ACE 4710 & SSL Offloading
I'm testing the 4710 for load balancing between 2 web servers. I have the HTTP portion working just fine but would like to get some input on the SSL portion.
We have a section of our site that requires user login, and the whole session is HTTPS from when they log in and while they are browsing through our site.
My questions are within the design aspects. Would this best be designed using SSL offloading and then using clear text from the ACE to the web servers? Also, what would the differences be with configuring ssl offloading with stickiness if configured with http server load balancing on the same server farm versus creating a new server farm just for https? Would end-to-end ssl be best in this scenario?
Description of the web application usage:
Users log in and their whole session is https. Users will be filling out forms, inputting data, registering for events and uploading some files.
Okay so that makes sense to me now. When the client requests an HTTPS page and the ACE terminates the connection, the ACE uses SSL rewrite/redirect to send the request back to the client so that the client still maintains the SSL connection. Otherwise it will request an HTTP page instead of the HTTPS page.
Am I correct?
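The rewrite step described in the reply above, as an added example that is not code from the thread or from Cisco: when the offloader terminates TLS, the real server only ever sees HTTP, so any redirect it issues points at http://. Without rewriting the Location header the browser would follow that redirect and silently drop back to clear text for the rest of the session. The host name www.app1.com is taken from elsewhere on this page; the port values are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed values: the public host served by the VIP and the clear/SSL
# port pair the rewrite maps between (assumptions, not from the thread).
REWRITE_HOST = "www.app1.com"
CLEAR_PORT = 80
SSL_PORT = 443


def rewrite_location(location, host=REWRITE_HOST, clear_port=CLEAR_PORT, ssl_port=SSL_PORT):
    """Return the Location value the client should receive after TLS has been
    terminated in front of the server.

    Only absolute http:// URLs for our own host on the clear port are touched.
    Relative redirects are resolved by the browser against the https:// URL it
    requested, and redirects to other hosts are not ours to change.
    """
    parts = urlsplit(location)
    if parts.scheme != "http" or parts.hostname != host:
        return location
    port = parts.port or clear_port
    if port != clear_port:
        return location  # a non-standard clear port is not the one we remap
    netloc = host if ssl_port == 443 else f"{host}:{ssl_port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def rewrite_response_headers(headers, **kwargs):
    """Apply rewrite_location to every Location header in a list of
    (name, value) tuples, as a reverse proxy would on the response path."""
    return [
        (name, rewrite_location(value, **kwargs) if name.lower() == "location" else value)
        for name, value in headers
    ]


if __name__ == "__main__":
    # Constructed response headers from a server that knows nothing about TLS.
    sample = [("Location", "http://www.app1.com/account/?tab=1"), ("Content-Length", "0")]
    print(rewrite_response_headers(sample))
```

The check on the port matters in practice: a server redirecting to an http:// URL on some other clear port is usually a different service, and blindly switching its scheme would break that redirect rather than secure it.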
Similar Messages
-
ACE 4710 SSL server LB with stickiness
I will be replacing 11500 CSSs, which are not doing SSL termination, just load-balancing SSL sessions terminated on the servers, with ACE 4710s.
On their CSS config, they were doing SSL-sticky. I understand the 4710 doesn't support SSL sticky, but can perform the same function by parsing the HTTP header. Has anyone done this config before and know where/how to parse the header to look for the SSL session# and stick connections to same server?
THANKS!
In ACE 2.x code, GPP (Generic Protocol Parsing) was introduced, which enables the ACE to look into the Layer 4 payload. This is how this stickiness is achieved.
details at
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/sticky.html#wp1133923
I don't think it's currently available on the ACE appliance yet.
Syed -
ACE Appliance SSL Offload: IE 7 / and other browser issues
I'm using a pair of ACEs to offload SSL from our web sites. I'm using the server reuse function on the ACE. I have the SSL certificates working, in that you can connect to the site using SSL and the certs check out, etc.
The problem is: some of our customers are experiencing issues, particularly in IE7, where they will get partial page loads. I have reproduced it, and what I see is that the page never seems to finish loading. When I sniff the outside stream I see resets coming back from the server side (i.e. the ACE). Anyone have any thoughts? Or things to look at?
Thanks,
Geoff
Further information: I turned off server reuse and the problem diminished. There are still some long pauses in page updates, but that could be server wait times. So, does anyone have any idea how I can tune server reuse, or check what might be causing this issue?
-Geoff -
CSS11503/ACE 4710 - SSL session id cache
I have a couple of questions.
1. I'd like to know what happens when the SSL session id cache (def 10k) gets filled on a CSS11503. Do new connections get dropped or do they still work but are they less efficient?
2. What is the cache size on an ACE 4710?
The problem was caused by an incorrect NAT pool. The correct mask was 255.255.255.0.
-
What exactly happens when the SSL connection rate is exceeded? Is the connection dropped, queued, or what?
Defined as the SSL TPS. In our case 1000, but upgradeable to 5000.
Hi,
The connection will be denied once the SSL connection rate is exceeded.
That can be identified by using the command :
show resource usage all
You will see something like this :
Resource                 Current   Peak   Min   Max     Denied
ssl-connections rate     995       1000   0     1000    28975
You will notice that the deny counter will start increasing once the rate is exceeded.
Hope that helps.
regards,
Ajay Kumar -
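A way to turn the reply above into a check that runs on its own, as an added example that is not from the thread or from Cisco: parse the `show resource usage` table, keep the Denied counter from the previous sample, and alert when it has grown (clients were refused in between) or when Current is already close to the licensed Max (the next burst will be refused). The sample tables below are constructed in the format shown in the reply; the numbers are made up.

```python
from typing import Dict, List, NamedTuple


class ResourceUsage(NamedTuple):
    current: int
    peak: int
    minimum: int
    maximum: int
    denied: int


def parse_resource_usage(output: str) -> Dict[str, ResourceUsage]:
    """Parse the table printed by 'show resource usage'.

    Only rows whose last five fields are integers are taken, which skips the
    header and any banner lines. Resource names may contain spaces
    ("ssl-connections rate"), so the name is everything before the counters.
    """
    usage: Dict[str, ResourceUsage] = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not all(f.isdigit() for f in fields[-5:]):
            continue
        name = " ".join(fields[:-5])
        usage[name] = ResourceUsage(*(int(f) for f in fields[-5:]))
    return usage


def ssl_tps_alerts(previous: Dict[str, ResourceUsage], current: Dict[str, ResourceUsage],
                   resource: str = "ssl-connections rate", headroom: float = 0.9) -> List[str]:
    """Compare two samples of the table taken some time apart.

    Growth of the Denied counter means SSL connections were refused in the
    interval; Current at or above `headroom` of Max means the limit is about
    to be hit again.
    """
    alerts: List[str] = []
    now = current.get(resource)
    if now is None:
        return [f"{resource}: not present in sample"]
    before = previous.get(resource)
    if before is not None and now.denied > before.denied:
        alerts.append(f"{resource}: {now.denied - before.denied} connections denied since last sample")
    if now.maximum and now.current >= headroom * now.maximum:
        pct = now.current / now.maximum
        alerts.append(f"{resource}: current {now.current} is at {pct:.0%} of licensed max {now.maximum}")
    return alerts


# Constructed samples (values made up) in the layout shown in the reply above.
SAMPLE_T0 = """\
Resource                 Current   Peak   Min   Max     Denied
conc-connections         1200      1500   0     100000  0
ssl-connections rate     640       1000   0     1000    28975
"""
SAMPLE_T1 = """\
Resource                 Current   Peak   Min   Max     Denied
conc-connections         1250      1500   0     100000  0
ssl-connections rate     995       1000   0     1000    29140
"""

if __name__ == "__main__":
    for alert in ssl_tps_alerts(parse_resource_usage(SAMPLE_T0), parse_resource_usage(SAMPLE_T1)):
        print(alert)
```

Polling the absolute Denied value is not enough on its own, because on a box that has been up for years it is always large; the delta between samples is what tells you whether refusals are happening now.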
Ace 4710 SSL Proxy TLS (Beast) Mitigation
Has anyone heard if there is an upgrade path to mitigate this recent tls1.0 and sslv3 exploit?
Thanks
Darren
Sent from Cisco Technical Support iPad App
Hi Darren,
I haven't seen any official Cisco comment about this yet.
Also our customers are asking for updates on this security advisory....
Edwin -
ACE 4710 in failover - ssl offload, cert for second ACE
Hi,
I'm testing two ACE 4710 appliances that should work in active/standby mode and do ssl offload in bridged mode.
At the moment I have configured one of the devices to do basic load balancing (without ssl offload).
Now I would like to move further and configure ssl offload and configure High availability.
I read that the certificate for SSL can be locally generated on the ACE device, but I couldn't find any information regarding the cert that should be used on the second ACE.
Should I generate a new cert on the standby unit, or somehow use the one on the first ACE?
Is it better to first set up high availability and then configure ssl offload or vice versa?
Does anyone have a config example of ssl offload and active/standby configuration?
Thank you in advance.
You simply need to generate keys & CSR on the primary ACE. Export the keys from the primary ACE, import these keys to the standby ACE, and once you receive the certs from the CA, simply import the cert to both ACEs.
Following are the steps to achieve that:
On the primary ACE:
1. create RSA Keys
crypto generate key 2048 app1.key
2. Create CSR & send it to CA
ace/Admin(config)# crypto csr-params app1-csr
ace/Admin(config-csr-params)# common-name www.app1.com
ace/Admin(config-csr-params)# country US
ace/Admin(config-csr-params)# email [email protected]
ace/Admin(config-csr-params)# locality xyz
ace/Admin(config-csr-params)# organization-name xyz
ace/Admin(config-csr-params)# organization-unit xyz
ace/Admin(config-csr-params)# state CA
ace/Admin(config-csr-params)# serial-number 1234
ace/Admin(config-csr-params)# end
ace/Admin(config)# crypto generate csr app1-csr app1.key
(copy the result to a file)
4. Import certificate received from CA
crypto import terminal app1.cert
(paste the content of the cert)
5. verify the cert & keys match
crypto verify app1.key app1.cert
6. Export the keys from Active
crypto export app1.key
(copy the result to a file)
On the standby ACE:
1. Import the keys
crypto import terminal app1.key
2. Import the cert
crypto import terminal app1.cert
3. Verify the cert & keys match
crypto verify app1.key app1.cert
Hope this helps
Syed -
Hi,
I need to configure SSL offloading so that users will send requests on port 443 while the ACE does SSL offload, so the servers will handle HTTP connections. My current config is as below (I haven't copied probe port80 here):
rserver server1:80
  ip add 192.168.1.1
  inservice
serverfarm secure-rediect-SF
  probe port80
  rserver server1:80
    inservice
class-map match-any secure-rediect-CM
  match virtual-address 10.10.1.1 tcp 80
policy-map type loadbalance first-match secure-rediect-PM
  class class-default
    sticky-serverfarm secure-rediect-SG
policy-map multi-match LBR-LB
  class secure-rediect-CM
    loadbalance vip inservice
    loadbalance policy secure-rediect-PM
    loadbalance vip icmp-reply
Could you help? How do I configure SSL offloading? What is required to configure it?
Hello Gavin,
Here you have some additional examples which might help you out:
Admin# sh crypto files
Filename          File   File  Expor  Key/
                  Size   Type  table  Cert
cert-test         2088   PEM   Yes    CERT
key-test          1675   PEM   Yes    KEY
# crypto verify key-test cert-test
Keypair in key-test matches certificate in cert-test
Admin(config)# crypto chaingroup my-chaingroup
Admin(config-chaingroup)# cert my-root
Admin(config-chaingroup)# cert my-intermediate
ACE-M2/Admin(config-chaingroup)# exit
Admin# sh crypto chaingroup all
chaingroup muflas contains:
my-root
my-intermediate
(config)# ssl-proxy service my-ssl-proxy
Admin(config-ssl-proxy)# chaingroup my-chaingroup
Admin(config-ssl-proxy)# cert cert-test
Admin(config-ssl-proxy)# key key-test
Admin(config-ssl-proxy)# end
Then finally, your configuration should look like this:
interface vlan 100
  ip address 10.198.16.75 255.255.255.192
  access-group input Allow_Access
  nat-pool 1 10.198.16.103 10.198.16.103 netmask 255.255.255.192 pat
  service-policy input MGMT
  service-policy input my-multimatch
  no shutdown
policy-map multi-match my-multimatch
  class vip
    loadbalance vip inservice
    loadbalance policy http
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 100
  class ssl
    loadbalance vip inservice
    loadbalance policy http
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 100
    ssl-proxy server my-ssl-proxy
class-map match-all ssl
  2 match virtual-address 10.198.16.103 tcp eq https
class-map match-all vip
  10 match virtual-address 10.198.16.103 tcp eq www
policy-map type loadbalance http first-match http
  class class-default
    serverfarm http
serverfarm host http
  rserver 1-80 80
    inservice
  rserver 2-80 80
    inservice
rserver host 1-80
  ip address 10.198.16.99
  inservice
rserver host 2-80
  ip address 10.198.16.100
  inservice
ssl-proxy service my-ssl-proxy
  key key-test
  cert cert-test
  chaingroup my-chaingroup
Hope this helps!!! -
ACE SSL offloading troubleshooting
Hi All,
I need help with troubleshooting ACE SSL offloading. Can anybody post the link to find the commands for troubleshooting?
Regards,
Thiyagu
Hi Thiyagu,
Have a read of the following link. What is the issue you are seeing?
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_--_Troubleshooting_SSL#Troubleshooting_ACE_SSL
Regards Craig -
SSL Certificates Update Error in ACE 4710
Hi,
I am facing a problem while updating the SSL certificates in ACE 4710. Our certificate is expired and we have purchased a new certificate from CA. Moreover the common name of the certificate is also changed.
I tried importing the certificate to the repository and changed the SSL proxy accordingly to use the new certificate, but still the new certificate with the new CN is not recognised by the clients; they can see the old certificate only. I even tried deleting and creating a new SSL proxy service with the new cert and attaching it to the policy map,
but still the new certificate is not used, even after a reboot.
Attaching screenshots and running config. Any help will be appreciated.
BR//Rajiv
Ravi,
Here are the procedures for updating your certificate on the ACE.
1) Create New RSA Key
2) Create CSR
3) Send CSR to CA authority for a new certificate
4) Import Certificate into the ACE
5) Change the ssl-proxy to use the new Certificate and Key
6) Remove the SSL-Proxy from the policy map and reapply
Now, if you created the CSR on a different box, you will need to import both the RSA key and the certificate. Another thing you should be aware of is a possible change in the root and intermediate certificates that are used by the CA. In your configuration, you have
crypto chaingroup iotms-chain-gr-1
cert inter-root-new
Are these the correct certificates for your cert? If so, it seems odd that there is only one certificate in the chaingroup. Most CAs use an intermediate and a root certificate.
Verify that you have the correct chaingroup (with the correct root and intermediate certificates). -
SSL Termination in ACE 4710 not working
Hi,
I have configured a new ACE 4710 with only a single context to redirect HTTPS traffic to HTTP real servers using SSL termination. When I do a telnet on port 443 or 80 to the VIP it works fine, but when I try to open the URL it prompts me to accept the certificate, then it tries to find and establish a connection to the URL but eventually dies out with a "Page cannot be displayed" error. I have done some troubleshooting and found that the connection to the VIP on port 443 is established, but the outbound connection from the real server to the client remains in the INIT state. I am attaching the configs and all the troubleshooting data I have collected. Please, someone help.
Yes, the "server pkt count" for "class: VIP_HTTPD_Redirect" is not incrementing, and yes, the servers do not have their default gateway towards the ACE. So, as suggested, I have configured a default route on the servers towards the ACE interface VLAN IP address. Still the server packet count is not incrementing. I am posting the updated configuration of the ACE as an attachment. Please help.
-
Cisco ACE SSL Offloading not working
Dear All,
I have configured SSL offloading on the ACE. When I tried to test it from the PC I found that:
1. When I try to test the SSL offloading via https://192.168.69.110 I can reach the main page on WEB1, but I can't open any virtual directory or any link inside this server (e.g. https://192.168.69.110/web).
Thanks,
Bader
Hello Mohammed,
The behavior which you are getting is totally expected, since you are NOT matching the URL.
Why don't you try this?
(config-cmap-http-lb)# class-map type http loadbalance match-all MATCH-URL
(config-cmap-http-lb)# match http url /.*
class-map type http loadbalance match-all MATCH-URL
  2 match http url /.*
Also you can try this one instead of the one above, since this one will be more specific:
class-map type http loadbalance match-all MATCH-URL
  2 match http url /web.*
policy-map type loadbalance first-match WEB-SERVERS-LB
  class MATCH-URL
    sticky-serverfarm Sticky-WEB-SERVERS
  class class-default
    sticky-serverfarm Sticky-WEB-SERVERS
Please mark it, if it fixes your issue.
Jorge -
Cisco ACE - Exempt HTTP URL from SSL Offloading
Hi,
I have a Cisco ACE module A2 (3.6). I am offloading the URL www.abc.com on the Cisco ACE. HTTP redirection to HTTPS is working, and over HTTPS I am able to browse the website perfectly. The real servers are redirecting some pages over HTTP. Due to page redirection from the web server I have to exempt one URL (http://www.abc.com/modules/docs/abc.aspx) from SSL offloading. Is it possible, or as a workaround do I have to rewrite the complete URL www.abc.com to the SSL port?
Your inputs highly appreciated.
Regards,
Hi Masif,
In case you have not gotten assistance with this one, you just need to specify the specific URL and match it on top of the loadbalance policy that is already doing the redirection.
class-map type http loadbalance match-any No-Redirect
  2 match http url /docs/abc.aspx
policy-map type loadbalance first-match ABC
  class No-Redirect
    serverfarm HTTP-Servers
  class class-default
    serverfarm Redirect
Hope this helps.
Pablo -
ACE 4710 - Gracefully Shutting Down a Server
Hi,
Recently I had to stop an RServer to allow for software upgrades. I entered a no inservice command in the rserver config and all the connections on the serverfarm disappeared. I thought the no inservice should allow existing connections to finish. Is there another way of taking a server out of service?
We are running on an ACE 4710 version A3(2.5). We offload SSL on the ACE and use sticky connections using cookie insert
Thanks for your help
Hi,
To gracefully shutdown use the "no inservice" on the rserver within the serverfarm rather than on the rserver definition.
HTH
Cathy -
ACE 4710 - Parameters Lost in URL
Hi Everyone,
I have configured SSL offloading and redirection on a 4710 appliance. Everything works fine. The issue I am facing is that some parameters in url are getting lost.
I have https://%h/%p configured as a redirect server, which works fine as far as hostname and path are concerned, i.e. the full hostname and path are preserved, but there are some parameters after the full path, in encrypted format, which are getting lost. I think a 307 redirect can resolve this issue, but the ACE does not support that.
Has anyone faced something similar? Any suggestions would be helpful.
Thanks.
Rehan
Hi,
See the snip of the config
parameter-map type ssl SSL-MAP
  session-cache timeout 600
parameter-map type http HTTP-MAP
  persistence-rebalance
rserver host E-SERVER01
  ip address X.X.X.Y
  inservice
rserver host E-SERVER02
  ip address X.X.X.Z
  inservice
rserver redirect E-SERVICE
  webhost-redirection https://%h/%p 302
  inservice
serverfarm host E-SERVERS
  rserver E-SERVER01 80
    inservice
  rserver E-SERVER02 80
    inservice
serverfarm redirect SF-RE-DIRECT
  rserver E-SERVICE
    inservice
class-map match-any E-WEB-HTTP
  2 match virtual-address X.X.X.15 tcp eq www
class-map match-any E-WEB-HTTPS
  3 match virtual-address X.X.X.15 tcp eq https
sticky ip-netmask 255.255.255.255 address source WEB-STICKY
  replicate sticky
  serverfarm E-SERVERS
policy-map type loadbalance first-match PM-E-WEB
  class class-default
    sticky-serverfarm WEB-STICKY
    insert-http ClientProtocol header-value "https"
policy-map type loadbalance first-match PM-REDIRECT
  class class-default
    serverfarm SF-RE-DIRECT
policy-map multi-match SLB-POLICY
  class E-WEB-HTTPS
    loadbalance vip inservice
    loadbalance policy PM-E-WEB
    loadbalance vip icmp-reply
    appl-parameter http advanced-options HTTP-MAP
    ssl-proxy server SSL-MAP
  class E-WEB-HTTP
    loadbalance vip inservice
    loadbalance policy PM-REDIRECT
    loadbalance vip icmp-reply
    appl-parameter http advanced-options HTTP-MAP
@Jorge: The device has many policies and has been running for a few years, therefore the show stats http command will not be of much help, as we may see other traffic statistics/errors. If you're looking for max parse length errors, then that's not happening. The URL length is not that long. Let me know if there is anything specific you want me to check.
@Cesar: I will check, but as per the information I have, there are some parameters after the complete path "/" which are the hash value of an authentication request. Basically what is happening is that when the user goes to the page, the user needs to enter credentials. Once the user clicks submit, the page just reloads instead of going to the requested URL.
Thanks for your support,
Rehan
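Two points from this thread that are easier to see in running code, as an added example that is not from the thread or from Cisco. First, the redirect: a host-plus-path template such as https://%h/%p necessarily drops everything after the "?", which is the parameter loss Rehan describes; a redirect built from the full request target keeps it. Second, the `insert-http ClientProtocol header-value "https"` line in the config: the application behind the offloader can use that header to learn that the client's session is HTTPS, but only when the request really came through the offloader, because anyone who can reach the server's port 80 directly can send the same header. The offloader address, host name and paths below are constructed; the WSGI wrapper is a hypothetical stand-in for whatever framework the application uses.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed: the address(es) from which the offloader connects to the real
# servers. Only requests from these peers may carry a trusted ClientProtocol.
TRUSTED_OFFLOADER_ADDRS = frozenset({"10.0.0.2"})


def https_redirect_location(host, request_target, keep_query=True):
    """Build the Location for a clear-text to HTTPS redirect.

    request_target is the path as it appears in the request line, e.g.
    "/login?token=abc". keep_query=False reproduces what a host-plus-path
    template (https://%h/%p) produces: everything after '?' is gone.
    """
    parts = urlsplit(request_target)
    query = parts.query if keep_query else ""
    return urlunsplit(("https", host, parts.path, query, ""))


def effective_scheme(environ, trusted=TRUSTED_OFFLOADER_ADDRS):
    """Decide whether the application should treat a request as HTTPS.

    The offloader inserts ClientProtocol after terminating TLS, but on the
    wire it is ordinary request data. It is honoured only when the TCP peer
    is the offloader; otherwise the scheme the server itself saw is used.
    """
    claimed = environ.get("HTTP_CLIENTPROTOCOL", "").strip().lower()
    if environ.get("REMOTE_ADDR") in trusted and claimed in ("http", "https"):
        return claimed
    return environ.get("wsgi.url_scheme", "http")


def secure_session_middleware(app, trusted=TRUSTED_OFFLOADER_ADDRS):
    """WSGI wrapper (hypothetical): set wsgi.url_scheme from the trusted
    header so the app's own redirect and cookie logic sees the real scheme,
    and send any request that is still clear-text to HTTPS with its query
    string intact."""
    def wrapped(environ, start_response):
        scheme = effective_scheme(environ, trusted)
        environ["wsgi.url_scheme"] = scheme
        if scheme != "https":
            target = environ.get("PATH_INFO", "/") or "/"
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            location = https_redirect_location(environ["HTTP_HOST"], target)
            start_response("302 Found", [("Location", location), ("Content-Length", "0")])
            return [b""]
        return app(environ, start_response)
    return wrapped


if __name__ == "__main__":
    # Constructed request line target with a signed parameter after the path.
    print(https_redirect_location("www.abc.com", "/login?sig=abc123"))
    print(https_redirect_location("www.abc.com", "/login?sig=abc123", keep_query=False))
```

If the offloader reaches the servers through a NAT pool, as in the other configs on this page, the trusted set is that pool's address range rather than the VIP; a request arriving from any other source is treated as clear text no matter what header it carries.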