Ace ssl-proxy problem, Online store.

Similar Messages

• ACE SSL Proxy performance issue

  Hi I've got an ACE module in a 6500 that is being used as an SSL Proxy For a web service.
  So the configuration is fairly basic, matches a VIP which has been Nat'ed from the public IP address port 443 and load balances over a number of reservers with the server ports being set to 80.
  The problem is the main web site is hosted elsewhere and so when they switch to checkout on a secure port the browser page requests multiple https:// files .
  The users are seeing very slow page loads a considerable amount longer than equivalent on http and more than you'd expect. The ACE is no where near any throughout or transaction limits.
  My concern is on how the session is tracked, would the ACE attempt to renegotiate with every https:// get? I've seen example configs for stickiness inserting cookies for normal end-end load balancing but not with an SSL proxy configuration.
  Sent from Cisco Technical Support iPad App

  Hi Craig,
  The SSL negotiation/handshake will happen everytime a client opens a new TCP connection i.e comes with a different source port.
  To make sure that ACE doesn't renegotiate you can try and use this command:
  (config-parammap-ssl)# session-cache timeout . You can use 24 hours or anytime you think is suitable.
  This is basically to enable SSL session reuse. A little explanation below for your reference:
  When client connects to a server over SSL, the server creates a session for that connection. This session ID is sent as a part of the Server Hello message. This is to make things efficient, in case the client has any plans of closing the current connection and reconnect in the near future. Most of the servers have a time out for these sessions (I think 24 hours is a common value, unless pressed for space).
  When the client connects to the same server again, it can send the same session ID as a part of the Client Hello. The server will first look up if it can find any sessions with that ID. If found, the same session will be reused. Thus the time spent in verifying the certs and negotiating the keys is saved. If the server cannot find a matching session, then it responds with a new session ID and its certificate in Server Hello message. The client knows that it has to verity the cert and negotiate the key again.
  Considerable amount of time is spent in validating server certs. Reusing SSL session will save this time.
  Having said that you need to check if the client is coming with a session ID which it got in previous handshake or not. If it doesn't and it is a new TCP connection then SSL handshake will happen. Please enable that command before testing.
  Also, ensure that you have allocated proper SSL resources to your context. Lack of resources can also cause dropped connections and sluggish performance.
  Regards,
  Kanwal

• Is anyone else having problems with the Canon Online Store?

  In the last month or so, I've had one problem after another with the Canon Online Store; from being unable to delete items from the shopping cart; to not being able to add "in stock" items; disappearing Wish Lists; and just now, I tried to add one lens cap to the 6 or 7 items I already had in the Shopping Cart, and they disappeared.
  I've called, more than once, and I've written, also more than once, to Canon Support about this, but they ignore what I tell them, and tell me there are no problems with the Online Store.  They don't even seem to report to anyone that anyone has complained, because each time is "the first time", even though I've called (more than once) and written (more than once) to them about continuing Online Stores problems.
  Is anyone else having problems with the Canon Online Store?
  Why does Canon not care to track reported problems with the storefront part of their web-site? 
  I'm not trying to insult Canon, it's just that I've been a Canon customer for less than 3 months, and the're only batting .333, so far.  Canon Support was very quick to respond about a concern I had that a 50mm f/1.4 I had just purchased was authentic or not.  In trying to register that lens, I looked up on the Canon web site where to find the serial number.  Since my new lens did not have any numbers there, I was concerned I had been sold a fake.  But, then Canon Support sent me link to a different online document that showed a few different places where it might be, and there it was. 
  Is Canon like that with other problems, as well?  Or is their "batting" average better than my very limited experience? 
  I just love my Rebel T5i, and my Canon lenses (from "the Kit brothers of the Cropped Frame coral":  EF-S 18-55mm f/3.5-5.6 IS STM, and EF-S 70-300mm f/4-5.6 IS USM; to the "Truly Nifty Fifty", the 50mm f/1.4 USM, [the f/1.8 is just a "thrifty fifty"], and finally, the "Super-Macro" MP-E 65mm f/2.8 1x-5x Macro)! 
  Regards and Thanks,
  Calen
  As an old friend used to always say,
  "Keep Looking Up!"
  Calen

  Hi Danny.  Thanks for replying.
  I only use my desktop PC to access Canon's web site, and I've been using Mozilla Firefox for years.  And, yes, it is the latest version.  Since Canon REFUSES to support the use of Firefox on it's web site, WHAT BROWSER DOES CANON SUPPORT?  WHEN did Canon STOP SUPPORTING Firefox?
  I've been told that there are 2 pending orders in my account.  Yet, I NEVER placed those orders!  WHY CAN'T CANON SEE THAT THIS IS A PROBLEM??? 
  Instead of off-target suggestions, and pasted boilerplate REFUSALS TO EVEN LOOK at this issue, I would prefer it if Canon went "old school", and FIXED THE PROBLEM, in the first place!  But, maybe that's a bit too grown up of an answer for you! 
  "Award-winning" support???   And, just exactly WHAT AWARD did Canon "support" WIN for CONSISTANTLY IGNORING REPORTED PROBLEMS???  The OSTRICH?
  Please pull your head out, and FIX this problem, OR YOU ARE THE PROBLEM!!!
  Thank you for your "prompt" attention to this matter!
  Calen
  As an old friend used to always say,
  "Keep Looking Up!"
  Calen

• IPod Classic 160GB film library sync problem -  trying to sync films that have converted from purchased DVD to mp4 format locally, not purchases from the online store - all other libraries sync perfect - why?

  Hello Apple and the iTunes Windows PC users community.
  I am trying to sync films that I have converted from purchased DVD to mp4 format locally, not purchases from the online store. The mp4s all appear and play successfully in my iTunes application but will not sync across to the iPod film library folder.
  For your information: I am using iTunes 11.1.3.8 on a Windows 7 64bit machine with 500GB hard disk and 8GB of Ram in the UK.
  I have restored the iPod classic 160GB three times now to see if it was a hardware problem with no joy. Each time all the music restores properly as do the podcasts and all the items in TV programmes all appear to sync and work fine.
  I have also tried to copy films into the TV Programmes to get around it with no joy. They always go to the films section to start with. It is just the Films library that does not sync - all others work perfectly. As a last resort I have uninstalled and re-installed iTunes with no joy either.
  I am technically savvy and have gone through the itunes and ipod settings but nothing appears to make a difference - This is the first time I have had to post here as I can usually solve the majority of the ipod anomilies but this one has me flummoxed.
  Has the film encoding type changed in the newest itunes update? - Has this happened to anybody else and is it a hardware, software, or operating system problem.

  Having uninstalled the current version 11.1.3.8 and loaded and older version of iTunes 10.7.0.21 I can now categorically confirm that the newest update seems to be causing the problem as the films and TV Programmes are syncing perfectly on this older version.
  If you are going to do this please dont forget to remove the  ' iTunes Library.itl' file as this stops the older versions from running as I've just found out

• My wifi is not working. It has no indication. I am living in Indonesia but I bought my iphone from apple online store. Can anyone help me how to fix my problem?

  My wifi is not working. It has no indication. I am living in Indonesia but I bought my iphone from apple online store. Can anyone help me how to fix my problem?

  The No Service means there is a problem with cellular service. You mention wifi in your title. Which is it you are having trouble with? What happens when you switch on and off as you state in your post? Are you saying that wifi does not connect while at home either?

• Hi, I have problems in ordering book from iPhoto. It says "problems in getting contact with Apple Online Store" I have changed password on my Apple ID - could that be the problem ??

  Hi, I have problems in ordering book from iPhoto. It says "problems in getting contact with Apple Online Store" I have changed password on my Apple ID - could that be the problem ??

  Some additional efforts you can try:
  Go to the System/Sharing preference pane and make sure Remote Apple Events is checked.
  If it is, uncheck it and then recheck and try ordering again.
  OT

• When ordering a project I'm getting a message " an error occurred while contacting the Apple online store. Please try again"  Can anyone please tell me why I might be getting this message and how to fix the problem.  Thank you

  When ordering a project I'm getting a message " an error occurred while contacting the Apple online store. Please try again"  Can anyone please tell me why I might be getting this message and how to fix the problem.  Thank you

  I've got the same problem.
  It wasn't the case before the upgrade to v 9.2 (Iphoto 11) yesterday.
  The previous solution preferences - advanced - "select a store" (last option) doesn't solve it anymore.
  Thanks!

• I cannot upload my iPhoto book to the Online Store.  I get an error message that I cannot connect.  Apple support said servers are too busy. Anyone else have this problem and a solution?

  I cannot upload my iPhoto book to the Online Store.  I get an error message that I cannot connect.  Instructs me to try again later.  Apple support said servers are too busy. Anyone else have this problem and a solution?

  I get an error message that I cannot connect.  Instructs me to try again later.
  Try again later?
  LN

• ACE: SSL termination, Probe and Redirect problem

  Hello,
  I have problem with three things: -1) SSL offload, -2) probe, and -3) server redirect.
  1) I made SSL offload like shows attached file with "show run". But during going to the VIP address by the browser: https://192.168.254.143 I get window with Java error: java.lang.NullPointerException - I have to click OK on this window and then can work fine. Without SSL offload I don't have this error message in window.
  When I have SSL offload I have following configuration:
  ssl-proxy service SSL
  key klucz.pem
  cert certyfikat.pem
  serverfarm host SFARM
  rserver S1 8080
  rserver S2 8080
  policy-map multi-match SLB-POLICY
  class SLB
  ssl-proxy server SSL
  Without SSL offloading I have only this:
  serverfarm host SFARM
  rserver S1 (without 8080!)
  rserver S2
  2) Right now I have two real servers and I send traffic to them by port TCP 8080. So I made probe to check TCP 8080 port availability.:
  probe tcp TCP_8080
  port 8080
  interval 15
  passdetect interval 60
  serverfarm host SFARM
  rserver S1 8080
  probe TCP_8080
  inservice
  rserver S2 8080
  probe TCP_8080
  inservice
  I want also check port TCP 6400 availability, and I only one from port 8080 or 6400 don't work - make real server unavailable. So must work TCP port 8080 ang 6400 togethet to treat real server as operational.
  So I want to make something like this:
  probe tcp TEST
  port 8080 and 6400 !?! - ofcourse It is impossible but I want to make config with this functionality.
  How to do this?
  3) I hant to make that when I write in browser https://bo.kw.coig.biz/ = https://192.168.254.143 I want to be redirected to one of real server on address: https://bo.kw.coig.biz/businessobjects/enterprise115/desktoplaunch/InfoView/logon/logon.do
  I made something like this:
  rserver redirect S3
  webhost-redirection https://%h/businessobjects/enterprise115/desktoplaunch/InfoView/logon/logon.do 302
  inservice
  serverfarm redirect REDIRECT
  rserver S3
  inservice
  policy-map type loadbalance first-match POLICY-TYPE
  class class-default
  serverfarm REDIRECT
  But this configuration dosn't work. I have in browser window with error messeging.
  How to do this?

  1/ this is a java problem.
  Java is telling you that it attempted to use a null pointer. You need to check with the people who created the java program
  2/ you can configure multiple tcp probe, one for each port you need to monitor and assign all the probes to the serverfarm.
  BTW, you can assign the problem to the entire serverfarm so you don't need to specify it for each rserver.
  3/ the problem with your redirect is that you applied to class-default.
  So even a request to ...../logon will be redirected to ...../logon.
  Therefore you just created a nice loop.
  You need to create a class-map to only match the url "/" so the redirect is only applied then.
  Gilles.

• "There was a problem communicating with the Apple Online Store. Please try again."

  When I try to order prints on my Macbook I get the error .... "There was a problem communicating with the Apple Online Store. Please try again."  I've gotten this error for a few days.  When I try the same thing with my wife's Macbook Pro there are no issues.  How do I fix the problem on m Macbook?

  I found the problem thanks to some help given.
  Go to iPhoto menu -> Preferences... -> Advanced -> > Print Products Store  was set to "none". I changed that to my own country and then it worked, I could place the order.
  Thanks a lot!

• IPhoto 2014 Ordering prints, problems communicating with apple online store

  iPhoto v. 9.5.1
  When I'm trying to order prints directly from within iPhoto, i get this error "There was a problem communicating with the Apple Online Store. Please try again."
  I tried:
  - Booting from safe mode
  - Calling tech support
  - Reinstalling iPhoto
  - This guide: http://b.rthr.me/wp/?p=356
  The only thing that are partly working is changing country iPhoto > Preferences > Advanced > Print Product Store.
  If i change from Denmark to Germany or UK, i get the check out screen - but I can't pay with a danish credit card or choose to have the package send to Denmark.
  Any ideas?

  The following are two fixes posted by other users that helped them:
  #1
  go to the System/Sharing preference pane and make sure Remote Apple Events is checked.
  If it is, uncheck it and then recheck and try ordering again.
  #2
  Quit iPhoto.
  From the Finder menu bar, choose Go > Utilities to access your Utilities folder (or press Shift-Command-U).
  In your Utilities folder, open Keychain Access.
  Find the "NetServices" entry in your Keychain Access window.
  Select the "NetServices" entry and press the delete key.
  Reopen iPhoto and attempt to place your order again.
  You should be prompted to enter your account information if you deleted the Keychain entry successfully.
  After entering your account information, you should be able to complete your order.
  OT

• Problem in uploading Online store sample project script

  I am not able to upload "online store" sample project script. The Appex (3.0.1) I am using flashes a message that the script size is exceeding the limit.
  Anybody, please help me.
  Jayashree.
  Message was edited by:
  user589027

  Are you 'uploading' it as a script? It is an export file and needs to be imported.
  1. Unzip and extract all files
  2. Access your target Workspace
  3. Select the Application Builder
  4. Click [Import >]
  5. Browse and locate the installer file, online_store_installer_0.9.sql
  6. When prompted, select to install supporting objects
  -- Sharon

• ACE SSL - Modifying certs and keys

  I'm having a problem updating the certs and keys I have in my ssl-proxy service.
  My cert is about to expire and I've purchased a new cert. I've uploaded the new cert and key, but I still see the old cert when I go to the VIP with my browser. I thought that by deleting the proxy-service and re-adding I could get the ACE to recognize that it's got new certs but that didn't seem to work.
  Is there a trick to make the ACE see the new certs? Does it cache the certs instead of reading them from flash? What's going on here.
  Thanks!

  I changed my certs hot while the application was still running worked like a charm.
  What i did was.
  - import the new certificate into the crypto store (pkcs12)
  - prepare a textfile with the necessary commands
  no key old
  key new
  no cert old
  cert new
  - paste the commands into the running config.
  I had several Customers and Application Admins test the App. while i was changing certs. They didn't even notice something happened. After approx. 60 seconds all new connections were using the new cert old connections were using the old cert. No trouble at all.
  And yes the ACE caches the certs if i am not mistaken.
  If you want to make sure that it works just create a test context or try it on a test farm first. That's what i did prior to changing the certs and the config on the production enviroment.
  Hope it helps.
  Roble

• ACE SSL terminate not working ... please help

  Hello, I configured cisco ace 4710 with ssl-proxy and it is not working, but http://10.1.40.2 and http://10.1.40.3 is OK.  When i put https://10.1.41.20 the output is: "There is a problem with this website's security certificate", so i click in "Continue to this website (not recommended)" and the ace dont balance the output show error "Internet Explorer cannot display the webpage".
  The configuration:
  ace-demo/Admin# sh run
  Generating configuration....
  boot system image:c4710ace-mz.A3_2_4.bin
  boot system image:c4710ace-mz.A3_2_1.bin
  login timeout 0
  hostname ace-demo
  interface gigabitEthernet 1/1
    channel-group 1
    no shutdown
  interface gigabitEthernet 1/2
    channel-group 1
    no shutdown
  interface gigabitEthernet 1/3
    channel-group 1
    no shutdown
  interface gigabitEthernet 1/4
    channel-group 1
    no shutdown
  interface port-channel 1
    switchport trunk allowed vlan 400-401,450
    no shutdown
  crypto csr-params testparams
    country PE
    state Lima
    locality Lima
    organization-name TI
    organization-unit TI
    common-name www.yyy.com
    serial-number 1000
  access-list anyone line 8 extended permit ip any any
  access-list anyone line 16 extended permit icmp any any
  parameter-map type ssl sslparams
    cipher RSA_WITH_RC4_128_MD5
    version SSL3
  rserver host rsrv1
    ip address 10.1.40.2
    inservice
  rserver host rsrv2
    ip address 10.1.40.3
    inservice
  serverfarm host farm-demo
    rserver rsrv1
      inservice
    rserver rsrv2
      inservice
  serverfarm host site-A
    rserver rsrv1
      inservice
  serverfarm host site-B
    rserver rsrv2
      inservice
  ssl-proxy service testssl
    key testkey.key
    cert testcert.pem
    ssl advanced-options sslparams
  class-map type management match-any MGMT
    2 match protocol icmp any
    3 match protocol http any
    4 match protocol https any
    5 match protocol snmp any
    6 match protocol telnet any
    7 match protocol ssh any
  class-map match-any VIP
    6 match virtual-address 10.1.41.10 any
  class-map type generic match-any WAN-site-A
    2 match source-address 192.168.10.106 255.255.255.255
    3 match source-address 192.168.10.125 255.255.255.255
  class-map type generic match-any WAN-site-B
    2 match source-address 192.168.10.96 255.255.255.255
    3 match source-address 192.168.10.93 255.255.255.255
  class-map type management match-any icmp
    2 match protocol icmp any
  class-map match-any vip-ssl-10.1.41.20
    2 match virtual-address 10.1.41.20 tcp eq https
  policy-map type management first-match ICMP
    class icmp
      permit
  policy-map type management first-match MGMT
    class MGMT
      permit
  policy-map type loadbalance first-match vip-ssl-10.1.41.20
    class class-default
      serverfarm farm-demo
  policy-map type loadbalance generic first-match lb-server
    class WAN-site-A
      serverfarm site-A
    class WAN-site-B
      serverfarm site-B
    class class-default
      serverfarm farm-demo
  policy-map multi-match client-side
    class VIP
      loadbalance vip inservice
      loadbalance policy lb-server
  policy-map multi-match lb-vip
    class vip-ssl-10.1.41.20
      loadbalance vip inservice
      loadbalance policy vip-ssl-10.1.41.20
      loadbalance vip icmp-reply
      ssl-proxy server testssl
  interface vlan 400
    description side-server
    ip address 10.1.40.1 255.255.255.0
    access-group input anyone
    service-policy input ICMP
    no shutdown
  interface vlan 401
    description side-client
    ip address 10.1.41.1 255.255.255.0
    access-group input anyone
    access-group output anyone
    service-policy input ICMP
    service-policy input client-side
    service-policy input lb-vip
    no shutdown
  interface vlan 450
    description mgmt
    ip address 10.1.45.1 255.255.255.0
    access-group input anyone
    service-policy input MGMT
    no shutdown
  ip route 192.168.10.0 255.255.255.0 10.1.45.10
  And the proof:
  ace-demo/Admin# sh serverfarm farm-demo
  serverfarm     : farm-demo, type: HOST
  total rservers : 2
                                                  ----------connections-----------
         real                  weight state        current    total      failures
     ---+---------------------+------+------------+----------+----------+---------
     rserver: rsrv1
         10.1.40.2:0           8      OPERATIONAL  0          25         19
     rserver: rsrv2
         10.1.40.3:0           8      OPERATIONAL  0          23         18
  ace-demo/Admin# sh crypto files
  Filename                                 File  File    Expor      Key/
                                           Size  Type    table      Cert
  admin                                    887   PEM     Yes         KEY
  testcert.pem                             709   PEM     Yes        CERT
  testkey.key                              497   PEM     Yes         KEY
  ace-demo/Admin#
  ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
  Status     : ACTIVE
  Interface: vlan 1 401
    service-policy: lb-vip
      class: vip-ssl-10.1.41.20
        ssl-proxy server: testssl
        loadbalance:
          L7 loadbalance policy: vip-ssl-10.1.41.20
          VIP ICMP Reply       : ENABLED
          VIP State: INSERVICE
          Persistence Rebalance: DISABLED
          curr conns       : 0         , hit count        : 38       
          dropped conns    : 18       
          client pkt count : 159       , client byte count: 12576              
          server pkt count : 16        , server byte count: 640                
          conn-rate-limit      : 0         , drop-count : 0        
          bandwidth-rate-limit : 0         , drop-count : 0        
        compression:
          bytes_in  : 0                  
          bytes_out : 0                  
          Compression ratio : 0.00%
  in other time:
  ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
  Status     : ACTIVE
  Interface: vlan 1 401
    service-policy: lb-vip
      class: vip-ssl-10.1.41.20
        ssl-proxy server: testssl
        loadbalance:
          L7 loadbalance policy: vip-ssl-10.1.41.20
          VIP ICMP Reply       : ENABLED
          VIP State: INSERVICE
          Persistence Rebalance: DISABLED
          curr conns       : 0         , hit count        : 170      
          dropped conns    : 89       
          client pkt count : 703       , client byte count: 60089              
          server pkt count : 85        , server byte count: 3400               
          conn-rate-limit      : 0         , drop-count : 0        
          bandwidth-rate-limit : 0         , drop-count : 0        
        compression:
          bytes_in  : 0                  
          bytes_out : 0                  
          Compression ratio : 0.00%
  ace-demo/Admin#
  ace-demo/Admin# sh stats crypto server
  +----------------------------------------------+
  +---- Crypto server termination statistics ----+
  +----------------------------------------------+
  SSLv3 negotiated protocol:                       43
  TLSv1 negotiated protocol:                        0
  SSLv3 full handshakes:                           37
  SSLv3 resumed handshakes:                         0
  SSLv3 rehandshakes:                               0
  TLSv1 full handshakes:                            0
  TLSv1 resumed handshakes:                         0
  TLSv1 rehandshakes:                               0
  SSLv3 handshake failures:                         6
  SSLv3 failures during data phase:                 0
  TLSv1 handshake failures:                         0
  TLSv1 failures during data phase:                 0
  Handshake Timeouts:                               0
  total transactions:                               0
  SSLv3 active connections:                         0
  SSLv3 connections in handshake phase:             0
  SSLv3 conns in renegotiation phase:               0
  SSLv3 connections in data phase:                  0
  TLSv1 active connections:                         0
  TLSv1 connections in handshake phase:             0
  TLSv1 conns in renegotiation phase:               0
  TLSv1 connections in data phase:                  0
  +----------------------------------------------+
  +------- Crypto server alert statistics -------+
  +----------------------------------------------+
  SSL alert CLOSE_NOTIFY rcvd:                      0
  SSL alert UNEXPECTED_MSG rcvd:                    0
  SSL alert BAD_RECORD_MAC rcvd:                    0
  SSL alert DECRYPTION_FAILED rcvd:                 0
  SSL alert RECORD_OVERFLOW rcvd:                   0
  SSL alert DECOMPRESSION_FAILED rcvd:              0
  SSL alert HANDSHAKE_FAILED rcvd:                  0
  SSL alert NO_CERTIFICATE rcvd:                    0
  SSL alert BAD_CERTIFICATE rcvd:                   0
  SSL alert UNSUPPORTED_CERTIFICATE rcvd:           0
  SSL alert CERTIFICATE_REVOKED rcvd:               0
  SSL alert CERTIFICATE_EXPIRED rcvd:               0
  SSL alert CERTIFICATE_UNKNOWN rcvd:               6
  SSL alert ILLEGAL_PARAMETER rcvd:                 0
  SSL alert UNKNOWN_CA rcvd:                        0
  SSL alert ACCESS_DENIED rcvd:                     0
  SSL alert DECODE_ERROR rcvd:                      0
  SSL alert DECRYPT_ERROR rcvd:                     0
  SSL alert EXPORT_RESTRICTION rcvd:                0
  SSL alert PROTOCOL_VERSION rcvd:                  0
  SSL alert INSUFFICIENT_SECURITY rcvd:             0
  SSL alert INTERNAL_ERROR rcvd:                    0
  SSL alert USER_CANCELED rcvd:                     0
  SSL alert NO_RENEGOTIATION rcvd:                  0
  SSL alert CLOSE_NOTIFY sent:                      0
  SSL alert UNEXPECTED_MSG sent:                    0
  SSL alert BAD_RECORD_MAC sent:                    0
  SSL alert DECRYPTION_FAILED sent:                 0
  SSL alert RECORD_OVERFLOW sent:                   0
  SSL alert DECOMPRESSION_FAILED sent:              0
  SSL alert HANDSHAKE_FAILED sent:                  0
  SSL alert NO_CERTIFICATE sent:                    0
  SSL alert BAD_CERTIFICATE sent:                   0
  SSL alert UNSUPPORTED_CERTIFICATE sent:           0
  SSL alert CERTIFICATE_REVOKED sent:               0
  SSL alert CERTIFICATE_EXPIRED sent:               0
  SSL alert CERTIFICATE_UNKNOWN sent:               0
  SSL alert ILLEGAL_PARAMETER sent:                 0
  SSL alert UNKNOWN_CA sent:                        0
  SSL alert ACCESS_DENIED sent:                     0
  SSL alert DECODE_ERROR sent:                      0
  SSL alert DECRYPT_ERROR sent:                     0
  SSL alert EXPORT_RESTRICTION sent:                0
  SSL alert PROTOCOL_VERSION sent:                 47
  SSL alert INSUFFICIENT_SECURITY sent:             0
  SSL alert INTERNAL_ERROR sent:                    0
  SSL alert USER_CANCELED sent:                     0
  SSL alert NO_RENEGOTIATION sent:                  0
  +-----------------------------------------------+
  +--- Crypto server authentication statistics ---+
  +-----------------------------------------------+
  Total SSL client authentications:                 0
  Failed SSL client authentications:                0
  SSL client authentication cache hits:             0
  SSL static CRL lookups:                           0
  SSL best effort CRL lookups:                      0
  SSL CRL lookup cache hits:                        0
  SSL revoked certificates:                         0
  Total SSL server authentications:                 0
  Failed SSL server authentications:                0
  +-----------------------------------------------+
  +------- Crypto server cipher statistics -------+
  +-----------------------------------------------+
  Cipher sslv3_rsa_rc4_128_md5:                    43
  Cipher sslv3_rsa_rc4_128_sha:                     0
  Cipher sslv3_rsa_des_cbc_sha:                     0
  Cipher sslv3_rsa_3des_ede_cbc_sha:                0
  Cipher sslv3_rsa_exp_rc4_40_md5:                  0
  Cipher sslv3_rsa_exp_des40_cbc_sha:               0
  Cipher sslv3_rsa_exp1024_rc4_56_md5:              0
  Cipher sslv3_rsa_exp1024_des_cbc_sha:             0
  Cipher sslv3_rsa_exp1024_rc4_56_sha:              0
  Cipher sslv3_rsa_aes_128_cbc_sha:                 0
  Cipher sslv3_rsa_aes_256_cbc_sha:                 0
  Cipher tlsv1_rsa_rc4_128_md5:                     0
  Cipher tlsv1_rsa_rc4_128_sha:                     0
  Cipher tlsv1_rsa_des_cbc_sha:                     0
  Cipher tlsv1_rsa_3des_ede_cbc_sha:                0
  Cipher tlsv1_rsa_exp_rc4_40_md5:                  0
  Cipher tlsv1_rsa_exp_des40_cbc_sha:               0
  Cipher tlsv1_rsa_exp1024_rc4_56_md5:              0
  Cipher tlsv1_rsa_exp1024_des_cbc_sha:             0
  Cipher tlsv1_rsa_exp1024_rc4_56_sha:              0
  Cipher tlsv1_rsa_aes_128_cbc_sha:                 0
  Cipher tlsv1_rsa_aes_256_cbc_sha:                 0
  ace-demo/Admin# crypto verify testkey.key testcert.pem
  Keypair in testkey.key matches certificate in testcert.pem.
  ace-demo/Admin#
  ace-demo/Admin#  sh conn
  total current connections : 0
  conn-id    np dir proto vlan source                destination           state
  ----------+--+---+-----+----+---------------------+---------------------+------+

  Hello Alvaro,
  The issue here is that your config is missing the clear text port the ACE should use to send the traffic to the backend servers; in this case port 80.
  Remove the rservers from the SF "farm-demo" and then configure them back like this:
  serverfarm host farm-demo
    rserver rsrv1 80
      inservice
    rserver rsrv2 80
      inservice
  That should do the trick =)
  HTH
  Pablo

• ACE SSL Terminator doesn't work

  Hi,
  I should implement a balancing HTTP and for HTTPS an  SSL terminator on my ACE.
  Public IP 22.235.121.6 port 80 --> balanced on 192.168.250.165-166 on port 8889
  Public IP 22.235.121.6 port 443 --> my ace terminate ssl and balance the traffic in clear text to 192.168.250.165-166 on port 8889
  This is the configuration:
  probe http EXAMPLE_IT_HTTP
  port 8889
  interval 5
  faildetect 2
  passdetect interval 10
  passdetect count 2
  request method get url /probe/probe.html
  expect status 200 206
  expect status 300 307
  open 1
  serverfarm host example_IT_HTTP
  failaction reassign across-interface
  predictor leastconns
  probe example_IT_HTTP
  fail-on-all
  rserver H-192.168.250.165 8889
  inservice
  rserver H-192.168.250.166 8889
  inservice
  serverfarm host example_IT_HTTPS-HTTP
  failaction reassign across-interface
  predictor leastconns
  probe example_IT_HTTP
  fail-on-all
  rserver H-192.168.250.165 8889
  inservice
  rserver H-192.168.250.166 8889
  inservice
  sticky ip-netmask 255.255.255.255 address both example-IT-HTTPS-HTTP
  timeout 60
  replicate sticky
  serverfarm example_IT_HTTPS-HTTP
  ssl-proxy service SSL_example_IT
  key example_it.key
  cert example_it.cert
  chaingroup SSL_CHAIN_example_IT
  crypto chaingroup SSL_CHAIN_example_IT
  cert example_it.ca
  class-map match-all example_IT_HTTP
  2 match virtual-address 22.235.121.6 tcp eq www
  class-map match-all example_IT_HTTPS-HTTP
  2 match virtual-address 22.235.121.6 tcp eq www
  policy-map type loadbalance first-match example_IT_HTTP-l7slb
  class class-default
  serverfarm example_IT_HTTP
  policy-map type loadbalance first-match example_IT_HTTPS-HTTP-l7slb
  class class-default
  sticky-serverfarm example-IT-HTTPS-HTTP
  policy-map multi-match int41
  class example_IT_HTTP
  loadbalance vip inservice
  loadbalance policy example_IT_HTTP-l7slb
  loadbalance vip icmp-reply active primary-inservice
  class example_IT_HTTPS-HTTP
  loadbalance vip inservice
  loadbalance policy example_IT_HTTPS-HTTP-l7slb
  loadbalance vip icmp-reply active primary-inservice
  ssl-proxy server SSL_example_IT
  the balancing on http work properly, but doesn't work the ssl termination, when I try to connect from my client in https I don't see request on the server 192.168.250.165-166 coming.
  Some show:
  balancer# sh crypto certificate all
  example_it.cert:
  Subject: /C=GB/ST=United Kingdom/L=London/O=XXXXXXXX/OU=XXXXXXXXX/CN=*.xxxx.com
  Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
  Not Before: Apr 11 00:00:00 2014 GMT
  Not After: Apr 12 23:59:59 2015 GMT
  CA Cert: FALSE
  example_it.ca:
  Subject: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
  Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
  Not Before: Nov  8 00:00:00 2006 GMT
  Not After: Jul 16 23:59:59 2036 GMT
  CA Cert: TRUE
  balancer# sh crypto session
  SSL Session Cache Stats for Context
  Number of Client Sessions: 0
  Number of Server Sessions: 0
  balancer#
  balancer# sh crypto files
  Filename File File Expor Key/
  Size Type table Cert
  cisco-sample-cert 1082 PEM Yes CERT
  cisco-sample-key 887 PEM Yes KEY
  example_it.ca 7444 PEM Yes CERT
  example_it.cert 1812 PEM Yes CERT
  example_it.key 1675 PEM Yes KEY
  balancer#
  balancer# crypto verify example_it.key example_it.cert
  Keypair in example_it.key matches certificate in example_it.cert.
  balancer#
  the show stats crypto client/server give me all 0
  Someone can help me to understand why is not working ?
  for further information please ask me
  Thanks a lot

  Hi,
  The problem is here:
  class-map match-all example_IT_HTTPS-HTTP
    2 match virtual-address 22.235.121.6 tcp eq www
  You should change it to 443 instead of WWW which means port 80.
  You will never match this class "example_IT_HTTPS-HTTP".
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.