SSL Termination Not Working

krishnadas.R_2
Level 1

Hi,

I have tried configuring SSL termination on ACE. The software version is 3.0(0)A1(4a).

Connectivity was working fine with HTTP and the website was accessible from the Internet. After I put in the SSL configuration, the connectivity is not working; the browser is throwing the error "Secure Connection Failed (Error code: ssl_error_rx_record_too_long)".

I am using a trial certificate from Thawte for testing. I have attached the running config and the statistics.

Any help/advice is really appreciated.

Thanks,

kris

7 Replies

jason.espino
Level 1

Hello kris,

Looking at your configuration, your layer 4 class map does not define/allow HTTP connections to be established to the VIP address.

class-map match-all ERDMZ80
  3 match virtual-address 10.1.151.100 tcp eq http

class-map match-all ERDMZ443
  3 match virtual-address 10.1.151.100 tcp eq https

Regarding your SSL configuration, it looks correct if the cert is self-signed, but you can also try to separate the configuration for HTTP and HTTPS traffic for the same VIP.

class-map match-all ERDMZ80
  3 match virtual-address 10.1.151.100 tcp eq http

class-map match-all ERDMZ443
  3 match virtual-address 10.1.151.100 tcp eq https

policy-map type loadbalance first-match ERDMZ-VIP
  class class-default
    sticky-serverfarm ERDMZ-STICKY

policy-map multi-match ERDMZ-POLICY
  class ERDMZ80
    loadbalance vip inservice
    loadbalance policy ERDMZ-VIP
    loadbalance vip icmp-reply
  class ERDMZ443
    loadbalance vip inservice
    loadbalance policy ERDMZ-VIP
    loadbalance vip icmp-reply
    ssl-proxy server ERproxy-1

- Jason

Hi Jason,

Many thanks for taking the time to look into the configs.

I have separated the configs for HTTP and SSL; however, it is not working. I am thinking of installing a new trial certificate from some other CA and shall update you with the result.

Thanks,

Kris

ciscocsoc
Level 4

Hi Kris,

I'd normally expect to see a chaingroup with the Thawte CA and any intermediate certificates. Or is this test certificate self-signed?

Can you show the crypto file listing of the certificate(s) and key(s)? (show crypto files)

Kind Regards

Cathy

Hi Cathy,

The certificate I am using is a trial one from Thawte.

Here is the output:

ICT_ACE1/ERzone# sh crypto files

Filename          File    File    Expor   Key/
                  Size    Type    table   Cert
-----------------------------------------------------------------------
ER-Key.pem         887    PEM     Yes     KEY
ER-Cert.pem       1903    PEM     Yes     CERT
ICT_ACE1/ERzone#

I am not sure if the error is because I have installed the wrong certificate type. Do we need to install a specific type of certificate for Cisco devices? I have verified that the certificate and key match using crypto verify.

Waiting for the reply.

Thanks,

-Kris

Hi Kris,

You need to import Thawte Test CA Root.pem, add it to a chaingroup and then associate the chaingroup to the SSL server. The ACE needs to see the whole certificate chain.

Kind Regards

Cathy

Hi Cathy,

Thanks for the advice.

I have done it as you suggested, but the browser is still showing the same error.

Attached is the current running config; please have a look.

Thanks

Kris

You shouldn't have an SSL server in the policy for HTTP traffic.

  class ERDMZ80
    loadbalance vip inservice
    loadbalance policy ERDMZ-VIP
    loadbalance vip icmp-reply
    ssl-proxy server ERproxy-1   <--- delete

The error indicates an issue with the FQDN so you need to check the DNS name against the name you quote when generating the certificate.

Cathy
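The browser error in this thread, ssl_error_rx_record_too_long, is the client-side view of a VIP answering a TLS ClientHello with something other than TLS, most often clear-text HTTP on port 443. The following probe is an added example written for this thread, not code from the original posts or from Cisco; it reads the first bytes a port sends back the way a TLS client does (one content-type byte, two version bytes, a two-byte record length) and shows why an HTTP status line ("HTTP/") parses as a record of 20527 bytes, beyond the 2^14 + 2048 maximum TLS allows, which is exactly the "record too long" condition. The sample byte strings are constructed, not captured from the poster's ACE; `probe()` is a network call against a host and port you supply.

```python
import socket

# TLS record content types, RFC 5246 section 6.2.1
TLS_CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}
# Largest TLSCiphertext record a peer may send (2^14 + 2048), RFC 5246 section 6.2.3
TLS_MAX_RECORD_LEN = 2 ** 14 + 2048


def parse_record_header(data: bytes) -> dict:
    """Read the first five bytes exactly as a TLS client does: a content-type
    byte, a two-byte protocol version and a two-byte big-endian record length.
    At this point the client cannot know whether the peer really speaks TLS."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    return {
        "content_type": data[0],
        "version": (data[1], data[2]),
        "length": int.from_bytes(data[3:5], "big"),
    }


def looks_like_tls(header: dict) -> bool:
    """A plausible TLS record: known content type, major version 3, sane length."""
    return (
        header["content_type"] in TLS_CONTENT_TYPES
        and header["version"][0] == 0x03
        and header["length"] <= TLS_MAX_RECORD_LEN
    )


def record_too_long(data: bytes) -> bool:
    """True when the bytes, read as a TLS record header, claim a record longer
    than TLS permits: the condition behind ssl_error_rx_record_too_long."""
    return parse_record_header(data)["length"] > TLS_MAX_RECORD_LEN


def classify_response(data: bytes) -> str:
    """Classify the first bytes a TLS port sent back.
    'tls'            -> the VIP is terminating SSL/TLS
    'plaintext_http' -> the VIP answered with clear-text HTTP (the browser
                        reports this as ssl_error_rx_record_too_long)
    'empty'          -> the peer closed without sending anything
    'unknown'        -> neither of the above"""
    if not data:
        return "empty"
    if data.startswith(b"HTTP/"):
        return "plaintext_http"
    if len(data) >= 5 and looks_like_tls(parse_record_header(data)):
        return "tls"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Send a clear-text HTTP request to the port and return what comes back.
    A TLS terminator answers with a TLS alert record (or simply closes); a VIP
    passing HTTP through on 443 answers with an HTTP status line. This is a
    live network call and is not exercised by the constructed samples below."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            return sock.recv(64)
        except (socket.timeout, ConnectionResetError):
            return b""


# Constructed samples (not captured from the thread's ACE): what a browser sees
# when port 443 serves plain HTTP, and a genuine TLS alert record.
PLAINTEXT_SAMPLE = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
TLS_ALERT_SAMPLE = b"\x15\x03\x01\x00\x02\x02\x0a"  # alert, TLS 1.0, length 2, fatal unexpected_message

if __name__ == "__main__":
    for label, sample in (("plaintext", PLAINTEXT_SAMPLE), ("tls alert", TLS_ALERT_SAMPLE)):
        hdr = parse_record_header(sample)
        print(f"{label}: type=0x{hdr['content_type']:02x} version={hdr['version']} "
              f"length={hdr['length']} too_long={record_too_long(sample)} "
              f"-> {classify_response(sample)}")
```

Running `classify_response(probe("10.1.151.100"))` from a host that can reach the VIP distinguishes the two failure modes discussed above: "plaintext_http" means the HTTPS class is still handing the connection to the back end without an ssl-proxy (or the ssl-proxy is attached to the wrong class), whereas "tls" means the ACE is terminating TLS and the remaining problem is in the certificate, its chaingroup, or the name the browser is checking against it.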