ACE SSL terminate not working ... please help
Hello, I configured a Cisco ACE 4710 with ssl-proxy and it is not working, but http://10.1.40.2 and http://10.1.40.3 are OK. When I go to https://10.1.41.20 the output is: "There is a problem with this website's security certificate", so I click "Continue to this website (not recommended)" and the ACE doesn't balance; the output shows the error "Internet Explorer cannot display the webpage".
The configuration:
ace-demo/Admin# sh run
Generating configuration....
boot system image:c4710ace-mz.A3_2_4.bin
boot system image:c4710ace-mz.A3_2_1.bin
login timeout 0
hostname ace-demo
interface gigabitEthernet 1/1
  channel-group 1
  no shutdown
interface gigabitEthernet 1/2
  channel-group 1
  no shutdown
interface gigabitEthernet 1/3
  channel-group 1
  no shutdown
interface gigabitEthernet 1/4
  channel-group 1
  no shutdown
interface port-channel 1
  switchport trunk allowed vlan 400-401,450
  no shutdown
crypto csr-params testparams
  country PE
  state Lima
  locality Lima
  organization-name TI
  organization-unit TI
  common-name www.yyy.com
  serial-number 1000
access-list anyone line 8 extended permit ip any any
access-list anyone line 16 extended permit icmp any any
parameter-map type ssl sslparams
  cipher RSA_WITH_RC4_128_MD5
  version SSL3
rserver host rsrv1
  ip address 10.1.40.2
  inservice
rserver host rsrv2
  ip address 10.1.40.3
  inservice
serverfarm host farm-demo
  rserver rsrv1
    inservice
  rserver rsrv2
    inservice
serverfarm host site-A
  rserver rsrv1
    inservice
serverfarm host site-B
  rserver rsrv2
    inservice
ssl-proxy service testssl
  key testkey.key
  cert testcert.pem
  ssl advanced-options sslparams
class-map type management match-any MGMT
  2 match protocol icmp any
  3 match protocol http any
  4 match protocol https any
  5 match protocol snmp any
  6 match protocol telnet any
  7 match protocol ssh any
class-map match-any VIP
  6 match virtual-address 10.1.41.10 any
class-map type generic match-any WAN-site-A
  2 match source-address 192.168.10.106 255.255.255.255
  3 match source-address 192.168.10.125 255.255.255.255
class-map type generic match-any WAN-site-B
  2 match source-address 192.168.10.96 255.255.255.255
  3 match source-address 192.168.10.93 255.255.255.255
class-map type management match-any icmp
  2 match protocol icmp any
class-map match-any vip-ssl-10.1.41.20
  2 match virtual-address 10.1.41.20 tcp eq https
policy-map type management first-match ICMP
  class icmp
    permit
policy-map type management first-match MGMT
  class MGMT
    permit
policy-map type loadbalance first-match vip-ssl-10.1.41.20
  class class-default
    serverfarm farm-demo
policy-map type loadbalance generic first-match lb-server
  class WAN-site-A
    serverfarm site-A
  class WAN-site-B
    serverfarm site-B
  class class-default
    serverfarm farm-demo
policy-map multi-match client-side
  class VIP
    loadbalance vip inservice
    loadbalance policy lb-server
policy-map multi-match lb-vip
  class vip-ssl-10.1.41.20
    loadbalance vip inservice
    loadbalance policy vip-ssl-10.1.41.20
    loadbalance vip icmp-reply
    ssl-proxy server testssl
interface vlan 400
  description side-server
  ip address 10.1.40.1 255.255.255.0
  access-group input anyone
  service-policy input ICMP
  no shutdown
interface vlan 401
  description side-client
  ip address 10.1.41.1 255.255.255.0
  access-group input anyone
  access-group output anyone
  service-policy input ICMP
  service-policy input client-side
  service-policy input lb-vip
  no shutdown
interface vlan 450
  description mgmt
  ip address 10.1.45.1 255.255.255.0
  access-group input anyone
  service-policy input MGMT
  no shutdown
ip route 192.168.10.0 255.255.255.0 10.1.45.10
And the proof:
ace-demo/Admin# sh serverfarm farm-demo
serverfarm : farm-demo, type: HOST
total rservers : 2
                                            ----------connections-----------
    real                  weight state        current    total      failures
---+---------------------+------+------------+----------+----------+---------
rserver: rsrv1
    10.1.40.2:0           8      OPERATIONAL  0          25         19
rserver: rsrv2
    10.1.40.3:0           8      OPERATIONAL  0          23         18
ace-demo/Admin# sh crypto files
Filename       File  File  Expor  Key/
               Size  Type  table  Cert
admin          887   PEM   Yes    KEY
testcert.pem   709   PEM   Yes    CERT
testkey.key    497   PEM   Yes    KEY
ace-demo/Admin#
ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
Status : ACTIVE
Interface: vlan 1 401
service-policy: lb-vip
class: vip-ssl-10.1.41.20
ssl-proxy server: testssl
loadbalance:
L7 loadbalance policy: vip-ssl-10.1.41.20
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 38
dropped conns : 18
client pkt count : 159 , client byte count: 12576
server pkt count : 16 , server byte count: 640
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
At another time:
ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
Status : ACTIVE
Interface: vlan 1 401
service-policy: lb-vip
class: vip-ssl-10.1.41.20
ssl-proxy server: testssl
loadbalance:
L7 loadbalance policy: vip-ssl-10.1.41.20
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 170
dropped conns : 89
client pkt count : 703 , client byte count: 60089
server pkt count : 85 , server byte count: 3400
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
ace-demo/Admin#
ace-demo/Admin# sh stats crypto server
+----------------------------------------------+
+---- Crypto server termination statistics ----+
+----------------------------------------------+
SSLv3 negotiated protocol: 43
TLSv1 negotiated protocol: 0
SSLv3 full handshakes: 37
SSLv3 resumed handshakes: 0
SSLv3 rehandshakes: 0
TLSv1 full handshakes: 0
TLSv1 resumed handshakes: 0
TLSv1 rehandshakes: 0
SSLv3 handshake failures: 6
SSLv3 failures during data phase: 0
TLSv1 handshake failures: 0
TLSv1 failures during data phase: 0
Handshake Timeouts: 0
total transactions: 0
SSLv3 active connections: 0
SSLv3 connections in handshake phase: 0
SSLv3 conns in renegotiation phase: 0
SSLv3 connections in data phase: 0
TLSv1 active connections: 0
TLSv1 connections in handshake phase: 0
TLSv1 conns in renegotiation phase: 0
TLSv1 connections in data phase: 0
+----------------------------------------------+
+------- Crypto server alert statistics -------+
+----------------------------------------------+
SSL alert CLOSE_NOTIFY rcvd: 0
SSL alert UNEXPECTED_MSG rcvd: 0
SSL alert BAD_RECORD_MAC rcvd: 0
SSL alert DECRYPTION_FAILED rcvd: 0
SSL alert RECORD_OVERFLOW rcvd: 0
SSL alert DECOMPRESSION_FAILED rcvd: 0
SSL alert HANDSHAKE_FAILED rcvd: 0
SSL alert NO_CERTIFICATE rcvd: 0
SSL alert BAD_CERTIFICATE rcvd: 0
SSL alert UNSUPPORTED_CERTIFICATE rcvd: 0
SSL alert CERTIFICATE_REVOKED rcvd: 0
SSL alert CERTIFICATE_EXPIRED rcvd: 0
SSL alert CERTIFICATE_UNKNOWN rcvd: 6
SSL alert ILLEGAL_PARAMETER rcvd: 0
SSL alert UNKNOWN_CA rcvd: 0
SSL alert ACCESS_DENIED rcvd: 0
SSL alert DECODE_ERROR rcvd: 0
SSL alert DECRYPT_ERROR rcvd: 0
SSL alert EXPORT_RESTRICTION rcvd: 0
SSL alert PROTOCOL_VERSION rcvd: 0
SSL alert INSUFFICIENT_SECURITY rcvd: 0
SSL alert INTERNAL_ERROR rcvd: 0
SSL alert USER_CANCELED rcvd: 0
SSL alert NO_RENEGOTIATION rcvd: 0
SSL alert CLOSE_NOTIFY sent: 0
SSL alert UNEXPECTED_MSG sent: 0
SSL alert BAD_RECORD_MAC sent: 0
SSL alert DECRYPTION_FAILED sent: 0
SSL alert RECORD_OVERFLOW sent: 0
SSL alert DECOMPRESSION_FAILED sent: 0
SSL alert HANDSHAKE_FAILED sent: 0
SSL alert NO_CERTIFICATE sent: 0
SSL alert BAD_CERTIFICATE sent: 0
SSL alert UNSUPPORTED_CERTIFICATE sent: 0
SSL alert CERTIFICATE_REVOKED sent: 0
SSL alert CERTIFICATE_EXPIRED sent: 0
SSL alert CERTIFICATE_UNKNOWN sent: 0
SSL alert ILLEGAL_PARAMETER sent: 0
SSL alert UNKNOWN_CA sent: 0
SSL alert ACCESS_DENIED sent: 0
SSL alert DECODE_ERROR sent: 0
SSL alert DECRYPT_ERROR sent: 0
SSL alert EXPORT_RESTRICTION sent: 0
SSL alert PROTOCOL_VERSION sent: 47
SSL alert INSUFFICIENT_SECURITY sent: 0
SSL alert INTERNAL_ERROR sent: 0
SSL alert USER_CANCELED sent: 0
SSL alert NO_RENEGOTIATION sent: 0
+-----------------------------------------------+
+--- Crypto server authentication statistics ---+
+-----------------------------------------------+
Total SSL client authentications: 0
Failed SSL client authentications: 0
SSL client authentication cache hits: 0
SSL static CRL lookups: 0
SSL best effort CRL lookups: 0
SSL CRL lookup cache hits: 0
SSL revoked certificates: 0
Total SSL server authentications: 0
Failed SSL server authentications: 0
+-----------------------------------------------+
+------- Crypto server cipher statistics -------+
+-----------------------------------------------+
Cipher sslv3_rsa_rc4_128_md5: 43
Cipher sslv3_rsa_rc4_128_sha: 0
Cipher sslv3_rsa_des_cbc_sha: 0
Cipher sslv3_rsa_3des_ede_cbc_sha: 0
Cipher sslv3_rsa_exp_rc4_40_md5: 0
Cipher sslv3_rsa_exp_des40_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_md5: 0
Cipher sslv3_rsa_exp1024_des_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_sha: 0
Cipher sslv3_rsa_aes_128_cbc_sha: 0
Cipher sslv3_rsa_aes_256_cbc_sha: 0
Cipher tlsv1_rsa_rc4_128_md5: 0
Cipher tlsv1_rsa_rc4_128_sha: 0
Cipher tlsv1_rsa_des_cbc_sha: 0
Cipher tlsv1_rsa_3des_ede_cbc_sha: 0
Cipher tlsv1_rsa_exp_rc4_40_md5: 0
Cipher tlsv1_rsa_exp_des40_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_md5: 0
Cipher tlsv1_rsa_exp1024_des_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_sha: 0
Cipher tlsv1_rsa_aes_128_cbc_sha: 0
Cipher tlsv1_rsa_aes_256_cbc_sha: 0
ace-demo/Admin# crypto verify testkey.key testcert.pem
Keypair in testkey.key matches certificate in testcert.pem.
ace-demo/Admin#
ace-demo/Admin# sh conn
total current connections : 0
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
Hello Alvaro,
The issue here is that your config is missing the clear text port the ACE should use to send the traffic to the backend servers; in this case port 80.
Remove the rservers from the SF "farm-demo" and then configure them back like this:
serverfarm host farm-demo
  rserver rsrv1 80
    inservice
  rserver rsrv2 80
    inservice
That should do the trick =)
HTH
Pablo
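A check for the condition described in the reply above, as an added example that is not part of the original thread and not Cisco tooling: it follows each VIP class that has `ssl-proxy server` through its loadbalance policy to the serverfarm and lists the rservers configured without a port. The function name and the trimmed sample configuration are constructed for illustration, and the parser assumes one statement per line as in the `sh run` output.

```python
import re

# Constructed excerpt of the configuration posted in this thread (only the stanzas the check needs).
SAMPLE = """\
serverfarm host farm-demo
  rserver rsrv1
  rserver rsrv2
serverfarm host site-A
  rserver rsrv1
policy-map type loadbalance first-match vip-ssl-10.1.41.20
  class class-default
    serverfarm farm-demo
policy-map type loadbalance generic first-match lb-server
  class WAN-site-A
    serverfarm site-A
policy-map multi-match client-side
  class VIP
    loadbalance policy lb-server
policy-map multi-match lb-vip
  class vip-ssl-10.1.41.20
    loadbalance policy vip-ssl-10.1.41.20
    ssl-proxy server testssl
"""

def portless_ssl_rservers(config):
    """Return sorted (vip_class, serverfarm, rserver) for port-less rservers behind ssl-proxy."""
    farms, lb_policies, vip_classes = {}, {}, {}
    ctx = cur = None  # which stanza we are inside, and the object it fills
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"serverfarm host (\S+)$", line):
            ctx, cur = "farm", farms.setdefault(m[1], {})
        elif m := re.match(r"policy-map type loadbalance (?:\S+ )*?first-match (\S+)$", line):
            ctx, cur = "lb", lb_policies.setdefault(m[1], [])
        elif re.match(r"policy-map multi-match \S+$", line):
            ctx, cur = "mm", None
        elif re.match(r"(interface|class-map|policy-map|ssl-proxy service|rserver host|parameter-map) ", line):
            ctx = cur = None  # any other top-level stanza ends the current one
        elif ctx == "farm" and (m := re.match(r"rserver (\S+)(?: (\d+))?$", line)):
            cur[m[1]] = m[2]  # None when no port follows the rserver name
        elif ctx == "lb" and (m := re.match(r"serverfarm (\S+)", line)):
            cur.append(m[1])
        elif ctx == "mm" and (m := re.match(r"class (\S+)$", line)):
            cur = vip_classes.setdefault(m[1], {"lb": None, "ssl": False})
        elif ctx == "mm" and cur is not None and (m := re.match(r"loadbalance policy (\S+)$", line)):
            cur["lb"] = m[1]
        elif ctx == "mm" and cur is not None and line.startswith("ssl-proxy server "):
            cur["ssl"] = True
    return sorted(
        (vip, farm, name)
        for vip, info in vip_classes.items() if info["ssl"]
        for farm in lb_policies.get(info["lb"], [])
        for name, port in farms.get(farm, {}).items() if port is None
    )
```

On the sample it reports rsrv1 and rsrv2 in farm-demo for the class vip-ssl-10.1.41.20 and nothing for the non-SSL class VIP. An explicit port only tells you where the ACE sends the decrypted traffic; it does not confirm that the backend listens there.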