Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1108
Views
0
Helpful
3
Replies

Config Assistance

Go to solution
z08mjk2374
Level 1
Level 1

‎08-13-2013 08:58 AM

The avdirecto http works great. The SSL termination gives tcp resets. They are both pointing the same real server. The plan is to have everything South of the ACE in clear. See attached config. I would greatly appreciate someone sanity checking the config. Is there an issue where the return traffic doesn't match the SSL policy and gets dropped due to lack of state?

Labels:
15365681-ace4710.txt.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
chrhiggi
Level 3
Level 3

‎08-13-2013 12:30 PM

You have 2 things to fix ->

1.) Once the traffic is decrypted, it goes to the server.  The TCP port number it uses should be whatever your server is listening for on http.  I would assume port 80.  However, in your serverfarm that links to the SSL configuration, you have no port number. That means ACE looks at the class map for the port number to utilize, which is port 443.  It isnt common for a server to listen for HTTP traffic on port 443.  Modify the serverfarm like this :

serverfarm host AVDirecto

  description AV Directo Server Farm

  probe icmp-probe

  rserver avdirecto01 80 <- Add the port here.

    conn-limit max 4000000 min 4000000

    probe icmp-probe

    inservice

  rserver avdirecto02 80 <- Add the port here.

    conn-limit max 4000000 min 4000000

    probe icmp-probe

    inservice

parameter-map type ssl AVWildcard_PM

  cipher RSA_WITH_AES_128_CBC_SHA

ssl-proxy service AVWildcard_PS

  key AV_Wildcard_Key.p12

  cert AV_Wildcard_Key.p12

  ssl advanced-options AVWildcard_PM

serverfarm host AVDirecto
  description AV Directo Server Farm
  probe icmp-probe
  rserver avdirecto01 80 <- Add the port here.
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
  rserver avdirecto02 80 <- Add the port here.
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice

Keep in mind, you need to remove the rserver, then add it back in with the port.

The second issue is the cipher list.  You don't need a cipher list, and by specifying a single cipher, you are limiting the client to use only 1. Although most clients support 128 bit CBC SHA encryption, some don't, and it might be part of the failure. With no cipher list, ace defaults to using all ciphers possible. (uses the highest supported between the client and itself)

ssl-proxy service AVWildcard_PS
  key AV_Wildcard_Key.p12
  cert AV_Wildcard_Key.p12
  ssl advanced-options AVWildcard_PM <- remove this

parameter-map type ssl AVWildcard_PM <- then remove this.
  cipher RSA_WITH_AES_128_CBC_SHA

That should be it!

Chris

View solution in original post

0 Helpful
3 Replies 3

Go to solution
chrhiggi
Level 3
Level 3

‎08-13-2013 12:30 PM

You have 2 things to fix ->

1.) Once the traffic is decrypted, it goes to the server.  The TCP port number it uses should be whatever your server is listening for on http.  I would assume port 80.  However, in your serverfarm that links to the SSL configuration, you have no port number. That means ACE looks at the class map for the port number to utilize, which is port 443.  It isnt common for a server to listen for HTTP traffic on port 443.  Modify the serverfarm like this :

serverfarm host AVDirecto

  description AV Directo Server Farm

  probe icmp-probe

  rserver avdirecto01 80 <- Add the port here.

    conn-limit max 4000000 min 4000000

    probe icmp-probe

    inservice

  rserver avdirecto02 80 <- Add the port here.

    conn-limit max 4000000 min 4000000

    probe icmp-probe

    inservice

parameter-map type ssl AVWildcard_PM

  cipher RSA_WITH_AES_128_CBC_SHA

ssl-proxy service AVWildcard_PS

  key AV_Wildcard_Key.p12

  cert AV_Wildcard_Key.p12

  ssl advanced-options AVWildcard_PM

serverfarm host AVDirecto
  description AV Directo Server Farm
  probe icmp-probe
  rserver avdirecto01 80 <- Add the port here.
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
  rserver avdirecto02 80 <- Add the port here.
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice

Keep in mind, you need to remove the rserver, then add it back in with the port.

The second issue is the cipher list.  You don't need a cipher list, and by specifying a single cipher, you are limiting the client to use only 1. Although most clients support 128 bit CBC SHA encryption, some don't, and it might be part of the failure. With no cipher list, ace defaults to using all ciphers possible. (uses the highest supported between the client and itself)

ssl-proxy service AVWildcard_PS
  key AV_Wildcard_Key.p12
  cert AV_Wildcard_Key.p12
  ssl advanced-options AVWildcard_PM <- remove this

parameter-map type ssl AVWildcard_PM <- then remove this.
  cipher RSA_WITH_AES_128_CBC_SHA

That should be it!

Chris

0 Helpful

Go to solution
z08mjk2374
Level 1
Level 1
In response to chrhiggi

‎08-13-2013 01:04 PM

Awesome! I'm going to try it in a few minutes. I'll let you know the outcome and rate it.

0 Helpful

Go to solution
z08mjk2374
Level 1
Level 1
In response to chrhiggi

‎08-13-2013 01:48 PM

Works like a champ! Thank you sir! I owe you a beer!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents