ACE SSL Pass

meckel
Level 1

Does the ACE allow HTTPS passthrough?

Here's what I've tried to do without success.

rserver host nuxi
  description TEST SERVER
  ip address 10.10.2.100
  probe ping-probe
  inservice

serverfarm host https-test
  description TEST SERVER FARM
  failaction purge
  predictor leastconns
  probe imap-probe
  rserver nuxi 443
    inservice

class-map match-all VIP-HTTPS
  2 match virtual-address 10.10.1.1 tcp eq 443

policy-map type loadbalance first-match HTTPS-POLICY
  class class-default
    serverfarm https-test

policy-map multi-match CLIENT-VIPS
  class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy HTTPS-POLICY
    loadbalance vip icmp-reply active


Gilles Dufour
Cisco Employee

Yes, ACE allows HTTPS to be load balanced without being terminated.

Get a sniffer trace to see what is going on.

Does HTTP work?

Gilles.

Hi Gilles,

Yes, HTTP works. I had a trace but didn't save it. I thought perhaps it was a bug with the version we are running - 3.0(0)A1(5a).

We reverted everything back to an old LDA and are planning to try with the ACE again soon; this time with SSL termination though.

Since you say it should work, I'll schedule some time to try and make SSL pass through work on our next attempt. And save the trace.

Thanks,

Milo

Gilles,

I've attached a trace file.

Thanks,

Milo

the trace does not match the config you sent.

Can't find the same IP addresses.

In the trace, it is also clear the module is spoofing the HTTPS connection.

Not sure why.

So I would need a 'show tech' to confirm what is happening.

Also get 'show service-policy detail' before and after a connection attempt to see if you hit the right service-policy.

Gilles.

Gilles,

Sorry about that. It's a production context and complex. Here is the relevant portion of the current config. The show tech is attached.

probe http sys-stat
  description WEB SERVER PROBE
  faildetect 2
  passdetect count 1
  receive 60
  request method get url /manager/html
  expect status 401 401

rserver host systemsStatus1-test
  description TEST SYSTEMS STATUS WEB SERVER
  ip address 134.114.6.149
  probe ping-probe
  inservice

rserver host systemsStatus2-test
  description TEST SYSTEMS STATUS WEB SERVER
  ip address 134.114.6.150
  probe ping-probe
  inservice

serverfarm host systemsStatus-test
  description TEST SYSTEMS STATUS WEB SERVER FARM
  failaction purge
  predictor leastconns
  probe sys-stat
  retcode 100 500 check count
  rserver systemsStatus1-test
    inservice
  rserver systemsStatus2-test
    inservice

sticky ip-netmask 255.255.255.255 address source GROUP_2_TEST
  timeout 480
  replicate sticky
  serverfarm systemsStatus-test

policy-map multi-match CLIENT-VIPS

class-map match-all VIP-SYSTAT-HTTP-TEST
  description system status test web server
  2 match virtual-address 134.114.6.148 any

!==========================

ace-its-a/PSOFT# sh service-policy CLIENT-VIPS detail | be VIP-SYSTAT-HTTP-TEST

  class: VIP-SYSTAT-HTTP-TEST
    VIP Address:    Port:
    134.114.6.148   any
    loadbalance:
      L7 loadbalance policy: SYSTAT-HTTP-POLICY-TEST
      VIP Route Metric     : 77
      VIP Route Advertise  : DISABLED
      VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
      VIP State: INSERVICE
      curr conns       : 0         , hit count        : 395
      dropped conns    : 379
      client pkt count : 1325      , client byte count: 109445
      server pkt count : 1357      , server byte count: 781489
    L7 Loadbalance policy : SYSTAT-HTTP-POLICY-TEST
      class/match : class-default
        LB action :
           -
        hit count        : 392
        dropped conns    : 376

The problem is this line:

retcode 100 500 check count

Because of that, you need to use the serverfarm only for HTTP, as the ACE module will interpret all traffic as HTTP in order to detect the retcode.

Create another serverfarm and rule for https or remove the retcode line.

Gilles.
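Gilles's diagnosis generalises: a serverfarm that carries `retcode` is handled as HTTP, so any VIP that matches `any` (or port 443) and lands on that farm will have its TLS bytes parsed as HTTP and the connection dropped. The Python below is an added example, not code from this thread or from Cisco; it audits an ACE-style config text for exactly that combination. Both config strings are constructed from the posted excerpt: the L7 policy SYSTAT-HTTP-POLICY-TEST is assumed (only its name appears in the show output), the `sticky-serverfarm` reference is assumed, and the parser understands only the commands used in this thread.

```python
"""Flag ACE serverfarms whose `retcode` forces HTTP parsing on a VIP that also
carries non-HTTP traffic (port 443 or `any`).  Added example for this thread;
it understands only the handful of ACE commands the posts use."""
import re

# Port keywords ACE accepts in `match virtual-address ... tcp eq <port>`.
PORT_NAMES = {"www": "80", "http": "80", "https": "443"}
HTTP_PORTS = {"80"}  # the only port where retcode-driven HTTP parsing is harmless

# Constructed from the thread's second config; the L7 policy and the
# sticky-serverfarm reference are assumed, not shown on the page.
BROKEN_CONFIG = """\
serverfarm host systemsStatus-test
  probe sys-stat
  retcode 100 500 check count
  rserver systemsStatus1-test
    inservice
sticky ip-netmask 255.255.255.255 address source GROUP_2_TEST
  serverfarm systemsStatus-test
class-map match-all VIP-SYSTAT-HTTP-TEST
  2 match virtual-address 134.114.6.148 any
policy-map type loadbalance first-match SYSTAT-HTTP-POLICY-TEST
  class class-default
    sticky-serverfarm GROUP_2_TEST
policy-map multi-match CLIENT-VIPS
  class VIP-SYSTAT-HTTP-TEST
    loadbalance policy SYSTAT-HTTP-POLICY-TEST
"""

# Constructed fix: retcode farm only behind port 80, a second farm (no retcode)
# behind port 443.  Farm and class-map names for HTTPS are assumed.
FIXED_CONFIG = """\
serverfarm host systemsStatus-test
  retcode 100 500 check count
  rserver systemsStatus1-test
serverfarm host systemsStatus-ssl-test
  rserver systemsStatus1-test 443
class-map match-all VIP-SYSTAT-HTTP-TEST
  2 match virtual-address 134.114.6.148 tcp eq www
class-map match-all VIP-SYSTAT-HTTPS-TEST
  2 match virtual-address 134.114.6.148 tcp eq https
policy-map type loadbalance first-match SYSTAT-HTTP-POLICY-TEST
  class class-default
    serverfarm systemsStatus-test
policy-map type loadbalance first-match SYSTAT-HTTPS-POLICY-TEST
  class class-default
    serverfarm systemsStatus-ssl-test
policy-map multi-match CLIENT-VIPS
  class VIP-SYSTAT-HTTP-TEST
    loadbalance policy SYSTAT-HTTP-POLICY-TEST
  class VIP-SYSTAT-HTTPS-TEST
    loadbalance policy SYSTAT-HTTPS-POLICY-TEST
"""


def _port_of(match_rest):
    """'any' -> 'any'; 'tcp eq https' -> '443'; 'tcp any' -> 'any'."""
    toks = match_rest.split()
    if "eq" in toks:
        port = toks[toks.index("eq") + 1]
        return PORT_NAMES.get(port, port)
    return "any"


def parse(config_text):
    """Build the chain VIP class-map -> L7 policy -> (sticky ->) serverfarm."""
    farms, classmaps, lbpolicies, stickies, vips = {}, {}, {}, {}, {}
    ctx = sub = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        toks = line.split()
        if not raw[0].isspace():  # top-level command opens a new block
            sub = None
            if line.startswith("serverfarm host "):
                ctx = ("farm", toks[2])
                farms.setdefault(toks[2], False)
            elif line.startswith("class-map match-all "):
                ctx = ("cmap", toks[2])
                classmaps.setdefault(toks[2], set())
            elif line.startswith("policy-map type loadbalance first-match "):
                ctx = ("lb", toks[-1])
                lbpolicies.setdefault(toks[-1], set())
            elif line.startswith("policy-map multi-match "):
                ctx = ("mm", toks[2])
            elif line.startswith("sticky "):
                ctx = ("sticky", toks[-1])  # group name is the last token
            else:
                ctx = None
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "farm" and toks[0] == "retcode":
            farms[name] = True  # this farm will be treated as HTTP
        elif kind == "cmap":
            m = re.match(r"(?:\d+ )?match virtual-address \S+ (.*)", line)
            if m:
                classmaps[name].add(_port_of(m.group(1)))
        elif kind == "lb" and toks[0] in ("serverfarm", "sticky-serverfarm"):
            lbpolicies[name].add((toks[0], toks[1]))
        elif kind == "sticky" and toks[0] == "serverfarm":
            stickies[name] = toks[1]
        elif kind == "mm":
            if toks[0] == "class":
                sub = toks[1]
            elif line.startswith("loadbalance policy ") and sub:
                vips[sub] = toks[2]
    return farms, classmaps, lbpolicies, stickies, vips


def audit(config_text):
    """Return (class-map, port, L7 policy, serverfarm) for every retcode farm
    reachable from a VIP port that is not plain HTTP."""
    farms, classmaps, lbpolicies, stickies, vips = parse(config_text)
    findings = []
    for cmap, policy in vips.items():
        for port in sorted(classmaps.get(cmap, ())):
            if port in HTTP_PORTS:
                continue
            for kind, ref in sorted(lbpolicies.get(policy, ())):
                farm = stickies.get(ref) if kind == "sticky-serverfarm" else ref
                if farms.get(farm):
                    findings.append((cmap, port, policy, farm))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg))
```

The check is deliberately narrow: it only proves that a VIP accepting non-HTTP ports can reach a farm with `retcode`, which is the condition that produced the dropped connections in the `show service-policy` counters above. A farm without `retcode` behind an `any` VIP is not flagged, matching what removing the line did for Milo.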

Gilles,

No Sh--!! Yup, removing that line from the serverfarm fixed it. That's a nice way to start a Monday!!

Thank you,

Milo
