Header Insert Statistics on SSL Module
Hi,
I use an SSL Module running SW 2.1.8. Within the output of "sh ssl-proxy stats hdr" I have a lot of "Service Errors" without any configured HTTP header insertion policy.
Any idea what could cause this?
Any answer is appreciated.
Volker Kreisel
Header Insert Statistics:
Session Headers Inserted : 0 Custom Headers Inserted : 0
Session Id's Inserted : 0 Client Cert. Inserted : 0
Client IP/Port Inserted : 0
No End of Hdr Detected : 0 Payload no HTTP header : 0
Desc Alloc Failed : 0 Buffer Alloc Failed : 0
Client Cert Errors : 0 Malloc failed : 0
Service Errors : 28730384 Conn Entry Invalid : 0
Buffers allocated : 0 Buffers Scanned : 0
Insertion Points Found : 0 Header Overflow : 0
End of Header Found : 0 Buffers Accumulated : 0
CSCsb82589
show ssl-proxy stats hdr counter Service Errors is erroneously incremented
This has been fixed in 3.1.1 and will be fixed soon in the next 2.1 release.
Regards,
Gilles.
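As an added example (not part of the thread or any Cisco tooling), here is a small Python monitor that parses the "Header Insert Statistics" block above and reports the error counters. The labels are those in the posted output, the sample text is constructed from it, and because the thread only says the fix for CSCsb82589 is in 3.1.1 and an unnamed later 2.1 release, whether "Service Errors" can be believed is passed in as a flag rather than derived from a version number:

```python
import re

# Counter labels, copied from the "show ssl-proxy stats hdr" output above,
# that indicate a header-insertion failure rather than normal activity.
ERROR_COUNTERS = frozenset({
    "No End of Hdr Detected", "Payload no HTTP header",
    "Desc Alloc Failed", "Buffer Alloc Failed",
    "Client Cert Errors", "Malloc failed",
    "Service Errors", "Conn Entry Invalid", "Header Overflow",
})

# One line of output carries one or two "Label : value" pairs. Labels may
# contain spaces, apostrophes, periods and slashes, but never a colon.
_PAIR = re.compile(r"([A-Za-z][^:]*?)\s*:\s*(\d+)")


def parse_hdr_stats(text):
    """Map each counter label in a 'Header Insert Statistics' block to its value."""
    counters = {}
    for line in text.splitlines():
        for label, value in _PAIR.findall(line):
            counters[label.strip()] = int(value)
    return counters


def header_insert_alerts(counters, cscsb82589_fixed):
    """Return [(label, value)] for non-zero error counters worth acting on.

    'Service Errors' is skipped unless the running software carries the fix
    for CSCsb82589 (the reply above names 3.1.1 and a later 2.1 release but
    not which one, so the caller decides); on unfixed code it climbs on its
    own and tells you nothing. Every other error counter is always reported.
    """
    alerts = []
    for label in sorted(ERROR_COUNTERS):
        if label == "Service Errors" and not cscsb82589_fixed:
            continue
        value = counters.get(label, 0)
        if value:
            alerts.append((label, value))
    return alerts


# Constructed sample: the block as posted above, from a module running 2.1.8.
SAMPLE_2_1_8 = """\
Header Insert Statistics:
Session Headers Inserted : 0 Custom Headers Inserted : 0
Session Id's Inserted : 0 Client Cert. Inserted : 0
Client IP/Port Inserted : 0
No End of Hdr Detected : 0 Payload no HTTP header : 0
Desc Alloc Failed : 0 Buffer Alloc Failed : 0
Client Cert Errors : 0 Malloc failed : 0
Service Errors : 28730384 Conn Entry Invalid : 0
Buffers allocated : 0 Buffers Scanned : 0
Insertion Points Found : 0 Header Overflow : 0
End of Header Found : 0 Buffers Accumulated : 0
"""

# Constructed sample of what a real problem looks like: the same module
# with a header-insertion policy applied and the header overflowing.
SAMPLE_OVERFLOW = SAMPLE_2_1_8.replace("Header Overflow : 0", "Header Overflow : 17")


if __name__ == "__main__":
    counters = parse_hdr_stats(SAMPLE_2_1_8)
    print(header_insert_alerts(counters, cscsb82589_fixed=False))  # []
    print(header_insert_alerts(parse_hdr_stats(SAMPLE_OVERFLOW), cscsb82589_fixed=False))
```

Until the module runs code with the fix, alert on the remaining error counters and leave Service Errors out of dashboards; once it is upgraded, flip the flag so that a genuine rise in that counter is no longer masked.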
Similar Messages
-
ACE One-Arm Source-NAT HTTP Header Insert
Hello ACE Gurus,
This is probably a dumb question but I'm looking for info on HTTP Header Insert for SSL sessions. Does the HTTP header re-write action list work for SSL traffic? I guess I'm not clear on whether or not the header is encrypted and if the ACE can modify on an HTTPS session. Any input would be greatly appreciated.
/r
Rob
Hi Rob,
When using HTTPS, all the data is encrypted, including the HTTP headers.
In such a situation, if you want to insert headers (or do any other kind of L7 processing), you will have to configure the ACE to do SSL termination. Once the connection is decrypted, the ACE can do any processing it needs before sending the connection towards the server either in clear text or again using HTTPS.
I would recommend you have a look at the link below. This is an example of how to configure an ACE for end-to-end SSL (so, HTTPS on both sides of the ACE). In the example, the only L7 processing that is being done is matching on the URL, but it would be enough to replace that part with whatever header insertion commands you need.
http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
If you still need more help to understand any of the points involved in the process, please, do not hesitate to contact me again.
Regards
Daniel
-
How to Filter Initial Client HTTP Headers on a CSS11506 SSL module
Is there any way to filter the initial client headers on a CSS11506 SSL module? (software version 8.1)
This is one of the default options on the "old" SCA11000 appliances.
Douglas, with an SSL module, the CSS can decrypt HTTPS traffic and see the cleartext HTTP traffic.
We can then apply any rules to the header.
I think in this case, the question referred to some data injected in the HTTP header by the CSS and filtering which data from the client certificate should be dropped or inserted.
We currently do not have this option on the CSS.
Gilles.
-
HTTP header insertion problem with ACE
Hi
I try to configure the HTTP header insertion feature based on the action-list type modify http. Unfortunately it does not work.
The config looks like that
action-list type modify http TEST
header insert both Host header-value test:test.
I added this action-list to the correct policy-map.
When I checked the sniffer output on the server side, there is no test value in the HTTP header.
I test the same feature based on the "insert-http" command in the policy-map and this one works.
Could anybody help me with this problem?
Thank you in advance
Regards
Lucas
Hi Lukas,
Add a new parameter-map named PRMAP_PERST_REBLNC and add this to the policy map using command appl-parameter http advanced-options PRMAP_PERST_REBLNC as shown below:
action-list type modify http test-insert
header insert both My-Header header-value test
header insert both SSL header-value TRUE
policy-map type loadbalance http first-match HtppInsert
class class-default
serverfarm linux1-80
action test-insert
policy-map multi-match SLB1
class VIP-122-80
loadbalance vip inservice
loadbalance policy HtppInsert
loadbalance vip icmp-reply active
loadbalance vip advertise active
loadbalance vip advertise metric 1
connection advanced-options SetTos
appl-parameter http advanced-options PRMAP_PERST_REBLNC
parameter-map type http PRMAP_PERST_REBLNC
persistence-rebalance
Hope this will make all the packets be inserted with the HTTP header, not only the first one.
If it works then please inform.
Kind Regards.
Sachin Garg
-
CSS 115xx and SSL module.
Good day, I have a general question on the SSL module. Currently we have a pair of CSSs handling our external web sites. We are starting to run out of external IP addresses. If we installed the SSL module and terminated the certificates on the CSS, would we be able to read the SSL header and utilize one IP for multiple SSL sites?
thx
-Rich
Check the URL: Overview of CSS SSL:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.40/configuration/ssl/guide/overview.html
Examples of CSS SSL Configurations:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/examples.html
-
ACE: dropped conns due to header insert
My LB is dropping connections on port 443 when I have "insert-http source header-value "%is" configured. Other ports such as 80, or 8080 are working. The config is the same for all ports.
class-map match-any Service_VIP_Class
4 match virtual-address 1.1.1.1 tcp eq https
policy-map type loadbalance first-match Service_L7_Policy
class class-default
serverfarm Service_Serverfarm
insert-http source header-value "%is"
policy-map multi-match Service_LB_Policy
class Service_VIP_Class
loadbalance vip inservice
loadbalance policy Service_L7_Policy
loadbalance vip icmp-reply active
loadbalance vip advertise active
I see dropped conns on the service policy. When I remove the header insertion config, it connects ok.
Please help!
There is no way any device (including ACE) can open an HTTPS packet to insert anything.
Only exception:
You offload SSL using server keys and certs. Then make changes to the decrypted packet.
Syed
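Once the ACE terminates TLS and inserts the client address (the posted rule inserts %is, the client source address, into a header named source), the backend still has to decide when that header can be believed: anyone who reaches the server without passing through the ACE can send a header of the same name. Added example in Python, not from the thread or from Cisco: a backend-side resolver that uses the inserted header only when the TCP peer is the load balancer. The header name follows the posted config; the load-balancer address 10.0.0.5 and the sample requests are assumptions:

```python
import ipaddress

# Assumptions for this example (not from the thread): the ACE terminates TLS
# and inserts the client address as a header named "source", matching
# 'insert-http source header-value "%is"' in the config above, and the
# backend sees the ACE at the hypothetical address 10.0.0.5.
CLIENT_IP_HEADER = "source"
TRUSTED_PROXIES = frozenset({"10.0.0.5"})


def resolve_client_ip(peer_addr, headers, header_name=CLIENT_IP_HEADER,
                      trusted_proxies=TRUSTED_PROXIES):
    """Return (client_ip, how) for one request.

    how is one of:
      "header"         - trusted proxy, well-formed inserted header used
      "peer-no-header" - trusted proxy but no header (nothing was inserted,
                         e.g. the ACE passed the connection through at L4)
      "peer-untrusted" - header present but the peer is not a trusted proxy,
                         so the header could have been written by the client
      "peer-direct"    - no header, peer is not a proxy
    A malformed value from a trusted proxy raises ValueError instead of
    being handed on to logging or access control.
    """
    # HTTP header names are case-insensitive; take the first occurrence.
    value = next((v.strip() for k, v in headers
                  if k.lower() == header_name.lower()), None)

    if peer_addr not in trusted_proxies:
        return peer_addr, ("peer-untrusted" if value is not None else "peer-direct")
    if value is None:
        return peer_addr, "peer-no-header"
    try:
        return str(ipaddress.ip_address(value)), "header"
    except ValueError:
        raise ValueError(
            f"malformed {header_name} header from {peer_addr}: {value!r}") from None


# Constructed requests: (peer address, header list) as a backend would see them.
SAMPLE_REQUESTS = [
    # via the ACE, header inserted
    ("10.0.0.5", [("Host", "www.example.com"), ("Source", "203.0.113.7")]),
    # direct hit on the server with a client-supplied header of the same name
    ("198.51.100.9", [("Host", "www.example.com"), ("source", "203.0.113.7")]),
    # via the ACE but no header, as on the 443 rule before SSL termination
    ("10.0.0.5", [("Host", "www.example.com")]),
]


def resolve_all(requests=SAMPLE_REQUESTS):
    return [resolve_client_ip(peer, hdrs) for peer, hdrs in requests]


if __name__ == "__main__":
    for (peer, _), result in zip(SAMPLE_REQUESTS, resolve_all()):
        print(peer, "->", result)
```

The "peer-no-header" case is the one this thread is about: on the HTTPS rule the ACE cannot insert into the encrypted stream, so a backend that hard-requires the header would fail those requests; falling back to the peer address keeps the request working while making the missing termination visible in the logs.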
-
How many ssl modules are needed for a redundant configuration?
Hi, apologies but I can't seem to find a definite answer for this question. I have two css 11506's set up using vip/virtual interface redundancy (active/standby). Each css 11506 has a single ssl module.
Is this adequate for ssl redundancy? I've read in this forum that if an ssl module fails, the css will reboot causing failover to the standby css so ssl connections will simply reset and as long as I have ASR set up on the back end http content, users will not notice the failover.
Am I correct in this thinking or do you recommend using two ssl modules in each css? Thinking there is that if one ssl module fails, there will still be a 2nd module to handle ssl traffic and the css's will not failover.
Thanks
-Dan
There is no need for 2 modules.
You would use 2 modules if you need more power [handle more connections].
However, your assumption is incorrect.
Nowadays, there is no device in the world [Cisco and non-Cisco] that can do SSL stateful failover.
In other words, upon failure, all SSL users will have to restart their connection.
Gilles.
-
SSL module - does server key must have a password?
Hi,
I'm trying to install a server certificate, PEM formatted, into the SSL module. The key I've received is stripped of the challenge password. Is it possible to import such a key without a password? "crypto ca import server.com PEM terminal xxx" seems not to allow this.
TIA
Yes, the SSL module must have a password for the server key. It is not possible to import the key without the password.
-
Http header insertion with MSISDN
Hi
I know that we can define an HTTP header insertion on the ACE to insert a custom header and a string into the value. Is there a way for me to insert a dynamic string read from a database into the value field? My exact requirement is to insert the MSISDN of mobile subscribers into their HTTP traffic. The MSISDN can be extracted from the RADIUS accounting messages.
Any ideas, I have no clue as to how to do such a thing.
thanks
I don't know about this feature. I think it's not possible. ACE can insert/generate only cookies. All other L7 methods (e.g. HTTP header) use existing data in the communication.
Inserting the MSISDN into the HTTP header/URI is the role of a WAP gateway, or a similar device in the data flow.
martin
-
Using SSL Module to Encrypt HTTP post to external Server
I would like to know if it's possible for a CSM with its SSL module to receive an HTTP POST from our internal web servers, encrypt that POST w/ SSL, and finally to forward the newly created SSL transmission to a remote external SSL server? If it is possible, is this good practice or is it better to let the web server do the encryption?
This is possible.
It is good practice if you do not want to overload your server with the heavy task of encryption/decryption.
If your server is very powerful and far from being used to its maximum capacity, you can do it on the server.
Another advantage of using an SSL module is that the CSM will see your request in clear text and can therefore perform some *smart* load balancing before it gets encrypted by the SSL module.
[i.e.: cookie stickiness, URL hashing, ...]
Regards,
Gilles.
-
How to use debug on CSM SSL module?
I'm installing a new CSM with SSL module (WS-X6066-SLB-S-K9) and can't get the debugs to work. Actually, I enabled debugging (to troubleshoot SSL handshake problems) but nothing shows up on the screen or in the log. Any ideas?
mcbconmrk105d1z2-ssl#show debugging
STE Mgr:
STE SSL Pkt debugging is on
STE SSL Handshake events debugging is on
STE SSL Alert events debugging is on
STE SSL detailed debugging is on
STE SSL error events debugging is on
SSL Subsystem:
SSL Handshake Message debugging is on
SSL Traffic debugging is on
SSL Error debugging is on
SSL Event debugging is on
mcbconmrk105d1z2-ssl#show log
Syslog logging: enabled (0 messages dropped, 31 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
Console logging: level debugging, 254 messages logged, xml disabled
Monitor logging: level debugging, 241 messages logged, xml disabled
Logging to: vty4(0)
Buffer logging: level debugging, 284 messages logged, xml disabled
Logging Exception size (8192 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 324 message lines logged
mcbconmrk105d1z2-ssl#
Thanks in advance,
Daniel
The debug messages are displayed on a different console. The console is different depending on the type of debug.
telnet 2001 - FDU cpu
telnet 2002 - TCP cpu
telnet 2003 - SSL cpu
Gilles.
-
Load Balancing with a CSM & SSL Module
I'm trying to understand the best way to balance traffic to two servers when decrypting and re-encrypting with the CSM and an SSL module. I take the SSL traffic hitting the first CSM VIP and forward to the SSL module for decryption. Send the decrypted traffic back to another VIP on the CSM. Send the traffic to the client proxy VIP on the SSL which encrypts the traffic and forwards to the CSM VIP. That final VIP passes the traffic to the serverfarm containing the actual servers. How do I make sure the traffic is balanced between the final VIP and my servers. It seems that sticking on SSL session ID is the only way to go at that point which made decryption pointless. I feel like I'm missing something basic here.
Thanks..
Hi David,
Here is a full config example for your perusal: CSM and SSL Services Module Initial Configuration Example
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a0080216c16.shtml
A second config example: Configuring CSM to Load Balance SSL to a Farm of SCAs for One-Armed Proxy Mode
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00801aca55.shtml
Sachin garg
-
CSS with single SSL module.. balance option needed?
Hi all,
Quick question. If you have a CSS 11503 with one SSL offload module installed, is there any point in using the "application ssl" and "advanced-balance ssl" options in the content rule? I can't find any info that tells me for sure, but I'm guessing that these options can be used to balance between multiple SSL modules and provide stickiness to the modules etc., but don't have any effect on the traffic distribution and stickiness to the backend server services?
For example, if I have an L5 content rule like the one below and only one SSL module, should I remove the "application ssl" and "advanced-balance ssl" options and just use the port 80 content rule which the SSL proxy list offloads traffic to, and apply the "advanced-balance sticky-srcip-dstport" and "balance leastconn" there?
content DEVCOM_TCP443_L5
vip address x.x.x.x
application ssl
advanced-balance ssl
protocol tcp
port 443
url "//dev.subdomain.domain.com/*"
add service ssl_module1
active
I have read various forum postings and i read the CSS SSL config guide but the examples all seem to differ in their implementation.
Many thanks
Scott
You're correct.
There is no need to specify the application type as ssl and the advanced-balance method when using a single ssl module.
Gilles.
-
CSS without SSL Module needing sticky sessions
Hello All,
If anyone can help with this sticky situation I'd appreciate it.
I have a customer with a CSS11501. He does not have an SSL module installed.
He has 2 blade servers. When he adds a web site which is accessible over SSL, the CSS load balances client requests, causing lost sessions (mostly lost pop-ups); it does not want to stick to the same server.
I've configured the following:-
service web1
protocol tcp
port 443
keepalive type tcp
ip address 192.168.200.50
string web1
active
service web2
protocol tcp
port 443
keepalive type tcp
ip address 192.168.200.51
string web2
active
content SSL_Web
add service web1
add service web2
protocol tcp
port 443
vip address 1.2.3.4
application ssl
advanced-balance sticky-srcip-dstport
active
group web_Farm
add service web1
add service web2
vip address 1.2.3.4
active
I was attempting to get the client to stick to the server but unfortunately, this didn't work, the CSS seems to continue to send requests to both servers and they are getting scripting errors.
Once the customer turns off the second blade, all is ok.
I did try adding the string value to the service and configuring 'advanced-balance arrowpoint-cookie' in the content but the clients were unable to reach any web sites.
Best Regards, Tony
Tony,
The config looks fine other than the "application SSL" under the content rule, and right now you are probing the servers with a tcp probe on port 80. If you want the probe to be on port 443 you should add the command "keepalive port 443" to both of the services. The CSS will default to port 80 for a tcp probe.
Regards
Jim
-
CSS 11150 and SSL module function
Hi, Pro:
Is there any way I could find out which SSL module could be used on a CSS11150?
Thanks,
There is none.
The CSS111xx and CSS110xx are not modular, so you can't add or remove anything from them.
You will need a CSS115xx.
Regards,
Gilles.