ACE HTTPS Termination

Hi guys,
First of all, I am a bit new to the ACE, so apologies if I am being too silly.
Basically I have around 10 URLs. What the ACE 4710 is doing is just forwarding everything to a couple of servers. What we want is basically for all requests that come in as https:// to have their SSL terminated on the ACE and be forwarded as HTTP to the servers.
Here is my current config.
rserver host server1
  ip address 192.168.152
  inservice
rserver host server2
  ip address 192.168.1.154
  inservice
class-map match-all https
  11 match virtual-address 172.168.132.1 tcp eq 443
policy-map type loadbalance first-match https
  class class-default
    serverfarm servers
nat dynamic 200 vlan 200 servers primary
policy-map multi-match policy
  class https
    loadbalance vip inservice
    loadbalance policy loadbalance
    loadbalance vip icmp-reply

Hi Oriel,
Here is a basic SSL configuration:
rserver host test
  ip address 10.198.16.98
  inservice
rserver host test2
  ip address 10.198.16.93
  inservice
serverfarm host test
  rserver test 80
    inservice
  rserver test2 80
    inservice
ssl-proxy service TEST
  key cert
  cert cert
class-map match-all VIPSSL
  2 match virtual-address 10.198.16.122 tcp eq https
policy-map type loadbalance first-match test
  class class-default
    serverfarm test
policy-map multi-match clients
  class VIPSSL
    loadbalance vip inservice
    loadbalance policy test
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 112
    ssl-proxy server TEST
interface vlan 112
  ip address 10.198.16.91 255.255.255.192
  access-group input Allow_Access
  nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
  service-policy input NSS_MGMT
  service-policy input clients
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.198.16.65
Cesar R
ANS Team

Similar Messages

  • ACE: HTTP followed by HTTPs/SSL termination, stickiness

    Dear Helpers,
    I'm trying to figure out the best sticky/persistence method for the following on the ACE:
    Client X ----(HTTP)--------------------------------------------ACE LB ---to----Server 1
    Client X -----(HTTPS)---ACE/SSL termination ------ACE LB ---to---- Server 1
    Both HTTP and HTTPS use the same VIP.
    The same client needs to stick/persist to the same server over both HTTP and HTTPS. HTTPS/SSL is terminated by the ACE.
    Could you point me to sample configurations for this requirement, please.
    Thank you
    SS

    Hi Gilles,
    thanks for the response. Sorry, I had gotten distracted with a bunch of other things and didn't get a chance to get back to this. Anyway, I can generate the 302 response in my web servers, except I need to turn it around to a different domain name. Now, assuming I use URL rewrite when I see this coming back from the web server, can I rewrite this to https and send it to the client? A few questions about this and the links you sent above about using the redirect service.
    a) Can I do a redirect to an https address, or does it only do http (considering I only saw example configs using www.domain.com/index.html-type redirects without specifying the protocol to use)?
    b) If not, then I use URL rewrite in conjunction with the 302 from the web servers. But for my SSL offload on a pair of CSSs using VIP and virtual interface redundancy, do I buy 2 SSL certs for the same domain name, or do I buy ONE (i.e. generate the key pair/CSR on the master CSS) and import the same RSA key and SSL cert received from the CA into both CSSs?
    c) Does the CSS handle a wildcard SSL cert without problems?
    Thanks again,
    \R

  • Cisco ACE SSL termination

    Hello friends,
    I need your help on Cisco ACE SSL termination.
    If I import the certificate and key (.PEM), where will these files be saved?
    Can we download the .PEM file any time we need it (for backup)?
    Suppose my .PEM gets hacked and the hacker is sniffing the data packets going to the web server; is it possible to decrypt the packets and see their exact contents?
    Regards,
    Naren

    Naren,
    1. In order to import certs and keys, please see the following link to the command reference. To summarize, any time you import/export/delete keys/certs, you do so via commands in Exec mode. Regarding how and where the ACE actually saves this information, I do not know the answer.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/execmds.html#wp1616651
    2. You can import a key as non-exportable if you do not want it to be able to be exported. If you import it as exportable, you can always export it later for backups or what not.
    3. You can decrypt captured HTTPS traffic if you have the private key.  It is important to limit access to it.  Please see this link for more info on using Wireshark to view decrypted HTTPS traffic: http://wiki.wireshark.org/SSL
    Hope this helps!
    Regards,
    Matt

  • ACE http/https redirect or rewrite

    Greetings,
    We have a setup that requires ACE http/https redirection or rewrite.
    A client connects to a secured web portal which has its SSL termination on the ACE.
    The web portal will send the client a redirect to another application. As the portal is unaware that the incoming client HTTPS request was terminated on the ACE,
    the client receives the redirect to an unsecured http URL rather than to the secured https URL.
    In this case, what would be best to use: ACE "rewrite" or "redirect"?
    Will the following example config for ACE "redirect" be sufficient to implement this?
    ssl-proxy service ssl-App-443-81
      key app1.test.com.key
      cert app1.test.com.cert
    rserver redirect App-secure-redirect
      webhost-redirection https://app1.test.com/Go/
      inservice
    serverfarm redirect App-secure-redirect-sf
      rserver App-secure-redirect
        inservice
    serverfarm host App-81-sf
      probe TCP81
      rserver proxy1 81
        inservice
      rserver proxy2 81
        inservice
    parameter-map type http http_param_map
      header modify per-request
    sticky http-cookie App-cookie App-sticky
      cookie insert
      replicate sticky
      serverfarm App-81-sf
    class-map match-any App-443-81-cm
      2 match virtual-address 10.10.10.112 tcp eq https
    class-map match-any App-81-cm
      2 match virtual-address 10.10.10.112 tcp eq 81
    class-map type http loadbalance App-secure-redirect-cm
      match http url http://app1.test.com:81/Go/
    policy-map type loadbalance http first-match App-rewrite-pm
      class App-secure-redirect-cm
        serverfarm App-secure-redirect-sf
    policy-map type loadbalance http first-match App-sticky-443-81-pm
      class class-default
        sticky-serverfarm App-sticky
    policy-map multi-match policy-inbound
      class App-81-cm
        loadbalance vip inservice
        loadbalance policy App-rewrite-pm
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
      class App-443-81-cm
        loadbalance vip inservice
        loadbalance policy App-sticky-443-81-pm
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        appl-parameter http advanced-options http_param_map
        ssl-proxy server ssl-App-443-81

    If you are offloading www.yoursite.com on the ACE and the back-end
    real servers are not SSL aware (they send URLs with http://), then with the
    following sample config you can instruct the ACE to rewrite such URLs (http -> https):
    class-map match-all VIP-443
      match virtual-address x.x.x.x tcp eq https
    action-list type modify http HTTP2HTTPS-REWRITE
      ssl url rewrite location www\.yoursite\.* sslport 443 clearport 80
    policy-map type loadbalance first-match YOUR-POLICY
      class class-default
        serverfarm YOUR-SFARM
        action HTTP2HTTPS-REWRITE
    policy-map multi-match YOUR-MULTI-MATCH-POLICY
      class VIP-443
        loadbalance vip inservice
        loadbalance policy YOUR-POLICY
        loadbalance vip icmp-reply active
        ssl-proxy server YOUR-SSL-SERVICE
    You need ACE 2.x+ on the ACE module and 3.x+ on the 4710 appliance for this feature.
    Syed Iftekhar Ahmed
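The Location rewrite described in the answer above, as an added example that is not part of the original thread and not Cisco's code: a Python emulation of what an `ssl url rewrite location <regex> sslport <n> clearport <m>` action does to a back-end redirect, so a host pattern can be checked against real Location values before it is applied to a VIP. The host names, the pattern `www\.yoursite\..*`, and the port-81 case taken from the question above are constructed, and anchoring the host regex at both ends is an assumption about how the ACE applies the pattern.

```python
"""Added example (not from the original thread): emulate the ACE
'ssl url rewrite location <regex> sslport <n> clearport <m>' action on the
Location header of a back-end response.  Hosts and URLs are constructed."""
import re
from urllib.parse import urlsplit, urlunsplit


def rewrite_location(location, host_regex, sslport=443, clearport=80):
    """Turn an http:// Location into https:// when its host matches
    host_regex and its port is the clear-text port the back end listens on.

    Returns (new_location, changed).  The host regex is anchored at both
    ends here, which is an assumption about how the ACE applies it."""
    parts = urlsplit(location)
    if parts.scheme.lower() != "http":
        return location, False           # already https, or a relative URL
    host = parts.hostname or ""
    port = parts.port or 80              # no explicit port means 80 for http
    if not re.fullmatch(host_regex, host, re.IGNORECASE):
        return location, False           # not one of the offloaded sites
    if port != clearport:
        return location, False           # some other back-end port: leave it
    netloc = host if sslport == 443 else f"{host}:{sslport}"
    new = urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return new, True


def rewrite_response(headers, host_regex, sslport=443, clearport=80):
    """Apply rewrite_location to every Location header in a list of
    (name, value) tuples, as the action list does per response."""
    out = []
    for name, value in headers:
        if name.lower() == "location":
            value, _ = rewrite_location(value, host_regex, sslport, clearport)
        out.append((name, value))
    return out


if __name__ == "__main__":
    # Constructed 302 from a back end that does not know SSL was terminated upstream
    headers = [("Location", "http://www.yoursite.com/Go/"),
               ("Set-Cookie", "App-cookie=abc; Path=/")]
    for name, value in rewrite_response(headers, r"www\.yoursite\..*"):
        print(f"{name}: {value}")
    # The question's port-81 application: clearport 81, still published on 443
    print(rewrite_location("http://app1.test.com:81/Go/", r"app1\.test\.com", 443, 81))
```

A Location that already uses https, a relative Location, a host that does not match the pattern, or a port other than the configured clearport is returned unchanged, so the function can be run over a captured list of redirects to see exactly which ones a given pattern would touch.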

  • CRM_UI Reporting - HTTPS Terminating at Web Dispatcher or SSL all the way

    Hi,
    We need to set up access to CRM_UI reports (leads and marketing mainly) in CRM 7.0 for vendors coming from the internet. The CRM server is in the internal network. In order for this to work I plan to set up the Web Dispatcher in the application DMZ. The initial login is going to be via the web DMZ layer (using Sun's iPlanet server), which then routes the CRM URL to the Web Dispatcher in the app DMZ and then from the Web Dispatcher to the CRM server.
    One requirement from our security team is to set up the flow as HTTPS.
    Going through SAP Help I get the impression that it can be set up two ways: one, configuring the Web Dispatcher to pass the SSL connection through to the back end, and two, configuring the Web Dispatcher to terminate SSL.
    The former seems quite straightforward (from SAP online help we have to set icm/server_port_<xx> = PROT=ROUTER), but does it also require that we set up the crm_ui_frame service as SSL and activate the HTTPS service in ICM?
    Or is it better to go with the second option (HTTPS termination) without changing the back-end setup? SAP online help lists the steps for HTTPS termination, but I have not come across any detailed documentation for the first method.
    Any thoughts or suggestions will be helpful for either scenario.
    Thanks,
    Rommel Bhan

    Thanks Martin, the document helped.
    Now the Web Dispatcher seems to talk to the HTTPS port on the back end.
    However, there is one issue I see in dev_webdisp and I was wondering if you have an insight.
    Based on the Web Dispatcher parameters, it is talking to ms_https_port 8533 of the back end:
    [Thr 773] Mon Feb 15 15:03:35 2010
    [Thr 773] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL
    [Thr 773] SecudeSSL_SessionStart: SSL_connect() failed --
    [Thr 773]   secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"
    [Thr 773] >> -
    Begin of Secude-SSL Errorstack -
    >>
    [Thr 773] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed
    [Thr 773] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE"
    [Thr 773] ERROR in get_path: (27/0x001b) Found root certificate of <CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot
    [Thr 773] ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=sapcms02.reinternal.com, OU=I0020210975, OU=SAP Web AS, O=SAP Trust Community, C=DE> which does not fit the given PKRoot
    [Thr 773] << -
    End of Secude-SSL Errorstack -
    [Thr 773]   SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"
    [Thr 773]   SSL NI-sock: local=10.104.146.81:62579  peer=10.104.146.81:8533
    [Thr 773] <<- ERROR: SapSSLSessionStart(sssl_hdl=110acb850)==SSSLERR_SSL_CONNECT
    [Thr 773] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 1911]
    [Thr 773] *** ERROR => IcmConnClientRqCreate() failed (rc=-14) [icrxx_mt.c   5976]
    [Thr 773] *** ERROR => Could not connect to SAP Message Server at sapcms02. URL=/msgserver/text/logon?version=1.2 [icrxx_mt.c   3289]
    [Thr 773] *** ERROR => rc=-1, HTTP response code: 0 [icrxx_mt.c   3290]
    [Thr 773] *** ERROR => see also SAP note 552286 [icrxx_mt.c   3291]
    My back end is set up with SSL and the Web Dispatcher is set to the following. Also, since the back end and the SAP Web Dispatcher are on the same host, using the same sidadm, the SSL files are in one location. I generated SAPSSLS.pse in the back end using STRUST.
    Accessibility of Message Servers
    rdisp/mshost = sapcms02
    ms/http_port = 8100
    ms/https_port = 8533
    wdisp/server_info_protocol = https
    SAP Web Dispatcher Ports
    icm/server_port_0 = PROT=ROUTER,PORT=60000
    icm/server_port_1 = PROT=HTTPS,PORT=0
    icm/server_port_2 = PROT=HTTP,PORT=8080 <-- web dispatcher admin port
    #SSL parameters similar to one in backend
    ssf/ssfapi_lib = /usr/sap/CMS/SYS/exe/run/libsapcrypto.o
    sec/libsapsecu = /usr/sap/CMS/SYS/exe/run/libsapcrypto.o
    ssf/name = SAPSECULIB
    ssl/ssl_lib = /usr/sap/CMS/SYS/exe/run/libsapcrypto.o
    ssl/server_pse=/usr/sap/CMS/DVEBMGS00/sec/SAPSSLS.pse
    ssl/client_pse=/usr/sap/CMS/DVEBMGS00/sec/SAPSSLC.pse

  • ACE HTTP Probe with regex

    Hi,
    I'm trying to set up an HTTP probe with an expected string rather than a code (config below). I do a GET for the page, then search for a string in the response; however it's not working, as the probe appears as failed.
    I've tested the connection to the server by telnetting and then looking at the page displayed, to make sure the string I want to match is in the response.
    probe http HTTP-PROBE
      port 43050
      interval 30
      passdetect interval 30
      passdetect count 1
      request method get url /action=help
      open 43050
      expect regex action=help
    Q. Is there anything wrong with this configuration and what I'm trying to achieve?
    Thanks,
    Pritesh

    Use "expect status" under the probe config; expect regex doesn't work if expect status is not configured.
    expect regex works flawlessly with static pages. It doesn't work all the time with dynamic pages,
    especially if the "content-length" header is missing from the server response.
    Hope it helps
    Syed Iftekhar Ahmed

  • HTTPS termination on ACE

    For internet applications, Cisco ACE is ideal for SSL offloading, e.g. for https://www.ebay.com. However, one of the drawbacks is that the intermediate ASA IPS and Content Security modules do not deliver their best, as they cannot scan HTTPS traffic.
    So what alternative would you suggest, instead of ACE, to be placed before the ASA, which could offload the SSL traffic and then forward it to the ASA for scanning by the Cisco IPS and content security (anti-X) modules?

    With the ASA-IPS solution the maximum throughput you get is 650 Mbps (if you are using an ASA 5540 with an SSM-40 card in it). The ACE appliance's throughput (1, 2, or 4 Gbps) is much more than that.
    I am not sure what your expected throughputs are, but when higher throughput is desired, ACE appliance + ASA IPS is not a scalable/valid solution.
    With higher throughput you need the ACE module (options: 16 Gbps, 8 Gbps, and 4 Gbps) and IPS 42xx appliances that give you up to 4 Gbps throughput.
    Again, the problem is that if the traffic is encrypted there is no way you can analyze the packets before they are decrypted. You need to decrypt it using an SSL offloader (like ACE), and only then will the IPS be able to analyze the data in the packets.
    HTH
    Syed Iftekhar Ahmed

  • ACE - HTTPS CLASS MAP CONFIGURATION

    Hi,
    We have a secured web site (HTTPS) currently fronted by a Cisco ACE 4710, running version A5(1.2). We are trying to use the http class map to manipulate the traffic flow in the following manner:
    https://abc.com/ABC/* -> serverfarm#1
    https://abc.com/* -> serverfarm#2           (Default)
    Technically this should not be difficult, and below is a sample of our configuration. We have a similar configuration working on our non-secured web site (HTTP). However, for the secure web site, the https request https://abc.com/ABC/xxx keeps being routed to serverfarm#2 instead of serverfarm#1, which is very frustrating.
    We can easily get this working on my F5 LTM within 5 minutes, but this Cisco ACE continues to frustrate me... I would appreciate it if any expert on Cisco ACE could help to advise on our configuration. Thanks.
    =========================================================
    serverfarm host serverfarm#1
      predictor leastconns
      probe https_probe
      rserver rs_server#1
        inservice
      rserver rs_server#2
        inservice
    serverfarm host serverfarm#2
      predictor leastconns
      probe https_probe
      rserver rs_server#3
        inservice
      rserver rs_server#4
        inservice
    sticky http-cookie STICKY_HTTPS_serverfarm#1
      cookie insert browser-expire
      timeout 15
      replicate sticky
      serverfarm serverfarm#1
    sticky http-cookie STICKY_HTTPS_serverfarm#2
      cookie insert browser-expire
      timeout 15
      replicate sticky
      serverfarm serverfarm#2
    class-map type http loadbalance match-any class-map-serverfarm#1
      2 match http url /ABC/.*
    policy-map type loadbalance first-match vs_serverfarm_https
      class class-map-serverfarm#1
        sticky-serverfarm STICKY_HTTPS_serverfarm#1
        insert-http x-forward header-value "%is"
        ssl-proxy client ssl_serverfarm
      class class-default
        sticky-serverfarm STICKY_HTTPS_serverfarm#2
        insert-http x-forward header-value "%is"
        ssl-proxy client ssl_serverfarm
    =========================================================

    Kanwaljeet,
    Yes, we are using the ACE for SSL termination, i.e. the front end is https and the back end is also https.
    We are doing end-to-end encryption, as our IT security and audit teams wanted end-to-end encryption between the client and the servers. The ACE should be able to look at the HTTP header on the front end, since the client SSL session is terminated on the ACE.
    Below is an extract of the configuration; I've left out the remaining configuration, which is not required.
    =========================================================
    serverfarm host serverfarm#1
      predictor leastconns
      probe https_probe
      rserver rs_server#1
        inservice
      rserver rs_server#2
        inservice
    serverfarm host serverfarm#2
      predictor leastconns
      probe https_probe
      rserver rs_server#3
        inservice
      rserver rs_server#4
        inservice
    sticky http-cookie STICKY_HTTPS_serverfarm#1
      cookie insert browser-expire
      timeout 15
      replicate sticky
      serverfarm serverfarm#1
    sticky http-cookie STICKY_HTTPS_serverfarm#2
      cookie insert browser-expire
      timeout 15
      replicate sticky
      serverfarm serverfarm#2
    class-map match-all vs_serverfarm
      2 match virtual-address 10.178.50.140 tcp eq https
    class-map type http loadbalance match-any class-map-serverfarm#1
      2 match http url /ABC/.*
    policy-map type loadbalance first-match vs_serverfarm_https
      class class-map-serverfarm#1
        sticky-serverfarm STICKY_HTTPS_serverfarm#1
        insert-http x-forward header-value "%is"
        ssl-proxy client ssl_serverfarm
      class class-default
        sticky-serverfarm STICKY_HTTPS_serverfarm#2
        insert-http x-forward header-value "%is"
        ssl-proxy client ssl_serverfarm
    policy-map multi-match PRODWEB_POLICY
      class vs_serverfarm
        loadbalance vip inservice
        loadbalance policy vs_serverfarm_https
        loadbalance vip icmp-reply active
        nat dynamic 100 vlan 100
        ssl-proxy server ssl_serverfarm
    =========================================================

  • Issue with ACE HTTP class map

    This is what I want to achieve using the ACE as a reverse proxy.
    A user uses the URL https://abc/password, gets to the destination server and sees the web page.
    If the user tries to use anything additional, then the connection is dropped at the ACE, for example
    https://abc/password/test or any such variation.
    Following is the config I have to achieve this
    class-map type http loadbalance match-any L7-CLASS-TEST
      match http url /password
      match http url /password/
    class-map type http loadbalance match-any L7-CLASS-TEST-deny
      2 match http url .*.*
    policy-map type loadbalance first-match LBP-TEST
      class L7-CLASS-TEST
        serverfarm FARM-TEST
        ssl-proxy client TEST
      class L7-CLASS-TEST-deny
        drop
      class class-default
        serverfarm FARM-TEST
        ssl-proxy client TEST
    The problem with this is that when the page opens I get broken links on all the images. If I use the following line
    match http url /password.*
    I get the images to work, but the user can use https://abc/password/test, which is not what I want.
    Has anyone faced this issue?
    Any help will be appreciated.
    Thanks in advance
    Prasanna

    Prasanna,
    What about if you try it in HTTP and apply the following change?
    class-map type http loadbalance match-any L7-CLASS-TEST-deny
      2 match http url /.*
    This should work in HTTP but not with HTTPS.
    Anyway, it should not work since everything seems to be encrypted; you may require either SSL termination or end-to-end SSL for this, so the ACE can decrypt the request, see what it needs to do and take the load-balancing decision.
    Jorge

  • ACE SSL Terminator doesn't work

    Hi,
    I need to implement HTTP load balancing and, for HTTPS, an SSL terminator on my ACE.
    Public IP 22.235.121.6 port 80 --> balanced to 192.168.250.165-166 on port 8889
    Public IP 22.235.121.6 port 443 --> my ACE terminates SSL and balances the traffic in clear text to 192.168.250.165-166 on port 8889
    This is the configuration:
    probe http EXAMPLE_IT_HTTP
      port 8889
      interval 5
      faildetect 2
      passdetect interval 10
      passdetect count 2
      request method get url /probe/probe.html
      expect status 200 206
      expect status 300 307
      open 1
    serverfarm host example_IT_HTTP
      failaction reassign across-interface
      predictor leastconns
      probe example_IT_HTTP
      fail-on-all
      rserver H-192.168.250.165 8889
        inservice
      rserver H-192.168.250.166 8889
        inservice
    serverfarm host example_IT_HTTPS-HTTP
      failaction reassign across-interface
      predictor leastconns
      probe example_IT_HTTP
      fail-on-all
      rserver H-192.168.250.165 8889
        inservice
      rserver H-192.168.250.166 8889
        inservice
    sticky ip-netmask 255.255.255.255 address both example-IT-HTTPS-HTTP
      timeout 60
      replicate sticky
      serverfarm example_IT_HTTPS-HTTP
    ssl-proxy service SSL_example_IT
      key example_it.key
      cert example_it.cert
      chaingroup SSL_CHAIN_example_IT
    crypto chaingroup SSL_CHAIN_example_IT
      cert example_it.ca
    class-map match-all example_IT_HTTP
      2 match virtual-address 22.235.121.6 tcp eq www
    class-map match-all example_IT_HTTPS-HTTP
      2 match virtual-address 22.235.121.6 tcp eq www
    policy-map type loadbalance first-match example_IT_HTTP-l7slb
      class class-default
        serverfarm example_IT_HTTP
    policy-map type loadbalance first-match example_IT_HTTPS-HTTP-l7slb
      class class-default
        sticky-serverfarm example-IT-HTTPS-HTTP
    policy-map multi-match int41
      class example_IT_HTTP
        loadbalance vip inservice
        loadbalance policy example_IT_HTTP-l7slb
        loadbalance vip icmp-reply active primary-inservice
      class example_IT_HTTPS-HTTP
        loadbalance vip inservice
        loadbalance policy example_IT_HTTPS-HTTP-l7slb
        loadbalance vip icmp-reply active primary-inservice
        ssl-proxy server SSL_example_IT
    The balancing on HTTP works properly, but the SSL termination doesn't work: when I try to connect from my client over HTTPS, I don't see any requests arriving on the servers 192.168.250.165-166.
    Some show output:
    balancer# sh crypto certificate all
    example_it.cert:
    Subject: /C=GB/ST=United Kingdom/L=London/O=XXXXXXXX/OU=XXXXXXXXX/CN=*.xxxx.com
    Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
    Not Before: Apr 11 00:00:00 2014 GMT
    Not After: Apr 12 23:59:59 2015 GMT
    CA Cert: FALSE
    example_it.ca:
    Subject: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    Not Before: Nov  8 00:00:00 2006 GMT
    Not After: Jul 16 23:59:59 2036 GMT
    CA Cert: TRUE
    balancer# sh crypto session
    SSL Session Cache Stats for Context
    Number of Client Sessions: 0
    Number of Server Sessions: 0
    balancer#
    balancer# sh crypto files
    Filename            File Size  File Type  Exportable  Key/Cert
    cisco-sample-cert   1082       PEM        Yes         CERT
    cisco-sample-key    887        PEM        Yes         KEY
    example_it.ca       7444       PEM        Yes         CERT
    example_it.cert     1812       PEM        Yes         CERT
    example_it.key      1675       PEM        Yes         KEY
    balancer#
    balancer# crypto verify example_it.key example_it.cert
    Keypair in example_it.key matches certificate in example_it.cert.
    balancer#
    show stats crypto client/server gives me all zeros.
    Can someone help me understand why it is not working?
    For further information please ask me.
    Thanks a lot

    Hi,
    The problem is here:
    class-map match-all example_IT_HTTPS-HTTP
      2 match virtual-address 22.235.121.6 tcp eq www
    You should change it to 443 instead of www, which means port 80.
    You will never match this class "example_IT_HTTPS-HTTP".
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.
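The mistake Kanwal points out above (an SSL VIP class matching `tcp eq www`, so the HTTPS class can never be hit) and the dangling references in the very first config on this page (`serverfarm servers` and `loadbalance policy loadbalance`, neither of which is defined) are the kind of thing a quick pass over the text of the config catches before anything is pushed to the box. The following is an added example, not code from the thread or from Cisco: a small lint over an ACE-style configuration that knows only the handful of keywords used on this page. The sample config at the bottom is constructed; its names and addresses are made up and the checks are assumptions about what a correct config must contain, not a statement of how the ACE parses its own configuration.

```python
"""Added example, not from the original thread: lint an ACE-style config for
the mistakes seen in this discussion.  SAMPLE is constructed; names and
addresses in it are made up."""
from collections import defaultdict

PORT_NAMES = {"www": 80, "http": 80, "https": 443}


def _port(tok):
    """Map 'www'/'https' or a number to an integer port (None if unknown)."""
    tok = tok.lower()
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)


def parse_ace(text):
    """Group lines into top-level blocks: [(header_tokens, [child_tokens, ...])].
    Any indented line is a child of the most recent unindented line."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        toks = raw.split()
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(toks)
        else:
            blocks.append((toks, []))
    return blocks


def lint_ace(text):
    """Return a list of findings (empty list means nothing suspicious)."""
    blocks = parse_ace(text)
    defined = defaultdict(set)   # kind -> set of names declared at top level
    vip_port = {}                # class-map name -> (vip, port)
    for hdr, body in blocks:
        kind, name = hdr[0], hdr[-1]
        if kind == "policy-map":
            kind += " multi-match" if "multi-match" in hdr else " loadbalance"
        if kind in ("serverfarm", "sticky", "ssl-proxy", "class-map",
                    "policy-map multi-match", "policy-map loadbalance"):
            defined[kind].add(name)
        if kind == "sticky":
            defined["serverfarm"].add(name)       # target of sticky-serverfarm
        if kind == "class-map":
            for c in body:
                c = c[1:] if c[0].isdigit() else c   # drop the sequence number
                if c[:2] == ["match", "virtual-address"] and "eq" in c:
                    vip_port[name] = (c[2], _port(c[c.index("eq") + 1]))

    findings = []
    # Two class-maps for the same VIP and port: only the first one listed in
    # the multi-match policy can ever be hit (the 'tcp eq www' twice mistake).
    seen = {}
    for name, key in vip_port.items():
        if key in seen:
            findings.append(f"class-maps {seen[key]} and {name} both match "
                            f"{key[0]} tcp port {key[1]}; the second can never match")
        seen.setdefault(key, name)

    for hdr, body in blocks:
        if hdr[0] != "policy-map":
            continue
        pname = hdr[-1]
        if "multi-match" in hdr:
            cur = None
            for c in body:
                if c[0] == "class":
                    cur = c[1]
                    if cur != "class-default" and cur not in defined["class-map"]:
                        findings.append(f"{pname}: class-map {cur} is not defined")
                elif c[:2] == ["loadbalance", "policy"] and c[2] not in defined["policy-map loadbalance"]:
                    findings.append(f"{pname}/class {cur}: loadbalance policy {c[2]} is not defined")
                elif c[:2] == ["ssl-proxy", "server"]:
                    if c[2] not in defined["ssl-proxy"]:
                        findings.append(f"{pname}/class {cur}: ssl-proxy service {c[2]} is not defined")
                    port = vip_port.get(cur, (None, None))[1]
                    if port is not None and port != 443:
                        findings.append(f"{pname}/class {cur}: ssl-proxy server {c[2]} is applied "
                                        f"to a VIP matching tcp port {port}, not 443; "
                                        "HTTPS clients will never reach it")
        else:
            for c in body:
                if c[0] in ("serverfarm", "sticky-serverfarm") and c[1] not in defined["serverfarm"]:
                    findings.append(f"{pname}: {c[0]} {c[1]} is not defined")
    return findings


# Constructed config carrying both mistakes discussed on this page.
SAMPLE = """\
serverfarm host web-8889
  rserver server1 8889
    inservice
ssl-proxy service SSL_example
  key example_it.key
  cert example_it.cert
class-map match-all vip-http
  2 match virtual-address 22.235.121.6 tcp eq www
class-map match-all vip-https
  2 match virtual-address 22.235.121.6 tcp eq www
policy-map type loadbalance first-match web-l7slb
  class class-default
    serverfarm web-8889
policy-map multi-match int41
  class vip-http
    loadbalance vip inservice
    loadbalance policy web-l7slb
  class vip-https
    loadbalance vip inservice
    loadbalance policy loadbalance
    ssl-proxy server SSL_example
"""
# The same config with the HTTPS class on 443 and the real policy name.
FIXED_SAMPLE = (SAMPLE.replace("tcp eq www\npolicy", "tcp eq https\npolicy")
                      .replace("policy loadbalance\n", "policy web-l7slb\n"))

if __name__ == "__main__":
    for f in lint_ace(SAMPLE):
        print("-", f)
    print("fixed config:", lint_ace(FIXED_SAMPLE) or "clean")
```

Run it over `show running-config` output saved to a file; the three findings it prints for SAMPLE are the duplicate VIP/port pair, the undefined loadbalance policy, and the SSL service attached to a port-80 class, and the corrected copy comes back clean.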

  • ACE - SSL Termination is not working

    HTTPS is not working from the official IE browser, but it is working from the test Firefox browser. However, HTTP is working with both IE and Firefox. This is true for multiple implementations on the ACE service module with SSL termination.
    ACE software 3.0(0)A1(4a)
    IE v6 SP3 Cipher 128
    Firefox v3.6.3
    Sample configuration:
    access-list FT ethertype permit bpdu
    access-list ALL-ACCESS extended permit icmp any any
    access-list ALL-ACCESS extended permit ip any any
    crypto chaingroup ROOT-CERT
      cert abc.PEM
      cert xyz.PEM
    parameter-map type ssl SSL-PARAMETER-1
      cipher RSA_WITH_RC4_128_MD5
      cipher RSA_WITH_RC4_128_SHA
      cipher RSA_WITH_AES_128_CBC_SHA priority 2
      cipher RSA_WITH_AES_256_CBC_SHA
      cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
    parameter-map type ssl SSL-PARAMETER-2
      cipher RSA_WITH_AES_128_CBC_SHA priority 2
    ssl-proxy service SSL-1
      key KEY-1.PEM
      cert CERT-1.PEM
      chaingroup ROOT-CERT
      ssl advanced-options SSL-PARAMETER-1
    ssl-proxy service SSL-2
      key KEY-1.PEM
      cert CERT-1.PEM
      chaingroup ROOT-CERT
      ssl advanced-options SSL-PARAMETER-2
    ssl-proxy service SSL-3
      key KEY-1.PEM
      cert CERT-1.PEM
      chaingroup ROOT-CERT
    rserver host server1
      ip address 10.100.15.89
      inservice
    rserver host server2
      ip address 10.100.15.121
      inservice
    probe http PROBE-1
      interval 30
      faildetect 2
      request method get url /keepalive.htm
      expect status 200 200
    serverfarm host SERVERFARM-1
      probe PROBE-1
      rserver server1 80
        inservice
      rserver server2 80
        inservice
    sticky ip-netmask 255.255.255.255 address both STICKY-1
      timeout 30
      replicate sticky
      serverfarm SERVERFARM-1
    class-map type management match-any REMOTE-ACCESS
      match protocol icmp any
      match protocol snmp any
      match protocol ssh any
      match protocol https any
    class-map match-all VIP-1
      match virtual-address 10.100.15.140 tcp eq https
    class-map match-all VIP-2
    match virtual-address 10.100.15.140 tcp eq www
    policy-map type management first-match REMOTE-ACCESS
      class REMOTE-ACCESS
        permit
    policy-map type loadbalance first-match POLICY-1
      class class-default
        sticky-serverfarm STICKY-1
    policy-map multi-match LB-1
      class VIP-1
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        loadbalance policy POLICY-1   
        ssl-proxy server SSL-1
    (I have tried with ssl-proxy server SSL-2 and ssl-proxy server SSL-3, but it did not help)
    policy-map multi-match LB-2
      class VIP-2
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        loadbalance policy POLICY-1
    interface vlan 15
      description client vlan
      bridge-group 15
      mac-sticky enable
      access-group input FT
      access-group input ALL-ACCESS
      access-group output ALL-ACCESS
      service-policy input REMOTE-ACCESS
      service-policy input LB-1
      service-policy input LB-2
      no shutdown
    interface vlan 2015
      description server vlan
      bridge-group 15
      mac-sticky enable
      access-group input FT
      access-group input ALL-ACCESS
      access-group output ALL-ACCESS
      service-policy input REMOTE-ACCESS
      no shutdown
    interface bvi 15
      description bridge group
      ip address 10.100.15.5 255.255.255.0
      peer ip address 10.100.15.6 255.255.255.0
      alias 10.100.15.4 255.255.255.0 
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.100.15.1
    Note: subnet, server names, certificate name and key name have been modified for security reasons.

    Hello,
    We will not be able to determine why your SSL terminated connections fail with only your config.  You may want to take a look at a similar thread where someone else was having problems with IE and SSL termination, but Firefox worked fine.  It also includes a solid action plan you can use to gather data needed to diagnose root cause.  That thread can be viewed at the following link:
    https://supportforums.cisco.com/thread/2025417?tstart=0
    Also, the ACE software you are running is extremely old now and very buggy.  I would strongly urge you to upgrade to A2(2.4) as soon as possible.  It will help you avoid some headaches as you move forward.
    Hope this helps,
    Sean

  • Ace HTTP Probe expect regex

    Hi,
    I have a question about the config of the ACE probe.
    I have the following probe defined:
    probe http P_HTTP_TEST
      interval 5
      passdetect interval 2
      passdetect count 2
      request method get url /test
      expect status 200 200
      expect regex trululu
    I would like to use the regex just like the expect string on the CSM probe...
    The regex doesn't seem to work, as the string trululu is not on the page tested.
    I guess the expect status overrides the regex, but without the expect status it doesn't work either.
    Does anyone know how exactly the probe expect works for HTTP?
    Another question: on the CSM module, the TCP probe by default uses the real's port for the probe, not the default port of the probe type. Is it possible to change that so it mimics the CSM way of working?
    Thanks a lot ;-)

    This seems to be a bug related to some versions of the ACE software, as the HTTP return code overrides a missing regexp. For sure this bug is present in:
    system:    Version A2(2.0) [build 3.0(0)A2(2.0)]
    Notice the difference between 192.168.1.1 (which is missing the regex in the HTTP response) and 192.168.1.2 (which sends the regexp in the HTTP response). Both are successful, and in addition 192.168.1.1 (missing regexp) shows last status code 200, which seems to be sufficient for the probe to pass. 192.168.1.2 (which sends the expected regexp) doesn't show a last status code.
    probe       : tw2_http_81
    type        : HTTP
    state       : ACTIVE
    description :
       port      : 81      address     : 0.0.0.0         addr type  : -
       interval  : 30      pass intvl  : 30              pass count : 1
       fail count: 1       recv timeout: 10
       http method      : GET
       http url         : /knowtw2-f/livelink.exe?func=ll&objtype=142&bypass
       conn termination : GRACEFUL
       expect offset    : 0         , open timeout     : 10
       expect regex     : lbmonitor
       send data        : -
                           --------------------- probe results --------------------
       probe association   probed-address  probes     failed     passed     health
       ------------------- ---------------+----------+----------+----------+-------
         real      : 192.168.1.1[81]
                           192.168.1.1    2          0          2          SUCCESS
       Socket state        : CLOSED
       No. Passed states   : 1         No. Failed states : 0
       No. Probes skipped  : 0         Last status code  : 200
       No. Out of Sockets  : 0         No. Internal error: 0
       Last disconnect err :  -
       Last probe time     : Mon Nov  7 12:38:42 2011
       Last fail time      : Never
       Last active time    : Mon Nov  7 12:38:22 2011
         real      : 192.168.1.2[81]
                           192.168.1.2    2          0          2          SUCCESS
       Socket state        : CLOSED
       No. Passed states   : 1         No. Failed states : 0
       No. Probes skipped  : 0         Last status code  : 0
       No. Out of Sockets  : 0         No. Internal error: 0
       Last disconnect err :  -
       Last probe time     : Mon Nov  7 12:38:27 2011
       Last fail time      : Never
       Last active time    : Mon Nov  7 12:37:58 2011

  • ACE HTTP probe hash md5 value

    Hi,
    We would like to see the hash value calculated by the ACE when the HTTP probe hash command is configured.
    This is possible on the CSS via the "sh service" command. We have tried to get it from sh rserver, sh probe XXX detail and sh serverfarm XXX det but we do not get it.
    Is this possible to get it on the ACE as we do on the CSS?
    We need this to manually configure it via the hash <value> command, because if the ACE probe is reset for any reason, the probe http hash will be re-calculated based on the first HTTP response of the server and we cannot predict that the server will give the expected web page at this time.
    A // question is: what is the md5 value calculated on? HTTP header + payload or only the HTTP object payload? We have calculated the md5 hash value ourselves but the probe is still failing whatever HTTP portion is used for the calculation.
    Many thanks for your help.
    Regards/ludovic.

    probe http MD5-HTTP
    interval 15
    passdetect interval 15
    request method get url /index.html
    expect status 200 200
    hash 2441DA7F68A265F8CFB4426B6897CE33
    And here is how I computed the hash on the server itself [linux machine]
    md5sum /var/www/HTML/index.html
    2441da7f68a265f8cfb4426b6897ce33 /var/www/HTML/index.html
    [root@linux-1 tftpboot]#
    The probe is UP
    switch/Admin# sho probe MD5-HTTP detail
    probe       : MD5-HTTP
    type        : HTTP
    state       : ACTIVE
    description :
       port      : 80      address     : 0.0.0.0         addr type  : -
       interval  : 15      pass intvl  : 15              pass count : 3
       fail count: 3       recv timeout: 10
       http method      : GET
       http url         : /index.html
       Hash-value       : 2441da7f68a265f8cfb4426b6897ce33
       conn termination : GRACEFUL
       expect offset    : 0         , open timeout     : 10
       expect regex     : -
       send data        : -
                           --------------------- probe results --------------------
       probe association   probed-address  probes     failed     passed     health
       ------------------- ---------------+----------+----------+----------+-------
       serverfarm  : linux1
         real      : linux1[0]
                           192.168.30.27  13         4          9          SUCCESS
    md5sum is a standard tool.
    Nothing fancy about it.
    Gilles.
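    The two probe threads above (expect status vs. expect regex, and what the MD5 hash probe digests) both come down to how a probe decides pass/fail from a raw HTTP response. The following is an added example written for this page, not ACE code and not Cisco's documented algorithm: it models a probe that passes only when the status code is in range AND every configured content check (regex on the body, MD5 of the body) succeeds, and it digests the body alone, on the assumption that hashing the headers would make a Date header change the digest on every response. The sample responses are constructed inline; `make_response`, `HttpProbe` and `evaluate` are names chosen here. Note that `md5sum` of the file on disk equals the body digest only if the server sends those bytes unchanged (no compression, no server-side templating).

```python
"""Pass/fail model for an HTTP health probe with expect status, expect regex
and an MD5 hash check (added example; assumed semantics, not ACE source)."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class HttpProbe:
    expect_status: Tuple[int, int] = (200, 200)  # like "expect status 200 200"
    expect_regex: Optional[str] = None           # like "expect regex lbmonitor"
    expect_hash: Optional[str] = None            # like "hash 2441DA..." (hex MD5)


def parse_response(raw: bytes) -> Tuple[int, bytes, bytes]:
    """Split a raw HTTP/1.x response into (status_code, head, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    return int(status_line.split()[1]), head, body


def body_md5(raw: bytes) -> str:
    """Digest over the response body only (the assumed probe behaviour)."""
    return hashlib.md5(parse_response(raw)[2]).hexdigest()


def full_md5(raw: bytes) -> str:
    """Digest over headers + body, shown only to contrast with body_md5."""
    return hashlib.md5(raw).hexdigest()


def evaluate(probe: HttpProbe, raw: bytes) -> Dict[str, Optional[bool]]:
    """Return each check's result; None means the check is not configured."""
    code, _, body = parse_response(raw)
    lo, hi = probe.expect_status
    checks: Dict[str, Optional[bool]] = {
        "status_ok": lo <= code <= hi,
        "regex_ok": (None if probe.expect_regex is None
                     else re.search(probe.expect_regex.encode(), body) is not None),
        # Hash compared case-insensitively: the config shows it upper-case,
        # "show probe detail" lower-case.
        "hash_ok": (None if probe.expect_hash is None
                    else hashlib.md5(body).hexdigest() == probe.expect_hash.lower()),
    }
    # Unconfigured checks are skipped; a configured check that fails fails the probe,
    # so a 200 alone never masks a missing regex or a wrong hash.
    checks["passed"] = all(v for v in checks.values() if v is not None)
    return checks


def make_response(body: bytes, status: bytes = b"200 OK",
                  date: bytes = b"Mon, 07 Nov 2011 12:38:42 GMT") -> bytes:
    """Constructed sample response (not captured from a real server)."""
    return (b"HTTP/1.1 " + status + b"\r\nDate: " + date +
            b"\r\nContent-Type: text/html\r\nContent-Length: " +
            str(len(body)).encode() + b"\r\n\r\n" + body)


MONITOR_PAGE = make_response(b"<html>lbmonitor ok</html>\n")   # contains the regex
DEFAULT_PAGE = make_response(b"<html>default page</html>\n")   # 200 but no regex


if __name__ == "__main__":
    print("monitor page:", evaluate(HttpProbe(expect_regex="lbmonitor"), MONITOR_PAGE))
    print("default page:", evaluate(HttpProbe(expect_regex="lbmonitor"), DEFAULT_PAGE))
    print("body md5:", body_md5(MONITOR_PAGE), "full md5:", full_md5(MONITOR_PAGE))
```

    Running it shows the default page reported as `status_ok` but `passed` False, which is the behaviour the first thread expected from the ACE, and the body digest staying constant across responses that differ only in their Date header while the whole-response digest does not.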

  • ACE:HTTPS rewrite issue

    Hi There,
    Client is working in front of 2 server farms behind the same ACE. Client is initiating an HTTPS session in front of server farm #1 while ACE is functioning as SSL termination. Client is clicking on one of the links in the web page and starts an HTTP or HTTPS session in front of server farm #2 to get some images. Server farm #2 does not know whether to get images over the HTTP or HTTPS session. Our developers ask me if I can insert any string when the client is initiating an HTTPS session in front of server farm #2. What is the best way to do it (if it is possible with an action-list)? And is it possible to insert it in the header?
    I hope this is clear. :-)
    Thanks,
    Reuven

    Yes, you just have to add a new field in the HTTP headers; be sure to configure the rewrite to be performed on all headers if you're not using persistence rebalance.
    Then the application guys just have to parse the tag and the job is done.

  • ACE http health probes - best practice for interval and passdetect interval?

    Hi,
    Is there a recommended standard for http health probes in terms of interval and passdetect interval timings, i.e. should the passdetect interval always be less than the interval or vice versa? Can a http probe be 'mis-configured', i.e. return a 'false positive' by configuring an interval timeout that's 'incompatible' with the device it's polling?
    I have a http probe for a serverfarm consisting of two Apache http servers and get intermittent 'server reply timeout' probe failures. I'm keen to ensure that the configuration of the probe isn't at fault so I can be confident that a failed probe indicates a problem with the server and not my configuration.
    The probe is currently configured as below:-
    probe http http-apache
      interval 30
      passdetect interval 15
      passdetect count 6
      request method get url /cs/images/ACE.html
      expect status 200 304
    Any advice on the subject would be gratefully received.
    thanks
    Matthew

    Hi Gilles,
    Thanks for the advice. In another discussion (found here https://supportforums.cisco.com/message/462397#462397) a poster has stated that:-
    "(The) "Probe interval" should always be less than (open+receive) timeout value. Default open & receive timeouts are 10 seconds."
    Are you able to advise on whether the above is correct and if so, why? I currently have an interval value of 30 that obviously goes against the advice above (which I've interpreted to mean that if you leave the open & receive timeouts at their default settings your probe interval should be less than 20 seconds?).
    thanks
    Matthew
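    To reason about the interval / passdetect question above, it helps to play the probe timers through the state machine they drive. The block below is an added example for this page, not ACE code: it assumes the usual reading of the ACE probe settings (probe every `interval` seconds while a real is operational; `faildetect` consecutive failures mark it FAILED; while FAILED probe every `passdetect interval` seconds and return it to service after `passdetect count` consecutive successes), with `faildetect` defaulting to 3 as an assumption. `ProbeTimers`, `simulate` and `server_up` are names chosen here, and the outage timeline is constructed. It uses Matthew's values (interval 30, passdetect interval 15, passdetect count 6) and reports when the real would be taken out and put back.

```python
"""Probe timer simulation (added example; assumed ACE probe semantics)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class ProbeTimers:
    interval: int = 30            # seconds between probes while OPERATIONAL
    faildetect: int = 3           # consecutive failures before FAILED (assumed default 3)
    passdetect_interval: int = 60  # seconds between probes while FAILED
    passdetect_count: int = 3     # consecutive successes before OPERATIONAL again
    open_timeout: int = 10        # TCP open timeout (default 10 on the page's outputs)
    recv_timeout: int = 10        # receive timeout (default 10 on the page's outputs)


def max_probe_duration(t: ProbeTimers) -> int:
    """Longest a single probe can hang before it times out (open + receive)."""
    return t.open_timeout + t.recv_timeout


def detection_delay(t: ProbeTimers) -> int:
    """Upper bound on time from an outage to the real being marked FAILED."""
    return t.interval * t.faildetect


def recovery_delay(t: ProbeTimers) -> int:
    """Upper bound on time from a server recovering to it being back in service."""
    return t.passdetect_interval * t.passdetect_count


def simulate(t: ProbeTimers, server_up: Callable[[int], bool],
             horizon: int) -> List[Tuple[int, str]]:
    """Run probes until `horizon` seconds; return (time, new_state) transitions.

    `server_up(now)` is the constructed server behaviour: True when the probe
    at time `now` would succeed.
    """
    now, state = 0, "OPERATIONAL"
    fails = passes = 0
    transitions = [(0, state)]
    while now <= horizon:
        ok = server_up(now)
        if state == "OPERATIONAL":
            fails = 0 if ok else fails + 1
            if fails >= t.faildetect:
                state, fails = "FAILED", 0
                transitions.append((now, state))
        else:
            passes = passes + 1 if ok else 0
            if passes >= t.passdetect_count:
                state, passes = "OPERATIONAL", 0
                transitions.append((now, state))
        # Next probe is scheduled according to the state we are now in.
        now += t.interval if state == "OPERATIONAL" else t.passdetect_interval
    return transitions


# Matthew's configuration from the post; faildetect left at the assumed default.
APACHE_PROBE = ProbeTimers(interval=30, passdetect_interval=15, passdetect_count=6)


def outage_100_to_300(now: int) -> bool:
    """Constructed timeline: server unreachable from t=100 up to (not incl.) t=300."""
    return not (100 <= now < 300)


if __name__ == "__main__":
    print("max single-probe duration:", max_probe_duration(APACHE_PROBE), "s")
    print("detection bound:", detection_delay(APACHE_PROBE), "s,",
          "recovery bound:", recovery_delay(APACHE_PROBE), "s")
    for when, st in simulate(APACHE_PROBE, outage_100_to_300, 400):
        print(f"t={when:4d}s  -> {st}")
```

    With these values the real is marked FAILED 80 seconds into the outage and returns 75 seconds after the server recovers; lengthening `interval` stretches the first number, lengthening `passdetect interval` or `passdetect count` stretches the second. Whether `interval` must also exceed `max_probe_duration` (the rule quoted from the other thread) is left as the open question it is in the post; the function just makes the two figures easy to compare.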
