ACE - SSL Termination is not working

Answered Question
Jun 15th, 2010

HTTPS is not working from the official IE browser, but it is working from a test Firefox browser. However, HTTP is working with both the IE and Firefox browsers. This is true for multiple implementations on the ACE service module with SSL termination.

ACE software 3.0(0)A1(4a)

IE v6 SP3 Cipher 128

Firefox v3.6.3

Sample configuration:

!
access-list FT ethertype permit bpdu
!
access-list ALL-ACCESS extended permit icmp any any
access-list ALL-ACCESS extended permit ip any any
!
crypto chaingroup ROOT-CERT
  cert abc.PEM
  cert xyz.PEM
!
parameter-map type ssl SSL-PARAMETER-1
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA
  cipher RSA_EXPORT1024_WITH_DES_CBC_SHA

parameter-map type ssl SSL-PARAMETER-2
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
!
ssl-proxy service SSL-1
  key KEY-1.PEM
  cert CERT-1.PEM
  chaingroup ROOT-CERT
  ssl advanced-options SSL-PARAMETER-1

ssl-proxy service SSL-2
  key KEY-1.PEM
  cert CERT-1.PEM
  chaingroup ROOT-CERT
  ssl advanced-options SSL-PARAMETER-2

ssl-proxy service SSL-3
  key KEY-1.PEM
  cert CERT-1.PEM
  chaingroup ROOT-CERT
!

rserver host server1
  ip address 10.100.15.89
  inservice

rserver host server2
  ip address 10.100.15.121
  inservice

!
probe http PROBE-1
  interval 30
  faildetect 2
  request method get url /keepalive.htm
  expect status 200 200
!
serverfarm host SERVERFARM-1
  probe PROBE-1
  rserver server1 80
    inservice
  rserver server2 80
    inservice
!
sticky ip-netmask 255.255.255.255 address both STICKY-1
  timeout 30
  replicate sticky
  serverfarm SERVERFARM-1
!
class-map type management match-any REMOTE-ACCESS
  match protocol icmp any
  match protocol snmp any
  match protocol ssh any
  match protocol https any
!
class-map match-all VIP-1
  match virtual-address 10.100.15.140 tcp eq https

class-map match-all VIP-2
  match virtual-address 10.100.15.140 tcp eq www
!
policy-map type management first-match REMOTE-ACCESS
  class REMOTE-ACCESS
    permit
!
policy-map type loadbalance first-match POLICY-1
  class class-default
    sticky-serverfarm STICKY-1
!
policy-map multi-match LB-1
  class VIP-1
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    loadbalance policy POLICY-1
    ssl-proxy server SSL-1
(I have tried with ssl-proxy server SSL-2 and ssl-proxy server SSL-3, but it did not help.)

policy-map multi-match LB-2
  class VIP-2
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    loadbalance policy POLICY-1
!
interface vlan 15
  description client vlan
  bridge-group 15
  mac-sticky enable
  access-group input FT
  access-group input ALL-ACCESS
  access-group output ALL-ACCESS
  service-policy input REMOTE-ACCESS
  service-policy input LB-1
  service-policy input LB-2
  no shutdown
!
interface vlan 2015
  description server vlan
  bridge-group 15
  mac-sticky enable
  access-group input FT
  access-group input ALL-ACCESS
  access-group output ALL-ACCESS
  service-policy input REMOTE-ACCESS
  no shutdown
!
interface bvi 15
  description bridge group
  ip address 10.100.15.5 255.255.255.0
  peer ip address 10.100.15.6 255.255.255.0
  alias 10.100.15.4 255.255.255.0
  no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.100.15.1
!

Note: Subnet, server name, certificate name and key name are modified for security reasons.
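One way to narrow a "works in one browser, fails in the other" SSL-termination problem is to capture each client's ClientHello and compare the cipher suites it offers against the suites configured on the terminating proxy. The script below is an added example, not code from the original thread or from the ACE product: it parses a ClientHello (both the TLS record form and the SSLv2-compatible form that some older clients send), maps the ACE cipher names from the posted parameter maps to their IANA suite IDs, and reports which suite would be chosen, or that none is common. The sample ClientHellos, the ordering used for SSL-PARAMETER-1 (the `priority 2` suite first, then configuration order) and the 3DES entry are constructed assumptions for illustration, not taken from the thread.

```python
import struct

# IANA suite IDs for the ACE cipher names in the posted config. The 3DES
# entry is an addition for illustration; the thread's config does not list it.
ACE_CIPHER_IDS = {
    "RSA_WITH_RC4_128_MD5": 0x0004,
    "RSA_WITH_RC4_128_SHA": 0x0005,
    "RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "RSA_WITH_AES_256_CBC_SHA": 0x0035,
    "RSA_EXPORT1024_WITH_DES_CBC_SHA": 0x0062,
}
ID_TO_NAME = {v: k for k, v in ACE_CIPHER_IDS.items()}

# Server-side preference lists modelled on the thread's parameter maps.
# Assumption: the 'priority 2' suite is preferred, the rest follow config order.
SSL_PARAMETER_1 = [
    "RSA_WITH_AES_128_CBC_SHA",
    "RSA_WITH_RC4_128_MD5",
    "RSA_WITH_RC4_128_SHA",
    "RSA_WITH_AES_256_CBC_SHA",
    "RSA_EXPORT1024_WITH_DES_CBC_SHA",
]
SSL_PARAMETER_2 = ["RSA_WITH_AES_128_CBC_SHA"]


def build_tls_client_hello(suite_ids, version=(3, 1)):
    """Construct a minimal TLS-record ClientHello (zeroed random, no session id)."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs


def build_sslv2_client_hello(suite_ids, version=(3, 1)):
    """Construct an SSLv2-compatible ClientHello carrying TLS suite ids (3-byte specs)."""
    specs = b"".join(b"\x00" + struct.pack("!H", s) for s in suite_ids)
    challenge = b"\x00" * 16
    msg = b"\x01" + bytes(version) + struct.pack("!HHH", len(specs), 0, len(challenge))
    msg += specs + challenge
    return struct.pack("!H", 0x8000 | len(msg)) + msg


def parse_client_hello_ciphers(data):
    """Return the cipher suite ids a ClientHello offers, in the client's order."""
    if data[0] == 0x16:  # TLS record layer
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello handshake message")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                      # skip client_version and random
        pos += 1 + body[pos]              # skip session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        suites = body[pos + 2:pos + 2 + cs_len]
        return [struct.unpack("!H", suites[i:i + 2])[0] for i in range(0, cs_len, 2)]
    if data[0] & 0x80:  # SSLv2-compatible hello: 2-byte length, high bit set
        msg = data[2:]
        if msg[0] != 0x01:
            raise ValueError("not an SSLv2 ClientHello")
        cs_len = struct.unpack("!H", msg[3:5])[0]
        specs = msg[9:9 + cs_len]
        # Specs are 3 bytes; TLS suites are 0x00 + 2-byte id, SSLv2-only suites are dropped.
        return [int.from_bytes(specs[i:i + 3], "big") & 0xFFFF
                for i in range(0, cs_len, 3) if specs[i] == 0]
    raise ValueError("unrecognized ClientHello format")


def select_suite(offered_ids, configured_names):
    """First configured (server-preferred) suite the client also offers, or None."""
    for name in configured_names:
        if ACE_CIPHER_IDS[name] in offered_ids:
            return name
    return None


# Constructed sample clients (not real browser captures): one offers only
# RC4/3DES/export suites, the other offers AES as well.
LEGACY_OFFER = [0x0004, 0x0005, 0x000A, 0x0062]
MODERN_OFFER = [0x002F, 0x0035, 0x0004, 0x0005]


def diagnose(hello_bytes, configured_names):
    offered = parse_client_hello_ciphers(hello_bytes)
    chosen = select_suite(offered, configured_names)
    return {"offered": [ID_TO_NAME.get(s, hex(s)) for s in offered],
            "selected": chosen or "NONE (handshake failure expected)"}


if __name__ == "__main__":
    for label, hello in (("legacy/SSLv2 hello", build_sslv2_client_hello(LEGACY_OFFER)),
                         ("modern/TLS hello", build_tls_client_hello(MODERN_OFFER))):
        for pm_name, pm in (("SSL-PARAMETER-1", SSL_PARAMETER_1), ("SSL-PARAMETER-2", SSL_PARAMETER_2)):
            print(label, "vs", pm_name, "->", diagnose(hello, pm))
```

Against SSL-PARAMETER-2 the constructed legacy client has no suite in common and the handshake would fail before any HTTP page is requested, while the AES-capable client negotiates RSA_WITH_AES_128_CBC_SHA; that is the shape of a browser-specific failure worth checking with a capture before suspecting the certificate or the load-balancing policy. Note also that RSA_EXPORT1024_WITH_DES_CBC_SHA and the RC4 suites in the posted parameter map are considered broken today and should not be enabled on any current deployment.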

Correct Answer by Sean Merrow about 6 years 5 months ago

Hello,

We will not be able to determine why your SSL terminated connections fail with only your config.  You may want to take a look at a similar thread where someone else was having problems with IE and SSL termination, but Firefox worked fine.  It also includes a solid action plan you can use to gather data needed to diagnose root cause.  That thread can be viewed at the following link:

https://supportforums.cisco.com/thread/2025417?tstart=0

Also, the ACE software you are running is extremely old now and very buggy.  I would strongly urge you to upgrade to A2(2.4) as soon as possible.  It will help you avoid some headaches as you move forward.

Hope this helps,

Sean


rveeragandham Tue, 06/15/2010 - 16:26

The listed Microsoft article is more specific to file downloads but not relevant to the "default page not found" problem that I have experienced.

However, the problem was resolved after upgrading the ACE software to A2(2.4). Now I can see the HTTPS web page from the servers using the IE browser.

Thanks Sean for your input.
