Cisco Support Community
New Member

How to tell if SSL is being terminated on the ACE

Hi,

We've inherited a pair of ACE30 modules running A5(2.1) that have a config that appears to be terminating SSL; however, there's no ssl-proxy statement in the class statement under the multi-match policy. The servers in the corresponding serverfarm are listening on port 8080, which is not a secure port, so it looks like the ACE should be terminating the SSL and passing these connections on the clear text port.

However, we have no documentation for this app, nor the folks who had written it. Is there a way to definitively determine if the ACE is terminating the SSL or the back-end servers do?

Thanks.

Accepted Solutions
Cisco Employee

Hi,

From the configuration you should be able to find out if the ACE is configured for SSL termination or not. You should see an ssl-proxy server <name> statement under policy multi-match. If not, then the ACE is not doing SSL termination. An ssl-proxy client <name> statement under the L7 policy map would indicate that the ACE is configured for SSL initiation. Both would show that the ACE is configured for End-to-End SSL.

You can also check "show stats crypto server/client" to see the statistics. A quick packet capture on the server would also show whether the traffic passed to it by the ACE is decrypted or encrypted, or you can take a pcap on the ACE itself to see that.

Let me know if you have any questions.

Regards,

Kanwal

Note: Please mark answers if they are helpful.
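
The configuration check described in the accepted answer, as an added example that is not part of the original thread and not Cisco tooling: it reads running-config text and reports, for each class under a multi-match policy, whether an ssl-proxy server statement is attached and whether the linked L7 policy carries ssl-proxy client. The sample config and every object name in it are constructed, and the function name is hypothetical.

```python
import re

# Constructed sample in ACE running-config style; all names are made up.
SAMPLE_CONFIG = """\
policy-map type loadbalance first-match LB-APP1
  class class-default
    serverfarm SF-APP1
policy-map type loadbalance first-match LB-APP2
  class class-default
    serverfarm SF-APP2
    ssl-proxy client PS-BACKEND
policy-map multi-match CLIENT-VIPS
  class VIP-APP1
    loadbalance policy LB-APP1
    ssl-proxy server PS-FRONTEND
  class VIP-APP2
    loadbalance policy LB-APP2
    ssl-proxy server PS-FRONTEND
  class VIP-APP3
    loadbalance policy LB-APP1
"""

HEADER = re.compile(r"policy-map\s+(multi-match|type\s+loadbalance\s+\S+)\s+(\S+)")
ROLES = {(True, False): "termination", (False, True): "initiation",
         (True, True): "end-to-end", (False, False): "none"}

def ssl_mode_per_vip(config):
    """Return {(multi-match policy, class): SSL role the ACE config gives it}."""
    l7_with_client = set()  # L7 policies that contain 'ssl-proxy client'
    vips = {}               # (policy, class) -> {"server": bool, "l7": name}
    policy = kind = cls = None
    for raw in filter(str.strip, config.splitlines()):  # skip blank lines
        line = raw.strip()
        if not raw[0].isspace():  # a top-level line opens or closes a block
            m = HEADER.match(line)
            kind = None if not m else "mm" if m.group(1) == "multi-match" else "l7"
            policy, cls = (m.group(2) if m else None), None
        elif kind and (m := re.match(r"class\s+(\S+)", line)):
            cls = m.group(1)
            if kind == "mm":
                vips[(policy, cls)] = {"server": False, "l7": None}
        elif kind == "l7" and line.startswith("ssl-proxy client "):
            l7_with_client.add(policy)
        elif kind == "mm" and cls and line.startswith("ssl-proxy server "):
            vips[(policy, cls)]["server"] = True
        elif kind == "mm" and cls and (m := re.match(r"loadbalance\s+policy\s+(\S+)", line)):
            vips[(policy, cls)]["l7"] = m.group(1)
    return {k: ROLES[(v["server"], v["l7"] in l7_with_client)]
            for k, v in vips.items()}
```

A result of "none" only says that the configuration attaches no SSL proxy to that class; the crypto statistics or a packet capture mentioned in the answer show what is actually on the wire.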
