ACE 4710 SSL connection rate

Similar Messages

• ACE20 SSL-connection rate performance

  Hello,
  One of our customers are challenging our ACE20 modules ssl-connection rate performance. During a loadtest performed against our webportals, they concluded, that the ACE-module showed signs of severe performance degredations, when the number of new ssl-connections hit 40.
  While I disagree with that conclusion, I find it somewhat difficult to disprove it. Nothing on the ACE-module suggest any ssl-resource depletion, the highest recorded ssl-connection rate is 677 tps and the license permits 10k. The context is currently sized to 4k. I've gone through numerous troubleshooting steps, trying to locate anything that would suggest a problem with the module, but so far nothing has turned up.
  I've been given somewhat conflicting information about what the ssl-connection rate resouce actually represent. Some say is represent the total number of new ssl-connections pr/sec, other say it represents ssl-transaction capacity as a whole, which among other things would include ssl-handshakes. Regardsless, 40 in my opinion seems way to low and this is very inconsistent with the generel load on our modules, which often climbs into the hundreds.
  So I'm looking for suggestions on how to conduct a simple ssl/tps test against the ACE-modules. The test is expected to be very basic, as I'm not looking to test the webportal end-to-end, but simply doing an ssl-tps performace test.
  Any help will do
  Thanks
  /Ulrich

  Hi,
  The connection will be denied once the SSL connection rate is exceeded.
  That can be identified by using the command :
  show resource usage all
  You will see something like this :
          Resource         Current       Peak        Min        Max       Denied
  ssl-connections rate        995       1000          0       1000     28975
  You will notice that the deny counter will start increasing once the rate is exceeded.
  hope that helps.
  regards,
  Ajay Kumar

• ACE 4710 & SSL Offloading

  I testing the 4710 for load balancing between 2 web servers. I have the http portion working just fine but would like to get some input on the SSL portion.
  We have a section of our site that requires user login and the whole session is https from when they login and when they are browsing through our site.
  My questions are within the design aspects. Would this best be designed using SSL offloading and then using clear text from the ACE to the web servers? Also, what would the differences be with configuring ssl offloading with stickiness if configured with http server load balancing on the same server farm versus creating a new server farm just for https? Would end-to-end ssl be best in this scenario?
  Description of the web application usage:
  Users log in and their whole session is https. Users will be filling out forms, inputting data, registering for events and uploading some files.

  Okay so that makes sense to me now. When the client requests an HTTPS page and the ACE terminates the connection, the ACE uses SSL rewrite/redirect to send the request back to the client so that the client still maintains the SSL connection. Otherwise it will request an HTTP page instead of the HTTPS page.
  Am I correct?

• ACE 4710 SSL server LB with stickiness

  I will be replacing 11500 CSS which are not doing SSL termination, just load-balancing SSL sessions terminated on servers with ACE 4710.
  On their CSS config, they were doing SSL-sticky. I understand the 4710 doesn't support SSL sticky, but can perform the same function by parsing the HTTP header. Has anyone done this config before and know where/how to parse the header to look for the SSL session# and stick connections to same server?
  THANKS!

  In Ace 2.x code GPP (Generic protocol parsing) was introduced that enables ACE to look into the Layer 4 payload.Which is how this stickiness id achieved.
  details at
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/sticky.html#wp1133923
  I dont think its currently available on ACE appliance yet.
  Syed

• CSS11503/ACE 4710 - SSL session id cache

  I have a couple of questions.
  1. I'd like to know what happens when the SSL session id cache (def 10k) gets filled on a CSS11503. Do new connections get dropped or do they still work but are they less efficient?
  2. What is the cache size on an ACE4710?

  The problem was caused by an incorrect nat pool.   Correct Mask was 255.255.255.0.

• ACE 4710 send Connection:Close when should be Keep-Alive

  After user request to front end http to 10.85.10.4 (default 80) after a port redirect and action list header rewrite
  header rewrite request host header-value http://10[.]85[.]10[.]4 replace http://10.85.10.67:84/jde/E1Menu.maf%1
  I see the request go out (wireshark) to the back-end javaserver but in the Connection it's close not keepalive:
  GET /jde/E1Menu.maf HTTP/1.1
  Connection: Close
  Host:10.85.10.67:84
  After the get from the ACE the jserver replies with the JDE login screen but the ACE ignores it?

  Try by enabling persistence rebalance in an http parameter-map.
  Also your rewrite rule is wrong, you've been mistaken regarding the role of the Host field I guess. What you try to configure in your config is a URL rewrite but it's not supported by the ACE.

• Ace 4710 SSL Proxy TLS (Beast) Mitigation

  Has anyone heard if there is an upgrade path to mitigate this recent tls1.0 and sslv3 exploit?
  Thanks
  Darren
  Sent from Cisco Technical Support iPad App

  Hi Darren,
  I haven't seen any official cisco comment about this yet.
  Also our customers are asking for updates on this security advisory....
  Edwin

• ACE 4710 MAC Address

  All physical interfaces on ACE 4710 share the same MAC address. Also, VIP addresses share the same MAC address. ACE 4710 is connected to a switch. How is the switch supposed to know which interface to send the packet to if it is doing layer2 switching.
  Thank you in advance for the explanation.

  You can't put 2 interfaces in the same vlan
  switch/Admin(config-if)# switchport access vlan 20
  vlan 20 is associated with GigabitEthernet 1/3.
  switch/Admin(config-if)#
  So, the L2 switch will have an entry for the mac-address in each vlan and this entry can point to different interfaces.
  Gilles.

• SSL Termination in ACE 4710 not working

  Hi,
  I have configured a new ACE 4710 with only a sinlge context to redirect https traffic to http real servers using SSL Termination. When I do a telnet on port 443 or 80 to the VIP it works fine but when I try to open the URL it prompts me for accepting the certificate then it tries to find and establish connection to the URL but eventually dies out giving a "Page cannot be displayed error". I have done some troubleshooting and found that the connection to the VIP on 443 port is Established but the out connection from the real server to the client remains in the INIT state. I am attaching the configs and all the troubleshooting data I have collected. Pls someone help.

  Yes the "server pkt count" for the "class: VIP_HTTPD_Redirect" is not incrementing and yes the servers do not have the default gateway towards the ACE.So as suggested I have configured default route in the servers towards the ACE interface vlan ip address. Still the server packet count is not incrementing. I am posting the updated configuration of the ACE as an attachment. Pls help.

• ACE 4710 Can not confirm http cookie sticky connections

  We are using a ACE 4710 with A3(2.6) software release.
  I had to change our sticky load balancing method for HTTPS to cookie based.
  However while connections appear to work if I look at the sho sticky database table I can not see or confirm sticky entries for the cookie based connections.
  Here or config snippets to show the config
  sticky http-cookie ghh-www scook-ghh
    cookie insert browser-expire
    serverfarm ghh-www-443
  class-map match-all ghh-www-443_CLASS
    2 match virtual-address 172.16.1.21 tcp eq https
  class-map type http loadbalance match-any ghh-www-443_CLASSURL
    2 match http url [.]*
  policy-map type loadbalance first-match ghh-sticky-443_POLICY
    class class-default
      sticky-serverfarm scook-ghh
  policy-map multi-match POLICY
  class ghh-www-443_CLASS
        loadbalance vip inservice
        loadbalance policy ghh-sticky-443_POLICY
        loadbalance vip icmp-reply active
        appl-parameter http advanced-options CASE_PARAM

  Another point: please check whether your servers are listening only for HTTPS traffic or also for HTTP traffic:
  in the first case the ACE will have to: decrypt the traffic from the client, inspect the http header to take the loadbalance decision and then re-encrypt it and send it to the server
  in the second case the ACE would have to: decrypt the traffic from the client, inspect the http header to take the loadbalance decision and send it out as it is unencrypted to the server
  the second solution would have the benefit of being easier to configure and to require less resoucerces both on the ACE (only decryption to be performed) and on the servers (no need for SSL operations at all there) but it might be that your company or business sector have requirements for which this traffic should never flow unencrypted, in which case you would have to go for the first solution.
  Here you have a config example for the first solution:
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
  I would not expect you to have to pay extra for importing the cert and kepair into the ace, it would be just a copy, however as Alex said that may still depend on the license agreement with the CA.
  Cheers,
  Francesco

• ACE 4710 - show stats connection questions

  Hi,
  I have three questions regarding the "show stats connection" command in the ACE 4710:
  1. What is the criteria for a connection to be added to the "Total Connections Failed" counter?
  2. What is the criteria for a connection to be added to the "Total Connections Timed-out" counter?
  3. Is there a command to get more information why the connection was failed or timed-out (e.g. to/from which IP, url accessed etc.)?
  Thanks in advance for your help!
  Best regards,
  Harry

  Harry,
  a connection failed if the server did not respond or resonded with a RST.
  As long as the connection gets establised, it is counted as a success.
  The connection timeout counter is incremented when the connection is idle for the configured timeout value or for L7 connections if it does not complete the 3-way handshale within the embryonic timeout interval.
  Since this is clear why those counters are incrementing, the only way to get more information is to capture a sniffer trace to verify if the conditions above are met.
  Gilles.

• ACE 4710 Connectivity help?

  I'm using an ACE 4710 in a new datacenter, with the following setup:
  2/4 physical ethernet interfaces port channeled into port-channel 1
  2/4 physical ethernet interfaces port channeled into port-channel 2
  I have the following vlans defined:
  1001 - admin     - interface ip: 10.53.136.70
  400 - client side - interface ip: 10.53.136.100
  500 - server side - interface ip: 192.168.128.1
  999 - fault tolerance - interface ip: 192.168.11.2
  My problem is I am trying to nat ssh and web server traffic from the client side, to the server side, but it's never getting to the server.  For example, if I ssh to 10.53.136.102, it times out.  (10.53.136.102 should get nat'd to 192.168.128.2)
  Also, I can connect to the ACE 4710 via telnet using 10.53.136.70, but cannot connect to 10.53.136.100.
  I'm thinking there is either something wrong with the port-channels, or the access lists.  On the other hand there could be something wrong with the nat'ing, but I had it working before switching over to the port-channels.
  Any thoughts?
  Thanks,
  Brent

  I've attached the two contexts which we are using.  The admin context is new_lb_config.txt and the second context where the loadbalancing occurs is in the new_lb_config_VC_WBPX.txt file.
  From the load balancer, I am able to ping the real server ips in the 192.168. ip range.  The 4710 recognizes that they are in service.
  I believe the ACL for the VLAN 400 is set to permit all traffic, but I don't know if the service policies are preventing something from happening.
  Right now, I have disconnected the two 4710s and I am only working on one of them to see if I can get the basic connectivity going.  Once I accomplish that, I will work on high availability.  I'll have to check whether it thinks it is in passive mode...not entirely sure how to do that, but I will check it out.
  Thanks,
  Brent

• SSL Certificates Update Error in ACE 4710

  Hi,
  I am facing a problem while updating the SSL certificates in ACE 4710. Our certificate is expired and we have purchased a new certificate from CA. Moreover the common name of the certificate is also changed.
  I tried importing the certificate to the repository and change the SSL proxy likewise to use the new certificate. but still the new certificate with new CN is not recognised by the clients. they can see the old certificate only. I even tried deleting and creating a new ssl proxy service with the new cert and attaching it to policy map.
  but still the new certificate is not used even after a reboot,
  Attaching screenshots and running config. Any help will be appreciated.
  BR//Rajiv

  Ravi,
        Here are the procedures for updating your certificate on the ACE. 
  1) Create New RSA Key
  2) Create CSR
  3) Send CSR to CA authority for a new certificate
  4) Import Certificate into the ACE
  5) Change the ssl-proxy to use the new Certificate and Key
  6) Remove the SSL-Proxy from the policy map and reapply
  Now if you created the CSR on a different box, you will need to import both the RSA key are the certificate.  Another thing you should be aware of is a possible change in the Root and intermediate certicates that are used by the CA.  In your configuration, you have
  crypto chaingroup iotms-chain-gr-1
    cert inter-root-new
  Is the the correct certificates for your cert?  If so, it seems odd that there is only on certificate in the Chaingroup.  Most CAs use an intermediate and and a root certificate. 
  Verify that you have the correct chaingroup (with the correct root and intermediate certificates). 

• ACE 4710 in failover - ssl offload, cert for second ACE

  Hi,
  I'm testing two ACE 4710 appliances that should work in active/standby mode and do ssl offload in bridged mode.
  At the moment I have configured one of the devices to do basic load balancing (without ssl offload).
  Now I would like to move further and configure ssl offload and configure High availability.
  I read that the certificate for ssl can be localy generated on the ACE device but I couldn't find any information regarding the cert that should be used on the second ACE.
  Should I generate a new cert od the standby unit or somehow use the one on the first ACE?
  Is it better to first set up high availability and then configure ssl offload or vice versa?
  Does anyone have a config example of ssl offload and active/standby configuration?
  Thank you in advance.

  You simply need to generate keys & CSR on the primary ACE. Export the Keys from Primary ACE, Import these keys to Standby ACE and once you recieve the certs from CA then simply import the cert to both ACEs.
  FOllowing will be steps to achive that
  On primary Ace
  1. create RSA Keys
  crypto generate key 2048 app1.key
  2. Create CSR & send it to CA
  ace/Admin(config)# crypto csr-params app1-csr
  ace/Admin(config-csr-params)# common-name www.app1.com
  ace/Admin(config-csr-params)# country US
  ace/Admin(config-csr-params)# email [email protected]
  ace/Admin(config-csr-params)# locality xyz
  ace/Admin(config-csr-params)# organization-name xyz
  ace/Admin(config-csr-params)# organization-unit xyz
  ace/Admin(config-csr-params)# state CA
  ace/Admin(config-csr-params)# serial-number 1234
  ace/Admin(config-csr-params)# end
  ace/Admin(config)# crypto generate csr app1-csr app1.key
  (copy the result to a file)
  4. Import certificate recieved from CA
  crypto import terminal app1.cert
  (pasted the content from the cert)
  5. verify the cert & keys match
  crypto verify app1.key app1.cert
  6. Export the keys from Active
  crypto export app1.key
  (copy the result to a file)
  ON Standby ACE:
  1. Import the keys
  crypto import terminal app1.key
  2. Import the cert
  crypto import terminal app1.cert
  3.verify the cert & keys match
  crypto verify app1.key app1.cert
  Hope this helps
  Syed

• High Connections within Ace 4710

  Is this normal to have millions of current connections within an ace 4710? There is only 3 current connections but shows a high number?
  Thanks!!

  TAC is claiming a bug.
  Reference  hitting bug ID: CSCtq39716