SSL Offloading not working right

rowelldionicio

I'm having trouble getting SSL offloading to work correctly in my test environment. I built a test web server and can get HTTP to load balance just fine. In the same context I am doing SSL offloading. Within Wireshark I can see the source making it to the ACE and then the ACE communicating with the web server, but the connection stops after the web server sends an ACK packet to the NAT address on the ACE. The connection is eventually reset (RST). Here's the configuration:

ACE/VC_test# sh run
Generating configuration....
crypto chaingroup INTERMED_GODADDY
  cert intermediate.pem
access-list Allow_VLAN205_Traffic line 15 extended permit tcp any host 10.90.205.10 eq https
access-list Allow_VLAN205_Traffic line 18 extended permit tcp any host 10.90.205.10 eq www
probe icmp ICMP_PROBE
  description PROBE INTENDED FOR LOAD BALANCING TRAFFIC
  interval 2
  faildetect 2
  passdetect interval 2
  passdetect count 5
rserver host WEB01
  ip address 10.90.10.46
  inservice
rserver host WEB02
  ip address 10.90.10.47
  inservice
serverfarm host SF_test
  description TEST SERVER FARM
  probe ICMP_PROBE
  rserver WEB01
    inservice
  rserver WEB02
parameter-map type ssl SSL_TERM_PARAM
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA priority 3
  rehandshake enabled
sticky http-cookie SSL_PERS SFTEST_STICKY
  cookie insert browser-expire
  serverfarm SF_test
action-list type modify http SSL_ACTIONLIST
  ssl url rewrite location "lb\.website\.org\.*"
ssl-proxy service SSL_PROXY_SSLTEST
  key lbprivatekey.pem
  cert lbservercert.pem
  chaingroup INTERMED_GODADDY
  ssl advanced-options SSL_TERM_PARAM
class-map match-all HTTPS_CLASS
  2 match virtual-address 10.90.205.10 255.255.255.0 tcp eq https
class-map type management match-any Remote-Mgmt_Class
  2 match protocol ssh any
  3 match protocol https any
  4 match protocol icmp any
  5 match protocol snmp any
  6 match protocol xml-https any
class-map match-all VIP_CLASS
  2 match virtual-address 10.90.205.10 tcp eq www
policy-map type management first-match Remote-Mgmt_Policy
  class Remote-Mgmt_Class
    permit
policy-map type loadbalance http first-match HTTP_POLICY
  class class-default
    serverfarm SF_test
policy-map type loadbalance http first-match SSL_POLICY
  class class-default
    sticky-serverfarm SFTEST_STICKY
    action SSL_ACTIONLIST
policy-map multi-match HTTPS_VIPs
  class HTTPS_CLASS
    loadbalance vip inservice
    loadbalance policy SSL_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 30 vlan 205
    ssl-proxy server SSL_PROXY_SSLTEST
policy-map multi-match VIPs
  class VIP_CLASS
    loadbalance vip inservice
    loadbalance policy HTTP_POLICY
    loadbalance vip icmp-reply active
  class class-default
    nat dynamic 20 vlan 205
interface vlan 200
interface vlan 205
  description TEST
  ip address 10.90.205.11 255.255.255.0
  no normalization
  access-group input Allow_VLAN205_Traffic
  nat-pool 20 10.90.205.250 10.90.205.254 netmask 255.255.255.0 pat
  nat-pool 30 10.90.205.240 10.90.205.245 netmask 255.255.255.0 pat
  service-policy input VIPs
  service-policy input HTTPS_VIPs
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.90.205.1

Could the problem be the ssl rewrite?



pablo.nxh

Hello,

In order for SSL termination to work correctly you need to specify the clear-text port used on the backend servers; otherwise the ACE will make the call to the servers using the same port configured for the VIP.

Try removing the rservers from the serverfarm first and then add the clear-text port number next to them; it would end up looking like this:

serverfarm host SF_test
  description TEST SERVER FARM
  probe ICMP_PROBE
  rserver WEB01 80
    inservice
  rserver WEB02 80

HTH

__ __

Pablo

Unfortunately that didn't work for me. Since SSL offloading is done at the ACE there is no reason to have the web server answering on port 443, correct?

I think I spotted another problem in your configuration: your HTTPS VIP is using a /24 mask instead of /32.

Remove the current line and enter the following line instead:

2 match virtual-address 10.90.205.10 255.255.255.255 tcp eq https

To answer your question... yeah, it makes no sense using 443 on your backend servers for what you're trying to accomplish; this would be called end-to-end SSL and it would add extra processing to your servers.

HTH

__ __

Pablo

That did it! Now https is working. Thanks!

Is it possible to have regular HTTP on this context, or is it best practice to put HTTPS on its own context?

UPDATE: I just got HTTP load balancing as well on the same context.
