Cisco Support Community
Silver

ACE: Problem with end-to-end SSL

Hi,

I'm having a problem with configuring end-to-end SSL as documented in Section 5 of the ACE SSL guide.

Without the ssl-proxy definition it "works" in the sense that the response is HTTPS format from either of the real servers.

If I add

    ssl-proxy server PSERVICE_SERVER

into

    policy-map multi-match LB-VIP
      class VIP-CATHY-https
        loadbalance vip inservice
        loadbalance policy VIP-LB-CATHY-https

then it fails and a Wireshark trace shows a Handshake Failure - but no helpful details.

What I'm trying to do is terminate and re-initiate the SSL traffic to the two real servers.

Am I missing something obvious? The configuration of my Test context is attached.

Kind Regards

Cathy

4 REPLIES
Bronze

Re: ACE: Problem with end-to-end SSL

Check this bug information: CSCsg04254

Silver

Re: ACE: Problem with end-to-end SSL

Thank you.

I don't have access to the bug database - so if you could copy it to here that would be helpful.

I think I've got a config that works. I hadn't grasped the necessity for a layer 7 policy to make it work. Also I needed to set the close-protocol in the SSL parameters to be none rather than strict (default).

Kind Regards

Cathy

Cisco Employee

Re: ACE: Problem with end-to-end SSL

Cathy, are you using IE?

If yes, could you try another browser like Mozilla?

Are you using a certificate group?

Is the total size bigger than 4k?

Gilles.

Silver

Re: ACE: Problem with end-to-end SSL

I was using IE. By chance I saw another query on here that mentioned the close-protocol option.

I don't think the chaingroup exceeded 4K - but it was probably borderline. I took out the server certificate and just left in the 3 GlobalSign certificates. I couldn't see the point of including it in the chain as well as in the server definition.

I think I have it working - it was just a lot more complicated than I thought it would be. It would be useful if the manual had an example of an end-to-end configuration rather than just referring to Ch4 and Ch3.

Thank you for your help.

Kind Regards

Cathy
