ACE 4710 - end-to-end ssl
Hi,
Is it possible to configure 1024 bits crypto from Client to ACE and 2048 bits from ACE-server, using a CA certificated ? Is Somebody has a config example ?
Thanks
Here is a link to a configuration document regarding end to end SSL. The 2048 keys/certs would be configured on the SSL server, not sure what device that would be in your environment, maybe a webserver?
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
Similar Messages
-
Ace 4710 monitoring compression and SSL throughput in nagios
Hey guys I have been given a task to create 2 checks using snmp for nagios. I am googling left right and center to maybe try and find the appropriate OID's that i can pass to this nagios check for both ssl throughput as well as compression throughput.
Any help would be greatly appreciatedJonathan-
ciscoL4L7moduleResourceLimitMIB
DESCRIPTION
sslConnections (9) <-- Here
mgmtBandwidth (10)
throughput (11)
missedMac (12)
httpCompression (13) <-- Here
ftp://ftp.cisco.com/pub/mibs/v2/CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB.my
The numbers aren't throughput, they are a rate CPS. We don't keep track of packet size in relation to speed for those counters specifically. "throughput (11)" relates to the entire context minus management bandwidth.
Regards,
Chris -
ACE 4710 bundle license backup
Hello,
Is it possible to backup ACE appliance licenses if product is bought as a bundle?
ACE-4710-BAS-SK-K9
Promo Bundle - ACE 4710 HW-1Gbps-1K SSL-100MbpsComp-5VC
Following is mentioned in the ACE documentation:
"If you need to replace the ACE, you can copy and install the license file for the license onto the replacement appliance."
But, when we try to backup licenses, we get following results:
ACE-1/Admin# sh license
ACE-1/Admin# copy licenses disk0:mylicenses.tar
Backing up license... failed: License file not found
ACE-1/Admin# sh license status
Licensed Feature Count
Compression Performance in Mbps 100
Web Optimization Concurrent Conns. 50
SSL transactions per second 1000
Virtualized contexts 5
Module bandwidth in Gbps 1.0
ACE-1/Admin# sh license usage
License Ins Lic Status Expiry Date Comments
Count
ACE-AP-C-UP1 No - Unused -
ACE-AP-C-UP2 No - Unused -
ACE-AP-C-UP3 No - Unused -
ACE-AP-01-LIC No - Unused -
ACE-AP-01-UP1 No - Unused -
ACE-AP-02-LIC No - Unused -
ACE-AP-02-UP1 No - Unused -
ACE-AP-04-LIC No - Unused -
ACE-AP-04-UP1 No - Unused -
ACE-AP-04-UP2 No - Unused -
ACE-AP-VIRT-5 No - Unused -
ACE-AP-500M-LIC No - Unused -
ACE-AP-VIRT-020 No - Unused -
ACE-AP-C-100-LIC No - Unused -
ACE-AP-C-500-LIC No - Unused -
ACE-AP-C-500-UP1 No - Unused -
ACE-AP-OPT-50-K9 No - Unused -
ACE-AP-C-1000-LIC No - Unused -
ACE-AP-C-2000-LIC No - Unused -
ACE-AP-OPT-LIC-K9 No - Unused -
ACE-AP-OPT-UP1-K9 No - Unused -
ACE-AP-SSL-05K-K9 No - Unused -
ACE-AP-SSL-07K-K9 No - Unused -
ACE-AP-SSL-100-K9 No - Unused -
ACE-AP-SSL-UP1-K9 No - Unused -
ACE-AP-SSLUP-5K-K9 No - Unused -
ACE-AP-VIRT-020-UP No - Unused -
I suppose licenses cannot be backuped because they are bundled and delivered with the bundle by default, and not installed...
Does anyone know what would be the procedure for this bundled licenses in case of ACE HW replacement needed?
Best regards,
JasminaHi Jasmina,
License file management is quite simple for ACE. Two methods; save original license email or copy from disk0:.
If you purchased and upgraded license, and followed procedure to generate it, you would have received your license via email. We recommend per documentation (License ordering section) that you:
"Step 5 Save the license key e-mail in a safe place in case you need it in the future (for example, to transfer the license to another ACE). "
Also, to apply, you copy the license file to disk0: on the ACE. This *.lic file resides on disk0: thereafter.
So if you did not happen to save the original email when you obtained the license, and the license has been installed, then you can simply copy the *.lic file off the ACE from disk0: to a safe place. Example copying file from ACE to FTP server:
Switch/Admin# copy disk0: ftp:
Enter source filename]? 1ACE2009060306445454.lic
Enter Address for the ftp server]? 10.2.3.4
Enter the destination filename]? [1ACE2009060306445454.lic]
Enter username]? anonymous
Enter the file transfer mode[bin/ascii]: [bin]
Enable Passive mode[Yes/No]: [Yes]
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
Switch/Admin#
Administrator Guide - Licenses on ACE:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/administration/guide/license.html#wp1010344
Hope this helps.
-pefrench -
Dear All,
i have ACE-4710-1F-K9 (ACE 4710 Hardware‐1Gbps‐5K SSL‐500MbpsComp‐5VC-50 APPAccel )
and i need to buy ACE-4710-01-K9
I want to ask does (ACE-4710-01-K9) has 50 AppAccel like the old part number (ACE-4710-1F-K9)???As per my understanding
Both will give you same functionality
ACE-4710-BAS-SK-K9 is a basic kit/bundle
that Includes:
- ACE 4710 Hardware
- ACE Software
- 1 Gbps Throughput License
- 1,000 SSL TPS
- 100Mbps Compression
- 5 Virtual Devices
Where as
"ACE-4710-K9 with ACE-AP-01-LIC" is kind of La Carte option
ACE-4710-K9 is the ACE Appliance Hardware includes(1K SSL TPS, 5 contexts, 100Mbps comp)
With it you need to select two mandatory options
ACE Software :ACE-AP-SW-XX Software Version XX
Throughput License :("ACE-AP-01-LIC" 1 Gbps OR "ACE-AP-02-LIC" 2 Gbps )
Then you can select optional licences for
SSL TPS, Virtual Devices, compression & App acceleration...(if you need to upgrade the defaults 1K SSL TPS, 5 contexts, 100Mbps comp)
Syed iftekhar Ahmed -
Question about ACE-4710-BAS-2PAK bundle
Hello,
I want to order ACE-4710-BAS-2PAK bundle (2 Units of ACE 4710 Hardware-1Gbps-1K SSL-100MbpsComp-5VC- 5) and then separate two units of this bundle.
I couldn't get any information about separation possibility, therefore âsome howâ i need to ensure that 2 units of ACE-4710-BAS-2PAK will be able to work separate.
Could you please provide me some suggestion about this issue.
Any advise are welcome.yes, these units can work alone.
The pak is just a sale operation.
The HW is still the same.
G. -
ACE 4710 Appliance end-to-end SSL
Hello,
Am I able to use a port other than 443 to the servers in a end to end SSL config? For example, 443 to the users and 8443 to the servers?
Thanks,
DaveHi Dave,
Sure that's not a problem at all. Just make sure you add the 8443 after the rserver name in the serverfarm configuration
serverfarm host REAL_SERVERS
probe HTTPS-KEEPALIVE
rserver SERVER_01 8443
inservice
rserver SERVER_02 8443
inservice
Hope this helps,
Sean -
ACE end-to-end SSL with Client Authentication
we have a need to perform an end-to-end SSL with the ACE doing client authentication. Is there a mechanism to allow the ACE to inspect certain fields in the user certificate? All I see are checks for signature, validity, expiration, etc. Nothing that would allow me to inspect a user cert field such as "OU" and take an action based on content of the field.
any ideas? thanks
Bob Overberg
RABA Technologies
SRA International, Inc.Thanks for the quick response. Is there another Cisco device that does have those capabilities?
thanks.
Bob O. -
Hello,
I'm in the process of setting up an end to end SSL configuration but it doesn't work and I'm getting a bit confused at this stage.I imported a cert using the terminal (copy/paste) then I imported a key using the same method and the tftp. The TFTP failed and the terminal was displaying a message telling me there was topo many lines.
I checked with the crypto verify command and it failed telling me "Error: invalid or unsupported key".
Is there any clear documentation on how to configure an end to end SSL ?
I used the ACE ssl guide, but it is not really accurate and looks more like a reminder to me rather than a guide.
I attached the existing config to this post although it does not show the cert and key I imported to the ACE module, it gives a better understanding of what the idea is.
Did anybody came across the same issues on the first time configuring end-to-end ssl with ACE?just don't know where to start.
I feel like you do not have the right key/cert.
This would be the very first thing to verify.
Where did you get your key and cert ?
What certificate authority signed your certificate ?
The creation of the session key requires the use of an RSA key pair (private/public).
Every server must have a public and a private key associated with a certificate signed by a certificate authority.
If you're not familiar with those concepts, configuring an SSL offloaded like ACE won't be easy.
Maybe you should start be reading on the subject from various article available on the WEB.
openssl is a great tool to generate keys and certficates.
I would suggest maybe to get this free tool and start by creating your own RSA key pair and a self signed certificate.
Then import everything into ACE.
Once you have valid key/cert we can continue with the configuration.
Gilles -
ACE SSL Offload Advantage on End to End SSL
Is there any advantages to doing SSL termination on ACE if you are doing End to End SSL? It seems as thought it's just another place to manage certs, when you could just pass the port 443 traffic to the server and let it do the SSL decription/encryption.
centralized point of management of your certs
performances (hardware-based)
you can use strong ciphers on the client side and weaker ciphers on the server sides, reducing the load on the servers
use of SSL Reuse combined to TCP offload
There are some whitepapers available on cisco.com on this topic. -
I testing the 4710 for load balancing between 2 web servers. I have the http portion working just fine but would like to get some input on the SSL portion.
We have a section of our site that requires user login and the whole session is https from when they login and when they are browsing through our site.
My questions are within the design aspects. Would this best be designed using SSL offloading and then using clear text from the ACE to the web servers? Also, what would the differences be with configuring ssl offloading with stickiness if configured with http server load balancing on the same server farm versus creating a new server farm just for https? Would end-to-end ssl be best in this scenario?
Description of the web application usage:
Users log in and their whole session is https. Users will be filling out forms, inputting data, registering for events and uploading some files.Okay so that makes sense to me now. When the client requests an HTTPS page and the ACE terminates the connection, the ACE uses SSL rewrite/redirect to send the request back to the client so that the client still maintains the SSL connection. Otherwise it will request an HTTP page instead of the HTTPS page.
Am I correct? -
ACE 4710 in failover - ssl offload, cert for second ACE
Hi,
I'm testing two ACE 4710 appliances that should work in active/standby mode and do ssl offload in bridged mode.
At the moment I have configured one of the devices to do basic load balancing (without ssl offload).
Now I would like to move further and configure ssl offload and configure High availability.
I read that the certificate for ssl can be localy generated on the ACE device but I couldn't find any information regarding the cert that should be used on the second ACE.
Should I generate a new cert od the standby unit or somehow use the one on the first ACE?
Is it better to first set up high availability and then configure ssl offload or vice versa?
Does anyone have a config example of ssl offload and active/standby configuration?
Thank you in advance.You simply need to generate keys & CSR on the primary ACE. Export the Keys from Primary ACE, Import these keys to Standby ACE and once you recieve the certs from CA then simply import the cert to both ACEs.
FOllowing will be steps to achive that
On primary Ace
1. create RSA Keys
crypto generate key 2048 app1.key
2. Create CSR & send it to CA
ace/Admin(config)# crypto csr-params app1-csr
ace/Admin(config-csr-params)# common-name www.app1.com
ace/Admin(config-csr-params)# country US
ace/Admin(config-csr-params)# email [email protected]
ace/Admin(config-csr-params)# locality xyz
ace/Admin(config-csr-params)# organization-name xyz
ace/Admin(config-csr-params)# organization-unit xyz
ace/Admin(config-csr-params)# state CA
ace/Admin(config-csr-params)# serial-number 1234
ace/Admin(config-csr-params)# end
ace/Admin(config)# crypto generate csr app1-csr app1.key
(copy the result to a file)
4. Import certificate recieved from CA
crypto import terminal app1.cert
(pasted the content from the cert)
5. verify the cert & keys match
crypto verify app1.key app1.cert
6. Export the keys from Active
crypto export app1.key
(copy the result to a file)
ON Standby ACE:
1. Import the keys
crypto import terminal app1.key
2. Import the cert
crypto import terminal app1.cert
3.verify the cert & keys match
crypto verify app1.key app1.cert
Hope this helps
Syed -
Internal error int reply to ClientHello on ACE20 module with end-to-end SSL
Hello, world!
We have weird behaviour of our Cisco ACE20 module configured for end-to-end SSL (initiation+termination) - the module from time to time replies with SSLv3/TLSv1 alert "Fatal: internal error" message to the client right after client have sent 'ClientHello' SSL message. So sometimes SSL connection works and sometimes will be immediately closed due to this fatal error. The behaviour is very similar to the one described below:
CSCtc52085—After a client sends a ClientHello message, the SSL hand shake may fail with a fatal alert internal error sent by the ACE. This behavior is intermittent and may occur under the following conditions:
1. An SSL service is configured with the session-cache timeout command (session reuse).
2. SSL connections are aborted by the client after the client sends a ClientHello message to the service in condition 1 and before an internal resource state is changed. This behavior puts the internal resource in an improper state. This error is very timing sensitive.
3. The next connection that uses the internal resource in the improper state fails with a fatal alert internal error. That connection does not have to go to the service in condition 1 to experience this error because the internal resource is shared by all the SSL services.
Workaround: None.
But we have software version A2(3.1) and this bug must have been resolved in this release (at least it's listed in resolved caveats section of release notes).
Software
loader: Version 12.2[123]
system: Version A2(3.1) [build 3.0(0)A2(3.1)]
system image file: [LCP] disk0:c6ace-t1k9-mz.A2_3_1.bin
Again, we don't have session-cache timeout configured on the ACE.
On the ACE we have following stats:
ACE1/VC_UNIX# sh stats crypto server
SSL Server Statistics:
SSL alert CLOSE_NOTIFY rcvd: 0
SSL alert UNEXPECTED_MSG rcvd: 0
SSL alert BAD_RECORD_MAC rcvd: 0
SSL alert DECRYPTION_FAILED rcvd: 0
SSL alert RECORD_OVERFLOW rcvd: 0
SSL alert DECOMPRESSION_FAILED rcvd: 0
SSL alert HANDSHAKE_FAILED rcvd: 0
SSL alert NO_CERTIFICATE rcvd: 0
SSL alert BAD_CERTIFICATE rcvd: 0
SSL alert UNSUPPORTED_CERTIFICATE rcvd: 0
SSL alert CERTIFICATE_REVOKED rcvd: 0
SSL alert CERTIFICATE_EXPIRED rcvd: 0
SSL alert CERTIFICATE_UNKNOWN rcvd: 0
SSL alert ILLEGAL_PARAMETER rcvd: 0
SSL alert UNKNOWN_CA rcvd: 0
SSL alert ACCESS_DENIED rcvd: 0
SSL alert DECODE_ERROR rcvd: 0
SSL alert DECRYPT_ERROR rcvd: 0
SSL alert EXPORT_RESTRICTION rcvd: 0
SSL alert PROTOCOL_VERSION rcvd: 0
SSL alert INSUFFICIENT_SECURITY rcvd: 0
SSL alert INTERNAL_ERROR rcvd: 0
SSL alert USER_CANCELED rcvd: 0
SSL alert NO_RENEGOTIATION rcvd: 0
SSL alert CLOSE_NOTIFY sent: 0
SSL alert UNEXPECTED_MSG sent: 1
SSL alert BAD_RECORD_MAC sent: 0
SSL alert DECRYPTION_FAILED sent: 0
SSL alert RECORD_OVERFLOW sent: 0
SSL alert DECOMPRESSION_FAILED sent: 0
SSL alert HANDSHAKE_FAILED sent: 2
SSL alert NO_CERTIFICATE sent: 0
SSL alert BAD_CERTIFICATE sent: 0
SSL alert UNSUPPORTED_CERTIFICATE sent: 0
SSL alert CERTIFICATE_REVOKED sent: 0
SSL alert CERTIFICATE_EXPIRED sent: 0
SSL alert CERTIFICATE_UNKNOWN sent: 0
SSL alert ILLEGAL_PARAMETER sent: 0
SSL alert UNKNOWN_CA sent: 0
SSL alert ACCESS_DENIED sent: 0
SSL alert DECODE_ERROR sent: 0
SSL alert DECRYPT_ERROR sent: 0
SSL alert EXPORT_RESTRICTION sent: 0
SSL alert PROTOCOL_VERSION sent: 0
SSL alert INSUFFICIENT_SECURITY sent: 0
SSL alert INTERNAL_ERROR sent: 16
SSL alert USER_CANCELED sent: 0
SSL alert NO_RENEGOTIATION sent: 0
SSLv2 client hello received: 0
SSLv3 client hello received: 0
TLSv1 client hello received: 68
SSLv3 negotiated protocol: 0
TLSv1 negotiated protocol: 68
SSLv3 full handshakes: 0
SSLv3 resumed handshakes: 0
Cipher sslv3_rsa_rc4_128_md5: 0
Cipher sslv3_rsa_rc4_128_sha: 0
Cipher sslv3_rsa_des_cbc_sha: 0
Cipher sslv3_rsa_3des_ede_cbc_sha: 0
Cipher sslv3_rsa_exp_rc4_40_md5: 0
Cipher sslv3_rsa_exp_des40_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_md5: 0
Cipher sslv3_rsa_exp1024_des_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_sha: 0
Cipher sslv3_rsa_aes_128_cbc_sha: 0
Cipher sslv3_rsa_aes_256_cbc_sha: 0
TLSv1 full handshakes: 33
TLSv1 resumed handshakes: 0
Cipher tlsv1_rsa_rc4_128_md5: 68
Cipher tlsv1_rsa_rc4_128_sha: 0
Cipher tlsv1_rsa_des_cbc_sha: 0
Cipher tlsv1_rsa_3des_ede_cbc_sha: 0
Cipher tlsv1_rsa_exp_rc4_40_md5: 0
Cipher tlsv1_rsa_exp_des40_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_md5: 0
Cipher tlsv1_rsa_exp1024_des_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_sha: 0
Cipher tlsv1_rsa_aes_128_cbc_sha: 0
Cipher tlsv1_rsa_aes_256_cbc_sha: 0
Total SSL client authentications: 0
Failed SSL client authentications: 0
SSL authentication cache hits: 0
SSL static CRL lookups: 0
SSL best effort CRL lookups: 0
SSL CRL lookup cache hits: 0
SSL revoked certificates: 0
Total SSL server authentications: 0
Failed SSL server authentications: 0
Session headers extracted: 0
Session headers failed: 0
Server cert headers extracted: 0
Server cert headers failed: 0
Client cert headers extracted: 0
Client cert headers failed: 0
Headers truncated: 0
Redirects due to cert not yet valid: 0
Redirects due to cert expired: 0
Redirects due to unknown issuer cert: 0
Redirects due to cert revoked: 0
Redirects due to no client cert: 0
Redirects due to no CRL available: 0
Redirects due to expired CRL: 0
Redirects due to bad cert signature: 0
Redirects due to other cert error: 0
Internal error: 27
Handshake FlushRX operations: 0
Handshake FlushTX operations: 0
Xscale messages rcvd from ME: 1313330
Xscale messages sent to ME: 2041768
Finish msg split across ssl recs: 0
Fasttx msg ring full: 0
SSL_ME tx msg ring full: 0
N2 encrypt_record: 0
N2 decrypt_record: 144433
N2 random: 439915
N2 handshake_hash: 878094
N2 hash: 0
N2 gpop_master: 291164
N2 gpop_import_master_secret: 5
N2 gpop_pkcs1v15enc: 144430
N2 gpop_pkcs1v15enc_crt: 0
N2 gpop_finish: 291140
N2 gpop_verify: 0
N2 gpop_pkcs1v15dec: 0
N2 gpop_pkcs1v15dec_crt: 146752
N2 rsa_server_full: 15
N2 resume: 12
UXP A: 24576
UXP B: 0
The "Internal error" counter increases with failed connections.
Printscreen from wireshark attached.
Maybe someone has the problem like ours? I have no idea how to troubleshoot these "internal errors"... :-(
Thanks for your replies.Thanks for your reply.
The problem is not server-related, I have exactly the same situation if I do SSL termination only, with unencrypted connection between ACE and backend servers (another servers, with blank apache installed and listening on 443 port for non-SSL traffic) - generally speaking, it works, but often with these "internal errors" - not suitable for production.
Here is the output from the commands
# show np 1 me-stats -E0
SSL Server Statistics:
SSL alert CLOSE_NOTIFY rcvd: 0
SSL alert UNEXPECTED_MSG rcvd: 0
SSL alert BAD_RECORD_MAC rcvd: 0
SSL alert DECRYPTION_FAILED rcvd: 0
SSL alert RECORD_OVERFLOW rcvd: 0
SSL alert DECOMPRESSION_FAILED rcvd: 0
SSL alert HANDSHAKE_FAILED rcvd: 0
SSL alert NO_CERTIFICATE rcvd: 0
SSL alert BAD_CERTIFICATE rcvd: 0
SSL alert UNSUPPORTED_CERTIFICATE rcvd: 0
SSL alert CERTIFICATE_REVOKED rcvd: 0
SSL alert CERTIFICATE_EXPIRED rcvd: 0
SSL alert CERTIFICATE_UNKNOWN rcvd: 0
SSL alert ILLEGAL_PARAMETER rcvd: 0
SSL alert UNKNOWN_CA rcvd: 0
SSL alert ACCESS_DENIED rcvd: 0
SSL alert DECODE_ERROR rcvd: 0
SSL alert DECRYPT_ERROR rcvd: 0
SSL alert EXPORT_RESTRICTION rcvd: 0
SSL alert PROTOCOL_VERSION rcvd: 0
SSL alert INSUFFICIENT_SECURITY rcvd: 0
SSL alert INTERNAL_ERROR rcvd: 0
SSL alert USER_CANCELED rcvd: 0
SSL alert NO_RENEGOTIATION rcvd: 0
SSL alert CLOSE_NOTIFY sent: 0
SSL alert UNEXPECTED_MSG sent: 0
SSL alert BAD_RECORD_MAC sent: 0
SSL alert DECRYPTION_FAILED sent: 0
SSL alert RECORD_OVERFLOW sent: 0
SSL alert DECOMPRESSION_FAILED sent: 0
SSL alert HANDSHAKE_FAILED sent: 0
SSL alert NO_CERTIFICATE sent: 0
SSL alert BAD_CERTIFICATE sent: 0
SSL alert UNSUPPORTED_CERTIFICATE sent: 0
SSL alert CERTIFICATE_REVOKED sent: 0
SSL alert CERTIFICATE_EXPIRED sent: 0
SSL alert CERTIFICATE_UNKNOWN sent: 0
SSL alert ILLEGAL_PARAMETER sent: 0
SSL alert UNKNOWN_CA sent: 0
SSL alert ACCESS_DENIED sent: 0
SSL alert DECODE_ERROR sent: 0
SSL alert DECRYPT_ERROR sent: 0
SSL alert EXPORT_RESTRICTION sent: 0
SSL alert PROTOCOL_VERSION sent: 0
SSL alert INSUFFICIENT_SECURITY sent: 0
SSL alert INTERNAL_ERROR sent: 0
SSL alert USER_CANCELED sent: 0
SSL alert NO_RENEGOTIATION sent: 0
SSLv2 client hello received: 0
SSLv3 client hello received: 0
TLSv1 client hello received: 0
SSLv3 negotiated protocol: 0
TLSv1 negotiated protocol: 0
SSLv3 full handshakes: 0
SSLv3 resumed handshakes: 0
Cipher sslv3_rsa_rc4_128_md5: 0
Cipher sslv3_rsa_rc4_128_sha: 0
Cipher sslv3_rsa_des_cbc_sha: 0
Cipher sslv3_rsa_3des_ede_cbc_sha: 0
Cipher sslv3_rsa_exp_rc4_40_md5: 0
Cipher sslv3_rsa_exp_des40_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_md5: 0
Cipher sslv3_rsa_exp1024_des_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_sha: 0
Cipher sslv3_rsa_aes_128_cbc_sha: 0
Cipher sslv3_rsa_aes_256_cbc_sha: 0
TLSv1 full handshakes: 0
TLSv1 resumed handshakes: 0
Cipher tlsv1_rsa_rc4_128_md5: 0
Cipher tlsv1_rsa_rc4_128_sha: 0
Cipher tlsv1_rsa_des_cbc_sha: 0
Cipher tlsv1_rsa_3des_ede_cbc_sha: 0
Cipher tlsv1_rsa_exp_rc4_40_md5: 0
Cipher tlsv1_rsa_exp_des40_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_md5: 0
Cipher tlsv1_rsa_exp1024_des_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_sha: 0
Cipher tlsv1_rsa_aes_128_cbc_sha: 0
Cipher tlsv1_rsa_aes_256_cbc_sha: 0
Total SSL client authentications: 0
Failed SSL client authentications: 0
SSL authentication cache hits: 0
SSL static CRL lookups: 0
SSL best effort CRL lookups: 0
SSL CRL lookup cache hits: 0
SSL revoked certificates: 0
Total SSL server authentications: 0
Failed SSL server authentications: 0
Session headers extracted: 0
Session headers failed: 0
Server cert headers extracted: 0
Server cert headers failed: 0
Client cert headers extracted: 0
Client cert headers failed: 0
Headers truncated: 0
Redirects due to cert not yet valid: 0
Redirects due to cert expired: 0
Redirects due to unknown issuer cert: 0
Redirects due to cert revoked: 0
Redirects due to no client cert: 0
Redirects due to no CRL available: 0
Redirects due to expired CRL: 0
Redirects due to bad cert signature: 0
Redirects due to other cert error: 0
Internal error: 0
SSL Client Statistics:
SSL alert CLOSE_NOTIFY rcvd: 0
SSL alert UNEXPECTED_MSG rcvd: 0
SSL alert BAD_RECORD_MAC rcvd: 0
SSL alert DECRYPTION_FAILED rcvd: 0
SSL alert RECORD_OVERFLOW rcvd: 0
SSL alert DECOMPRESSION_FAILED rcvd: 0
SSL alert HANDSHAKE_FAILED rcvd: 0
SSL alert NO_CERTIFICATE rcvd: 0
SSL alert BAD_CERTIFICATE rcvd: 0
SSL alert UNSUPPORTED_CERTIFICATE rcvd: 0
SSL alert CERTIFICATE_REVOKED rcvd: 0
SSL alert CERTIFICATE_EXPIRED rcvd: 0
SSL alert CERTIFICATE_UNKNOWN rcvd: 0
SSL alert ILLEGAL_PARAMETER rcvd: 0
SSL alert UNKNOWN_CA rcvd: 0
SSL alert ACCESS_DENIED rcvd: 0
SSL alert DECODE_ERROR rcvd: 0
SSL alert DECRYPT_ERROR rcvd: 0
SSL alert EXPORT_RESTRICTION rcvd: 0
SSL alert PROTOCOL_VERSION rcvd: 0
SSL alert INSUFFICIENT_SECURITY rcvd: 0
SSL alert INTERNAL_ERROR rcvd: 0
SSL alert USER_CANCELED rcvd: 0
SSL alert NO_RENEGOTIATION rcvd: 0
SSL alert CLOSE_NOTIFY sent: 0
SSL alert UNEXPECTED_MSG sent: 4108
SSL alert BAD_RECORD_MAC sent: 0
SSL alert DECRYPTION_FAILED sent: 0
SSL alert RECORD_OVERFLOW sent: 0
SSL alert DECOMPRESSION_FAILED sent: 0
SSL alert HANDSHAKE_FAILED sent: 63355
SSL alert NO_CERTIFICATE sent: 0
SSL alert BAD_CERTIFICATE sent: 0
SSL alert UNSUPPORTED_CERTIFICATE sent: 0
SSL alert CERTIFICATE_REVOKED sent: 0
SSL alert CERTIFICATE_EXPIRED sent: 0
SSL alert CERTIFICATE_UNKNOWN sent: 0
SSL alert ILLEGAL_PARAMETER sent: 0
SSL alert UNKNOWN_CA sent: 0
SSL alert ACCESS_DENIED sent: 0
SSL alert DECODE_ERROR sent: 0
SSL alert DECRYPT_ERROR sent: 0
SSL alert EXPORT_RESTRICTION sent: 0
SSL alert PROTOCOL_VERSION sent: 0
SSL alert INSUFFICIENT_SECURITY sent: 0
SSL alert INTERNAL_ERROR sent: 37662
SSL alert USER_CANCELED sent: 0
SSL alert NO_RENEGOTIATION sent: 0
SSLv2 client hello received: 0
SSLv3 client hello received: 0
TLSv1 client hello received: 0
SSLv3 negotiated protocol: 0
TLSv1 negotiated protocol: 4062020
SSLv3 full handshakes: 0
SSLv3 resumed handshakes: 0
Cipher sslv3_rsa_rc4_128_md5: 0
Cipher sslv3_rsa_rc4_128_sha: 0
Cipher sslv3_rsa_des_cbc_sha: 0
Cipher sslv3_rsa_3des_ede_cbc_sha: 0
Cipher sslv3_rsa_exp_rc4_40_md5: 0
Cipher sslv3_rsa_exp_des40_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_md5: 0
Cipher sslv3_rsa_exp1024_des_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_sha: 0
Cipher sslv3_rsa_aes_128_cbc_sha: 0
Cipher sslv3_rsa_aes_256_cbc_sha: 0
TLSv1 full handshakes: 4015344
TLSv1 resumed handshakes: 0
Cipher tlsv1_rsa_rc4_128_md5: 0
Cipher tlsv1_rsa_rc4_128_sha: 0
Cipher tlsv1_rsa_des_cbc_sha: 0
Cipher tlsv1_rsa_3des_ede_cbc_sha: 0
Cipher tlsv1_rsa_exp_rc4_40_md5: 0
Cipher tlsv1_rsa_exp_des40_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_md5: 0
Cipher tlsv1_rsa_exp1024_des_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_sha: 0
Cipher tlsv1_rsa_aes_128_cbc_sha: 4062020
Cipher tlsv1_rsa_aes_256_cbc_sha: 0
Total SSL client authentications: 0
Failed SSL client authentications: 0
SSL authentication cache hits: 4059147
SSL static CRL lookups: 0
SSL best effort CRL lookups: 0
SSL CRL lookup cache hits: 0
SSL revoked certificates: 0
Total SSL server authentications: 4059888
Failed SSL server authentications: 0
Session headers extracted: 0
Session headers failed: 0
Server cert headers extracted: 0
Server cert headers failed: 0
Client cert headers extracted: 0
Client cert headers failed: 0
Headers truncated: 0
Redirects due to cert not yet valid: 0
Redirects due to cert expired: 0
Redirects due to unknown issuer cert: 0
Redirects due to cert revoked: 0
Redirects due to no client cert: 0
Redirects due to no CRL available: 0
Redirects due to expired CRL: 0
Redirects due to bad cert signature: 0
Redirects due to other cert error: 0
Internal error: 20380
Handshake FlushRX operations: 0
Handshake FlushTX operations: 0
Xscale messages rcvd from ME: 12092768
Xscale messages sent to ME: 0x0176adac
Finish msg split across ssl recs: 0
Fasttx msg ring full: 0
SSL_ME tx msg ring full: 0
N2 encrypt_record: 0
N2 decrypt_record: 4015344
N2 random: 8148797
N2 handshake_hash: 4322635
N2 hash: 0
N2 gpop_master: 4041700
N2 gpop_import_master_secret: 0
N2 gpop_pkcs1v15enc: 4041700
N2 gpop_pkcs1v15enc_crt: 0
N2 gpop_finish: 4031710
N2 gpop_verify: 0
N2 gpop_pkcs1v15dec: 0
N2 gpop_pkcs1v15dec_crt: 0
N2 rsa_server_full: 0
N2 resume: 0
UXP A: 24576
UXP B: 0
# show np 1 me-stats "-shttp -v"
HTTP Statistics (Current)
Unknown msgs received: 0 0
Data rx msgs received: 288293958 4
TCP proxy rx msgs received: 9816884 1
Ack trigger rx msgs received: 0 0
TCP event rx msgs received: 52961189 2
Dest decision tx msgs received: 55155089 1
LB dest decision tx msgs received: 0 0
Close tx msgs received: 83942817 0
Inspect allow tx msgs received: 0 0
Inspect drop tx msgs received: 0 0
DRAM blocks read: 577612022 16
Buffers dropped: 2702255 0
Regex states read: 38438408 25
Unproxy cancellations: 0 0
Redundant closes: 2990271 0
Internal errors: 0 0
Conn mismatch errors: 2748628 0
Exception with close: 6 0
Dest errors: 1 0
Total Packet count (Tx & Rx): 490169937 8
Stop regex: 12 0
(Context 5 Statistics)
Parse result LB msgs sent: 121180 0
Drop: LB queue full: 0 0
Parse result Inspect msgs sent: 0 0
Drop: Inspect queue full: 0 0
TCP data msgs sent: 96215 0
TCP queue full: 0 0
SSL data msgs sent: 516306 0
SSL queue full: 0 0
TCP fin msgs sent: 939 0
TCP rst msgs sent: 147 0
SSL fin msgs sent: 102907 0
SSL rst msgs sent: 38548 0
Bounced fin msgs sent: 1481 0
Bounced rst msgs sent: 2 0
Unproxy msgs sent: 25333 0
Drain msgs sent: 113966 0
Reuse msgs sent: 2304 0
Particles read: 1448314 0
HTTP requests: 121688 0
Reproxied requests: 17680 0
Headers inserted: 3825 0
Headers removed: 51 0
Headers rewritten: 0 0
HTTP redirects: 0 0
HTTP chunks: 42154 0
Unproxy conns: 25325 0
Pipelined requests: 0 0
Pipeline flushes: 0 0
Whitespace appends: 0 0
Response entries recycled: 24493 0
Second pass parsing: 0 0
Vserver mismatch errors: 5 0
Analysis errors: 0 0
Static parse errors: 20 0
Max parselen errors: 0 0
Resource errors: 75 0
Invalid path errors: 0 0
Bad HTTP version errors: 0 0
Header insert errors: 75 0
Header rewrite errors: 0 0
Invalid policy errors: 0 0
Invalid rserver errors: 0 0
Recycled requests: 0 0
SSL header insert success: 0 0
SSL header insert errors: 0 0
SSL spoof header deleted: 0 0
Drop: RST pipelined request: 0 0
There's nothing in ACE logs.
Forgot to mention - we are running ACE in one-arm mode, but I don't believe it makes a difference. -
Best practice SSL End-to-End in Exchange 2010 CAS loadbalancing
Hi,
I was wondering if there is a best practice for deploying SSL End-to-End in Exchange 2010 CAS loadbalancing.
We have ACE modules A5(1.1) and ANM 5.1(0), although there seems to be a template available in ANM it doesn't work. It throws a error when deploying, i believe the template is corrupt.
As I am undersome pressure to deploy this asap I am looking for a sample config. I found one for SSL offloading, but I need one for End-to-End SSL.
Thanks in advance,
DionHi Dion,
You can open up a case with TAC to have that template reviewed and confirm if the problem is at the ACE or ANM side.
In the meantime here is a nice example for End-To-End SSL that can help you to get that working:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
For CAS load balancing there's nothing special other than opening the right ports, I'd advise you to get SSL working first and take it from there, if any problem comes up you can post it here and we'll give you a hand.
HTH
Pablo -
What are the advantages of end to end ssl vs. server term'd ssl
what would be the advantage of having the ACE terminate ssl and than initating an ssl connection to the backend server
instead of just having the server terminate the ssl connection?
we are currently discussing this..and even from a resource perspective...the server would seem to be using
the same amount of resourcesThe real advantage with end to end SSL is that the ACE can make layer 7 decisions but still keep the traffic encrypted from client to server. This would be the case if you needed to use cookies as the sticky method or make a load balance decision on URL or host header. Most of the time it is financial or government institutions that use this feature to keep the data secure even on the inside of the network.
This is much more resource intensive on the ACE. You are correct about the performance on the server. From the server perspective it would be no different if the ACE just load balanced SSL, or terminated it first then encrypted it going back to the server.
Hope that helps
Best regards
Jim -
How to install a root certificate of private CA for SSL initiation in ACE 4710 ?
Hello ACE Gurus,
We have to deploy end-to-end SSL for one of our application, but of course we won't be buying Entrust or other big name certificates for each web server : we want to use self-issued certs signed by our private CA.The topology looks like this :
Internet Client ----HTTPs_Entrust_Cert----> ACE ------HTTPs_Private_Cert------> WebServers
Maybe my search skills are soft, but I haven't found how to import a private CA certificate in the ACE, so that when the ACE initiates an SSL session with the webserver (as a client), it will recognize the Web Server's SSL Cert as valid, because he already has it in it's root store.
The only thing I've found, is how to configure the ACE to ignore the SSL authentification/validation errors, like this :
host1/Admin(config)# parameter-map type ssl SSL_PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# authentication-failure ignore
Thanks for the help!
Alex.Hi Alex,
From ACE perspective, it doesn't make differences if you are using certificates issued by your local or a "well known" CA. Moreover, if not mistaken, you have to configure authentication group whatever you are doing client or server authentication.
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html#wp1043643
Thanks,
Olivier
Maybe you are looking for
-
How do i get my music back after restoring my ipad accidentaly
I restored my ipod by mistake and now I have no music on my ipod. I still have it on my computer so how do I get back on my ipod?
-
Template link to css styles lost
Hi, why, when I create a new page based a template, does the link to the css style sheet become broken? I can see in the code of the new page that ".." is missing from the "../" in the url to the style sheets – but the template has the correct links
-
Hi all, Can you tell me the procedure to put a hyperlink in LSO_PREBOOK_WHAT_IS_IT300 i want to edit standard text in se61. Document Class: General text Language: Any language Our business req is to change the standard text in Prebooking Screen. I ha
-
Where to find answers about converting to CS6?
I have several questions around converting from CS3 to CS6. Is there a specific person, forum, or web site that can help? I want to upgrade to CS6, but not on a subscription basis. I'd like to know what kind of a hurtle I am facing to convert my webs
-
Can I put my money on Motion for Glitch-Free Pans and Zooms?
Hello all I'm an experienced FCE user, who is tired of the unreliabilty of keyframe for producing good smooth pans and stills. iMovie, Photo to Movie, I tried em all .... Do I have equipment related issues? (absolutely not) Cutting right to the quick