ACE service module SSL termination for soap over HTTPS

Sep 30th, 2009

I have a virtual server configured to terminate SSL traffic and send to the real server in clear text. This works great when I test from my browser and access the web site on the server.

However, when another group attempts to send soap over HTTPS to the same virtual server, the ACE drops the connection.

Just wondering if anyone has seen this before?

access-list PERMIT line 8 extended permit ip any any

serverfarm host SecureSite
  rserver SecureSite 81

parameter-map type connection TCP_PARAM
  syn-data drop
  exceed-mss allow

class-map match-all SecureSite
  2 match virtual-address tcp eq https

policy-map type loadbalance first-match SecureSite-l7slb
  class class-default
    serverfarm SecureSite

policy-map multi-match POLICY
  class SecureSite
    loadbalance vip inservice
    loadbalance policy SecureSite-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 332
    ssl-proxy server SecureSite
    connection advanced-options TCP_PARAM

Service policy is applied at the interface.

koltl-gold Wed, 09/30/2009 - 22:06

I suspect the server sends an HTTP redirect which will not be usable until you set up SSL URL rewrite. It is a very good practice to have this feature enabled for all SSL termination configs.
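The redirect problem described in the reply above, as an added example that is not part of the original thread and is not the ACE's own implementation: a backend behind an SSL terminator only knows it is serving clear-text HTTP, so its redirects point at http:// and must be rewritten before they reach the client. The function name, parameter names and host names are hypothetical, and the sample headers are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def rewrite_location(headers, host_pattern, clearport=80, sslport=443):
    """Return a copy of the response headers with a clear-text redirect
    rewritten to HTTPS, as an SSL-terminating proxy has to do.

    host_pattern is a regex the redirect host must fully match; clearport is
    the port the backend uses in its redirects, sslport the port clients use.
    """
    out = dict(headers)
    loc = out.get("Location")
    if not loc:
        return out  # not a redirect, nothing to do
    parts = urlsplit(loc)
    # Relative redirects and non-http schemes are already safe to pass through.
    if parts.scheme != "http" or parts.hostname is None:
        return out
    # Only rewrite redirects that point back at the terminated site.
    if not re.fullmatch(host_pattern, parts.hostname):
        return out
    if (parts.port or 80) != clearport:
        return out
    netloc = parts.hostname if sslport == 443 else f"{parts.hostname}:{sslport}"
    out["Location"] = urlunsplit(
        ("https", netloc, parts.path, parts.query, parts.fragment)
    )
    return out


if __name__ == "__main__":
    # Constructed backend response: the real server redirects to itself over
    # plain HTTP because it never sees the TLS session.
    backend = {"Location": "http://secure.example.test/ws/orders?wsdl"}
    print(rewrite_location(backend, r"secure\.example\.test"))
```

A browser may recover from an unrewritten redirect by following it to port 80, which is one way browser tests can pass while an HTTPS-only SOAP client fails.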


koltl-gold Wed, 09/30/2009 - 22:12

I assume you just omitted to paste the 'ssl-proxy service SecureSite' section with the cert and the key.

JeramyKoval Thu, 10/01/2009 - 04:21

Yes, I actually forgot to include the ssl-proxy service in my post. It is there and is configured. Works just fine with regular website traffic. I even tried a different ssl-proxy service just to see if there was any change.

huangedmc Fri, 10/09/2009 - 03:15

"However, when another group attempts to send soap over HTTPS to the same virtual server, the ACE drops the connection."

Where's this group connecting to the VIP from?

Is it from a client-side or server-side vlan?

JeramyKoval Mon, 10/12/2009 - 11:15

We ended up resolving this issue. It turned out to be something really simple. The client that was sending the soap traffic did not have the proper SSL certificate installed on the server that was generating the soap traffic.

