ACE 4710 & SSL Offloading

I am testing the 4710 for load balancing between 2 web servers. I have the HTTP portion working just fine but would like to get some input on the SSL portion.
We have a section of our site that requires user login and the whole session is https from when they login and when they are browsing through our site.
My questions are within the design aspects. Would this best be designed using SSL offloading and then using clear text from the ACE to the web servers? Also, what would the differences be with configuring ssl offloading with stickiness if configured with http server load balancing on the same server farm versus creating a new server farm just for https? Would end-to-end ssl be best in this scenario?
Description of the web application usage:
Users log in and their whole session is https. Users will be filling out forms, inputting data, registering for events and uploading some files.

Okay so that makes sense to me now. When the client requests an HTTPS page and the ACE terminates the connection, the ACE uses SSL rewrite/redirect to send the request back to the client so that the client still maintains the SSL connection. Otherwise it will request an HTTP page instead of the HTTPS page.
Am I correct?
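The design being discussed (terminate SSL on the ACE, forward clear text to the web servers) leaves the backend with no direct evidence that the client's leg was HTTPS; later in this thread a config inserts a "ClientProtocol: https" header for exactly that purpose. The following added example (not code from this thread or from Cisco) shows how a backend should consume such a header: honour it only when the request arrived from the offloader's address, strip it otherwise, and derive the cookie's Secure flag from the result. The header name is taken from the thread's config; the load balancer address 192.0.2.10 is a constructed placeholder.

```python
import ipaddress
from http.cookies import SimpleCookie

# Constructed values: the header name matches the "insert-http ClientProtocol"
# line quoted in this thread; the offloader address is a TEST-NET placeholder.
OFFLOAD_HEADER = "ClientProtocol"
TRUSTED_OFFLOADERS = [ipaddress.ip_network("192.0.2.10/32")]


def _get_header(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def from_trusted_offloader(peer_ip, trusted=TRUSTED_OFFLOADERS):
    """True if the TCP peer that delivered this request is one of our load balancers."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in trusted)


def effective_scheme(headers, peer_ip, trusted=TRUSTED_OFFLOADERS):
    """Decide whether the client's leg of the connection was HTTPS.

    The backend only ever sees clear-text HTTP from the ACE, so the only evidence
    of the client's scheme is the inserted header.  It is honoured only when the
    request came from a trusted offloader; from any other peer the same header is
    treated as forged and the request is considered plain HTTP.
    """
    value = _get_header(headers, OFFLOAD_HEADER).strip().lower()
    if from_trusted_offloader(peer_ip, trusted) and value == "https":
        return "https"
    return "http"


def sanitize_inbound_headers(headers, peer_ip, trusted=TRUSTED_OFFLOADERS):
    """Drop the offload header when it did not come from a trusted offloader,
    so nothing downstream can be fooled by a client-supplied copy."""
    if from_trusted_offloader(peer_ip, trusted):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != OFFLOAD_HEADER.lower()}


def session_cookie_header(session_id, scheme):
    """Build a Set-Cookie value.  A session issued over an offloaded HTTPS
    connection must not be replayable over plain HTTP, so the Secure attribute
    is set exactly when effective_scheme() reported https."""
    cookie = SimpleCookie()
    cookie["SESSION"] = session_id
    cookie["SESSION"]["httponly"] = True
    cookie["SESSION"]["path"] = "/"
    if scheme == "https":
        cookie["SESSION"]["secure"] = True
    return cookie.output(header="").strip()


if __name__ == "__main__":
    # Request relayed by the ACE after SSL termination (constructed)
    lb_req = {"Host": "www.app1.com", "ClientProtocol": "https"}
    print(effective_scheme(lb_req, "192.0.2.10"))      # https
    # Same header presented directly by an untrusted peer on the clear-text VLAN
    print(effective_scheme(lb_req, "198.51.100.7"))    # http
    print(session_cookie_header("abc123", "https"))
```

The address check matters because, with clear text between the ACE and the servers, anyone who can reach the server VLAN directly could present the header themselves; restricting the clear-text VLAN to the ACE's NAT pool address is the network-side half of the same control.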

Similar Messages

  • ACE 4710 SSL server LB with stickiness

    I will be replacing 11500 CSS which are not doing SSL termination, just load-balancing SSL sessions terminated on servers with ACE 4710.
    On their CSS config, they were doing SSL-sticky. I understand the 4710 doesn't support SSL sticky, but can perform the same function by parsing the HTTP header. Has anyone done this config before and know where/how to parse the header to look for the SSL session# and stick connections to same server?
    THANKS!

    In ACE 2.x code GPP (Generic Protocol Parsing) was introduced, which enables ACE to look into the Layer 4 payload. That is how this stickiness is achieved.
    details at
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/sticky.html#wp1133923
    I don't think it's currently available on the ACE appliance yet.
    Syed

  • ACE Appliance SSL Offload: IE 7 / and other browser issues

    I'm using a pair of ACEs to offload SSL from our web sites. I'm using the server reuse function on the ACE. I have the SSL certificates working, in that you can connect to the site using SSL and the certs check out, etc.
    The problem is: some of our customers are experiencing issues, particularly in IE7, where they will get partial page loads. I have reproduced it, and what I see is that the page never seems to finish loading. When I sniff the outside stream I see resets coming back from the server side (i.e. the ACE). Anyone have any thoughts? Or things to look at?
    Thanks,
    Geoff

    Further information: I turned off server reuse and the problem diminished. There are still some long pauses in page updates, but that could be server wait times. So does anyone have any idea how I can tune server-reuse, or check what might be causing this issue?
    -Geoff

  • CSS11503/ACE 4710 - SSL session id cache

    I have a couple of questions.
    1. I'd like to know what happens when the SSL session id cache (def 10k) gets filled on a CSS11503. Do new connections get dropped or do they still work but are they less efficient?
    2. What is the cache size on an ACE4710?

    The problem was caused by an incorrect nat pool. Correct mask was 255.255.255.0.

  • ACE 4710 SSL connection rate

    What exactly happens when the SSL connection rate is exceeded? Is the connection dropped, queued, or what?
    Defined as the SSL TPS. In our case 1000 but upgradeable to 5000

    Hi,
    The connection will be denied once the SSL connection rate is exceeded.
    That can be identified by using the command:
    show resource usage all
    You will see something like this:
            Resource         Current       Peak        Min        Max       Denied
    ssl-connections rate        995       1000          0       1000     28975
    You will notice that the deny counter will start increasing once the rate is exceeded.
    Hope that helps.
    Regards,
    Ajay Kumar
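Since the reply above identifies the Denied column as the signal that the SSL TPS limit is being hit, an operator will want to watch it rather than eyeball it. The following added example (my own code, not from the thread or from Cisco) parses two snapshots of that output and reports whether the rate has reached its maximum and by how much the denied counter grew between them. The snapshots are constructed to match the column layout quoted above; the numbers are made up.

```python
import re

# Constructed snapshots of "show resource usage all" output, modelled on the
# excerpt in the reply above.  The layout matches; the numbers are made up.
SNAPSHOT_BEFORE = """\
        Resource         Current       Peak        Min        Max       Denied
ssl-connections rate        995       1000          0       1000     28975
conc-connections           1200      20000          0      50000         0
"""

SNAPSHOT_AFTER = """\
        Resource         Current       Peak        Min        Max       Denied
ssl-connections rate       1000       1000          0       1000     29310
conc-connections           1250      20000          0      50000         0
"""

# One data row: a lower-case resource name (optionally followed by " rate"),
# then the five integer columns.  The header row starts with a capital and is skipped.
ROW_RE = re.compile(
    r"^(?P<name>[a-z][a-z0-9-]*(?: rate)?)\s+"
    r"(?P<current>\d+)\s+(?P<peak>\d+)\s+(?P<min>\d+)\s+(?P<max>\d+)\s+(?P<denied>\d+)$"
)


def parse_resource_usage(text):
    """Return {resource_name: {column: int}} for every data row in the output."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[m["name"]] = {c: int(m[c]) for c in ("current", "peak", "min", "max", "denied")}
    return rows


def at_limit(row):
    """True when the current value has reached the configured maximum."""
    return row["current"] >= row["max"]


def denied_delta(before, after, resource="ssl-connections rate"):
    """How many more connections were denied between two parsed snapshots."""
    return after[resource]["denied"] - before[resource]["denied"]


def ssl_rate_findings(before_text, after_text, resource="ssl-connections rate"):
    """Turn two raw snapshots into alert-style findings a monitoring job could emit."""
    before = parse_resource_usage(before_text)
    after = parse_resource_usage(after_text)
    if resource not in after:
        return [f"{resource}: not present in output"]
    findings = []
    row = after[resource]
    if at_limit(row):
        findings.append(f"{resource}: current {row['current']} has reached max {row['max']}")
    if resource in before:
        delta = denied_delta(before, after, resource)
        if delta > 0:
            findings.append(f"{resource}: denied counter grew by {delta} (now {row['denied']})")
    return findings


if __name__ == "__main__":
    for finding in ssl_rate_findings(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(finding)
```

A growing Denied counter with Current pinned at Max is the licensed-TPS ceiling being hit; the same parser works for the other rows of the table, so the same job can watch concurrent-connection limits as well.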

  • Ace 4710 SSL Proxy TLS (Beast) Mitigation

    Has anyone heard if there is an upgrade path to mitigate this recent tls1.0 and sslv3 exploit?
    Thanks
    Darren
    Sent from Cisco Technical Support iPad App

    Hi Darren,
    I haven't seen any official Cisco comment about this yet.
    Also, our customers are asking for updates on this security advisory.
    Edwin

  • ACE 4710 in failover - ssl offload, cert for second ACE

    Hi,
    I'm testing two ACE 4710 appliances that should work in active/standby mode and do ssl offload in bridged mode.
    At the moment I have configured one of the devices to do basic load balancing (without ssl offload).
    Now I would like to move further and configure ssl offload and configure High availability.
    I read that the certificate for SSL can be locally generated on the ACE device, but I couldn't find any information regarding the cert that should be used on the second ACE.
    Should I generate a new cert on the standby unit or somehow use the one on the first ACE?
    Is it better to first set up high availability and then configure ssl offload or vice versa?
    Does anyone have a config example of ssl offload and active/standby configuration?
    Thank you in advance.

    You simply need to generate keys & CSR on the primary ACE. Export the keys from the primary ACE, import these keys to the standby ACE, and once you receive the certs from the CA simply import the cert to both ACEs.
    Following are the steps to achieve that:
    On primary Ace
    1. create RSA Keys
    crypto generate key 2048 app1.key
    2. Create CSR & send it to CA
    ace/Admin(config)# crypto csr-params app1-csr
    ace/Admin(config-csr-params)# common-name www.app1.com
    ace/Admin(config-csr-params)# country US
    ace/Admin(config-csr-params)# email [email protected]
    ace/Admin(config-csr-params)# locality xyz
    ace/Admin(config-csr-params)# organization-name xyz
    ace/Admin(config-csr-params)# organization-unit xyz
    ace/Admin(config-csr-params)# state CA
    ace/Admin(config-csr-params)# serial-number 1234
    ace/Admin(config-csr-params)# end
    ace/Admin(config)# crypto generate csr app1-csr app1.key
    (copy the result to a file)
    4. Import certificate received from CA
    crypto import terminal app1.cert
    (paste the contents of the cert)
    5. verify the cert & keys match
    crypto verify app1.key app1.cert
    6. Export the keys from Active
    crypto export app1.key
    (copy the result to a file)
    On Standby ACE:
    1. Import the keys
    crypto import terminal app1.key
    2. Import the cert
    crypto import terminal app1.cert
    3. Verify the cert & keys match
    crypto verify app1.key app1.cert
    Hope this helps
    Syed

  • ACE ssl offloading

    Hi,
    I need to configure SSL offloading so that the user will send the request on port 443 while the ACE does SSL offload, so the servers will handle the HTTP connection. My current config is as below (I haven't copied probe port80 here):
    rserver server1:80
    ip add 192.168.1.1
    inservice
    serverfarm secure-rediect-SF
      probe port80
      rserver server1:80
      inservice
    class-map match-any  secure-rediect-CM
      match virtual-address 10.10.1.1 tcp 80
    policy-map type loadbalance first-match  secure-rediect-PM
      class class-default
       sticky-serverfarm secure-rediect-SG
    policy-map multi-match LBR-LB
      class  secure-rediect-CM
       loadbalance vip inservice
       loadbalance policy secure-rediect-PM
       loadbalance vip icmp-reply
    Could you help? How do I configure SSL offloading, and what is required to configure it?

    Hello, Gavin
    Here you have some additional examples which might help you out:
    Admin# sh crypto files
    Filename                                 File  File    Expor      Key/
                                             Size  Type    table      Cert
    cert-test                                2088  PEM     Yes        CERT
    key-test                                 1675  PEM     Yes         KEY
    # crypto verify key-test cert-test
    Keypair in key-test matches certificate in cert-test
    Admin(config)# crypto chaingroup my-chaingroup
    Admin(config-chaingroup)# cert my-root
    Admin(config-chaingroup)# cert my-intermediate
    ACE-M2/Admin(config-chaingroup)# exit
    Admin# sh crypto chaingroup all
    chaingroup muflas contains:
    my-root
    my-intermediate
    (config)# ssl-proxy service my-ssl-proxy
    Admin(config-ssl-proxy)# chaingroup my-chaingroup
    Admin(config-ssl-proxy)# cert cert-test
    Admin(config-ssl-proxy)# key key-test 
    Admin(config-ssl-proxy)# end
    Then finally, your configuration should look like this:
    interface vlan 100
      ip address 10.198.16.75 255.255.255.192
      access-group input Allow_Access
      nat-pool 1 10.198.16.103 10.198.16.103 netmask 255.255.255.192 pat
      service-policy input MGMT
      service-policy input my-multimatch
      no shutdown
    policy-map multi-match my-multimatch
      class vip
        loadbalance vip inservice
        loadbalance policy http
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 100
    class ssl
        loadbalance vip inservice
        loadbalance policy http
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 100
        ssl-proxy server my-ssl-proxy
    class-map match-all ssl
      2 match virtual-address 10.198.16.103 tcp eq https
    class-map match-all vip
      10 match virtual-address 10.198.16.103 tcp eq www
    policy-map type loadbalance http first-match http
      class class-default
        serverfarm http
    serverfarm host http  
      rserver 1-80 80
        inservice
      rserver 2-80 80
        inservice
    rserver host 1-80
      ip address 10.198.16.99
      inservice
    rserver host 2-80
      ip address 10.198.16.100
      inservice
    ssl-proxy service my-ssl-proxy
      key key-test
      cert cert-test
      chaingroup my-chaingroup
    Hope this helps!!!

  • ACE SSL offloading troubleshooting

    Hi All,
    I need help troubleshooting ACE SSL offloading. Can anybody post the link to the commands for troubleshooting?
    Regards,
    Thiyagu

    Hi Thiyagu
    Have a read on the following link, what is the issue you are seeing?
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_--_Troubleshooting_SSL#Troubleshooting_ACE_SSL
    Regards Craig

  • SSL Certificates Update Error in ACE 4710

    Hi,
    I am facing a problem while updating the SSL certificates in ACE 4710. Our certificate is expired and we have purchased a new certificate from CA. Moreover the common name of the certificate is also changed.
    I tried importing the certificate to the repository and changing the SSL proxy likewise to use the new certificate, but still the new certificate with the new CN is not recognised by the clients. They can see the old certificate only. I even tried deleting and creating a new SSL proxy service with the new cert and attaching it to the policy map,
    but still the new certificate is not used, even after a reboot.
    Attaching screenshots and running config. Any help will be appreciated.
    BR//Rajiv

    Ravi,
    Here are the procedures for updating your certificate on the ACE.
    1) Create New RSA Key
    2) Create CSR
    3) Send CSR to CA authority for a new certificate
    4) Import Certificate into the ACE
    5) Change the ssl-proxy to use the new Certificate and Key
    6) Remove the SSL-Proxy from the policy map and reapply
    Now if you created the CSR on a different box, you will need to import both the RSA key and the certificate. Another thing you should be aware of is a possible change in the root and intermediate certificates that are used by the CA. In your configuration, you have
    crypto chaingroup iotms-chain-gr-1
      cert inter-root-new
    Are these the correct certificates for your cert? If so, it seems odd that there is only one certificate in the chaingroup. Most CAs use an intermediate and a root certificate.
    Verify that you have the correct chaingroup (with the correct root and intermediate certificates).

  • SSL Termination in ACE 4710 not working

    Hi,
    I have configured a new ACE 4710 with only a single context to redirect HTTPS traffic to HTTP real servers using SSL termination. When I do a telnet on port 443 or 80 to the VIP it works fine, but when I try to open the URL it prompts me to accept the certificate, then it tries to find and establish a connection to the URL but eventually dies out giving a "Page cannot be displayed" error. I have done some troubleshooting and found that the connection to the VIP on port 443 is ESTABLISHED but the outbound connection from the real server to the client remains in the INIT state. I am attaching the configs and all the troubleshooting data I have collected. Please, someone help.

    Yes, the "server pkt count" for the "class: VIP_HTTPD_Redirect" is not incrementing, and yes, the servers do not have the default gateway towards the ACE. So as suggested I have configured a default route in the servers towards the ACE interface vlan IP address. Still the server packet count is not incrementing. I am posting the updated configuration of the ACE as an attachment. Please help.

  • Cisco ACE SSL Offloading not working

    Dear All,
    I have configured SSL offloading on the ACE. When I tried to test it from the PC I found that:
    1. When I try to test the SSL offloading by (https://192.168.69.110) I can reach the main page on WEB1, but I can't open any virtual directory or any link inside this server (ex: https://192.168.69.110/web).
    Thanks,
    Bader

    Hello Mohammed,
    The behavior which you are getting is totally expected since you are NOT matching the url.
    Why don't you try this?
    (config-cmap-http-lb)# class-map type http loadbalance match-all MATCH-URL
    (config-cmap-http-lb)# match http url /.*
    class-map type http loadbalance match-all MATCH-URL
      2 match http url /.*
    Also you can try this one instead of the one above, since this one will be more specific:
    class-map type http loadbalance match-all MATCH-URL
      2 match http url /web.*
    policy-map type loadbalance first-match WEB-SERVERS-LB
    class MATCH-URL
        sticky-serverfarm Sticky-WEB-SERVERS
    class class-default
        sticky-serverfarm Sticky-WEB-SERVERS
    Please mark it, if it fixes your issue.
    Jorge

  • Cisco ACE - Exempt HTTP URL from SSL Offloading

    Hi,
    I have a Cisco ACE module A2 (3.6). I am offloading the URL www.abc.com on the Cisco ACE. HTTP redirection to HTTPS is working, and over HTTPS I am able to browse the website perfectly. The real servers are redirecting some pages over HTTP. Due to the page redirection from the web server I have to exempt one URL (http://www.abc.com/modules/docs/abc.aspx) from SSL offloading. Is it possible, or as a workaround do I have to rewrite the complete URL www.abc.com to the SSL port?
    Your inputs highly appreciated.
    Regards,

    Hi Masif,
    In case you have not gotten assistance with this one, you just need to specify the specific URL and match it on top of the loadbalance policy that is already doing the redirection.
    class-map type http loadbalance match-any No-Redirect
      2 match http url /docs/abc.aspx
    policy-map type loadbalance first-match ABC
      class No-Redirect
        serverfarm HTTP-Servers
      class class-default
        serverfarm Redirect
    Hope this helps.
    Pablo 

  • ACE 4710 - Gracefully Shutting Down a Server

    Hi,
    Recently I had to stop an RServer to allow for software upgrades. I entered a no inservice command in the rserver config and all the connections on the serverfarm disappeared. I thought the no inservice should allow existing connections to finish. Is there another way of taking a server out of service?
    We are running on an ACE 4710 version A3(2.5). We offload SSL on the ACE and use sticky connections using cookie insert
    Thanks for your help

    Hi,
    To gracefully shutdown use the "no inservice" on the rserver within the serverfarm rather than on the rserver definition.
    HTH
    Cathy

  • ACE 4710 - Parameters Lost in URL

    Hi Everyone,
    I have configured SSL offloading and redirection on a 4710 appliance. Everything works fine. The issue I am facing is that some parameters in url are getting lost.
    I have https://%h/%p configured as a redirect server, which works fine as far as hostname and path are concerned, i.e. the full hostname and path are preserved, but there are some parameters after the full path in encrypted format which are getting lost. I think a 307 redirect can resolve this issue but ACE does not support that.
    Has anyone faced something similar? Any suggestions would be helpful.
    Thanks.
    Rehan

    Hi,
    See the snip of the config
    parameter-map type ssl SSL-MAP
      session-cache timeout 600
    parameter-map type http HTTP-MAP
      persistence-rebalance
    rserver host E-SERVER01
      ip address X.X.X.Y
      inservice
    rserver host E-SERVER02
      ip address X.X.X.Z
      inservice
    rserver redirect E-SERVICE
      webhost-redirection https://%h/%p 302
      inservice
    serverfarm host E-SERVERS
      rserver E-SERVER01 80
        inservice
      rserver E-SERVER02 80
        inservice
    serverfarm redirect SF-RE-DIRECT
      rserver E-SERVICE
        inservice
    class-map match-any E-WEB-HTTP
      2 match virtual-address X.X.X.15 tcp eq www
    class-map match-any E-WEB-HTTPS
      3 match virtual-address X.X.X.15 tcp eq https
    sticky ip-netmask 255.255.255.255 address source WEB-STICKY
      replicate sticky
      serverfarm E-SERVERS
    policy-map type loadbalance first-match PM-E-WEB
      class class-default
        sticky-serverfarm WEB-STICKY
        insert-http ClientProtocol header-value "https"
    policy-map type loadbalance first-match PM-REDIRECT
      class class-default
        serverfarm SF-RE-DIRECT
    policy-map multi-match SLB-POLICY
      class E-WEB-HTTPS
        loadbalance vip inservice
        loadbalance policy PM-E-WEB
        loadbalance vip icmp-reply
        appl-parameter http advanced-options HTTP-MAP
        ssl-proxy server SSL-MAP
      class E-WEB-HTTP
        loadbalance vip inservice
        loadbalance policy PM-REDIRECT
        loadbalance vip icmp-reply
        appl-parameter http advanced-options HTTP-MAP
    @Jorge: The device has many policies and has been running for a few years, therefore the show stats http command will not be of much help as we may see other traffic statistics/errors. If you're looking for max parse length errors then that's not happening. The URL length is not that long. Let me know if there is anything specific you want me to check.
    @Cesar: I will check, but as per the information I have there are some parameters after the complete path "/" which are a hash value of an authentication request. Basically, what is happening is that when the user goes to the page, the user needs to enter credentials. Once the user clicks submit the page just reloads, instead of going to the requested URL.
    Thanks for your support,
    Rehan
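The thread's redirect rule is webhost-redirection https://%h/%p 302, where %h is the requested host and %p the requested path, and the reported symptom is that the parameters after the path do not survive the hop to HTTPS. Whether %p carries the query string on a given ACE release is not settled in this thread, so the following added example (my own code, not from the thread or from Cisco) models both behaviours side by side: a redirect rebuilt from host and path only, and one that carries the query string across verbatim, plus a helper that reports which parameters were lost. The sample request URL is constructed.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Model of the two possible behaviours of an HTTP-to-HTTPS redirect.  This is an
# illustration of the failure mode, not a statement of how the ACE expands %p.


def redirect_host_path_only(request_url):
    """Redirect rebuilt from host and path alone, as https://%h/%p reads.
    Any port on the request is dropped: the HTTPS VIP listens on 443."""
    parts = urlsplit(request_url)
    return urlunsplit(("https", parts.hostname, parts.path, "", ""))


def redirect_preserve_query(request_url):
    """Same redirect, but the query string is carried across byte-for-byte.
    It is deliberately not decoded and re-encoded, so signed or hashed values
    (like the authentication parameters described above) arrive unchanged."""
    parts = urlsplit(request_url)
    return urlunsplit(("https", parts.hostname, parts.path, parts.query, ""))


def lost_parameters(request_url, redirect_url):
    """Which query parameters of the original request are missing or changed
    after the redirect.  Useful when comparing a captured request against the
    Location header the client actually received."""
    before = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    after = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    return {k: v for k, v in before.items() if after.get(k) != v}


if __name__ == "__main__":
    # Constructed request: a login page carrying an opaque session id and a
    # percent-encoded signature after the path.
    req = "http://www.example.com/login/auth.aspx?sid=8f3a9c&sig=ZmFrZQ%3D%3D"
    lossy = redirect_host_path_only(req)
    intact = redirect_preserve_query(req)
    print(lossy)                          # https://www.example.com/login/auth.aspx
    print(intact)                         # ...auth.aspx?sid=8f3a9c&sig=ZmFrZQ%3D%3D
    print(lost_parameters(req, lossy))    # {'sid': ['8f3a9c'], 'sig': ['ZmFrZQ==']}
    print(lost_parameters(req, intact))   # {}
```

Running lost_parameters over a captured request and the Location header the ACE returned is the quickest way to confirm whether the query string is being dropped at the redirect or somewhere else (for example by the application reloading the page on its own).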
