Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
794
Views
0
Helpful
1
Replies

Expired Certificate and HTTPS Probe Problem

yves.haemmerli
Level 1
Level 1

‎10-15-2009 05:26 AM

Hi,

While configuring an HTTPS probe I observe that if the certificate on the target server is expired, the ACE marks the server as PROBE-FAILED. A Wireshark trace shows that the ACE refuses an expired certificate. Here is the probe configuration :

probe https NCL_PROBE_HTTPS

description *** Server Health Probe ***

interval 5

faildetect 2

passdetect interval 5

passdetect count 2

receive 4

ssl version all

request method get url /monitor/

expect status 200 200

header User-Agent header-value "Juniper DX 3200"

open 2

expect regex "OK"

I know that I can disable the validation check with an ssl parameter-map, but such a map is only applicable to a ssl-proxy service, not on a probe...

How do I make sure that the probe also ignors the unvalid certificate ?

Thank you for any help

Yves Haemmerli

Labels:
0 Helpful
1 Reply 1

hadbou
Level 5
Level 5

‎10-22-2009 06:27 AM

For the HTTPS probe sent by the ACE, if the server sends the expired certificate, then the ACE rejects that certificate and closes the connection with the RST.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents