ACE module https Probe operation question with nested request method

RAMAN AZIZIAN
Level 1

Fellow Networkers,

Could someone kindly provide an explanation in regard to the https probe (standard https probe provided with ACE) operation?

What I'm trying to determine/understand is how does the ACE interpret the expected status code, since I am not terminating SSL in the ACE, or is it even necessary for me to include the expected status code?

When the probe is being applied, does the ACE look for the handshaking routine (client hello, etc.) to build the session ID, and then send a "get" to check the status code? I'm trying to understand, if the ACE is not terminating the SSL, is the return code status encrypted or not encrypted.

One of our server admins would like to send a specific request, like the command below, and I wasn't sure if it would work. Unfortunately I do not have a spare ACE module to do some testing.

request method head url /aims/enterprise/user

Example:

!
probe https generic-HTTPs
  interval 5
  passdetect interval 5
  receive 5
  expect status 200 405
!
serverfarm host generic-HTTPS
  predictor leastconns
  probe generic-HTTPs
  rserver RSRV1
    inservice
  rserver RSRV2
    inservice

If you need any additional information, please let me know.

Thanks,

raman

1 Accepted Solution

yushimaz
Cisco Employee

When you configure an https probe on ACE, a connection is established between ACE and the rserver by a 3-way handshake. Then the SSL handshake is processed between ACE and the rserver. After receiving the Finished message from the rserver, ACE sends an HTTP request to the rserver.

If you configure 'request method head url /aims/enterprise/user' on the probe generic-HTTPs, this HTTP request becomes a HEAD request.

If you configure 'expect status 200 405', ACE checks that the status code is valid. If you don't configure the 'expect status' command, ACE only checks whether a status code is returned or not.

Since the probe process works between ACE and the rserver configured with the probe, you don't need 'ssl-proxy service' config.

As an example, I attached a capture trace of the https probe with the following configuration.

I got this trace with the NAM module on the same chassis and then filtered with tcp.port==443.

Since I also attached the private key, you can decode the capture trace with Wireshark.

http://wiki.wireshark.org/SSL

Edit -> Preference -> Protocols -> SSL

RSA key list: 192.168.72.254,443,http,c:\key_probe-ssl.pem

SSL debug file: c:\ssl_debug.txt

### config

ACE20a/Admin# sh run probe
Generating configuration....

probe https probe-ssl
  interval 5
  passdetect interval 5
  receive 5
  request method head url /aims/enterprise/user
  expect status 200 200

ACE20a/Admin#
ACE20a/Admin# sh run rserver
Generating configuration....

rserver host rserver-ssl
  ip address 192.168.72.254
  inservice

ACE20a/Admin# sh run serverfarm
Generating configuration....

serverfarm host sf-ssl
  probe probe-ssl
  rserver rserver-ssl
    inservice

Regards,

Yuji
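
The probe sequence described in the answer above (TCP handshake, SSL handshake, HEAD request, status check), as an added Python sketch that is not part of the original post and is not ACE code. It can be pointed at an rserver when no spare ACE module is available. Assumptions: `expect status` takes a minimum and a maximum, so `200 405` is treated as a range; the function names, the constructed sample response, and the choice to skip certificate validation are illustrative.

```python
import socket
import ssl

# Constructed sample response (not taken from the attached capture).
SAMPLE_RESPONSE = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"

def parse_status(raw):
    """Return the 3-digit status code from a raw HTTP response, else None."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/"):
        if len(parts[1]) == 3 and parts[1].isdigit():
            return int(parts[1])
    return None

def probe_passes(status, expect=None):
    """expect: list of (min, max) ranges, e.g. [(200, 405)] (assumed semantics).
    With no ranges configured, any returned status code passes."""
    if status is None:
        return False
    if not expect:
        return True
    return any(lo <= status <= hi for lo, hi in expect)

def https_probe(host, path="/", port=443, expect=None, receive=5.0):
    """TCP connect, TLS handshake, HEAD request, then status check."""
    ctx = ssl.create_default_context()
    # Assumption: rservers are probed by IP and often present self-signed
    # certificates, so this health check does not validate the certificate.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    request = (f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=receive) as tcp:
            with ctx.wrap_socket(tcp) as tls:  # handshake completes here
                tls.sendall(request)           # request travels encrypted
                raw = tls.recv(4096)           # reply is decrypted locally
    except OSError:  # refused, timed out, or TLS failure
        return False, None
    status = parse_status(raw)
    return probe_passes(status, expect), status
```

Under the range assumption, the `expect status 200 405` from the question would count a 404 on `/aims/enterprise/user` as healthy, while the `200 200` in the answer's configuration accepts only 200.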
