Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACE module https Probe operation question with nested request method

Fellow Networkers,

Could someone kindly provide an explanation in regard to the https probe (standard https probe provided with ACE) operation?

What I'm trying to determine/uderstand is how does the ACE interpert the expected status code, since I am not terminating SSL in the ACE or is it even neccessary for me to include the expected status code.

When the probe is being applied, does the ACE look for the handshaking routine (client hello, etc) to built the session ID, and then sends an "get" to check the status code? I'm trying to understand if the ACE is not terminating the SSL, is the return code status encrypted or not encrypted.

One of our server admin would like to send an specific request, like the command below, and I wasn't sure if it would work. Unfortunatly i do not have a spare ACE module to do some testing.

request method head url /aims/enterprise/user

Example:

!

!

probe https generic-HTTPs
   interval 5
   passdetect interval 5
   receive 5
   expect status 200 405

!

serverfarm host generic-HTTPS
  predictor leastconns

  probe generic-HTTPs
  rserver RSRV1
    inservice
  rserver RSRV2
    inservice

If you need any additional information, please let me know.

Thanks,

raman

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ACE module https Probe operation question with nested reques

When you configure https probe on ACE, a connection is established between ACE and rserver

by 3 way handshake. And then ssl handshake is processed between ACE and rserver.

After receiving Finished message from rserver, ACE sends http request to rserver.

If you configure 'request method head url /aims/enterprise/user' on the probe generic-HTTPs,

this http request becomes head request.

If you configure 'expect status 200 405', ACE checks status code is valid. If you don't configure

'expect status' command, ACE only check whether status code is returned or not.

Since probe process works between ACE and rserver configured probe, you don't need 'ssl-proxy

service' config.

As an example, I attached capture trace of https probe with the following configuration.

I got this trace with NAM module on the same chassis and then filtered with tcp.port==443.

Since I also attached private key, you can decode the capture trace with wireshark.

http://wiki.wireshark.org/SSL

Edit -> Preference -> Protocols -> SSL

RSA key list: 192.168.72.254,443,http,c:\key_probe-ssl.pem

SSL debug file: c:\ssl_debug.txt

### config

ACE20a/Admin# sh run probe

Generating configuration....

probe https probe-ssl

  interval 5

  passdetect interval 5

  receive 5

  request method head url /aims/enterprise/user

  expect status 200 200

ACE20a/Admin#

ACE20a/Admin# sh run rserver

Generating configuration....

rserver host rserver-ssl

  ip address 192.168.72.254

  inservice

ACE20a/Admin# sh run serverfarm

Generating configuration....

serverfarm host sf-ssl

  probe probe-ssl

  rserver rserver-ssl

    inservice

Regards,

Yuji

1 REPLY
Cisco Employee

Re: ACE module https Probe operation question with nested reques

When you configure https probe on ACE, a connection is established between ACE and rserver

by 3 way handshake. And then ssl handshake is processed between ACE and rserver.

After receiving Finished message from rserver, ACE sends http request to rserver.

If you configure 'request method head url /aims/enterprise/user' on the probe generic-HTTPs,

this http request becomes head request.

If you configure 'expect status 200 405', ACE checks status code is valid. If you don't configure

'expect status' command, ACE only check whether status code is returned or not.

Since probe process works between ACE and rserver configured probe, you don't need 'ssl-proxy

service' config.

As an example, I attached capture trace of https probe with the following configuration.

I got this trace with NAM module on the same chassis and then filtered with tcp.port==443.

Since I also attached private key, you can decode the capture trace with wireshark.

http://wiki.wireshark.org/SSL

Edit -> Preference -> Protocols -> SSL

RSA key list: 192.168.72.254,443,http,c:\key_probe-ssl.pem

SSL debug file: c:\ssl_debug.txt

### config

ACE20a/Admin# sh run probe

Generating configuration....

probe https probe-ssl

  interval 5

  passdetect interval 5

  receive 5

  request method head url /aims/enterprise/user

  expect status 200 200

ACE20a/Admin#

ACE20a/Admin# sh run rserver

Generating configuration....

rserver host rserver-ssl

  ip address 192.168.72.254

  inservice

ACE20a/Admin# sh run serverfarm

Generating configuration....

serverfarm host sf-ssl

  probe probe-ssl

  rserver rserver-ssl

    inservice

Regards,

Yuji

2085
Views
0
Helpful
1
Replies
CreatePlease to create content