10-11-2010 03:44 PM
Guys
I'm wondering if you can help. I have two ACE 4710s configured in FT with 3 contexts, running bridged mode. Everything is working fine, however I can't seem to get SSL working in SSL proxy/termination mode.
When I do a show stats crypto server, I can see that the client has attempted to connect, but there is an SSL/TLS handshake failure; further down the screen it tells me there have been numerous SSL alert INTERNAL_ERRORs.
If I look at the service-policy I get N number of hits, and N number of dropped connections. I've no idea where this is going wrong.
At the moment the config on the context is dirt simple, so clearly I'm missing something:
serverfarm host CUSTxxx-vFARM
  predictor response app-request-to-resp samples 4
  probe CUSTxx-HTTP-PROBE
  rserver SCEXTWB01 80
    inservice
  rserver SCEXTWB02 0
    inservice
  exit
sticky http-cookie SessionID CUSTxxx-vFARM-STICKY
  cookie insert browser-expire
  timeout 1800
  replicate sticky
  serverfarm CUSTxxx-vFARM
  exit
rserver redirect REDIRECT-TO-HTTPS
  webhost-redirection https://%h%p 301
  inservice
action-list type modify http CUSTxxx-HTTPS-REWRITE
  ssl url rewrite location ???? sslport 443 clearport 80
ssl-proxy service CUSTxxx-SSL-SERVICE
  key CUSTxxx-key.pem
  cert CUSTxxx-cert.pem
serverfarm redirect REDIRECT-vFARM
  rserver REDIRECT-TO-HTTPS
    inservice
class-map match-all CUSTxxx-HTTP
  2 match virtual-address ???? tcp eq 80
  exit
class-map match-all CUSTxxx-HTTPS
  2 match virtual-address ???? tcp eq 443
  exit
policy-map type loadbalance http first-match CUSTxxx-HTTPS-POLICY
  class class-default
    action CUSTxxx-HTTPS-REWRITE
    sticky-serverfarm CUSTxxx-vFARM-STICKY
policy-map type loadbalance first-match REDIRECT-TO-HTTPS-POLICY
  class class-default
    serverfarm REDIRECT-vFARM
policy-map multi-match VIP-POLICY
  class CUSTxxx-HTTP
    loadbalance vip inservice
    loadbalance policy REDIRECT-TO-HTTPS-POLICY
  class CUSTxxx-HTTPS
    loadbalance vip inservice
    loadbalance policy CUSTxxx-HTTPS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server CUSTxxx-SSL-SERVICE
    advanced-options tcp-parameter-map
    appl-parameter http advanced-options http-parameter-map
  exit
10-11-2010 03:56 PM
Hi,
The configuration looks in good shape; the only thing that seems to be misconfigured is the PAT for rserver SCEXTWB02. Perhaps you hit the VIP and got stuck to this server, so any subsequent request will fail, as port 0 is not your clear-text TCP port.
serverfarm host CUSTxxx-vFARM
  predictor response app-request-to-resp samples 4
  probe CUSTxx-HTTP-PROBE
  rserver SCEXTWB01 80
    inservice
  rserver SCEXTWB02 0
    inservice
  exit
Once you've changed the port, clear the browser cache and try to connect again. If still no luck, paste the output of show service-policy VIP-POLICY and show serverfarm CUSTxxx-vFARM detail.
HTH
Pablo
10-12-2010 02:15 AM
Hi
As requested. If I run this up in Firefox I get the following error:
Peer reports it experienced an internal error.
(Error code: ssl_error_internal_error_alert)
I can see from a show stats crypto server that the client is trying to connect using TLS, and the cipher count does increase, however nothing works. If I set an SSL parameter-map to nail this to SSL, I get a message about no common agreeable ciphers.
Context Global Policy:
  service-policy: VIP-POLICY
    class: CUST01-HTTP
      loadbalance:
        L7 loadbalance policy: CUST01-HTTP-POLICY
        Regex dnld status    : QUEUED
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        Persistence Rebalance: ENABLED
        curr conns       : 0        , hit count         : 11
        dropped conns    : 0
        client pkt count : 1054     , client byte count : 54164
        server pkt count : 1405     , server byte count : 1940545
        conn-rate-limit      : -    , drop-count : -
        bandwidth-rate-limit : -    , drop-count : -
      compression:
        bytes_in  : 0         bytes_out : 0
        Compression ratio : 0.00%
        Gzip: 0     Deflate: 0
      compression errors:
        User-Agent   : 0      Accept-Encoding     : 0
        Content size : 0      Content type        : 0
        Not HTTP 1.1 : 0      HTTP response error : 0
        Others       : 0
      Parameter-map(s):
        http-parameter-map
        tcp-parameter-map
    class: CUST01-HTTPS
      ssl-proxy server: CUST01-HTTPS-SERVICE
      loadbalance:
        L7 loadbalance policy: CUST01-HTTPS-POLICY
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        Persistence Rebalance: ENABLED
        curr conns       : 0        , hit count         : 107
        dropped conns    : 2
        client pkt count : 427      , client byte count : 29603
        server pkt count : 3        , server byte count : 629
        conn-rate-limit      : -    , drop-count : -
        bandwidth-rate-limit : -    , drop-count : -
      compression:
        bytes_in  : 0         bytes_out : 0
        Compression ratio : 0.00%
        Gzip: 0     Deflate: 0
      compression errors:
        User-Agent   : 0      Accept-Encoding     : 0
        Content size : 0      Content type        : 0
        Not HTTP 1.1 : 0      HTTP response error : 0
        Others       : 0
      Parameter-map(s):
        http-parameter-map
        tcp-parameter-map

---------------------------------
                                                 ----------connections-----------
   real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: SCEXTWB01
       10.20.30.1:80         8      OPERATIONAL  0          6          0
         description : -
         max-conns            : -  , out-of-rotation count : -
         min-conns            : -
         conn-rate-limit      : -  , out-of-rotation count : -
         bandwidth-rate-limit : -  , out-of-rotation count : -
         retcode out-of-rotation count : -
         average response time (usecs) : 0
   rserver: SCEXTWB02
       10.20.30.2:80         8      OPERATIONAL  0          4          0
         description : -
         max-conns            : -  , out-of-rotation count : -
         min-conns            : -
         conn-rate-limit      : -  , out-of-rotation count : -
         bandwidth-rate-limit : -  , out-of-rotation count : -
         retcode out-of-rotation count : -
         average response time (usecs) : 0
10-12-2010 04:50 AM
Do you have SSL resource allocated for the context?
Did you verify the key and cert match? (crypto verify ....)
Do you have a sniffer trace showing the problem?
Gilles.
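The second and third checks above can be rehearsed off-box before touching the ACE. The script below is an added example, not something posted in this thread or shipped by Cisco: keys_match does with OpenSSL what the ACE crypto verify command does (confirm that a private key and a certificate belong together), and probe_vip performs a single TLS handshake against a VIP so you can see the alert the client receives, which is the same failure show stats crypto server counts. The file names, host names and the throwaway self-signed test material are assumptions constructed for illustration; substitute your CUSTxxx-key.pem / CUSTxxx-cert.pem and VIP address.

```shell
#!/bin/sh
# Added example (not from the thread, not Cisco code): offline key/cert match
# check and a one-shot TLS handshake probe. File names, host names and the
# generated test material are assumptions for illustration.
set -e

# keys_match KEYFILE CERTFILE
# Succeeds only if the public key embedded in CERTFILE equals the public key
# derived from KEYFILE. Comparing the two SubjectPublicKeyInfo PEM blobs works
# for RSA and EC keys alike and fails closed when either file is unreadable.
keys_match() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# make_selfsigned PREFIX CN
# Generates a throwaway RSA key PREFIX-key.pem and a self-signed certificate
# PREFIX-cert.pem (constructed test material, not a customer's real files).
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1-key.pem" -out "$1-cert.pem" >/dev/null 2>&1
}

# probe_vip HOST PORT
# Opens one TLS handshake against a VIP. Returns 0 when the handshake
# completes (whatever the chain verification says) and 1 when the peer
# aborts it, printing any alert line OpenSSL reports (e.g. "internal error").
# Needs network access, so it is not run by default.
probe_vip() {
  if out=$(printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>&1) \
     && printf '%s\n' "$out" | grep -q 'Verify return code'; then
    echo "handshake ok: $1:$2"
    return 0
  fi
  echo "handshake failed: $1:$2"
  printf '%s\n' "$out" | grep -i 'alert' || true
  return 1
}

# demo: one matching pair and one mismatched pair, cleaned up afterwards.
demo() {
  work=$(mktemp -d)
  make_selfsigned "$work/a" vip-a.example.test
  make_selfsigned "$work/b" vip-b.example.test
  keys_match "$work/a-key.pem" "$work/a-cert.pem" && echo "a-key.pem / a-cert.pem: match"
  keys_match "$work/b-key.pem" "$work/a-cert.pem" || echo "b-key.pem / a-cert.pem: MISMATCH"
  rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as sh check.sh demo to see a matching and a mismatched pair; to check the real files, call keys_match CUSTxxx-key.pem CUSTxxx-cert.pem before importing them with crypto import. A mismatch shows up on the ACE as exactly the symptom in the first post (handshake failure, internal_error alert to the client), so it is worth ruling out before looking at resource allocation or taking a sniffer trace.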
10-12-2010 05:08 AM
Gilles,
That got it, it was the resource class. However, what is confusing me is the resource class is defined for 20% of all the box's capabilities. I even created a separate resource allocation for SSL and it didn't work. If I remove the member allocation it works a treat.
How can I keep my resource allocations in place to protect the other contexts and still have SSL?
10-12-2010 08:54 AM
Weird, because you always need to be a member of some resource class.
Could you get a 'show resource usage' and 'show resource allocation'.
Thanks,
Gilles.