Feedback
Table Of Contents
show ssl-proxy certificate-history
Command Reference
This appendix describes the SSL Services Module commands.
Table B-1 provides a brief description of the commands contained in this appendix.
Table B-2 lists the modes and submode commands.
clear ssl-proxy conn
To clear all TCP connections on the entire system, use the clear ssl-proxy conn command.
clear ssl-proxy conn
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
To reset all the statistics counters that the SSL Services Module maintained, use the clear ssl-proxy connection command without options.
Examples
This example shows how to clear the connections for the specified service:
ssl-proxy# clear ssl-proxy conn service S6This example shows how to clear all TCP connections on the entire system:
ssl-proxy# clear ssl-proxy connssl-proxy#clear ssl-proxy session
To clear all entries from the session cache, use the clear ssl-proxy session command.
clear ssl-proxy session
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC mode
Command History
SSL Services Module Release 1.2(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
To clear all entries from the session cache for all services, use the clear ssl-proxy session command without options.
Examples
These examples show how to clear the entries from the session cache for the specified service on the SSL Services Module:
ssl-proxy# clear ssl-proxy session service S6This example shows how to clear all entries in the session cache maintained on the SSL Services Module:
ssl-proxy# clear ssl-proxy sessionssl-proxy#clear ssl-proxy stats
To reset the statistics counters maintained in different SSL Services Module system components, use the clear ssl-proxy stats command.
clear ssl-proxy stats [crypto | fdu | ipc | pki | service | ssl | tcp]
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
To reset all the statistics counters that the SSL Services Module maintained, use the clear ssl-proxy stats command without options.
Examples
These examples show how to reset the statistics counters maintained in different system components on the SSL Services Module:
ssl-proxy# clear ssl-proxy stats cryptossl-proxy# clear ssl-proxy stats ipcssl-proxy# clear ssl-proxy stats pkissl-proxy# clear ssl-proxy stats service S6This example shows how to clear all statistic counters that the SSL Services Module maintained:
ssl-proxy# clear ssl-proxy statsssl-proxy#crypto ca export pem
To export privacy-enhanced mail (PEM) files from the SSL Services Module, use the crypto ca export pem command.
crypto ca export trustpoint_label pem {terminal {des | 3des} {url url}} pass_phrase
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
SSL Services Module Release 1.2(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
The pass_phrase can be any phrase including spaces and punctuation escept for "?", which has special meaning to the Cisco IOS parser.
Pass phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key when it is exported, and when this key is imported the same pass phrase must be entered to decrypt it.
A key marked as unexportable cannot be exported.
You can change the default file extensions when prompted. The default file extensions are as follows:
•
public key (.pub)
•
•
•
•
•
Note
Examples
This example shows how to export a PEM-formatted file on the SSL Services Module:
ssl-proxy(config)#crypto ca import TP5 pem url tftp://10.1.1.1/TP5 password% Importing CA certificate...Address or name of remote host [10.1.1.1]?Destination filename [TP5.ca]?Reading file from tftp://10.1.1.1/TP5.caLoading TP5.ca from 10.1.1.1 (via Ethernet0/0.168): ![OK - 1976 bytes]% Importing private key PEM file...Address or name of remote host [10.1.1.1]?Destination filename [TP5.prv]?Reading file from tftp://10.1.1.1/TP5.prvLoading TP5.prv from 10.1.1.1 (via Ethernet0/0.168): ![OK - 963 bytes]% Importing certificate PEM file...Address or name of remote host [10.1.1.1]?Destination filename [TP5.crt]?Reading file from tftp://10.1.1.1/TP5.crtLoading TP5.crt from 10.1.1.1 (via Ethernet0/0.168): ![OK - 1692 bytes]% PEM files import succeeded.ssl-proxy(config)#endssl-proxy#*Apr 11 15:11:29.901: %SYS-5-CONFIG_I: Configured from console by consoleRelated Commands
crypto ca import pem
To import a PEM-formatted file to the SSL Services Module, use the crypto ca import pem command.
crypto ca import trustpoint_label pem [exportable] {terminal | url url | usage-keys} pass_phrase
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
SSL Services Module Release 1.2(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
You will receive an error if you enter the pass phrase incorrectly.The pass_phrase can be any phrase including spaces and punctuation except for "?", which has special meaning to the Cisco IOS parser.
Pass phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key when it is exported, and the same pass phrase must be entered when this key is imported to decrypt it.
When importing RSA keys, a public key or its corresponding certificate can be used.
The crypto ca import pem command imports only the private key (.prv), the server certificate (.crt), and the issuer CA certificate (.ca). If you have more than one level of CA in the certificate chain, you need to import the root and subordinate CA certificates before this command is issued for authentication. Use cut-and-paste or TFTP to import the root and subordinate CA certificates.
Examples
This example shows how to import a PEM-formatted file from the SSL Services Module:
ssl-proxy(config)# crypto ca import TP5 pem url tftp://10.1.1.1/TP5 password% Importing CA certificate...Address or name of remote host [10.1.1.1]?Destination filename [TP5.ca]?Reading file from tftp://10.1.1.1/TP5.caLoading TP5.ca from 10.1.1.1 (via Ethernet0/0.168): ![OK - 1976 bytes]% Importing private key PEM file...Address or name of remote host [10.1.1.1]?Destination filename [TP5.prv]?Reading file from tftp://10.1.1.1/TP5.prvLoading TP5.prv from 10.1.1.1 (via Ethernet0/0.168): ![OK - 963 bytes]% Importing certificate PEM file...Address or name of remote host [10.1.1.1]?Destination filename [TP5.crt]?Reading file from tftp://10.1.1.1/TP5.crtLoading TP5.crt from 10.1.1.1 (via Ethernet0/0.168): ![OK - 1692 bytes]% PEM files import succeeded.ssl-proxy(config)# endssl-proxy#*Apr 11 15:11:29.901: %SYS-5-CONFIG_I: Configured from console by consoleRelated Commands
crypto ca export pkcs12
To export a PKCS12 file from the SSL Services Module, use the crypto ca export command.
crypto ca export trustpoint_label pkcs12 file_system [pkcs12_filename] pass_phrase
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
Imported key pairs cannot be exported.
If you are using SSH, we recommend using SCP (secure file transfer) when exporting a PKCS12 file. SCP authenticates the host and encrypts the transfer session.
If you do not specify pkcs12_filename, you will be prompted to accept the default filename (the default filename is the trustpoint_label) or enter the filename. For the ftp: or tftp: value, include the full path in the pkcs12_filename.
You will receive an error if you enter the pass phrase incorrectly.
If there is more than one level of CA, the root CA and all the subordinate CA certificates are exported in the PKCS12 file.
Examples
This example shows how to export a PKCS12 file using SCP:
ssl-proxy(config)#crypto ca export TP1 pkcs12 scp: sky is blueAddress or name of remote host []? 10.1.1.1Destination username [ssl-proxy]? admin-1Destination filename [TP1]? TP1.p12Password:Writing TP1.p12 Writing pkcs12 file to scp://admin-1@10.1.1.1/TP1.p12Password:!CRYPTO_PKI:Exported PKCS12 file successfully.ssl-proxy(config)#crypto ca import pkcs12
To import a PKCS12 file to the SSL Services Module, use the crypto ca import command.
crypto ca import trustpoint_label pkcs12 file_system [pkcs12_filename] pass_phrase
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
If you are using SSH, we recommend using SCP (secure file transfer) when importing a PKCS12 file. SCP authenticates the host and encrypts the transfer session.
If you do not specify pkcs12_filename, you will be prompted to accept the default filename (the default filename is the trustpoint_label) or to enter the filename. For the ftp: or tftp: value, include the full path in the pkcs12_filename.
You will receive an error if you enter the pass phrase incorrectly.
If there is more than one level of CA, the root CA and all the subordinate CA certificates are exported in the PKCS12 file.
Examples
This example shows how to import a PKCS12 file using SCP:
ssl-proxy(config)# crypto ca import TP2 pkcs12 scp: sky is blueAddress or name of remote host []? 10.1.1.1Source username [ssl-proxy]? admin-1Source filename [TP2]? /users/admin-1/pkcs12/TP2.p12Password:passwordSending file modes:C0644 4379 TP2.p12!ssl-proxy(config)#*Aug 22 12:30:00.531:%CRYPTO-6-PKCS12IMPORT_SUCCESS:PKCS #12 Successfully Imported.ssl-proxy(config)#crypto key export rsa pem
To export a PEM-formatted RSA key to the SSL Services Module, use the crypto key export rsa pem command.
crypto key export rsa keylabel pem {terminal | url url} {{3des | des} pass_phrase}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
SSL Services Module Release 1.2(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
The pass phrase can be any phrase including spaces and punctuation except for "?", which has special meaning to the Cisco IOS parser.
Pass phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key when it is exported, and the same pass phrase must be entered when this key is imported to decrypt it.
Examples
This example shows how to export a key from the SSL Services Module:
ssl-proxy(config)# crypto key export rsa test-keys pem url scp: 3des password% Key name:test-keysUsage:General Purpose KeyExporting public key...Address or name of remote host []? 7.0.0.7Destination username [ssl-proxy]? labDestination filename [test-keys.pub]?Password:Writing test-keys.pub Writing file to scp://lab@7.0.0.7/test-keys.pubPassword:!Exporting private key...Address or name of remote host []? 7.0.0.7Destination username [ssl-proxy]? labDestination filename [test-keys.prv]?Password:Writing test-keys.prv Writing file to scp://lab@7.0.0.7/test-keys.prvPassword:ssl-proxy(config)#crypto key import rsa pem
To import a PEM-formatted RSA key from the SSL Services Module, use the crypto key import rsa pem command.
crypto key import rsa keylabel pem [usage-keys] {terminal | url url} [exportable] passphrase}
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
SSL Services Module Release 1.2(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
The pass phrase can be any phrase including spaces and punctuation except "?", which has special meaning to the Cisco IOS parser.
Pass phrase protection associates a pass phrase with the key. The pass phrase is used to encrypt the key when it is exported, and the same pass phrase must be entered when this key is imported to decrypt it.
Examples
This example shows how to import a PEM-formatted RSA key to the SSL Services Module:
ssl-proxy(config)# crypto key import rsa newkeys pem url scp: password% Importing public key or certificate PEM file...Address or name of remote host []? 7.0.0.7Source username [ssl-proxy]? labSource filename [newkeys.pub]? test-keys.pubPassword:Sending file modes:C0644 272 test-keys.pubReading file from scp://lab@7.0.0.7/test-keys.pub!% Importing private key PEM file...Address or name of remote host []? 7.0.0.7Source username [ssl-proxy]? labSource filename [newkeys.prv]? test-keys.prvPassword:Sending file modes:C0644 963 test-keys.prvReading file from scp://lab@7.0.0.7/test-keys.prv!% Key pair import succeeded.ssl-proxy(config)#debug ssl-proxy
To turn on the debug flags in different system components, use the debug ssl-proxy command. Use the no form of this command to turn off the debug flags.
debug ssl-proxy {app | fdu [type] | ipc | pki [type] | ssl [type] | tcp [type]}
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
The fdu type includes the following values:
•
•
•
•
The pki type includes the following values:
•
•
•
•
•
The ssl type includes the following values:
•
•
•
•
Note
If you run TCP debug commands, the TCP module displays large amounts of debug information on the console, which can significantly slow down module performance. Slow module performance can lead to delayed processing of TCP connection timers, packets, and state transitions.The tcp type includes the following values:
•
•
•
•
Examples
This example shows how to turn on App debugging:
ssl-proxy# debug ssl-proxy appssl-proxy#This example shows how to turn on FDU debugging:
ssl-proxy# debug ssl-proxy fdussl-proxy#This example shows how to turn on IPC debugging:
ssl-proxy# debug ssl-proxy ipcssl-proxy#This example shows how to turn on PKI debugging:
ssl-proxy# debug ssl-proxy pkissl-proxy#This example shows how to turn on SSL debugging:
ssl-proxy# debug ssl-proxy sslssl-proxy#This example shows how to turn on TCP debugging:
ssl-proxy# debug ssl-proxy tcpssl-proxy#This example shows how to turn off TCP debugging:
ssl-proxy# no debug ssl-proxy tcpssl-proxy#show ssl-proxy admin-info
To display the administration VLAN and related IP and gateway addresses, use the show ssl-proxy admin-info command.
show ssl-proxy admin-info
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
EXEC mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Examples
This example shows how to display the administration VLAN and related IP and gateway addresses:
ssl-proxy# show ssl-proxy admin-infoSTE administration VLAN: 2STE administration IP address: 207.57.100.18STE administration gateway: 207.0.207.5ssl-proxy#Related Commands
show ssl-proxy buffers
To display the TCP buffer usage information, use the show ssl-proxy buffers command.
show ssl-proxy buffers
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
EXEC mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Examples
This example shows how to display the buffer usage and other information in the TCP subsystem:
ssl-proxy# show ssl-proxy buffersBuffers info for TCP module 1TCP data buffers used 2816 limit 112640TCP ingress buffer pool size 56320 egress buffer pool size 56320TCP ingress data buffers min-thresh 7208960 max-thresh 21626880TCP ingress data buffers used Current 0 Max 0TCP ingress buffer RED shift 9 max drop prob 10Conns consuming ingress data buffers 0Buffers with App 0TCP egress data buffers used Current 0 Max 0Conns consuming egress data buffers 0In-sequence queue bufs 0 OOO bufs 0ssl-proxy#Related Commands
show ssl-proxy certificate-history
To display the certificate event history information, use the show ssl-proxy certificate-history command.
show ssl-proxy certificate-history [service [name]]
Syntax Description
service [name]
Displays all certificate records of a proxy service and (optionally) for a specific proxy service.
Defaults
This command has no default settings.
Command Modes
EXEC mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
The show ssl-proxy certificate-history command displays these records:
•
•
•
•
•
•
•
•
A syslog message is generated for each record. The oldest records are deleted after the limit of 512 records is reached.
Examples
This example shows how to display the event history of all the certificate processing:
ssl-proxy# show ssl-proxy certificate-historyRecord 1, Timestamp:00:00:51, 16:36:34 UTC Oct 31 2002Installed Server Certificate, Index 5Proxy Service:s1, Trust Point:t3Key Pair Name:k3, Key Usage:RSA General Purpose, ExportableTime of Key Generation:12:27:58 UTC Oct 30 2002Subject Name:OID.1.2.840.113549.1.9.2 = simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.9, OID.2.5.4.5 = B0FFF235Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST = CA, C = US, EA =<16> simpson-pki@cisco.comSerial Number:5D3D1931000100000D99Validity Start Time:21:58:12 UTC Oct 30 2002End Time:22:08:12 UTC Oct 30 2003Renew Time:00:00:00 UTC Jan 1 1970End of Certificate RecordRecord 2, Timestamp:00:01:06, 16:36:49 UTC Oct 31 2002Installed Server Certificate, Index 6Proxy Service:s5, Trust Point:t10Key Pair Name:k10, Key Usage:RSA General Purpose, ExportableTime of Key Generation:07:56:43 UTC Oct 11 2002Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 = simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.9, OID.2.5.4.5 = B0FFF235Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST = CA, C = US, EA =<16> simpson-pki@cisco.comSerial Number:24BC81B7000100000D85Validity Start Time:22:38:00 UTC Oct 19 2002End Time:22:48:00 UTC Oct 19 2003Renew Time:00:00:00 UTC Jan 1 1970End of Certificate RecordRecord 3, Timestamp:00:01:34, 16:37:18 UTC Oct 31 2002Installed Server Certificate, Index 7Proxy Service:s6, Trust Point:t10Key Pair Name:k10, Key Usage:RSA General Purpose, ExportableTime of Key Generation:07:56:43 UTC Oct 11 2002Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 = simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.9, OID.2.5.4.5 = B0FFF235Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST = CA, C = US, EA =<16> simpson-pki@cisco.comSerial Number:24BC81B7000100000D85Validity Start Time:22:38:00 UTC Oct 19 2002End Time:22:48:00 UTC Oct 19 2003Renew Time:00:00:00 UTC Jan 1 1970End of Certificate RecordRecord 4, Timestamp:00:01:40, 16:37:23 UTC Oct 31 2002Deleted Server Certificate, Index 0Proxy Service:s6, Trust Point:t6Key Pair Name:k6, Key Usage:RSA General Purpose, Not ExportableTime of Key Generation:00:28:28 UTC Mar 1 1993Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 = simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.8, OID.2.5.4.5 = B0FFF235Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST = CA, C = US, EA =<16> simpson-pki@cisco.comSerial Number:5CB5CFD6000100000D97Validity Start Time:19:30:26 UTC Oct 30 2002End Time:19:40:26 UTC Oct 30 2003Renew Time:00:00:00 UTC Jan 1 1970End of Certificate Record% Total number of certificate history records displayed = 4ssl-proxy#This example shows how to display the certificate record for a specific proxy service:
ssl-proxy# show ssl-proxy certificate-history service s6Record 3, Timestamp:00:01:34, 16:37:18 UTC Oct 31 2002Installed Server Certificate, Index 7Proxy Service:s6, Trust Point:t10Key Pair Name:k10, Key Usage:RSA General Purpose, ExportableTime of Key Generation:07:56:43 UTC Oct 11 2002Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 = simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.9, OID.2.5.4.5 = B0FFF235Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST = CA, C = US, EA =<16> simpson-pki@cisco.comSerial Number:24BC81B7000100000D85Validity Start Time:22:38:00 UTC Oct 19 2002End Time:22:48:00 UTC Oct 19 2003Renew Time:00:00:00 UTC Jan 1 1970End of Certificate RecordRecord 4, Timestamp:00:01:40, 16:37:23 UTC Oct 31 2002Deleted Server Certificate, Index 0Proxy Service:s6, Trust Point:t6Key Pair Name:k6, Key Usage:RSA General Purpose, Not ExportableTime of Key Generation:00:28:28 UTC Mar 1 1993Subject Name:CN = host1.cisco.com, OID.1.2.840.113549.1.9.2 = simpson5-2-ste.cisco.com, OID.1.2.840.113549.1.9.8 = 207.79.1.8, OID.2.5.4.5 = B0FFF235Issuer Name:CN = SimpsonTestCA, OU = Simpson Lab, O = Cisco Systems, L = San Jose, ST = CA, C = US, EA =<16> simpson-pki@cisco.comSerial Number:5CB5CFD6000100000D97Validity Start Time:19:30:26 UTC Oct 30 2002End Time:19:40:26 UTC Oct 30 2003Renew Time:00:00:00 UTC Jan 1 1970End of Certificate RecordTotal number of certificate history records displayed = 2Related Commands
show ssl-proxy conn
To display the TCP connections from the SSL Services Module, use the show ssl-proxy conn command.
show ssl-proxy conn 4tuple [local {ip local-ip-addr local-port} [remote [{ip remote-ip-addr [port remote-port]} | {port remote-port [ip remote-ip-addr]}]]]
show ssl-proxy conn 4tuple [local {port local-port} [remote [{ip remote-ip-addr [port remote-port]} | {port remote-port [ip remote-ip-addr]}]]]
show ssl-proxy conn 4tuple [local {remote [{ip remote-ip-addr [port remote-port]} | {port remote-port [ip remote-ip-addr]}]]
show ssl-proxy conn service name
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Examples
These examples show different ways to display the TCP connection established from the SSL Services Module:
ssl-proxy# show ssl-proxy connConnections for TCP module 1Local Address Remote Address VLAN Conid Send-Q Recv-Q State--------------------- --------------------- ---- ------ ------ ------ ------2.0.0.10:4430 1.200.200.14:48582 2 0 0 0 ESTAB1.200.200.14:48582 2.100.100.72:80 2 1 0 0 ESTAB2.0.0.10:4430 1.200.200.14:48583 2 2 0 0 ESTAB1.200.200.14:48583 2.100.100.72:80 2 3 0 0 ESTAB2.0.0.10:4430 1.200.200.14:48584 2 4 0 0 ESTAB1.200.200.14:48584 2.100.100.72:80 2 5 0 0 ESTAB2.0.0.10:4430 1.200.200.14:48585 2 6 0 0 ESTAB1.200.200.14:48585 2.100.100.72:80 2 7 0 0 ESTAB2.0.0.10:4430 1.200.200.14:48586 2 8 0 0 ESTAB1.200.200.14:48586 2.100.100.72:80 2 9 0 0 ESTABssl-proxy# show ssl-proxy conn 4tuple local port 443Connections for TCP module 1Local Address Remote Address VLAN Conid Send-Q Recv-Q State--------------------- --------------------- ---- ------ ------ ------ ------2.50.50.133:443 1.200.200.12:39728 2 113676 0 0 TWAITNo Bound Connection2.50.50.133:443 1.200.200.12:39729 2 113680 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:40599 2 113684 0 0 TWAITNo Bound Connection2.50.50.132:443 1.200.200.13:48031 2 114046 0 0 TWAITNo Bound Connection2.50.50.132:443 1.200.200.13:48032 2 114048 0 0 TWAITNo Bound Connection2.50.50.132:443 1.200.200.13:48034 2 114092 0 0 TWAITNo Bound Connection2.50.50.132:443 1.200.200.13:48035 2 114100 0 0 TWAITNo Bound Connectionssl-proxy# show ssl-proxy conn 4tuple remote ip 1.200.200.14Connections for TCP module 1Local Address Remote Address VLAN Conid Send-Q Recv-Q State--------------------- --------------------- ---- ------ ------ ------ ------2.50.50.131:443 1.200.200.14:38814 2 58796 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:38815 2 58800 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:38817 2 58802 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:38818 2 58806 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:38819 2 58810 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:38820 2 58814 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:38821 2 58818 0 0 TWAITNo Bound Connectionssl-proxy# show ssl-proxy conn service iis1Connections for TCP module 1Local Address Remote Address VLAN Conid Send-Q Recv-Q State--------------------- --------------------- ---- ------ ------ ------ ------2.50.50.131:443 1.200.200.14:41217 2 121718 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:41218 2 121722 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:41219 2 121726 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:41220 2 121794 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:41221 2 121808 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:41222 2 121940 0 0 TWAITNo Bound Connection2.50.50.131:443 1.200.200.14:41223 2 122048 0 0 TWAITNo Bound Connectionshow ssl-proxy crash-info
To collect software-forced reset information from the SSL Services Module, use the show ssl-proxy crash-info command.
show ssl-proxy crash-info [brief | details]
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Examples
The following example shows how to collect software-forced reset information:
ssl-proxy# show ssl-proxy crash-info===== SSL SERVICE MODULE - START OF CRASHINFO COLLECTION =====------------- COMPLEX 0 [FDU_IOS] ----------------------NVRAM CHKSUM:0xEB28NVRAM MAGIC:0xC8A514F0NVRAM VERSION:1++++++++++ CORE 0 (FDU) ++++++++++++++++++++++CID:0APPLICATION VERSION:2003.04.15 14:50:20 built for cantucAPPROXIMATE TIME WHEN CRASH HAPPENED:14:06:04 UTC Apr 16 2003THIS CORE DIDN'T CRASHTRACEBACK:222D48 216894CPU CONTEXT -----------------------------$0 :00000000, AT :00240008, v0 :5A27E637, v1 :000F2BB1a0 :00000001, a1 :0000003C, a2 :002331B0, a3 :00000000t0 :00247834, t1 :02BFAAA0, t2 :02BF8BB0, t3 :02BF8BA0t4 :02BF8BB0, t5 :00247834, t6 :00000000, t7 :00000001s0 :00000000, s1 :0024783C, s2 :00000000, s3 :00000000s4 :00000001, s5 :0000003C, s6 :00000019, s7 :0000000Ft8 :00000001, t9 :00000001, k0 :00400001, k1 :00000000gp :0023AE80, sp :031FFF58, s8 :00000019, ra :00216894LO :00000000, HI :0000000A, BADVADDR :828D641CEPC :00222D48, ErrorEPC :BFC02308, SREG :34007E03Cause 0000C000 (Code 0x0):Interrupt exceptionCACHE ERROR registers -------------------CacheErrI:00000000, CacheErrD:00000000ErrCtl:00000000, CacheErrDPA:0000000000000000PROCESS STACK -----------------------------stack top:0x3200000Process stack in use:sp is close to stack top;printing 1024 bytes from stack top:031FFC00:06405DE0 002706E0 0000002D 00000001 .@]`.'.`...-....031FFC10:06405DE0 002706E0 00000001 0020B800 .@]`.'.`..... 8.031FFC20:031FFC30 8FBF005C 14620010 24020004 ..|0.?.\.b..$....................................FFFFFFD0:00000000 00000000 00000000 00000000 ................FFFFFFE0:00627E34 00000000 00000000 00000000 .b~4............FFFFFFF0:00000000 00000000 00000000 00000006 ................===== SSL SERVICE MODULE - END OF CRASHINFO COLLECTION =======The following example shows how to collect software-forced reset information:
ssl-proxy# show ssl-proxy crash-info brief===== SSL SERVICE MODULE - START OF CRASHINFO COLLECTION =====------------- COMPLEX 0 [FDU_IOS] ----------------------SKE CRASH INFO Error: wrong MAGIC # 0CLI detected an error in FDU_IOS crash-info; wrong magic.------------- COMPLEX 1 [TCP_SSL] ----------------------Crashinfo fragment #0 from core 2 at offset 0 error:Remote system reports wrong crashinfo magic.Bad fragment received. Reception abort.CLI detected an error in TCP_SSL crash-info;===== SSL SERVICE MODULE - END OF CRASHINFO COLLECTION =======show ssl-proxy mac address
To display the current MAC address, use the show ssl-proxy mac address command.
show ssl-proxy mac address
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
EXEC mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Examples
This example shows how to display the current MAC address used in the SSL Services Module:
ssl-proxy# show ssl-proxy mac addressSTE MAC address: 00e0.b0ff.f232ssl-proxy#show ssl-proxy natpool
To display NAT pool information, use the show ssl-proxy natpool command.
show ssl-proxy natpool [name]
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Examples
This example shows how to display information for a specific NAT address pool configured on the SSL Services Module:
ssl-proxy# show ssl-proxy natpool NP1Start ip: 207.57.110.1End ip: 207.57.110.8netmask: 255.0.0.0vlan associated with natpool: 2SSL proxy services using this natpool:S2S3S1S6Num of proxies using this natpool: 4ssl-proxy#Related Commands
show ssl-proxy policy
To display the configured SSL or TCP policies, use the show ssl-proxy policy command.
show ssl-proxy policy {ssl | tcp} [name]
Syntax Description
ssl
Displays the configured SSL policies.
tcp
Displays the configured TCP policies.
name
(Optional) Policy name.
Defaults
This command has no default settings.
Command Modes
EXEC mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Examples
This example shows how to display policy information for a specific SSL policy configured on the SSL Services Module:
ssl-proxy# show ssl-proxy policy ssl ssl-policy1Cipher suites: (None configured, default ciphers included)
rsa-with-rc4-128-md5
rsa-with-rc4-128-sha
rsa-with-des-cbc-sha
rsa-with-3des-ede-cbc-sha
SSL Versions enabled:SSL3.0, TLS1.0
strict close protocol:disabled
Session Cache:enabled
Handshake timeout not configured (never times out)
Num of proxies using this poilicy:0This example shows how to display policy information for a specific TCP policy configured on the SSL Services Module:
ssl-proxy# show ssl-proxy policy tcp tcp-policy1MSS 1250
SYN timeout 75
Idle timeout 600
FIN wait timeout 75
Rx Buffer Share 32768
Tx Buffer Share 32768
Usage count of this policy:0ssl-proxy#show ssl-proxy service
To display the configured SSL virtual server information, use the show ssl-proxy service command.
show ssl-proxy service [name]
Syntax Description
Defaults
This command has no default settings.
Command Modes
EXEC mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Examples
This example shows how to display all SSL virtual services configured on the SSL Services Module:
ssl-proxy# show ssl-proxy serviceProxy Service Name Admin Operation Eventsstatus statusS2 up upS3 up upS1 up upS6 down downssl-proxy#This example shows how to display a specific SSL virtual service configured on the SSL Services Module:
ssl-proxy# show ssl-proxy service S6Service id: 0, bound_service_id: 256Virtual IP: 10.10.1.104, port: 443Server IP: 10.10.1.100, port: 80Virtual SSL Policy: SSL1_PLCrsa-general-purpose certificate trustpoint: tptestCertificate chain for new connections:Server Certificate:Key Label: tptestSerial Number: 01Root CA Certificate:Serial Number: 00Certificate chain completeAdmin Status: upOperation Status: downProxy status: No Client VLAN, No Server VLANssl-proxy#show ssl-proxy stats
To display statistics counter information, use the show ssl-proxy stats command.
show ssl-proxy stats [type]
Syntax Description
type
(Optional) Information type; valid values are crypto, ipc, pki, service, ssl, and tcp. See the "Usage Guidelines" section for additional information.
Defaults
This command has no default settings.
Command Modes
EXEC mode
Command History
Usage Guidelines
The type values are defined as follows:
•
•
•
•
•
•
Examples
This example shows how to display all the statistics counters collected on the SSL Services Module:
ssl-proxy# show ssl-proxy statsTCP Statistics:Conns initiated : 20636 Conns accepted : 20636Conns established : 28744 Conns dropped : 28744Conns closed : 41272 SYN timeouts : 0Idle timeouts : 0 Total pkts sent : 57488Data packets sent : 0 Data bytes sent : 0Total Pkts rcvd : 70016 Pkts rcvd in seq : 0Bytes rcvd in seq : 0SSL Statistics:conns attempted : 20636 conns completed : 20636full handshakes : 0 resumed handshakes : 0active conns : 0 active sessions : 0renegs attempted : 0 conns in reneg : 0handshake failures : 20636 data failures : 0fatal alerts rcvd : 0 fatal alerts sent : 0no-cipher alerts : 0 ver mismatch alerts : 0no-compress alerts : 0 bad macs received : 0pad errors : 0 session fails : 0FDU Statistics:IP Frag Drops : 0 Serv_Id Drops : 9Conn Id Drops : 0 Bound Conn Drops : 0Vlan Id Drops : 0 Checksum Drops : 0IOS Congest Drops : 0 IP Version Drops : 0Hash Full Drops : 0 Hash Alloc Fails : 0Flow Creates : 41272 Flow Deletes : 41272conn_id allocs : 41272 conn_id deallocs : 41272Tagged Drops : 0 Non-Tagged Drops : 0Add ipcs : 3 Delete ipcs : 0Disable ipcs : 3 Enable ipcs : 0Unsolicited ipcs : 0 Duplicate ADD ipcs : 0IOS broadcast pkts : 29433 IOS unicast pkts : 5IOS total pkts : 29438ssl-proxy#This example shows how to display PKI statistical information:
ssl-proxy# show ssl-proxy stats pkiPKI Memory Usage Counters:Malloc count: 0Setstring count: 0Free count: 0Malloc failed: 0Ipc alloc count: 0Ipc free count: 0Ipc alloc failed: 0PKI IPC Counters:Request buffer sent: 0Request buffer received: 0Request duplicated: 0Response buffer sent: 0Response buffer received: 0Response timeout: 0Response with error status: 0Response with no request: 0Response duplicated: 0Message type error: 0PKI Accumulative Certificate Counters:Proxy service trustpoint added: 0Proxy service trustpoint deleted: 0Proxy service trustpoint modified: 0Keypair added: 0Keypair deleted: 0Wrong key type: 0Server certificate added: 0Server certificate deleted: 0Server certificate rolled over: 0Server certificate completed: 0Intermediate CA certificate added: 0Intermediate CA certificate deleted: 0Root CA certificate added: 0Root CA certificate deleted: 0Certificate overwritten: 0History records written: 0History records read from NVRAM: 0Key cert table entries in use: 0ssl-proxy#show ssl-proxy status
To display status information, use the show ssl-proxy status command.
show ssl-proxy status
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
EXEC mode
Command History
Examples
This example shows how to display the status on the SSL Services Module:
ssl-proxy# show ssl-proxy statusFDU cpu is alive!FDU cpu utilization:% process util : 0 % interrupt util : 0proc cycles : 0x4D52D1B7 int cycles : 0x6B6C9937total cycles: 0xB954D5BEB6FA% process util (5 sec) : 0 % interrupt util (5 sec) : 0% process util (1 min) : 0 % interrupt util (1 min): 0% process util (5 min) : 0 % interrupt util (5 min) : 0TCP cpu is alive!TCP cpu utilization:% process util : 0 % interrupt util : 0proc cycles : 0xA973D74D int cycles : 0xAA03E1D89Atotal cycles: 0xB958C8FF0E73% process util (5 sec) : 0 % interrupt util (5 sec) : 0% process util (1 min) : 0 % interrupt util (1 min): 0% process util (5 min) : 0 % interrupt util (5 min) : 0SSL cpu is alive!SSL cpu utilization:% process util : 0 % interrupt util : 0proc cycles : 0xD475444 int cycles : 0x21865088Etotal cycles: 0xB958CCEB8059% process util (5 sec) : 0 % interrupt util (5 sec) : 0% process util (1 min) : 0 % interrupt util (1 min): 0% process util (5 min) : 0 % interrupt util (5 min) : 0show ssl-proxy version
To display the current image version, use the show ssl-proxy version command.
show ssl-proxy version
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
EXEC mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Examples
This example shows how to display the image version currently running on the SSL Services Module:
ssl-proxy# show ssl-proxy versionCisco Internetwork Operating System SoftwareIOS (tm) SVCSSL Software (SVCSSL-K9Y9-M), Version 12.2(14.6)SSL(0.19) INTERIM TEST SOFTWARECopyright (c) 1986-2003 by cisco Systems, Inc.Compiled Thu 10-Apr-03 03:03 by integImage text-base: 0x00400078, data-base: 0x00ABE000ROM: System Bootstrap, Version 12.2(11)YS1 RELEASE SOFTWAREssl-proxy uptime is 3 days, 22 hours, 22 minutesSystem returned to ROM by power-onSystem image file is "tftp://10.1.1.1/unknown"AP Version 1.2(1)ssl-proxy#show ssl-proxy vlan
To display VLAN information, use the show ssl-proxy vlan command.
show ssl-proxy vlan [vlan-id | debug]
Syntax Description
vlan-id
(Optional) VLAN ID. Displays information for a specific VLAN; valid values are from 1 to 1005.
debug
(Optional) Displays debug information.
Defaults
This command has no default settings.
Command Modes
EXEC mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Examples
This example shows how to display all the VLANs configured on the SSL Services Module:
ssl-proxy# show ssl-proxy vlanVLAN index 2 (admin VLAN)IP addr 10.1.1.1 NetMask 255.0.0.0 Gateway 10.1.1.5Network 10.1.1.2 Mask 255.0.0.0 Gateway 10.1.1.6VLAN index 3IP addr 10.1.1.3 NetMask 255.0.0.0 Gateway 10.1.1.6VLAN index 6IP addr 10.1.1.4 NetMask 255.0.0.0ssl-proxy#Related Commands
ssl-proxy crypto selftest
To initiate a cryptographic self-test, use the ssl-proxy crypto selftest command. Use the no form of this command to disable the testing.
ssl-proxy crypto selftest [time-interval seconds]
no ssl-proxy crypto selftest
Syntax Description
time-interval seconds
(Optional) Sets the time interval between test cases; valid values are from 1 to 8 seconds.
Defaults
3 seconds
Command Modes
Global configuration mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
The ssl-proxy crypto selftest command enables a set of crypto algorithm tests to be run on the SSL processor in the background. Random number generation, hashing, encryption and decryption, and MAC generation are tested with a time interval in between test cases.
This test is run only for troubleshooting purposes. Running this test will impact run-time performance.
To display the results of the self-test, enter the show ssl-proxy stats crypto command.
Examples
This example shows how to start a cryptographic self-test:
ssl-proxy (config)# ssl-proxy crypto selftestssl-proxy (config)#ssl-proxy mac address
To configure a MAC address, use the ssl-proxy mac address command.
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
Enter the MAC address in this format: H.H.H.
Examples
This example shows how to configure a MAC address:
ssl-proxy (config)# ssl-proxy mac address 00e0.b0ff.f232ssl-proxy (config)#Related Commands
ssl-proxy natpool
To define a pool of IP addresses, which the SSL Services Module uses for implementing the client NAT, use the ssl-proxy natpool command.
Syntax Description
nat-pool-name
NAT pool name.
start-ip-addr
Start IP address.
netmask netmask
Netmask; see the "Usage Guidelines" section for additional information.
Defaults
This command has no default settings.
Command Modes
Global configuration mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Examples
This example shows how to define a pool of IP addresses:
ssl-proxy (config)# ssl-proxy natpool NP2 207.59.10.01 207.59.10.08 netmask 255.0.0.0ssl-proxy (config)#Related Commands
ssl-proxy pki history
To enable the PKI event history option, use the ssl-proxy pki history command. Use the no form of this command to disable the logging and clear the memory.
ssl-proxy pki history
no ssl-proxy pki history
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
The ssl-proxy pki history command enables logging of certificate history records per-proxy service into memory and generates a syslog message per record. Each record keeps track of the addition or deletion of a keypair or certificate into the proxy services key and the certificate table.
When the index of the table changes, this command logs the following information:
•
•
•
•
•
Up to 512 records can be stored in the memory at one time.
Examples
This example shows how to enable the PKI event history option:
ssl-proxy (config)# ssl-proxy pki historyssl-proxy (config)#Related Commands
ssl-proxy policy ssl
To enter the SSL-policy configuration submode, use the ssl-proxy policy ssl command.
ssl-proxy policy ssl ssl-policy-name
Syntax Description
Defaults
The defaults are as follows:
•
•
•
•
•
•
•
Command Modes
Global configuration mode
Command History
Usage Guidelines
In the SSL-policy configuration submode, you can define the SSL policy for one or more SSL-proxy services.
Each SSL-policy configuration submode command is entered on its own line.
Table B-3 lists the commands available in SSL-policy configuration submode.
You can define the SSL policy templates using the ssl-proxy policy ssl ssl-policy-name command and associate a SSL policy with a particular proxy server using the proxy server configuration CLI. The SSL policy template allows you to define various parameters associated with the SSL handshake stack.
When close-notify is enabled, a close-notify alert message is sent to the client and a close-notify alert message is expected from the client as well. When disabled, the server sends a close-notify alert message to the client, however the server does not expect, nor wait for, a close-notify message from the client before tearing down the session.
The cipher-suite names follow the same convention as the existing SSL Stacks.
The cipher-suites acceptable to the proxy-server are as follows:
•
•
•
•
•
If you enter the timeout session timeout absolute command, the session entry is kept in the session cache for the configured timeout before it is cleaned up. If the session cache is full with the timers being active for all the entries and the absolute option is configured, all further new sessions are rejected.
If you enter the timeout session timeout command without the absolute option, the specified timeout is treated as the maximum timeout and a best-effort is made to keep the session entry in the session cache. If the session cache runs out of session entries, a session entry that is currently being used is removed for incoming new connections.
Examples
This example shows how to enter the SSL-policy configuration submode:
ssl-proxy (config)# ssl-proxy policy ssl sslpl1ssl-proxy (config-ssl-policy)#This example shows how to define the cipher suites supported for the SSL-policy:
ssl-proxy (config-ssl-policy)# cipher RSA_WITH_3DES_EDE_CBC_SHAssl-proxy (config-ssl-policy)#This example shows how to enable the SSL session closing protocol:
ssl-proxy (config-ssl-policy)# close-protocol enablessl-proxy (config-ssl-policy)#This example shows how to disable the SSL session closing protocol:
ssl-proxy (config-ssl-policy)# no close-protocol enablessl-proxy (config-ssl-policy)#These examples show how to set a given command to its default setting:
ssl-proxy (config-ssl-policy)# default cipherssl-proxy (config-ssl-policy)# default close-protocolssl-proxy (config-ssl-policy)# default session-cachessl-proxy (config-ssl-policy)# default versionssl-proxy (config-ssl-policy)#This example shows how to enable the the session-cache option:
ssl-proxy (config-ssl-policy)# session-cache enablessl-proxy (config-ssl-policy)#This example shows how to disable the the session-cache option:
ssl-proxy (config-ssl-policy)# no session-cache enablessl-proxy (config-ssl-policy)#This example shows how to set the maximum number of session entries to be allocated for a given service:
ssl-proxy (config-ssl-policy)# session-cache size 22000ssl-proxy (config-ssl-policy)#This example shows how to configure the session timeout to absolute:ssl-proxy (config-ssl-policy)# timeout session 30000 absolutessl-proxy (config-ssl-policy)#These examples show how to enable the support of different SSL versions:
ssl-proxy (config-ssl-policy)# version allssl-proxy (config-ssl-policy)# version ssl3ssl-proxy (config-ssl-policy)# version tls1ssl-proxy (config-ssl-policy)#This example shows how to print out a general help page:
ssl-proxy (config-ssl-policy)# helpssl-proxy (config-ssl-policy)#Related Commands
show ssl-proxy stats
show ssl-proxy stats sslssl-proxy policy tcp
To enter the proxy policy TCP configuration submode, use the ssl-proxy policy tcp command. In proxy policy TCP configuration submode, you can define the TCP policy templates.
ssl-proxy policy tcp tcp-policy-name
Syntax Description
Defaults
The defaults are as follows:
•
•
•
•
•
•
•
Command Modes
Global configuration mode
Command History
Usage Guidelines
After you have defined the TCP policy, you can associate the TCP policy with a proxy server using the proxy-policy TCP configuration submode commands.
Each proxy-policy TCP configuration submode command is entered on its own line.
Table B-4 lists the commands available in proxy-policy TCP configuration submode.
Usage Guidelines
TCP commands entered on the SSL Services Module can apply either globally or to a particular proxy server.
You can configure a different maximum segment size for the client side and the server side of the proxy server.
The TCP policy template allows you to define parameters associated with the TCP stack.
You can either enter the no form of the command to return to the default setting or use the default option.
Examples
This example shows how to enter the proxy-policy TCP configuration submode:
ssl-proxy (config)# ssl-proxy policy tcp tcppl1ssl-proxy (config-tcp-policy)#These examples show how to set a given command to its default value:
ssl-proxy (config-tcp-policy)# default timeout fin-waitssl-proxy (config-tcp-policy)# default inactivity-timeoutssl-proxy (config-tcp-policy)# default buffer-share rxssl-proxy (config-tcp-policy)# default buffer-share txssl-proxy (config-tcp-policy)# default mssssl-proxy (config-tcp-policy)# default timeout synssl-proxy (config-tcp-policy)#This example shows how to define the FIN wait timeout in seconds:
ssl-proxy (config-tcp-policy)# timeout fin-wait 200ssl-proxy (config-tcp-policy)#This example shows how to define the inactivity timeout in seconds:
ssl-proxy (config-tcp-policy)# timeout inactivity 300ssl-proxy (config-tcp-policy)#This example shows how to define the maximum receive buffer size configuration:
ssl-proxy (config-tcp-policy)# buffer-share rx 16384ssl-proxy (config-tcp-policy)#This example shows how to define the maximum transmit buffer size configuration:
ssl-proxy (config-tcp-policy)# buffer-share tx 13444ssl-proxy (config-tcp-policy)#This example shows how to define the maximum segment size for TCP:
ssl-proxy (config-tcp-policy)# mss 1460ssl-proxy (config-tcp-policy)#This example shows how to define the initial connection (SYN) timeout value:
ssl-proxy (config-tcp-policy)# timeout syn 5ssl-proxy (config-tcp-policy)#This example shows how to define the reassembly timeout value:
ssl-proxy (config-tcp-policy)# timeout reassembly 120ssl-proxy (config-tcp-policy)#Related Commands
ssl-proxy service
To enter the proxy-service configuration submode, use the ssl-proxy-service command. In proxy-service configuration submode, you can configure the virtual IP address and port associated with the proxy service and the associated target IP address and port. You can also define TCP and SSL policies for both the client side (beginning with the virtual keyword) and the serve side of the proxy (beginning with the server keyword).
ssl-proxy service ssl-proxy-name
Syntax Description
Defaults
Server NAT is enabled, and client NAT is disabled
Command Modes
Global configuration mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
Each proxy-service configuration submode command is entered on its own line.
Table B-5 lists the commands available in proxy-service configuration submode.
Both secured and bridge mode between the Content Switching Module (CSM) and the SSL Services Module is supported.
Use the secondary option (optional) for bridge-mode topology.
Examples
This example shows how to enter the proxy-service configuration submode:
ssl-proxy (config)# ssl-proxy service S6ssl-proxy (config-ssl-proxy)#This example shows how to configure the certificate for the specified SSL proxy services:
ssl-proxy (config-ssl-proxy)# certificate rsa general-purpose trustpoint tp1ssl-proxy (config-ssl-proxy)#These examples show how to set a specified command to its default value:
ssl-proxy (config-ssl-proxy)# default certificatessl-proxy (config-ssl-proxy)# default inservicessl-proxy (config-ssl-proxy)# default natssl-proxy (config-ssl-proxy)# default serverssl-proxy (config-ssl-proxy)# default virtualssl-proxy (config-ssl-proxy)#This example shows how to configure a virtual IP address for the specified virtual server:
ssl-proxy (config-ssl-proxy)# virtual ipaddr 207.59.100.20 protocol tcp port 443ssl-proxy (config-ssl-proxy)#This example shows how to configure the SSL policy for the specified virtual server:
ssl-proxy (config-ssl-proxy)# virtual policy ssl sslpl1ssl-proxy (config-ssl-proxy)#This example shows how to configure the TCP policy for the specified virtual server:
ssl-proxy (config-ssl-proxy)# virtual policy tcp tcppl1ssl-proxy (config-ssl-proxy)#This example shows how to configure a clear-text web server for the SSL Services Module to forward the decrypted traffic:
ssl-proxy (config-ssl-proxy)# server ipaddr 207.50.0.50 protocol tcp port 80ssl-proxy (config-ssl-proxy)#This example shows how to configure a TCP policy for the given clear-text web server:
ssl-proxy (config-ssl-proxy)# server policy tcp tcppl1ssl-proxy (config-ssl-proxy)#This example shows how to configure a NAT pool for the client address used in the server connection of the specified service SSL offload:
ssl-proxy (config-ssl-proxy)# nat client NP1ssl-proxy (config-ssl-proxy)#This example shows how to enable a NAT server address for the server connection of the specified service SSL offload:
ssl-proxy (config-ssl-proxy)# nat serverssl-proxy (config-ssl-proxy)#Related Commands
ssl-proxy ssl ratelimit
To prohibit new connections during overload conditions, use the ssl-proxyy ssl ratelimit command. Use the no form of this command to allow new connections as long as memory is available.
ssl-proxyy ssl ratelimit
no ssl-proxyy ssl ratelimit
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Modes
Global configuration
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Examples
This example shows how to prohibit new connections during overload conditions:
ssl-proxy (config)# ssl-proxy ssl ratelimitssl-proxy (config)#This example shows how to allow new connections during overload conditions as long as memory is available:
ssl-proxy (config)# no ssl-proxy ssl ratelimitssl-proxy (config)#ssl-proxy vlan
To enter the proxy-VLAN configuration submode, use the ssl-proxy vlan command. In proxy-VLAN configuration submode, you can configure a VLAN for the SSL Services Module.
ssl-proxy vlan vlan
Syntax Description
Defaults
This command has no default settings.
Command Modes
Global configuration mode
Command History
Cisco IOS Release 12.1(13)E and SSL Services Module Release 1.1(1)
Support for this command was introduced on the Catalyst 6500 series switches.
Usage Guidelines
VLAN 1 is not supported by the CSM.
Extended range VLANs are not supported by the SSL Services Module.
Each proxy-VLAN configuration submode command is entered on its own line.
Table B-6 lists the commands available in proxy-VLAN configuration submode.
You must remove the administration VLAN status of the current administration VLAN before you can configure a different administration VLAN.
An administration VLAN is used for communication with the certificate agent (PKI) and the management station (SNMP).
When configuring the gateway, the drop option allows the SSL Services Module to drop a packet if a virtual service cannot be found relating to the packet.
When configuring the gateway, the forward option allows the SSL Services Module to forward a packet to the gateway of the specified VLAN, if a virtual service cannot be found relating to the packet.
Examples
This example shows how to enter the proxy-VLAN configuration submode:
ssl-proxy (config)# ssl-proxy vlan 6ssl-proxy (config-vlan)#These examples show how to set a specified command to its default value:
ssl-proxy (config-vlan)# default adminssl-proxy (config-vlan)# default gatewayssl-proxy (config-vlan)# default ipaddrssl-proxy (config-vlan)# default routeThis example shows how to configure the specified VLAN with a gateway:
ssl-proxy (config-vlan)# gateway 209.0.207.5ssl-proxy (config-vlan)#This example shows how to configure the specified VLAN with an IP address and subnet mask:
ssl-proxy (config-vlan)# ipaddr 208.59.100.18 255.0.0.0ssl-proxy (config-vlan)#This example shows how to configure a gateway for the SSL Services Module to reach a nondirect connected subnetwork:
ssl-proxy (config-vlan)# route 210.0.207.0 255.0.0.0 gateway 209.0.207.6ssl-proxy (config-vlan)#Related Commands
