Cisco Support Community
New Member

ACE with SSL with One ARM deployment

I am working with an ACE 4710 in the one-arm configuration. I am trying to enable SSL and, well, to be honest... am just not getting it.

Below is the config...

crypto chaingroup prd_SSLChainGroup
  cert sub_root_2.crt
  cert root.crt
crypto csr-params prdSSL
  country US
  state ST
  locality SMALL TOWN
  organization-name SOME ORG
  common-name www.name.int
access-list allow line 8 extended permit ip any any
probe icmp PROBE_SERVICE_ICMP
  interval 60
  passdetect interval 5
  receive 5
parameter-map type ssl prd_SSL_Parmeter_Map
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_EXPORT1024_WITH_RC4_56_MD5
  cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
  cipher RSA_EXPORT1024_WITH_RC4_56_SHA
rserver host 21-XYZ8-PA-prd-S02
  ip address a.b.c.21
rserver host 25-XYZ8host1
  ip address a.b.c.25
rserver host 26-XYZ8host2
  ip address a.b.c.26
rserver host 27-XYZ8host3
  ip address a.b.c.27
rserver host 29-XYZ10host1
  ip address a.b.c.29
rserver host 30-XYZ10host2
  ip address a.b.c.30
rserver host 31-XYZ10host3
  ip address a.b.c.31
rserver host 32-XYZ8-PA-prd-S03
  ip address a.b.c.32
rserver host 33-XYZ8-PA-prd-S04
  ip address a.b.c.33
  inservice
rserver host PA-prd-VS05
serverfarm host XYZ10-7001
  probe PROBE_SERVICE_ICMP
  rserver 21-XYZ8-PA-prd-S02 7001
  rserver 25-XYZ8host1 7001
  rserver 26-XYZ8host2 7001
  rserver 27-XYZ8host3 7001
  rserver 29-XYZ10host1 7001
  rserver 30-XYZ10host2 7001
  rserver 31-XYZ10host3 7001
  rserver 32-XYZ8-PA-prd-S03 7001
  rserver 33-XYZ8-PA-prd-S04 7001
    inservice
ssl-proxy service prd_SSLProxy
  key KEYPAIR.PEM
  cert mycert.pem
  ssl advanced-options prd_SSL_Parmeter_Map
sticky http-cookie ACE_COOKIE-7001 7001_STICKY
  cookie insert browser-expire
  replicate sticky
  serverfarm XYZ10-7001
class-map match-any XYZ10-HTTP-80-CLASS
  2 match virtual-address a.b.c.10 tcp eq www
class-map match-any XYZ10-HTTPS-CLASS
  2 match virtual-address a.b.c.10 tcp eq https
policy-map type loadbalance first-match HTTP
  class class-default
    serverfarm XYZ10-7001
policy-map type loadbalance first-match HTTPS
  class class-default
    serverfarm XYZ10-7001
policy-map multi-match XYZ10-SLB
  class XYZ10-HTTPS-CLASS
    loadbalance vip inservice
    loadbalance policy HTTPS
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 1000
    ssl-proxy server prd_SSLProxy
  class XYZ10-HTTP-80-CLASS
    loadbalance vip inservice
    loadbalance policy HTTP
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 1000
interface vlan 1000
  ip address a.b.c.11 255.255.255.0
  access-group input allow
  nat-pool 1 a.b.c.200 a.b.c.203 netmask 255.255.255.0 pat
  service-policy input XYZ10-SLB
  no shutdown
ip route 0.0.0.0 0.0.0.0 a.b.c.1

I did see these errors in the debug SSL output...

2010 Nov  4 04:45:01.732206 ssl mgr: (ctx:1)ssl_pki_verify: key in  KEYPAIR.PEM does not match cert in root_2.crt
2010 Nov  4 04:45:01.812870 ssl mgr: (ctx:1)ssl_pki_verify: key in  KEYPAIR.PEM does not match cert in sub_root_2.crt

but as they are the ROOT and SUB Root... I was not too concerned about it.

Any thoughts?

2 ACCEPTED SOLUTIONS

7 REPLIES
New Member

Re: ACE with SSL with One ARM deployment

Once you have imported the cert and generated a key, check your certs and keys using the command crypto verify, and replace the crypto files if the command fails.

I couldn't find something specific to the chaingroup in this link, but you might find it useful:

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide%2C_Release_A2%28x%29_--_Troubleshooting_SSL

Your config looks fine to me.

New Member

Re: ACE with SSL with One ARM deployment

The cert looks good.

The issue seems to be that the SSL proxy service is not working on the ACE.

Cisco Employee

Re: ACE with SSL with One ARM deployment

Hi Cody,

Did you already assign the resources for the Context in question?

Is HTTP working fine?

__ __

Pablo

New Member

Re: ACE with SSL with One ARM deployment

The HTTP works fine.... Now I am not sure about assigning the resources to the Context... can you explain more, please?

Cisco Employee

Re: ACE with SSL with One ARM deployment

Cody,

When dealing with virtualization, ACE hardware resources are allocated to individual contexts under the control of resource-level controls configured in the Admin context.

resource-class LB
  limit-resource all minimum 10.00 maximum unlimited

context Production
  member LB

You can dig further on resource usage and configuration here: http://xrl.us/bh6v6g

Let us know if this does the trick.

HTH

__ __

Pablo

New Member

Re: ACE with SSL with One ARM deployment

We did this... and upgraded to A4.1... and it is almost working....

New Member

Re: ACE with SSL with One ARM deployment

When we did the upgrade to 4.1, all the mapping of the SSL proxy was removed... once those settings were replaced, we were good....

Finally.... Yeah.... thank you all for your help.
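As an added example that is not part of this thread and is not Cisco tooling: a small offline checker for the structural mistakes a reviewer would look for in a config like the one posted above, including the symptom from the last reply (the `ssl-proxy server` mapping silently disappearing from the policy-map after the upgrade). The sample config is a trimmed, constructed copy of the posted one with one invented serverfarm member (`40-missing`) so that check has something to fire on; the `chaingroup <name>` line under `ssl-proxy service` is an assumed syntax for attaching a chaingroup; and the weak-cipher list is the editor's own. It cannot tell whether `KEYPAIR.PEM` actually matches `mycert.pem`; that is what the `crypto verify` command mentioned in the accepted answer does on the device itself.

```python
"""Offline sanity checks for a Cisco ACE config (added example, not Cisco tooling)."""
import re

# Constructed sample: a trimmed copy of the one-arm SSL config posted in the thread, plus one
# deliberately undefined serverfarm member ("40-missing") so that check fires.
SAMPLE_CONFIG = """\
crypto chaingroup prd_SSLChainGroup
  cert sub_root_2.crt
parameter-map type ssl prd_SSL_Parmeter_Map
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
rserver host 33-XYZ8-PA-prd-S04
  ip address a.b.c.33
  inservice
rserver host PA-prd-VS05
serverfarm host XYZ10-7001
  rserver 33-XYZ8-PA-prd-S04 7001
  rserver 40-missing 7001
ssl-proxy service prd_SSLProxy
  key KEYPAIR.PEM
  cert mycert.pem
class-map match-any XYZ10-HTTPS-CLASS
  2 match virtual-address a.b.c.10 tcp eq https
policy-map multi-match XYZ10-SLB
  class XYZ10-HTTPS-CLASS
    loadbalance vip inservice
    ssl-proxy server prd_SSLProxy
"""
# Constructed "after upgrade" variant: the ssl-proxy mapping has dropped out of the policy-map,
# which is the symptom the last reply in the thread describes.
UPGRADED_CONFIG = SAMPLE_CONFIG.replace("    ssl-proxy server prd_SSLProxy\n", "")
# Substrings marking ciphers that should not be offered (export grade, RC4, MD5, single DES, NULL).
WEAK_CIPHER_MARKERS = ("EXPORT", "RC4", "MD5", "_DES_", "NULL")

class Node:
    """One config line plus the lines indented beneath it."""
    def __init__(self, text, indent):
        self.text, self.indent, self.children = text, indent, []

def parse(config):
    """Indentation tree: each line becomes a child of the nearest less-indented line above it."""
    root = Node("", -1)
    stack = [root]
    for raw in config.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1].indent >= indent:
            stack.pop()
        node = Node(raw.strip(), indent)
        stack[-1].children.append(node)
        stack.append(node)
    return root

def child(node, prefix):
    """First direct child whose text starts with prefix, or None."""
    return next((c for c in node.children if c.text.startswith(prefix)), None)

def lint(config):
    """Return human-readable findings for the structural problems checked below."""
    top = parse(config).children
    def blocks(prefix):
        return [n for n in top if n.text.startswith(prefix)]
    findings = []
    # 1. A real server with no address can never receive traffic.
    rservers = set()
    for n in blocks("rserver host "):
        rservers.add(n.text.split()[2])
        if child(n, "ip address ") is None:
            findings.append(f"rserver {n.text.split()[2]}: no ip address configured")
    # 2. Serverfarm members must name defined rservers.
    for n in blocks("serverfarm host "):
        for m in (c for c in n.children if c.text.startswith("rserver ")):
            if m.text.split()[1] not in rservers:
                findings.append(f"serverfarm {n.text.split()[2]}: member {m.text.split()[1]} is not a defined rserver")
    # 3. Legacy ciphers offered by an SSL parameter map.
    for n in blocks("parameter-map type ssl "):
        for c in (c for c in n.children if c.text.startswith("cipher ")):
            if any(mark in c.text for mark in WEAK_CIPHER_MARKERS):
                findings.append(f"parameter-map {n.text.split()[3]}: weak cipher {c.text.split()[1]}")
    # 4. A chaingroup only takes effect once an ssl-proxy service attaches it
    #    (assumed syntax: "chaingroup <name>" under "ssl-proxy service").
    chaingroups = {n.text.split()[2] for n in blocks("crypto chaingroup ")}
    attached = {child(n, "chaingroup ").text.split()[1]
                for n in blocks("ssl-proxy service ") if child(n, "chaingroup ") is not None}
    for cg in sorted(chaingroups - attached):
        findings.append(f"chaingroup {cg}: defined but not attached to any ssl-proxy service")
    # 5. An HTTPS VIP class without "ssl-proxy server" means the ACE is not terminating TLS for it.
    https_classes = {n.text.split()[-1] for n in blocks("class-map ")
                     if any(re.search(r"\btcp eq (https|443)\b", c.text) for c in n.children)}
    for n in blocks("policy-map multi-match "):
        for cl in (c for c in n.children if c.text.startswith("class ")):
            if cl.text.split()[1] in https_classes and child(cl, "ssl-proxy server ") is None:
                findings.append(f"policy-map {n.text.split()[2]} class {cl.text.split()[1]}: "
                                "HTTPS VIP has no ssl-proxy server")
    return findings
```

Run `lint(SAMPLE_CONFIG)` against the posted config and it reports the rserver with no address, the export-grade and RC4/MD5 ciphers in `prd_SSL_Parmeter_Map`, and that `prd_SSLChainGroup` is defined but never attached to `prd_SSLProxy`; run it on `UPGRADED_CONFIG` and the HTTPS VIP shows up with no `ssl-proxy server`, which is the post-upgrade state the thread ends on. Catching that diff before re-enabling the VIP is cheaper than discovering it from a client-side TLS failure.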

333 Views, 3 Helpful, 7 Replies