Header Insert Statistics on SSL Module

Hi,
I use an SSL Module running SW 2.1.8. Within the output of "sh ssl-proxy stats hdr" I have a lot of "Service Errors" without any configured http header insertion policy.
Any idea what could cause this?
Any answer is appreciated.
Volker Kreisel
Header Insert Statistics:
Session Headers Inserted : 0 Custom Headers Inserted : 0
Session Id's Inserted : 0 Client Cert. Inserted : 0
Client IP/Port Inserted : 0
No End of Hdr Detected : 0 Payload no HTTP header : 0
Desc Alloc Failed : 0 Buffer Alloc Failed : 0
Client Cert Errors : 0 Malloc failed : 0
Service Errors : 28730384 Conn Entry Invalid : 0
Buffers allocated : 0 Buffers Scanned : 0
Insertion Points Found : 0 Header Overflow : 0
End of Header Found : 0 Buffers Accumulated : 0

CSCsb82589
show ssl-proxy stats hdr counter Service Errors is erroneously increment
This has been fixed in 3.1.1 and will be fixed soon in the next 2.1 release.
Regards,
Gilles.
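
A parser for the counter output quoted above, as an added example (not from the original posts and not Cisco tooling): it reads the name/value pairs and flags the pattern reported in this thread, a non-zero Service Errors counter while every other counter is zero. The `classify` labels and the all-others-zero heuristic are assumptions made for illustration.

```python
import re

# Constructed sample: the counters as quoted in the post above.
SAMPLE = """\
Header Insert Statistics:
Session Headers Inserted : 0 Custom Headers Inserted : 0
Session Id's Inserted : 0 Client Cert. Inserted : 0
Client IP/Port Inserted : 0
No End of Hdr Detected : 0 Payload no HTTP header : 0
Desc Alloc Failed : 0 Buffer Alloc Failed : 0
Client Cert Errors : 0 Malloc failed : 0
Service Errors : 28730384 Conn Entry Invalid : 0
Buffers allocated : 0 Buffers Scanned : 0
Insertion Points Found : 0 Header Overflow : 0
End of Header Found : 0 Buffers Accumulated : 0
"""

# A counter name may contain spaces, dots, apostrophes and slashes; a line
# holds one or two "name : value" pairs.
_PAIR = re.compile(r"([A-Za-z][A-Za-z0-9 .'/]*?)\s*:\s*(\d+)")


def parse_hdr_stats(text):
    """Return {counter name: int value} for every pair found in the output."""
    counters = {}
    for line in text.splitlines():
        for name, value in _PAIR.findall(line):
            counters[name] = int(value)
    return counters


def classify(counters):
    """Assumed heuristic: label the counter set for triage."""
    others = [v for k, v in counters.items() if k != "Service Errors"]
    if counters.get("Service Errors", 0) == 0 and not any(others):
        return "clean"
    if counters.get("Service Errors", 0) > 0 and not any(others):
        # Matches the thread: errors counted with no header insertion activity.
        return "service-errors-only"
    return "review"


if __name__ == "__main__":
    stats = parse_hdr_stats(SAMPLE)
    print(len(stats), "counters parsed ->", classify(stats))
```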

Similar Messages

  • ACE One-Arm Source-NAT HTTP Header Insert

    Hello ACE Gurus,
    This is probably a dumb question but I'm looking for info on HTTP Header Insert for SSL sessions.  Does the HTTP header re-write action list work for SSL traffic?  I guess I'm not clear on whether or not the header is encrypted and if the ACE can modify on an HTTPS session.  Any input would be greatly appreciated.
    /r
    Rob

    Hi Rob,
    When using HTTPS, all the data is encrypted, including the HTTP headers.
    In such a situation, if you want to insert headers (or do any other kind of L7 processing), you will have to configure the ACE to do SSL termination. Once the connection is decrypted, the ACE can do any processing it needs before sending the connection towards the server either in clear text or again using HTTPS.
    I would recommend you to have a look at the link below. This is an example of how to configure an ACE for end-to-end SSL (so, HTTPS on both sides of the ACE). In the example, the only L7 processing that is being done is matching on the URL, but it would be enough to replace that part with whatever header insertion commands you need.
    http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
    If you still need more help to understand any of the points involved in the process, please, do not hesitate to contact me again.
    Regards
    Daniel

  • How to Filter Initial Client HTTP Headers on a CSS11506 SSL module

    Is there any way to filter the initial client headers on a css11506 ssl module ?? (software version 8.1)
    This is one of the default options on the "old" SCA11000 appliances.

    Douglas, with an SSL module, the CSS can decrypt HTTPS traffic and see the cleartext HTTP traffic.
    We can then apply any rules to the header.
    I think in this case, the question referred to some data injected in the http header by the CSS and filter what data from the client certificate should be dropped or inserted.
    We currently do not have this option on the CSS.
    Gilles.

  • HTTP header insertion problem with ACE

    Hi
    I try to configure the HTTP header insertion feature based on the action-list type modify http. Unfortunately it does not work.
    The config looks like that
    action-list type modify http TEST
    header insert both Host header-value test:test.
    I added this action-list to the correct policy-map.
    When I checked the sniffer output on the server side, there is no test value in the HTTP header.
    I test the same feature based on the "insert-http" command in the policy-map and this one works.
    Could anybody help me with this problem?
    Thank you in advance
    Regards
    Lucas

    Hi Lukas,
    Add a new parameter-map named PRMAP_PERST_REBLNC and add this to the policy map using command appl-parameter http advanced-options PRMAP_PERST_REBLNC as shown below:
    action-list type modify http test-insert
      header insert both My-Header header-value test
      header insert both SSL header-value TRUE
    policy-map type loadbalance http first-match HtppInsert
      class class-default
        serverfarm linux1-80
        action test-insert
    policy-map multi-match SLB1
      class VIP-122-80
        loadbalance vip inservice
        loadbalance policy HtppInsert
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        loadbalance vip advertise metric 1
        connection advanced-options SetTos
        appl-parameter http advanced-options PRMAP_PERST_REBLNC
    parameter-map type http PRMAP_PERST_REBLNC
      persistence-rebalance
    Hope this will make all the packets get the http header inserted, not the first one only.
    If it works then please inform.
    Kind Regards.
    Sachin Garg
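
The server-side sniffer check from this thread, as an added example that is not part of the original posts and not Cisco code: it parses one captured keep-alive connection and lists the requests that arrive without the expected inserted header, which is the symptom when insertion is applied only to the first request. The capture bytes and function names are constructed for illustration; HTTP/1.x with Content-Length bodies (no chunked request bodies) is assumed.

```python
# Constructed capture of one keep-alive connection as seen on the server
# side: only the first request carries the inserted headers.
CAPTURE = (
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    b"My-Header: test\r\nSSL: TRUE\r\n\r\n"
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Content-Length: 7\r\n\r\na=1&b=2"
    b"GET /img.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
)


def split_requests(stream):
    """Yield (request_line, headers) for each request in the byte stream."""
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            raise ValueError("truncated header block at offset %d" % pos)
        lines = stream[pos:end].decode("iso-8859-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed header line: %r" % line)
            headers[name.strip().lower()] = value.strip()
        yield lines[0], headers
        # Skip the body so its bytes are not parsed as the next request.
        pos = end + 4 + int(headers.get("content-length", "0"))


def requests_missing(stream, header):
    """Return [(position, request_line)] for requests without `header`."""
    wanted = header.lower()
    return [
        (n, request_line)
        for n, (request_line, headers) in enumerate(split_requests(stream), 1)
        if wanted not in headers
    ]


if __name__ == "__main__":
    for n, line in requests_missing(CAPTURE, "My-Header"):
        print("request %d lacks My-Header: %s" % (n, line))
```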

  • CSS 115xx and SSL module.

    Good day, I have a general question on the SSL module. Currently we have a pair of CSS's handling our external site web sites. We are starting to run out of external IP addresses. If we installed the SSL module and terminated the Certificates on the CSS would we be able to read the ssl header and utilize 1 ip for multiple ssl sites?
    thx
    -Rich

    Check the URL: Overview of CSS SSL:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/configuration/ssl/guide/overview.html
    Examples of CSS SSL Configurations:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/examples.html

  • ACE: dropped conns due to header insert

    My LB is dropping connections on port 443 when I have "insert-http source header-value "%is" configured. Other ports such as 80, or 8080 are working. The config is the same for all ports.
    class-map match-any Service_VIP_Class
      4 match virtual-address 1.1.1.1 tcp eq https
    policy-map type loadbalance first-match Service_L7_Policy
      class class-default
        serverfarm Service_Serverfarm
        insert-http source header-value "%is"
    policy-map multi-match Service_LB_Policy
      class Service_VIP_Class
        loadbalance vip inservice
        loadbalance policy Service_L7_Policy
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
    I see dropped conns on the service policy. When I remove the header insertion config, it connects ok.
    Please help!

    There is no way any device (including ACE) can open an https packet to insert anything.
    Only exception:
    You offload ssl using server keys and certs. Then make changes to the decrypted packet.
    Syed

  • How many ssl modules are needed for a redundant configuration?

    Hi, apologies but I can't seem to find a definite answer for this question. I have two css 11506's set up using vip/virtual interface redundancy (active/standby). Each css 11506 has a single ssl module.
    Is this adequate for ssl redundancy? I've read in this forum that if an ssl module fails, the css will reboot causing failover to the standby css so ssl connections will simply reset and as long as I have ASR set up on the back end http content, users will not notice the failover.
    Am I correct in this thinking or do you recommend using two ssl modules in each css? Thinking there is that if one ssl module fails, there will still be a 2nd module to handle ssl traffic and the css's will not failover.
    Thanks
    -Dan

    there is no need for 2 modules.
    You would use 2 modules if you need more power [handle more connections].
    However, your assumption is incorrect.
    Nowadays, there is no device in the world [cisco and non-cisco] that can do SSL stateful failover.
    In other words, upon failure, all SSL users will have to restart their connection.
    Gilles.

  • SSL module - does server key must have a password?

    Hi,
    I'm trying to install server certificate, PEM formatted into SSL module. The key I've received is stripped of the challenge password. Is it possible to import such a key without pass? "crypto ca import server.com PEM terminal xxx" seems to not allow for this.
    tia

    Yes, the SSL module must have a password for the server key. It is not possible to import the key without the password.

  • Http header insertion with MSISDN

    Hi
    I know that we can define a http header insertion on the ACE to insert a custom header and a string in to the value. Is there a way for me to insert a dynamic string read from a database in to the value field. My exact requirement is to insert the MSISDN of mobile subscribers in to their http traffic. The MSISDN can be extracted from the Radius accounting messages.
    Any ideas, I have no clue as to how to do such a thing.
    thanks

    I don't know about this feature. I think it's not possible. ACE can insert/generate only cookie. All other L7 methods (e.g. http header) are using existing data in communication.
    MSISDN inserting to http header/uri is role of wap-gw, or something like that device in data flow process.
    martin

  • Using SSL Module to Encrypt HTTP post to external Server

    I would like to know if it's possible for a CSM with its SSL module to receive an HTTP POST from our internal web servers, encrypt that POST w/ SSL, and finally to forward the newly created SSL transmission to a remote external SSL server? If it is possible, is this good practice or is it better to let the web server do the encryption?

    this is possible.
    It is good practice if you do not want to overload your server with the heavy task of encryption/decryption.
    If your server is very powerful and far from being used to its maximum capacity, you can do it on the server.
    Another advantage of using an SSL module is that the CSM will see your request in clear text and can therefore perform some *smart* loadbalancing before it gets encrypted by the SSL module.
    [ie: cookie stickiness, url hashing, ...]
    Regards,
    Gilles.

  • How to use debug on CSM SSL module?

    I'm installing a new CSM with SSL module (WS-X6066-SLB-S-K9) and can't get the debugs to work. Actually, I enabled debugging (to troubleshoot SSL Handshake problems) but nothing shows up on the screen or in the log. Any ideas?
    mcbconmrk105d1z2-ssl#show debugging
    STE Mgr:
    STE SSL Pkt debugging is on
    STE SSL Handshake events debugging is on
    STE SSL Alert events debugging is on
    STE SSL detailed debugging is on
    STE SSL error events debugging is on
    SSL Subsystem:
    SSL Handshake Message debugging is on
    SSL Traffic debugging is on
    SSL Error debugging is on
    SSL Event debugging is on
    mcbconmrk105d1z2-ssl#show log
    Syslog logging: enabled (0 messages dropped, 31 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
    Console logging: level debugging, 254 messages logged, xml disabled
    Monitor logging: level debugging, 241 messages logged, xml disabled
    Logging to: vty4(0)
    Buffer logging: level debugging, 284 messages logged, xml disabled
    Logging Exception size (8192 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 324 message lines logged
    mcbconmrk105d1z2-ssl#
    Thanks in advance,
    Daniel

    the debug messages are displayed on a different console. The console is different depending on the type of debug.
    telnet 2001 ? FDU cpu
    telnet 2002 ? TCP cpu
    telnet 2003 ? SSL cpu
    Gilles.

  • Load Balancing with a CSM & SSL Module

    I'm trying to understand the best way to balance traffic to two servers when decrypting and re-encrypting with the CSM and an SSL module. I take the SSL traffic hitting the first CSM VIP and forward to the SSL module for decryption. Send the decrypted traffic back to another VIP on the CSM. Send the traffic to the client proxy VIP on the SSL which encrypts the traffic and forwards to the CSM VIP. That final VIP passes the traffic to the serverfarm containing the actual servers. How do I make sure the traffic is balanced between the final VIP and my servers. It seems that sticking on SSL session ID is the only way to go at that point which made decryption pointless. I feel like I'm missing something basic here.
    Thanks..

    Hi David,
    Here find some full config example for your perusal for CSM and SSL Services Module Initial Configuration Example
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml
    2nd config example to Configuring CSM to Load Balance SSL to a Farm of SCAs for One-Armed Proxy Mode
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801aca55.shtml
    Sachin garg

  • CSS with single SSL module.. balance option needed?

    Hi all,
    Quick question. If you have a CSS 11503 with one SSL offload module installed.. is there any point in using the "application ssl" and "advanced-balance ssl" options in the content rule? I can't find any info that tells me for sure but I'm guessing that these options can be used to balance between multiple ssl modules and provide stickiness to the modules etc.. but doesn't have any effect on the traffic distribution and stickiness to the backend server services?
    For example if I have a L5 content rule like the one below and only one SSL module, should I remove the "application ssl" and "advanced-balance ssl" options and just use the port 80 content rule which the ssl proxy lists offloads traffic to and apply the "advanced-balance sticky-srcip-dstport" and "balance leastconn" there ?
      content DEVCOM_TCP443_L5
        vip address x.x.x.x
        application ssl
        advanced-balance ssl
        protocol tcp
        port 443
        url "//dev.subdomain.domain.com/*"
        add service ssl_module1
        active
    I have read various forum postings and i read the CSS SSL config guide but the examples all seem to differ in their implementation.
    Many thanks
    Scott

    You're correct.
    There is no need to specify the application type as ssl and the advanced-balance method when using a single ssl module.
    Gilles.

  • CSS without SSL Module needing sticky sessions

    Hello All,
    If anyone can help with this sticky situation I'd appreciate it.
    I have a customer with a CSS11501. He does not have an SSL module installed.
    He has 2 blade servers, when he adds a web site, which is accessible over SSL, the CSS load balances client requests causing lost sessions, mostly lost pop-ups, it does not want to stick to the same server.
    I've configured the following:-
    service web1
      protocol tcp
      port 443
      keepalive type tcp
      ip address 192.168.200.50
      string web1
      active
    service web2
      protocol tcp
      port 443
      keepalive type tcp
      ip address 192.168.200.51
      string web2
      active
    content SSL_Web
      add service web1
      add service web2
      protocol tcp
      port 443
      vip address 1.2.3.4
      application ssl
      advanced-balance sticky-srcip-dstport
      active
    group web_Farm
      add service web1
      add service web2
      vip address 1.2.3.4
      active
    I was attempting to get the client to stick to the server but unfortunately, this didn't work, the CSS seems to continue to send requests to both servers and they are getting scripting errors.
    Once the customer turns off the second blade, all is ok.
    I did try adding the string value to the service and configuring 'advanced-balance arrowpoint-cookie' in the content but the clients were unable to reach any web sites.
    Best Regards Tony

    Tony,
    The config looks fine other than the "application SSL" under the content rule, and right now you are probing the servers with a tcp probe on port 80. If you want the probe to be on port 443 you should add the command "keepalive port 443" to both of the services. The CSS will default to port 80 for a tcp probe.
    Regards
    Jim

  • CSS 11150 and SSL module function

    Hi, Pro:
    Is there any way I could find what ssl module could be used on CSS11150?
    Thanks,

    there is none.
    The css111xx and css110xx are not modular so you can't add or remove anything from it.
    You will need a CSS115xx.
    Regards,
    Gilles.
