CSS11503/ACE 4710 - SSL session id cache

I have a couple of questions.
1. I'd like to know what happens when the SSL session id cache (def 10k) gets filled on a CSS11503. Do new connections get dropped or do they still work but are they less efficient?
2. What is the cache size on an ACE4710?

The problem was caused by an incorrect nat pool. Correct Mask was 255.255.255.0.

Similar Messages

ACE 4710 & SSL Offloading

I testing the 4710 for load balancing between 2 web servers. I have the http portion working just fine but would like to get some input on the SSL portion.
We have a section of our site that requires user login and the whole session is https from when they login and when they are browsing through our site.
My questions are within the design aspects. Would this best be designed using SSL offloading and then using clear text from the ACE to the web servers? Also, what would the differences be with configuring ssl offloading with stickiness if configured with http server load balancing on the same server farm versus creating a new server farm just for https? Would end-to-end ssl be best in this scenario?
Description of the web application usage:
Users log in and their whole session is https. Users will be filling out forms, inputting data, registering for events and uploading some files.

Okay so that makes sense to me now. When the client requests an HTTPS page and the ACE terminates the connection, the ACE uses SSL rewrite/redirect to send the request back to the client so that the client still maintains the SSL connection. Otherwise it will request an HTTP page instead of the HTTPS page.
Am I correct?

ACE 4710 SSL server LB with stickiness

I will be replacing 11500 CSS which are not doing SSL termination, just load-balancing SSL sessions terminated on servers with ACE 4710.
On their CSS config, they were doing SSL-sticky. I understand the 4710 doesn't support SSL sticky, but can perform the same function by parsing the HTTP header. Has anyone done this config before and know where/how to parse the header to look for the SSL session# and stick connections to same server?
THANKS!

In Ace 2.x code GPP (Generic protocol parsing) was introduced that enables ACE to look into the Layer 4 payload.Which is how this stickiness id achieved.
details at
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/sticky.html#wp1133923
I dont think its currently available on ACE appliance yet.
Syed

ACE LB SSL Session ID in onearm mode

I am trying to set-up SSL stickyness using the session ID in a onearm configuration mode and can not access the website via the vip. I can browse to both servers directly.
The ACE is connected to a Cat 6500, via a 4 gigabit ethernet port-channel and only the management and onearm context vlan is trunked down the port-channel.
From the OneArm Mode context i am able to ping the MSFC (VLAN980) default gateway and both rservers. The rservers, Server Farm and Service Policy are all showing as in service.   I am also able to ping the vip from any device on the network.
The incoming connection is establish and nat appears to take place, although the return session is report as init.
I have posted the configuration below and was hoping someone could make a few suggestions.   One of the things i notice is on the MSFC the nat address isn't in the arp table, although, it's showing on the ACE.
logging enable
logging buffered 7
access-list everyoneline 1 extended permit ip any any
script file name SSL_PROBE_SCRIPT
probe scripted ssl443
port 443
interval 60
passdetect interval 60
script SSL_PROBE_SCRIPT
parameter-map type generic sslidparam
set max-parse-length 70
rserver host host1
ip address 192.168.20.129
inservice
rserver host host2
ip address 192.168.20.130
inservice
serverfarm host ssl-443
rserver host1
    weight 10
    probe ssl443
    inservice
rserver host2
    weight 10
    probe ssl443
    inservice
sticky layer4-payload sticky-443
timeout 720
serverfarm ssl-443
response sticky
layer4-payload offset 43 length 32 begin-pattern "\x20"
class-map type management match-any MANAGEMENT
2 match protocol icmp any
3 match protocol http any
4 match protocol https any
5 match protocol ssh any
6 match protocol telnet any
class-map match-any slb-vip
3 match virtual-address 192.168.198.50 tcp eq https
policy-map type management first-match MANAGEMENT-POLICY
class MANAGEMENT
    permit
policy-map type loadbalance generic first-match slb-vip
class class-default
    sticky-serverfarm sticky-443
policy-map multi-match SSL-STICKY
class slb-vip
    loadbalance vip inservice
    loadbalance policy slb-vip
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 980
    appl-parameter generic advanced-options sslidparam
interface vlan 980
ip address 192.168.198.4 255.255.255.0
peer ip address 192.168.198.5 255.255.255.0
access-group input everyone
nat-pool 1 192.168.198.6 192.168.198.6 netmask 255.255.255.255 pat
service-policy input MANAGEMENT-POLICY
service-policy input SSL-STICKY
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.198.1
sh conn
total current connections : 2
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
19828      1 in TCP   98   192.168.18.139:2411    192.168.198.50:443      ESTAB
19829      1 out TCP   98   192.168.20.129 :443    192.168.198.6:1059     INIT

The problem was caused by an incorrect nat pool.   Correct Mask was 255.255.255.0.

ACE 4710 SSL connection rate

What exactly happens when the SSL connection rate is exceeded. Is the connection dropped, queued or what ?
Defined as the SSL TPS. In our case 1000 but upgradeable to 5000

Hi,
The connection will be denied once the SSL connection rate is exceeded.
That can be identified by using the command :
show resource usage all
You will see something like this :
Resource Current Peak Min Max Denied
ssl-connections rate 995 1000 0 1000 28975
You will notice that the deny counter will start increasing once the rate is exceeded.
hope that helps.
regards,
Ajay Kumar

Ace 4710 SSL Proxy TLS (Beast) Mitigation

Has anyone heard if there is an upgrade path to mitigate this recent tls1.0 and sslv3 exploit?
Thanks
Darren
Sent from Cisco Technical Support iPad App

Hi Darren,
I haven't seen any official cisco comment about this yet.
Also our customers are asking for updates on this security advisory....
Edwin

ACE 4710. Unable to clear ssh sessions

Hi.
Once in the CLI of an ACE 4710, using the command "clear ssh session id" I am unable to clear/kill any of the remote ssh sessions established.
According to the administration guide, the "clear ssh .." command must clear the sessions, but it does not, or maybe I am missing something?
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/administration/guide/access.html#wp1050335
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Tabla normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
ACE/CONTEXTO_A# show ssh session-info
Session ID     Remote Host         Active Time
13728          222.98.54.158:50556   67:43:38
13732          200.44.158.70:46172   67:43:36
13735          200.44.158.70:46174   67:43:36
13737          200.44.158.70:46177   67:43:36
ACE/CONTEXTO_A#
ACE/CONTEXTO_A# clear ssh 13728
ACE/CONTEXTO_A# clear ssh 13732
ACE/CONTEXTO_A# clear ssh 13735
ACE/CONTEXTO_A# clear ssh 13737
ACE/CONTEXTO_A# show ssh session-info
Session ID     Remote Host         Active Time
13728          222.98.54.158:50556   67:43:54
13732          200.44.158.70:46172   67:43:52
13735          200.44.158.70:46174   67:43:52
13737          200.44.158.70:46177   67:43:52

Hello,
Seems to be working for me in my tests. Works in the Admin context and a user context, and when clearing connections from console connection or one of the SSH sessions.
ace-appliance-15/CTX1# sho ssh sess
Session ID     Remote Host         Active Time
24705          161.44.77.245:1586     0: 1:42
25100          161.44.77.245:1589     0: 0:27
25116          161.44.77.245:1590     0: 0:16
ace-appliance-15/CTX1# clear ssh 25116
ace-appliance-15/CTX1#
ace-appliance-15/CTX1# sho ssh sess
Session ID     Remote Host         Active Time
24705          161.44.77.245:1586     0: 2: 5
25100          161.44.77.245:1589     0: 0:50
What version of software are you running on your 4710? I am running the latest A3(2.4). Can you try this version?
Thanks,
Sean

Http.keepAlive does not turn off SSL session cache?

Hi there,
I have a web service client that uses JSSE for making web service calls via https. In an effort to debug problems, I set http.keepAlive to false, I can see from the SSL debug output that KeepAlive timer messages no longer shows up, but I still see text such as "Cached client session" and "try to reuse cached session", etc.
Should not turning off keepAlive disable the use of persistent sessions?
Thanks.
Yan

They are unrelated features.
HTTP Keep Alive allows the browser to maintain a Socket to the server and issue multiple HTTP requests over that same socket.
SSL Session caching is when an SSL Session is assigned an ID, and additional SSL connects may be established with the same ID. These additional sockets then do not need to perform the full SSL handshake, since much of the data has already been negotiated previously.

ACE 4710 transparent LB with two Caches and two routers.

Hello,
I have ACE 4710 that load balance two cach flows (bluecoat), i am doing pbr on the routers to send the traffic destined to port 80 to ACE then Cach farm. After that the Cach flow will get the page from the internet via two routers. The return traffic will match another pbr on the routers with source port 80 that will send it to the ACE then CachFlow again .....then to the users.
I am not using ip-spoofing on the CachFlow for now. In the figure attached i created a VIP 0.0.0.0 0.0.0.0 port 80 on the interface on the ACE facing the routers, but the question is do i have to create another VIP 0.0.0.0 0.0.0.0 port 80 on the interface on ACE facing the Cach Flow? or just forward the traffic on the default route? What might be the default route since i have to use two routers and i cannot use hsrp?
Kindly I need some assistance
Thank you and regards,
George
access-list PERMIT_ALL line 8 extended permit ip any any
access-list CFLOW line 8 extended permit ip any any
ip name-server 8.8.8.8
ip name-server 4.2.2.2
##################################Config for Cache Cache Servers###################
probe http CISCO_WWW_PROBE
ip address 72.163.4.161
interval 2
faildetect 2
passdetect interval 2
passdetect count 5
request method head url /index.html
expect status 200 200
exit
probe http YAHOO_WWW_PROBE
ip address 87.248.112.181
interval 2
faildetect 2
passdetect interval 2
passdetect count 5
request method head url /index.html
expect status 200 200
exit
serverfarm host TRANSPARENT_PROXY_SF
description Transparent Proxy Farm
transparent
predictor hash url
probe CISCO_WWW_PROBE
probe YAHOO_WWW_PROBE
rserver CFLOW01
    inservice
rserver CFLOW02
    inservice
exit
exit
############################################# Router Cache Farm ############################
probe icmp ICMP_PROBE
description *** Probe for icmp health monitoring ***
interval 5
faildetect 2
passdetect interval 60
passdetect count 2
exit
rserver host Router01
description Connection to Sodetel Router
ip address 192.168.14.4
probe ICMP_PROBE
inservice
rserver host Router02
description Connection to IDM Router
ip address 192.168.14.5
probe ICMP_PROBE
inservice
serverfarm host Routers
description Transparent Proxy Farm
transparent
predictor hash url
probe ICMP_PROBE
rserver Router01
    inservice
rserver Router02
    inservice
exit
exit
################################# Management################################
class-map type management match-any REMOTE_MGMT
description Allow Remote management for below protocols
8 match protocol icmp any
9 match protocol ssh source-address 172.31.13.31 255.255.255.255
10 match protocol ssh source-address 172.31.31.21 255.255.255.255
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_MGMT
    permit
class-map match-all CFLO2Internet
2 match virtual-address 0.0.0.0 0.0.0.0 any
class-map match-all TRANSPARENT_VIP_CM
2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
policy-map type loadbalance first-match TRANSPARENT_LB_PM
class class-default
    serverfarm TRANSPARENT_PROXY_SF backup Routers
policy-map type loadbalance first-match CFLO2Internet_LB
class class-default
    serverfarm Routers
policy-map multi-match CFLO2Internet_PM
class CFLO2Internet
    loadbalance vip inservice
    loadbalance policy CFLO2Internet_LB
    loadbalance vip icmp-reply active
    connection advanced-options TCP
policy-map multi-match L3L4_PM
class TRANSPARENT_VIP_CM
    loadbalance vip inservice
    loadbalance policy TRANSPARENT_LB_PM
    loadbalance vip icmp-reply active
    connection advanced-options TCP
====Interfaces======
interface vlan 11
description Interface between Routers and ACE
ip address 192.168.14.2 255.255.255.224
alias 192.168.14.1 255.255.255.224
peer ip address 192.168.14.3 255.255.255.224
no icmp-guard
access-group input PERMIT_ALL
service-policy input REMOTE_MGMT_ALLOW_POLICY
service-policy input L3L4_PM
no shutdown
interface vlan 21
description Connection to CFlow ServerFarm
ip address 192.168.12.2 255.255.255.224
alias 192.168.12.1 255.255.255.224
peer ip address 192.168.12.3 255.255.255.224
no icmp-guard
access-group input CFLOW
service-policy input CFLO2Internet_PM ------>>>> Is this necessary???
no shutdown

Hi George,
In the topology you described, only the service-policy in the interface towards the routers is necessary. For the traffic from the caches, the ACE will just forward to the default gateway.
The only problem is, as you mentioned, that you cannot use HSRP. In that case, you can still configure two default gateways, but there is no way to predict which one the ACE will use at a given time (the way it does to select the one it will use is sending an ARP request to both gateways and using the one that replies first until the ARP entry expires)
If you need to load-balance the traffic between both routers, then yes, you would need to configure a new VIP on the cache side and load-balanced to a transparent serverfarm composed of both routers.
Regards
Daniel

SSL Session cache persistence

Hello,
I've been scratching my head for while on a problem concerning SSL session caching. Upon examining memory usage of the session cache I noticed that the number of cached sessions is reset at some point while new session are created. For example sometimes at around 300 -1500 sessions the number drops to under 10. I have set the session cache size to unlimited (via SSLSessionContext.setSessionCacheSize()) and session timeout to 24 hours (via setSessionTimeout()).
I noticed that this has probably something to do with garbage collection. I made a server application that receives SSL connections and every few seconds prints the number sessions in the cache and the amount of consumed memory (in megs). I also enabled garbace collection information printing and ran java VM with a maximum heap size of 512M. I ran a client application against it that continuously initializes a new sessions. Here's what I got:
Sessions: 484     Memory: 1.7913589477539062
[GC [DefNew: 503K->4K(576K), 0.0007350 secs] 2234K->1734K(3796K), 0.0008700 secs]
[GC [DefNew: 513K->63K(576K), 0.0009260 secs] 2243K->1793K(3796K), 0.0010680 secs]
Sessions: 490     Memory: 1.7832870483398438
[GC [DefNew: 569K->37K(576K), 0.0021150 secs] 2299K->1773K(3796K), 0.0022560 secs]
Sessions: 495     Memory: 2.1244659423828125
[GC [DefNew: 543K->37K(576K), 0.0019000 secs] 2279K->1775K(3796K), 0.0034750 secs]
[GC [DefNew: 549K->57K(576K), 0.0009080 secs] 2287K->1796K(3796K), 0.0010290 secs]
[Full GC [Tenured: 1739K->1635K(3220K), 0.0865340 secs] 1962K->1635K(3796K), [Perm : 3267K->3267K(8192K)], 0.0885000 secs]
Sessions: 6     Memory: 1.7752304077148438
[GC [DefNew: 512K->58K(576K), 0.0016310 secs] 2147K->1694K(3796K), 0.0017680 secs]
[GC [DefNew: 568K->37K(576K), 0.0009750 secs] 2204K->1678K(3796K), 0.0011110 secs]
Sessions: 12     Memory: 1.7010269165039062
[GC [DefNew: 549K->56K(576K), 0.0014310 secs] 2190K->1699K(3796K), 0.0015600 secs]Notice how the number of sessions drops from 495 to 6? And in between there's a garbage collection print "[Full GC...". Why is this? Shouldn't the session cache keep the sessions until there's either too many of the them or they get too old? Here only a few minutes have elapsed and memory consumption is under control (1 to 3 megs).

In my implementation I avoid session renegotiation as
much as possible to achieve high throughput. My goal
is to preserve sessions for the entire session
timeout time. This raises a few questions:Understood, but you also have to protect the server against resource exhaustion. It's in the client's interest to cache lots of sessions for a long time; the server's interest is to conserve resources so it can keep itself running.
You actually don't want to cache all the sessions, just the 'hot' ones, so you're better off having the SessionContext remove sessions on an LRU basis by having a finite limit, rather than just letting them be GC'd. The fact that so many sessions were collected in your runs indicates pretty severe memory usage.
(1) Is there any way to tweak this behavior? For
example can make the sessions live longer by using
some GC flags for the VM? Allocate more heap space, or cache fewer sessions.
(2) How about keeping regular references to all the
sessions in my application?That would save them from GC of course. But then you'll quickly discover that you really do need a finite limit.
(3) Is the behavior of the session cache or the inner
workings of the SSL API in general documented
somewhere?Only in the source code of JSSE, and that's only a property of Sun's JRE implementation. Session caching is not even a required feature, and J2ME implementations for example generally don't do it at all.

How to install a root certificate of private CA for SSL initiation in ACE 4710 ?

Hello ACE Gurus,
We have to deploy end-to-end SSL for one of our application, but of course we won't be buying Entrust or other big name certificates for each web server : we want to use self-issued certs signed by our private CA.The topology looks like this :
Internet Client ----HTTPs_Entrust_Cert----> ACE ------HTTPs_Private_Cert------> WebServers
Maybe my search skills are soft, but I haven't found how to import a private CA certificate in the ACE, so that when the ACE initiates an SSL session with the webserver (as a client), it will recognize the Web Server's SSL Cert as valid, because he already has it in it's root store.
The only thing I've found, is how to configure the ACE to ignore the SSL authentification/validation errors, like this :
host1/Admin(config)# parameter-map type ssl SSL_PARAMMAP_SSL
host1/Admin(config-parammap-ssl)# authentication-failure ignore
Thanks for the help!
Alex.

Hi Alex,
From ACE perspective, it doesn't make differences if you are using certificates issued by your local or a "well known" CA. Moreover, if not mistaken, you have to configure authentication group whatever you are doing client or server authentication.
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html#wp1043643
Thanks,
Olivier

SSL Certificates Update Error in ACE 4710

Hi,
I am facing a problem while updating the SSL certificates in ACE 4710. Our certificate is expired and we have purchased a new certificate from CA. Moreover the common name of the certificate is also changed.
I tried importing the certificate to the repository and change the SSL proxy likewise to use the new certificate. but still the new certificate with new CN is not recognised by the clients. they can see the old certificate only. I even tried deleting and creating a new ssl proxy service with the new cert and attaching it to policy map.
but still the new certificate is not used even after a reboot,
Attaching screenshots and running config. Any help will be appreciated.
BR//Rajiv

Ravi,
Here are the procedures for updating your certificate on the ACE.
1) Create New RSA Key
2) Create CSR
3) Send CSR to CA authority for a new certificate
4) Import Certificate into the ACE
5) Change the ssl-proxy to use the new Certificate and Key
6) Remove the SSL-Proxy from the policy map and reapply
Now if you created the CSR on a different box, you will need to import both the RSA key are the certificate. Another thing you should be aware of is a possible change in the Root and intermediate certicates that are used by the CA. In your configuration, you have
crypto chaingroup iotms-chain-gr-1
cert inter-root-new
Is the the correct certificates for your cert? If so, it seems odd that there is only on certificate in the Chaingroup. Most CAs use an intermediate and and a root certificate.
Verify that you have the correct chaingroup (with the correct root and intermediate certificates).

SSL Termination in ACE 4710 not working

Hi,
I have configured a new ACE 4710 with only a sinlge context to redirect https traffic to http real servers using SSL Termination. When I do a telnet on port 443 or 80 to the VIP it works fine but when I try to open the URL it prompts me for accepting the certificate then it tries to find and establish connection to the URL but eventually dies out giving a "Page cannot be displayed error". I have done some troubleshooting and found that the connection to the VIP on 443 port is Established but the out connection from the real server to the client remains in the INIT state. I am attaching the configs and all the troubleshooting data I have collected. Pls someone help.

Yes the "server pkt count" for the "class: VIP_HTTPD_Redirect" is not incrementing and yes the servers do not have the default gateway towards the ACE.So as suggested I have configured default route in the servers towards the ACE interface vlan ip address. Still the server packet count is not incrementing. I am posting the updated configuration of the ACE as an attachment. Pls help.

ACE 3.0(0) SW / LB with SSL Session-ID

Hello!
I want to use "SSL Session-ID" sticky method in load-balancing, but can't find any info about it in 3.0(0)A1(2) sw configuration guides. Where i can find info about it? Or this method is supported only in old A2(1.0) release?
Thanks.

SSL Session ID Sticky to ensure Client Persistence
1. Demonstrate the ability to provide stickiness using SSL
Session ID. To do this you will need to the Generic Protocol Parsing
framework on ACE. With the right regular expression you will be successful!!
2. Before you begin to configure the SSL Sticky group, be sure that
you have allocated resources to the sticky group. Note this done in the
Admin context.
resource-class cart
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 1.00 maximum equal-to-min
context Lab-Cart-11
allocate-interface vlan 211
allocate-interface vlan 411
member cart
3. Create an SSL-v3 sticky group and associate the serverfarm. Good
idea to configure a sticky timeout value. This specifies the period of time
that the ACE keeps the sticky information in the sticky table. Note the ACE
resets the timer each time ACE opens connections matching that entry. Also
configure the Layer 4 sticky parameters for 32 bytes session ID.
sticky layer4-payload ssl-v3
timeout 600
serverfarm HTTPS-FARM
response sticky
layer4-payload offset 43 length 32 begin-pattern "\x20"
When a new session is established between client and server, the server
generates a session id. The session id is an arbitrary sequence of bytes.
The length of the session id is 16 bytes for SSLv2 sessions and between 1
and 32 bytes for SSLv3/TLSv1. The session id is not security critical but
must be unique for the server. Additionally, the session id is transmitted
in the clear when reusing the session so it must not contain sensitive
information.
4. Create a class-map to match the layer 4 payload.
class-map type generic match-any SSL-v3-32
2 match layer4-payload regex "\x16\x03\x00..\x01.*"
3 match layer4-payload regex "\x16\x03\x01..\x01.*"
5. Create a new generic load balance policy map and assoiciate the
sticky-serverfarm understand the class.
policy-map type loadbalance generic first-match SSL-v3-Sticky
class SSL-v3-32
sticky-serverfarm ssl-v3
6. Change to the client-vips policy map to represent the new
SSL-v3-Sticky policy you just created
policy-map multi-match client-vips
class VIP-HTTPS
loadbalance vip inservice
loadbalance policy SSL-v3-Sticky
loadbalance vip icmp-reply active
7. Verify the VIP is accessible by trying to hit the VIP.
8. View the connection using the show cons command.
Pod1-ACE/Lab-Cart-11# show conn
total current connections : 1
conn-id np dir proto vlan source destination
state
----------+--+---+-----+----+---------------------+---------------------+---
---+
10 1 in TCP 211 209.165.201.11:1115 172.16.11.190:443
ESTAB
9. Interesting I can see that the first connection has been setup. Why
is ACE not load balancing the connection to the server?
10. Great I need to configure a L7 parameter map with a max parse-length
parameter-map type generic SSL-v3
set max-parse-length 70
11. Associate the parameter map to the client-vips policy map
policy-map multi-match client-vips
class VIP-HTTPS
loadbalance vip inservice
loadbalance policy SSL-v3-Sticky
loadbalance vip icmp-reply active
appl-parameter generic advanced-options SSL-v3
12. Verify the VIP is now accessible by trying to hit the VIP.

ACE 4710 in failover - ssl offload, cert for second ACE

Hi,
I'm testing two ACE 4710 appliances that should work in active/standby mode and do ssl offload in bridged mode.
At the moment I have configured one of the devices to do basic load balancing (without ssl offload).
Now I would like to move further and configure ssl offload and configure High availability.
I read that the certificate for ssl can be localy generated on the ACE device but I couldn't find any information regarding the cert that should be used on the second ACE.
Should I generate a new cert od the standby unit or somehow use the one on the first ACE?
Is it better to first set up high availability and then configure ssl offload or vice versa?
Does anyone have a config example of ssl offload and active/standby configuration?
Thank you in advance.

You simply need to generate keys & CSR on the primary ACE. Export the Keys from Primary ACE, Import these keys to Standby ACE and once you recieve the certs from CA then simply import the cert to both ACEs.
FOllowing will be steps to achive that
On primary Ace
1. create RSA Keys
crypto generate key 2048 app1.key
2. Create CSR & send it to CA
ace/Admin(config)# crypto csr-params app1-csr
ace/Admin(config-csr-params)# common-name www.app1.com
ace/Admin(config-csr-params)# country US
ace/Admin(config-csr-params)# email [email protected]
ace/Admin(config-csr-params)# locality xyz
ace/Admin(config-csr-params)# organization-name xyz
ace/Admin(config-csr-params)# organization-unit xyz
ace/Admin(config-csr-params)# state CA
ace/Admin(config-csr-params)# serial-number 1234
ace/Admin(config-csr-params)# end
ace/Admin(config)# crypto generate csr app1-csr app1.key
(copy the result to a file)
4. Import certificate recieved from CA
crypto import terminal app1.cert
(pasted the content from the cert)
5. verify the cert & keys match
crypto verify app1.key app1.cert
6. Export the keys from Active
crypto export app1.key
(copy the result to a file)
ON Standby ACE:
1. Import the keys
crypto import terminal app1.key
2. Import the cert
crypto import terminal app1.cert
3.verify the cert & keys match
crypto verify app1.key app1.cert
Hope this helps
Syed

CSS11503/ACE 4710 - SSL session id cache

Similar Messages

Maybe you are looking for