Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

ACE SSL end-to-end

Hi

I am attempting to configure an ACE4710 to perform SSL end-to-end confguration. i.e. SSL termination - load balance - SSL initiate to backend server

The configuration appears to work fine in a test lab using any old web server, however when I peform the same configuration in the production environment it does not work. It appeatrs from a capture run on the ace that the ace is reseting the tcp connections after communicating with the back end server.

The main difference I can think of in this environment is that the cert and key pair the ace is using where exported from the backend server, i.e. both the ace and the backend server have the same certificates and keys. Is this allowed? Any tips on how to troubleshoot why the ace resets the connection.

Regards

Dave

Everyone's tags (4)
6 REPLIES
Bronze

ACE SSL end-to-end

Hi Dave,

Using the cert and key pair in the ACE and the backend server at the same time shouldn't be a problem. Do you have the same design routing wise in your lab and production? Perhaps NAT is configured in the lab ACE but not in production.

If you can share a sanitize copy of the relevant portion of your configs we can take a look.

Cheers

__ __

Pablo

Community Member

ACE SSL end-to-end

Hi Pablo

Here is the sanitised config, neither the lab nor production environments use any nat. The SSL config is only required for the port 4443 vserver.

Regards

Dave

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.06.01 00:23:28 =~=~=~=~=~=~=~=~=~=~=~=
h run  [J  [J  [J  [J  [J  [Jterm   [J  [J  [J  [J  [Jterm len 0


CORP-CIV-ACE-PRI/Lync# sh run

Generating configuration....

logging enable
logging timestamp
logging trap 5
logging monitor 3


access-list cap line 8 extended permit ip host 10.249.3.221 host 10.249.140.10
access-list permit_any line 1 extended permit ip any any

probe icmp ICMP
probe tcp TCP-443
  port 443
probe tcp TCP-4443
  port 4443
probe tcp TCP-80
  port 80

rserver host LYNCDR01
  ip address 10.249.141.7
  conn-limit max 4000000 min 4000000
  probe ICMP
  inservice
rserver host LYNCDR02
  ip address 10.249.141.8
  conn-limit max 4000000 min 4000000
  probe ICMP
  inservice


serverfarm host LYNCDIR01-443
  predictor response syn-to-close
  probe TCP-443
  rserver LYNCDR01
    inservice
  rserver MLYNCDR02
    inservice
serverfarm host LYNCDIR01-4443
  predictor response syn-to-close
  probe TCP-4443
  rserver LYNCDR01 4443
    inservice
  rserver LYNCDR02 4443
    inservice

sticky ip-netmask 255.255.255.255 address source S-LYNCDIR01-443
  replicate sticky
  serverfarm LYNCDIR01-443
sticky ip-netmask 255.255.255.255 address source S-LYNCDIR01-4443
  replicate sticky
  serverfarm LYNCDIR01-4443
sticky http-cookie MS-WSMAN S-LYNCDIR01-4443-COOKIE
  cookie insert
  replicate sticky
  serverfarm LYNCDIR01-4443
sticky http-cookie MS-WSMAN S-LYNCPOOL01-443-COOKIE
  cookie insert
  replicate sticky
  serverfarm LYNCPOOL01-4443


ssl-proxy service LYNCDIRSSL
  key kcomlyncdir01.pfx
  cert kcomlyncdir01.pfx

ssl-proxy service SSL-dir-client

class-map match-all LYNCDIR01-443
  2 match virtual-address 10.249.140.10 tcp eq https
class-map match-all LYNCDIR01-4443
  2 match virtual-address 10.249.140.10 tcp eq 4443

policy-map type management first-match mgmt-pm
  class class-default
    permit

policy-map type loadbalance first-match LYNCDIR01-443-l7slb
  class class-default
    sticky-serverfarm S-LYNCDIR01-443
policy-map type loadbalance first-match LYNCDIR01-4443-l7slb
  class class-default
    sticky-serverfarm S-LYNCDIR01-4443
    ssl-proxy client SSL-dir-client

policy-map multi-match int404

  class LYNCDIR01-443
    loadbalance vip inservice
    loadbalance policy LYNCDIR01-443-l7slb
    loadbalance vip icmp-reply
  class LYNCDIR01-4443
    loadbalance vip inservice
    loadbalance policy LYNCDIR01-4443-l7slb
    loadbalance vip icmp-reply
    ssl-proxy server LYNCDIRSSL

interface vlan 141
  ip address 10.249.141.28 255.255.255.224
  alias 10.249.141.30 255.255.255.224
  peer ip address 10.249.141.29 255.255.255.224
  access-group input permit_any
  no shutdown
interface vlan 404
  ip address 10.249.140.125 255.255.255.128
  alias 10.249.140.124 255.255.255.128
  peer ip address 10.249.140.126 255.255.255.128
  access-group input permit_any
  service-policy input mgmt-pm
  service-policy input int404
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.249.140.123


CORP-CIV-ACE-PRI/Lync#
[J [J
CORP-CIV-ACE-PRI/Lync# exit

Community Member

ACE SSL end-to-end

Hi Dave,

I doubt ssl-proxy service.

ssl-proxy service LYNCDIRSSL

  key kcomlyncdir01.pfx

  cert kcomlyncdir01.pfx

Verify the key and cert using crypto verify command and confirm its a valid pair.

ACE SSL end-to-end

Hello Dave,

What version you are running?

Yes, you can check your certs and keys with:

  • Show crypto files—Displays certificates and keys stored under a context.

    This example provides sample output:

    switch/C1#show crypto files
    Filename                                 File  File    Expor      Key/
                                             Size  Type    table      Cert
    -----------------------------------------------------------------------
    inter.pem                                1992  PEM     Yes        CERT
    rsakey.pem                               891   PEM     Yes         KEY
    slot2-1tier.pem                          1923  PEM     Yes        CERT
    slot2-2tier.pem                          1762  PEM     Yes        CERT
  • Crypto verify key certificate—Verifies that the Certificate and key match.

    This example provides sample output:

    switch/C1#crypto verify rsakey.pem slot2-2tier.pem
    Keypair in rsakey.pem matches certificate in slot2-2tier.pem

Here you have a sample about how a END-TO-END SSL should look like:

class-map match-all L4-CLASS-HTTPS

  2 match virtual-address 172.16.0.15 tcp eq https

policy-map multi-match VIPs

  class L4-CLASS-HTTPS

    loadbalance vip inservice

    loadbalance policy HTTPS-POLICY

    loadbalance vip icmp-reply

    loadbalance vip advertise active

    appl-parameter http advanced-options http_parameter_map

    ssl-proxy server CISCO-SSL-PROXY

policy-map type loadbalance http first-match HTTPS-POLICY

  class class-default

    serverfarm SF-1

    ssl-proxy client CLIENT-SSL-PROXY

serverfarm host SF-1

  rserver S1 443

    inservice

  rserver S2 443

    inservice

  rserver S3 443

    inservice

  rserver S4 443

    inservice

rserver host S1

  ip address 192.168.0.200

  inservice

rserver host S2

  ip address 192.168.0.201

  inservice

rserver host S3

  ip address 192.168.0.202

  inservice

rserver host S4

  ip address 192.168.0.203

  inservice

ssl-proxy service CLIENT-SSL-PROXY

ssl-proxy service CISCO-SSL-PROXY

  key rsakey.pem

  cert slot2-2tier.pem

  chaingroup Chaingroup1

  ssl advanced-options PARAMETER_SSL

crypto chaingroup Chaingroup1

  cert inter.pem

parameter-map type http http_parameter_map

  persistence-rebalance

  set content-maxparse-length 8192

  set header-maxparse-length 8192

parameter-map type ssl PARAMETER_SSL

session-cache timeout 300

queue-delay timeout 1

Here you have a link about it:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/ssl/guide/endtoend.pdf

Can you upload these outputs?

# show stats loadbalance

# show stats http

For the details which I included on the http parameter, here you have some additional details:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1245246

Setting the Maximum Number of Bytes to Parse for Content

By default, the maximum number of bytes that the ACE parses to check for content is 4096. If a content string exceeds the default value, the ACE drops the packet and sends a RST (reset) to the client browser. You can increase the number of bytes that the ACE parses using the set content-maxparse-length command in HTTP parameter map configuration mode. The syntax of this command is as follows:

set content-maxparse-length bytes

The bytes argument is the maximum number of bytes to parse for the total length of a content string. Enter an integer from 1 to 65535. The default is 4096 bytes.

For example, to set the content maximum parse length to 8192, enter:

host1/Admin(config-parammap-http)# set content-maxparse-length 8192

Setting the Maximum Number of Bytes to Parse for Cookies, HTTP Headers, and URLs

By default, the maximum number of bytes that the ACE parses to check for a cookie, HTTP header, or URL is 4096. If a cookie, HTTP header, or URL exceeds the default value, the ACE drops the packet and sends a RST (reset) to the client browser. You can increase the number of bytes that the ACE parses using the set header-maxparse-length command in HTTP parameter-map configuration mode. The syntax of this command is as follows:

set header-maxparse-length bytes

The bytes argument is the maximum number of bytes to parse for the total length of all cookies, HTTP headers, and URLs. Enter an integer from 1 to 65535. The default is 4096 bytes.

For example, to set the HTTP header maximum parse length to 8192, enter:

host1/Admin(config-parammap-http)# set header-maxparse-length 8192

Jorge

Community Member

ACE SSL end-to-end

Hi

The answer to this one is that the http header was greater than 4K so needed to use a parameter map to increase the header size that the ace would look at.

Thanks for the advice

ACE SSL end-to-end

It sounds great the information was useful for you.

Please mark it, if you consider it helped you.

:-D

1920
Views
0
Helpful
6
Replies
CreatePlease to create content