SSL Termination Not Working

Unanswered Question
Oct 15th, 2009
Hi,

I have tried configuring SSL termination on ACE. The software version is 3.0(0)A1(4a).

Connectivity was working fine with HTTP and the website was accessible from the Internet. After I put in the SSL configs, the connectivity is not working; the browser is throwing an error "Secure Connection Failed" "(Error code: ssl_error_rx_record_too_long)".


I am using a trial certificate from Thawte for testing. I have attached the running-config and the statistics.


Any help/advice is really appreciated.

Thanks,

kris

jason.espino Thu, 10/15/2009 - 07:07

Hello kris,


Looking at your configuration, your layer 4 class-map does not define/allow HTTP connections to establish to the VIP address.


class-map match-all ERDMZ80
  3 match virtual-address 10.1.151.100 tcp eq http
class-map match-all ERDMZ443
  3 match virtual-address 10.1.151.100 tcp eq https



Regarding your SSL configuration, it looks correct if the cert is self-signed, but you can also try to separate the configuration for HTTP and HTTPS traffic for the same VIP.


class-map match-all ERDMZ80
  3 match virtual-address 10.1.151.100 tcp eq http
class-map match-all ERDMZ443
  3 match virtual-address 10.1.151.100 tcp eq https

policy-map type loadbalance first-match ERDMZ-VIP
  class class-default
    sticky-serverfarm ERDMZ-STICKY

policy-map multi-match ERDMZ-POLICY
  class ERDMZ80
    loadbalance vip inservice
    loadbalance policy ERDMZ-VIP
    loadbalance vip icmp-reply
  class ERDMZ443
    loadbalance vip inservice
    loadbalance policy ERDMZ-VIP
    loadbalance vip icmp-reply
    ssl-proxy server ERproxy-1


- Jason

krishnadas.R_2 Sun, 10/18/2009 - 01:48

Hi Jason,


Many thanks for taking the time to look into the configs.


I have separated the configs for HTTP and SSL; however, it is not working. I am thinking of installing a new trial certificate from some other CA and shall update you with the result.


Thanks,

Kris

ciscocsoc Thu, 10/15/2009 - 07:14

Hi Kris,


I'd normally expect to see a chaingroup with the Thawte CA and any intermediate certificates. Or is this test certificate self-signed?


Can you show the crypto file listing of the certificate(s) and key(s)? (sh crypto files)


Kind Regards


Cathy

krishnadas.R_2 Sun, 10/18/2009 - 01:56

Hi Cathy,


The certificate I am using is a trial one from Thawte.


Here is the output:


ICT_ACE1/ERzone# sh crypto files

Filename                     File   File   Expor   Key/
                             Size   Type   table   Cert
-----------------------------------------------------------------------
ER-Key.pem                   887    PEM    Yes     KEY
ER-Cert.pem                  1903   PEM    Yes     CERT

ICT_ACE1/ERzone#


I am not sure if the error is because I have installed the wrong certificate type. Do we need to install a specific type of certificate for Cisco devices? I have verified that the certificate and key do match using crypto verify.


Waiting for the reply.


Thanks,

-Kris

ciscocsoc Sun, 10/18/2009 - 23:35

Hi Kris,


You need to import Thawte Test CA Root.pem, add it to a chaingroup and then associate the chaingroup to the SSL server. The ACE needs to see the whole certificate chain.


Kind Regards


Cathy

krishnadas.R_2 Mon, 10/19/2009 - 02:08

Hi Cathy,


Thanks for the advice.

I have done it as you suggested, but the browser is still showing the same error.


Attached is the current running config; please have a look.


Thanks

Kris
ciscocsoc Mon, 10/19/2009 - 02:49


You shouldn't have an SSL server in the policy for HTTP traffic.


  class ERDMZ80
    loadbalance vip inservice
    loadbalance policy ERDMZ-VIP
    loadbalance vip icmp-reply
    ssl-proxy server ERproxy-1      <--- delete


The error indicates an issue with the FQDN so you need to check the DNS name against the name you quote when generating the certificate.


Cathy
