New Member

ACE SSL Terminator doesn't work

Hi,

I have to implement HTTP load balancing and, for HTTPS, an SSL terminator on my ACE.

Public IP 22.235.121.6 port 80 --> balanced on 192.168.250.165-166 on port 8889

Public IP 22.235.121.6 port 443 --> my ACE terminates SSL and balances the traffic in clear text to 192.168.250.165-166 on port 8889

This is the configuration:

probe http EXAMPLE_IT_HTTP
  port 8889
  interval 5
  faildetect 2
  passdetect interval 10
  passdetect count 2
  request method get url /probe/probe.html
  expect status 200 206
  expect status 300 307
  open 1
 
serverfarm host example_IT_HTTP
  failaction reassign across-interface
  predictor leastconns
  probe example_IT_HTTP
  fail-on-all
  rserver H-192.168.250.165 8889
    inservice
  rserver H-192.168.250.166 8889
    inservice
serverfarm host example_IT_HTTPS-HTTP
  failaction reassign across-interface
  predictor leastconns
  probe example_IT_HTTP
  fail-on-all
  rserver H-192.168.250.165 8889
    inservice
  rserver H-192.168.250.166 8889
    inservice

sticky ip-netmask 255.255.255.255 address both example-IT-HTTPS-HTTP
  timeout 60
  replicate sticky
  serverfarm example_IT_HTTPS-HTTP

ssl-proxy service SSL_example_IT
  key example_it.key
  cert example_it.cert
  chaingroup SSL_CHAIN_example_IT

crypto chaingroup SSL_CHAIN_example_IT
  cert example_it.ca

class-map match-all example_IT_HTTP
  2 match virtual-address 22.235.121.6 tcp eq www
class-map match-all example_IT_HTTPS-HTTP
  2 match virtual-address 22.235.121.6 tcp eq www

policy-map type loadbalance first-match example_IT_HTTP-l7slb
  class class-default
    serverfarm example_IT_HTTP
policy-map type loadbalance first-match example_IT_HTTPS-HTTP-l7slb
  class class-default
    sticky-serverfarm example-IT-HTTPS-HTTP

policy-map multi-match int41
  class example_IT_HTTP
    loadbalance vip inservice
    loadbalance policy example_IT_HTTP-l7slb
    loadbalance vip icmp-reply active primary-inservice
  class example_IT_HTTPS-HTTP
    loadbalance vip inservice
    loadbalance policy example_IT_HTTPS-HTTP-l7slb
    loadbalance vip icmp-reply active primary-inservice
    ssl-proxy server SSL_example_IT

The balancing on HTTP works properly, but the SSL termination doesn't work: when I try to connect from my client over HTTPS, I don't see any request arriving at the servers 192.168.250.165-166.

Some show output:

balancer# sh crypto certificate all
example_it.cert:
Subject: /C=GB/ST=United Kingdom/L=London/O=XXXXXXXX/OU=XXXXXXXXX/CN=*.xxxx.com
Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
Not Before: Apr 11 00:00:00 2014 GMT
Not After: Apr 12 23:59:59 2015 GMT
CA Cert: FALSE

example_it.ca:
Subject: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Not Before: Nov  8 00:00:00 2006 GMT
Not After: Jul 16 23:59:59 2036 GMT
CA Cert: TRUE

balancer# sh crypto session
SSL Session Cache Stats for Context     
------------------
Number of Client Sessions:                     0
Number of Server Sessions:                     0
balancer#

 

balancer# sh crypto files
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
cisco-sample-cert                        1082  PEM     Yes        CERT
cisco-sample-key                         887   PEM     Yes         KEY
example_it.ca                              7444  PEM     Yes        CERT
example_it.cert                            1812  PEM     Yes        CERT
example_it.key                             1675  PEM     Yes         KEY

balancer#
balancer# crypto verify example_it.key example_it.cert
Keypair in example_it.key matches certificate in example_it.cert.
balancer#

The show stats crypto client/server output gives me all zeros.

Can someone help me understand why it is not working?

For further information, please ask me.

Thanks a lot

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Hi,

The problem is here:

class-map match-all example_IT_HTTPS-HTTP
  2 match virtual-address 22.235.121.6 tcp eq www

You should change it to 443 instead of www, which means port 80.

You will never match this class "example_IT_HTTPS-HTTP".

Regards,

Kanwal

Note: Please mark answers if they are helpful.

2 REPLIES
New Member

That's correct.

 

I changed

class-map match-all example_IT_HTTPS-HTTP
  2 match virtual-address 22.235.121.6 tcp eq www

to

class-map match-all example_IT_HTTPS-HTTP
  2 match virtual-address 22.235.121.6 tcp eq https

And now it is working.

Thanks a lot
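As an added example (not part of this thread and not a Cisco tool), a small Python checker that reads the class-map and multi-match policy lines quoted above and flags the two things Kanwal's answer and the follow-up fix turn on: a class-map that matches the same VIP and port as an earlier one, and a class that applies ssl-proxy server while matching port 80 rather than 443. The sample config is constructed from the question's configuration, and the service-name-to-port table is an assumed subset of what ACE accepts.

```python
"""Checker for the ACE class-map issue in this thread (constructed example).
Flags a class-map shadowed by an earlier one with the same VIP and port, and
a class that applies 'ssl-proxy server' but matches port 80 rather than 443."""
import re
from collections import defaultdict

PORT_NAMES = {"www": 80, "http": 80, "https": 443}  # ACE service names, assumed subset
MATCH_RE = re.compile(r"\d+ match virtual-address (\S+) tcp eq (\S+)")

# Constructed sample, reduced from the configuration quoted in the question.
SAMPLE_CONFIG = """\
class-map match-all example_IT_HTTP
  2 match virtual-address 22.235.121.6 tcp eq www
class-map match-all example_IT_HTTPS-HTTP
  2 match virtual-address 22.235.121.6 tcp eq www
policy-map multi-match int41
  class example_IT_HTTP
  class example_IT_HTTPS-HTTP
    ssl-proxy server SSL_example_IT
"""

def parse(config):
    """Return ({class: (vip, port)}, {classes that apply ssl-proxy server})."""
    vips, ssl, current, in_policy = {}, set(), None, False
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("class-map "):
            current, in_policy = s.split()[-1], False
        elif s.startswith("policy-map multi-match"):
            current, in_policy = None, True
        elif in_policy and s.startswith("class "):
            current = s.split()[1]
        elif in_policy and current and s.startswith("ssl-proxy server"):
            ssl.add(current)
        elif current and not in_policy and (m := MATCH_RE.match(s)):
            port = m.group(2)  # service name or numeric port
            vips[current] = (m.group(1), PORT_NAMES.get(port, int(port) if port.isdigit() else port))
    return vips, ssl

def find_problems(config):
    """Return human-readable findings; an empty list means both checks passed."""
    vips, ssl = parse(config)
    by_vip = defaultdict(list)
    for name, vip in vips.items():
        by_vip[vip].append(name)
    problems = [f"{names[1:]} shadowed by {names[0]} (same VIP {ip}:{port})"
                for (ip, port), names in by_vip.items() if len(names) > 1]
    problems += [f"class {n} terminates SSL but matches port {vips[n][1]}, not 443"
                 for n in sorted(ssl) if vips.get(n, (None, None))[1] != 443]
    return problems
```

Running find_problems on the sample reports both findings; after changing the second class-map to tcp eq https, as the follow-up did, it reports none.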
