I had worked my way through setting up a simple design of two servers, and an HTTP load balance with the ACE across them. I then installed some certificates, and mucked around till I managed to get HTTPS frontside, and HTTP backend working. It worked from Firefox, and IE6.
I then rebooted the ACE and upgraded the software from A1_2 to A1_5a. Now Firefox still works, but IE6 says that it cannot find the server. This is a lie. A packet trace shows it suffering from an SSL handshake failure (40). I'm also seeing now a "malformed Packet SSL", whereas before the packet contained certificates.
Does anyone know why IE6 has stopped working? I rolled back to the older code, and the correct behaviour returns. Is there a new option to make IE work with latest ACE code?
When I use ANM to install the certificates (and keys) (using "terminal" cut-n-paste), the files that appear in the "show crypto files" are TWICE the size of the true certificates. By using crypto export terminal, I can see that the file contains two complete sets of ---BEGIN and ---END lines, and two copies of the key or certificate. Hence when I make a chain of our cert, plus the Verisign intermediate CA, I exceed 4k.
I used the CLI to export the certificate to the screen, deleted the file, then imported from terminal by cut'n'paste; the resulting file was half the size. Did this to both certificates and the private key, and now IE6 and Safari are happy.
I had to use ANM initially to install the certificates, as any changes to the crypto files from the CLI are not reflected in the ANM database, even after a refresh of the config from the device. The only way ANM seems to know about certificates is if it puts them there, and it seems to get it wrong.
I now see fewer certificates in the Wireshark packets during the SSL exchange. Why it changed between versions 2 and 5a I don't know. Maybe the older version only sent the first instance in the file. Although looking at the capture, the older version was happy with 4231 bytes of certificates.
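The root cause described above (a crypto file holding two complete copies of the same PEM block, doubling its size and pushing the certificate chain past the size the ACE would send cleanly) is easy to catch before importing. The following script is an added example, not code from the original thread or from Cisco; it parses a PEM-format file, counts the BEGIN/END blocks, flags any block whose body appears more than once, rebuilds the file with only the first copy of each block, and reports whether the file exceeds a size limit. The 4096-byte default is taken from the "exceed 4k" remark in the thread, not from any product documentation, so treat it as an assumption and pass your own limit. The sample input is constructed with placeholder base64 bodies, not real certificates or keys.

```python
import re
import sys
from collections import Counter

# Constructed sample of a duplicated crypto file: each block appears twice,
# mirroring the doubled files the thread describes. Bodies are placeholders,
# not real certificate or key material.
SAMPLE_DUPLICATED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBsampleServerCertPlaceholderAAAA\n"
    "-----END CERTIFICATE-----\n"
) * 2 + (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEsamplePrivateKeyPlaceholderBBBB\n"
    "-----END RSA PRIVATE KEY-----\n"
) * 2

# One PEM block: BEGIN label, base64 body, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def parse_pem_blocks(text):
    """Return a list of (label, body) tuples, one per PEM block, with the
    base64 body normalised (all whitespace removed) so copies compare equal."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group(1)
        body = "".join(m.group(2).split())
        blocks.append((label, body))
    return blocks


def find_duplicates(blocks):
    """Map each (label, body) that occurs more than once to its count."""
    counts = Counter(blocks)
    return {blk: n for blk, n in counts.items() if n > 1}


def dedupe(text):
    """Rebuild the PEM text keeping the first occurrence of each block,
    re-wrapping the body at 64 columns as PEM tools conventionally do."""
    seen = set()
    out = []
    for label, body in parse_pem_blocks(text):
        if (label, body) in seen:
            continue
        seen.add((label, body))
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        out.append(
            f"-----BEGIN {label}-----\n"
            + "\n".join(lines)
            + f"\n-----END {label}-----\n"
        )
    return "".join(out)


def check_file(text, size_limit=4096):
    """Summarise a crypto file: block counts, duplicates, and size before and
    after removing duplicate blocks. size_limit defaults to the 4 KB figure
    mentioned in the thread (an assumption, not a documented limit)."""
    blocks = parse_pem_blocks(text)
    cleaned = dedupe(text)
    size = len(text.encode())
    deduped_size = len(cleaned.encode())
    return {
        "blocks": len(blocks),
        "unique_blocks": len(set(blocks)),
        "duplicates": len(find_duplicates(blocks)),
        "size": size,
        "deduped_size": deduped_size,
        "over_limit": size > size_limit,
        "deduped_over_limit": deduped_size > size_limit,
    }


if __name__ == "__main__":
    # Usage: python pem_check.py [file.pem]; with no argument the constructed
    # sample is checked so the script runs offline.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="ascii") as fh:
            data = fh.read()
    else:
        data = SAMPLE_DUPLICATED_PEM
    report = check_file(data)
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["duplicates"]:
        print("--- deduplicated file ---")
        print(dedupe(data), end="")
```

Run it against the output of the ACE's terminal export (or the file ANM wrote) before building the chain: a "duplicates" count above zero means the import doubled the content, and "deduped_over_limit" tells you whether the cleaned server certificate plus intermediate CA would still be too large. Because the file may contain a private key, keep the export and this check on a host you control and delete the copy afterwards.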