
ACE ssl termination issue

Hi,

I have two ACE 4710s which are configured as virtual contexts in active/active; I configured SSL termination and load balancing.

Load balancing works fine, but with SSL termination, after the main page (web server login page) displays and I enter username and password, an error page displays; in the ACE, the "show conn" command shows the connection established.

Can anyone help me, please?

I created the certificate with openssl, with these commands:

openssl genrsa -out key.pem 1024

openssl req -new -x509 -nodes -sha1 -days 365 -key key.pem -out cert.pem

my configuration:

access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

rserver host NS1
  ip address 192.168.1.11
  inservice
rserver host NS2
  ip address 192.168.1.12
  inservice


ssl-proxy service proxy-1
  key key.pem
  cert cert.pem

serverfarm host NS
  rserver NS1 80
    inservice
  rserver NS2 80
    inservice

class-map match-all NS-vip
  match virtual-address 192.168.215.138 tcp eq https

policy-map type management first-match remote-access
  class class-default
    permit

policy-map type loadbalance http first-match slb
  class class-default
    serverfarm NS

policy-map multi-match NS-vips
  class NS-vip
    loadbalance vip inservice
    loadbalance policy slb
    ssl-proxy server proxy-1

interface vlan 75
  ip address 192.168.215.132 255.255.255.224
  access-group input everyone
  service-policy input NS-vips
  no shutdown


Hedyeh,

Have you tried to bypass the ACE? What results do you have if you do that?

What do you see with #show service-policy class-map detail

Please apply the following change:

parameter-map type http http-parameterTAC  ---> This parameter should be applied in the multi-match policy.
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 65535
  set content-maxparse-length 65535
  length-exceed continue

policy-map multi-match MULTI-TAC
  class VIP-TAC
    loadbalance vip inservice
    loadbalance policy VIP-TAC-L7
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 112
    appl-parameter http advanced-options http-parameterTAC ---> applied parameter
    ssl-proxy server VIP-TAC-SSL

Additionally, you might be missing the intermediate certificate; in that case you can try using a chaingroup with the intermediate certificate:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/chaingrp.html

Hope this helps!

Jorge
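Two checks worth running on the key/cert pair before loading it into an ssl-proxy service, covering the openssl-generated pair in the original post and the chain-completeness point raised above. This is an added example, not code from either poster or from Cisco; it assumes the openssl CLI is on PATH, uses constructed file names and subjects, and generates a 2048-bit SHA-256 pair instead of the 1024-bit SHA-1 one shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is on PATH.
# File names and subject CNs below are constructed for illustration.
set -e

# Build a key and self-signed cert in the same two-step form the original
# poster used (genrsa, then req -x509), but with a 2048-bit key and SHA-256.
# $1 = private key path, $2 = certificate path, $3 = subject CN
make_selfsigned() {
  openssl genrsa -out "$1" 2048 2>/dev/null
  openssl req -new -x509 -nodes -sha256 -days 365 -key "$1" -out "$2" \
    -subj "/CN=$3" 2>/dev/null
}

# Returns 0 when the public key embedded in the certificate is the one
# derived from the private key, 1 otherwise. A mismatched pair lets the
# proxy accept the TCP connection yet fail the TLS handshake.
# $1 = private key path, $2 = certificate path
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# Returns 0 when the certificate chains to a trust anchor in the bundle
# (e.g. the intermediate plus root you would put in a chaingroup),
# 1 when a link is missing.
# $1 = certificate path, $2 = CA bundle path
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Stand-alone demonstration: run as `sh check.sh demo`.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_selfsigned "$d/key.pem" "$d/cert.pem" vip.example
  key_matches_cert "$d/key.pem" "$d/cert.pem" && echo "key/cert pair: OK"
  chain_verifies "$d/cert.pem" "$d/cert.pem" && echo "chain: OK"
  rm -rf "$d"
fi
```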


Hi Hedyeh,

Do you have simultaneous captures on both sides showing this issue?

Have you tried with stickiness configured?

---------------------
Cesar R
ANS Team
