Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
483
Views
0
Helpful
4
Replies

ACE: Problem with end-to-end SSL

ciscocsoc
Level 4
Level 4

‎10-04-2007 09:04 AM

Hi,

I'm having a problem with configuring end-to-end SSL as documented in Section 5 of the ACE SSL guide.

Without the ssl-proxy definition it "works" in the sense that the response is HTTPS format from either of the real servers.

If I add

ssl-proxy server PSERVICE_SERVER into

policy-map multi-match LB-VIP

class VIP-CATHY-https

loadbalance vip inservice

loadbalance policy VIP-LB-CATHY-https

then it fails and a wireshark trace shows a Handshake Failure - but no helpful details.

What I'm trying to do is terminate and re-initiate the SSL traffic to the two real servers.

Am I missing something obvious? The configuration of my Test context is attached.

Kind Regards

Cathy

Labels:
Preview file
3 KB
0 Helpful
4 Replies 4

bwilmoth
Level 5
Level 5

‎10-10-2007 11:38 AM

Check this bug information :CSCsg04254

0 Helpful

ciscocsoc
Level 4
Level 4
In response to bwilmoth

‎10-10-2007 10:28 PM

Thank you.

I don't have access to the bug database - so if you could copy it to here that would be helpful.

I think I've got a config that works. I hadn't grasped the necessity for a layer 7 policy to make it work. Also I needed to set the close-protocol in the SSL parameters to be none rather than strict (default).

Kind Regards

Cathy

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to ciscocsoc

‎10-11-2007 01:29 AM

Cathy, are you using IE ??

If yes, could you try another brother like mozilla.

Are you using certificate group ?

Is the total size bigger than 4k ?

Gilles.

0 Helpful

ciscocsoc
Level 4
Level 4
In response to Gilles Dufour

‎10-11-2007 03:25 AM

I was using IE. By chance I saw another query on here that mentioned the close-protocol option.

I don't think the chaingroup exceeded 4K - but it was probably borderline. I took out the server certificate and just left in the 3 GlobalSign certificates. I couldn't see the point of including it in the chain as well as in the server definition.

I think I have it working - it was just a lot more complicated than I thought it would be. It would be useful if the manual had an example of an end-to-end configuration rather than just referring to Ch4 and Ch3.

Thank you for your help.

Kind Regards

Cathy

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents