ACE SSL Proxy performance issue

Hi, I've got an ACE module in a 6500 that is being used as an SSL proxy for a web service.
So the configuration is fairly basic: it matches a VIP which has been NATed from the public IP address port 443 and load balances over a number of rservers with the server ports being set to 80.
The problem is the main web site is hosted elsewhere, so when they switch to checkout on a secure port the browser page requests multiple https:// files.
The users are seeing very slow page loads, considerably longer than the equivalent on http and more than you'd expect. The ACE is nowhere near any throughput or transaction limits.
My concern is how the session is tracked: would the ACE attempt to renegotiate with every https:// GET? I've seen example configs for stickiness inserting cookies for normal end-to-end load balancing but not with an SSL proxy configuration.

Hi Craig,
The SSL negotiation/handshake will happen every time a client opens a new TCP connection, i.e. comes with a different source port.
To make sure that ACE doesn't renegotiate you can try and use this command:
(config-parammap-ssl)# session-cache timeout . You can use 24 hours or any time you think is suitable.
This is basically to enable SSL session reuse. A little explanation below for your reference:
When a client connects to a server over SSL, the server creates a session for that connection. This session ID is sent as a part of the Server Hello message. This is to make things efficient, in case the client has any plans of closing the current connection and reconnecting in the near future. Most servers have a timeout for these sessions (I think 24 hours is a common value, unless pressed for space).
When the client connects to the same server again, it can send the same session ID as a part of the Client Hello. The server will first look up if it can find any sessions with that ID. If found, the same session will be reused. Thus the time spent in verifying the certs and negotiating the keys is saved. If the server cannot find a matching session, then it responds with a new session ID and its certificate in the Server Hello message. The client knows that it has to verify the cert and negotiate the key again.
A considerable amount of time is spent in validating server certs. Reusing the SSL session will save this time.
Having said that, you need to check if the client is coming with a session ID which it got in the previous handshake or not. If it doesn't and it is a new TCP connection then the SSL handshake will happen. Please enable that command before testing.
Also, ensure that you have allocated proper SSL resources to your context. Lack of resources can also cause dropped connections and sluggish performance.
Regards,
Kanwal
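
One way to confirm that session reuse is taking effect after enabling the session cache is to compare the full and resumed handshake counters between two snapshots of `show stats crypto server`. This is an added example, not part of the original reply; the counter names follow the `show stats crypto server` output shown further down this page, and the sample values are constructed.

```python
import re

# Constructed snapshots in the layout of "show stats crypto server".
# Counter values are made up for illustration.
SAMPLE_BEFORE = """\
+---- Crypto server termination statistics ----+
SSLv3 full handshakes:                          120
SSLv3 resumed handshakes:                         0
TLSv1 full handshakes:                          880
TLSv1 resumed handshakes:                         0
TLSv1 handshake failures:                         1
"""
SAMPLE_AFTER = """\
+---- Crypto server termination statistics ----+
SSLv3 full handshakes:                          120
SSLv3 resumed handshakes:                         0
TLSv1 full handshakes:                         1000
TLSv1 resumed handshakes:                       360
TLSv1 handshake failures:                         1
"""

# "<counter name>:   <integer>" lines; banner lines have no colon and are skipped.
COUNTER_RE = re.compile(r"^\s*([^:+]+?):\s+(\d+)\s*$")


def parse_counters(text):
    """Return {counter name: value} for every 'name: number' line."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


def _delta(before, after, name):
    """Counter growth between snapshots; if the counter went backwards
    (stats cleared or module reloaded), fall back to the newer value."""
    prev, cur = before.get(name, 0), after.get(name, 0)
    return cur - prev if cur >= prev else cur


def handshake_summary(before_text, after_text):
    """Per-protocol full/resumed handshake counts in the interval and the
    share of handshakes that were resumed (None if there were none)."""
    before, after = parse_counters(before_text), parse_counters(after_text)
    summary = {}
    for proto in ("SSLv3", "TLSv1"):
        full = _delta(before, after, f"{proto} full handshakes")
        resumed = _delta(before, after, f"{proto} resumed handshakes")
        total = full + resumed
        pct = round(100.0 * resumed / total, 1) if total else None
        summary[proto] = {"full": full, "resumed": resumed, "resumed_pct": pct}
    return summary


if __name__ == "__main__":
    for proto, row in handshake_summary(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        print(proto, row)
```

A resumed share that stays at zero while full handshakes keep climbing means clients are not presenting a cached session ID, or the cache is not enabled on the parameter map in use.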

Similar Messages

  • ACE behind Reverse Proxy - performance issue

    Hi,
      I've got a config working to accommodate the required use of reverse proxy servers in front of my application servers.  Traffic comes into the Front ACE and I insert a header "SRCIP" with the original client IP address which is preserved through the Rev Proxy servers and is then inspected on the Back ACE to create a sticky to a given application server/SRCIP pairing.  The use of the RP's appears to require using the persistence-rebalance option, otherwise the traffic gets stuck to the wrong app server.  The app functions perfectly with this config; however, there is a severe performance impact.  Using load-runner, we see response times go from 1.5 seconds to 16 seconds for the same transactions comparing this config to a previous config which used static sticky to bind the RP to the app servers.
    Question:  Is there a better way to do this and remain dynamic, or some way to optimize this approach to reduce the performance impact?
    Relevant Config for both ACE's here:
    !!Front ACE
    parameter-map type http HTTP_REBAL
      persistence-rebalance
      length-exceed continue
    sticky ip-netmask 255.255.255.255 address source ALPHA-SRCIP-sticky
      timeout 60
      replicate sticky
      serverfarm ALPHA
    policy-map type loadbalance first-match vip-R1A-ALPHA
      class class-default
        sticky-serverfarm ALPHA-SRCIP-sticky
        insert-http SRCIP header-value "%is"
    policy-map multi-match PREP-VIP
      class VIP-ALPHA-R1A
        loadbalance vip inservice
        loadbalance policy vip-R1A-ALPHA
        appl-parameter http advanced-options HTTP_REBAL
        ssl-proxy server SSL_ALPHA_R1A
    !!Back ACE
    parameter-map type http HTTP_REBAL
      persistence-rebalance
      length-exceed continue
    sticky http-header SRCIP ALPHA-SRCIP-sticky
      timeout 60
      replicate sticky
      serverfarm coresoms-ALPHAfarm
    class-map type http loadbalance match-all SRCIP-MAP
      2 match http header SRCIP header-value ".*"
    policy-map type loadbalance first-match vip-lb-ALPHA
      class SRCIP-MAP
        sticky-serverfarm ALPHA-SRCIP-sticky
    policy-map multi-match lb-vip
      class VIP-ALPHA
        loadbalance vip inservice
        loadbalance policy vip-lb-ALPHA
        appl-parameter http advanced-options HTTP_REBAL

    Hi Joseph,
    To achieve this you need to do stickiness based on some L7 parameter (either the header you are currently using or some cookie), so, whatever you do you will have to use persistence rebalance.
    I have one possible theory for your issue.
    The ACE has two different ways of treating the L7 connections internally, that we call "proxied" and "unproxied". In essence, the proxied mode means that the traffic will be processed by one of the CPU (normally to inspect/modify the L7 data), while, on the unproxied mode, the ACE sets up a hardware shortcut that allows forwarding traffic without the need to do any processing on it.
    For a L7 connection, the ACE will proxy it at the beginning, and, once all the L7 processing has been done, it will unproxy the connection to save resources. Before it goes ahead with the unproxying, it needs to see the ACK for the last L7 data sent. This wait, in an Internet environment, can introduce around 100-200ms of delay for each HTTP request, which can end up adding up to a very big delay. By default, if the ACE sees that the RTT to the client is more than 200ms, the connection will never be unproxied to avoid these delays, so I think we could fix your issue by tweaking this threshold.
    From what you described, I assume you don't have many connections (because they all come through a proxy) and that the connections will have a lot of HTTP requests inside. With that in mind, I would suggest setting the threshold to 0 to ensure connections are always kept proxied. To do this, you would need to configure a parameter map like the one below and add it to your VIP:
        parameter-map type connection
          set tcp wan-optimization rtt 0
    Even though this setting may avoid your issue, it also has some drawbacks. The main one is that the ACE20 only supports up to 512K simultaneous L7 connections in proxied state (which includes also the connections towards the servers, so, it would be 250K for client connections), so, if the amount of simultaneous connections reaches that limit, new connections would be dropped. The second issue, although not so impacting, would be that the maximum number of connections per second supported would also go down slightly due to the increased processing needed.
    I hope this helps
    Daniel

  • Ace ssl-proxy problem, Online store.

    Hello!
    I have a problem with moving our online store load balancing to a Cisco ACE solution from the Windows NLB that it runs on now, and also relieving the servers of the SSL encryption and decryption of sessions.
    The load balancing works, as long as the session is HTTP, but when the "customer" comes to the point that he is going to pay, our shop jumps over to HTTPS and this is where the problem appears.
    The "customer" is getting the certificate right but the site is not displayed = the session to the shop seems to die.
    If I have missed something in the config or if someone has any other idea why this doesn't work for me...
    Appreciate any help!
    My config:
    (at the moment only web5 is in use)
    ACE-1/CO-WEB1# show run
    access-list ANY line 10 extended permit ip any any
    access-list icmp line 8 extended permit icmp any any
    probe http PROBE-HTTP
      interval 3
      passdetect interval 10
      passdetect count 2
      expect status 200 200
      expect status 300 323
    parameter-map type ssl SSLPARAMS
      cipher RSA_WITH_RC4_128_MD5
    rserver host vmware-server1
      description testserver1
      ip address 219.222.4.180
      probe PROBE-HTTP
      inservice
    rserver host vmware-server2
      description testserver 2
      ip address 219.222.4.181
      probe PROBE-HTTP
      inservice
    rserver host web5
      description testserver from windows nlb
      ip address 219.222.4.185
      probe PROBE-HTTP
      inservice
    ssl-proxy service SSL-PROXY-SE
      key cert-se.key
      cert cert-se.pem
      ssl advanced-options SSLPARAMS
    serverfarm host WM-ware_servers
      rserver vmware-server1
        inservice
    serverfarm host webtest
      description testserver-farm
      predictor leastconns
      rserver vmware-server1 80
      rserver vmware-server2 80
      rserver web5
        inservice
    sticky ip-netmask 255.255.255.0 address source STICKY-GROUP1
      timeout 60
      serverfarm webtest
    class-map match-all VIP-HTTP
      2 match virtual-address 219.222.4.178 tcp eq www
    class-map match-all VIP-HTTPS
      2 match virtual-address 219.222.4.178 tcp eq https
    class-map type management match-any icmp
      description for icmp reply
      2 match protocol icmp any
    policy-map type management first-match icmp
      class icmp
        permit
    policy-map type loadbalance first-match VIP-HTTP
      class class-default
        sticky-serverfarm STICKY-GROUP1
    policy-map type loadbalance first-match VIP-SSL
      class class-default
        serverfarm webtest
    policy-map multi-match SLB-VIP-HTTP
      class VIP-HTTP
        loadbalance vip inservice
        loadbalance policy VIP-HTTP
        loadbalance vip icmp-reply
      class VIP-HTTPS
        loadbalance vip inservice
        loadbalance policy VIP-SSL
        loadbalance vip icmp-reply
        ssl-proxy server SSL-PROXY-SE
    interface vlan 21
      description ### ACE OUTSIDE mot FW ###
      ip address 219.222.4.171 255.255.255.240
      access-group input ANY
      access-group output ANY
      service-policy input icmp
      service-policy input SLB-VIP-HTTP
      no shutdown
    interface vlan 22
      description ### ACE INSIDE Gateway for Web-servers ###
      ip address 219.222.4.177 255.255.255.240
      access-group input ANY
      access-group output ANY
      service-policy input icmp
      no shutdown
    ip route 0.0.0.0 0.0.0.0 219.222.4.161
    ACE-1/CO-WEB1#
    As seen in "show conn", the session is established, first when I enter the site and go to payment (jumping over to SSL):
    ACE-1/CO-WEB1# show conn
    total current connections : 4
    conn-id np dir proto vlan source destination state
    ----------+--+---+-----+----+---------------------+---------------------+------+
    4 1 in TCP 21 219.222.0.2:49972 219.222.4.178:443 ESTAB
    14 1 out TCP 22 219.222.4.185:443 219.222.0.2:49972 ESTAB
    11 2 in TCP 21 219.222.0.2:49923 219.222.4.178:80 ESTAB
    3 2 out TCP 22 219.222.4.185:80 219.222.0.2:49923 ESTAB
    ACE-1/CO-WEB1#

    Hello Krille
    i had the same problem.
    The HTTP probe you define will check whether the return code is
    expect status 200 200
    expect status 300 323
    Now if a user is accessing the https site, in the flow there will be a status like 404; the ACE then does not establish a sticky connection, because it thinks that the flow is not OK.
    The only output after the certificates is a blank site.
    If you change the probing to ICMP you will be able to access the https site and the connection is sticky. With a little tool like IE Watch you will be able to see the wrong status codes.
    regards
    eberhard

  • Help Required - File to Proxy (Performance Issue)

    Hi All,
         One of my file to proxy scenario is taking 3 to 4 days to execute.
    Basically XI picks up a file of 2-3 lakh records and pushes it to SAP via ABAP proxy. On the ABAP side, a BDC call is made to process the data. But the whole scenario takes 3 to 4 days for execution.
    The scenario is an asynch scenario and BPM is not used as it's a very straightforward scenario. Also the file can't be split into, say, 10,000 records each because all of these records are interrelated and have to go to the SAP end in a single shot.
    Is there anything which can be done on either the XI or ABAP side to optimize the scenario?
    Thanks,
    Joe.

    Joe,
    Can you give more details?
    Is this an Asynch call or a synch call?
    Are you using a BPM, etc, maybe there is something wrong in the way you have designed your interface.
    Proxies are supposed to provide the best performance and the fact that it is taking such a long time is really strange, so maybe if you can give us details on your interface, some reason for this issue can be found.
    Meanwhile also look into this guide,
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/70ada5ef-0201-0010-1f8b-c935e444b0ad
    Regards
    Bhavesh

  • Performance issues in Proxy-XI-Jdbc scenario

    Hello,
    I have developed a proxy to JDBC synchronous scenario.
    My scenario works like this.
    I run an ABAP program which calls a client proxy;
    the proxy fetches the data from a database table and returns the data to the ABAP program (select query).
    There are serious performance issues when we are running the report:
    it takes around 2-5 minutes, and at times when multiple users are logged in it takes around 5-20 minutes.
    It seems that most of the time is consumed in the data fetching.
    Please help me to find some solution so that we can fine-tune the performance on the PI side.
    Are there any options on the JDBC CC which can help us in making the queries faster?
    thanks
    kannu.

    Kanu16 ,
    Issue seems to be at r/3 end..
    1. Make sure that the report program is using the select query in a proper fashion.
    2. Avoid using nested loops.
    3. Hope not many validations are being done on the selected data.
    An ABAPer can help you optimize this.
    By debugging you can find out the exact reason behind it.
    Regards ,

  • SSL cert size issue

    Hi all,
    here is my conf/version:
    Software
      loader:    Version 12.2[123]
      system:    Version A2(3.2) [build 3.0(0)A2(3.2)]
      system image file: [LCP] disk0:c6ace-t1k9-mz.A2_3_2.bin
      installed license: no feature license is installed
    crypto chaingroup myurl.chain
      cert myurl.chain
    ssl-proxy service MYURL
      key myurl.key
      cert myurl.cert
      chaingroup myurl.chain
    yesterday :
    # sh crypto files
    Filename                                 File  File    Expor      Key/
                                              Size  Type    table      Cert
    myurl.cert                             16346 PEM     Yes        CERT
    myurl.key                              1679  PEM     Yes         KEY
    myurl.chain                           4972  PEM     Yes        CERT
    $ curl https://myurl.com
    curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    More details here: http://curl.haxx.se/docs/sslcerts.html
    curl performs SSL certificate verification by default, using a "bundle"
    of Certificate Authority (CA) public keys (CA certs). If the default
    bundle file isn't adequate, you can specify an alternate file
    using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
    the -k (or --insecure) option.
    today, no problem with curl :
    # sh crypto files
    Filename                                 File  File    Expor      Key/
                                              Size  Type    table      Cert
    myurl.cert                             16253 PEM     Yes        CERT
    myurl.key                              1675  PEM     Yes         KEY
    myurl.chain                           4972  PEM     Yes        CERT
    Is there an issue with cert or key size ?

    Sorry, the question was "how did you fix it the first time ?"
    Or are you talking about different devices ?
    Also, be aware that ACE loads your key/cert in memory and stops using the one in flash.
    Even if you modify the files in flash, that does not mean ACE updates the info it has in memory.
    So if the files got corrupted and you upload new ones using the same name, it is possible that ACE kept using the old ones it has in memory.
    I usually recommend to use different names and update the ssl-proxy config with the new names in order to force to reload the new info.
    Or remove completely the ssl-proxy config, upload new files and reconfigure the proxy.
    Gilles.

  • Is it possible to view individual SSL-proxy service usage (TPS)?

    Hi,
    Can the ACE provide any detail above and beyond just the overall ssl-connection rate for a particular context?
    I have an ACE with two contexts and multiple ssl-proxy services configured within each and it would be really helpful to know the ssl-connection rate associated with each service (current, average, peak, etc) as I've got the issue where the SSL resource limit for one of the contexts has been reached and I don't know which service has jumped up in usage;-
    Allocation
    Resource Current Peak Min Max Denied
    ssl-connections rate 0 250 250 250 351
    I can set up custom MIB pollers based on OID values within our SolarWinds network monitoring system so even if the information isn't directly available through the ACE CLI but has an associated OID I'd be grateful for the info if any one knows it (or even just the OIDs that contain the connection rate values from the 'sh resource usage' command so I can graph the overall usage against date/time within SolarWinds).
    Thanks
    Matthew

    Matthew,
    I do not know the OID to poll the service-policy info.
    But if you do a 'show service-policy ' at regular intervals and compare the hit count, you can compute the connection rate for each service policy individually.
    Gilles.
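
The approach described in the reply above, as an added example that is not part of the original post: two `show service-policy` captures are parsed and the per-class connection rate is computed from the change in hit count. The field layout follows the `show service-policy` output shown elsewhere on this page; the class names, ssl-proxy names, counter values and the 60-second interval are constructed.

```python
import re

# Constructed captures, taken 60 seconds apart (hypothetical names and values).
SNAP_T0 = """\
  service-policy: lb-vip
    class: vip-shop
      ssl-proxy server: shop-ssl
      loadbalance:
        curr conns       : 3         , hit count        : 1000
        dropped conns    : 10
        conn-rate-limit      : 0         , drop-count : 0
    class: vip-api
      ssl-proxy server: api-ssl
      loadbalance:
        curr conns       : 1         , hit count        : 500
        dropped conns    : 0
"""
SNAP_T1 = """\
  service-policy: lb-vip
    class: vip-shop
      ssl-proxy server: shop-ssl
      loadbalance:
        curr conns       : 7         , hit count        : 1600
        dropped conns    : 40
        conn-rate-limit      : 0         , drop-count : 0
    class: vip-api
      ssl-proxy server: api-ssl
      loadbalance:
        curr conns       : 1         , hit count        : 530
        dropped conns    : 0
"""

POLICY_RE = re.compile(r"^\s*service-policy:\s*(\S+)")
CLASS_RE = re.compile(r"^\s*class:\s*(\S+)")
HIT_RE = re.compile(r"hit count\s*:\s*(\d+)")
DROP_RE = re.compile(r"dropped conns\s*:\s*(\d+)")


def parse_snapshot(text):
    """Return {(service-policy, class): {"hits": n, "dropped": n}}."""
    stats, policy, key = {}, None, None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy, key = m.group(1), None
            continue
        m = CLASS_RE.match(line)
        if m:
            key = (policy, m.group(1))
            stats[key] = {"hits": 0, "dropped": 0}
            continue
        if key is None:
            continue
        m = HIT_RE.search(line)
        if m:
            stats[key]["hits"] = int(m.group(1))
        m = DROP_RE.search(line)
        if m:
            stats[key]["dropped"] = int(m.group(1))
    return stats


def connection_rates(old_text, new_text, interval_s):
    """Connections per second and new drops per class between two captures.
    Classes that are new, or whose counters went backwards (cleared stats),
    are skipped because no valid delta exists for them."""
    if interval_s <= 0:
        raise ValueError("interval_s must be positive")
    old, new = parse_snapshot(old_text), parse_snapshot(new_text)
    rates = {}
    for key, cur in new.items():
        prev = old.get(key)
        if prev is None or cur["hits"] < prev["hits"]:
            continue
        rates[key] = {
            "conn_per_s": (cur["hits"] - prev["hits"]) / interval_s,
            "dropped": max(cur["dropped"] - prev["dropped"], 0),
        }
    return rates


def busiest(rates):
    """Key of the class with the highest connection rate."""
    return max(rates, key=lambda k: rates[k]["conn_per_s"])


if __name__ == "__main__":
    result = connection_rates(SNAP_T0, SNAP_T1, 60)
    for key, row in sorted(result.items()):
        print(key, row)
    print("busiest:", busiest(result))
```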

  • ACE SSL terminate not working ... please help

    Hello, I configured a Cisco ACE 4710 with ssl-proxy and it is not working, but http://10.1.40.2 and http://10.1.40.3 are OK.  When I go to https://10.1.41.20 the output is: "There is a problem with this website's security certificate", so I click "Continue to this website (not recommended)" and the ACE doesn't balance; the output shows the error "Internet Explorer cannot display the webpage".
    The configuration:
    ace-demo/Admin# sh run
    Generating configuration....
    boot system image:c4710ace-mz.A3_2_4.bin
    boot system image:c4710ace-mz.A3_2_1.bin
    login timeout 0
    hostname ace-demo
    interface gigabitEthernet 1/1
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/2
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/3
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/4
      channel-group 1
      no shutdown
    interface port-channel 1
      switchport trunk allowed vlan 400-401,450
      no shutdown
    crypto csr-params testparams
      country PE
      state Lima
      locality Lima
      organization-name TI
      organization-unit TI
      common-name www.yyy.com
      serial-number 1000
    access-list anyone line 8 extended permit ip any any
    access-list anyone line 16 extended permit icmp any any
    parameter-map type ssl sslparams
      cipher RSA_WITH_RC4_128_MD5
      version SSL3
    rserver host rsrv1
      ip address 10.1.40.2
      inservice
    rserver host rsrv2
      ip address 10.1.40.3
      inservice
    serverfarm host farm-demo
      rserver rsrv1
        inservice
      rserver rsrv2
        inservice
    serverfarm host site-A
      rserver rsrv1
        inservice
    serverfarm host site-B
      rserver rsrv2
        inservice
    ssl-proxy service testssl
      key testkey.key
      cert testcert.pem
      ssl advanced-options sslparams
    class-map type management match-any MGMT
      2 match protocol icmp any
      3 match protocol http any
      4 match protocol https any
      5 match protocol snmp any
      6 match protocol telnet any
      7 match protocol ssh any
    class-map match-any VIP
      6 match virtual-address 10.1.41.10 any
    class-map type generic match-any WAN-site-A
      2 match source-address 192.168.10.106 255.255.255.255
      3 match source-address 192.168.10.125 255.255.255.255
    class-map type generic match-any WAN-site-B
      2 match source-address 192.168.10.96 255.255.255.255
      3 match source-address 192.168.10.93 255.255.255.255
    class-map type management match-any icmp
      2 match protocol icmp any
    class-map match-any vip-ssl-10.1.41.20
      2 match virtual-address 10.1.41.20 tcp eq https
    policy-map type management first-match ICMP
      class icmp
        permit
    policy-map type management first-match MGMT
      class MGMT
        permit
    policy-map type loadbalance first-match vip-ssl-10.1.41.20
      class class-default
        serverfarm farm-demo
    policy-map type loadbalance generic first-match lb-server
      class WAN-site-A
        serverfarm site-A
      class WAN-site-B
        serverfarm site-B
      class class-default
        serverfarm farm-demo
    policy-map multi-match client-side
      class VIP
        loadbalance vip inservice
        loadbalance policy lb-server
    policy-map multi-match lb-vip
      class vip-ssl-10.1.41.20
        loadbalance vip inservice
        loadbalance policy vip-ssl-10.1.41.20
        loadbalance vip icmp-reply
        ssl-proxy server testssl
    interface vlan 400
      description side-server
      ip address 10.1.40.1 255.255.255.0
      access-group input anyone
      service-policy input ICMP
      no shutdown
    interface vlan 401
      description side-client
      ip address 10.1.41.1 255.255.255.0
      access-group input anyone
      access-group output anyone
      service-policy input ICMP
      service-policy input client-side
      service-policy input lb-vip
      no shutdown
    interface vlan 450
      description mgmt
      ip address 10.1.45.1 255.255.255.0
      access-group input anyone
      service-policy input MGMT
      no shutdown
    ip route 192.168.10.0 255.255.255.0 10.1.45.10
    And the proof:
    ace-demo/Admin# sh serverfarm farm-demo
    serverfarm     : farm-demo, type: HOST
    total rservers : 2
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: rsrv1
           10.1.40.2:0           8      OPERATIONAL  0          25         19
       rserver: rsrv2
           10.1.40.3:0           8      OPERATIONAL  0          23         18
    ace-demo/Admin# sh crypto files
    Filename                                 File  File    Expor      Key/
                                             Size  Type    table      Cert
    admin                                    887   PEM     Yes         KEY
    testcert.pem                             709   PEM     Yes        CERT
    testkey.key                              497   PEM     Yes         KEY
    ace-demo/Admin#
    ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
    Status     : ACTIVE
    Interface: vlan 1 401
      service-policy: lb-vip
        class: vip-ssl-10.1.41.20
          ssl-proxy server: testssl
          loadbalance:
            L7 loadbalance policy: vip-ssl-10.1.41.20
            VIP ICMP Reply       : ENABLED
            VIP State: INSERVICE
            Persistence Rebalance: DISABLED
            curr conns       : 0         , hit count        : 38       
            dropped conns    : 18       
            client pkt count : 159       , client byte count: 12576              
            server pkt count : 16        , server byte count: 640                
            conn-rate-limit      : 0         , drop-count : 0        
            bandwidth-rate-limit : 0         , drop-count : 0        
          compression:
            bytes_in  : 0                  
            bytes_out : 0                  
            Compression ratio : 0.00%
    At another time:
    ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
    Status     : ACTIVE
    Interface: vlan 1 401
      service-policy: lb-vip
        class: vip-ssl-10.1.41.20
          ssl-proxy server: testssl
          loadbalance:
            L7 loadbalance policy: vip-ssl-10.1.41.20
            VIP ICMP Reply       : ENABLED
            VIP State: INSERVICE
            Persistence Rebalance: DISABLED
            curr conns       : 0         , hit count        : 170      
            dropped conns    : 89       
            client pkt count : 703       , client byte count: 60089              
            server pkt count : 85        , server byte count: 3400               
            conn-rate-limit      : 0         , drop-count : 0        
            bandwidth-rate-limit : 0         , drop-count : 0        
          compression:
            bytes_in  : 0                  
            bytes_out : 0                  
            Compression ratio : 0.00%
    ace-demo/Admin#
    ace-demo/Admin# sh stats crypto server
    +----------------------------------------------+
    +---- Crypto server termination statistics ----+
    +----------------------------------------------+
    SSLv3 negotiated protocol:                       43
    TLSv1 negotiated protocol:                        0
    SSLv3 full handshakes:                           37
    SSLv3 resumed handshakes:                         0
    SSLv3 rehandshakes:                               0
    TLSv1 full handshakes:                            0
    TLSv1 resumed handshakes:                         0
    TLSv1 rehandshakes:                               0
    SSLv3 handshake failures:                         6
    SSLv3 failures during data phase:                 0
    TLSv1 handshake failures:                         0
    TLSv1 failures during data phase:                 0
    Handshake Timeouts:                               0
    total transactions:                               0
    SSLv3 active connections:                         0
    SSLv3 connections in handshake phase:             0
    SSLv3 conns in renegotiation phase:               0
    SSLv3 connections in data phase:                  0
    TLSv1 active connections:                         0
    TLSv1 connections in handshake phase:             0
    TLSv1 conns in renegotiation phase:               0
    TLSv1 connections in data phase:                  0
    +----------------------------------------------+
    +------- Crypto server alert statistics -------+
    +----------------------------------------------+
    SSL alert CLOSE_NOTIFY rcvd:                      0
    SSL alert UNEXPECTED_MSG rcvd:                    0
    SSL alert BAD_RECORD_MAC rcvd:                    0
    SSL alert DECRYPTION_FAILED rcvd:                 0
    SSL alert RECORD_OVERFLOW rcvd:                   0
    SSL alert DECOMPRESSION_FAILED rcvd:              0
    SSL alert HANDSHAKE_FAILED rcvd:                  0
    SSL alert NO_CERTIFICATE rcvd:                    0
    SSL alert BAD_CERTIFICATE rcvd:                   0
    SSL alert UNSUPPORTED_CERTIFICATE rcvd:           0
    SSL alert CERTIFICATE_REVOKED rcvd:               0
    SSL alert CERTIFICATE_EXPIRED rcvd:               0
    SSL alert CERTIFICATE_UNKNOWN rcvd:               6
    SSL alert ILLEGAL_PARAMETER rcvd:                 0
    SSL alert UNKNOWN_CA rcvd:                        0
    SSL alert ACCESS_DENIED rcvd:                     0
    SSL alert DECODE_ERROR rcvd:                      0
    SSL alert DECRYPT_ERROR rcvd:                     0
    SSL alert EXPORT_RESTRICTION rcvd:                0
    SSL alert PROTOCOL_VERSION rcvd:                  0
    SSL alert INSUFFICIENT_SECURITY rcvd:             0
    SSL alert INTERNAL_ERROR rcvd:                    0
    SSL alert USER_CANCELED rcvd:                     0
    SSL alert NO_RENEGOTIATION rcvd:                  0
    SSL alert CLOSE_NOTIFY sent:                      0
    SSL alert UNEXPECTED_MSG sent:                    0
    SSL alert BAD_RECORD_MAC sent:                    0
    SSL alert DECRYPTION_FAILED sent:                 0
    SSL alert RECORD_OVERFLOW sent:                   0
    SSL alert DECOMPRESSION_FAILED sent:              0
    SSL alert HANDSHAKE_FAILED sent:                  0
    SSL alert NO_CERTIFICATE sent:                    0
    SSL alert BAD_CERTIFICATE sent:                   0
    SSL alert UNSUPPORTED_CERTIFICATE sent:           0
    SSL alert CERTIFICATE_REVOKED sent:               0
    SSL alert CERTIFICATE_EXPIRED sent:               0
    SSL alert CERTIFICATE_UNKNOWN sent:               0
    SSL alert ILLEGAL_PARAMETER sent:                 0
    SSL alert UNKNOWN_CA sent:                        0
    SSL alert ACCESS_DENIED sent:                     0
    SSL alert DECODE_ERROR sent:                      0
    SSL alert DECRYPT_ERROR sent:                     0
    SSL alert EXPORT_RESTRICTION sent:                0
    SSL alert PROTOCOL_VERSION sent:                 47
    SSL alert INSUFFICIENT_SECURITY sent:             0
    SSL alert INTERNAL_ERROR sent:                    0
    SSL alert USER_CANCELED sent:                     0
    SSL alert NO_RENEGOTIATION sent:                  0
    +-----------------------------------------------+
    +--- Crypto server authentication statistics ---+
    +-----------------------------------------------+
    Total SSL client authentications:                 0
    Failed SSL client authentications:                0
    SSL client authentication cache hits:             0
    SSL static CRL lookups:                           0
    SSL best effort CRL lookups:                      0
    SSL CRL lookup cache hits:                        0
    SSL revoked certificates:                         0
    Total SSL server authentications:                 0
    Failed SSL server authentications:                0
    +-----------------------------------------------+
    +------- Crypto server cipher statistics -------+
    +-----------------------------------------------+
    Cipher sslv3_rsa_rc4_128_md5:                    43
    Cipher sslv3_rsa_rc4_128_sha:                     0
    Cipher sslv3_rsa_des_cbc_sha:                     0
    Cipher sslv3_rsa_3des_ede_cbc_sha:                0
    Cipher sslv3_rsa_exp_rc4_40_md5:                  0
    Cipher sslv3_rsa_exp_des40_cbc_sha:               0
    Cipher sslv3_rsa_exp1024_rc4_56_md5:              0
    Cipher sslv3_rsa_exp1024_des_cbc_sha:             0
    Cipher sslv3_rsa_exp1024_rc4_56_sha:              0
    Cipher sslv3_rsa_aes_128_cbc_sha:                 0
    Cipher sslv3_rsa_aes_256_cbc_sha:                 0
    Cipher tlsv1_rsa_rc4_128_md5:                     0
    Cipher tlsv1_rsa_rc4_128_sha:                     0
    Cipher tlsv1_rsa_des_cbc_sha:                     0
    Cipher tlsv1_rsa_3des_ede_cbc_sha:                0
    Cipher tlsv1_rsa_exp_rc4_40_md5:                  0
    Cipher tlsv1_rsa_exp_des40_cbc_sha:               0
    Cipher tlsv1_rsa_exp1024_rc4_56_md5:              0
    Cipher tlsv1_rsa_exp1024_des_cbc_sha:             0
    Cipher tlsv1_rsa_exp1024_rc4_56_sha:              0
    Cipher tlsv1_rsa_aes_128_cbc_sha:                 0
    Cipher tlsv1_rsa_aes_256_cbc_sha:                 0
    ace-demo/Admin# crypto verify testkey.key testcert.pem
    Keypair in testkey.key matches certificate in testcert.pem.
    ace-demo/Admin#
    ace-demo/Admin#  sh conn
    total current connections : 0
    conn-id    np dir proto vlan source                destination           state
    ----------+--+---+-----+----+---------------------+---------------------+------+

    Hello Alvaro,
    The issue here is that your config is missing the clear text port the ACE should use to send the traffic to the backend servers; in this case port 80.
    Remove the rservers from the SF "farm-demo" and then configure them back like this:
    serverfarm host farm-demo
      rserver rsrv1 80
        inservice
      rserver rsrv2 80
        inservice
    That should do the trick =)
    HTH
    Pablo

  • ACE SSL Terminator doesn't work

    Hi,
    I should implement HTTP balancing and, for HTTPS, an SSL terminator on my ACE.
    Public IP 22.235.121.6 port 80 --> balanced on 192.168.250.165-166 on port 8889
    Public IP 22.235.121.6 port 443 --> my ACE terminates SSL and balances the traffic in clear text to 192.168.250.165-166 on port 8889
    This is the configuration:
    probe http EXAMPLE_IT_HTTP
      port 8889
      interval 5
      faildetect 2
      passdetect interval 10
      passdetect count 2
      request method get url /probe/probe.html
      expect status 200 206
      expect status 300 307
      open 1
    serverfarm host example_IT_HTTP
      failaction reassign across-interface
      predictor leastconns
      probe example_IT_HTTP
      fail-on-all
      rserver H-192.168.250.165 8889
        inservice
      rserver H-192.168.250.166 8889
        inservice
    serverfarm host example_IT_HTTPS-HTTP
      failaction reassign across-interface
      predictor leastconns
      probe example_IT_HTTP
      fail-on-all
      rserver H-192.168.250.165 8889
        inservice
      rserver H-192.168.250.166 8889
        inservice
    sticky ip-netmask 255.255.255.255 address both example-IT-HTTPS-HTTP
      timeout 60
      replicate sticky
      serverfarm example_IT_HTTPS-HTTP
    ssl-proxy service SSL_example_IT
      key example_it.key
      cert example_it.cert
      chaingroup SSL_CHAIN_example_IT
    crypto chaingroup SSL_CHAIN_example_IT
      cert example_it.ca
    class-map match-all example_IT_HTTP
      2 match virtual-address 22.235.121.6 tcp eq www
    class-map match-all example_IT_HTTPS-HTTP
      2 match virtual-address 22.235.121.6 tcp eq www
    policy-map type loadbalance first-match example_IT_HTTP-l7slb
      class class-default
        serverfarm example_IT_HTTP
    policy-map type loadbalance first-match example_IT_HTTPS-HTTP-l7slb
      class class-default
        sticky-serverfarm example-IT-HTTPS-HTTP
    policy-map multi-match int41
      class example_IT_HTTP
        loadbalance vip inservice
        loadbalance policy example_IT_HTTP-l7slb
        loadbalance vip icmp-reply active primary-inservice
      class example_IT_HTTPS-HTTP
        loadbalance vip inservice
        loadbalance policy example_IT_HTTPS-HTTP-l7slb
        loadbalance vip icmp-reply active primary-inservice
        ssl-proxy server SSL_example_IT
    The balancing on HTTP works properly, but the SSL termination doesn't work: when I try to connect from my client over HTTPS, I don't see requests arriving on the servers 192.168.250.165-166.
    Some show:
    balancer# sh crypto certificate all
    example_it.cert:
    Subject: /C=GB/ST=United Kingdom/L=London/O=XXXXXXXX/OU=XXXXXXXXX/CN=*.xxxx.com
    Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
    Not Before: Apr 11 00:00:00 2014 GMT
    Not After: Apr 12 23:59:59 2015 GMT
    CA Cert: FALSE
    example_it.ca:
    Subject: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    Not Before: Nov  8 00:00:00 2006 GMT
    Not After: Jul 16 23:59:59 2036 GMT
    CA Cert: TRUE
    balancer# sh crypto session
    SSL Session Cache Stats for Context
    Number of Client Sessions: 0
    Number of Server Sessions: 0
    balancer#
    balancer# sh crypto files
    Filename             File  File  Expor  Key/
                         Size  Type  table  Cert
    cisco-sample-cert    1082  PEM   Yes    CERT
    cisco-sample-key     887   PEM   Yes    KEY
    example_it.ca        7444  PEM   Yes    CERT
    example_it.cert      1812  PEM   Yes    CERT
    example_it.key       1675  PEM   Yes    KEY
    balancer#
    balancer# crypto verify example_it.key example_it.cert
    Keypair in example_it.key matches certificate in example_it.cert.
    balancer#
    The show stats crypto client/server commands give me all 0.
    Can someone help me understand why it is not working?
    For further information, please ask me.
    Thanks a lot

    Hi,
    The problem is here:
    class-map match-all example_IT_HTTPS-HTTP
      2 match virtual-address 22.235.121.6 tcp eq www
    You should change it to 443 instead of WWW which means port 80.
    You will never match this class "example_IT_HTTPS-HTTP".
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.
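
An added example, not part of either reply and not Cisco tooling: a Python check for the two misconfigurations diagnosed in the replies above, namely an rserver with no clear-text port behind an SSL-terminating class, and an ssl-proxy class whose class-map matches port 80 or repeats another class's VIP match. The sample config, its names and the 192.0.2.10 address are constructed, and the parser only understands the few ACE commands that appear in these posts.

```python
import re

# Constructed sample (names and the 192.0.2.10 VIP are made up) that repeats
# both mistakes diagnosed in the replies above.
SAMPLE_CONFIG = """\
serverfarm host farm-demo
  rserver rsrv1
    inservice
  rserver rsrv2 80
    inservice
sticky ip-netmask 255.255.255.255 address both STICKY_DEMO
  serverfarm farm-demo
class-map match-all VIP_HTTP
  2 match virtual-address 192.0.2.10 tcp eq www
class-map match-all VIP_HTTPS
  2 match virtual-address 192.0.2.10 tcp eq www
policy-map type loadbalance first-match HTTPS-l7slb
  class class-default
    sticky-serverfarm STICKY_DEMO
policy-map multi-match int41
  class VIP_HTTP
    loadbalance vip inservice
  class VIP_HTTPS
    loadbalance vip inservice
    loadbalance policy HTTPS-l7slb
    ssl-proxy server SSL_DEMO
"""

PORT_NAMES = {"www": 80, "https": 443}  # port keywords used in the posted configs

# Block openers are recognised by keyword, not indentation, so a config pasted
# with its indentation stripped still parses. Group 1 is the block name.
BLOCKS = [
    ("cmap", r"class-map .*?(\S+)"),
    ("farm", r"serverfarm host (\S+)"),
    ("sticky", r"sticky .*?(\S+)"),
    ("l7", r"policy-map type loadbalance \S+ (\S+)"),
    ("multi", r"policy-map multi-match (\S+)"),
]


def opener(line):
    """Return (kind, name) if the line opens a block we track, else None."""
    for kind, pattern in BLOCKS:
        m = re.fullmatch(pattern, line)
        if m:
            return kind, m[1]
    return None


def parse_ace(text):
    cfg = {kind: {} for kind, _ in BLOCKS}
    kind = name = cls = None
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if opener(line):
            kind, name = opener(line)
            cls = None
            cfg[kind][name] = [] if kind in ("farm", "l7", "multi") else None
        elif kind == "cmap" and (m := re.fullmatch(
                r"(?:\d+ )?match virtual-address (\S+) tcp eq (\S+)", line)):
            port = PORT_NAMES.get(m[2], int(m[2]) if m[2].isdigit() else None)
            cfg["cmap"][name] = (m[1], port)
        elif kind == "farm" and (m := re.fullmatch(r"rserver (\S+)(?: (\d+))?", line)):
            cfg["farm"][name].append((m[1], m[2]))  # port is None when omitted
        elif kind == "sticky" and (m := re.fullmatch(r"serverfarm (\S+).*", line)):
            cfg["sticky"][name] = m[1]
        elif kind == "l7" and (m := re.fullmatch(r"(sticky-)?serverfarm (\S+).*", line)):
            cfg["l7"][name].append(("sticky" if m[1] else "farm", m[2]))
        elif kind == "multi" and (m := re.fullmatch(r"class (\S+)", line)):
            cls = {"class": m[1], "policy": None, "ssl": False}
            cfg["multi"][name].append(cls)
        elif kind == "multi" and cls and (m := re.fullmatch(r"loadbalance policy (\S+)", line)):
            cls["policy"] = m[1]
        elif kind == "multi" and cls and line.startswith("ssl-proxy server "):
            cls["ssl"] = True
    return cfg


def farms_behind(cfg, policy):
    """Serverfarms an L7 policy sends traffic to, following sticky groups."""
    for how, target in cfg["l7"].get(policy, []):
        farm = cfg["sticky"].get(target) if how == "sticky" else target
        if farm:
            yield farm


def lint_ace(text):
    cfg, findings = parse_ace(text), []
    for classes in cfg["multi"].values():
        first_with = {}  # (vip, port) -> first class that matches it
        for c in classes:
            vip = cfg["cmap"].get(c["class"])
            if not vip:
                continue
            if vip in first_with:  # same match as an earlier class: never hit
                findings.append(("duplicate-vip", c["class"]))
            first_with.setdefault(vip, c["class"])
            if not c["ssl"]:
                continue
            if vip[1] == 80:  # SSL termination bound to "www" instead of 443
                findings.append(("ssl-on-port-80", c["class"]))
            for farm in farms_behind(cfg, c["policy"]):
                for rserver, port in cfg["farm"].get(farm, []):
                    if port is None:  # no clear-text port for the backend leg
                        findings.append(("rserver-no-port", f"{farm}/{rserver}"))
    return findings


if __name__ == "__main__":
    for rule, subject in lint_ace(SAMPLE_CONFIG):
        print(f"{rule:16} {subject}")
```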

  • ACE SSL Connections Failing

    We have a new secure site where we are using the ACE as an ssl-proxy. I see connections make it all the way to the servers, but the session eventually times out (Browser responds with "The connection has timed out"). I haven't been able to grab a packet capture yet, but I am looking for some input since I am new to the ACE. We are also set up for sticky connections using cookies.
    I see connections to the server but no response back. I also see the cookie placed in my browser. Once I close the browser window, the current connection drops.
    sh serverfarm SECUREMAIL
    serverfarm     : SECUREMAIL, type: HOST
    total rservers : 2
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: E01
           10.0.0.95:8080        8      OPERATIONAL  1          4          0
       rserver: E02
           10.0.0.98:8080        8      OPERATIONAL  0          1         
    I verified the cert and keys match with the verify crypto command. If I bypass https and connect via http, I am able to hit the server test page. I attached the scrubbed config.
    Any info is appreciated.

    Make sure the clock on the supervisor/device has the correct date, to avoid problems with the Not Before/Not After check of the cert.
    Once the configuration is complete, check to make sure the VIP address can be accessed via HTTPS in a web browser. If any certificate errors are shown, this indicates a problem with the certificate, not with the Cisco ACE configuration. The above commands can be used to verify that SSL sessions are being terminated successfully.
    When a client’s web browser connects to an SSL server on any device, the browser and server negotiate which encryption cipher to use for the session. The list and order of ciphers presented by the ACE in a default configuration are as follows.
    1. CM_SSL_RSA_WITH_RC4_128_MD5
    2. CM_SSL_RSA_WITH_RC4_128_SHA
    3. CM_SSL_RSA_WITH_DES_CBC_SHA
    4. CM_SSL_RSA_WITH_3DES_EDE_CBC_SHA
    5. CM_SSL_RSA_WITH_AES_128_CBC_SHA
    6. CM_SSL_RSA_WITH_AES_256_CBC_SHA
    7. CM_SSL_RSA_EXPORT_WITH_RC4_40_MD5
    8. CM_SSL_RSA_EXPORT1024_WITH_RC4_56_MD5
    9. CM_SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    10. CM_SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
    11. CM_SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
    If this list is not desirable or the order needs to be changed, an SSL parameter map can be configured to make such changes.
    Can you send the output of the following commands so that I can suggest more about your config?
    ACE-1/routed#show crypto authgroup all
    ACE-1/routed# show conn display 1000 detail
    ACE-1/routed# show crypto files
    ACE-1/routed# show crypto certificate all
    ACE-1/routed# show crypto key all
    ACE-1/routed# show crypto session
    ACE-1/routed# show crypto hardware
    ACE-1/routed# show service-policy detail
    Please display client SSL statistics by entering the following command, and also attach the output here so that I can see what is happening in your ACE device:
    ACE_module5/Admin# show stats crypto client
    +----------------------------------------------+
    +---- Crypto client termination statistics ----+
    +----------------------------------------------+
    SSLv3 negotiated protocol:                        0
    TLSv1 negotiated protocol:                        0
    SSLv3 full handshakes:                            0
    SSLv3 resumed handshakes:                         0
    SSLv3 rehandshakes:                               0
    TLSv1 full handshakes:                            0
    TLSv1 resumed handshakes:                         0
    TLSv1 rehandshakes:                               0
    SSLv3 handshake failures:                         0
    SSLv3 failures during data phase:                 0
    TLSv1 handshake failures:                         0
    TLSv1 failures during data phase:                 0
    Handshake Timeouts:                               0
    total transactions:                               0
    SSLv3 active connections:                         0
    SSLv3 connections in handshake phase:             0
    SSLv3 conns in renegotiation phase:               0
    SSLv3 connections in data phase:                  0
    TLSv1 active connections:                         0
    TLSv1 connections in handshake phase:             0
    TLSv1 conns in renegotiation phase:               0
    TLSv1 connections in data phase:                  0
    +----------------------------------------------+
    +------- Crypto client alert statistics -------+
    +----------------------------------------------+
    SSL alert CLOSE_NOTIFY rcvd:                      0
    SSL alert UNEXPECTED_MSG rcvd:                    0
    SSL alert BAD_RECORD_MAC rcvd:                    0
    SSL alert DECRYPTION_FAILED rcvd:                 0
    SSL alert RECORD_OVERFLOW rcvd:                   0
    SSL alert DECOMPRESSION_FAILED rcvd:              0
    SSL alert HANDSHAKE_FAILED rcvd:                  0
    SSL alert NO_CERTIFICATE rcvd:                    0
    SSL alert BAD_CERTIFICATE rcvd:                   0
    SSL alert UNSUPPORTED_CERTIFICATE rcvd:           0
    SSL alert CERTIFICATE_REVOKED rcvd:               0
    SSL alert CERTIFICATE_EXPIRED rcvd:               0
    SSL alert CERTIFICATE_UNKNOWN rcvd:               0
    SSL alert ILLEGAL_PARAMETER rcvd:                 0
    SSL alert UNKNOWN_CA rcvd:                        0
    SSL alert ACCESS_DENIED rcvd:                     0
    SSL alert DECODE_ERROR rcvd:                      0
    SSL alert DECRYPT_ERROR rcvd:                     0
    SSL alert EXPORT_RESTRICTION rcvd:                0
    SSL alert PROTOCOL_VERSION rcvd:                  0
    SSL alert INSUFFICIENT_SECURITY rcvd:             0
    SSL alert INTERNAL_ERROR rcvd:                    0
    SSL alert USER_CANCELED rcvd:                     0
    SSL alert NO_RENEGOTIATION rcvd:                  0
    SSL alert CLOSE_NOTIFY sent:                      0
    SSL alert UNEXPECTED_MSG sent:                    0
    SSL alert BAD_RECORD_MAC sent:                    0
    SSL alert DECRYPTION_FAILED sent:                 0
    SSL alert RECORD_OVERFLOW sent:                   0
    SSL alert DECOMPRESSION_FAILED sent:              0
    SSL alert HANDSHAKE_FAILED sent:                  0
    SSL alert NO_CERTIFICATE sent:                    0
    SSL alert BAD_CERTIFICATE sent:                   0
    SSL alert UNSUPPORTED_CERTIFICATE sent:           0
    SSL alert CERTIFICATE_REVOKED sent:               0
    SSL alert CERTIFICATE_EXPIRED sent:               0
    SSL alert CERTIFICATE_UNKNOWN sent:               0
    SSL alert ILLEGAL_PARAMETER sent:                 0
    SSL alert UNKNOWN_CA sent:                        0
    SSL alert ACCESS_DENIED sent:                     0
    SSL alert DECODE_ERROR sent:                      0
    SSL alert DECRYPT_ERROR sent:                     0
    SSL alert EXPORT_RESTRICTION sent:                0
    SSL alert PROTOCOL_VERSION sent:                  0
    SSL alert INSUFFICIENT_SECURITY sent:             0
    SSL alert INTERNAL_ERROR sent:                    0
    SSL alert USER_CANCELED sent:                     0
    SSL alert NO_RENEGOTIATION sent:                  0
    +-----------------------------------------------+
    +--- Crypto client authentication statistics ---+
    +-----------------------------------------------+
    Total SSL client authentications:                 0
    Failed SSL client authentications:                0
    SSL client authentication cache hits:             0
    SSL static CRL lookups:                           0
    SSL best effort CRL lookups:                      0
    SSL CRL lookup cache hits:                        0
    SSL revoked certificates:                         0
    Total SSL server authentications:                 0
    Failed SSL server authentications:                0
    +-----------------------------------------------+
    +------- Crypto client cipher statistics -------+
    +-----------------------------------------------+
    Cipher sslv3_rsa_rc4_128_md5:                     0
    Cipher sslv3_rsa_rc4_128_sha:                     0
    Cipher sslv3_rsa_des_cbc_sha:                     0
    Cipher sslv3_rsa_3des_ede_cbc_sha:                0
    Cipher sslv3_rsa_exp_rc4_40_md5:                  0
    Cipher sslv3_rsa_exp_des40_cbc_sha:               0
    Cipher sslv3_rsa_exp1024_rc4_56_md5:              0
    Cipher sslv3_rsa_exp1024_des_cbc_sha:             0
    Cipher sslv3_rsa_exp1024_rc4_56_sha:              0
    Cipher sslv3_rsa_aes_128_cbc_sha:                 0
    Cipher sslv3_rsa_aes_256_cbc_sha:                 0
    Cipher tlsv1_rsa_rc4_128_md5:                     0
    Cipher tlsv1_rsa_rc4_128_sha:                     0
    Cipher tlsv1_rsa_des_cbc_sha:                     0
    Cipher tlsv1_rsa_3des_ede_cbc_sha:                0
    Cipher tlsv1_rsa_exp_rc4_40_md5:                  0
    Cipher tlsv1_rsa_exp_des40_cbc_sha:               0
    Cipher tlsv1_rsa_exp1024_rc4_56_md5:              0
    Cipher tlsv1_rsa_exp1024_des_cbc_sha:             0
    Cipher tlsv1_rsa_exp1024_rc4_56_sha:              0
    Cipher tlsv1_rsa_aes_128_cbc_sha:                 0
    Cipher tlsv1_rsa_aes_256_cbc_sha:                 0
    Display SSL server statistics by entering the following command, and send the results to us for further suggestions:
    ACE_module5/Admin# show stats crypto server
    +----------------------------------------------+
    +---- Crypto server termination statistics ----+
    +----------------------------------------------+
    SSLv3 negotiated protocol:                        0
    TLSv1 negotiated protocol:                        0
    SSLv3 full handshakes:                            0
    SSLv3 resumed handshakes:                         0
    SSLv3 rehandshakes:                               0
    TLSv1 full handshakes:                            0
    TLSv1 resumed handshakes:                         0
    TLSv1 rehandshakes:                               0
    SSLv3 handshake failures:                         0
    SSLv3 failures during data phase:                 0
    TLSv1 handshake failures:                         0
    TLSv1 failures during data phase:                 0
    Handshake Timeouts:                               0
    total transactions:                               0
    SSLv3 active connections:                         0
    SSLv3 connections in handshake phase:             0
    SSLv3 conns in renegotiation phase:               0
    SSLv3 connections in data phase:                  0
    TLSv1 active connections:                         0
    TLSv1 connections in handshake phase:             0
    TLSv1 conns in renegotiation phase:               0
    TLSv1 connections in data phase:                  0
    +----------------------------------------------+
    +------- Crypto server alert statistics -------+
    +----------------------------------------------+
    SSL alert CLOSE_NOTIFY rcvd:                      0
    SSL alert UNEXPECTED_MSG rcvd:                    0
    SSL alert BAD_RECORD_MAC rcvd:                    0
    SSL alert DECRYPTION_FAILED rcvd:                 0
    SSL alert RECORD_OVERFLOW rcvd:                   0
    SSL alert DECOMPRESSION_FAILED rcvd:              0
    SSL alert HANDSHAKE_FAILED rcvd:                  0
    SSL alert NO_CERTIFICATE rcvd:                    0
    SSL alert BAD_CERTIFICATE rcvd:                   0
    SSL alert UNSUPPORTED_CERTIFICATE rcvd:           0
    SSL alert CERTIFICATE_REVOKED rcvd:               0
    SSL alert CERTIFICATE_EXPIRED rcvd:               0
    SSL alert CERTIFICATE_UNKNOWN rcvd:               0
    SSL alert ILLEGAL_PARAMETER rcvd:                 0
    SSL alert UNKNOWN_CA rcvd:                        0
    SSL alert ACCESS_DENIED rcvd:                     0
    SSL alert DECODE_ERROR rcvd:                      0
    SSL alert DECRYPT_ERROR rcvd:                     0
    SSL alert EXPORT_RESTRICTION rcvd:                0
    SSL alert PROTOCOL_VERSION rcvd:                  0
    SSL alert INSUFFICIENT_SECURITY rcvd:             0
    SSL alert INTERNAL_ERROR rcvd:                    0
    SSL alert USER_CANCELED rcvd:                     0
    SSL alert NO_RENEGOTIATION rcvd:                  0
    SSL alert CLOSE_NOTIFY sent:                      0
    SSL alert UNEXPECTED_MSG sent:                    0
    SSL alert BAD_RECORD_MAC sent:                    0
    SSL alert DECRYPTION_FAILED sent:                 0
    SSL alert RECORD_OVERFLOW sent:                   0
    SSL alert DECOMPRESSION_FAILED sent:              0
    SSL alert HANDSHAKE_FAILED sent:                  0
    SSL alert NO_CERTIFICATE sent:                    0
    SSL alert BAD_CERTIFICATE sent:                   0
    SSL alert UNSUPPORTED_CERTIFICATE sent:           0
    SSL alert CERTIFICATE_REVOKED sent:               0
    SSL alert CERTIFICATE_EXPIRED sent:               0
    SSL alert CERTIFICATE_UNKNOWN sent:               0
    SSL alert ILLEGAL_PARAMETER sent:                 0
    SSL alert UNKNOWN_CA sent:                        0
    SSL alert ACCESS_DENIED sent:                     0
    SSL alert DECODE_ERROR sent:                      0
    SSL alert DECRYPT_ERROR sent:                     0
    SSL alert EXPORT_RESTRICTION sent:                0
    SSL alert PROTOCOL_VERSION sent:                  0
    SSL alert INSUFFICIENT_SECURITY sent:             0
    SSL alert INTERNAL_ERROR sent:                    0
    SSL alert USER_CANCELED sent:                     0
    SSL alert NO_RENEGOTIATION sent:                  0
    +-----------------------------------------------+
    +--- Crypto server authentication statistics ---+
    +-----------------------------------------------+
    Total SSL client authentications:                 0
    Failed SSL client authentications:                0
    SSL client authentication cache hits:             0
    SSL static CRL lookups:                           0
    SSL best effort CRL lookups:                      0
    SSL CRL lookup cache hits:                        0
    SSL revoked certificates:                         0
    Total SSL server authentications:                 0
    Failed SSL server authentications:                0
    +-----------------------------------------------+
    +------- Crypto server cipher statistics -------+
    +-----------------------------------------------+
    Cipher sslv3_rsa_rc4_128_md5:                     0
    Cipher sslv3_rsa_rc4_128_sha:                     0
    Cipher sslv3_rsa_des_cbc_sha:                     0
    Cipher sslv3_rsa_3des_ede_cbc_sha:                0
    Cipher sslv3_rsa_exp_rc4_40_md5:                  0
    Cipher sslv3_rsa_exp_des40_cbc_sha:               0
    Cipher sslv3_rsa_exp1024_rc4_56_md5:              0
    Cipher sslv3_rsa_exp1024_des_cbc_sha:             0
    Cipher sslv3_rsa_exp1024_rc4_56_sha:              0
    Cipher sslv3_rsa_aes_128_cbc_sha:                 0
    Cipher sslv3_rsa_aes_256_cbc_sha:                 0
    Cipher tlsv1_rsa_rc4_128_md5:                     0
    Cipher tlsv1_rsa_rc4_128_sha:                     0
    Cipher tlsv1_rsa_des_cbc_sha:                     0
    Cipher tlsv1_rsa_3des_ede_cbc_sha:                0
    Cipher tlsv1_rsa_exp_rc4_40_md5:                  0
    Cipher tlsv1_rsa_exp_des40_cbc_sha:               0
    Cipher tlsv1_rsa_exp1024_rc4_56_md5:              0
    Cipher tlsv1_rsa_exp1024_des_cbc_sha:             0
    Cipher tlsv1_rsa_exp1024_rc4_56_sha:              0
    Cipher tlsv1_rsa_aes_128_cbc_sha:                 0
    Cipher tlsv1_rsa_aes_256_cbc_sha:                 0
    You can also display the number of SSL data messages sent and SSL FIN/RST messages sent by entering the following command; please send the output from your ACE devices:
    ACE_module5/Admin# show stats http
    +------------------------------------------+
    +-------------- HTTP statistics -----------+
    +------------------------------------------+
    LB parse result msgs sent : 0          , TCP data msgs sent       : 0
    Inspect parse result msgs : 0          , SSL data msgs sent       : 0 <-------
                          sent
    TCP fin/rst msgs sent     : 0          , Bounced fin/rst msgs sent: 0
    SSL fin/rst msgs sent     : 0          , Unproxy msgs sent        : 0 <-------
    Drain msgs sent           : 0          , Particles read           : 0
    Reuse msgs sent           : 0          , HTTP requests            : 0
    Reproxied requests        : 0          , Headers removed          : 0
    Headers inserted          : 0          , HTTP redirects           : 0
    HTTP chunks               : 0          , Pipelined requests       : 0
    HTTP unproxy conns        : 0          , Pipeline flushes         : 0
    Whitespace appends        : 0          , Second pass parsing      : 0
    Response entries recycled : 0          , Analysis errors          : 0
    Header insert errors      : 0          , Max parselen errors      : 0
    Static parse errors       : 0          , Resource errors          : 0
    Invalid path errors       : 0          , Bad HTTP version errors  : 0
    Headers rewritten         : 0          , Header rewrite errors    : 0
    Lastly, display session cache statistics for the current context by entering the following command:
    switch/Admin# show crypto session
    SSL Session Cache Stats for Context
    Number of Client Sessions:                        0
    Number of Server Sessions:                        0
    Please send the output of all the commands requested so that I can look at your issue in more detail.
    HTH
    Sachin
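
An added example, not from the thread and not Cisco tooling: a Python reader for the `show stats crypto client` / `show stats crypto server` output requested above. It reports the full versus resumed handshake split, non-zero alerts, negotiated suites that use RC4, single DES, export-grade keys or an MD5 MAC, and the all-zero case reported in the SSL terminator thread. The sample text is constructed, apart from the two counters noted in the comment.

```python
import re

# Constructed excerpt in the format of "show stats crypto server". Only the
# PROTOCOL_VERSION (47) and rc4_128_md5 (43) values come from output quoted
# on this page; every other number is made up for the example.
SAMPLE_STATS = """\
+----------------------------------------------+
+---- Crypto server termination statistics ----+
+----------------------------------------------+
SSLv3 negotiated protocol:                       43
TLSv1 negotiated protocol:                        0
SSLv3 full handshakes:                           40
SSLv3 resumed handshakes:                         3
SSLv3 rehandshakes:                               0
TLSv1 full handshakes:                            0
TLSv1 resumed handshakes:                         0
+----------------------------------------------+
+------- Crypto server alert statistics -------+
+----------------------------------------------+
SSL alert HANDSHAKE_FAILED rcvd:                  0
SSL alert PROTOCOL_VERSION sent:                 47
+-----------------------------------------------+
+------- Crypto server cipher statistics -------+
+-----------------------------------------------+
Cipher sslv3_rsa_rc4_128_md5:                    43
Cipher sslv3_rsa_3des_ede_cbc_sha:                0
Cipher tlsv1_rsa_aes_128_cbc_sha:                 0
"""

# "label:   value" lines; banner lines start with "+" and are skipped.
COUNTER = re.compile(r"^\s*(?P<name>[^+:][^:]*?):\s+(?P<value>\d+)\s*$")

# Properties of a suite name that mark it as deprecated (RC4: RFC 7465).
WEAK_PARTS = [
    ("export-grade key", re.compile(r"_exp(1024)?_")),
    ("RC4", re.compile(r"_rc4_")),
    ("single DES", re.compile(r"_des(40)?_cbc")),
    ("MD5 MAC", re.compile(r"_md5$")),
]


def parse_counters(text):
    """Map every counter label in the pasted output to its integer value."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            counters[m["name"].strip()] = int(m["value"])
    return counters


def analyze(text):
    c = parse_counters(text)
    full = sum(v for k, v in c.items() if k.endswith("full handshakes"))
    resumed = sum(v for k, v in c.items() if k.endswith("resumed handshakes"))
    total = full + resumed
    weak = {}
    for label, count in c.items():
        if label.startswith("Cipher ") and count:
            reasons = [why for why, pat in WEAK_PARTS if pat.search(label)]
            if reasons:
                weak[label[len("Cipher "):]] = (count, reasons)
    return {
        "full": full,
        "resumed": resumed,
        # A low ratio means most connections pay for a full handshake,
        # which is what the session-cache timeout is meant to reduce.
        "resume_ratio": round(resumed / total, 3) if total else None,
        # SSLv3 itself is deprecated (RFC 7568), so count its use separately.
        "sslv3_negotiated": c.get("SSLv3 negotiated protocol", 0),
        "alerts": {k[len("SSL alert "):]: v
                   for k, v in c.items() if k.startswith("SSL alert ") and v},
        "weak_ciphers": weak,
        # Every counter at zero: no traffic reached the SSL proxy at all.
        "no_ssl_traffic": bool(c) and not any(c.values()),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_STATS).items():
        print(f"{key:18} {value}")
```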

  • ACE client authentication performance degradation

    Hi,
    If possible is anybody able to provide any advice & guidance WRT the below:
    According to: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_1_0/command/reference/sslproxy.html “When you enable client authentication, a significant performance decrease may occur in the ACE module.”
    The statement raises a lot of questions:
    1. Presumably the degradation can only happen as a result of an SSL client performing a handshake with the ACE (SSL server), the ACE requesting a client certificate and the client responding with a certificate at which stage the ACE has to verify the Client certificate?
    2. Some metrics are needed from Cisco around the degradation – for example how many certificate verifications per second can the ACE support (1,10,100,1000)? If this is dependent on RSA key size then metrics are needed  for 1024 and 2048 keys.
    3. The Cisco ACE supports partitioning of resources (http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide,_Release_A2%28x%29_--_Managing_Resources_ and therefore I assume that the ACE can be protected from degradation by setting a limit on SSL handshakes per second which is well below the limit from 2?
    4. Any references to some relevant documentation ?

    Hello Preck-
    As a first point, we don't generally document every possible aspect of performance numbers on products because there are many factors that play into the numbers. This is one of the grey areas where we cannot pin down any hard numbers due to too many outside factors.
    Here is the full story on SSL client authentication:
    Under a normal SSL handshake, the SSL server exchanges the public key and certificate file to the client, and a cipher is chosen to encrypt the communication between the two entities. Past that communication, there are a few things that could result in extra packets, or a new SSL handshake, i.e. SSL version negotiation and/or cipher related issues. Some things can shorten the handshake time, like SSL session IDs and using specific SSL protocols (i.e. if the client and server only ever used TLS v1.1 and never had to negotiate from SSL v3.0 to TLS).
    Once the handshake is done, the performance only depends on network latency and the amount of time it takes to encrypt/decrypt the traffic, which is dependent on the SSL version, cipher, and SSL strength (key bits). This is important to your questions because the only thing that affects performance is the initial handshake process.
    When you enable client authentication, before the handshake is complete, the server requests the client to send a certificate. The client may send multiple certificates, or just 1. When the server receives the certificate, it checks that it matches the certificate that it has installed for client authentication. As well, the server may do an extra check against the CRL to see if the certificate has been revoked (this is an external call to the CA via TCP or LDAP generally). The amount of certs, size of the certs, and size of the CRL are not known to the server, hence, it has to work with what it receives. The larger the files, the longer the handshake takes to complete.
    Specific to ACE:
    The degradation you are going to see is exactly what I stated in the last paragraph - it will be related to how many certs the ACE has to parse, how long it takes to get the CRL and check it all the way through. Because every client could give the ACE a different amount of certificates and the CRL could be any size/take any amount of time to retrieve and scan, there is no such thing as a common metric we can state about the difference in performance.
    We can tell you that the performance degradation is limited to the VIP that you have this enabled on and should not affect any other vips/context/the whole ACE in general. It also only relates to the amount of possible transactions per second, and not to total SSL concurrent connections or throughput. Throughput is not affected because the SSL Nitrox and Cavium engines are not used to scan the client certificate - the XScale Microengine is, so the throughput of the SSL daughter cards is not affected here.
    The bit count within the keypair has no effect on the performance when enabling client authentication if you are comparing the same as without client authentication. Certainly, you will see a drop in performance when moving from 1024 to 2048 bit keys due to the extra complexity involved in encrypting/decrypting - but no additional loss with client authentication. On a side note, keep in mind that doubling your key bit strength means your performance will take an exponential drop - not a linear drop. If you are planning on deploying 2048bit keys, make sure you test your environment prior to production release so that you know exactly what kind of performance to expect.
    About your question on partitioning resources, because this only affects the vip you have the authentication on, you don't need to worry about sandboxing off a context to handle this.
    Regards,
    Chris Higgins

  • Performance Issues with Photoshop CS6 64-Bit

    Hello -
    Issue at hand: over the course of the last few weeks, I have noticed significant issues with performance since the last update to PS CS6 via the Adobe Application Manager, ranging from unexpected shut downs to bringing my workstation to a crawl (literally, my cursor seems to crawl across my displays). I'm curious as to if anyone else is experiencing these issues, or if there is a solution I have not yet tried. Here is a list of actions that result in these performance issues - there are likely more that I have either not experienced due to my frustration, or have not documented as occurring multiple times:
    Opening files - results in hanging process, takes 3-10 seconds to resolve
    Pasting from clipboard - results in hanging process, takes 3-10 seconds to resolve
    Saving files - takes 3-10 seconds to open the dialog, another 3-10 seconds to return to normal window (saving a compressed PNG)
    Eyedropper tool - will either crash Photoshop to desktop, or take 5-15 seconds to load
    Attempting to navigate any menu - will either crash Photoshop to desktop, or take 5-15 seconds to load
    Attempts I've taken to resolve this matter, which have failed:
    Uninstalled all fonts that I have added since the last update (this was a pain in the ***, thank you Windows explorer for being glitchy)
    Uninstall application and reinstall application
    Use 32-bit edition
    Changing process priority to Above Normal
    Confirm process affinity to all available CPU cores
    Change configuration of Photoshop performance options
    61% of memory is available to Photoshop to use (8969 MB)
    History states: 20; Cache levels: 6; Cache tile size: 1024K
    Scratch disks: active on production SSD, ~10GB space available
    Dedicated graphics processor is selected (2x nVidia cards in SLI)
    System Information:
    Intel i7 2600K @ 3.40GHz
    16GB DDR3, Dual Channel RAM
    2x nVidia GeForce GTS 450 cards, 1GB each
    Windows 7 Professional 64-bit
    Adobe Creative Cloud
    This issue is costing me time I could be working every day, and I'm about ready to begin searching for alternatives and cancel my membership if I can't get this resolved.

    Adobe Photoshop Version: 13.1.2 (13.1.2 20130105.r.224 2013/01/05:23:00:00) x64
    Operating System: Windows 7 64-bit
    Version: 6.1 Service Pack 1
    System architecture: Intel CPU Family:6, Model:10, Stepping:7 with MMX, SSE Integer, SSE FP, SSE2, SSE3, SSE4.1, SSE4.2, HyperThreading
    Physical processor count: 4
    Logical processor count: 8
    Processor speed: 3392 MHz
    Built-in memory: 16350 MB
    Free memory: 12070 MB
    Memory available to Photoshop: 14688 MB
    Memory used by Photoshop: 61 %
    Image tile size: 1024K
    Image cache levels: 6
    OpenGL Drawing: Enabled.
    OpenGL Drawing Mode: Basic
    OpenGL Allow Normal Mode: True.
    OpenGL Allow Advanced Mode: True.
    OpenGL Allow Old GPUs: Not Detected.
    OpenCL Version: 1.1 CUDA 4.2.1
    OpenGL Version: 3.0
    Video Rect Texture Size: 16384
    OpenGL Memory: 1024 MB
    Video Card Vendor: NVIDIA Corporation
    Video Card Renderer: GeForce GTS 450/PCIe/SSE2
    Display: 2
    Display Bounds: top=0, left=1920, bottom=1080, right=3840
    Display: 1
    Display Bounds: top=0, left=0, bottom=1080, right=1920
    Video Card Number: 3
    Video Card: NVIDIA GeForce GTS 450
    Driver Version: 9.18.13.1106
    Driver Date: 20130118000000.000000-000
    Video Card Driver: nvd3dumx.dll,nvwgf2umx.dll,nvwgf2umx.dll,nvd3dum,nvwgf2um,nvwgf2um
    Video Mode:
    Video Card Caption: NVIDIA GeForce GTS 450
    Video Card Memory: 1024 MB
    Video Card Number: 2
    Video Card: LogMeIn Mirror Driver
    Driver Version: 7.1.542.0
    Driver Date: 20060522000000.000000-000
    Video Card Driver:
    Video Mode: 1920 x 1080 x 4294967296 colors
    Video Card Caption: LogMeIn Mirror Driver
    Video Card Memory: 0 MB
    Video Card Number: 1
    Video Card: NVIDIA GeForce GTS 450
    Driver Version: 9.18.13.1106
    Driver Date: 20130118000000.000000-000
    Video Card Driver: nvd3dumx.dll,nvwgf2umx.dll,nvwgf2umx.dll,nvd3dum,nvwgf2um,nvwgf2um
    Video Mode: 1920 x 1080 x 4294967296 colors
    Video Card Caption: NVIDIA GeForce GTS 450
    Video Card Memory: 1024 MB
    Serial number: 90970233273769828003
    Application folder: C:\Program Files\Adobe\Adobe Photoshop CS6 (64 Bit)\
    Temporary file path: C:\Users\ANDREW~1\AppData\Local\Temp\
    Photoshop scratch has async I/O enabled
    Scratch volume(s):
      C:\, 111.8G, 7.68G free
    Required Plug-ins folder: C:\Program Files\Adobe\Adobe Photoshop CS6 (64 Bit)\Required\
    Primary Plug-ins folder: C:\Program Files\Adobe\Adobe Photoshop CS6 (64 Bit)\Plug-ins\
    Additional Plug-ins folder: not set
    Optional and third party plug-ins: NONE
    Plug-ins that failed to load: NONE
    Flash:
       Mini Bridge
       Kuler
    Installed TWAIN devices: NONE

  • PLSRV_CALL_ADAPTER, HTTP_SEND Performance issue in PI 7.0 (SP16)

    Dear friends,
    I have a synchronous WebService -> XI -> Proxy scenario and did some stress testing this morning. When we simulated 80 client users sending the SOAP request to the XI server, I found a performance issue: some of the request messages took too long. After checking the details, I found that the runtime item 'HTTP_SEND' is the major reason:
    <SAP:RunTimeItem>
      <SAP:Name type="PLSRV">PLSRV_CALL_ADAPTER</SAP:Name>
      <SAP:Timestamp type="begin" host="JT-PIDEV">20080919023723.87111</SAP:Timestamp>
      </SAP:RunTimeItem>
    <SAP:RunTimeItem>
      <SAP:Name type="PLSRV">HTTP_SEND</SAP:Name>
      <SAP:Timestamp type="begin" host="JT-PIDEV">20080919023723.878215</SAP:Timestamp>
      </SAP:RunTimeItem>
    <SAP:RunTimeItem>
      <SAP:Name type="PLSRV">HTTP_SEND</SAP:Name>
      <SAP:Timestamp type="end" host="JT-PIDEV">20080919023734.474367</SAP:Timestamp>
      </SAP:RunTimeItem>
    <SAP:RunTimeItem>
      <SAP:Name type="PLSRV">PLSRV_CALL_ADAPTER</SAP:Name>
      <SAP:Timestamp type="end" host="JT-PIDEV">20080919023734.480719</SAP:Timestamp>
      </SAP:RunTimeItem>
    You can see that this step took about 11 seconds, which is not acceptable; in the normal case it takes no more than 1 second.
    From my understanding, this step sends the message to the target SAP system via the HTTP plug-in. Why did these messages take such a long time? How can I tune this?
    Regards,
    Bean
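The per-step timing read off the trace above can be computed rather than eyeballed. This is an added example, not part of the original post: it pairs each begin/end `RunTimeItem` by name and reports the elapsed seconds, and it lists steps that have a begin but no end. The wrapper element and the namespace URI are placeholders assumed here so the fragment parses; the four items are the ones quoted in the post.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from decimal import Decimal

# Placeholder namespace URI (assumption): the post shows only the SAP: prefix.
NS = {"SAP": "urn:example:sap-trace"}

# The four RunTimeItem entries from the post, wrapped in an assumed root element.
SAMPLE_TRACE = """
<SAP:Trace xmlns:SAP="urn:example:sap-trace">
  <SAP:RunTimeItem>
    <SAP:Name type="PLSRV">PLSRV_CALL_ADAPTER</SAP:Name>
    <SAP:Timestamp type="begin" host="JT-PIDEV">20080919023723.87111</SAP:Timestamp>
  </SAP:RunTimeItem>
  <SAP:RunTimeItem>
    <SAP:Name type="PLSRV">HTTP_SEND</SAP:Name>
    <SAP:Timestamp type="begin" host="JT-PIDEV">20080919023723.878215</SAP:Timestamp>
  </SAP:RunTimeItem>
  <SAP:RunTimeItem>
    <SAP:Name type="PLSRV">HTTP_SEND</SAP:Name>
    <SAP:Timestamp type="end" host="JT-PIDEV">20080919023734.474367</SAP:Timestamp>
  </SAP:RunTimeItem>
  <SAP:RunTimeItem>
    <SAP:Name type="PLSRV">PLSRV_CALL_ADAPTER</SAP:Name>
    <SAP:Timestamp type="end" host="JT-PIDEV">20080919023734.480719</SAP:Timestamp>
  </SAP:RunTimeItem>
</SAP:Trace>
"""


def parse_ts(text):
    """Split 'YYYYMMDDhhmmss.fraction' into (datetime, Decimal fraction).

    The fraction is kept as a decimal string because its width varies in the
    trace ('.87111' next to '.878215'); padding it as an integer would be wrong.
    """
    whole, _, frac = text.strip().partition(".")
    return datetime.strptime(whole, "%Y%m%d%H%M%S"), Decimal("0." + (frac or "0"))


def step_durations(xml_text):
    """Return ([(step name, seconds as Decimal)], [names with no end marker])."""
    root = ET.fromstring(xml_text)
    open_steps = {}   # step name -> stack of begin timestamps
    finished = []
    for item in root.iterfind(".//SAP:RunTimeItem", NS):
        name = item.findtext("SAP:Name", namespaces=NS).strip()
        stamp = item.find("SAP:Timestamp", NS)
        when = parse_ts(stamp.text)
        if stamp.get("type") == "begin":
            open_steps.setdefault(name, []).append(when)
        elif open_steps.get(name):
            begin_dt, begin_frac = open_steps[name].pop()
            end_dt, end_frac = when
            whole_secs = int((end_dt - begin_dt).total_seconds())
            finished.append((name, Decimal(whole_secs) + end_frac - begin_frac))
    unfinished = [name for name, stack in open_steps.items() if stack]
    return finished, unfinished


if __name__ == "__main__":
    done, still_open = step_durations(SAMPLE_TRACE)
    for name, secs in done:
        print(f"{name:20s} {secs} s")
    print("no end marker:", still_open)
```

On the quoted trace, almost all of the PLSRV_CALL_ADAPTER time falls inside HTTP_SEND, which matches the poster's reading.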

    Hi kk,
    Thanks a lot for your kind help.
    Do you have a web dispatcher to balance the load for the HTTP calls to your ABAP proxy? Please note, in SMICM of your backend SAP system, you will see the minimum number of threads that have been allotted. More threads get allotted till the maximum limit is reached. Looks like this could be the issue. Are your webservice calls to XI load balanced as well? Also, check if the ABAP server proxy program is not causing a delay. Looks like you need some fine tuning to be done.
    As both the inbound and outbound in the integration server use the HTTP plug-in from/to ICM, and the business logic in the backend SAP system is very simple (just some assignment statements), I'm considering the following fine tuning options:
    1. Increase the max threads of the integration server to make sure that the outbound messages don't need to wait for a free thread
    2. Increase the max threads of ICM in the target SAP backend system to make sure that the inbound messages don't need to wait
    3. I'm not clear whether we have a web dispatcher in XI or the SAP backend system. Could you please guide me on how I can tune that?
    Regards,
    Bean

  • Exchange 2010 to 2013 Migration: Authentication/Proxy Settings Issue

    I'm in the final stages of preparing for our Exchange 2010 to 2013 migration. I'm noticing minor authentication issues on mobile devices (Android & iOS) and proxy setting issues with Outlook that require user intervention. In an effort to make the migration as smooth as possible for our internal users, I'd like to get these settings ironed out before starting the migration.
    Symptoms:
    Outlook - I'm aware that internal Outlook usage has changed its connection protocol from RPC/TCP to RPC/HTTP, but it appears that Outlook isn't updating its settings in the "Microsoft Exchange Proxy Settings" after a user's mailbox has been migrated from 2010 to 2013. Currently, 2010 users with Outlook 2013 have the following settings configured in Outlook's Exchange Proxy Settings:
    URL to connect to my proxy server for Exchange: webmail.domain.com
    Connect using SSL only: Checked
    Only connect to proxy servers that have this principal name in their certificates: Unchecked
    On fast networks, connect using HTTP first, then connect using TCP/IP: Unchecked
    On slow networks, connect using HTTP first, then connect using TCP/IP: Checked
    After migrating a user's mailbox from 2010 to 2013, the above settings remain the same in Outlook and their client disconnects from Exchange and isn't able to reconnect. After manually enabling the checkbox for "On fast networks, connect using HTTP first, then connect using TCP/IP", Outlook clients are able to connect to Exchange via their newly migrated mailbox.
    Is there a way to automatically update these 2 proxy settings in Outlook during the migration instead of having to manually change each user's configuration in Outlook?
    Android & iOS - Currently, users on Android & iOS with Exchange 2010 mailboxes have the following configuration:
    domain: blank
    username: their AD username
    server: webmail.domain.com
    After migrating a mobile user's mailbox from 2010 to 2013, neither OS (Android or iOS) is able to connect due to an authentication failure. On iOS, if I manually change the domain from blank to my company's domain, authentication succeeds and their 2013 mailbox begins to update. On Android, the option to change the domain name from null is grayed out, requiring the user to delete the Exchange profile and re-add it with the domain name intact. Is there a way to configure Exchange 2013 to not require the domain name for mobile users in the same way that it's been working for us with Exchange 2010?
    Please let me know if you require cmdlet print outs of my virtual directories to help troubleshoot the issue.

    Hi,
    Generally, when the user mailbox is moved from Exchange 2010 to Exchange 2013, the Autodiscover service would detect the changes and update the new configuration automatically.
    Please make sure the autodiscover service in your new Exchange 2013 is configured correctly. We can create a new mailbox in Exchange 2013 and check whether the new Exchange 2013 user can set up an account successfully in Outlook or not. If the new user works fine, it indicates the autodiscover service in Exchange 2013 should be proper for internal users.
    Please restart the following Exchange services to have a try:
    Microsoft Exchange RPC Client Access
    Microsoft Exchange Mailbox Replication
    Restart IIS service by running IISReset in a Command Prompt window.
    Then check whether the Outlook client can connect to Exchange 2013 or not.
    As for the Android & iOS issue, I suggest we ask a question in the ActiveSync forum for more suggestions:
    https://social.technet.microsoft.com/Forums/en-US/home?forum=exchangesvrmobility
    Regards,
    Winnie Liang
    TechNet Community Support

  • Performance issues logging on to Workspace 11.1.2.1

    Hi All,
    We have a distributed install of 11.1.2.1 (2 HSS, 3 PLN, 3 HFM, 3 Workspace, 2 FDM servers) and are facing significant performance issues:
    - Logging on to the Workspace as an external user takes 5 min
    - Logging on to the AAS console as an external user takes over 2 min
    - Opening HBRs in AAS takes a couple of minutes
    - Logging on to HSS as an external user takes over a min
    Logging on as a native user takes around 30 seconds.
    We have disabled components we do not use under the Workspace server properties and applied Patch Set Exception (PSE) 13327628, which addressed the following performance issues:
    • 12913216 – Intermittent login error is observed while attempting to log into EPM System Workspace. Workspace displays the error message “You must supply a valid User Name and Password to log onto the system.” However, user can log in by clicking OK.
    • 13341789 – Poor login performance (delay of 3-5 minutes) is observed at the first user login if Workspace web application has been inactive for an hour. Subsequent login performance is not impacted.
    • 13388864 – In deployments where a firewall is configured to time out idle applications (for example, after 30 minutes) users can login once, but subsequent login times out.
    In Shared Services we have also set Evict Interval and Allowed Idle Connection Time to 5 mins.
    Is there anything else we could try to improve performance?
    Thanks for your help.
    Regards
    Seb

    If you have already deactivated the unused services from WS, it's weird. As far as I can see, you may be using an external directory for authenticating; check on these.
    * Have you checked the response time from the external directory? Sometimes, for example in Active Directory, the user hierarchy is too complex to navigate. You can use an LDAP tester to see.
    * Are you using SSL? If yes, try without SSL.
    * For Workspace, start the unused services and activate the services back in the WS to see if it improves with all the apps up (this will help you to narrow the debugging).
    * Go directly to the Java-based servers; for instance, on the Shared Services server go directly to port 28080 for interop, instead of going through the HTTP server, and check whether you can log in quickly or not. This will also help you to isolate the issue (whether or not it's related to Workspace).
    Hope this helps you to narrow your search.
    Motor
