ACE LB SSL Session ID in onearm mode

Similar Messages

• CSS11503/ACE 4710 - SSL session id cache

  I have a couple of questions.
  1. I'd like to know what happens when the SSL session id cache (def 10k) gets filled on a CSS11503. Do new connections get dropped or do they still work but are they less efficient?
  2. What is the cache size on an ACE4710?

  The problem was caused by an incorrect nat pool.   Correct Mask was 255.255.255.0.

• ACE 3.0(0) SW / LB with SSL Session-ID

  Hello!
  I want to use "SSL Session-ID" sticky method in load-balancing, but can't find any info about it in 3.0(0)A1(2) sw configuration guides. Where i can find info about it? Or this method is supported only in old A2(1.0) release?
  Thanks.

  SSL Session ID Sticky to ensure Client Persistence
  1. Demonstrate the ability to provide stickiness using SSL
  Session ID. To do this you will need to the Generic Protocol Parsing
  framework on ACE. With the right regular expression you will be successful!!
  2. Before you begin to configure the SSL Sticky group, be sure that
  you have allocated resources to the sticky group. Note this done in the
  Admin context.
  resource-class cart
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 1.00 maximum equal-to-min
  context Lab-Cart-11
  allocate-interface vlan 211
  allocate-interface vlan 411
  member cart
  3. Create an SSL-v3 sticky group and associate the serverfarm. Good
  idea to configure a sticky timeout value. This specifies the period of time
  that the ACE keeps the sticky information in the sticky table. Note the ACE
  resets the timer each time ACE opens connections matching that entry. Also
  configure the Layer 4 sticky parameters for 32 bytes session ID.
  sticky layer4-payload ssl-v3
  timeout 600
  serverfarm HTTPS-FARM
  response sticky
  layer4-payload offset 43 length 32 begin-pattern "\x20"
  When a new session is established between client and server, the server
  generates a session id. The session id is an arbitrary sequence of bytes.
  The length of the session id is 16 bytes for SSLv2 sessions and between 1
  and 32 bytes for SSLv3/TLSv1. The session id is not security critical but
  must be unique for the server. Additionally, the session id is transmitted
  in the clear when reusing the session so it must not contain sensitive
  information.
  4. Create a class-map to match the layer 4 payload.
  class-map type generic match-any SSL-v3-32
  2 match layer4-payload regex "\x16\x03\x00..\x01.*"
  3 match layer4-payload regex "\x16\x03\x01..\x01.*"
  5. Create a new generic load balance policy map and assoiciate the
  sticky-serverfarm understand the class.
  policy-map type loadbalance generic first-match SSL-v3-Sticky
  class SSL-v3-32
  sticky-serverfarm ssl-v3
  6. Change to the client-vips policy map to represent the new
  SSL-v3-Sticky policy you just created
  policy-map multi-match client-vips
  class VIP-HTTPS
  loadbalance vip inservice
  loadbalance policy SSL-v3-Sticky
  loadbalance vip icmp-reply active
  7. Verify the VIP is accessible by trying to hit the VIP.
  8. View the connection using the show cons command.
  Pod1-ACE/Lab-Cart-11# show conn
  total current connections : 1
  conn-id np dir proto vlan source destination
  state
  ----------+--+---+-----+----+---------------------+---------------------+---
  ---+
  10 1 in TCP 211 209.165.201.11:1115 172.16.11.190:443
  ESTAB
  9. Interesting I can see that the first connection has been setup. Why
  is ACE not load balancing the connection to the server?
  10. Great I need to configure a L7 parameter map with a max parse-length
  parameter-map type generic SSL-v3
  set max-parse-length 70
  11. Associate the parameter map to the client-vips policy map
  policy-map multi-match client-vips
  class VIP-HTTPS
  loadbalance vip inservice
  loadbalance policy SSL-v3-Sticky
  loadbalance vip icmp-reply active
  appl-parameter generic advanced-options SSL-v3
  12. Verify the VIP is now accessible by trying to hit the VIP.

• ACE 4710 & SSL Offloading

  I testing the 4710 for load balancing between 2 web servers. I have the http portion working just fine but would like to get some input on the SSL portion.
  We have a section of our site that requires user login and the whole session is https from when they login and when they are browsing through our site.
  My questions are within the design aspects. Would this best be designed using SSL offloading and then using clear text from the ACE to the web servers? Also, what would the differences be with configuring ssl offloading with stickiness if configured with http server load balancing on the same server farm versus creating a new server farm just for https? Would end-to-end ssl be best in this scenario?
  Description of the web application usage:
  Users log in and their whole session is https. Users will be filling out forms, inputting data, registering for events and uploading some files.

  Okay so that makes sense to me now. When the client requests an HTTPS page and the ACE terminates the connection, the ACE uses SSL rewrite/redirect to send the request back to the client so that the client still maintains the SSL connection. Otherwise it will request an HTTP page instead of the HTTPS page.
  Am I correct?

• ACE not creating session to rserver (sending a RST)

  Having a ACE-Deployed for loadbalancing web-requests which are coming from a reverse-proxy. The session persistency is based on the x-forwarded-for HTTP-header entry.
  The situation works fine but in certain situations it looks like the ACE (172.16.3.200) is sending a RST shortly after an ACK in direction of the reverse-proxy (172.16.2.10).
  Investigating this RST shows me that ACE is not creating a session towards to the real-server, meaning session from reverse-proxy to ACE is there but session from ACE to real-server doesn’t get created (no SYN sent from ACE).
  Example:
  (1) 11:20:07.677541     src:172.16.2.10    dst:172.16.3.200     proto:TCP     info: 38776 > http (SYN)
  (2) 11:20:07.677891     src:172.16.3.200  dst:172.16.2.10       proto:TCP     info: http > 38776 (SYN, ACK)
  (3) 11:20:07.677920     src:172.16.2.10    dst:172.16.3.200     proto:TCP     info: 38776 > http (ACK)
  (4) 11:20:07.677979     src:172.16.2.10    dst:172.16.3.200     proto:HTTP   info: GET /media/global/stylesheets/class.css?v=0.20 HTTP/1.1
  (5) 11:20:07.678553     src:172.16.3.200  dst:172.16.2.10       proto:TCP     info: http > 38776 (ACK)
  (6) 11:20:07.678553     src:172.16.3.200  dst:172.16.2.10       proto:TCP     info: http > 38776 (RST, ACK)
  Normally, for every session from the reverse-proxy to ACE, ACE creates a session to the real-server. In this particular trace, ACE only creates the incoming one but not the outgoing to the real-server. The real-server is alive at this time, requests just some milliseconds before and after packet four (4) are processed to the same real-server correctly.
  Normalization is disabled and we’re running in routed mode.
  Any idea why ACE itself doesn’t creates this new session ?

  I just verified "show stats http" and there is a zero (0) for max parslen errors and static parse errros, so we should be fine on the length and on the value we're expecting.
  Here the relevant snippets from the configuration.
  sticky http-header X-Forwarded-For STICKY_HTTP-HEADER
     timeout 180
     serverfarm SF_FRONTEND
  class-map type http loadbalance match-all CM_STICKY_HTTP-HEADER
     2 match http header X-Forwarded-For header-value ".*"
  class-map match-any CM_VIP_FRONTEND
     description VIP for FRONTEND
     5 match virtual-address 172.16.3.200 tcp eq www
  policy-map type loadbalance first-match PM_LB_FRONTEND
     class CM_STICKY_HTTP-HEADER
       sticky-serverfarm STICKY_HTTP-HEADER
     class class-default
       serverfarm SF_FRONTEND
  I would love to share the broken capture with you (see attached).

• ACE 4710 SSL server LB with stickiness

  I will be replacing 11500 CSS which are not doing SSL termination, just load-balancing SSL sessions terminated on servers with ACE 4710.
  On their CSS config, they were doing SSL-sticky. I understand the 4710 doesn't support SSL sticky, but can perform the same function by parsing the HTTP header. Has anyone done this config before and know where/how to parse the header to look for the SSL session# and stick connections to same server?
  THANKS!

  In Ace 2.x code GPP (Generic protocol parsing) was introduced that enables ACE to look into the Layer 4 payload.Which is how this stickiness id achieved.
  details at
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/sticky.html#wp1133923
  I dont think its currently available on ACE appliance yet.
  Syed

• SSL Session resumed or not?!

  Hi
  Is there a way to "know" whether a SSL Session is resumed (SSL resumption) or built up throug the whole handshake process?
  I switched on the SSL debug mode. There I can see whether a whole handshake is done or not. But I need this information in my Java program.
  Any ideas...?
  thx in advance,
  tom

  You can get the current SSL Session id via SSLSocket.getSession().getID(), so you can compare with the previous one for equality.
  Why do you need to know?

• HTTPS persistence SSL session, ACN 4.2.1

  Customer is experiencing a problem resulting in the ACN software resolving the host.domain.com twice. Webapplication https://host.domain.com/webapp/index.jsp. The customer uses a ACN to proxy the https request. The host.domain gets resolve to 1 of 4 available application servers (webserver). At the application login page (index.jsp) the user is successfully authenticated by the application's Login servlet on webserver 1. The user is then redirected to the select application, local to the webserver 1. It appears that when the ACN receives the response from webserver 1 with the fully qualitfying URL. The redirection cause the ACN to resolve the host.domain against DNS and as a result, the user's browser is redirected to a different webserver. The users previous session is no longer valid, breaking the client/webserver trusted relationship
  If the above user uses 1 of the 4 available IP address on the DNS entry, the users successfully maintains the SSL session. The customer is migrating to a Cisco Content Engine 560 running version 4.2.1 ACN software.
  I understand there are ACN features that could effect the HTTP session persistence/SSL trust. The services/features include boomerang, Reverse Proxy, content balancing. I request information on the service or feature of the ACN that could cause the problem I speak of from above.
  I understand there are different methods of implementing session persistence, like sticky session and SSL sticky, but believe the ACN does provide this feature.

  The customer is experiencing network issues when attempting to access our application. The customer is experiencing has been seen with a previous customers that had a similar network devices.
  The customer uses a Cisco Content Engine CE-560 with Application and Content Networking Software (ACNS) version 4.2.1. The problem seems to a result of the ACNS resolving the hostname.domain.com twice. The webserver's DNS (hostname.domain.com) entry resolves to one of four available webservers (DNS round robining).
  nslookup hostname.domain.com
  webserver1 webserver2 webserver3 webserver4
  nslookup hostname.domain.com
  webserver2 webserver3 webserver4 webserver1
  and so on.
  All client/webserver communication is through SSL. When the customer uses the FQDN URL (https://hostname.domain.com/webapp/index.jsp) to access the application login page, the server portion of the URL is resolved to webserver1. At this time, the customer has an established HTTPS session with webserver1. Once a login servlet running on webserver1, receives the customer supplied login credentials, the servlet sends a server response 302 redirecting the customer to the selected application.
  This redirection response seems to cause the ACNS to resolve the hostname.domain.com and as a result, the customer's browser is redirected to a different webserver, webserver2. The users previous session is no longer valid, causing the application to generate a false inactivity timeout.
  If the customer sends a HTTPS request using anyone of the four IP address from DNS, the session is maintained and the customer does not receive the false inactivity timeout, because the session is not "broken".
  The customer is migrating off of a Netscape (iPlanet) Web Proxy solution and does not experience the problem accessing the application, using the FQDN URL.
  DNS caching is enabled on the customer CE.

• Http.keepAlive does not turn off SSL session cache?

  Hi there,
  I have a web service client that uses JSSE for making web service calls via https. In an effort to debug problems, I set http.keepAlive to false, I can see from the SSL debug output that KeepAlive timer messages no longer shows up, but I still see text such as "Cached client session" and "try to reuse cached session", etc.
  Should not turning off keepAlive disable the use of persistent sessions?
  Thanks.
  Yan

  They are unrelated features.
  HTTP Keep Alive allows the browser to maintain a Socket to the server and issue multiple HTTP requests over that same socket.
  SSL Session caching is when an SSL Session is assigned an ID, and additional SSL connects may be established with the same ID. These additional sockets then do not need to perform the full SSL handshake, since much of the data has already been negotiated previously.

• Disable non-SSL session tracking?

  Hi, all,
  I wonder if one can disable all session tracking in JSP's whenever SSL is not being used? I would like to turn off all cookie-setting and URL-rewriting and use SSL-session tracking only (if I use session-tracking at all on a given page). I also want to specify this behavior programmatically (inside my JSP's) and not in my server's config files.
  I'm basically concerned that if my user leaves one of my HTTPS pages, they will still retain a non-secure cookie with their session information. This seems to be indeed the default behavior: when I run my tests and transition from an HTTPS page to an HTTP one, the browser does store a cookie. I know I can invalidate the session as the next step, but I'd rather have the cookie not being set altogether to begin with. Imagine the situation where the user leaves my HTTPS page for a totally different (HTTP) website: in this setting I won't get a chance to invalidate the session and delete the cookie.
  Any ideas, therefore, on how to programmatically disable non-SSL session-tracking?
  Thanks,
  Dmitri.

  I don't think you can do this programatically.
  However I also don't think it is a problem.
  Cookies are related to zone names aren't they?
  http://mysite and https://mysite are two different
  zones as far as cookies are concerned. One should
  not be able to see the other.
  It issues a new cookie for the http site you are just
  navigating to. That cookie has nothing to do with
  the secure site you just came from, and shouldn't be
  able to tell them any info about the secure site.
  I think you are worrying about something that isn't
  really there.
  What is your concern? That they pick up a JSESSIONID
  from the cookie and can then pretend to be a
  different user?Yes. A cookie is transmitted and stored unencrypted, I imagine (in any case, it should be more easily crackable than SSL). I wish Sun came up with an extension to the Session API where you would be able to explicitly specify which session-tracking protocols you want used and which ones you don't. At the moment their API abstracts and manages too much detail for you.
  I mean, if my site is supposed to be secure while I'm using SSL, then you'd expect that no information about those secure sessions should leak outside the SSL protocol, wouldn't you say?

• SSL Session cache persistence

  Hello,
  I've been scratching my head for while on a problem concerning SSL session caching. Upon examining memory usage of the session cache I noticed that the number of cached sessions is reset at some point while new session are created. For example sometimes at around 300 -1500 sessions the number drops to under 10. I have set the session cache size to unlimited (via SSLSessionContext.setSessionCacheSize()) and session timeout to 24 hours (via setSessionTimeout()).
  I noticed that this has probably something to do with garbage collection. I made a server application that receives SSL connections and every few seconds prints the number sessions in the cache and the amount of consumed memory (in megs). I also enabled garbace collection information printing and ran java VM with a maximum heap size of 512M. I ran a client application against it that continuously initializes a new sessions. Here's what I got:
  Sessions: 484     Memory: 1.7913589477539062
  [GC [DefNew: 503K->4K(576K), 0.0007350 secs] 2234K->1734K(3796K), 0.0008700 secs]
  [GC [DefNew: 513K->63K(576K), 0.0009260 secs] 2243K->1793K(3796K), 0.0010680 secs]
  Sessions: 490     Memory: 1.7832870483398438
  [GC [DefNew: 569K->37K(576K), 0.0021150 secs] 2299K->1773K(3796K), 0.0022560 secs]
  Sessions: 495     Memory: 2.1244659423828125
  [GC [DefNew: 543K->37K(576K), 0.0019000 secs] 2279K->1775K(3796K), 0.0034750 secs]
  [GC [DefNew: 549K->57K(576K), 0.0009080 secs] 2287K->1796K(3796K), 0.0010290 secs]
  [Full GC [Tenured: 1739K->1635K(3220K), 0.0865340 secs] 1962K->1635K(3796K), [Perm : 3267K->3267K(8192K)], 0.0885000 secs]
  Sessions: 6     Memory: 1.7752304077148438
  [GC [DefNew: 512K->58K(576K), 0.0016310 secs] 2147K->1694K(3796K), 0.0017680 secs]
  [GC [DefNew: 568K->37K(576K), 0.0009750 secs] 2204K->1678K(3796K), 0.0011110 secs]
  Sessions: 12     Memory: 1.7010269165039062
  [GC [DefNew: 549K->56K(576K), 0.0014310 secs] 2190K->1699K(3796K), 0.0015600 secs]Notice how the number of sessions drops from 495 to 6? And in between there's a garbage collection print "[Full GC...". Why is this? Shouldn't the session cache keep the sessions until there's either too many of the them or they get too old? Here only a few minutes have elapsed and memory consumption is under control (1 to 3 megs).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   

  In my implementation I avoid session renegotiation as
  much as possible to achieve high throughput. My goal
  is to preserve sessions for the entire session
  timeout time. This raises a few questions:Understood, but you also have to protect the server against resource exhaustion. It's in the client's interest to cache lots of sessions for a long time; the server's interest is to conserve resources so it can keep itself running.
  You actually don't want to cache all the sessions, just the 'hot' ones, so you're better off having the SessionContext remove sessions on an LRU basis by having a finite limit, rather than just letting them be GC'd. The fact that so many sessions were collected in your runs indicates pretty severe memory usage.
  (1) Is there any way to tweak this behavior? For
  example can make the sessions live longer by using
  some GC flags for the VM? Allocate more heap space, or cache fewer sessions.
  (2) How about keeping regular references to all the
  sessions in my application?That would save them from GC of course. But then you'll quickly discover that you really do need a finite limit.
  (3) Is the behavior of the session cache or the inner
  workings of the SSL API in general documented
  somewhere?Only in the source code of JSSE, and that's only a property of Sun's JRE implementation. Session caching is not even a required feature, and J2ME implementations for example generally don't do it at all.

• ACE 4700 ssl probe failure

  We recently updated one of our servers to a new SSL certificate using the 4096 bit cipher key. Now the ACE probe to that server fails.
  We have SSL version set to any and SSL cipher set to any. Id there a problem with a ACE https probe not supporting cipher keyes longer then 1024 bit ?

  Hello DLance,
  The ACE supports ssl certs upto 2048bits..
  If you refer to the following guide, there is mention of the 2048 limit:
  http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html
  HTH. Regards.

• Proxyless clustering and SSL session state

  The current 6.0 docs are a bit quiet on SSL and clustering, so can I check
            whether it is the case that when proxy-less clustering is used with SSL, a
            failover results in a new certificate exchange and crypto session
            establishment? In other words, the clustering isn't attempting to replicate
            the SSL session state or similar super-subtle strategy.
            Thanks!
            Alex Thomas
            Lehman Brothers
            London
            

            "Alex Thomas" <[email protected]> wrote in message
            news:[email protected]..
            > The current 6.0 docs are a bit quiet on SSL and clustering, so can I check
            > whether it is the case that when proxy-less clustering is used with SSL, a
            > failover results in a new certificate exchange and crypto session
            > establishment? In other words, the clustering isn't attempting to
            replicate
            > the SSL session state or similar super-subtle strategy.
            Alex,
            A failover will result in a new SSL connection being started. As you say
            this will mean that certificate exchange and session key exchange will occur
            again. All of the replicated state is kept at a higher level in the server
            so that we can use different SSL implementations including hardware
            accelerators.
            Regards,
            Adam
            

• Monitoring SSL sessions/sec on CSS

  Hello,
  I have been trying to find the right parameter via CLI or SNMP to monitor the number of SSL sessions/sec. We are using CSS 11503 with a SSL module supporting in theory 800 to 1000 SSL sessions/sec and I'd like to know what the current load is. I am graphing already the flows/sec but this too generic.
  Any help is appreciated.
  Thanks,
  Fabrice

  Fabrice,
  there might not be an exact counter for connection per seconds, but what most people do [with CSS or other devices] is capture the total number of connections every X seconds, make the difference and divide by X to get the average connection per seconds.
  You could use one or combination of the following counters
  CSS11503-2(debug)# sho ssl statistics | grep conn
  0 Handshake started for incoming SSL connections
  0 Handshake completed for incoming SSL connections
  0 Handshake started for outgoing SSL connections
  0 Handshake completed for outgoing SSL connections
  0 TCP connections failed
  0 TCP connections established
  0 TCP connections originated
  0 TCP connections terminated
  Gilles.

• SSL Session and Connection

  What is the difference between SSL Session and Connection. I understand, that session is negotiation of parameters and connections are built upon the sessions. But please help me understand, how it works in practicaly as in when using a Any connect client or browser, how does it function.

  How about something like:
  // It appears there may be issues with TLS...
  // so to prevent it from being used, we'll be
  // specific...SSLv3
  SSLContext context = SSLContext.getInstance("SSLv3");
  context.init(kmFactory.getKeyManagers(), null, null);
  SSLSocketFactory ssf = context.getSocketFactory();
  com.sun.net.ssl.HttpsURLConnectionHttpsURLConnection.setDefaultSSLSocketFactory(ssf);
  That do ya?
  -michael