ACE 4710 SSL connection rate
What exactly happens when the SSL connection rate is exceeded? Is the connection dropped, queued, or what?
Defined as the SSL TPS. In our case 1000 but upgradeable to 5000
Hi,
The connection will be denied once the SSL connection rate is exceeded.
That can be identified by using the command:
show resource usage all
You will see something like this:
Resource Current Peak Min Max Denied
ssl-connections rate 995 1000 0 1000 28975
You will notice that the deny counter will start increasing once the rate is exceeded.
Hope that helps.
regards,
Ajay Kumar
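An added example, not from the thread or from Cisco, showing how to act on the Denied counter Ajay points at: a POSIX shell/awk script that parses two captures of show resource usage all taken a few seconds apart and reports which resources had their Denied counter increase. The two captures are constructed sample text modelled on the row quoted above; the column layout (five numeric columns after the resource name, which may itself contain a space, as "ssl-connections rate" does) is an assumption about the output format.

```shell
#!/bin/sh
# Added example, not from the thread: compare two captures of
# "show resource usage all" and report the resources whose Denied counter rose.
# Layout assumption: each data row ends with five numeric columns
# (Current Peak Min Max Denied); the resource name before them may contain a
# space. Both captures below are constructed sample text modelled on the row
# quoted in the thread.

BEFORE='        Resource                 Current    Peak     Min      Max   Denied
Context: Admin
        ssl-connections rate         995    1000       0     1000    28975
        conc-connections           12000   15000       0  1000000        0'
AFTER='        Resource                 Current    Peak     Min      Max   Denied
Context: Admin
        ssl-connections rate        1000    1000       0     1000    29380
        conc-connections           12500   15000       0  1000000        0'

# Print "<resource><TAB><denied>" for every data row on stdin. Header,
# "Context:" and separator lines are skipped because their last field is not a
# number; the last five fields are the counters, everything before is the name.
denied_counters() {
    awk '$NF ~ /^[0-9]+$/ && NF >= 6 {
        name = $1
        for (i = 2; i <= NF - 5; i++) name = name " " $i
        print name "\t" $NF
    }'
}

# Print "<resource> +<delta>" for each resource whose Denied value is higher in
# the second capture than in the first. A delta between two samples means the
# limit is being hit right now; a large but static Denied total is history.
denied_delta() {   # $1 = earlier capture, $2 = later capture
    before=$(mktemp) && after=$(mktemp)
    printf '%s\n' "$1" | denied_counters > "$before"
    printf '%s\n' "$2" | denied_counters > "$after"
    awk -F '\t' '
        NR == FNR { prev[$1] = $2; next }
        ($1 in prev) && ($2 + 0) > (prev[$1] + 0) { print $1 " +" ($2 - prev[$1]) }
    ' "$before" "$after"
    rm -f "$before" "$after"
}

denied_delta "$BEFORE" "$AFTER"    # prints: ssl-connections rate +405
```

In practice the two captures would come from the ACE CLI a few seconds apart; feeding them to denied_delta from a cron job and alerting on any output is enough to know the licensed TPS is being exceeded and clients are being refused, before users report it.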
Similar Messages
-
ACE20 SSL-connection rate performance
Hello,
One of our customers is challenging our ACE20 module's ssl-connection rate performance. During a load test performed against our web portals, they concluded that the ACE module showed signs of severe performance degradation when the number of new ssl-connections hit 40.
While I disagree with that conclusion, I find it somewhat difficult to disprove it. Nothing on the ACE module suggests any ssl-resource depletion; the highest recorded ssl-connection rate is 677 tps and the license permits 10k. The context is currently sized to 4k. I've gone through numerous troubleshooting steps, trying to locate anything that would suggest a problem with the module, but so far nothing has turned up.
I've been given somewhat conflicting information about what the ssl-connection rate resource actually represents. Some say it represents the total number of new ssl-connections per second; others say it represents ssl-transaction capacity as a whole, which among other things would include ssl-handshakes. Regardless, 40 in my opinion seems way too low and is very inconsistent with the general load on our modules, which often climbs into the hundreds.
So I'm looking for suggestions on how to conduct a simple ssl/tps test against the ACE modules. The test is expected to be very basic, as I'm not looking to test the web portal end-to-end, but simply to do an ssl-tps performance test.
Any help will do
Thanks
/Ulrich
-
I am testing the 4710 for load balancing between 2 web servers. I have the HTTP portion working just fine but would like to get some input on the SSL portion.
We have a section of our site that requires user login and the whole session is https from when they login and when they are browsing through our site.
My questions are within the design aspects. Would this best be designed using SSL offloading and then using clear text from the ACE to the web servers? Also, what would the differences be with configuring ssl offloading with stickiness if configured with http server load balancing on the same server farm versus creating a new server farm just for https? Would end-to-end ssl be best in this scenario?
Description of the web application usage:
Users log in and their whole session is https. Users will be filling out forms, inputting data, registering for events and uploading some files.
Okay, so that makes sense to me now. When the client requests an HTTPS page and the ACE terminates the connection, the ACE uses SSL rewrite/redirect to send the request back to the client so that the client still maintains the SSL connection. Otherwise it will request an HTTP page instead of the HTTPS page.
Am I correct?
-
ACE 4710 SSL server LB with stickiness
I will be replacing 11500 CSS which are not doing SSL termination, just load-balancing SSL sessions terminated on servers with ACE 4710.
On their CSS config, they were doing SSL-sticky. I understand the 4710 doesn't support SSL sticky, but can perform the same function by parsing the HTTP header. Has anyone done this config before and know where/how to parse the header to look for the SSL session# and stick connections to same server?
THANKS!
In ACE 2.x code, GPP (Generic Protocol Parsing) was introduced, which enables the ACE to look into the Layer 4 payload. That is how this stickiness is achieved.
details at
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/sticky.html#wp1133923
I don't think it's currently available on the ACE appliance yet.
Syed
-
CSS11503/ACE 4710 - SSL session id cache
I have a couple of questions.
1. I'd like to know what happens when the SSL session id cache (def 10k) gets filled on a CSS11503. Do new connections get dropped or do they still work but are they less efficient?
2. What is the cache size on an ACE4710?
The problem was caused by an incorrect NAT pool. The correct mask was 255.255.255.0.
-
ACE 4710 send Connection:Close when should be Keep-Alive
After user request to front end http to 10.85.10.4 (default 80) after a port redirect and action list header rewrite
header rewrite request host header-value http://10[.]85[.]10[.]4 replace http://10.85.10.67:84/jde/E1Menu.maf%1
I see the request go out (wireshark) to the back-end javaserver but in the Connection it's close not keepalive:
GET /jde/E1Menu.maf HTTP/1.1
Connection: Close
Host:10.85.10.67:84
After the GET from the ACE the jserver replies with the JDE login screen but the ACE ignores it?
Try enabling persistence rebalance in an HTTP parameter-map.
Also, your rewrite rule is wrong; you have been mistaken regarding the role of the Host field, I guess. What you are trying to configure is a URL rewrite, but that is not supported by the ACE.
-
Ace 4710 SSL Proxy TLS (Beast) Mitigation
Has anyone heard if there is an upgrade path to mitigate this recent tls1.0 and sslv3 exploit?
Thanks
Darren
Hi Darren,
I haven't seen any official Cisco comment about this yet.
Also our customers are asking for updates on this security advisory....
Edwin
-
All physical interfaces on ACE 4710 share the same MAC address. Also, VIP addresses share the same MAC address. ACE 4710 is connected to a switch. How is the switch supposed to know which interface to send the packet to if it is doing layer2 switching.
Thank you in advance for the explanation.
You can't put 2 interfaces in the same vlan:
switch/Admin(config-if)# switchport access vlan 20
vlan 20 is associated with GigabitEthernet 1/3.
switch/Admin(config-if)#
So, the L2 switch will have an entry for the mac-address in each vlan and this entry can point to different interfaces.
Gilles.
-
SSL Termination in ACE 4710 not working
Hi,
I have configured a new ACE 4710 with only a single context to redirect https traffic to http real servers using SSL Termination. When I do a telnet on port 443 or 80 to the VIP it works fine, but when I try to open the URL it prompts me to accept the certificate, then it tries to find and establish a connection to the URL but eventually dies out, giving a "Page cannot be displayed" error. I have done some troubleshooting and found that the connection to the VIP on port 443 is Established but the outbound connection from the real server to the client remains in the INIT state. I am attaching the configs and all the troubleshooting data I have collected. Please, someone help.
Yes, the "server pkt count" for the "class: VIP_HTTPD_Redirect" is not incrementing, and yes, the servers do not have their default gateway towards the ACE. So, as suggested, I have configured a default route in the servers towards the ACE interface vlan IP address. Still the server packet count is not incrementing. I am posting the updated configuration of the ACE as an attachment. Please help.
-
ACE 4710 Can not confirm http cookie sticky connections
We are using a ACE 4710 with A3(2.6) software release.
I had to change our sticky load balancing method for HTTPS to cookie based.
However, while connections appear to work, if I look at the sho sticky database table I cannot see or confirm sticky entries for the cookie-based connections.
Here are config snippets to show the config:
sticky http-cookie ghh-www scook-ghh
cookie insert browser-expire
serverfarm ghh-www-443
class-map match-all ghh-www-443_CLASS
2 match virtual-address 172.16.1.21 tcp eq https
class-map type http loadbalance match-any ghh-www-443_CLASSURL
2 match http url [.]*
policy-map type loadbalance first-match ghh-sticky-443_POLICY
class class-default
sticky-serverfarm scook-ghh
policy-map multi-match POLICY
class ghh-www-443_CLASS
loadbalance vip inservice
loadbalance policy ghh-sticky-443_POLICY
loadbalance vip icmp-reply active
appl-parameter http advanced-options CASE_PARAM
Another point: please check whether your servers are listening only for HTTPS traffic or also for HTTP traffic:
In the first case the ACE will have to decrypt the traffic from the client, inspect the HTTP header to take the load-balancing decision, and then re-encrypt it and send it to the server.
In the second case the ACE would have to decrypt the traffic from the client, inspect the HTTP header to take the load-balancing decision, and send it out unencrypted to the server.
The second solution would have the benefit of being easier to configure and of requiring fewer resources both on the ACE (only decryption to be performed) and on the servers (no need for SSL operations at all there), but it might be that your company or business sector has requirements under which this traffic should never flow unencrypted, in which case you would have to go for the first solution.
Here you have a config example for the first solution:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
I would not expect you to have to pay extra for importing the cert and keypair into the ACE; it would be just a copy. However, as Alex said, that may still depend on the license agreement with the CA.
Cheers,
Francesco
-
ACE 4710 - show stats connection questions
Hi,
I have three questions regarding the "show stats connection" command in the ACE 4710:
1. What is the criteria for a connection to be added to the "Total Connections Failed" counter?
2. What is the criteria for a connection to be added to the "Total Connections Timed-out" counter?
3. Is there a command to get more information why the connection was failed or timed-out (e.g. to/from which IP, url accessed etc.)?
Thanks in advance for your help!
Best regards,
Harry
Harry,
A connection failed if the server did not respond or responded with a RST.
As long as the connection gets established, it is counted as a success.
The connection timeout counter is incremented when the connection is idle for the configured timeout value or, for L7 connections, if it does not complete the 3-way handshake within the embryonic timeout interval.
Since it is clear why those counters are incrementing, the only way to get more information is to capture a sniffer trace to verify whether the conditions above are met.
Gilles.
-
ACE 4710 Connectivity help?
I'm using an ACE 4710 in a new datacenter, with the following setup:
2/4 physical ethernet interfaces port channeled into port-channel 1
2/4 physical ethernet interfaces port channeled into port-channel 2
I have the following vlans defined:
1001 - admin - interface ip: 10.53.136.70
400 - client side - interface ip: 10.53.136.100
500 - server side - interface ip: 192.168.128.1
999 - fault tolerance - interface ip: 192.168.11.2
My problem is I am trying to nat ssh and web server traffic from the client side, to the server side, but it's never getting to the server. For example, if I ssh to 10.53.136.102, it times out. (10.53.136.102 should get nat'd to 192.168.128.2)
Also, I can connect to the ACE 4710 via telnet using 10.53.136.70, but cannot connect to 10.53.136.100.
I'm thinking there is either something wrong with the port-channels, or the access lists. On the other hand there could be something wrong with the nat'ing, but I had it working before switching over to the port-channels.
Any thoughts?
Thanks,
Brent
I've attached the two contexts which we are using. The admin context is new_lb_config.txt and the second context where the load balancing occurs is in the new_lb_config_VC_WBPX.txt file.
From the load balancer, I am able to ping the real server ips in the 192.168. ip range. The 4710 recognizes that they are in service.
I believe the ACL for the VLAN 400 is set to permit all traffic, but I don't know if the service policies are preventing something from happening.
Right now, I have disconnected the two 4710s and I am only working on one of them to see if I can get the basic connectivity going. Once I accomplish that, I will work on high availability. I'll have to check whether it thinks it is in passive mode...not entirely sure how to do that, but I will check it out.
Thanks,
Brent
-
SSL Certificates Update Error in ACE 4710
Hi,
I am facing a problem while updating the SSL certificates in ACE 4710. Our certificate is expired and we have purchased a new certificate from CA. Moreover the common name of the certificate is also changed.
I tried importing the certificate to the repository and changed the SSL proxy likewise to use the new certificate, but still the new certificate with the new CN is not recognised by the clients; they can see the old certificate only. I even tried deleting and creating a new SSL proxy service with the new cert and attaching it to the policy map,
but still the new certificate is not used, even after a reboot.
Attaching screenshots and running config. Any help will be appreciated.
BR//Rajiv
Ravi,
Here are the procedures for updating your certificate on the ACE.
1) Create New RSA Key
2) Create CSR
3) Send CSR to CA authority for a new certificate
4) Import Certificate into the ACE
5) Change the ssl-proxy to use the new Certificate and Key
6) Remove the SSL-Proxy from the policy map and reapply
Now, if you created the CSR on a different box, you will need to import both the RSA key and the certificate. Another thing you should be aware of is a possible change in the root and intermediate certificates that are used by the CA. In your configuration, you have
crypto chaingroup iotms-chain-gr-1
cert inter-root-new
Are these the correct certificates for your cert? If so, it seems odd that there is only one certificate in the chaingroup. Most CAs use an intermediate and a root certificate.
Verify that you have the correct chaingroup (with the correct root and intermediate certificates).
-
ACE 4710 in failover - ssl offload, cert for second ACE
Hi,
I'm testing two ACE 4710 appliances that should work in active/standby mode and do ssl offload in bridged mode.
At the moment I have configured one of the devices to do basic load balancing (without ssl offload).
Now I would like to move further and configure ssl offload and configure High availability.
I read that the certificate for SSL can be locally generated on the ACE device, but I couldn't find any information regarding the cert that should be used on the second ACE.
Should I generate a new cert on the standby unit or somehow use the one on the first ACE?
Is it better to first set up high availability and then configure ssl offload or vice versa?
Does anyone have a config example of ssl offload and active/standby configuration?
Thank you in advance.
You simply need to generate keys & CSR on the primary ACE. Export the keys from the primary ACE, import these keys to the standby ACE, and once you receive the certs from the CA simply import the cert to both ACEs.
Following are the steps to achieve that.
On primary ACE:
1. create RSA Keys
crypto generate key 2048 app1.key
2. Create CSR & send it to CA
ace/Admin(config)# crypto csr-params app1-csr
ace/Admin(config-csr-params)# common-name www.app1.com
ace/Admin(config-csr-params)# country US
ace/Admin(config-csr-params)# email [email protected]
ace/Admin(config-csr-params)# locality xyz
ace/Admin(config-csr-params)# organization-name xyz
ace/Admin(config-csr-params)# organization-unit xyz
ace/Admin(config-csr-params)# state CA
ace/Admin(config-csr-params)# serial-number 1234
ace/Admin(config-csr-params)# end
ace/Admin(config)# crypto generate csr app1-csr app1.key
(copy the result to a file)
4. Import certificate received from CA
crypto import terminal app1.cert
(paste the content of the cert)
5. verify the cert & keys match
crypto verify app1.key app1.cert
6. Export the keys from Active
crypto export app1.key
(copy the result to a file)
ON Standby ACE:
1. Import the keys
crypto import terminal app1.key
2. Import the cert
crypto import terminal app1.cert
3. Verify the cert & keys match
crypto verify app1.key app1.cert
Hope this helps
Syed
-
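An added example, not Syed's procedure or Cisco's code, that reproduces the key, CSR and verify steps above with openssl on a workstation, so the key/certificate pair and its chain can be checked before anything is imported into either ACE. It also covers the point from the certificate-update thread above, that a chaingroup needs the intermediate as well as the root. Everything under the work directory is constructed: the root and intermediate CA stand in for the real CA, and the subject fields are the placeholder values used in the crypto csr-params block (www.app1.com, US, CA, xyz).

```shell
#!/bin/sh
# Added example, not Syed's procedure or Cisco's code: the same key / CSR /
# verify steps done with openssl on a workstation, so the key-certificate pair
# and the chain are checked before "crypto import" on either ACE.
# Everything under $WORK is constructed: the root and intermediate CA stand in
# for the real CA, and the subject fields are the placeholder values used in
# the crypto csr-params block of the thread.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Steps 1 and 2: RSA key plus CSR. $1 = work dir, $2 = file base name, $3 = CN.
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=US/ST=CA/L=xyz/O=xyz/OU=xyz/CN=$3" 2>/dev/null
}

# Constructed CA: a self-signed root and an intermediate signed by it, mirroring
# the inter + root pair most CAs return with the server certificate.
make_test_ca() {   # $1 = work dir
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
        -keyout "$1/root.key" -out "$1/root.crt" -subj "/CN=constructed-root" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    make_key_and_csr "$1" inter constructed-intermediate
    openssl x509 -req -in "$1/inter.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$1/ca.ext" -out "$1/inter.crt" 2>/dev/null
}

# Step 3 as the CA would do it (constructed): issue the server cert from the CSR.
sign_with_intermediate() {   # $1 = work dir, $2 = file base name
    printf 'basicConstraints=critical,CA:FALSE\n' > "$1/leaf.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/inter.crt" -CAkey "$1/inter.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$1/leaf.ext" -out "$1/$2.cert" 2>/dev/null
}

# Step 5, the equivalent of "crypto verify app1.key app1.cert": the public key
# derived from the private key must be identical to the one inside the cert.
key_matches_cert() {   # $1 = key file, $2 = cert file; prints match|mismatch
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ] && echo match || echo mismatch
}

# Chaingroup check: the server cert must verify up to the root *through* the
# intermediate. Pass "" as $2 to see what a chaingroup holding only the root
# gives a client.
chain_verifies() {   # $1 = root, $2 = intermediate or "", $3 = server cert; prints ok|fail
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 && echo ok || echo fail
    fi
}

make_test_ca "$WORK"
make_key_and_csr "$WORK" app1 www.app1.com
sign_with_intermediate "$WORK" app1
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null   # unrelated key, for the negative case

echo "app1.key / app1.cert:  $(key_matches_cert "$WORK/app1.key" "$WORK/app1.cert")"
echo "other.key / app1.cert: $(key_matches_cert "$WORK/other.key" "$WORK/app1.cert")"
echo "chain root+inter:      $(chain_verifies "$WORK/root.crt" "$WORK/inter.crt" "$WORK/app1.cert")"
echo "chain root only:       $(chain_verifies "$WORK/root.crt" "" "$WORK/app1.cert")"
```

Run as a plain script; it prints match, mismatch, ok and fail in that order. The mismatch line is what you get when the key exported from the primary and the cert imported on the standby do not belong together, and the final fail line is what a client is left with when the chaingroup carries the root but not the intermediate that actually signed the server certificate.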
High Connections within Ace 4710
Is this normal to have millions of current connections within an ace 4710? There is only 3 current connections but shows a high number?
Thanks!!
TAC is claiming a bug.
Reference hitting bug ID: CSCtq39716