ACE SSL Termination (40) Handshake Failure

Answered Question
Mar 10th, 2010

I have configured the ACE 4710 as a network load balancer and this is working well for most sites. Now I have installed the SSL cert and the https version of the site will not be displayed. Ran Wireshark protocol analyser and it indicates a RST packet was received with error (40) Handshake failure... any ideas?

Sean Merrow Wed, 03/10/2010 - 13:33

Hello,

Too hard to say without any data.  Would it be possible to upload your config, the capture, and let us know what version of software you are running?

Thanks,

Sean

Gilles Dufour Thu, 03/11/2010 - 01:26

Try maybe without "ssl advanced-options mywebsite.org" under your ssl proxy.

Also, we need a sniffer trace to see the failure and a show tech captured after the problem occurred.

Gilles.

Correct Answer
Sean Merrow Thu, 03/11/2010 - 06:19

Hello,

Unless your real server is listening on port 443 for clear-text, your current config needs to be modified for this to work. Unless the rserver within the serverfarm specifies a port number, the port number used on the frontend will also be used on the backend. You are using 443 on the frontend, but only doing SSL termination, not SSL initiation. Therefore, you need to specify the clear-text port that the rserver is listening on. For example, assuming your rserver is listening on the default www port of 80, your serverfarm should look like this:

serverfarm host WEBFARM
  description Web farm for WEBFARM
  rserver website.orgtest 80
    inservice

Hope this helps,

Sean

Sean Merrow Thu, 03/11/2010 - 09:04

Hello,

Yes there is. See the attachment. It will show you how to get the ACE to take care of this. Since your backend server is listening on a clear-text port, any HTTP 301 or 302 redirect that comes from the server will likely have a Location header value of http://xxxx. So, you'll see the action-list in the attachment will force the ACE to re-write the http:// in that header to https:// as well.

Hope it helps,

Sean

networker99 Thu, 03/11/2010 - 10:04

Many thanks.. however I still have a slight issue.  It is regarding the line:

webhost-redirection https://%h%p 301

This only works if I put

webhost-redirection https://www.mywebsite.com 301 and not https://%h%p

Therefore this is fine if someone goes to http://www.mywebsite.com and they get redirected to https://www.mywebsite.com, but if they go to http://www.mywebsite.com/contactus.html they get redirected to https://www.mywebsite.com.

Thanks!

Correct Answer
Sean Merrow Thu, 03/11/2010 - 11:11

Interesting that it doesn't work.  The %h just says to keep whatever hostname the client used in the original request, but just change the http:// to https://.  The %p simply means to keep the same path as the original request.  You don't have to use them, or you can just use one of them if you want.  So in your case, perhaps your answer is:

webhost-redirection https://www.mywebsite.com%p 301

Now, if someone requests http://www.mywebsite.com/contactus they will be redirected to https://www.mywebsite.com/contactus

However, since the hostname in the original request is the same as the hostname in the redirect, I would've expected the %h to work.

Sean
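The two behaviours Sean describes above, the %h/%p placeholder expansion in webhost-redirection and the action-list that rewrites a clear-text backend's Location header from http:// to https://, re-implemented in Python as an added example. This is not ACE code, not the attachment from the thread, and not from the original posts; the function names expand_redirect and rewrite_location, the sample host and path, and the decision to leave third-party hosts untouched are assumptions of this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample request as the load balancer would see it after TLS
# termination; these values are not taken from the thread's capture.
SAMPLE_HOST = "www.mywebsite.com"
SAMPLE_PATH = "/contactus.html"


def expand_redirect(template: str, host: str, path: str) -> str:
    """Expand a webhost-redirection style template (hypothetical re-implementation).

    %h is replaced by the Host header the client sent, %p by the request path,
    so "https://%h%p" keeps both while switching the scheme to https.
    """
    return template.replace("%h", host).replace("%p", path)


def rewrite_location(location: str, public_host: str) -> str:
    """Rewrite the Location header of a backend 301/302 on a TLS-terminating proxy.

    The backend only speaks clear-text HTTP, so its redirects carry http:// URLs.
    Only absolute http:// URLs that point at our own public hostname are changed
    to https://; relative URLs and other hosts are returned unchanged, so the
    rewrite never steers clients to a host the proxy does not serve.
    """
    parts = urlsplit(location)
    if parts.scheme.lower() != "http":
        return location                      # relative, already https, or other scheme
    if parts.hostname is None or parts.hostname != public_host.lower():
        return location                      # third-party host: leave it alone
    # Drop an explicit :80 (the backend's implicit port) since clients now use 443.
    netloc = parts.hostname
    if parts.port not in (None, 80):
        netloc = f"{parts.hostname}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The hostname comparison is deliberate: rewriting every http:// Location blindly would also upgrade redirects the backend issues to other sites, and a hostname check keeps the rewrite scoped to the site actually terminated on the ACE.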

networker99 Thu, 03/11/2010 - 11:23

Funny... I re-entered the commands and now it works... maybe a typo??!! Thanks again!!!!!

One last question.  Can you direct me on how to set up the health checking so that a webserver will be taken out of the farm if it returns a specific string in the html?

Sean Merrow Thu, 03/11/2010 - 12:00

Hello,

Well, that's a new one to me.  I've yet to see someone want to remove a server from the rotation when it has a string in the content.  Usually, we see customers that want to remove a server from rotation when it doesn't have the string in the body.

A common HTTP keepalive would be something like this:

probe http HTTP-KEEPALIVE
  interval 10
  faildetect 3
  passdetect interval 30
  passdetect count 2
  receive 3
  open 3
  request method get url /keepalive.html
  expect status 200 200  <-- this is required when 'expect regex' is not used

Here, as long as it gets an HTTP 200 OK response, it will pass. In addition to, or in place of, the expect status, you can also use the expect regex. Click the link for details on how to configure that. If you use expect regex, then the response from the server must include the Content-Length header.

probe http HTTP-KEEPALIVE
  interval 10
  faildetect 3
  passdetect interval 30
  passdetect count 2
  receive 3
  open 3
  request method get url /keepalive.html
  expect regex Hello
  expect status 200 200  <-- this is now optional when the 'expect regex' is used

In the above example, the rserver will be pulled out of rotation if the response does not contain Hello in its response.  I'm not aware of a way to get the ACE to pull the server out of rotation if it does have this string.

Not sure if this helps or not.

Sean

networker99 Thu, 03/11/2010 - 12:04

Maybe I explained it wrong..

If there are two servers that provide website search results for a front-end web server, and the SQL/search service dies on one, I only want the other to be queried.

Sean Merrow Thu, 03/11/2010 - 12:42

You can apply multiple probes to each global rserver.  By default, both of them would have to pass for the rserver to be considered healthy.  Each probe below can have a unique IP address.

host1/Admin(config)# rserver WWW-SERVER1
host1/Admin(config-rserver-host)# ip address 192.168.12.15
host1/Admin(config-rserver-host)# probe SQL_PROBE
host1/Admin(config-rserver-host)# probe WWW_PROBE

For example, in the example above, the WWW_PROBE configuration would not have an IP address associated and therefore would inherit the IP address of the rserver.  For the SQL_PROBE, you could specifically configure the IP address of the SQL server in the probe configuration.  So both the SQL server and the WWW server would have to be healthy in order for this server to be included in the load balancing rotation.

Sean
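The probe logic from Sean's two posts above (expect status range, expect regex and its Content-Length requirement, faildetect/passdetect counting, and the rule that every probe on an rserver must pass, with a probe inheriting the rserver's address when it has none of its own), written out in Python as an added example. This is not ACE code and not from the thread; the class and field names, the HTTP and TCP sample responses, the 192.168.12.20 SQL address and the READY banner are constructed for this example, and the page's "TCP probe and expect regex" suggestion for the SQL server is modelled as a regex over raw bytes.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample responses standing in for what a probe would read from the
# rserver; none of these were captured from a real server.
RESP_OK = b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\nHello world"
RESP_NO_LENGTH = b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\nHello world"
RESP_500 = b"HTTP/1.1 500 Internal Server Error\r\nContent-Length: 5\r\n\r\nError"
RESP_SQL_BANNER = b"READY search-db 1.0\n"   # hypothetical clear-text service banner


@dataclass
class Probe:
    """Subset of an ACE probe (field names are assumed, not ACE syntax)."""
    name: str
    kind: str = "http"                      # "http" or "tcp"
    ip: Optional[str] = None                # None -> inherit the rserver address
    expect_status: tuple = (200, 200)       # inclusive min/max, http probes only
    expect_regex: Optional[str] = None      # http body, or raw bytes for tcp


def parse_http_response(raw: bytes):
    """Minimal HTTP/1.x response splitter: (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers, body


def probe_passes(probe: Probe, raw: bytes) -> bool:
    """Evaluate one probe response the way the thread describes the ACE behaving."""
    if probe.kind == "tcp":
        # TCP probe with expect regex: match against whatever the service sent.
        return probe.expect_regex is None or re.search(probe.expect_regex.encode(), raw) is not None
    status, headers, body = parse_http_response(raw)
    lo, hi = probe.expect_status
    if not lo <= status <= hi:
        return False
    if probe.expect_regex is not None:
        # The thread says expect regex needs Content-Length; without it the probe
        # cannot tell when the body is complete, so treat that as a failure.
        if "content-length" not in headers:
            return False
        length = int(headers["content-length"])
        if len(body) < length:
            return False                    # truncated body: do not guess
        if re.search(probe.expect_regex.encode(), body[:length]) is None:
            return False
    return True


@dataclass
class RServer:
    name: str
    ip: str
    probes: list = field(default_factory=list)


def probe_target(rserver: RServer, probe: Probe) -> str:
    """A probe with no ip address of its own inherits the rserver's address."""
    return probe.ip or rserver.ip


def rserver_healthy(rserver: RServer, responses: dict) -> bool:
    """Default semantics from the thread: every probe on the rserver must pass.

    responses maps probe name -> bytes read from probe_target(); constructed here.
    """
    return all(probe_passes(p, responses[p.name]) for p in rserver.probes)


class ProbeState:
    """faildetect / passdetect count bookkeeping for one probe on one rserver."""

    def __init__(self, faildetect: int = 3, passdetect_count: int = 2):
        self.faildetect, self.passdetect_count = faildetect, passdetect_count
        self.up, self.fails, self.passes = True, 0, 0

    def record(self, passed: bool) -> bool:
        """Feed one probe result; returns whether the rserver stays in rotation."""
        if passed:
            self.fails = 0
            if not self.up:
                self.passes += 1
                if self.passes >= self.passdetect_count:
                    self.up, self.passes = True, 0
        else:
            self.passes = 0
            if self.up:
                self.fails += 1
                if self.fails >= self.faildetect:
                    self.up, self.fails = False, 0
        return self.up


# Mirrors the two-probe rserver from the thread; 192.168.12.20 is a constructed SQL address.
WWW_PROBE = Probe("WWW_PROBE", expect_regex="Hello")
SQL_PROBE = Probe("SQL_PROBE", kind="tcp", ip="192.168.12.20", expect_regex=r"^READY")
WWW_SERVER1 = RServer("WWW-SERVER1", "192.168.12.15", [SQL_PROBE, WWW_PROBE])
```

With faildetect 3 and passdetect count 2, three consecutive failed probes take the rserver out of rotation and two consecutive passes bring it back; the counters reset whenever the result flips, which is what keeps a single flapping response from toggling the server.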

networker99 Thu, 03/11/2010 - 12:51

I guess what I am asking is how can it detect application errors rather than web errors?

Sean Merrow Fri, 03/12/2010 - 08:35

Hello,

Unfortunately, the ACE cannot passively monitor application traffic for specific errors or patterns to determine when an rserver should or should not be in the load balancing rotation.  The only options I'm aware of are all the probes described in the Configuring Health Monitoring document, which includes several application-layer probes.  Obviously, the HTTP and/or HTTPS probes should cover you for your web servers.  For the SQL servers, you might be able to accomplish it with a TCP probe and expect regex.  Otherwise, you would need to get creative with using TCL scripts for probing.  This is documented in the Using Toolkit Command Language (TCL) Scripts with the ACE documentation.

HTH,

Sean
