Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
484
Views
0
Helpful
2
Replies

Stickyness and SSL-Termination

glischer
Level 1
Level 1

‎01-18-2008 06:30 AM

Hello to all

We have the following problem. We use ssl-termination on the ace. This should work as follows : Plain http-requests should go directly to the server (Port80) and https-requests should terminate on the ace and decryptet to the server with a "pseudo-https" (Port 8443/http) request.

After first http-request, the server sends a redirect to : "https://URL" for the Login procedure (this should be encryptet). After login, the server switch back to http.

Our problem now is the stickyness. This two connections should be sticky together, because only the server, where the client logged-in (https) knows about the user.

We have a config, which works, but not with "ONE" stickyness. Is there a solution to match these two connection together ?

You can see in the output of the sticky db, that the http-Part now matches on Server3 and the https-Part on Server1 (which should be the same).

Thanks for help

Gery

Config-Parts :

--------------

crypto chaingroup VERISIGN-CHAIN

cert chain-verisign

probe http HTTP-80-30

interval 30

faildetect 2

passdetect interval 30

passdetect count 2

expect status 200 200

expect status 302 302

probe http HTTP-8443-30

port 8443

interval 30

faildetect 2

passdetect interval 30

passdetect count 2

expect status 200 200

expect status 302 302

parameter-map type connection MYDOOR-CONN-PARAMS

parameter-map type ssl SSL-WEB

cipher RSA_WITH_RC4_128_MD5 priority 2

cipher RSA_EXPORT_WITH_RC4_40_MD5

rserver host fdintegra-rip1

ip address 10.10.20.1

inservice

rserver host fdintegra-rip2

ip address 10.10.20.2

inservice

rserver host fdintegra-rip3

ip address 10.10.20.3

inservice

ssl-proxy service myhost.mydomain.com

key keyfile.pem

cert certfile.pem

chaingroup VERISIGN-CHAIN

ssl advanced-options SSL-WEB

serverfarm host MYDOOR-Integration

probe HTTP-80-30

probe HTTP-8443-30

rserver fdintegra-rip1 80

inservice

rserver fdintegra-rip2 80

inservice

rserver fdintegra-rip3 80

inservice

serverfarm host MYDOOR-Integration-8443

probe HTTP-80-30

probe HTTP-8443-30

rserver fdintegra-rip1 8443

inservice

rserver fdintegra-rip2 8443

inservice

rserver fdintegra-rip3 8443

inservice

sticky ip-netmask 255.255.255.240 address source MY-INTEGRATION

timeout 600

replicate sticky

sticky-serverfarm MYDOOR-Integration

sticky ip-netmask 255.255.255.240 address source MY-INTEGRATION-SSL

timeout 600

replicate sticky

sticky-serverfarm MYDOOR-Integration-8443

class-map match-all L4-MY-INTEGRATION-FIP-TESTVIP

2 match virtual-address 10.10.10.10 tcp eq www

class-map match-all SSL-L4-MY-INTEGRATION-FIP-TESTVIP

2 match virtual-address 10.10.10.10 tcp eq https

policy-map type loadbalance first-match MY-INTEGRATION

class class-default

serverfarm MYDOOR-Integration

policy-map type loadbalance first-match MY-INTEGRATION-SSL

class class-default

serverfarm MYDOOR-Integration-8443

policy-map multi-match LB-Traffic

class SSL-L4-MY-INTEGRATION-FIP-TESTVIP

loadbalance vip inservice

loadbalance policy MY-INTEGRATION-SSL

loadbalance vip icmp-reply active

loadbalance vip advertise active

ssl-proxy server myhost.mydomain.com

connection advanced-options MYDOOR-CONN-PARAMS

class L4-MY-INTEGRATION-FIP-TESTVIP

loadbalance vip inservice

loadbalance policy MY-INTEGRATION

loadbalance vip icmp-reply active

loadbalance vip advertise active

connection advanced-options MYDOOR-CONN-PARAMS

Labels:
0 Helpful
2 Replies 2

glischer
Level 1
Level 1

‎01-23-2008 03:47 AM

Hello to all

I did not became any response on my ACE-Problem. Maybe because my english skills,

I could not explain exactly what's the problem. So here some more informations

about it. I hope, somebody can help me.

Communication Client/ACE/Server

-------------------------------

CLIENT LOADBALANCER SERVER

----http/80-----> ----http/80----> Client sends HTTP Request to Server

( SYN SYN/ACK ACK )

<----Redirect to https for Login ---- Server sends a Redirect to https://URL

for Login procedure

---https/443----> ----http/8443--> Client log in Server

<----Redirect back to http ---------- If successful, Server sends redirect

to http

----http/80-----> ----http/80----> Client works with http

At the Servers there are 2 Listeners working. One on port 80 ( for http ) and one

on port 8443 ( for ACE-decripted https [ -> also http on server ] )

The Server needs this separation ( two http listeners on separate ports ) because

it has to know, if the request was actualy a http or a https request.

My problem now is to find a working ACE-Configuration, which is sticky on both

sessions ( 80->80 and 443->8443 ) to same server.

This works on CSS with following config (on this I have to find a equivalent

config for that), but not on ACE .

ssl associate rsakey myhost.mydomain.com keyfile-pem

ssl associate cert myhost.mydomain.com certfile.pem

ssl-proxy-list lbcss-pl-ssl

ssl-server 1

ssl-server 1 vip address 10.10.10.10

ssl-server 1 rsakey myhost.mydomain.com

ssl-server 1 rsacert myhost.mydomain.com

ssl-server 1 cipher rsa-with-rc4-128-md5 10.10.10.10 8443

ssl-server 1 cipher rsa-export-with-rc4-40-md5 10.10.10.10 8443

active

service fdintegra-rip1

ip address 10.10.20.1

keepalive frequency 30

keepalive retryperiod 10

keepalive maxfailure 6

keepalive type script ap-my-http-httph-icon "10.10.20.1"

keepalive tcp-close fin

active

service fdintegra-rip2

ip address 10.10.20.2

keepalive frequency 30

keepalive retryperiod 10

keepalive maxfailure 6

keepalive type script ap-my-http-httph-icon "10.10.20.2"

keepalive tcp-close fin

active

service fdintegra-rip3

ip address 10.10.20.3

keepalive frequency 30

keepalive retryperiod 10

keepalive maxfailure 6

keepalive type script ap-my-http-httph-icon "10.10.20.3"

keepalive tcp-close fin

active

content fdintegra-ssl@real

vip address 10.10.10.10

protocol tcp

port 443

add service ssl-module-1

active

content fdintegra@real

vip address 10.10.10.10

add service fdintegra-rip1

add service fdintegra-rip2

add service fdintegra-rip3

protocol tcp

advanced-balance sticky-srcip

flow-reset-reject

flow-timeout-multiplier 6

sticky-inact-timeout 720

sticky-mask 255.255.255.240

balance leastconn

active

Can someone help me ?

Gery

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to glischer

‎01-23-2008 06:26 AM

Gery,

enable static cookie stickyness.

Check the 'sticky' command.

To use the static mode, configure 'cookie insert' under the cookie sticky configuration.

Then use this sticky serverfarm for both your ssl policy and http policy.

This should work.

Gilles.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents