ACE SSL - Decryption failure

Unanswered Question
Feb 16th, 2009

I have deployed ACE in a portal architecture with two web servers in test environment. ACE does the SSL offloading.

Users are experiencing 'Invalid Session' error 'randomly' while accessing various links on the web page. However, at other times same pages show perfectly.

This is only experienced while accessing the pages from the internet. It never happens on the local lan. So the only addition via internet is 1) the internet itself 2) outside ASA with CSC-SSM and 3) outside ASA with AIP-SSM

The URL is currently registered with the ISP DNS with a different IP (current Production). The test environment uses another public IP and the site is accessed via local host file. Over the internet, the traffic goes through transparent proxy as well.

When I captured the packets via Ethereal/Wireshark, I noticed 'Encrypted Alert' packets sent by ACE to the client. Following are the details of the packet

- SSLv3 Record Layer: Encrypted Alert
    Content Type: Alert (21)
    Version: SSL 3.0 (0x0300)
    Length: 18
    Alert Message: Encrypted Alert

Alert code 21 means 'Decryption failed (fatal, TLS only)'

The certificate is authentic and verified.

Please advise on how to troubleshoot this error.

Thanks.
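An added illustration (not part of the thread) of what the capture above does and does not reveal: Wireshark's "Encrypted Alert" label comes from the record-layer content type (21 = Alert), while the alert level and description sit inside the ciphertext once a ChangeCipherSpec has been sent, so they cannot be read from the wire. The two sample records are constructed for the example.

```python
import struct

# Record-layer content types shared by SSL 3.0 and TLS.
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
# A subset of alert descriptions (RFC 5246 section 7.2); only readable in plaintext alerts.
ALERT_DESCRIPTIONS = {0: "close_notify", 20: "bad_record_mac", 21: "decryption_failed",
                      22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
                      48: "unknown_ca", 80: "internal_error"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}


def parse_records(data, encrypted=False):
    """Walk the record layer and describe each record.

    encrypted=True means a ChangeCipherSpec was already seen in this direction,
    so an alert body is ciphertext (alert bytes plus MAC, plus padding for block
    ciphers) and only the content type and length are visible.
    """
    records = []
    offset = 0
    while offset + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record at offset %d" % offset)
        rec = {"content_type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
               "version": "%d.%d" % (major, minor), "length": length}
        if ctype == 20:
            encrypted = True  # everything after CCS in this direction is protected
        if ctype == 21:
            if encrypted:
                rec["alert"] = "encrypted (level/description not visible on the wire)"
            elif length == 2:
                rec["alert"] = "%s %s" % (ALERT_LEVELS.get(body[0], "?"),
                                          ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1]))
        records.append(rec)
        offset += 5 + length
    return records


# Constructed samples: a plaintext fatal decryption_failed alert, and an SSL 3.0
# encrypted alert of length 18 like the one in the capture (2 alert bytes + 16-byte
# MAC is what a stream cipher with MD5 would produce; the bytes here are dummies).
PLAIN_ALERT = b"\x15\x03\x00\x00\x02\x02\x15"
ENCRYPTED_ALERT = b"\x15\x03\x00\x00\x12" + bytes(range(18))

if __name__ == "__main__":
    print(parse_records(PLAIN_ALERT))
    print(parse_records(ENCRYPTED_ALERT, encrypted=True))
```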

cisco_lite Mon, 02/16/2009 - 10:50

Ok. Out of the above, internet is ruled out. I connected my laptop to the outside of the ASA and tried testing the portal. In this case, I bypassed the internet but included all the components of our infrastructure including firewalls. The problem still happens.

So the only two things now are the 1) ASA CSC-SSM and 2) ASA AIP-SSM on the perimeter.

Does ASA in any way tamper with the SSL traffic flowing through it or any other data?

edgarfc254 Tue, 10/25/2011 - 06:25

I am having the same problem with SSL termination with the ACE only in the picture. No ASA in use. All works well with a server which is not behind the ACE.

Has anyone got a workaround for the decryption failure?

edgarfc254 Tue, 10/25/2011 - 15:13

Software Version A2(1.5) Resolved Caveats

CSCsz26513

When you transfer a large file, the ACE sends an encrypted alert to the client. Prior to this action, the ACE reduces its TCP window to zero, bumps up the size, receives the packet that it was acknowledging from the client, and sends the encrypted alert.

I am running Version A2(3.2). I found that implementing a sticky group helped with this issue.

serverfarm host webfarm
  rserver r1
    inservice standby
  rserver r2
    inservice
  rserver r3
    backup-rserver r1
    inservice

\\define static sticky server, here we are mapping r2 to r3 and r3 to r2

sticky ip-netmask 255.255.255.255 address source sticky_webfarm
  serverfarm webfarm
  8 static client source 172.16.4.5 rserver r3
  16 static client source 172.16.4.6 rserver r2

(https://supportforums.cisco.com/docs/DOC-17765)

edgarfc254 Wed, 10/26/2011 - 02:09

Actually, there has not been any change. Traffic from the LAN works perfectly fine but for some reason, Microsoft (e-mail cloud) and Blackberry traffic is still having the same issue.

Any ideas why those two are being affected? Might it have something to do with how they implement IMAPS on their side, which is different from all other services?
