What is the role of SSL fallback option in VIA deployments and how to configure it?

By Arunkumar posted Jul 03, 2014 06:05 PM


This article explains the need for SSL fallback in VIA deployments and how to configure it.

Some network firewalls block UDP ports 500 and 4500, which are essential for establishing an IPsec connection. If a user is connected to such a network, the IPsec connection initiated by VIA fails. In these situations, the SSL fallback option of VIA can take advantage of UDP port 443 (used for HTTPS), which almost all firewalls allow.
When the SSL fallback option is enabled, it allows the VIA client to connect securely to the controller by wrapping the IPsec packets in an SSL header. Note that with SSL fallback enabled, each VIA client accounts for two IPsec tunnels toward the controller's IPsec tunnel limit.
Environment: This article applies to all controllers running OS versions 5.0 and 6.0 and to all VIA client versions.
The SSL fallback can be enabled or disabled in the VIA global configuration.
To configure SSL fallback:

(NTWK-SER-3400) #configure t
Enter Configuration commands, one per line. End with CNTL/Z
(NTWK-SER-3400) (config) #aaa authentication via global-config
(NTWK-SER-3400) (VIA Global Configuration) #ssl-fallback-enable
(NTWK-SER-3400) (VIA Global Configuration) #
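As an added illustration (not part of the original article and not Aruba's code), the script below models the behaviour described above: which transport a VIA client behind a given egress firewall ends up using, and how the ssl-fallback-enable setting doubles each client's weight against the controller's IPsec tunnel limit. The firewall rule sets, the client count and the default-deny, first-match semantics are constructed assumptions.

```python
"""Predict VIA transport per client network and the resulting IPsec tunnel count.

Constructed planning aid: models the article's two points, that native IPsec
needs UDP 500 and 4500 open while SSL fallback only needs port 443, and that
enabling ssl-fallback makes every VIA client count as two IPsec tunnels.
"""
from dataclasses import dataclass
from typing import List, Optional

IKE_UDP_PORTS = (500, 4500)  # both must be open for VIA's native IPsec
FALLBACK_PORT = 443          # SSL fallback rides the HTTPS port


@dataclass(frozen=True)
class Rule:
    """One egress firewall rule; proto is 'udp', 'tcp' or 'any' (assumed model)."""
    proto: str
    port: int
    allow: bool


def port_allowed(rules: List[Rule], port: int, proto: Optional[str]) -> bool:
    """First matching rule wins; unmatched traffic is denied (assumed default-deny)."""
    for r in rules:
        if r.port == port and (proto is None or r.proto in ("any", proto)):
            return r.allow
    return False


def via_transport(rules: List[Rule], ssl_fallback_enabled: bool) -> str:
    """Return 'ipsec', 'ssl-fallback' or 'blocked' for a client behind `rules`."""
    if all(port_allowed(rules, p, "udp") for p in IKE_UDP_PORTS):
        return "ipsec"
    # The article only says port 443 is almost universally open, so this
    # check is deliberately protocol-agnostic (proto=None).
    if ssl_fallback_enabled and port_allowed(rules, FALLBACK_PORT, None):
        return "ssl-fallback"
    return "blocked"


def tunnels_counted(num_clients: int, ssl_fallback_enabled: bool) -> int:
    """Each VIA client counts as two IPsec tunnels once ssl-fallback is enabled."""
    return num_clients * (2 if ssl_fallback_enabled else 1)


# Constructed sample networks: hotel Wi-Fi that blocks IKE, a branch that allows it,
# and a locked-down guest network that blocks even 443.
HOTEL_WIFI = [Rule("udp", 500, False), Rule("udp", 4500, False), Rule("tcp", 443, True)]
BRANCH_OFFICE = [Rule("udp", 500, True), Rule("udp", 4500, True), Rule("any", 443, True)]
LOCKED_DOWN = [Rule("any", 443, False)]

if __name__ == "__main__":
    for name, rules in [("hotel", HOTEL_WIFI), ("branch", BRANCH_OFFICE), ("locked", LOCKED_DOWN)]:
        print(f"{name}: fallback off={via_transport(rules, False)}, on={via_transport(rules, True)}")
    print("tunnel slots for 300 clients with fallback on:", tunnels_counted(300, True))
```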