Problem with java application behind ACE module

dustin.black, Level 1

The ACE module is configured to direct traffic inbound on port 443 to a farm of internal servers on port 8443. The ACE is set up as a proxy for end-to-end SSL communication between the client and the internal server. The SSL key and certificate on the ACE were both generated external to the system (i.e., the key was not locally generated, and no CSR from the ACE was used).

With this configuration, most SSL web services on the internal server are functional from outside the ACE, but a couple of key functions are broken. In particular, a Java application that downloads a number of files to the client via the Java Web Start function will hang ("Download stalled") during the file download, finally reporting an "unexpected end of file" or "connection reset" error in the Java console.

Viewing the packet data with Wireshark, there appear to be RST signals that are being sent from the server prematurely, at about the same time that the download hangs.

I have removed every extraneous setting from the ACE configuration, with no effect on the problem. I have also attempted to modify a number of settings on the VLAN interfaces, such as adjusting fragment options and setting 'ip df' to 'clear'. None of these changes has made a difference.

The only way the Java application will function through the ACE is to de-configure the SSL proxy settings, letting the SSL data pass through as-is. This, however, breaks other needed functions for layer-7 URL-based load balancing.

Pertinent configuration is below:

hostname ACE_MFG

access-list ANY line 10 extended permit ip any any

rserver host HTTPS1
  description HTTPS Server 1
  ip address 172.30.3.6
  inservice

ssl-proxy service SSL_PROXY_SERVER
  key ACE_RSA_KEY_4.PEM
  cert ACE_CERT_4.PEM

ssl-proxy service SSL_PROXY_CLIENT

serverfarm host HTTPS
  description HTTPS Server Farm
  failaction purge
  retcode 200 500 check count
  rserver HTTPS1
    inservice

class-map match-any L4_HTTPS_SLB_VIP_CLASS
  4 match virtual-address 172.30.255.2 tcp eq https

policy-map type loadbalance first-match L7_HTTPS_SLB_POLICY
  class class-default
    serverfarm HTTPS
    ssl-proxy client SSL_PROXY_CLIENT

policy-map multi-match L4_HTTPS_SLB_POLICY
  class L4_HTTPS_SLB_VIP_CLASS
    loadbalance vip inservice
    loadbalance policy L7_HTTPS_SLB_POLICY
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 1 vlan 310
    ssl-proxy server SSL_PROXY_SERVER

interface vlan 110
  description Client-side Interface
  ip address 172.30.255.254 255.255.255.0
  access-group input ANY
  service-policy input L4_HTTPS_SLB_POLICY
  no shutdown

interface vlan 310
  description Server-side Interface
  ip address 172.30.0.200 255.255.248.0
  nat-pool 1 172.30.0.199 172.30.0.199 netmask 255.255.255.255 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.30.255.1
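A capture-side check, added here as an example; it is not part of the original post and not a Cisco tool. With the SSL proxy in place the client never exchanges TCP with 172.30.3.6: the ACE terminates the client connection on VLAN 110 and opens its own connection from the nat-pool address 172.30.0.199 on VLAN 310. A RST seen by the client is therefore emitted by the ACE, and it may or may not be echoing a reset from the rserver. Capturing on both VLANs and comparing which flow is reset first tells you which hop to investigate. The script below parses libpcap captures with the standard library only (Ethernet/IPv4/TCP, no pcapng) and reports the earliest RST that arrived before either side sent FIN. The addresses come from the configuration above; the two captures are constructed inline, with the rserver made to reset 2 ms before the VIP, which is only one of the two outcomes the comparison can produce; the helper names (`premature_resets`, `earliest_reset`, `build_pcap`) are my own.

```python
"""Locate premature TCP resets in libpcap captures (Ethernet/IPv4/TCP only).

Added diagnostic, not part of the original post. With an SSL proxy there are
two TCP connections (client <-> VIP, ACE <-> rserver), so a capture from each
VLAN is parsed separately and the earliest reset wins. Standard library only."""
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def iter_packets(data):
    """Yield (timestamp, frame) from libpcap file bytes in either byte order."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not supported)")
    off = 24                                    # global header is 24 bytes
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags, payload_len), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                              # IP protocol 6 = TCP
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, sport, dport, tcp[13], len(tcp) - doff


def premature_resets(data):
    """Flows that ended with a RST before either side sent FIN.

    Each entry: (rst_time, rst_sender, peer, bytes_sent_by_rst_sender, bytes_sent_by_peer)."""
    flows = {}
    for ts, frame in iter_packets(data):
        p = parse_tcp(frame)
        if p is None:
            continue
        src, dst, sport, dport, flags, plen = p
        a, b = f"{src}:{sport}", f"{dst}:{dport}"
        key = tuple(sorted((a, b)))
        f = flows.setdefault(key, {"bytes": {a: 0, b: 0}, "fin": False, "rst": None, "done": False})
        if f["done"]:                           # ignore anything after the first RST
            continue
        f["bytes"][a] += plen
        if flags & FIN:
            f["fin"] = True
        if flags & RST:
            if not f["fin"]:
                f["rst"] = (ts, a, b)
            f["done"] = True
    out = []
    for f in flows.values():
        if f["rst"]:
            ts, a, b = f["rst"]
            out.append((ts, a, b, f["bytes"][a], f["bytes"][b]))
    return sorted(out)


def earliest_reset(*captures):
    """Across several captures (one per VLAN), return the earliest premature RST or None."""
    hits = [r for cap in captures for r in premature_resets(cap)]
    return min(hits) if hits else None


# ---- constructed sample captures (not real traffic from the thread) ----
def _ip4(s):
    return bytes(int(x) for x in s.split("."))


def _frame(src, sport, dst, dport, flags, payload_len=0):
    """Ethernet/IPv4/TCP frame with zeroed checksums; only fields the parser reads are set."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + b"\x00" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip4(src), _ip4(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(packets):
    """Serialize (timestamp, frame) pairs as a little-endian libpcap file (linktype 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out


C, V = ("172.30.255.10", 51234), ("172.30.255.2", 443)   # hypothetical client, VIP (VLAN 110)
N, S = ("172.30.0.199", 1025), ("172.30.3.6", 8443)      # nat-pool address, rserver (VLAN 310)

CLIENT_SIDE = build_pcap([
    (0.000, _frame(*C, *V, SYN)), (0.001, _frame(*V, *C, SYN | ACK)), (0.002, _frame(*C, *V, ACK)),
    (0.010, _frame(*C, *V, PSH | ACK, 300)),
    (0.020, _frame(*V, *C, ACK, 1460)), (0.030, _frame(*V, *C, ACK, 1460)),
    (0.040, _frame(*V, *C, RST | ACK)),                  # VIP resets mid-download, no FIN
])
SERVER_SIDE = build_pcap([
    (0.005, _frame(*N, *S, SYN)), (0.006, _frame(*S, *N, SYN | ACK)), (0.007, _frame(*N, *S, ACK)),
    (0.012, _frame(*N, *S, PSH | ACK, 300)),
    (0.018, _frame(*S, *N, ACK, 1460)), (0.028, _frame(*S, *N, ACK, 1460)),
    (0.038, _frame(*S, *N, RST | ACK)),                  # rserver resets 2 ms earlier
])

if __name__ == "__main__":
    print("earliest premature RST:", earliest_reset(CLIENT_SIDE, SERVER_SIDE))
```

On a real capture, replace the constructed byte strings with the contents of the two files (`open(path, "rb").read()`) taken at the same time on the client-side and server-side VLANs; clocks on the two capture points must be synchronised for the timestamp comparison to mean anything. Byte counts per direction at the moment of the reset are reported so that the hang can be matched against the Java console's progress.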

2 Replies

owillins, Level 6

Could you paste the following:

1. 'show tech' from the device

2. 'show tech' from the ACE

Attached.
