Cisco ACE Mod 30 - HTTPS probes are failing after hardware replacement.

Mar 13th, 2014

We recently had a hardware failure on ACE Mod30. The replacement went in relatively painlessly (except for having to import about 100 SSL Certificates and Private Keys).

 

However, on the new ACE, the HTTPS probes are failing for all contexts using them. We can work around this by using TCP-443 probe, but the customer prefers that we actually request a logon page to ensure that the application is running properly.

 

Here are the probe stats for one context (THIS ONE IS ACTIVE)

BRTDCSCRTR2/INTRA-DEV-TST# sho stats probe type https

+------------------------------------------+
+----------- Probe statistics -------------+
+------------------------------------------+
 ----- https probe ----
 Total probes sent       : 52422        Total send failures   : 0
 Total probes passed     : 0            Total probes failed   : 52422
 Total connect errors    : 0            Total conns refused   : 0
 Total RST received      : 0            Total open timeouts   : 52422
 Total receive timeout   : 0            Total active sockets  : 0

 

Here are the probe stats for one context (THIS ONE IS HOT_STANDBY)

BRTDCSCRTR2/INTRA-PROD# sho stats probe type https

+------------------------------------------+
+----------- Probe statistics -------------+
+------------------------------------------+
 ----- https probe ----
 Total probes sent       : 69398        Total send failures   : 0
 Total probes passed     : 0            Total probes failed   : 69398
 Total connect errors    : 0            Total conns refused   : 0
 Total RST received      : 0            Total open timeouts   : 69398
 Total receive timeout   : 0            Total active sockets  : 0

 

Everything else appears to be working properly, except for the HTTPS probes.

 

Fnu Kanwaljeet Singh Thu, 03/13/2014 - 14:03
User Badges:
  • Cisco Employee,

Hi Nelson,

If you do "show probe <probe name> detail", what do you see there? Do you see any resource usage issue? You can check by using the "show resource-usage" command. We would need more information to proceed further on this. I see that all the probes have failed. What changed? Anything on the server or probe configuration, or the version of ACE after replacement? What do you see in the logs as the failure reason?

Regards,

Kanwal

hamalik Fri, 03/14/2014 - 09:59
User Badges:
  • Cisco Employee,

Hi,

For HTTPS probes to be successful, you don't need to have SSL certs/private keys on ACE, unless servers are doing client authentication. When ACE sends HTTPS probes to servers, it acts as a client.

Here are a few things that can be tried:

- Test the HTTPS probe with only one server. Reload the server to clear any SSL cache on it.

- Check the SSL probe detail to verify the error code received.

- Take captures between ACE and that server to find at what stage the probe packet exchange is failing.

Here is a good link to troubleshoot HTTPS probe issues:

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29...

Regards,

Hasham
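
An added example, not part of the original thread and not Cisco code: a client-side check, run from a host on the same path to the server, that walks the steps an HTTPS probe depends on (TCP open, TLS handshake as a plain client with no certificate, HTTP GET) and reports the first stage that fails, to compare against the capture suggested above. The stage names, the defaults and the local `plaintext_listener` test peer are assumptions of this example, not ACE counters or commands.

```python
import socket
import ssl
import threading

def probe_https(host, port=443, path="/", timeout=3.0, verify=False):
    """Return (stage, detail); stage is the first step that failed, or 'ok'."""
    try:  # Stage 1: TCP three-way handshake
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("tcp_open_timeout", "no answer to SYN within %.1fs" % timeout)
    except OSError as exc:  # refused, unreachable, reset
        return ("tcp_connect_error", str(exc))
    # Stage 2: TLS handshake as a plain client; no client certificate is loaded
    ctx = ssl.create_default_context()
    if not verify:  # assumption: testing whether each stage completes, not trust
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except OSError as exc:  # ssl.SSLError and socket.timeout are OSError subclasses
        sock.close()
        return ("tls_handshake", str(exc))
    try:  # Stage 3: HTTP request and status line
        req = "GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % (path, host)
        tls.sendall(req.encode("ascii"))
        status = tls.recv(4096).split(b"\r\n", 1)[0].decode("ascii", "replace")
    except OSError as exc:
        return ("http_receive", str(exc))
    finally:
        tls.close()
    parts = status.split()
    if len(parts) >= 2 and parts[1] == "200":
        return ("ok", status)
    return ("http_status", status or "empty response")

def plaintext_listener():
    """Constructed local peer: accepts one TCP connection, replies without TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"not tls\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    print(probe_https("127.0.0.1", plaintext_listener(), "/", timeout=2.0))
```
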
