Ace ssl-proxy problem, Online store.
Hello!
I have a problem moving our online store load balancing from the Windows NLB it runs on now to a Cisco ACE solution, and also relieving the servers of the SSL encryption and decryption of sessions.
The load balancing works as long as the session is HTTP, but when the "customer" comes to the point where they are going to pay, our shop jumps over to HTTPS, and this is where the problem appears.
The "customer" gets the certificate correctly, but the site is not displayed; the session to the shop seems to die.
Have I missed something in the config, or does anyone have any other idea why this doesn't work for me?
Appreciate any help!
My config:
(at the moment only web5 is in use)
ACE-1/CO-WEB1# show run
access-list ANY line 10 extended permit ip any any
access-list icmp line 8 extended permit icmp any any
probe http PROBE-HTTP
interval 3
passdetect interval 10
passdetect count 2
expect status 200 200
expect status 300 323
parameter-map type ssl SSLPARAMS
cipher RSA_WITH_RC4_128_MD5
rserver host vmware-server1
description testserver1
ip address 219.222.4.180
probe PROBE-HTTP
inservice
rserver host vmware-server2
description testserver 2
ip address 219.222.4.181
probe PROBE-HTTP
inservice
rserver host web5
description testserver from windows nlb
ip address 219.222.4.185
probe PROBE-HTTP
inservice
ssl-proxy service SSL-PROXY-SE
key cert-se.key
cert cert-se.pem
ssl advanced-options SSLPARAMS
serverfarm host WM-ware_servers
rserver vmware-server1
inservice
serverfarm host webtest
description testserver-farm
predictor leastconns
rserver vmware-server1 80
rserver vmware-server2 80
rserver web5
inservice
sticky ip-netmask 255.255.255.0 address source STICKY-GROUP1
timeout 60
serverfarm webtest
class-map match-all VIP-HTTP
2 match virtual-address 219.222.4.178 tcp eq www
class-map match-all VIP-HTTPS
2 match virtual-address 219.222.4.178 tcp eq https
class-map type management match-any icmp
description for icmp reply
2 match protocol icmp any
policy-map type management first-match icmp
class icmp
permit
policy-map type loadbalance first-match VIP-HTTP
class class-default
sticky-serverfarm STICKY-GROUP1
policy-map type loadbalance first-match VIP-SSL
class class-default
serverfarm webtest
policy-map multi-match SLB-VIP-HTTP
class VIP-HTTP
loadbalance vip inservice
loadbalance policy VIP-HTTP
loadbalance vip icmp-reply
class VIP-HTTPS
loadbalance vip inservice
loadbalance policy VIP-SSL
loadbalance vip icmp-reply
ssl-proxy server SSL-PROXY-SE
interface vlan 21
description ### ACE OUTSIDE mot FW ###
ip address 219.222.4.171 255.255.255.240
access-group input ANY
access-group output ANY
service-policy input icmp
service-policy input SLB-VIP-HTTP
no shutdown
interface vlan 22
description ### ACE INSIDE Gateway for Web-servers ###
ip address 219.222.4.177 255.255.255.240
access-group input ANY
access-group output ANY
service-policy input icmp
no shutdown
ip route 0.0.0.0 0.0.0.0 219.222.4.161
ACE-1/CO-WEB1#
As seen in "show conn", the sessions are established, first when I enter the site, and then when I go to payment (jumping over to SSL):
ACE-1/CO-WEB1# show conn
total current connections : 4
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
4 1 in TCP 21 219.222.0.2:49972 219.222.4.178:443 ESTAB
14 1 out TCP 22 219.222.4.185:443 219.222.0.2:49972 ESTAB
11 2 in TCP 21 219.222.0.2:49923 219.222.4.178:80 ESTAB
3 2 out TCP 22 219.222.4.185:80 219.222.0.2:49923 ESTAB
ACE-1/CO-WEB1#
Hello Krille
I had the same problem.
The HTTP probe you define will check whether the return code is
expect status 200 200
expect status 300 323
Now, if a user is accessing the https site, there will be a status like 404 in the flow; the ACE then does not establish a sticky connection, because it thinks that the flow is not OK.
The only output after the certificates is a blank site.
If you change the probing to ICMP, you will be able to access the https site and the connection is sticky. With a little tool like IE Watch you will be able to see the wrong status codes.
regards
eberhard
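To make the probe's verdict concrete, here is a small Python model, added for this thread and not Cisco's code or the poster's, of how an ACE HTTP probe turns the responses to its own GET requests into an rserver state: each response is checked against the `expect status` ranges, a server is marked FAILED only after `faildetect` consecutive misses, and it recovers only after `passdetect count` consecutive hits. The `PROBE-HTTP` block is a copy of the one in the opening post; the defaults used for the absent `faildetect` (3) and `passdetect count` (3) lines are assumptions, not values taken from the page.

```python
"""Replay of a Cisco ACE HTTP probe's pass/fail counting (added example).

Parses the `expect status` / `faildetect` / `passdetect count` lines of a
probe block and replays a sequence of HTTP status codes returned to the
probe's own requests. Only those probe responses count here; status codes
returned to a user's browser are not seen by the probe.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ProbeConfig:
    expect: List[Tuple[int, int]] = field(default_factory=list)  # inclusive ranges
    faildetect: int = 3          # assumed default when the line is absent
    passdetect_count: int = 3    # assumed default when the line is absent


def parse_probe(text: str) -> ProbeConfig:
    """Read the lines of one `probe http NAME` block (indentation optional)."""
    cfg = ProbeConfig()
    for raw in text.splitlines():
        parts = raw.split()
        if parts[:2] == ["expect", "status"] and len(parts) == 4:
            cfg.expect.append((int(parts[2]), int(parts[3])))
        elif parts[:1] == ["faildetect"] and len(parts) == 2:
            cfg.faildetect = int(parts[1])
        elif parts[:2] == ["passdetect", "count"] and len(parts) == 3:
            cfg.passdetect_count = int(parts[2])
    if not cfg.expect:
        raise ValueError("this model needs at least one 'expect status' line")
    return cfg


def status_accepted(cfg: ProbeConfig, code: int) -> bool:
    """A probe response passes when its status falls inside any expect range."""
    return any(lo <= code <= hi for lo, hi in cfg.expect)


def replay(cfg: ProbeConfig, codes: List[int]) -> List[str]:
    """Return the rserver state after each probe response, starting OPERATIONAL."""
    state, fails, passes, states = "OPERATIONAL", 0, 0, []
    for code in codes:
        if status_accepted(cfg, code):
            fails = 0
            if state == "FAILED":
                passes += 1
                if passes >= cfg.passdetect_count:
                    state, passes = "OPERATIONAL", 0
        else:
            passes = 0
            if state == "OPERATIONAL":
                fails += 1
                if fails >= cfg.faildetect:
                    state, fails = "FAILED", 0
        states.append(state)
    return states


# Copy of the probe block from the opening post.
PROBE_HTTP = """
probe http PROBE-HTTP
  interval 3
  passdetect interval 10
  passdetect count 2
  expect status 200 200
  expect status 300 323
"""

if __name__ == "__main__":
    cfg = parse_probe(PROBE_HTTP)
    print(status_accepted(cfg, 404))               # False: 404 is outside both ranges
    print(replay(cfg, [200, 404, 200]))             # a single miss leaves the server OPERATIONAL
    print(replay(cfg, [404, 404, 404, 200, 200]))   # FAILED after 3 misses, back after 2 hits
```

With this probe a single 404 returned to the probe URL does not take a server out; three in a row do, and two good responses bring it back because the post sets `passdetect count 2`. When diagnosing a case like the one above it helps to record the probe URL's status codes separately from those of the checkout pages, since only the former feed this counting.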
Similar Messages
-
ACE SSL Proxy performance issue
Hi, I've got an ACE module in a 6500 that is being used as an SSL proxy for a web service.
So the configuration is fairly basic: it matches a VIP which has been NATed from the public IP address on port 443 and load balances over a number of rservers with the server ports set to 80.
The problem is that the main web site is hosted elsewhere, and so when they switch to checkout on a secure port the browser page requests multiple https:// files.
The users are seeing very slow page loads, a considerable amount longer than the equivalent on http and more than you'd expect. The ACE is nowhere near any throughput or transaction limits.
My concern is how the session is tracked: would the ACE attempt to renegotiate with every https:// GET? I've seen example configs for stickiness inserting cookies for normal end-to-end load balancing but not with an SSL proxy configuration.
Sent from Cisco Technical Support iPad App
Hi Craig,
The SSL negotiation/handshake will happen every time a client opens a new TCP connection, i.e. comes with a different source port.
To make sure that ACE doesn't renegotiate you can try and use this command:
(config-parammap-ssl)# session-cache timeout
You can use 24 hours or any time you think is suitable.
This is basically to enable SSL session reuse. A little explanation below for your reference:
When a client connects to a server over SSL, the server creates a session for that connection. This session ID is sent as a part of the Server Hello message. This is to make things efficient, in case the client has any plans of closing the current connection and reconnecting in the near future. Most of the servers have a time out for these sessions (I think 24 hours is a common value, unless pressed for space).
When the client connects to the same server again, it can send the same session ID as a part of the Client Hello. The server will first look up whether it can find any session with that ID. If found, the same session will be reused. Thus the time spent in verifying the certs and negotiating the keys is saved. If the server cannot find a matching session, then it responds with a new session ID and its certificate in the Server Hello message. The client knows that it has to verify the cert and negotiate the key again.
A considerable amount of time is spent in validating server certs. Reusing the SSL session will save this time.
Having said that, you need to check whether the client is coming with a session ID which it got in a previous handshake or not. If it doesn't and it is a new TCP connection, then an SSL handshake will happen. Please enable that command before testing.
Also, ensure that you have allocated proper SSL resources to your context. Lack of resources can also cause dropped connections and sluggish performance.
Regards,
Kanwal
-
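The session-ID reuse described in Kanwal's reply, as a toy Python model added here (not ACE code and not the poster's): the terminating server caches the session ID it sends in the Server Hello for `session_cache_timeout` seconds and resumes when a later Client Hello presents an ID still in the cache; a client that opens a new TCP connection without presenting an ID, or whose cached entry has expired, gets a full handshake and the certificate again. Only the session-ID lookup is modelled, not the real key exchange; the class names and the 0.1 s spacing between connections are constructed for the example.

```python
"""Toy model of SSL session-ID resumption behind a terminating proxy (added example).

`TerminatingServer` stands in for the ssl-proxy service; `Browser` for a client
that may or may not present the session ID it was given earlier.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ServerHello:
    session_id: str
    resumed: bool             # True when a cached session was reused
    certificate_sent: bool    # a full handshake sends the certificate again


class TerminatingServer:
    def __init__(self, session_cache_timeout: float):
        self.timeout = session_cache_timeout
        self.cache: Dict[str, float] = {}     # session_id -> expiry time
        self.full_handshakes = 0
        self.resumed_handshakes = 0

    def handle_client_hello(self, session_id: Optional[str], now: float) -> ServerHello:
        # Drop expired entries first, as a server with a bounded cache would.
        self.cache = {sid: exp for sid, exp in self.cache.items() if exp > now}
        if session_id is not None and session_id in self.cache:
            self.resumed_handshakes += 1
            return ServerHello(session_id, resumed=True, certificate_sent=False)
        new_id = os.urandom(16).hex()          # constructed session ID
        self.cache[new_id] = now + self.timeout
        self.full_handshakes += 1
        return ServerHello(new_id, resumed=False, certificate_sent=True)


class Browser:
    """Remembers the last session ID for the server (set reuse_session=False to model a client that does not)."""
    def __init__(self, reuse_session: bool = True):
        self.reuse = reuse_session
        self.remembered: Optional[str] = None

    def open_connection(self, server: TerminatingServer, now: float) -> ServerHello:
        hello = server.handle_client_hello(self.remembered if self.reuse else None, now)
        self.remembered = hello.session_id
        return hello


def page_load(server: TerminatingServer, browser: Browser, n_connections: int,
              start: float = 0.0, spacing: float = 0.1) -> List[ServerHello]:
    """A checkout page that needs n_connections TCP connections, opened spacing seconds apart."""
    return [browser.open_connection(server, start + i * spacing) for i in range(n_connections)]


if __name__ == "__main__":
    srv = TerminatingServer(session_cache_timeout=24 * 3600)
    page_load(srv, Browser(), 6)
    print(srv.full_handshakes, srv.resumed_handshakes)     # 1 5

    srv = TerminatingServer(session_cache_timeout=24 * 3600)
    page_load(srv, Browser(reuse_session=False), 6)
    print(srv.full_handshakes, srv.resumed_handshakes)     # 6 0
```

The second run is the behaviour Kanwal asks Craig to check for: a client that arrives on each new TCP connection without a session ID pays a full handshake every time, and no cache timeout on the proxy can change that.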
Is anyone else having problems with the Canon Online Store?
In the last month or so, I've had one problem after another with the Canon Online Store; from being unable to delete items from the shopping cart; to not being able to add "in stock" items; disappearing Wish Lists; and just now, I tried to add one lens cap to the 6 or 7 items I already had in the Shopping Cart, and they disappeared.
I've called, more than once, and I've written, also more than once, to Canon Support about this, but they ignore what I tell them, and tell me there are no problems with the Online Store. They don't even seem to report to anyone that anyone has complained, because each time is "the first time", even though I've called (more than once) and written (more than once) to them about continuing Online Stores problems.
Is anyone else having problems with the Canon Online Store?
Why does Canon not care to track reported problems with the storefront part of their web-site?
I'm not trying to insult Canon, it's just that I've been a Canon customer for less than 3 months, and they're only batting .333, so far. Canon Support was very quick to respond about a concern I had about whether a 50mm f/1.4 I had just purchased was authentic or not. In trying to register that lens, I looked up on the Canon web site where to find the serial number. Since my new lens did not have any numbers there, I was concerned I had been sold a fake. But then Canon Support sent me a link to a different online document that showed a few different places where it might be, and there it was.
Is Canon like that with other problems, as well? Or is their "batting" average better than my very limited experience?
I just love my Rebel T5i, and my Canon lenses (from "the Kit brothers of the Cropped Frame coral": EF-S 18-55mm f/3.5-5.6 IS STM, and EF-S 70-300mm f/4-5.6 IS USM; to the "Truly Nifty Fifty", the 50mm f/1.4 USM, [the f/1.8 is just a "thrifty fifty"], and finally, the "Super-Macro" MP-E 65mm f/2.8 1x-5x Macro)!
Regards and Thanks,
Calen
As an old friend used to always say,
"Keep Looking Up!"
Calen
Hi Danny. Thanks for replying.
I only use my desktop PC to access Canon's web site, and I've been using Mozilla Firefox for years. And, yes, it is the latest version. Since Canon REFUSES to support the use of Firefox on its web site, WHAT BROWSER DOES CANON SUPPORT? WHEN did Canon STOP SUPPORTING Firefox?
I've been told that there are 2 pending orders in my account. Yet, I NEVER placed those orders! WHY CAN'T CANON SEE THAT THIS IS A PROBLEM???
Instead of off-target suggestions, and pasted boilerplate REFUSALS TO EVEN LOOK at this issue, I would prefer it if Canon went "old school", and FIXED THE PROBLEM, in the first place! But, maybe that's a bit too grown up of an answer for you!
"Award-winning" support??? And, just exactly WHAT AWARD did Canon "support" WIN for CONSISTENTLY IGNORING REPORTED PROBLEMS??? The OSTRICH?
Please pull your head out, and FIX this problem, OR YOU ARE THE PROBLEM!!!
Thank you for your "prompt" attention to this matter!
Calen
As an old friend used to always say,
"Keep Looking Up!"
Calen -
Hello Apple and the iTunes Windows PC users community.
I am trying to sync films that I have converted from purchased DVD to mp4 format locally, not purchases from the online store. The mp4s all appear and play successfully in my iTunes application but will not sync across to the iPod film library folder.
For your information: I am using iTunes 11.1.3.8 on a Windows 7 64bit machine with 500GB hard disk and 8GB of Ram in the UK.
I have restored the iPod classic 160GB three times now to see if it was a hardware problem with no joy. Each time all the music restores properly as do the podcasts and all the items in TV programmes all appear to sync and work fine.
I have also tried to copy films into the TV Programmes to get around it with no joy. They always go to the films section to start with. It is just the Films library that does not sync - all others work perfectly. As a last resort I have uninstalled and re-installed iTunes with no joy either.
I am technically savvy and have gone through the iTunes and iPod settings but nothing appears to make a difference. This is the first time I have had to post here, as I can usually solve the majority of the iPod anomalies, but this one has me flummoxed.
Has the film encoding type changed in the newest iTunes update? Has this happened to anybody else, and is it a hardware, software, or operating system problem?
Having uninstalled the current version 11.1.3.8 and loaded an older version of iTunes, 10.7.0.21, I can now categorically confirm that the newest update seems to be causing the problem, as the films and TV Programmes are syncing perfectly on this older version.
If you are going to do this, please don't forget to remove the 'iTunes Library.itl' file, as this stops the older versions from running, as I've just found out -
My wifi is not working. It has no indication. I am living in Indonesia but I bought my iphone from apple online store. Can anyone help me how to fix my problem?
The No Service means there is a problem with cellular service. You mention wifi in your title. Which is it you are having trouble with? What happens when you switch on and off as you state in your post? Are you saying that wifi does not connect while at home either?
-
Hi, I have problems in ordering book from iPhoto. It says "problems in getting contact with Apple Online Store" I have changed password on my Apple ID - could that be the problem ??
Some additional efforts you can try:
Go to the System/Sharing preference pane and make sure Remote Apple Events is checked.
If it is, uncheck it and then recheck and try ordering again.
OT -
When ordering a project I'm getting a message " an error occurred while contacting the Apple online store. Please try again" Can anyone please tell me why I might be getting this message and how to fix the problem. Thank you
I've got the same problem.
It wasn't the case before the upgrade to v 9.2 (Iphoto 11) yesterday.
The previous solution preferences - advanced - "select a store" (last option) doesn't solve it anymore.
Thanks! -
I cannot upload my iPhoto book to the Online Store. I get an error message that I cannot connect. Instructs me to try again later. Apple support said servers are too busy. Anyone else have this problem and a solution?
I get an error message that I cannot connect. Instructs me to try again later.
Try again later?
LN -
ACE: SSL termination, Probe and Redirect problem
Hello,
I have a problem with three things: -1) SSL offload, -2) probe, and -3) server redirect.
1) I made SSL offload as the attached file with "show run" shows. But when going to the VIP address in the browser, https://192.168.254.143, I get a window with a Java error: java.lang.NullPointerException. I have to click OK on this window and then it works fine. Without SSL offload I don't get this error message window.
When I have SSL offload I have following configuration:
ssl-proxy service SSL
key klucz.pem
cert certyfikat.pem
serverfarm host SFARM
rserver S1 8080
rserver S2 8080
policy-map multi-match SLB-POLICY
class SLB
ssl-proxy server SSL
Without SSL offloading I have only this:
serverfarm host SFARM
rserver S1 (without 8080!)
rserver S2
2) Right now I have two real servers and I send traffic to them on TCP port 8080. So I made a probe to check TCP port 8080 availability:
probe tcp TCP_8080
port 8080
interval 15
passdetect interval 60
serverfarm host SFARM
rserver S1 8080
probe TCP_8080
inservice
rserver S2 8080
probe TCP_8080
inservice
I also want to check TCP port 6400 availability, and if only one of port 8080 or 6400 doesn't work, make the real server unavailable. So TCP ports 8080 and 6400 must both work to treat the real server as operational.
So I want to make something like this:
probe tcp TEST
port 8080 and 6400 !?! - of course it is impossible, but I want to make a config with this functionality.
How to do this?
3) I want to make it so that when I type https://bo.kw.coig.biz/ = https://192.168.254.143 in the browser, I am redirected to one of the real servers at the address: https://bo.kw.coig.biz/businessobjects/enterprise115/desktoplaunch/InfoView/logon/logon.do
I made something like this:
rserver redirect S3
webhost-redirection https://%h/businessobjects/enterprise115/desktoplaunch/InfoView/logon/logon.do 302
inservice
serverfarm redirect REDIRECT
rserver S3
inservice
policy-map type loadbalance first-match POLICY-TYPE
class class-default
serverfarm REDIRECT
But this configuration doesn't work. I get a browser window with an error message.
How to do this?
1/ This is a Java problem.
Java is telling you that it attempted to use a null pointer. You need to check with the people who created the Java program.
2/ You can configure multiple TCP probes, one for each port you need to monitor, and assign all the probes to the serverfarm.
BTW, you can assign the probe to the entire serverfarm so you don't need to specify it for each rserver.
3/ The problem with your redirect is that you applied it to class-default.
So even a request to ...../logon will be redirected to ...../logon.
Therefore you just created a nice loop.
You need to create a class-map to only match the url "/" so the redirect is only applied then.
Gilles.
-
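The loop Gilles points out, as a Python model added here (not Cisco's code and not the poster's): a first-match load-balance policy is an ordered list of (url pattern, action), with `None` standing for `class class-default`, and `follow()` walks the redirects the way a browser would, reporting a loop when a path repeats. Patterns use Python `re.search`, so the root pattern is written anchored as `^/$`; check the anchoring semantics of `match http url` on your ACE release before copying the pattern across. The `%h` host part of the redirect is left out and only paths are modelled; `SFARM` and the logon path are the names from the post.

```python
"""First-match L7 policy with a redirect serverfarm: loop vs. fixed (added example)."""
import re
from typing import List, Optional, Tuple

LOGON = "/businessobjects/enterprise115/desktoplaunch/InfoView/logon/logon.do"

# (url regex, or None for class-default) -> action
Rule = Tuple[Optional[str], str]


def first_match(policy: List[Rule], path: str) -> Optional[str]:
    """Return the action of the first rule whose pattern matches the request path."""
    for pattern, action in policy:
        if pattern is None or re.search(pattern, path):
            return action
    return None


def follow(policy: List[Rule], path: str, max_hops: int = 10):
    """Follow redirects from `path`; returns (paths visited, outcome)."""
    visited = [path]
    for _ in range(max_hops):
        action = first_match(policy, path)
        if action is None:
            return visited, "DROP"              # no class matched the request
        if not action.startswith("redirect:"):
            return visited, action              # delivered to a serverfarm
        path = action[len("redirect:"):]
        if path in visited:
            return visited + [path], "LOOP"     # the browser would see a redirect loop
        visited.append(path)
    return visited, "TOO_MANY_HOPS"


# As posted: the redirect sits under class-default, so it also fires for
# requests that already ask for the logon page.
POLICY_AS_POSTED: List[Rule] = [
    (None, "redirect:" + LOGON),
]

# As suggested: a class matching only "/" gets the redirect and everything
# else falls through to the real serverfarm.
POLICY_FIXED: List[Rule] = [
    (r"^/$", "redirect:" + LOGON),
    (None, "serverfarm:SFARM"),
]

if __name__ == "__main__":
    print(follow(POLICY_AS_POSTED, "/"))   # (['/', LOGON, LOGON], 'LOOP')
    print(follow(POLICY_FIXED, "/"))       # (['/', LOGON], 'serverfarm:SFARM')
    print(follow(POLICY_FIXED, LOGON))     # ([LOGON], 'serverfarm:SFARM')
```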
"There was a problem communicating with the Apple Online Store. Please try again."
When I try to order prints on my MacBook I get the error "There was a problem communicating with the Apple Online Store. Please try again." I've gotten this error for a few days. When I try the same thing with my wife's MacBook Pro there are no issues. How do I fix the problem on my MacBook?
I found the problem thanks to some help given.
Go to iPhoto menu -> Preferences... -> Advanced -> > Print Products Store was set to "none". I changed that to my own country and then it worked, I could place the order.
Thanks a lot! -
IPhoto 2014 Ordering prints, problems communicating with apple online store
iPhoto v. 9.5.1
When I'm trying to order prints directly from within iPhoto, i get this error "There was a problem communicating with the Apple Online Store. Please try again."
I tried:
- Booting from safe mode
- Calling tech support
- Reinstalling iPhoto
- This guide: http://b.rthr.me/wp/?p=356
The only thing that is partly working is changing the country in iPhoto > Preferences > Advanced > Print Product Store.
If I change from Denmark to Germany or the UK, I get the checkout screen, but I can't pay with a Danish credit card or choose to have the package sent to Denmark.
Any ideas?
The following are two fixes posted by other users that helped them:
#1
go to the System/Sharing preference pane and make sure Remote Apple Events is checked.
If it is, uncheck it and then recheck and try ordering again.
#2
Quit iPhoto.
From the Finder menu bar, choose Go > Utilities to access your Utilities folder (or press Shift-Command-U).
In your Utilities folder, open Keychain Access.
Find the "NetServices" entry in your Keychain Access window.
Select the "NetServices" entry and press the delete key.
Reopen iPhoto and attempt to place your order again.
You should be prompted to enter your account information if you deleted the Keychain entry successfully.
After entering your account information, you should be able to complete your order.
OT -
Problem in uploading Online store sample project script
I am not able to upload "online store" sample project script. The Appex (3.0.1) I am using flashes a message that the script size is exceeding the limit.
Anybody, please help me.
Jayashree.
Message was edited by:
user589027
Are you 'uploading' it as a script? It is an export file and needs to be imported.
1. Unzip and extract all files
2. Access your target Workspace
3. Select the Application Builder
4. Click [Import >]
5. Browse and locate the installer file, online_store_installer_0.9.sql
6. When prompted, select to install supporting objects
-- Sharon -
ACE SSL - Modifying certs and keys
I'm having a problem updating the certs and keys I have in my ssl-proxy service.
My cert is about to expire and I've purchased a new cert. I've uploaded the new cert and key, but I still see the old cert when I go to the VIP with my browser. I thought that by deleting the proxy-service and re-adding I could get the ACE to recognize that it's got new certs but that didn't seem to work.
Is there a trick to make the ACE see the new certs? Does it cache the certs instead of reading them from flash? What's going on here.
Thanks!
I changed my certs hot while the application was still running; it worked like a charm.
What i did was.
- import the new certificate into the crypto store (pkcs12)
- prepare a textfile with the necessary commands
no key old
key new
no cert old
cert new
- paste the commands into the running config.
I had several customers and application admins test the app while I was changing certs. They didn't even notice something happened. After approx. 60 seconds all new connections were using the new cert; old connections were using the old cert. No trouble at all.
And yes the ACE caches the certs if i am not mistaken.
If you want to make sure that it works, just create a test context or try it on a test farm first. That's what I did prior to changing the certs and the config on the production environment.
Hope it helps.
Roble -
ACE SSL terminate not working ... please help
Hello, I configured a Cisco ACE 4710 with ssl-proxy and it is not working, but http://10.1.40.2 and http://10.1.40.3 are OK. When I put https://10.1.41.20, the output is: "There is a problem with this website's security certificate", so I click on "Continue to this website (not recommended)" and the ACE doesn't balance; the output shows the error "Internet Explorer cannot display the webpage".
The configuration:
ace-demo/Admin# sh run
Generating configuration....
boot system image:c4710ace-mz.A3_2_4.bin
boot system image:c4710ace-mz.A3_2_1.bin
login timeout 0
hostname ace-demo
interface gigabitEthernet 1/1
channel-group 1
no shutdown
interface gigabitEthernet 1/2
channel-group 1
no shutdown
interface gigabitEthernet 1/3
channel-group 1
no shutdown
interface gigabitEthernet 1/4
channel-group 1
no shutdown
interface port-channel 1
switchport trunk allowed vlan 400-401,450
no shutdown
crypto csr-params testparams
country PE
state Lima
locality Lima
organization-name TI
organization-unit TI
common-name www.yyy.com
serial-number 1000
access-list anyone line 8 extended permit ip any any
access-list anyone line 16 extended permit icmp any any
parameter-map type ssl sslparams
cipher RSA_WITH_RC4_128_MD5
version SSL3
rserver host rsrv1
ip address 10.1.40.2
inservice
rserver host rsrv2
ip address 10.1.40.3
inservice
serverfarm host farm-demo
rserver rsrv1
inservice
rserver rsrv2
inservice
serverfarm host site-A
rserver rsrv1
inservice
serverfarm host site-B
rserver rsrv2
inservice
ssl-proxy service testssl
key testkey.key
cert testcert.pem
ssl advanced-options sslparams
class-map type management match-any MGMT
2 match protocol icmp any
3 match protocol http any
4 match protocol https any
5 match protocol snmp any
6 match protocol telnet any
7 match protocol ssh any
class-map match-any VIP
6 match virtual-address 10.1.41.10 any
class-map type generic match-any WAN-site-A
2 match source-address 192.168.10.106 255.255.255.255
3 match source-address 192.168.10.125 255.255.255.255
class-map type generic match-any WAN-site-B
2 match source-address 192.168.10.96 255.255.255.255
3 match source-address 192.168.10.93 255.255.255.255
class-map type management match-any icmp
2 match protocol icmp any
class-map match-any vip-ssl-10.1.41.20
2 match virtual-address 10.1.41.20 tcp eq https
policy-map type management first-match ICMP
class icmp
permit
policy-map type management first-match MGMT
class MGMT
permit
policy-map type loadbalance first-match vip-ssl-10.1.41.20
class class-default
serverfarm farm-demo
policy-map type loadbalance generic first-match lb-server
class WAN-site-A
serverfarm site-A
class WAN-site-B
serverfarm site-B
class class-default
serverfarm farm-demo
policy-map multi-match client-side
class VIP
loadbalance vip inservice
loadbalance policy lb-server
policy-map multi-match lb-vip
class vip-ssl-10.1.41.20
loadbalance vip inservice
loadbalance policy vip-ssl-10.1.41.20
loadbalance vip icmp-reply
ssl-proxy server testssl
interface vlan 400
description side-server
ip address 10.1.40.1 255.255.255.0
access-group input anyone
service-policy input ICMP
no shutdown
interface vlan 401
description side-client
ip address 10.1.41.1 255.255.255.0
access-group input anyone
access-group output anyone
service-policy input ICMP
service-policy input client-side
service-policy input lb-vip
no shutdown
interface vlan 450
description mgmt
ip address 10.1.45.1 255.255.255.0
access-group input anyone
service-policy input MGMT
no shutdown
ip route 192.168.10.0 255.255.255.0 10.1.45.10
And the proof:
ace-demo/Admin# sh serverfarm farm-demo
serverfarm : farm-demo, type: HOST
total rservers : 2
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: rsrv1
10.1.40.2:0 8 OPERATIONAL 0 25 19
rserver: rsrv2
10.1.40.3:0 8 OPERATIONAL 0 23 18
ace-demo/Admin# sh crypto files
Filename File File Expor Key/
Size Type table Cert
admin 887 PEM Yes KEY
testcert.pem 709 PEM Yes CERT
testkey.key 497 PEM Yes KEY
ace-demo/Admin#
ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
Status : ACTIVE
Interface: vlan 1 401
service-policy: lb-vip
class: vip-ssl-10.1.41.20
ssl-proxy server: testssl
loadbalance:
L7 loadbalance policy: vip-ssl-10.1.41.20
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 38
dropped conns : 18
client pkt count : 159 , client byte count: 12576
server pkt count : 16 , server byte count: 640
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
At another time:
ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
Status : ACTIVE
Interface: vlan 1 401
service-policy: lb-vip
class: vip-ssl-10.1.41.20
ssl-proxy server: testssl
loadbalance:
L7 loadbalance policy: vip-ssl-10.1.41.20
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 170
dropped conns : 89
client pkt count : 703 , client byte count: 60089
server pkt count : 85 , server byte count: 3400
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
ace-demo/Admin#
ace-demo/Admin# sh stats crypto server
+----------------------------------------------+
+---- Crypto server termination statistics ----+
+----------------------------------------------+
SSLv3 negotiated protocol: 43
TLSv1 negotiated protocol: 0
SSLv3 full handshakes: 37
SSLv3 resumed handshakes: 0
SSLv3 rehandshakes: 0
TLSv1 full handshakes: 0
TLSv1 resumed handshakes: 0
TLSv1 rehandshakes: 0
SSLv3 handshake failures: 6
SSLv3 failures during data phase: 0
TLSv1 handshake failures: 0
TLSv1 failures during data phase: 0
Handshake Timeouts: 0
total transactions: 0
SSLv3 active connections: 0
SSLv3 connections in handshake phase: 0
SSLv3 conns in renegotiation phase: 0
SSLv3 connections in data phase: 0
TLSv1 active connections: 0
TLSv1 connections in handshake phase: 0
TLSv1 conns in renegotiation phase: 0
TLSv1 connections in data phase: 0
+----------------------------------------------+
+------- Crypto server alert statistics -------+
+----------------------------------------------+
SSL alert CLOSE_NOTIFY rcvd: 0
SSL alert UNEXPECTED_MSG rcvd: 0
SSL alert BAD_RECORD_MAC rcvd: 0
SSL alert DECRYPTION_FAILED rcvd: 0
SSL alert RECORD_OVERFLOW rcvd: 0
SSL alert DECOMPRESSION_FAILED rcvd: 0
SSL alert HANDSHAKE_FAILED rcvd: 0
SSL alert NO_CERTIFICATE rcvd: 0
SSL alert BAD_CERTIFICATE rcvd: 0
SSL alert UNSUPPORTED_CERTIFICATE rcvd: 0
SSL alert CERTIFICATE_REVOKED rcvd: 0
SSL alert CERTIFICATE_EXPIRED rcvd: 0
SSL alert CERTIFICATE_UNKNOWN rcvd: 6
SSL alert ILLEGAL_PARAMETER rcvd: 0
SSL alert UNKNOWN_CA rcvd: 0
SSL alert ACCESS_DENIED rcvd: 0
SSL alert DECODE_ERROR rcvd: 0
SSL alert DECRYPT_ERROR rcvd: 0
SSL alert EXPORT_RESTRICTION rcvd: 0
SSL alert PROTOCOL_VERSION rcvd: 0
SSL alert INSUFFICIENT_SECURITY rcvd: 0
SSL alert INTERNAL_ERROR rcvd: 0
SSL alert USER_CANCELED rcvd: 0
SSL alert NO_RENEGOTIATION rcvd: 0
SSL alert CLOSE_NOTIFY sent: 0
SSL alert UNEXPECTED_MSG sent: 0
SSL alert BAD_RECORD_MAC sent: 0
SSL alert DECRYPTION_FAILED sent: 0
SSL alert RECORD_OVERFLOW sent: 0
SSL alert DECOMPRESSION_FAILED sent: 0
SSL alert HANDSHAKE_FAILED sent: 0
SSL alert NO_CERTIFICATE sent: 0
SSL alert BAD_CERTIFICATE sent: 0
SSL alert UNSUPPORTED_CERTIFICATE sent: 0
SSL alert CERTIFICATE_REVOKED sent: 0
SSL alert CERTIFICATE_EXPIRED sent: 0
SSL alert CERTIFICATE_UNKNOWN sent: 0
SSL alert ILLEGAL_PARAMETER sent: 0
SSL alert UNKNOWN_CA sent: 0
SSL alert ACCESS_DENIED sent: 0
SSL alert DECODE_ERROR sent: 0
SSL alert DECRYPT_ERROR sent: 0
SSL alert EXPORT_RESTRICTION sent: 0
SSL alert PROTOCOL_VERSION sent: 47
SSL alert INSUFFICIENT_SECURITY sent: 0
SSL alert INTERNAL_ERROR sent: 0
SSL alert USER_CANCELED sent: 0
SSL alert NO_RENEGOTIATION sent: 0
+-----------------------------------------------+
+--- Crypto server authentication statistics ---+
+-----------------------------------------------+
Total SSL client authentications: 0
Failed SSL client authentications: 0
SSL client authentication cache hits: 0
SSL static CRL lookups: 0
SSL best effort CRL lookups: 0
SSL CRL lookup cache hits: 0
SSL revoked certificates: 0
Total SSL server authentications: 0
Failed SSL server authentications: 0
+-----------------------------------------------+
+------- Crypto server cipher statistics -------+
+-----------------------------------------------+
Cipher sslv3_rsa_rc4_128_md5: 43
Cipher sslv3_rsa_rc4_128_sha: 0
Cipher sslv3_rsa_des_cbc_sha: 0
Cipher sslv3_rsa_3des_ede_cbc_sha: 0
Cipher sslv3_rsa_exp_rc4_40_md5: 0
Cipher sslv3_rsa_exp_des40_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_md5: 0
Cipher sslv3_rsa_exp1024_des_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_sha: 0
Cipher sslv3_rsa_aes_128_cbc_sha: 0
Cipher sslv3_rsa_aes_256_cbc_sha: 0
Cipher tlsv1_rsa_rc4_128_md5: 0
Cipher tlsv1_rsa_rc4_128_sha: 0
Cipher tlsv1_rsa_des_cbc_sha: 0
Cipher tlsv1_rsa_3des_ede_cbc_sha: 0
Cipher tlsv1_rsa_exp_rc4_40_md5: 0
Cipher tlsv1_rsa_exp_des40_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_md5: 0
Cipher tlsv1_rsa_exp1024_des_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_sha: 0
Cipher tlsv1_rsa_aes_128_cbc_sha: 0
Cipher tlsv1_rsa_aes_256_cbc_sha: 0
ace-demo/Admin# crypto verify testkey.key testcert.pem
Keypair in testkey.key matches certificate in testcert.pem.
ace-demo/Admin#
ace-demo/Admin# sh conn
total current connections : 0
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
Hello Alvaro,
The issue here is that your config is missing the clear text port the ACE should use to send the traffic to the backend servers; in this case port 80.
Remove the rservers from the SF "farm-demo" and then configure them back like this:
serverfarm host farm-demo
rserver rsrv1 80
inservice
rserver rsrv2 80
inservice
That should do the trick =)
HTH
Pablo
-
ACE SSL Terminator doesn't work
Hi,
I need to implement HTTP balancing and, for HTTPS, an SSL terminator on my ACE.
Public IP 22.235.121.6 port 80 --> balanced to 192.168.250.165-166 on port 8889
Public IP 22.235.121.6 port 443 --> my ACE terminates SSL and balances the traffic in clear text to 192.168.250.165-166 on port 8889
This is the configuration:
probe http EXAMPLE_IT_HTTP
port 8889
interval 5
faildetect 2
passdetect interval 10
passdetect count 2
request method get url /probe/probe.html
expect status 200 206
expect status 300 307
open 1
serverfarm host example_IT_HTTP
failaction reassign across-interface
predictor leastconns
probe example_IT_HTTP
fail-on-all
rserver H-192.168.250.165 8889
inservice
rserver H-192.168.250.166 8889
inservice
serverfarm host example_IT_HTTPS-HTTP
failaction reassign across-interface
predictor leastconns
probe example_IT_HTTP
fail-on-all
rserver H-192.168.250.165 8889
inservice
rserver H-192.168.250.166 8889
inservice
sticky ip-netmask 255.255.255.255 address both example-IT-HTTPS-HTTP
timeout 60
replicate sticky
serverfarm example_IT_HTTPS-HTTP
ssl-proxy service SSL_example_IT
key example_it.key
cert example_it.cert
chaingroup SSL_CHAIN_example_IT
crypto chaingroup SSL_CHAIN_example_IT
cert example_it.ca
class-map match-all example_IT_HTTP
2 match virtual-address 22.235.121.6 tcp eq www
class-map match-all example_IT_HTTPS-HTTP
2 match virtual-address 22.235.121.6 tcp eq www
policy-map type loadbalance first-match example_IT_HTTP-l7slb
class class-default
serverfarm example_IT_HTTP
policy-map type loadbalance first-match example_IT_HTTPS-HTTP-l7slb
class class-default
sticky-serverfarm example-IT-HTTPS-HTTP
policy-map multi-match int41
class example_IT_HTTP
loadbalance vip inservice
loadbalance policy example_IT_HTTP-l7slb
loadbalance vip icmp-reply active primary-inservice
class example_IT_HTTPS-HTTP
loadbalance vip inservice
loadbalance policy example_IT_HTTPS-HTTP-l7slb
loadbalance vip icmp-reply active primary-inservice
ssl-proxy server SSL_example_IT
The balancing on HTTP works properly, but the SSL termination doesn't work; when I try to connect from my client over HTTPS, I don't see any request arriving at the servers 192.168.250.165-166.
Some show:
balancer# sh crypto certificate all
example_it.cert:
Subject: /C=GB/ST=United Kingdom/L=London/O=XXXXXXXX/OU=XXXXXXXXX/CN=*.xxxx.com
Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
Not Before: Apr 11 00:00:00 2014 GMT
Not After: Apr 12 23:59:59 2015 GMT
CA Cert: FALSE
example_it.ca:
Subject: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Not Before: Nov 8 00:00:00 2006 GMT
Not After: Jul 16 23:59:59 2036 GMT
CA Cert: TRUE
balancer# sh crypto session
SSL Session Cache Stats for Context
Number of Client Sessions: 0
Number of Server Sessions: 0
balancer#
balancer# sh crypto files
Filename File File Expor Key/
Size Type table Cert
cisco-sample-cert 1082 PEM Yes CERT
cisco-sample-key 887 PEM Yes KEY
example_it.ca 7444 PEM Yes CERT
example_it.cert 1812 PEM Yes CERT
example_it.key 1675 PEM Yes KEY
balancer#
balancer# crypto verify example_it.key example_it.cert
Keypair in example_it.key matches certificate in example_it.cert.
balancer#
The show stats crypto client/server gives me all 0.
Can someone help me understand why it is not working?
For further information, please ask me.
Thanks a lot
Hi,
The problem is here:
class-map match-all example_IT_HTTPS-HTTP
2 match virtual-address 22.235.121.6 tcp eq www
You should change it to 443 instead of www, which means port 80.
You will never match this class "example_IT_HTTPS-HTTP".
Regards,
Kanwal
Note: Please mark answers if they are helpful.
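The two fixes given in this thread, adding the clear-text backend port (Pablo's reply) and matching the HTTPS VIP on 443 rather than www (Kanwal's reply), can be turned into a config check. The Python below is an added example, not Cisco's code: it parses an indented `show run` by sub-mode nesting and, for each multi-match class that carries `ssl-proxy server`, flags a class-map matching `tcp eq www` or `tcp eq 80` and any host rserver behind the class's `loadbalance policy` that has no port, since the ACE then forwards the decrypted traffic to the VIP port. The `BROKEN` config is constructed (names loosely modelled on Alvaro's); `FIXED` is the same text with the two corrections applied. Run against the opening post's config, the same check flags `rserver web5`, which carries no port in `serverfarm host webtest`, and the `show conn` there indeed shows the server-side leg going to 219.222.4.185:443.

```python
"""Lint for two SSL-offload mistakes seen in this thread (added example).

For every class in a `policy-map multi-match` that carries `ssl-proxy server`:
  1. its class-map must not match `tcp eq www` / `tcp eq 80` (no TLS arrives there);
  2. every host rserver reached via its `loadbalance policy` needs an explicit
     clear-text port, or the ACE forwards decrypted traffic to the VIP port.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    text: str
    children: List["Node"] = field(default_factory=list)


def parse_config(text: str) -> List[Node]:
    """Build a tree from indentation, the way `show run` nests sub-modes."""
    root = Node("")
    stack = [(-1, root)]
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        node = Node(raw.strip())
        while stack[-1][0] >= indent:
            stack.pop()
        stack[-1][1].children.append(node)
        stack.append((indent, node))
    return root.children


def with_prefix(nodes: List[Node], prefix: str) -> List[Node]:
    return [n for n in nodes if n.text.startswith(prefix)]


def named_block(nodes: List[Node], prefix: str, name: str) -> Optional[Node]:
    """Find e.g. `serverfarm host NAME`: prefix matches and the last token is NAME."""
    return next((n for n in with_prefix(nodes, prefix) if n.text.split()[-1] == name), None)


def host_farms_for(lb_policy: Node, cfg: List[Node]) -> List[Node]:
    """Resolve `serverfarm X` / `sticky-serverfarm S` actions to `serverfarm host` blocks."""
    names: List[str] = []
    for cls in with_prefix(lb_policy.children, "class "):
        for act in cls.children:
            tokens = act.text.split()
            if tokens[0] == "serverfarm":
                names.append(tokens[1])
            elif tokens[0] == "sticky-serverfarm":
                sticky = named_block(cfg, "sticky ", tokens[1])
                if sticky:
                    names += [a.text.split()[1] for a in with_prefix(sticky.children, "serverfarm ")]
    farms = [named_block(cfg, "serverfarm host", n) for n in names]
    return [f for f in farms if f is not None]


def lint_ssl_offload(text: str) -> List[str]:
    cfg, findings = parse_config(text), []
    for pm in with_prefix(cfg, "policy-map multi-match"):
        for cls in with_prefix(pm.children, "class "):
            if not with_prefix(cls.children, "ssl-proxy server"):
                continue
            cls_name = cls.text.split()[1]
            cm = named_block(cfg, "class-map", cls_name)
            for m in (cm.children if cm else []):
                if re.search(r"\btcp eq (www|80)\b", m.text):
                    findings.append(f"{cls_name}: ssl-proxy bound to a class matching port 80 ({m.text})")
            for lb in with_prefix(cls.children, "loadbalance policy"):
                pol = named_block(cfg, "policy-map type loadbalance", lb.text.split()[-1])
                for farm in (host_farms_for(pol, cfg) if pol else []):
                    for rs in with_prefix(farm.children, "rserver "):
                        if len(rs.text.split()) < 3:
                            findings.append(f"{farm.text.split()[-1]}: '{rs.text}' has no clear-text port; "
                                            "decrypted traffic would go to the VIP port")
    return findings


# Constructed sample (not a real device's config) containing both mistakes.
BROKEN = """\
serverfarm host farm-demo
  rserver rsrv1
    inservice
class-map match-all vip-ssl
  2 match virtual-address 10.0.1.20 tcp eq www
policy-map type loadbalance first-match vip-ssl-lb
  class class-default
    serverfarm farm-demo
policy-map multi-match lb-vip
  class vip-ssl
    loadbalance vip inservice
    loadbalance policy vip-ssl-lb
    ssl-proxy server testssl
"""

# The same config with the two corrections from the replies applied.
FIXED = BROKEN.replace("tcp eq www", "tcp eq https").replace("  rserver rsrv1\n", "  rserver rsrv1 80\n")

if __name__ == "__main__":
    for finding in lint_ssl_offload(BROKEN):
        print("-", finding)
    print("fixed:", lint_ssl_offload(FIXED))   # fixed: []
```

The parser relies on the indentation `show run` emits; configs pasted with the indentation stripped, as in several posts above, need it restored before the check can follow the sub-modes.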