ACE ssl initiation
Have done ssl init on the CSS before.
It can be easily configured to present a client cert to the remote end like a browser would.
I can't see how this is done on the ACE.
Do I just apply an authgroup referring to the client cert in the ssl proxy configuration ?
Hi,
For SSL intiation ACE shall act as a client. So you will define a SSL-Proxy and just bind it with the policy map.
Below config is for end-to-end SSL but look at bold part that is for SSL initiation and here is the link for your reference.
access-list allow_all line 10 extended permit ip any any
probe http KEEPALIVE-WEBS
description Test for Webs Servers
interval 15
passdetect interval 30
request method head url /ping.jsp
expect status 200 200
parameter-map type ssl ssl_ciphers
cipher RSA_WITH_RC4_128_MD5
cipher RSA_WITH_RC4_128_SHA
cipher RSA_WITH_DES_CBC_SHA
cipher RSA_WITH_AES_128_CBC_SHA
cipher RSA_WITH_AES_256_CBC_SHA
rserver host WEB001
description Web Servers
ip address 10.0.130.253
probe KEEPALIVE-WEBS
inservice
rserver host WEB002
description Web Servers
ip address 10.0.130.252
probe KEEPALIVE-WEBS
inservice
rserver host WEB003
description Web Servers
ip address 10.0.130.254
probe KEEPALIVE-WEBS
inservice
rserver redirect OLD_SITE_REDIR
webhost-redirection
https://www.newsite.com 301
inservice
ssl-proxy service SERVER_SSL
key www-server.key
cert www-server.crt
ssl advanced-options ssl_ciphers
ssl-proxy service CLIENT_SSL
ssl advanced-options ssl_ciphers
serverfarm redirect REDIRECT
rserver OLD_SITE_REDIR
inservice
serverfarm host VIP-WWW-443
description servers-for-https
rserver WEB001 443
inservice
rserver WEB002 443
inservice
rserver WEB003 443
inservice
serverfarm host VIP-WWW-80
description servers-for-www
rserver WEB001 80
inservice
rserver WEB002 80
inservice
rserver WEB003 80
inservice
sticky http-cookie wwwservers WWW-P80
cookie insert
timeout 720
replicate sticky
serverfarm VIP-WWW-80
sticky http-cookie wwwservers WWW-P443
cookie insert
timeout 720
replicate sticky
serverfarm VIP-WWW-443
class-map type http loadbalance match-all CLA7REDIR
2 match http url http://www.oldsite.com/.*
class-map type http loadbalance match-all CLA7WWW
2 match http url http://www.newsite.com/.*
class-map match-any VIP-P443
2 match virtual-address 10.0.128.211 tcp eq https
class-map match-any VIP-P80
2 match virtual-address 10.0.128.211 tcp eq www
policy-map type loadbalance first-match VIP_SERVER_P443
class CLA7REDIR
serverfarm REDIRECT
class CLA7WWW
sticky-serverfarm WWW-P443
ssl-proxy client CLIENT_SSL
policy-map type loadbalance first-match VIP_SERVER_P80
class class-default
sticky-serverfarm WWW-P80
policy-map multi-match WWW_LB
class VIP-P80
loadbalance vip inservice
loadbalance policy VIP_SERVER_P80
loadbalance vip icmp-reply active
loadbalance vip advertise active
class VIP-P443
loadbalance vip inservice
loadbalance policy VIP_SERVER_P443
loadbalance vip icmp-reply active
loadbalance vip advertise active
ssl-proxy server SERVER_SSL
interface vlan 128
ip address 10.0.128.15 255.255.255.0
access-group input allow_all
service-policy input WWW_LB
no shutdown
interface vlan 130
ip address 10.0.130.15 255.255.255.0
access-group input allow_all
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.128.1
Regards,
Kanwal
Similar Messages
-
ACE SSL Initiation - no check of server cert?
SW 3.0(0)A1(4)
I've configured SSL initiation and noticed that a successful session is established despite no valid root CA cert installed on the ACE.
Does client SSL just work regardless without any cert validation?this is currently how it works.
It will change in version 2.0
Gilles. -
ACE SSL initiation via Proxy server (squid)
Hi,
is it possible to configure ACE with SSL initiation if the connection goes via http/https proxy (squid) ?
I mean local host is requesting http://xyz.com, ACE doing SSL and requesting https://xyz.com, not directly but via http/https proxy server (squid).
ThanksHi Ryszard,
Yes, ACE can initiate SSL traffic and maintain SSL connection. So in SSL initiation ACE will act as a CLIENT receiving clear text HTTP traffic at the front end and sending traffic encrypted over the backend.
For more details please visit the below link and let me know if you have any questions.
http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/ssl/guide/sslgd/initiate.html#wp1010343
Regards,
Kanwal -
ACE issue with compression when SSL Initiation is turned on?
We currently doing an evaluation of the Cisco ACE 4710 and have some sites where the backend is Tomcat and SSL is turned on. When we set Default L7 Load-Balancing Action to Load Balance with Compression Method Deflate (I haven't tried gzip yet), requests to these sites return badly mangled stuff. Like a gif image at 7,700 bytes comes back as a 7 bytes file, even default should only try compression on text/*.
Has anyone seen a similar issue?It turned out the problem was a configuration issue and my understanding of the ACE works with compression, policies, etc.
In conjunction with this I seemed to have found a bug in the GUI, which is also still present in A3 (2.3). I now have a default L7 policy which just set SSL Initiation to ssl client. Added another L7 policy but when looking at the virtual server afterwards the GUI doesn't show that policy.
switch/Development# show running-config policy-map FORD-APP.PERF.AUTC.COM-l7slb
Generating configuration....
policy-map type loadbalance first-match F-APP.PERF.AUTC.COM-l7slb
class default-compression-exclusion-mime-type
serverfarm F-APP.PERF.AUTC.COM
compress default-method deflate
insert-http rl_client_ip header-value "%is"
ssl-proxy client Backend
class class-default
serverfarm F-APP.PERF.AUTC.COM
insert-http rl_client_ip header-value "%is"
ssl-proxy client Backend
See attachment with screen shot of GUI -
SSL initiation for SMPP on ACE module
Hi Community,
we have a new requirement to enable a connection to a server with SMPP protocol wrapped inside a SSL channel for transport over internet. Can any one suggest if the ACE module support to do SSL initiation to secure standard SMPP (3.4) servers?
Kind regardsHi,
ACE does support SSL initiation. Please visit the below link for details. Ace also supports SSL termination and End-to-End SSL.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/ssl/guide/initiate.html
Regards,
Kanwal -
ACE SSL offloading troubleshooting
Hi All,
I need a help on trobleshooting ACE SSL offloading. Can anybody post the link to know about the commands for troubleshooting?
Regards,
ThiyaguHi Thiyagu
Have a read on the following link, what is the issue you are seeing?
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_--_Troubleshooting_SSL#Troubleshooting_ACE_SSL
Regards Craig -
Have two internal clients wanting to initiate to an remote external ssl server.
Tried the sample configs for ssl initiation and they don't work in our environment. However the sample has the backend servers on addresses local to the CSS. So I'm not sure what has to be done for a far-distant server.
Here is a sample of the config elements. The important thing is that we have made the services/internal server address the same as the remote server like the sample config.
We get no traffic out to the backend.
I'm thinking that the front end of the ssl init server needs to have an ip address local to the CSS which we are trying but is this definite or is there something else missing.
ssl-proxy-list ssl-list
backend-server 1
backend-server 1 ip address 10.129.66.132
backend-server 1 port 1414
backend-server 1 server-ip 10.129.66.132
backend-server 1 version ssl3
backend-server 1 cipher all-cipher-suites
backend-server 1 tcp virtual inactivity-timeout 3600
backend-server 1 tcp server inactivity-timeout 3600
backend-server 1 type initiation
service abc1-s1-ac.abc.ota
type ssl-init
ip address 10.129.66.132
protocol tcp
port 1414
slot 3
keepalive type none
active
owner siteX
content abcv1-abc-http.vipac.ota
protocol tcp
vip address 155.231.49.50
port 1414
add service abc1-s1-ac.abc.ota
activeUnfortunately not - we just tried that by making the local address one that is on the CSS local interfaces.
We also swopped the vip to make sure that it was definitely on the inbound side in case that makes a difference.
The symptoms are that the client gets a connection to the port/1414 of the service which immediately gets terminated without an attempt to set up the ssl backend connection.
So now we have
Client-->tcp/1414-->vip on the client side-tcp/1414->service ip on the outbound side-->backend server on the outbound side-tcp/443->out from CSS to remote
ssl-proxy-list ssl-list
backend-server 1
backend-server 1 ip address 155.231.49.50 (on the CSS outside i/face)
backend-server 1 port 1414
backend-server 1 server-ip 10.129.66.132 (the remote machine)
backend-server 1 version ssl
backend-server 1 cipher all-cipher-suites
backend-server 1 tcp virtual inactivity-timeout 3600
backend-server 1 tcp server inactivity-timeout 3600
backend-server 1 type initiation
service pabc-s1-ac.abc.sitex
type ssl-init
ip address 155.231.49.50
add ssl-proxy-list ssl-list
protocol tcp
port 1414
slot 3
keepalive type none
active
owner siteX
content pabc-abc-http.vipac.ota
protocol tcp
vip address 155.231.50.57 (on the CSS inside i/face)
port 1414
add service pabc-s1-ac.abc.sitex
active
circuit VLAN322
description "vACCESSa01"
ip redundant-vip 1 155.231.50.57 (because we have redundant css) -
Hello Friends,
Need ur help on cisco ACE SSL termination.
If i import the certificate and key (.PEM), where this files will be saved ?
can we able to download the .PEM file any time as we need(back-up)?
suppose if my .PEM is got hacked, hacker is sniffing the data packet which going through the web server, can it be possiable to deencrypt the packet and see the exact packet ?
Regards,
NarenNaren,
1. In order to import certs and keys, please see the following link to the command reference. To summarize, any time you import/export/delete keys/certs, you are doing so via commands in exec mode. Regarding how and where the ACE actually saves this information, I do not know this answer.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/execmds.html#wp1616651
2. You can import a key as non-exportable if you do not want it to be able to be exported. If you import it as exportable, you can always export it later for backups or what not.
3. You can decrypt captured HTTPS traffic if you have the private key. It is important to limit access to it. Please see this link for more info on using Wireshark to view decrypted HTTPS traffic: http://wiki.wireshark.org/SSL
Hope this helps!
Regards,
Matt -
How to install a root certificate of private CA for SSL initiation in ACE 4710 ?
Hello ACE Gurus,
We have to deploy end-to-end SSL for one of our application, but of course we won't be buying Entrust or other big name certificates for each web server : we want to use self-issued certs signed by our private CA.The topology looks like this :
Internet Client ----HTTPs_Entrust_Cert----> ACE ------HTTPs_Private_Cert------> WebServers
Maybe my search skills are soft, but I haven't found how to import a private CA certificate in the ACE, so that when the ACE initiates an SSL session with the webserver (as a client), it will recognize the Web Server's SSL Cert as valid, because he already has it in it's root store.
The only thing I've found, is how to configure the ACE to ignore the SSL authentification/validation errors, like this :
host1/Admin(config)# parameter-map type ssl SSL_PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# authentication-failure ignore
Thanks for the help!
Alex.Hi Alex,
From ACE perspective, it doesn't make differences if you are using certificates issued by your local or a "well known" CA. Moreover, if not mistaken, you have to configure authentication group whatever you are doing client or server authentication.
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html#wp1043643
Thanks,
Olivier -
ACE SSL terminate not working ... please help
Hello, I configured cisco ace 4710 with ssl-proxy and it is not working, but http://10.1.40.2 and http://10.1.40.3 is OK. When i put https://10.1.41.20 the output is: "There is a problem with this website's security certificate", so i click in "Continue to this website (not recommended)" and the ace dont balance the output show error "Internet Explorer cannot display the webpage".
The configuration:
ace-demo/Admin# sh run
Generating configuration....
boot system image:c4710ace-mz.A3_2_4.bin
boot system image:c4710ace-mz.A3_2_1.bin
login timeout 0
hostname ace-demo
interface gigabitEthernet 1/1
channel-group 1
no shutdown
interface gigabitEthernet 1/2
channel-group 1
no shutdown
interface gigabitEthernet 1/3
channel-group 1
no shutdown
interface gigabitEthernet 1/4
channel-group 1
no shutdown
interface port-channel 1
switchport trunk allowed vlan 400-401,450
no shutdown
crypto csr-params testparams
country PE
state Lima
locality Lima
organization-name TI
organization-unit TI
common-name www.yyy.com
serial-number 1000
access-list anyone line 8 extended permit ip any any
access-list anyone line 16 extended permit icmp any any
parameter-map type ssl sslparams
cipher RSA_WITH_RC4_128_MD5
version SSL3
rserver host rsrv1
ip address 10.1.40.2
inservice
rserver host rsrv2
ip address 10.1.40.3
inservice
serverfarm host farm-demo
rserver rsrv1
inservice
rserver rsrv2
inservice
serverfarm host site-A
rserver rsrv1
inservice
serverfarm host site-B
rserver rsrv2
inservice
ssl-proxy service testssl
key testkey.key
cert testcert.pem
ssl advanced-options sslparams
class-map type management match-any MGMT
2 match protocol icmp any
3 match protocol http any
4 match protocol https any
5 match protocol snmp any
6 match protocol telnet any
7 match protocol ssh any
class-map match-any VIP
6 match virtual-address 10.1.41.10 any
class-map type generic match-any WAN-site-A
2 match source-address 192.168.10.106 255.255.255.255
3 match source-address 192.168.10.125 255.255.255.255
class-map type generic match-any WAN-site-B
2 match source-address 192.168.10.96 255.255.255.255
3 match source-address 192.168.10.93 255.255.255.255
class-map type management match-any icmp
2 match protocol icmp any
class-map match-any vip-ssl-10.1.41.20
2 match virtual-address 10.1.41.20 tcp eq https
policy-map type management first-match ICMP
class icmp
permit
policy-map type management first-match MGMT
class MGMT
permit
policy-map type loadbalance first-match vip-ssl-10.1.41.20
class class-default
serverfarm farm-demo
policy-map type loadbalance generic first-match lb-server
class WAN-site-A
serverfarm site-A
class WAN-site-B
serverfarm site-B
class class-default
serverfarm farm-demo
policy-map multi-match client-side
class VIP
loadbalance vip inservice
loadbalance policy lb-server
policy-map multi-match lb-vip
class vip-ssl-10.1.41.20
loadbalance vip inservice
loadbalance policy vip-ssl-10.1.41.20
loadbalance vip icmp-reply
ssl-proxy server testssl
interface vlan 400
description side-server
ip address 10.1.40.1 255.255.255.0
access-group input anyone
service-policy input ICMP
no shutdown
interface vlan 401
description side-client
ip address 10.1.41.1 255.255.255.0
access-group input anyone
access-group output anyone
service-policy input ICMP
service-policy input client-side
service-policy input lb-vip
no shutdown
interface vlan 450
description mgmt
ip address 10.1.45.1 255.255.255.0
access-group input anyone
service-policy input MGMT
no shutdown
ip route 192.168.10.0 255.255.255.0 10.1.45.10
And the proof:
ace-demo/Admin# sh serverfarm farm-demo
serverfarm : farm-demo, type: HOST
total rservers : 2
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: rsrv1
10.1.40.2:0 8 OPERATIONAL 0 25 19
rserver: rsrv2
10.1.40.3:0 8 OPERATIONAL 0 23 18
ace-demo/Admin# sh crypto files
Filename File File Expor Key/
Size Type table Cert
admin 887 PEM Yes KEY
testcert.pem 709 PEM Yes CERT
testkey.key 497 PEM Yes KEY
ace-demo/Admin#
ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
Status : ACTIVE
Interface: vlan 1 401
service-policy: lb-vip
class: vip-ssl-10.1.41.20
ssl-proxy server: testssl
loadbalance:
L7 loadbalance policy: vip-ssl-10.1.41.20
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 38
dropped conns : 18
client pkt count : 159 , client byte count: 12576
server pkt count : 16 , server byte count: 640
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
in other time:
ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
Status : ACTIVE
Interface: vlan 1 401
service-policy: lb-vip
class: vip-ssl-10.1.41.20
ssl-proxy server: testssl
loadbalance:
L7 loadbalance policy: vip-ssl-10.1.41.20
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 170
dropped conns : 89
client pkt count : 703 , client byte count: 60089
server pkt count : 85 , server byte count: 3400
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
ace-demo/Admin#
ace-demo/Admin# sh stats crypto server
+----------------------------------------------+
+---- Crypto server termination statistics ----+
+----------------------------------------------+
SSLv3 negotiated protocol: 43
TLSv1 negotiated protocol: 0
SSLv3 full handshakes: 37
SSLv3 resumed handshakes: 0
SSLv3 rehandshakes: 0
TLSv1 full handshakes: 0
TLSv1 resumed handshakes: 0
TLSv1 rehandshakes: 0
SSLv3 handshake failures: 6
SSLv3 failures during data phase: 0
TLSv1 handshake failures: 0
TLSv1 failures during data phase: 0
Handshake Timeouts: 0
total transactions: 0
SSLv3 active connections: 0
SSLv3 connections in handshake phase: 0
SSLv3 conns in renegotiation phase: 0
SSLv3 connections in data phase: 0
TLSv1 active connections: 0
TLSv1 connections in handshake phase: 0
TLSv1 conns in renegotiation phase: 0
TLSv1 connections in data phase: 0
+----------------------------------------------+
+------- Crypto server alert statistics -------+
+----------------------------------------------+
SSL alert CLOSE_NOTIFY rcvd: 0
SSL alert UNEXPECTED_MSG rcvd: 0
SSL alert BAD_RECORD_MAC rcvd: 0
SSL alert DECRYPTION_FAILED rcvd: 0
SSL alert RECORD_OVERFLOW rcvd: 0
SSL alert DECOMPRESSION_FAILED rcvd: 0
SSL alert HANDSHAKE_FAILED rcvd: 0
SSL alert NO_CERTIFICATE rcvd: 0
SSL alert BAD_CERTIFICATE rcvd: 0
SSL alert UNSUPPORTED_CERTIFICATE rcvd: 0
SSL alert CERTIFICATE_REVOKED rcvd: 0
SSL alert CERTIFICATE_EXPIRED rcvd: 0
SSL alert CERTIFICATE_UNKNOWN rcvd: 6
SSL alert ILLEGAL_PARAMETER rcvd: 0
SSL alert UNKNOWN_CA rcvd: 0
SSL alert ACCESS_DENIED rcvd: 0
SSL alert DECODE_ERROR rcvd: 0
SSL alert DECRYPT_ERROR rcvd: 0
SSL alert EXPORT_RESTRICTION rcvd: 0
SSL alert PROTOCOL_VERSION rcvd: 0
SSL alert INSUFFICIENT_SECURITY rcvd: 0
SSL alert INTERNAL_ERROR rcvd: 0
SSL alert USER_CANCELED rcvd: 0
SSL alert NO_RENEGOTIATION rcvd: 0
SSL alert CLOSE_NOTIFY sent: 0
SSL alert UNEXPECTED_MSG sent: 0
SSL alert BAD_RECORD_MAC sent: 0
SSL alert DECRYPTION_FAILED sent: 0
SSL alert RECORD_OVERFLOW sent: 0
SSL alert DECOMPRESSION_FAILED sent: 0
SSL alert HANDSHAKE_FAILED sent: 0
SSL alert NO_CERTIFICATE sent: 0
SSL alert BAD_CERTIFICATE sent: 0
SSL alert UNSUPPORTED_CERTIFICATE sent: 0
SSL alert CERTIFICATE_REVOKED sent: 0
SSL alert CERTIFICATE_EXPIRED sent: 0
SSL alert CERTIFICATE_UNKNOWN sent: 0
SSL alert ILLEGAL_PARAMETER sent: 0
SSL alert UNKNOWN_CA sent: 0
SSL alert ACCESS_DENIED sent: 0
SSL alert DECODE_ERROR sent: 0
SSL alert DECRYPT_ERROR sent: 0
SSL alert EXPORT_RESTRICTION sent: 0
SSL alert PROTOCOL_VERSION sent: 47
SSL alert INSUFFICIENT_SECURITY sent: 0
SSL alert INTERNAL_ERROR sent: 0
SSL alert USER_CANCELED sent: 0
SSL alert NO_RENEGOTIATION sent: 0
+-----------------------------------------------+
+--- Crypto server authentication statistics ---+
+-----------------------------------------------+
Total SSL client authentications: 0
Failed SSL client authentications: 0
SSL client authentication cache hits: 0
SSL static CRL lookups: 0
SSL best effort CRL lookups: 0
SSL CRL lookup cache hits: 0
SSL revoked certificates: 0
Total SSL server authentications: 0
Failed SSL server authentications: 0
+-----------------------------------------------+
+------- Crypto server cipher statistics -------+
+-----------------------------------------------+
Cipher sslv3_rsa_rc4_128_md5: 43
Cipher sslv3_rsa_rc4_128_sha: 0
Cipher sslv3_rsa_des_cbc_sha: 0
Cipher sslv3_rsa_3des_ede_cbc_sha: 0
Cipher sslv3_rsa_exp_rc4_40_md5: 0
Cipher sslv3_rsa_exp_des40_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_md5: 0
Cipher sslv3_rsa_exp1024_des_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_sha: 0
Cipher sslv3_rsa_aes_128_cbc_sha: 0
Cipher sslv3_rsa_aes_256_cbc_sha: 0
Cipher tlsv1_rsa_rc4_128_md5: 0
Cipher tlsv1_rsa_rc4_128_sha: 0
Cipher tlsv1_rsa_des_cbc_sha: 0
Cipher tlsv1_rsa_3des_ede_cbc_sha: 0
Cipher tlsv1_rsa_exp_rc4_40_md5: 0
Cipher tlsv1_rsa_exp_des40_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_md5: 0
Cipher tlsv1_rsa_exp1024_des_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_sha: 0
Cipher tlsv1_rsa_aes_128_cbc_sha: 0
Cipher tlsv1_rsa_aes_256_cbc_sha: 0
ace-demo/Admin# crypto verify testkey.key testcert.pem
Keypair in testkey.key matches certificate in testcert.pem.
ace-demo/Admin#
ace-demo/Admin# sh conn
total current connections : 0
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+Hello Alvaro,
The issue here is that your config is missing the clear text port the ACE should use to send the traffic to the backend servers; in this case port 80.
Remove the rservers from the SF "farm-demo" and then configure them back like this:
serverfarm host farm-demo
rserver rsrv1 80
inservice
rserver rsrv2 80
inservice
That should do the trick =)
HTH
Pablo -
ACE SSL Sticky class-map generic vs class default differences.
There was a thread recently titled "ACE 3.0(0) SW / LB with SSL Session-ID" where Giles Dufour outlined a configuration for an ACE performing sticky based on SSL Session ID.
Can anyone explain the benefits and differences of using a specific class-map generic such as this:
class-map type generic match-any SSL-v3-32
2 match layer4-payload regex "\x16\x03\x00..\x01.*"
3 match layer4-payload regex "\x16\x03\x01..\x01.*"
Versus just matching class default?
So if I have a configuration such as this:
policy-map type loadbalance generic first-match SSL-v3-Sticky
class SSL-v3-32
sticky-serverfarm ssl-v3
vs
policy-map type loadbalance generic first-match SSL-v3-Sticky
class class-default
sticky-serverfarm ssl-v3
What's the benefit or drawback?The SSL session id is only available in version 3.0.1 and 3.1.1
So you can match this particular version and then attempt to do stickyness.
You are guaranteed to find what you're looking for.
If you match a class-default it means you apply stickyness to any version of ssl packet.
So there is a risk to misinterpret the content of the packet and stick on something else than the session id.
Gilles. -
Ace ssl-proxy problem, Online store.
Hello!
I have a problem with moving our online store loadbalancing to a Cisco ACE solution from Windows NLB that it runs on now. And also relive the servers from the ssl encrypt and decrypting of sessions.
The load balancing works', as long the session is Http, but when the "customer" comes to the point that i is going to pay. Our shop is jumping over to HTTPs and this is where the problem appear.
The "customer" is getting the certificate right but the site is not displayed = the session to the shop seems to die.
If i have missed something in the config or if someone have any other idea why this dont work for me..
Appreciate any help!
My config:
(at the moment only web5 is in use)
ACE-1/CO-WEB1# show run
access-list ANY line 10 extended permit ip any any
access-list icmp line 8 extended permit icmp any any
probe http PROBE-HTTP
interval 3
passdetect interval 10
passdetect count 2
expect status 200 200
expect status 300 323
parameter-map type ssl SSLPARAMS
cipher RSA_WITH_RC4_128_MD5
rserver host vmware-server1
description testserver1
ip address 219.222.4.180
probe PROBE-HTTP
inservice
rserver host vmware-server2
description testserver 2
ip address 219.222.4.181
probe PROBE-HTTP
inservice
rserver host web5
description testserver from windows nlb
ip address 219.222.4.185
probe PROBE-HTTP
inservice
ssl-proxy service SSL-PROXY-SE
key cert-se.key
cert cert-se.pem
ssl advanced-options SSLPARAMS
serverfarm host WM-ware_servers
rserver vmware-server1
inservice
serverfarm host webtest
description testserver-farm
predictor leastconns
rserver vmware-server1 80
rserver vmware-server2 80
rserver web5
inservice
sticky ip-netmask 255.255.255.0 address source STICKY-GROUP1
timeout 60
serverfarm webtest
class-map match-all VIP-HTTP
2 match virtual-address 219.222.4.178 tcp eq www
class-map match-all VIP-HTTPS
2 match virtual-address 219.222.4.178 tcp eq https
class-map type management match-any icmp
description for icmp reply
2 match protocol icmp any
policy-map type management first-match icmp
class icmp
permit
policy-map type loadbalance first-match VIP-HTTP
class class-default
sticky-serverfarm STICKY-GROUP1
policy-map type loadbalance first-match VIP-SSL
class class-default
serverfarm webtest
policy-map multi-match SLB-VIP-HTTP
class VIP-HTTP
loadbalance vip inservice
loadbalance policy VIP-HTTP
loadbalance vip icmp-reply
class VIP-HTTPS
loadbalance vip inservice
loadbalance policy VIP-SSL
loadbalance vip icmp-reply
ssl-proxy server SSL-PROXY-SE
interface vlan 21
description ### ACE OUTSIDE mot FW ###
ip address 219.222.4.171 255.255.255.240
access-group input ANY
access-group output ANY
service-policy input icmp
service-policy input SLB-VIP-HTTP
no shutdown
interface vlan 22
description ### ACE INSIDE Gateway for Web-servers ###
ip address 219.222.4.177 255.255.255.240
access-group input ANY
access-group output ANY
service-policy input icmp
no shutdown
ip route 0.0.0.0 0.0.0.0 219.222.4.161
ACE-1/CO-WEB1#
as seen in "show conn" the sessions is established, first when i enter site, and go to payment (jumping over to SSL):
ACE-1/CO-WEB1# show conn
total current connections : 4
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
4 1 in TCP 21 219.222.0.2:49972 219.222.4.178:443 ESTAB
14 1 out TCP 22 219.222.4.185:443 219.222.0.2:49972 ESTAB
11 2 in TCP 21 219.222.0.2:49923 219.222.4.178:80 ESTAB
3 2 out TCP 22 219.222.4.185:80 219.222.0.2:49923 ESTAB
ACE-1/CO-WEB1#Hello Krille
i had the same problem.
The HTT Probe you define will do a check if
the return code is
expect status 200 200
expect status 300 323
Now if a user is accessing the hppts site, in the flow there will be an expect status like 404, the ACE now is not establish an sticky connection, cause it think that the flow is not ok.
The only output after ther Certificates is a blank site.
If you change the Probing to ICMP you will be able to access the https site and the connection is sticky. With a litte tool like IE Watch you will be able to see the wrong Status codes.
regards
eberhard -
ACE SSL Terminator doesn't work
Hi,
I should implement a balancing HTTP and for HTTPS an SSL terminator on my ACE.
Public IP 22.235.121.6 port 80 --> balanced on 192.168.250.165-166 on port 8889
Public IP 22.235.121.6 port 443 --> my ace terminate ssl and balance the traffic in clear text to 192.168.250.165-166 on port 8889
This is the configuration:
probe http EXAMPLE_IT_HTTP
port 8889
interval 5
faildetect 2
passdetect interval 10
passdetect count 2
request method get url /probe/probe.html
expect status 200 206
expect status 300 307
open 1
serverfarm host example_IT_HTTP
failaction reassign across-interface
predictor leastconns
probe example_IT_HTTP
fail-on-all
rserver H-192.168.250.165 8889
inservice
rserver H-192.168.250.166 8889
inservice
serverfarm host example_IT_HTTPS-HTTP
failaction reassign across-interface
predictor leastconns
probe example_IT_HTTP
fail-on-all
rserver H-192.168.250.165 8889
inservice
rserver H-192.168.250.166 8889
inservice
sticky ip-netmask 255.255.255.255 address both example-IT-HTTPS-HTTP
timeout 60
replicate sticky
serverfarm example_IT_HTTPS-HTTP
ssl-proxy service SSL_example_IT
key example_it.key
cert example_it.cert
chaingroup SSL_CHAIN_example_IT
crypto chaingroup SSL_CHAIN_example_IT
cert example_it.ca
class-map match-all example_IT_HTTP
2 match virtual-address 22.235.121.6 tcp eq www
class-map match-all example_IT_HTTPS-HTTP
2 match virtual-address 22.235.121.6 tcp eq www
policy-map type loadbalance first-match example_IT_HTTP-l7slb
class class-default
serverfarm example_IT_HTTP
policy-map type loadbalance first-match example_IT_HTTPS-HTTP-l7slb
class class-default
sticky-serverfarm example-IT-HTTPS-HTTP
policy-map multi-match int41
class example_IT_HTTP
loadbalance vip inservice
loadbalance policy example_IT_HTTP-l7slb
loadbalance vip icmp-reply active primary-inservice
class example_IT_HTTPS-HTTP
loadbalance vip inservice
loadbalance policy example_IT_HTTPS-HTTP-l7slb
loadbalance vip icmp-reply active primary-inservice
ssl-proxy server SSL_example_IT
the balancing on http work properly, but doesn't work the ssl termination, when I try to connect from my client in https I don't see request on the server 192.168.250.165-166 coming.
Some show:
balancer# sh crypto certificate all
example_it.cert:
Subject: /C=GB/ST=United Kingdom/L=London/O=XXXXXXXX/OU=XXXXXXXXX/CN=*.xxxx.com
Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
Not Before: Apr 11 00:00:00 2014 GMT
Not After: Apr 12 23:59:59 2015 GMT
CA Cert: FALSE
example_it.ca:
Subject: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Not Before: Nov 8 00:00:00 2006 GMT
Not After: Jul 16 23:59:59 2036 GMT
CA Cert: TRUE
balancer# sh crypto session
SSL Session Cache Stats for Context
Number of Client Sessions: 0
Number of Server Sessions: 0
balancer#
balancer# sh crypto files
Filename File File Expor Key/
Size Type table Cert
cisco-sample-cert 1082 PEM Yes CERT
cisco-sample-key 887 PEM Yes KEY
example_it.ca 7444 PEM Yes CERT
example_it.cert 1812 PEM Yes CERT
example_it.key 1675 PEM Yes KEY
balancer#
balancer# crypto verify example_it.key example_it.cert
Keypair in example_it.key matches certificate in example_it.cert.
balancer#
the show stats crypto client/server give me all 0
Someone can help me to understand why is not working ?
for further information please ask me
Thanks a lotHi,
The problem is here:
class-map match-all example_IT_HTTPS-HTTP
2 match virtual-address 22.235.121.6 tcp eq www
You should change it to 443 instead of WWW which means port 80.
You will never match this class "example_IT_HTTPS-HTTP".
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
ACE - SSL Termination is not working
HTTPS is not working from official IE browser but it is working from test Firefox browser. However HTTP is working with both IE and Firefox browsers. This is true for multiple implementations on the ACE service module with SSL termination.
ACE software 3.0(0)A1(4a)
IE v6 SP3 Cipher 128
Firefox v3.6.3
Sample configuration:
access-list FT ethertype permit bpdu
access-list ALL-ACCESS extended permit icmp any any
access-list ALL-ACCESS extended permit ip any any
crypto chaingroup ROOT-CERT
cert abc.PEM
cert xyz.PEM
parameter-map type ssl SSL-PARAMETER-1
cipher RSA_WITH_RC4_128_MD5
cipher RSA_WITH_RC4_128_SHA
cipher RSA_WITH_AES_128_CBC_SHA priority 2
cipher RSA_WITH_AES_256_CBC_SHA
cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
parameter-map type ssl SSL-PARAMETER-2
cipher RSA_WITH_AES_128_CBC_SHA priority 2
ssl-proxy service SSL-1
key KEY-1.PEM
cert CERT-1.PEM
chaingroup ROOT-CERT
ssl advanced-options SSL-PARAMETER-1
ssl-proxy service SSL-2
key KEY-1.PEM
cert CERT-1.PEM
chaingroup ROOT-CERT
ssl advanced-options SSL-PARAMETER-2
ssl-proxy service SSL-3
key KEY-1.PEM
cert CERT-1.PEM
chaingroup ROOT-CERT
rserver host server1
ip address 10.100.15.89
inservice
rserver host server2
ip address 10.100.15.121
inservice
probe http PROBE-1
interval 30
faildetect 2
request method get url /keepalive.htm
expect status 200 200
serverfarm host SERVERFARM-1
probe PROBE-1
rserver server1 80
inservice
rserver server2 80
inservice
sticky ip-netmask 255.255.255.255 address both STICKY-1
timeout 30
replicate sticky
serverfarm SERVERFARM-1
class-map type management match-any REMOTE-ACCESS
match protocol icmp any
match protocol snmp any
match protocol ssh any
match protocol https any
class-map match-all VIP-1
match virtual-address 10.100.15.140 tcp eq https
class-map match-all VIP-2
match virtual-address 10.100.15.140 tcp eq www
policy-map type management first-match REMOTE-ACCESS
class REMOTE-ACCESS
permit
policy-map type loadbalance first-match POLICY-1
class class-default
sticky-serverfarm STICKY-1
policy-map multi-match LB-1
class VIP-1
loadbalance vip inservice
loadbalance vip icmp-reply active
loadbalance policy POLICY-1
ssl-proxy server SSL-1
(i have tried with ssl-proxy server SSL-2 and ssl-proxy server SSL-3 but did not helP)
policy-map multi-match LB-2
class VIP-2
loadbalance vip inservice
loadbalance vip icmp-reply active
loadbalance policy POLICY-1
interface vlan 15
description client vlan
bridge-group 15
mac-sticky enable
access-group input FT
access-group input ALL-ACCESS
access-group output ALL-ACCESS
service-policy input REMOTE-ACCESS
service-policy input LB-1
service-policy input LB-2
no shutdown
interface vlan 2015
description server vlan
bridge-group 15
mac-sticky enable
access-group input FT
access-group input ALL-ACCESS
access-group output ALL-ACCESS
service-policy input REMOTE-ACCESS
no shutdown
interface bvi 15
description bridge group
ip address 10.100.15.5 255.255.255.0
peer ip address 10.100.15.6 255.255.255.0
alias 10.100.15.4 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.100.15.1
note: Subnet, Server Name, Certificate Name and Key Name are modified for security reason.Hello,
We will not be able to determine why your SSL terminated connections fail with only your config. You may want to take a look at a similar thread where someone else was having problems with IE and SSL termination, but Firefox worked fine. It also includes a solid action plan you can use to gather data needed to diagnose root cause. That thread can be viewed at the following link:
https://supportforums.cisco.com/thread/2025417?tstart=0
Also, the ACE software you are running is extremely old now and very buggy. I would strongly urge you to upgrade to A2(2.4) as soon as possible. It will help you avoid some headaches as you move forward.
Hope this helps,
Sean -
We have a new secure site where we are using the ACE as a ssl-proxy. I see connections make it all the way to the servers, but the session eventually times out (Browser responds with "The connection has timed out"). I haven't been able to grab a packet capture yet, but I am looking for some input since I am new to the ACE. We are also set up for sticky connections using cookies.
I see connections to the server but no response back. I also see the cookie places in my browser. Once I close the browser window, the current connection drops.
sh serverfarm SECUREMAIL
serverfarm : SECUREMAIL, type: HOST
total rservers : 2
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: E01
10.0.0.95:8080 8 OPERATIONAL 1 4 0
rserver: E02
10.0.0.98:8080 8 OPERATIONAL 0 1
I verified the cert and keys match with the verify cryto command. If I bypass https and connect via http, I am able to hit the server test page. I attached the scrubbed config.
Any info is appreciated.Make sure clock on supervisor/device has correct date to avoid not before not after check of cert.
Once the configuration is complete, check to make sure the VIP address can be accessed via HTTPS in a web browser. If any certificate errors are shown, this indicates a problem with the certificate, not with the Cisco ACE configuration. The above commands can be used to verify that SSL sessions are being terminated successfully.
When a client’s web browser connects to an SSL server on any device, the browser and server negotiate which encryption cipher to use for the session. The list and order of ciphers presented by the ACE in a default configuration are as follows.
1. CM_SSL_RSA_WITH_RC4_128_MD5
2. CM_SSL_RSA_WITH_RC4_128_SHA
3. CM_SSL_RSA_WITH_DES_CBC_SHA
4. CM_SSL_RSA_WITH_3DES_EDE_CBC_SHA
5. CM_SSL_RSA_WITH_AES_128_CBC_SHA
6. CM_SSL_RSA_WITH_AES_256_CBC_SHA
7. CM_SSL_RSA_EXPORT_WITH_RC4_40_MD5
8. CM_SSL_RSA_EXPORT1024_WITH_RC4_56_MD5
9. CM_SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
10. CM_SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
11. CM_SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
If this list is not desirable or the order needs to be changed, an SSL parameter map can be configured to make such changes.
Can you send the output of the following commands to suggest more on your config
ACE-1/routed#show crypto authgroup all
ACE-1/routed# show conn display 1000 detail
ACE-1/routed# show crypto files
ACE-1/routed# show crypto certificate all
ACE-1/routed# show crypto key all
ACE-1/routed# show crypto session
ACE-1/routed# show crypto hardware
ACE-1/routed# show service-policy detail
Please Display client SSL statistics by entering the the following command and also attach it here so that I can also see what is happening in your ace device:
ACE_module5/Admin# show stats crypto client
+----------------------------------------------+
+---- Crypto client termination statistics ----+
+----------------------------------------------+
SSLv3 negotiated protocol: 0
TLSv1 negotiated protocol: 0
SSLv3 full handshakes: 0
SSLv3 resumed handshakes: 0
SSLv3 rehandshakes: 0
TLSv1 full handshakes: 0
TLSv1 resumed handshakes: 0
TLSv1 rehandshakes: 0
SSLv3 handshake failures: 0
SSLv3 failures during data phase: 0
TLSv1 handshake failures: 0
TLSv1 failures during data phase: 0
Handshake Timeouts: 0
total transactions: 0
SSLv3 active connections: 0
SSLv3 connections in handshake phase: 0
SSLv3 conns in renegotiation phase: 0
SSLv3 connections in data phase: 0
TLSv1 active connections: 0
TLSv1 connections in handshake phase: 0
TLSv1 conns in renegotiation phase: 0
TLSv1 connections in data phase: 0
+----------------------------------------------+
+------- Crypto client alert statistics -------+
+----------------------------------------------+
SSL alert CLOSE_NOTIFY rcvd: 0
SSL alert UNEXPECTED_MSG rcvd: 0
SSL alert BAD_RECORD_MAC rcvd: 0
SSL alert DECRYPTION_FAILED rcvd: 0
SSL alert RECORD_OVERFLOW rcvd: 0
SSL alert DECOMPRESSION_FAILED rcvd: 0
SSL alert HANDSHAKE_FAILED rcvd: 0
SSL alert NO_CERTIFICATE rcvd: 0
SSL alert BAD_CERTIFICATE rcvd: 0
SSL alert UNSUPPORTED_CERTIFICATE rcvd: 0
SSL alert CERTIFICATE_REVOKED rcvd: 0
SSL alert CERTIFICATE_EXPIRED rcvd: 0
SSL alert CERTIFICATE_UNKNOWN rcvd: 0
SSL alert ILLEGAL_PARAMETER rcvd: 0
SSL alert UNKNOWN_CA rcvd: 0
SSL alert ACCESS_DENIED rcvd: 0
SSL alert DECODE_ERROR rcvd: 0
SSL alert DECRYPT_ERROR rcvd: 0
SSL alert EXPORT_RESTRICTION rcvd: 0
SSL alert PROTOCOL_VERSION rcvd: 0
SSL alert INSUFFICIENT_SECURITY rcvd: 0
SSL alert INTERNAL_ERROR rcvd: 0
SSL alert USER_CANCELED rcvd: 0
SSL alert NO_RENEGOTIATION rcvd: 0
SSL alert CLOSE_NOTIFY sent: 0
SSL alert UNEXPECTED_MSG sent: 0
SSL alert BAD_RECORD_MAC sent: 0
SSL alert DECRYPTION_FAILED sent: 0
SSL alert RECORD_OVERFLOW sent: 0
SSL alert DECOMPRESSION_FAILED sent: 0
SSL alert HANDSHAKE_FAILED sent: 0
SSL alert NO_CERTIFICATE sent: 0
SSL alert BAD_CERTIFICATE sent: 0
SSL alert UNSUPPORTED_CERTIFICATE sent: 0
SSL alert CERTIFICATE_REVOKED sent: 0
SSL alert CERTIFICATE_EXPIRED sent: 0
SSL alert CERTIFICATE_UNKNOWN sent: 0
SSL alert ILLEGAL_PARAMETER sent: 0
SSL alert UNKNOWN_CA sent: 0
SSL alert ACCESS_DENIED sent: 0
SSL alert DECODE_ERROR sent: 0
SSL alert DECRYPT_ERROR sent: 0
SSL alert EXPORT_RESTRICTION sent: 0
SSL alert PROTOCOL_VERSION sent: 0
SSL alert INSUFFICIENT_SECURITY sent: 0
SSL alert INTERNAL_ERROR sent: 0
SSL alert USER_CANCELED sent: 0
SSL alert NO_RENEGOTIATION sent: 0
+-----------------------------------------------+
+--- Crypto client authentication statistics ---+
+-----------------------------------------------+
Total SSL client authentications: 0
Failed SSL client authentications: 0
SSL client authentication cache hits: 0
SSL static CRL lookups: 0
SSL best effort CRL lookups: 0
SSL CRL lookup cache hits: 0
SSL revoked certificates: 0
Total SSL server authentications: 0
Failed SSL server authentications: 0
+-----------------------------------------------+
+------- Crypto client cipher statistics -------+
+-----------------------------------------------+
Cipher sslv3_rsa_rc4_128_md5: 0
Cipher sslv3_rsa_rc4_128_sha: 0
Cipher sslv3_rsa_des_cbc_sha: 0
Cipher sslv3_rsa_3des_ede_cbc_sha: 0
Cipher sslv3_rsa_exp_rc4_40_md5: 0
Cipher sslv3_rsa_exp_des40_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_md5: 0
Cipher sslv3_rsa_exp1024_des_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_sha: 0
Cipher sslv3_rsa_aes_128_cbc_sha: 0
Cipher sslv3_rsa_aes_256_cbc_sha: 0
Cipher tlsv1_rsa_rc4_128_md5: 0
Cipher tlsv1_rsa_rc4_128_sha: 0
Cipher tlsv1_rsa_des_cbc_sha: 0
Cipher tlsv1_rsa_3des_ede_cbc_sha: 0
Cipher tlsv1_rsa_exp_rc4_40_md5: 0
Cipher tlsv1_rsa_exp_des40_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_md5: 0
Cipher tlsv1_rsa_exp1024_des_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_sha: 0
Cipher tlsv1_rsa_aes_128_cbc_sha: 0
Cipher tlsv1_rsa_aes_256_cbc_sha: 0
To Display SSL server statistics by entering the following command and send the results to us for further suggestions:
ACE_module5/Admin# show stats crypto server
+----------------------------------------------+
+---- Crypto server termination statistics ----+
+----------------------------------------------+
SSLv3 negotiated protocol: 0
TLSv1 negotiated protocol: 0
SSLv3 full handshakes: 0
SSLv3 resumed handshakes: 0
SSLv3 rehandshakes: 0
TLSv1 full handshakes: 0
TLSv1 resumed handshakes: 0
TLSv1 rehandshakes: 0
SSLv3 handshake failures: 0
SSLv3 failures during data phase: 0
TLSv1 handshake failures: 0
TLSv1 failures during data phase: 0
Handshake Timeouts: 0
total transactions: 0
SSLv3 active connections: 0
SSLv3 connections in handshake phase: 0
SSLv3 conns in renegotiation phase: 0
SSLv3 connections in data phase: 0
TLSv1 active connections: 0
TLSv1 connections in handshake phase: 0
TLSv1 conns in renegotiation phase: 0
TLSv1 connections in data phase: 0
+----------------------------------------------+
+------- Crypto server alert statistics -------+
+----------------------------------------------+
SSL alert CLOSE_NOTIFY rcvd: 0
SSL alert UNEXPECTED_MSG rcvd: 0
SSL alert BAD_RECORD_MAC rcvd: 0
SSL alert DECRYPTION_FAILED rcvd: 0
SSL alert RECORD_OVERFLOW rcvd: 0
SSL alert DECOMPRESSION_FAILED rcvd: 0
SSL alert HANDSHAKE_FAILED rcvd: 0
SSL alert NO_CERTIFICATE rcvd: 0
SSL alert BAD_CERTIFICATE rcvd: 0
SSL alert UNSUPPORTED_CERTIFICATE rcvd: 0
SSL alert CERTIFICATE_REVOKED rcvd: 0
SSL alert CERTIFICATE_EXPIRED rcvd: 0
SSL alert CERTIFICATE_UNKNOWN rcvd: 0
SSL alert ILLEGAL_PARAMETER rcvd: 0
SSL alert UNKNOWN_CA rcvd: 0
SSL alert ACCESS_DENIED rcvd: 0
SSL alert DECODE_ERROR rcvd: 0
SSL alert DECRYPT_ERROR rcvd: 0
SSL alert EXPORT_RESTRICTION rcvd: 0
SSL alert PROTOCOL_VERSION rcvd: 0
SSL alert INSUFFICIENT_SECURITY rcvd: 0
SSL alert INTERNAL_ERROR rcvd: 0
SSL alert USER_CANCELED rcvd: 0
SSL alert NO_RENEGOTIATION rcvd: 0
SSL alert CLOSE_NOTIFY sent: 0
SSL alert UNEXPECTED_MSG sent: 0
SSL alert BAD_RECORD_MAC sent: 0
SSL alert DECRYPTION_FAILED sent: 0
SSL alert RECORD_OVERFLOW sent: 0
SSL alert DECOMPRESSION_FAILED sent: 0
SSL alert HANDSHAKE_FAILED sent: 0
SSL alert NO_CERTIFICATE sent: 0
SSL alert BAD_CERTIFICATE sent: 0
SSL alert UNSUPPORTED_CERTIFICATE sent: 0
SSL alert CERTIFICATE_REVOKED sent: 0
SSL alert CERTIFICATE_EXPIRED sent: 0
SSL alert CERTIFICATE_UNKNOWN sent: 0
SSL alert ILLEGAL_PARAMETER sent: 0
SSL alert UNKNOWN_CA sent: 0
SSL alert ACCESS_DENIED sent: 0
SSL alert DECODE_ERROR sent: 0
SSL alert DECRYPT_ERROR sent: 0
SSL alert EXPORT_RESTRICTION sent: 0
SSL alert PROTOCOL_VERSION sent: 0
SSL alert INSUFFICIENT_SECURITY sent: 0
SSL alert INTERNAL_ERROR sent: 0
SSL alert USER_CANCELED sent: 0
SSL alert NO_RENEGOTIATION sent: 0
+-----------------------------------------------+
+--- Crypto server authentication statistics ---+
+-----------------------------------------------+
Total SSL client authentications: 0
Failed SSL client authentications: 0
SSL client authentication cache hits: 0
SSL static CRL lookups: 0
SSL best effort CRL lookups: 0
SSL CRL lookup cache hits: 0
SSL revoked certificates: 0
Total SSL server authentications: 0
Failed SSL server authentications: 0
+-----------------------------------------------+
+------- Crypto server cipher statistics -------+
+-----------------------------------------------+
Cipher sslv3_rsa_rc4_128_md5: 0
Cipher sslv3_rsa_rc4_128_sha: 0
Cipher sslv3_rsa_des_cbc_sha: 0
Cipher sslv3_rsa_3des_ede_cbc_sha: 0
Cipher sslv3_rsa_exp_rc4_40_md5: 0
Cipher sslv3_rsa_exp_des40_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_md5: 0
Cipher sslv3_rsa_exp1024_des_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_sha: 0
Cipher sslv3_rsa_aes_128_cbc_sha: 0
Cipher sslv3_rsa_aes_256_cbc_sha: 0
Cipher tlsv1_rsa_rc4_128_md5: 0
Cipher tlsv1_rsa_rc4_128_sha: 0
Cipher tlsv1_rsa_des_cbc_sha: 0
Cipher tlsv1_rsa_3des_ede_cbc_sha: 0
Cipher tlsv1_rsa_exp_rc4_40_md5: 0
Cipher tlsv1_rsa_exp_des40_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_md5: 0
Cipher tlsv1_rsa_exp1024_des_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_sha: 0
Cipher tlsv1_rsa_aes_128_cbc_sha: 0
Cipher tlsv1_rsa_aes_256_cbc_sha: 0
Also you can Display the number of SSL data messages sent and SSL FIN/RST messages sent by entering the following command and send the output from your ACE devices:
ACE_module5/Admin# show stats http
+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 0 , TCP data msgs sent : 0
Inspect parse result msgs : 0 , SSL data msgs sent : 0 <-------
sent
TCP fin/rst msgs sent : 0 , Bounced fin/rst msgs sent: 0
SSL fin/rst msgs sent : 0 , Unproxy msgs sent : 0 <-------
Drain msgs sent : 0 , Particles read : 0
Reuse msgs sent : 0 , HTTP requests : 0
Reproxied requests : 0 , Headers removed : 0
Headers inserted : 0 , HTTP redirects : 0
HTTP chunks : 0 , Pipelined requests : 0
HTTP unproxy conns : 0 , Pipeline flushes : 0
Whitespace appends : 0 , Second pass parsing : 0
Response entries recycled : 0 , Analysis errors : 0
Header insert errors : 0 , Max parselen errors : 0
Static parse errors : 0 , Resource errors : 0
Invalid path errors : 0 , Bad HTTP version errors : 0
Headers rewritten : 0 , Header rewrite errors : 0
Lastly to Display session cache statistics for the current context by entering the following command:
switch/Admin# show crypto session
SSL Session Cache Stats for Context
Number of Client Sessions: 0
Number of Server Sessions: 0
Please send the output of all the commands requested to see in more detail for your issue.
HTH
Sachin
Maybe you are looking for
-
Can i move iTunes app purchases from one account to another?
My daughter has an itues account and she uses it for her purchases from the itunes store. She purchased an iPod Touch for her son and used her account with the iPod to purchase apps for him. She just purchased an iPad for him and obviously all the
-
"Class Formatting Error" in a java applet? (Solved)
(This problem is completely my fault and it would be hard to provide enough information to request and answer. Disregard this message.) I've been developing a java applet to go on my website, but when running it tosses a "java.lang.ClassFormatError:
-
IPhoto events appear empty but only when I click on them...
After reaching 56,000 photos in my iphoto library, I decided to upgrade to Aperture 3.3 I have tried sharing the iphoto library between both programs but in iPhoto there is a strange problem... If I click on "Photos" all my photos are there. If I cli
-
I am trying to use DV Kitchen to encode an HD movie from FCP. In all their glossy advertising and their "Hey guys it's all so simple blurb" they don't seem to mention exactly how you get the movie from FCP into DV Kitchen to start with. Anyone got an
-
Where does iphone 4 store files
I was looking for a free ebook file which I found through Safari on my iPhone 4 but accidentally clicked the link to download the file which I meant to do at home on my iMac. I don't know if the download even worked but if it did, does anyone know wh