Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

SSL/TLS Handshake Failure with SSL Termination

Guys

Im wondering if you can help, I have two ACE 4710 configured in FT with 3 contexts, running bridged mode. Everything is working fine, however I cant seem to get SSL working in ssl proxy/termination mode.

When i do a show stats crypto server, I can see that the client has attempted to connect, but there is an SSL/TLS handshake failure, further down the screen it tells me there have been numerous SSL alert INTERNAL_ERRORs.

If i look at the service-policy I get N number of hits, and N number of dropped connections.  Ive no idea where this is going wrong.

At the moment the config on the context is dirt simple, so clearly im missing something

serverfarm host CUSTxxx-vFARM
  predictor reponse app-request-to-resp samples 4
  probe CUSTxx-HTTP-PROBE
   rserver SCEXTWB01 80
    inservice
  rserver SCEXTWB02 0
    inservice
exit


sticky http-cookie SessionID CUSTxxx-vFARM-STICKY
  cookie insert browser-expire
  timeout 1800
  replicate sticky
  serverfarm CUSTxxx-vFARM
exit


rserver redirect REDIRECT-TO-HTTPS
  webhost-redirection https://%h%p 301
inservice

action-list type modify http CUSTxxx-HTTPS-REWRITE
  ssl url rewrite location ???? sslport 443 clearport 80

ssl-proxy service CUSTxxx-SSL-SERVICE
  key CUSTxxx-key.pem
  cert CUSTxxx-cert.pem


serverfarm redirect REDIRECT-vFARM
  rserver REDIRECT-TO-HTTPS
inservice

class-map match-all CUSTxxx-HTTP
  2 match virtual-address ???? tcp eq 80
exit

class-map match-all CUSTxxx-HTTPS
  2 match virtual-address ???? tcp eq 443
exit

policy-map type loadbalance http first-match CUSTxxx-HTTPS-POLICY
  class class-default
  action CUSTxxx-HTTPS-REWRITE
  sticky-serverfarm CUSTxxx-vFARM-STICKY

policy-map type loadbalance first-match REDIRECT-TO-HTTPS-POLICY
  class class-default
    serverfarm REDIRECT-vFARM

policy-map multi-match VIP-POLICY
  class CUSTxxx-HTTP
    loadbalance vip inservice
    loadbalance policy REDIRECT-TO-HTTPS-POLICY

class CUSTxxx-HTTPS
    loadbalance vip inservice
    loadbalance policy CUSTxxx-HTTPS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server CUSTxxx-SSL-SERVICE
    advanced-options tcp-parameter-map
    appl-parameter http advanced-options http-parameter-map
exit

Everyone's tags (5)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: SSL/TLS Handshake Failure with SSL Termination

Do you have ssl resource allocated for the context ?

Did you verify key and cert match ? (crypto verify ....)

Do you have a sniffer trace showing the problem ?

Gilles.

5 REPLIES
Cisco Employee

Re: SSL/TLS Handshake Failure with SSL Termination

Hi,

The configuration looks in good shap, the only thing that seems to be misconfigured is the PAT for rserver SCEXTWB02, perhaps you hit the VIP and got a stuck to this server so any subsequent request will fail as port 0 is not your clear text TCP port

serverfarm host CUSTxxx-vFARM
  predictor reponse app-request-to-resp samples 4
  probe CUSTxx-HTTP-PROBE
   rserver SCEXTWB01 80
    inservice
  rserver SCEXTWB02 0
    inservice
exit

Once you've changed the port, clear the browser cache and try to connect again, if still no luck, paste the output of show service-policy VIP-POLICY and show serverfarm CUSTxxx-vFARM detail

HTH

__ __

Pablo

New Member

Re: SSL/TLS Handshake Failure with SSL Termination

Hi

As requested.  If I run this up in firefox i get the following error.

Peer reports it experienced an internal error.

(Error code: ssl_error_internal_error_alert)

I can see from a show stats crypto server, that the client is trying to connect using TLS, and the cipher count does increase, however nothing works.  If i set an SSL parameter-map to nail this to SSL, i get a message about no common agreeable ciphers.

Context Global Policy:
  service-policy: VIP-POLICY
    class: CUST01-HTTP
      loadbalance:
        L7 loadbalance policy: CUST01-HTTP-POLICY
        Regex dnld status    : QUEUED
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        Persistence Rebalance: ENABLED
        curr conns       : 0         , hit count        : 11
        dropped conns    : 0
        client pkt count : 1054      , client byte count: 54164
        server pkt count : 1405      , server byte count: 1940545
        conn-rate-limit      : -         , drop-count : -
        bandwidth-rate-limit : -         , drop-count : -
      compression:
        bytes_in  : 0                          bytes_out : 0
        Compression ratio : 0.00%
                Gzip: 0               Deflate: 0
      compression errors:
        User-Agent  : 0               Accept-Encoding    : 0
        Content size: 0               Content type       : 0
        Not HTTP 1.1: 0               HTTP response error: 0
        Others      : 0
        Parameter-map(s):
          http-parameter-map
          tcp-parameter-map
    class: CUST01-HTTPS
      ssl-proxy server: CUST01-HTTPS-SERVICE
      loadbalance:
        L7 loadbalance policy: CUST01-HTTPS-POLICY
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        Persistence Rebalance: ENABLED
        curr conns       : 0         , hit count        : 107
        dropped conns    : 2
        client pkt count : 427       , client byte count: 29603
        server pkt count : 3         , server byte count: 629
        conn-rate-limit      : -         , drop-count : -
        bandwidth-rate-limit : -         , drop-count : -
      compression:
        bytes_in  : 0                          bytes_out : 0
        Compression ratio : 0.00%
                Gzip: 0               Deflate: 0
      compression errors:
        User-Agent  : 0               Accept-Encoding    : 0
        Content size: 0               Content type       : 0
        Not HTTP 1.1: 0               HTTP response error: 0
        Others      : 0
        Parameter-map(s):
          http-parameter-map
          tcp-parameter-map

---------------------------------
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: SCEXTWB01
       10.20.30.1:80         8      OPERATIONAL  0          6          0
         description          : -
         max-conns            : -         , out-of-rotation count : -
         min-conns            : -
         conn-rate-limit      : -         , out-of-rotation count : -
         bandwidth-rate-limit : -         , out-of-rotation count : -
         retcode out-of-rotation count : -
         average response time (usecs) : 0

   rserver: SCEXTWB02
       10.20.30.2:80         8      OPERATIONAL  0          4          0
         description          : -
         max-conns            : -         , out-of-rotation count : -
         min-conns            : -
         conn-rate-limit      : -         , out-of-rotation count : -
         bandwidth-rate-limit : -         , out-of-rotation count : -
         retcode out-of-rotation count : -
         average response time (usecs) : 0

Cisco Employee

Re: SSL/TLS Handshake Failure with SSL Termination

Do you have ssl resource allocated for the context ?

Did you verify key and cert match ? (crypto verify ....)

Do you have a sniffer trace showing the problem ?

Gilles.

New Member

Re: SSL/TLS Handshake Failure with SSL Termination

Giles

That got it, it was the resource call, howeevr what is confusing me is the resource class is defined for 20% of all the boxes capabilities.  I even created a seperate resource allocation for SSL and it didnt work.  If I remove the member allocation it works a treat.

How can I keep my resource allocations in place to protect the other contexts and still have ssl?

Cisco Employee

Re: SSL/TLS Handshake Failure with SSL Termination

Weird, because you always need to be a member of some resource class.

Could you get a 'show resource usage' and 'show resource allocation'.

Thanks,

Gilles.

3052
Views
0
Helpful
5
Replies
CreatePlease login to create content