Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Cisco Employee

ACE4710 : Unable to perform end to end SSL

Hi

I have to load balance traffic between 2 servers sitting behind the LB. The webservices are on HTTPS/8443.

I followed the end to end configuration guide for SSL. No success.

Here is my configuration -

rserver host nms1

  ip address 10.29.36.31

  conn-limit max 4000000 min 4000000

  probe nms-tcp-8443

  inservice

serverfarm host nms-farm

  probe nms-http-probe

  rserver nms1 8443

    conn-limit max 4000000 min 4000000

    inservice

class-map type http loadbalance match-any SSL

  2 match http url .*

class-map match-any SSL_C1

  2 match virtual-address 10.29.36.42 tcp eq 8443

  3 match virtual-address 10.29.36.42 tcp any

policy-map type loadbalance first-match SSL_BACK

  class SSL

    serverfarm nms-farm

  class class-default

    serverfarm nms-farm

    ssl-proxy client SSL_CLIENT

policy-map multi-match L7_1

  class SSL_C1

    loadbalance vip inservice

    loadbalance policy SSL_BACK

    loadbalance vip icmp-reply

    ssl-proxy server SSL_SERVER

seadmz-ace-c11/Admin# show service-policy

Policy-map : L7_1

Status     : ACTIVE

-----------------------------------------

Interface: vlan 1 1000

  service-policy: L7_1

    class: SSL_C1

      ssl-proxy server: SSL_SERVER

      loadbalance:

        L7 loadbalance policy: SSL_BACK

        Regex dnld status    : SUCCESSFUL

        VIP ICMP Reply       : ENABLED

        VIP State: INSERVICE

        VIP DWS state: DWS_DISABLED

        Persistence Rebalance: ENABLED

        curr conns       : 0         , hit count        : 87       

        dropped conns    : 83       

        client pkt count : 507       , client byte count: 56753              

        server pkt count : 0         , server byte count: 0                  

        conn-rate-limit      : 0         , drop-count : 0        

        bandwidth-rate-limit : 0         , drop-count : 0        

      compression:

        bytes_in  : 0                          bytes_out : 0                  

        Compression ratio : 0.00%

                Gzip: 0               Deflate: 0        

      compression errors:

        User-Agent  : 0               Accept-Encoding    : 0        

        Content size: 0               Content type       : 0        

        Not HTTP 1.1: 0               HTTP response error: 0        

        Others      : 0        

So essentially, I am doing the following - VIP is 10.29.36.42 and rserver is 10.29.36.31

Need help with debugging this issue !

thanks

Nikhil

  • Application Networking
3 REPLIES
Cisco Employee

Re: ACE4710 : Unable to perform end to end SSL

Hi Nikhil,

The problem with your config is here:

class-map type http loadbalance match-any SSL

  2 match http url .*

class-map match-any SSL_C1

  2 match virtual-address 10.29.36.42 tcp eq 8443

  3 match virtual-address 10.29.36.42 tcp any

policy-map type loadbalance first-match SSL_BACK

  class SSL

    serverfarm nms-farm

  class class-default

    serverfarm nms-farm

    ssl-proxy client SSL_CLIENT

Basically, you are matching all connections with the SSL class, and this one is not configured for SSL initiation. It should work if you remove this class and leave only the class-default entry.

Anyway, according to your configuration, you are not doing any L7 processing of the traffic. Unless you are planning to do L7, just forget about the end-to-end SSL and just do L4 load-balancing of the traffic.

I hope this helps

Daniel

Message was edited by: Daniel Arrondo Ostiz

Cisco Employee

Re: ACE4710 : Unable to perform end to end SSL

Thanks for this Daniel. I am first trying to get a barebones end to end SSL working. Will then try to apply L7 policies.

I could get the regular L3/4 LB working .

BUT, the end to end SSL is not working even after fixing what you suggested. I was wondering if you could let me know how to debug SSL on the ACE !

thanks

nikhil

Cisco Employee

Re: ACE4710 : Unable to perform end to end SSL

Hi Nikhil,

First of all, start with the divide and conquer approach to check which of the parts of the configuration is failing. Try the following scenarios:

  • HTTP L7 load-balancing
  • SSL termination
  • SSL initiation

Once you know which part of the config is failing, you can troubleshoot that one in more detail.

Most likely you are facing an issue with the certificates, so, I would suggest the commands below:

  • "crypto verify " to confirm that the server certificate and key (for the ssl termination part) match
  • "show crypto certificate all" to see the details of the imported certificates

Just as a reminder, for the termination part, the certificate to be imported needs to be the one from the server, while for the initiation part it will be the one of the CA

Regards

Daniel

446
Views
0
Helpful
3
Replies
This widget could not be displayed.