
ACE30 - SSL chunked encoding truncated

aanelso1
Level 1

Found an issue with our ACE 30 modules when using SSL termination and SSL client initiation on TCP port 8443.

We have configured a VIP (class-map) for inbound traffic on port 8443.

We use two serverfarms in an active backup config in the load balancer policy.

Within that policy, we have SSL client initiation as the servers also have SSL configured on them on port 8443 (JBOSS).

The client created self-signed non-trusted certificates with the subject name for each server (which does not match the VIP host name - thus giving two nags to the clients which are actually servers - web services).

When the request is made, all seems to work well, with the exception that only 9000 bytes (of the 24,000+ bytes expected) are received by the client.

We can bypass the load balancer and go straight to the server and it works fine.

We have tried some parameter type ssl and http and have not found any combination that may get all the data back to the client.

Any and all help will be appreciated! Thanks.

Through ACE - With SSL Termination - SSL Client Initiation - 9000 bytes

upm-9000.JPG

Request directly to server returning 25742 bytes

upm-25742.JPG
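
A client-side check for the symptom described in this post, as an added example that is not part of the original thread: a decoder for a Transfer-Encoding: chunked body that reports whether the terminating zero-length chunk arrived. The function names and the sample XML are constructed for illustration.

```python
# Added example (not from the thread): detect a truncated chunked HTTP body.
HEX = b"0123456789abcdefABCDEF"

def encode_chunked(payload, chunk_size=4096):
    """Build a chunked body the way an origin server would (sample-data helper)."""
    out = bytearray()
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    return bytes(out + b"0\r\n\r\n")

def decode_chunked(body):
    """Return (payload, complete, reason); complete needs the final 0-chunk."""
    payload, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            return bytes(payload), False, "stream ended before a chunk-size line"
        field = body[pos:eol].split(b";", 1)[0].strip()  # ignore chunk extensions
        if not field or any(c not in HEX for c in field):
            return bytes(payload), False, "malformed chunk size"
        size, pos = int(field, 16), eol + 2
        if size == 0:
            # Skip optional trailer fields; an empty line ends the body.
            while True:
                eol = body.find(b"\r\n", pos)
                if eol == -1:
                    return bytes(payload), False, "trailer section cut off"
                if eol == pos:
                    return bytes(payload), True, "complete"
                pos = eol + 2
        data = body[pos:pos + size]
        payload += data
        if len(data) < size:
            return bytes(payload), False, f"chunk declared {size} bytes, got {len(data)}"
        if body[pos + size:pos + size + 2] != b"\r\n":
            return bytes(payload), False, "missing CRLF after chunk data"
        pos += size + 2

# Constructed sample: an XML response larger than 24,000 bytes.
SAMPLE_XML = b"<records>" + b"".join(b"<r id='%d'/>" % i for i in range(2000)) + b"</records>"

if __name__ == "__main__":
    full = encode_chunked(SAMPLE_XML)
    for label, wire in (("direct", full), ("cut at 9000 bytes", full[:9000])):
        payload, complete, reason = decode_chunked(wire)
        print(f"{label}: {len(payload)} payload bytes, complete={complete} ({reason})")
```

Run against a raw body captured through the VIP and one captured directly from the server, a complete=False result on only the VIP path points at the proxy rather than the application.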


Jorge Bejarano
Level 4

Hello,

Can you provide us with these outputs?

#show stats loadbalance

#show stats http

#show run parameter

Basically, when it passes through the ACE it shows the content partially, so I assume the page looks chopped, is that correct?

I forgot, can you include also #show version?

Jorge

Actually, the response is XML, so the close tags are in the truncated packets, thus the page gets an error rendering.

Here are the

BRTDCSCRTR2/INTRA-PROD# show stats loadbalance

+------------------------------------------+
+------- Loadbalance statistics -----------+
+------------------------------------------+
Total version mismatch                       : 5
Total Layer4 decisions                       : 133923
Total Layer4 rejections                      : 0
Total Layer7 decisions                       : 1082781
Total Layer7 rejections                      : 1388
Total Layer4 LB policy misses                : 0
Total Layer7 LB policy misses                : 0
Total times rserver was unavailable          : 0
Total ACL denied                             : 98
Total FT Invalid Id                          : 0
Total IDMap Lookup Failures                  : 0
Total Proxy misses                           : 0
Total Misc Errors                            : 0
Total L4 Close Before Process                : 0
Total L7 Close Before Parse                  : 0
Total Close Msg for Valid Real               : 294234
Total Close Msg for Non-Existing Real        : 33106
Total Cipher Lookup Failures                 : 0
Total Close Before Dest decision             : 1
Total Optimization Msg sent to Real Servers  : 0

BRTDCSCRTR2/INTRA-PROD# sho stats http

+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 212455     , TCP data msgs sent       : 1181482
Inspect parse result msgs : 0          , SSL data msgs sent       : 60348
                      sent
TCP fin msgs sent         : 3342       , TCP rst msgs sent:       : 4405
Bounced fin msgs sent     : 179        , Bounced rst msgs sent:   : 2
SSL fin msgs sent         : 1555       , SSL rst msgs sent:       : 51
Drain msgs sent           : 36117      , Particles read           : 3346502
Reuse msgs sent           : 0          , HTTP requests            : 212583
Reproxied requests        : 174319     , Headers removed          : 0
Headers inserted          : 0          , HTTP redirects           : 317
HTTP chunks               : 37754      , Pipelined requests       : 128
HTTP unproxy conns        : 207028     , Pipeline flushes         : 0
Whitespace appends        : 0          , Second pass parsing      : 0
Response entries recycled : 128        , Analysis errors          : 0
Header insert errors      : 0          , Max parselen errors      : 5
Static parse errors       : 2          , Resource errors          : 0
Invalid path errors       : 0          , Bad HTTP version errors  : 0
Headers rewritten         : 3330       , Header rewrite errors    : 0
SSL headers inserted      : 0          , SSL header insert errors : 0
SSL spoof headers deleted : 0         , Unproxy msgs sent         : 207028
HTTP passthrough stat     : 0

parameter-map type http CASEIN-PERSREBAL-LENEXCDCONT
  case-insensitive
  persistence-rebalance
  length-exceed continue
parameter-map type http PARAMAP_CASE-INSENSTIVE
  case-insensitive
  persistence-rebalance
parameter-map type http SHAREPOINT
  case-insensitive
  persistence-rebalance
  header modify per-request
  set header-maxparse-length 8196
  length-exceed continue
parameter-map type http SHAREPOINT-LONG
  case-insensitive
  persistence-rebalance
  header modify per-request
  set header-maxparse-length 10100
  length-exceed continue
parameter-map type connection TCP-IDLE
  set timeout inactivity 14400
parameter-map type connection TCP_PARAM
  tcp-options selective-ack allow
  tcp-options window-scale allow
  syn-data drop
  exceed-mss allow
parameter-map type ssl UPM
  close-protocol disabled
  rehandshake enabled

BRTDCSCRTR2/INTRA-PROD# sho version
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2012 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.

Software
  loader:    Version 12.2[125]
  system:    Version A5(1.2) [build 3.0(0)A5(1.2) adbuild_10:31:20-2012/01/17_/a
uto/adbure_nightly4/renumber/rel_a5_1_2_throttle/REL_3_0_0_A5_1_2]
  system image file: [LCP] disk0:c6ace-t1k9-mz.A5_1_2.bin
  installed license: ACE30-MOD-UPG1

Hardware
  Cisco ACE (slot: 4)
  cpu info:
    number of cpu(s): 2
    cpu type: SiByte
    cpu: 0, model: SiByte SB1 V0.2, speed: 700 MHz
    cpu: 1, model: SiByte SB1 V0.2, speed: 11.31(BogoMIPS)
  memory info:
    total: 2046920 kB, free: 1129480 kB
    shared: 0 kB, buffers: 5752 kB, cached 0 kB
  cf info:
    filesystem: /dev/cf
    total: 4125248 kB, used: 1037696 kB, available: 3087552 kB

last boot reason:  reload command by admin
configuration register:  0x1
BRTDCSCRTR2 kernel uptime is 46 days 20 hours 12 minute(s) 43 second(s)

What is the parameter-map type http that you are using for the configuration?

Jorge

joseph.bernard
Level 1

We are having the exact same issue.  Have you figured out a cause?

joseph.bernard
Level 1

This is bug CSCtx92484.
