60, pending = 30, layer 4
      max parse len = 2000, persist rebalance = TRUE
      ssl sticky offset = 0, length = 32
      conns = 0, total conns = 2
      Default policy:
        server farm = MYLINUX, backup = <not assigned>
        sticky: timer = 0, subnet =, group id = 0
      Policy          Tot matches  Client pkts  Server pkts
      (default)       2            11           7    
  • show mod csm X conns detail — issue this command to verify that packets are seen from client and server. Failure to see packets from the server could be an indication that the server has the wrong default gateway, and traffic is bypassing the CSM on the return path.

    This command verifies that there are connections on the CSM. In this example, you can see that client opened a connection from TCP port 1741 to the VIP on VLAN 50. This traffic was forwarded with an IP address that was not changed (no NAT server and no nat client) to the SSLM. The SSLM opened an HTTP connection on behalf of the client to the vserver www21, and the CSM load balanced the connection to the server

    msfc1#sho mod csm 4 conn det
        prot vlan source                destination           state       
    In  TCP  50      ESTAB       
    Out TCP  60    ESTAB       
        vs = SSL21, ftp = No, csrp = False
    In  TCP  60     ESTAB       
    Out TCP  500    ESTAB       
        vs = WWW21, ftp = No, csrp = False
  • show ssl-proxy service name — this SSL module command is very important. This command provides the status of the SSL-proxy service. Make sure the Admin and Operation Status are both up.

    ssl-proxy#show ssl-proxy service ssl21 
    Service id: 3, bound_service_id: 259
    Virtual IP:, port: 443 (secondary configured)
    Server IP:, port: 80
    Certificate authority pool: ca-servidor-pool 
      CA pool complete 
    rsa-general-purpose certificate trustpoint: stefano 
      Certificate chain for new connections:
           Key Label: stefano, 1024-bit, not exportable
           Key Timestamp: 13:52:23 UTC Apr 27 2004
           Serial Number: 02
        Root CA Certificate:
           Serial Number: 00
      Certificate chain complete 
    Admin Status: up
    Operation Status: up


There is currently no specific troubleshooting information available for this configuration.

Related Information

Updated: Sep 08, 2004
Document ID: 59741