
[WebApp Secure/Mykonos] Unable to configure multiple SSL applications due to error "ip/port combination must be unique across all applications for SSL traffic"


Article ID: KB29710 KB Last Updated: 28 Dec 2015 Version: 1.0
Summary:

This article describes the steps to configure and protect multiple HTTPS websites through WebApp Secure.

Symptoms:

When trying to configure multiple SSL backend servers on WebApp Secure, the following error is seen and prevents the configuration changes from being saved:

Please correct the following validation errors.
• applications.website1.listen.ip_address.0, applications.website2.listen.ip_address.0 both use the same ip/port combination for SSL: [20.20.20.45:443]. The ip/port combination must be unique across all applications for SSL traffic. Change the ip or the port for one of the applications.

Cause:

WebApp Secure requires that each SSL application be mapped to a unique IP address or port so that it can associate the SSL certificate and key with the appropriate backend server.

Solution:

The solution is to configure an alias IP so that WebApp Secure can associate that IP with the other SSL backend server.

The syntax to configure the alias IP is as follows (the following example uses eth0 as the traffic interface and is applicable for versions 5.5.x and later):

cli system set interface eth0:0 onboot yes bootproto static ipaddr <alias_ip> netmask <subnet_mask> gateway <default_gateway_of_traffic_interface>

After configuring the alias IP, the network service must be restarted for WebApp Secure to detect the new alias IP. If the network service is not restarted, the alias IP does not show up in the listening IP address list in the SSL application configuration. To restart the network service, use the following command:

cli system services restart network

For example, eth0 is the traffic interface with IP 20.20.20.45 on which the device listens for SSL application #1. SSL application #2 listens on eth0 alias IP 20.20.20.101:

"interfaces": {
    "eth0": {
        "bootproto": "static",
        "gateway": "20.20.20.1",
        "ipaddr": "20.20.20.45",
        "netmask": "255.255.255.0",
        "nm_controlled": "no",
        "onboot": "yes",
        "userctl": "yes"
    },
    "eth0:0": {
        "bootproto": "static",
        "gateway": "20.20.20.1",
        "ipaddr": "20.20.20.101",
        "netmask": "255.255.255.0",
        "onboot": "yes"
    },

When configuring SSL application #2 under Applications > select the relevant application > Proxy/SSL settings, select 20.20.20.101 (from the above example) as the listening IP so that the ip/port combination is unique. Both SSL applications will then work.
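The following pre-check is an added example, not Juniper code: it reports SSL applications that share an ip/port combination (the condition behind the validation error) and listen IPs that are not yet configured on any interface or alias. The "interfaces" section follows the example above; the layout of "applications" (listen.ip_address, listen.port, listen.ssl) is an assumption inferred from the key path in the error message, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample. "interfaces" mirrors the article's example; the layout of
# "applications" (listen.ip_address list, listen.port, listen.ssl) is assumed
# from the key path shown in the validation error.
SAMPLE_CONFIG = json.loads("""
{
  "interfaces": {
    "eth0":   {"ipaddr": "20.20.20.45",  "netmask": "255.255.255.0", "onboot": "yes"},
    "eth0:0": {"ipaddr": "20.20.20.101", "netmask": "255.255.255.0", "onboot": "yes"}
  },
  "applications": {
    "website1": {"listen": {"ip_address": ["20.20.20.45"], "port": 443, "ssl": true}},
    "website2": {"listen": {"ip_address": ["20.20.20.45"], "port": 443, "ssl": true}}
  }
}
""")


def ssl_listen_conflicts(config):
    """Return {(ip, port): [app, ...]} for SSL listeners claimed by more than one app."""
    claimed = defaultdict(list)
    for name, app in sorted(config.get("applications", {}).items()):
        listen = app.get("listen", {})
        if not listen.get("ssl"):
            continue  # the uniqueness rule in the article applies to SSL traffic only
        for ip in listen.get("ip_address", []):
            # Assumption: a listener with no explicit port uses 443.
            claimed[(ip, listen.get("port", 443))].append(name)
    return {k: v for k, v in claimed.items() if len(v) > 1}


def unbound_listen_ips(config):
    """Return {app: [ip, ...]} for listen IPs not configured on any interface or alias."""
    bound = {i.get("ipaddr") for i in config.get("interfaces", {}).values()}
    missing = {}
    for name, app in sorted(config.get("applications", {}).items()):
        ips = [ip for ip in app.get("listen", {}).get("ip_address", []) if ip not in bound]
        if ips:
            missing[name] = ips
    return missing


if __name__ == "__main__":
    for (ip, port), apps in ssl_listen_conflicts(SAMPLE_CONFIG).items():
        print(f"conflict on {ip}:{port}: {', '.join(apps)}")
    for app, ips in unbound_listen_ips(SAMPLE_CONFIG).items():
        print(f"{app}: listen IP(s) not on any interface: {', '.join(ips)}")
```

With the sample as written, both applications are reported as sharing 20.20.20.45:443; pointing website2 at the alias 20.20.20.101 clears the conflict.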
