Cisco Support Community

New Member

Config Assistance

The avdirecto HTTP works great. The SSL termination gives TCP resets. They are both pointing to the same real server. The plan is to have everything south of the ACE in clear. See attached config. I would greatly appreciate someone sanity checking the config. Is there an issue where the return traffic doesn't match the SSL policy and gets dropped due to lack of state?

1 ACCEPTED SOLUTION

Bronze

Config Assistance

You have 2 things to fix ->

1.) Once the traffic is decrypted, it goes to the server. The TCP port number it uses should be whatever your server is listening on for HTTP. I would assume port 80. However, in your serverfarm that links to the SSL configuration, you have no port number. That means ACE looks at the class map for the port number to utilize, which is port 443. It isn't common for a server to listen for HTTP traffic on port 443. Modify the serverfarm like this:

serverfarm host AVDirecto
  description AV Directo Server Farm
  probe icmp-probe
  rserver avdirecto01 80 <- Add the port here.
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
  rserver avdirecto02 80 <- Add the port here.
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice

parameter-map type ssl AVWildcard_PM
  cipher RSA_WITH_AES_128_CBC_SHA

ssl-proxy service AVWildcard_PS
  key AV_Wildcard_Key.p12
  cert AV_Wildcard_Key.p12
  ssl advanced-options AVWildcard_PM

Keep in mind, you need to remove the rserver, then add it back in with the port.

The second issue is the cipher list. You don't need a cipher list, and by specifying a single cipher, you are limiting the client to use only 1. Although most clients support 128-bit CBC SHA encryption, some don't, and it might be part of the failure. With no cipher list, ACE defaults to using all ciphers possible (it uses the highest supported between the client and itself).

ssl-proxy service AVWildcard_PS
  key AV_Wildcard_Key.p12
  cert AV_Wildcard_Key.p12
  ssl advanced-options AVWildcard_PM <- remove this

parameter-map type ssl AVWildcard_PM <- then remove this.
  cipher RSA_WITH_AES_128_CBC_SHA

That should be it!

Chris
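The two problems Chris describes (a port-less rserver inheriting the SSL VIP's port 443, and a parameter-map pinned to one cipher) are both visible in the text of the config, so they can be caught before a change window. The following Python linter is an added example, not Cisco ACE code and not the config attached to the question: it parses an ACE-style CLI snippet by indentation, reports both conditions, and emits the "remove the rserver, then add it back with the port" CLI that the reply calls for. It assumes the standard two-space ACE layout, assumes the servers listen on port 80 (as the reply does), and assumes `no rserver NAME` / `no parameter-map type ssl NAME` as the removal syntax; the sample config is constructed for the example.

```python
"""Lint an ACE config snippet for the two misconfigurations discussed above.

Added example, not Cisco ACE code and not the poster's attached config. Assumes
the standard ACE CLI layout: top-level commands at column 0, sub-commands
indented two spaces per level.
"""
import re

# Constructed sample: the "before" state the thread describes. avdirecto01 has no
# port (so decrypted traffic is sent to the class-map port, 443) and the SSL
# parameter-map pins a single cipher.
SAMPLE_CONFIG = """\
parameter-map type ssl AVWildcard_PM
  cipher RSA_WITH_AES_128_CBC_SHA
ssl-proxy service AVWildcard_PS
  key AV_Wildcard_Key.p12
  cert AV_Wildcard_Key.p12
  ssl advanced-options AVWildcard_PM
serverfarm host AVDirecto
  description AV Directo Server Farm
  probe icmp-probe
  rserver avdirecto01
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
  rserver avdirecto02 80
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
"""


class Node:
    """One CLI line plus the lines indented beneath it."""

    def __init__(self, text, indent):
        self.text, self.indent, self.children = text, indent, []


def parse_config(text):
    """Indentation-structured CLI text -> tree; root.children are top-level blocks."""
    root, stack = Node("", -1), []
    stack.append(root)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or comment
        indent = len(raw) - len(raw.lstrip(" "))
        node = Node(raw.strip(), indent)
        while stack[-1].indent >= indent:  # climb back up to this line's parent
            stack.pop()
        stack[-1].children.append(node)
        stack.append(node)
    return root


def _port_missing(parts):
    """True for an 'rserver NAME' line with no numeric port after the name."""
    return parts[0] == "rserver" and (len(parts) < 3 or not parts[2].isdigit())


def rservers_without_port(root):
    """(serverfarm, rserver) pairs whose rserver line carries no port. Without it
    the ACE forwards to whatever port the class-map matched (443 on an SSL VIP)."""
    found = []
    for block in root.children:
        m = re.match(r"serverfarm host (\S+)", block.text)
        if m:
            found += [(m.group(1), c.text.split()[1])
                      for c in block.children if _port_missing(c.text.split())]
    return found


def single_cipher_maps(root):
    """(parameter-map, cipher, [ssl-proxy services using it]) for each SSL
    parameter-map that restricts the ACE to exactly one cipher."""
    users = {}  # parameter-map name -> ssl-proxy services referencing it
    for block in root.children:
        m = re.match(r"ssl-proxy service (\S+)", block.text)
        if m:
            for c in block.children:
                if c.text.startswith("ssl advanced-options "):
                    users.setdefault(c.text.split()[2], []).append(m.group(1))
    found = []
    for block in root.children:
        m = re.match(r"parameter-map type ssl (\S+)", block.text)
        if not m:
            continue
        ciphers = [c.text.split()[1] for c in block.children if c.text.startswith("cipher ")]
        if len(ciphers) == 1:
            found.append((m.group(1), ciphers[0], users.get(m.group(1), [])))
    return found


def remediation(root, port=80):
    """CLI applying the thread's fix: re-add each port-less rserver with a port
    (assumed 80) and its sub-commands, then detach and drop single-cipher maps.
    The 'no ...' forms are assumed ACE syntax, not taken from the thread."""
    lines = []
    for block in root.children:
        if not block.text.startswith("serverfarm host "):
            continue
        fixes = []
        for c in block.children:
            parts = c.text.split()
            if _port_missing(parts):
                fixes += [f"  no rserver {parts[1]}", f"  rserver {parts[1]} {port}"]
                fixes += [f"    {sub.text}" for sub in c.children]
        if fixes:
            lines += [block.text] + fixes
    for name, _cipher, services in single_cipher_maps(root):
        for svc in services:
            lines += [f"ssl-proxy service {svc}", f"  no ssl advanced-options {name}"]
        lines.append(f"no parameter-map type ssl {name}")
    return lines


if __name__ == "__main__":
    tree = parse_config(SAMPLE_CONFIG)
    print("port-less rservers:", rservers_without_port(tree))
    print("single-cipher maps:", single_cipher_maps(tree))
    print("\n".join(remediation(tree)))
```

Run it against `show running-config` output saved to a file instead of `SAMPLE_CONFIG` to check a whole ACE context; the remediation output is meant to be reviewed, not pasted blindly, since it re-adds only the sub-commands present under each rserver.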

3 REPLIES

New Member

Config Assistance

Awesome! I'm going to try it in a few minutes. I'll let you know the outcome and rate it.

New Member

Config Assistance

Works like a champ! Thank you sir! I owe you a beer!
