Modifying an ssl-proxy-list

Hi,
I have 1 ssl-proxy-list with 3 virtual ssl servers defined. I also have the ssl-proxy-list added to several services. I need to add the following to each of the 3 servers:
ssl-server 3 tcp server window 40960
ssl-server 3 tcp virtual window 40960
Sample of existing ssl-proxy-list:
ssl-server 3
ssl-server 3 rsakey DATA-test-su
ssl-server 3 rsacert DATA-test-su
ssl-server 3 vip address 10.1.5.14
ssl-server 3 cipher rsa-with-rc4-128-md5 10.1.5.14 88
ssl-server 3 urlrewrite 3 *
ssl-server 3 ssl-queue-delay 0
ssl-server 3 tcp virtual nagle disable
My questions:
1. When I suspend this list, is it best practice to do "no ssl-proxy-list LIST", modify in a notepad and re-paste, or just add to each server, and then re-activate (active)?
2. Does the order of the items in the list matter, like in an ACL?
3. Will I require removing and re-adding it to each and every service that has it defined?
4. Due to the rsakey and rsacert, will this change require a reboot of the CSS?
Thank you in advance !!!
M

The frame below, sent by the client 2 minutes and 64 seconds later, has values of 40 and 01 for the same fields.
- - - - - - - - - - - - - - - - - - - - Frame 945 - - - - - - - - - - - - - - - - - - - -
Frame Status Source Address Dest. Address Size Rel. Time Delta Time Abs. Time Summary
945 [161.44.175.145] [208.184.140.161] 153 0:02:35.533 0.001.228 10/19/2001 04:00:09
PM TCP: D=443 S=3464 ACK=1374357434 SEQ=105608315 LEN=99 WIN=9520
----- DLC Header -----
DLC:
DLC:
DLC: Frame 945 arrived at 16:00:09.5404; frame size is 153 (0099 hex) bytes.
DLC: Destination = Station Cisco107AC01
DLC: Source = Station Xircm2229D27
DLC: Ethertype = 0800 (IP)
DLC:
----- IP Header -----
IP:
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: .... ..0. = ECT bit - transport protocol will ignore the CE bit
IP: .... ...0 = CE bit - no congestion
IP: Total length = 139 bytes
IP: Identification = 63628
IP: Flags = 4X
IP: .1.. .... = don't fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 128 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = 53C8 (correct)
IP: Source address = [161.44.175.145]
IP: Destination address = [208.184.140.161]
IP: No options
IP:
----- TCP header -----
TCP:
TCP:
TCP: Source port = 3464
TCP: Destination port = 443 (Https)
TCP: Sequence number = 105608315
TCP: Next expected Seq number= 105608414
TCP: Acknowledgment number = 1374357434
TCP: Data offset = 20 bytes
TCP: Flags = 18
TCP: ..0. .... = (No urgent pointer)
TCP: ...1 .... = Acknowledgment
TCP: .... 1... = Push
TCP: .... .0.. = (No reset)
TCP: .... ..0. = (No SYN)
TCP: .... ...0 = (No FIN)
TCP: Window = 9520 --------------- > this line is of your interest
TCP: Checksum = E691 (correct)
TCP: No TCP options
TCP: [99 Bytes of data]
TCP:
Hope this will bring some useful information to you regarding your case.
Still, if you want to discuss anything in this regard, kindly revert back to me.
I will be very happy if I can be of any further assistance.
Please do not hesitate to revert back any time.
Till then ,
Kind Regards,
[email protected]
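The sniffer decode above points at the TCP window field of one captured frame. As an added example (not from the original reply), the Python below rebuilds that frame's Ethernet/IPv4/TCP headers from the decoded values on the page, parses them back, and recomputes the IP header checksum; the 99-byte payload is not on the page, so the TCP checksum is carried as captured and the MAC addresses are constructed from the station names (Cisco OUI 00:00:0c, Xircom OUI 00:80:c7).

```python
"""Rebuild the captured frame's headers from the trace decode, parse them
back, and verify the IPv4 header checksum (the decode reports 53C8 correct).

Added example; header values come from the decoded frame, MACs and the
absence of payload are constructed assumptions.
"""
import ipaddress
import struct

TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                  0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame_from_trace() -> bytes:
    """Headers only: 14 (Ethernet) + 20 (IP) + 20 (TCP) bytes, values from the decode."""
    eth = bytes.fromhex("00000c07ac01") + bytes.fromhex("0080c7229d27") + b"\x08\x00"
    # IPv4: total length 139 = 20 IP + 20 TCP + 99 data; id 63628; DF set; TTL 128; proto 6
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, 139, 63628, 0x4000, 128, 6, 0,
                               ipaddress.IPv4Address("161.44.175.145").packed,
                               ipaddress.IPv4Address("208.184.140.161").packed))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))   # checksum field was zero
    # TCP: src 3464, dst 443, seq 105608315, ack 1374357434, data offset 5 words,
    # flags PSH+ACK (0x18), window 9520, checksum E691 as captured, urgent pointer 0
    tcp = struct.pack("!HHIIBBHHH", 3464, 443, 105608315, 1374357434,
                      5 << 4, 0x18, 9520, 0xE691, 0)
    return eth + bytes(ip) + tcp


def decode_frame(frame: bytes) -> dict:
    """Parse Ethernet II + IPv4 + TCP headers into a dict; raises on malformed input."""
    if len(frame) < 54:
        raise ValueError("frame too short for Ethernet+IPv4+TCP headers")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl + 20:
        raise ValueError("bad IPv4 header")
    total_len, ident, frag, ttl, proto, hdr_sum = struct.unpack("!HHHBBH", ip[2:12])
    # Recompute over the header with the checksum field zeroed.
    computed = ip_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl])
    result = {"ip": {
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "total_length": total_len, "id": ident,
        "dont_fragment": bool(frag & 0x4000), "ttl": ttl, "protocol": proto,
        "checksum": hdr_sum, "checksum_ok": computed == hdr_sum}}
    if proto == 6:
        (sport, dport, seq, ack, off, flags,
         window, csum, _urg) = struct.unpack("!HHIIBBHHH", ip[ihl:ihl + 20])
        data_offset = (off >> 4) * 4
        payload_len = total_len - ihl - data_offset
        result["tcp"] = {
            "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": [n for b, n in sorted(TCP_FLAG_NAMES.items()) if flags & b],
            "window": window, "checksum": csum, "payload_len": payload_len,
            "next_seq": (seq + payload_len) & 0xFFFFFFFF}
    return result


if __name__ == "__main__":
    decoded = decode_frame(build_frame_from_trace())
    for layer, fields in decoded.items():
        print(layer.upper())
        for key, value in fields.items():
            print("  %-15s %s" % (key, value))
```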

Similar Messages

  • Modifying an "ssl-proxy-list" without disturbing the active sessions.

    Hello,
    I would like to know if it is possible to have two SSL modules installed in a CSS11503 with each one having its own "ssl-proxy-list" ("ssl-proxy-list list1" and "ssl-proxy-list list2"), but the two lists (list1 and list2) are exactly the same.
    I will explain my idea:
    In the normal situation the two "ssl-proxy-list" are active and the users' encrypted sessions are load balanced between the two SSL modules. But when we need to make a change to the "ssl-proxy-list", like changing a server's certificate, I would like to be able to suspend one service (type ssl-accel with the "ssl-proxy-list List1" attached to it, for example) and wait for all active sessions to terminate before suspending the "ssl-proxy-list list1" for applying the changes.
    Once the first "ssl-proxy-list" is updated I would make it active again and apply the same changes to the second "ssl-proxy-list".
    Doing it this way I would like to be able to upgrade the servers' certificate during working hours without disturbing the connected users...
    Do you think this way of doing it would be possible, or do you have another solution to modify a "ssl-proxy-list" without disturbing the active running sessions?
    Thank you for your answer,
    Best regards

    Hi Francois,
    An SSL proxy list may belong to multiple SSL services (one SSL proxy list per service), and an SSL service may belong to multiple content rules. You can apply the services to content rules that allow the CSS to direct SSL requests for content.
    The CSS supports one active SSL service for each SSL module in the CSS, one SSL service per slot. You can configure more than one SSL service for a slot but only a single SSL service can be active at a time.
    No modifications to an SSL proxy list are permitted on an active list. Suspend the list prior to making changes, and then reactivate the SSL proxy list once the changes are complete. Once you have modified the SSL proxy list, suspend the SSL service, reactivate the SSL proxy list, and then reactivate the SSL service.
    You can use maximum 4 different certificates at a time.
    Use the suspend command to suspend an active SSL proxy list.
    To suspend an active SSL proxy list, enter:
    (config-ssl-proxy-list[ssl_list1])# suspend
    Use the URL below for your reference:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.10/command/reference/CmdSSLC.html
    Kind regards,
    Sachin Garg
    Senior Specialist Security
    HCL Comnet Ltd.
    http://www.hclcomnet.co.in
    A-10, Sector 3, Noida- 201301
    INDIA
    Mob: +91-9911757733
    Email: [email protected]

  • Ace ssl-proxy problem, Online store.

    Hello!
    I have a problem with moving our online store load balancing to a Cisco ACE solution from the Windows NLB that it runs on now, and also relieving the servers from the SSL encrypting and decrypting of sessions.
    The load balancing works as long as the session is HTTP, but when the "customer" comes to the point that he is going to pay, our shop jumps over to HTTPS and this is where the problem appears.
    The "customer" is getting the certificate right but the site is not displayed = the session to the shop seems to die.
    If I have missed something in the config or if someone has any other idea why this doesn't work for me..
    Appreciate any help!
    My config:
    (at the moment only web5 is in use)
    ACE-1/CO-WEB1# show run
    access-list ANY line 10 extended permit ip any any
    access-list icmp line 8 extended permit icmp any any
    probe http PROBE-HTTP
    interval 3
    passdetect interval 10
    passdetect count 2
    expect status 200 200
    expect status 300 323
    parameter-map type ssl SSLPARAMS
    cipher RSA_WITH_RC4_128_MD5
    rserver host vmware-server1
    description testserver1
    ip address 219.222.4.180
    probe PROBE-HTTP
    inservice
    rserver host vmware-server2
    description testserver 2
    ip address 219.222.4.181
    probe PROBE-HTTP
    inservice
    rserver host web5
    description testserver from windows nlb
    ip address 219.222.4.185
    probe PROBE-HTTP
    inservice
    ssl-proxy service SSL-PROXY-SE
    key cert-se.key
    cert cert-se.pem
    ssl advanced-options SSLPARAMS
    serverfarm host WM-ware_servers
    rserver vmware-server1
    inservice
    serverfarm host webtest
    description testserver-farm
    predictor leastconns
    rserver vmware-server1 80
    rserver vmware-server2 80
    rserver web5
    inservice
    sticky ip-netmask 255.255.255.0 address source STICKY-GROUP1
    timeout 60
    serverfarm webtest
    class-map match-all VIP-HTTP
    2 match virtual-address 219.222.4.178 tcp eq www
    class-map match-all VIP-HTTPS
    2 match virtual-address 219.222.4.178 tcp eq https
    class-map type management match-any icmp
    description for icmp reply
    2 match protocol icmp any
    policy-map type management first-match icmp
    class icmp
    permit
    policy-map type loadbalance first-match VIP-HTTP
    class class-default
    sticky-serverfarm STICKY-GROUP1
    policy-map type loadbalance first-match VIP-SSL
    class class-default
    serverfarm webtest
    policy-map multi-match SLB-VIP-HTTP
    class VIP-HTTP
    loadbalance vip inservice
    loadbalance policy VIP-HTTP
    loadbalance vip icmp-reply
    class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy VIP-SSL
    loadbalance vip icmp-reply
    ssl-proxy server SSL-PROXY-SE
    interface vlan 21
    description ### ACE OUTSIDE mot FW ###
    ip address 219.222.4.171 255.255.255.240
    access-group input ANY
    access-group output ANY
    service-policy input icmp
    service-policy input SLB-VIP-HTTP
    no shutdown
    interface vlan 22
    description ### ACE INSIDE Gateway for Web-servers ###
    ip address 219.222.4.177 255.255.255.240
    access-group input ANY
    access-group output ANY
    service-policy input icmp
    no shutdown
    ip route 0.0.0.0 0.0.0.0 219.222.4.161
    ACE-1/CO-WEB1#
    as seen in "show conn" the sessions is established, first when i enter site, and go to payment (jumping over to SSL):
    ACE-1/CO-WEB1# show conn
    total current connections : 4
    conn-id np dir proto vlan source destination state
    ----------+--+---+-----+----+---------------------+---------------------+------+
    4 1 in TCP 21 219.222.0.2:49972 219.222.4.178:443 ESTAB
    14 1 out TCP 22 219.222.4.185:443 219.222.0.2:49972 ESTAB
    11 2 in TCP 21 219.222.0.2:49923 219.222.4.178:80 ESTAB
    3 2 out TCP 22 219.222.4.185:80 219.222.0.2:49923 ESTAB
    ACE-1/CO-WEB1#

    Hello Krille
    i had the same problem.
    The HTTP probe you define will do a check if
    the return code is
    expect status 200 200
    expect status 300 323
    Now if a user is accessing the https site, in the flow there will be an expect status like 404; the ACE now does not establish a sticky connection, because it thinks that the flow is not ok.
    The only output after the certificates is a blank site.
    If you change the probing to ICMP you will be able to access the https site and the connection is sticky. With a little tool like IE Watch you will be able to see the wrong status codes.
    regards
    eberhard

  • Proxy list report

    I am needing to generate a list of all accounts and the proxy access granted from each one. I have found proxy.pl however, when I run GWCheck from C1 setting it to user databases only and verbose logging the PO is tanking. Any other options out there or will they all require the gwcheck log configured as stated previously?

    It can be done using the GroupWise Admin API to generate a list of users and the GroupWise Object API to login to each mailbox and output the proxy list. Below are two Visual Basic scripts - listActiveUsers.vbs and listProxy.vbs
    listActiveUsers.vbs
    option explicit
    ' Define constants
    const DomainPath = "f:\gwdom"
    ' Define variables
    dim GWSystem
    dim GWUser
    'create connection to GroupWise
    set GWSystem=CreateObject("NovellGroupWareAdmin")
    GWSystem.Connect( DomainPath )
    for each GWUser in GWSystem.Users
    ' list accounts that are disabled and are not expired
    if GWUser.disableLogin = FALSE and ( GWUser.MailboxExpDate = 0 or GWUser.MailboxExpDate > now() ) then
    wscript.echo GWUser.Name
    end if
    next
    listProxy.vbs
    option explicit
    ' Define constants
    const TrustedApp = "ProxyReport"
    const TrustedAppKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    ' Define variables
    dim stdin
    dim GWApplication
    dim GWAccount
    dim GWAccountRights
    dim UserName
    ' Connect to GroupWise with trusted application key
    set GWApplication = CreateObject("NovellGroupwareSession")
    call GWApplication.SetTrustedApplicationCredentials(TrustedApp, TrustedAppKey)
    ' Open standard input
    set stdin = wscript.stdin
    do while not stdin.atendofstream
    ' Read in user name
    UserName = stdin.readline
    ' Login to GroupWise
    set GWAccount = GWApplication.MultiLogin(UserName)
    ' Write out <All User Access> proxy access rights
    wscript.echo GWAccount.Owner.DisplayName & "," _
    & "<All User Access>" & "," _
    & GWAccount.DefaultAccountRights.BitMask
    ' Write out user proxy rights
    for each GWAccountRights in GWAccount.AccountRights
    wscript.echo GWAccount.Owner.DisplayName & "," _
    & GWAccountRights.Address.DisplayName & "," _
    & GWAccountRights.BitMask
    next
    ' Log out from GroupWise
    set GWAccount = Nothing
    loop
    Copy the scripts to a folder.
    Open a command window and change the current working directory to the folder that contains the scripts.
    Open listActiveUsers.vbs with a text editor ( i.e. NotePad ) and modify the DomainPath constant to a GroupWise domain folder.
    Run the listActiveUsers.vbs using cscript - i.e. 'cscript /nologo listActiveUsers.vbs'. This will output a list of users to the screen. The output can be directed to a text file - i.e 'cscript /nologo listActiveUsers.vbs > gwusers.txt'.
    Create a trusted application key using ConsoleOne.
    Open listProxy.vbs with a text editor and modify the TrustedApp and TrustedAppKey constants accordingly.
    I advise testing listProxy.vbs by editing gwuser.txt to include a few select accounts. Run the listProxy.vbs script using cscript - i.e. 'type gwuser.txt | cscript /nologo listProxy.vbs'. It should output the proxy list for each user in gwuser.txt in CSV format.
    If satisfied with the results rerun 'cscript /nologo listActiveUsers.vbs > gwusers.txt' to create a complete list and run 'type gwuser.txt | cscript /nologo listProxy.vbs > proxyreport.csv'. If you are feeling adventurous listActiveUsers.vbs could pipe its output directly to listProxy.vbs - i.e 'cscript /nologo listActiveUsers.vbs | cscript /nologo listProxy.vbs > proxyreport.csv'.
    The proxyreport.csv file can be imported into Excel for formatting. The proxy rights are output as a bit map. The bit map is:
    1 - The user can archive messages.
    2 - The user can modify preferences, rules, and groups.
    4 - The user can read appointments.
    8 - The user can read mail and phone messages.
    16 - The user can read notes.
    32 - The user can read private messages.
    64 - The user can read tasks.
    128 - The user can receive alarms.
    256 - The user can receive notifications.
    512 - The user can write appointments.
    1024 - The user can write mail and phone messages.
    2048 - The user can write notes.
    4096 - The user can write tasks.
    I suggest that you refer to the Cool Solutions article I wrote "Scripting GroupWise" - Scripting GroupWise | Novell User Communities for more information on the GroupWise Admin API.
    Good luck.
    Bryan Vandenberg
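The proxyreport.csv that listProxy.vbs writes carries each grant as a bit mask. As an added example (not part of the post above or of GroupWise), this Python decodes those masks using the bit values listed in the post and pulls out the grants a reviewer would look at first: rights open to every user, and proxies that can act as the mailbox owner rather than only read. The CSV rows are constructed sample data.

```python
"""Decode GroupWise proxy-rights bit masks from the listProxy.vbs CSV output.

Added example; the bit-to-right map is the one given in the post, the rows in
SAMPLE_CSV are constructed.
"""
import csv
import io

PROXY_RIGHTS = {
    1: "archive messages",
    2: "modify preferences, rules, and groups",
    4: "read appointments",
    8: "read mail and phone messages",
    16: "read notes",
    32: "read private messages",
    64: "read tasks",
    128: "receive alarms",
    256: "receive notifications",
    512: "write appointments",
    1024: "write mail and phone messages",
    2048: "write notes",
    4096: "write tasks",
}
ALL_KNOWN_BITS = sum(PROXY_RIGHTS)
# Rights that let the proxy act as the owner rather than only read.
ACT_AS_OWNER_BITS = 1 | 2 | 512 | 1024 | 2048 | 4096
EVERYONE = "<All User Access>"

# Constructed sample of the script's CSV output: owner,proxy,bitmask
SAMPLE_CSV = """\
Alice Example,<All User Access>,0
Alice Example,Bob Example,12
Carol Example,<All User Access>,8
Carol Example,Dave Example,3075
"""


def decode_rights(mask: int) -> list:
    """Names of the rights set in mask; bits outside the documented map are reported."""
    if mask < 0:
        raise ValueError("bit mask must be non-negative")
    names = [name for bit, name in PROXY_RIGHTS.items() if mask & bit]
    unknown = mask & ~ALL_KNOWN_BITS
    if unknown:
        names.append("unknown bits 0x%x" % unknown)
    return names


def parse_report(text: str) -> list:
    """Parse owner,proxy,mask rows; malformed rows raise instead of being skipped."""
    rows = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if not row:                      # blank line
            continue
        if len(row) != 3:
            raise ValueError("line %d: expected 3 fields, got %d" % (lineno, len(row)))
        owner, proxy, mask_text = row
        mask = int(mask_text)
        rows.append({
            "owner": owner, "proxy": proxy, "mask": mask,
            "rights": decode_rights(mask),
            "everyone": proxy == EVERYONE,
            "acts_as_owner": bool(mask & ACT_AS_OWNER_BITS),
        })
    return rows


def review_findings(rows: list) -> dict:
    """Grants to review first: non-zero rights open to all users, and write/preference rights."""
    return {
        "open_to_everyone": [r for r in rows if r["everyone"] and r["mask"]],
        "acts_as_owner": [r for r in rows if r["acts_as_owner"]],
    }


if __name__ == "__main__":
    report = parse_report(SAMPLE_CSV)
    for bucket, hits in review_findings(report).items():
        print(bucket)
        for r in hits:
            print("  %s -> %s: %s" % (r["owner"], r["proxy"], ", ".join(r["rights"])))
```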

  • Bordermanager 3.8 SSL Proxy & Macintosh/Safari Browser

    Does anyone know if the Safari browser now included with the Mac OS X 10 is compatible with BM 3.8 SSL Proxy? The SSL Proxy we have set up works with all other PCs, but I can't get it to work with the Safari and I can't get an answer from either Novell or Apple as to whether this is even a supported configuration. All I get is a reference to the login page with an error that a secure connection cannot be made. I have a school client who was just given 180 of these IMAC notebooks by the State and I need to get them working through their Bordermanager. I see there are definitely some issues with IE and Macs with SSL Proxy. Is there another browser, such as Netscape, where this might work better?
    What about using a third party novell client for Macs (like from proform)? Would that be able to use clntrust authentication instead or is it not a true client32? Thanks!!

    Hi Craig,
    you've misunderstood what I meant (I guess I should have worded it better).
    What I meant was:
    1. If you've already logged in (using another browser) Safari seems to work OK (but not necessarily for SSL)
    2. that (it looks like) the reason Safari can't be used to login is because it's not using the proxy for the SSL login page requests - and to login to BM you must use the proxy to make the login request.
    Safari error:
    Could not open the page.
    Could not open the page https://proxy:444/BM-Login/?%22http:...novell.com/%22 because Safari could not establish a secure connection to the server "proxy".
    Again, from this (and more) Safari is trying to Connect directly to https://proxy:444 - instead of requesting the entire URL from the BM proxy (proxy:8080).
    The same sort of problem can be created in other browsers by configuring them to not use a proxy for HTTPS/SSL requests.
    -Sandy
    "Craig Johnson" <[email protected]> wrote in message news:[email protected]..
    > In article <HLaLb.8715$[email protected]>, Sandy wrote:
    > > Once authenticated (using IE or Mozilla), Safari works through the proxy.
    > > (It looks like Safari is bypassing the proxy for SSL requests.)
    > >
    > Once a host is authenticated, a browser doesn't 'bypass' the ssl login, it is already authenticated. Once authenticated, the proxy holds the authentication association between the requesting IP and the user ID.
    > Until the idle timeout expires, another authentication request is not sent to the browser from the proxy.
    >
    > Craig Johnson
    > Novell Support Connection SysOp
    > *** For a current patch list, tips, handy files and books on BorderManager, go to http://www.craigjconsulting.com ***
    >

  • Is it possible to view individual SSL-proxy service usage (TPS)?

    Hi,
    Can the ACE provide any detail above and beyond just the overall ssl-connection rate for a particular context?
    I have an ACE with two contexts and multiple ssl-proxy services configured within each and it would be really helpful to know the ssl-connection rate associated with each service (current, average, peak, etc) as I've got the issue where the SSL resource limit for one of the contexts has been reached and I don't know which service has jumped up in usage;-
    Allocation
    Resource Current Peak Min Max Denied
    ssl-connections rate 0 250 250 250 351
    I can set up custom MIB pollers based on OID values within our SolarWinds network monitoring system so even if the information isn't directly available through the ACE CLI but has an associated OID I'd be grateful for the info if any one knows it (or even just the OIDs that contain the connection rate values from the 'sh resource usage' command so I can graph the overall usage against date/time within SolarWinds).
    Thanks
    Matthew

    Matthew,
    I do not know the OID to poll the service-policy info.
    But if you do a 'show service-policy ' at regular interval and compare the hitcon, you can compute the connection rate for each service policy individually.
    Gilles.

  • CSS SSL Proxy - how can I write the original source address in http header

    I'm replacing some BigIP's with CSS11500's that are configured to do front/backend ssl proxying in a one-armed configuration. The BigIP's write the original source IP address as a http header value when the traffic is sent to the application, and the application uses the IP to match against an application ACL. How can I do the same in the CSS.
    thanks,
    Brian

    here is what you can insert with the SSL module :
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080292a76.html#wp1027619
    Gilles.

  • Changing the Modified Date of a List Item using the SharePoint Client Object Model (C#) with Contribute Permission

    I have a small snippet of code that I use to update the Modified Date of a list item and it works great for users with Full Control permissions.  However, for users with just Contribute access to the site the code doesn't work.  Instead, SharePoint
    just updates the Modified Date to now.
    I did some testing, and narrowed down the specific permission level that allows updating of Modified dates and oddly enough, it's the "Manage Permissions" level.
    Has anyone run into this issue? If so, how do I work around this and update the Modified date as a user with only Contribute access to a site/library?
    Here's the code:
    DateTime Test = new DateTime(2012, 5, 4);
    ListItem li = list.GetItemById(itemID);
    li["Modified"] = Test;
    li.Update();
    ct.ExecuteQuery();
    Thanks,
    Max

    Hello,
    As a workaround you can pass admin credential in your code because as per my knowledge contributor can't update default columns like: created by, modified by, modified, created.
    ClientContext clientContext = new ClientContext(siteUrl);
    clientContext.Credentials = new NetworkCredential(UserName, Password, Domain);
    Hope it could help
    Hemendra:Yesterday is just a memory,Tomorrow we may never see
    Please remember to mark the replies as answers if they help and unmark them if they provide no help

  • Can't Remove some users from proxy list

    There are 3 users who keep being added to my proxy list, and when I go to remove them from File -> Proxy, I select their names and click Remove. They are removed from the box and then I hit OK. But when I go back to my proxy list they are still there and the removing didn't work.
    Please help.

    Originally Posted by laurabuckley
    Hi,
    I suggest running a standalone GWCheck on your user.db with the misc. option of proxyfix.
    Let us know how that goes.
    Cheers,
    This worked!
    Thank you so much

  • How to get the list of database Views modifying the DB tools list tables.vi

    Hi,
    I have a problem. I just started using LabVIEW and in particular the LabVIEW connectivity toolkit, and I am looking for suggestions regarding how to get the list of database Views modifying the DB tools list tables.vi...
    Thanks in advance,
    Michela

    Hi Michela,
    since the VI you want to modify is part of a Toolkit, I suggest you copy the whole block diagram into a new VI and then save it in a new location.
    Place the DB List Tables.vi on a block diagram, double click on it and go to the tab "Window -> Show Block Diagram "
    Select "Edit -> Select All" to select the whole block diagram and select "Edit -> Copy"
    Open a new VI and select "Edit -> Paste"
    Save the new VI
    In this way you can modify everything you want without overwriting the Toolkits VIs.
    Hope this can help.
    Regards, 
    Andrea N.
    Systems Engineer ATE & RF - Mediterranean Region
    National Instruments Italy

  • Apache 1.3.12 running with Raven SSL Proxy

    Hi All,
    I am currently having an issue clustering 2 WLS 5.1 sp8 app servers using Apache 1.3.12 with the Raven SSL 1.4.3 plugin. (All on Solaris 7)
    Here is my scenario:
    The cluster "seems" to work. A session is processed fine on its primary server, while the session information is replicated to the secondary server.
    Yet when we crash the primary server to test failover, all of the sessions on the primary server are lost and NOT processed by the secondary server. It is almost like the cookie was not updated to reflect that the primary had gone down, so the secondary server does not know it is now the primary.
    Any ideas?.. As long as the primary does not fail the system works fine.. so I know the sessions are being directed to the correct server the rest of the time, just not during failover.
    NOTE: I have had no problems with failover using Apache Stronghold using the mod_wl_ssl.so proxy, this problem only seems to occur with the Apache using Raven SSL and the mod_wl_ssl_raven.so proxy. Is there a bug with this proxy?
    Thank you for any ideas.
    -Nick

    The Web server plug-ins do not natively support outbound SSL connections
    yet(i.e. SSL from the plug-in to WebLogic). This is a feature for version
    6.0. You can use SSL from the browser to Apache or from the browser to
    WebLogic directly.
    The majority of our customers use strict firewall rules to protect the
    traffic between Apache and WebLogic. If they are paranoid, they use an SSL
    proxy or a VPN product.
    Thanks,
    Michael
    Michael Girdley
    BEA Systems Inc
    "Josh Kwan" <[email protected]> wrote in message news:39d4e8a5$[email protected]..
    >
    Hello,
    I want to know how to connect Apache 1.3.12 with mod_ssl to BEA WebLogic 5.1.0 on Solaris via HTTPS. I have heard that this can only work over t3... is that true? If so, how can it be done securely? If that isn't the case, how can httpd.conf/weblogic.conf be configured on the Apache server to talk to the WebLogic server on port 7002? Both of the machines I am using are running Solaris 7 with necessary patches. I have installed SP5 for WebLogic and I have copied mod_wl.so and mod_wl_ssl.o to the Apache server for inclusion as modules.
    >
    The two servers communicate correctly over HTTP, but I want to be able to serve some JSPs via HTTPS from the WebLogic server through the Apache web server. I have generated all the required CA and server certificates for each server, and they both individually answer HTTPS requests, but do not work when an HTTPS request is sent to the Apache server for a JSP that is served from the WebLogic server. I read somewhere in the documentation for 5.1.0 that WebLogic will communicate via HTTPS to various web and proxy servers.
    >
    Any help would be greatly appreciated... thanks!
    Regards,
    Josh Kwan
    Sr. Systems Engineer
    iXL

  • Multiple SSL Certs in one SSL Proxy/VIP

    Guys
    I have a requirement to be able to provide SSL for two different sites that will resolve to the same VIP.  I've created a lot of SSL sites before and these work a treat with HTTP to HTTPS redirection.
    However I'm not sure how to take two different SSL certs and bind them to the same SSL proxy, in order for me to add them to the same VIP.  The customer wants to use only port 443.  I had thought about using a secondary port, something like 8443, and adding another class under the multi-match policy.
    Is this possible at all?  I use a standard L4 class-map in the multi-match policy, that then nests down into L7 class-maps, for URL load balancing.
    Because this is a multi-match policy can I just create another L4 policy, which in turn nests down to a different L7 class-map, allowing me to match the second URL? And thus because I have another L4 policy I can assign a new SSL proxy?
    Thanks

    Cathy
    Thanks for the reply, that's what I was thinking. We use wildcard certificates for several of the other domains; now we need to provide certificates for www.website.com and ww2.website.com due to cost.
    Is it possible to replace the L4 policy map with a straight L7 so that we are load balancing directly on URL as opposed to verifying L4 matches first?  Or would this not be advisable / possible?  I always thought it was the L4 policy that made the VIP proxy?
    Can SAN certs not be used in this example?
    Thanks

  • Error: Proxy list must not be empty

    Hello All,
    I use an apex listener 2.0.5 version and a GlassFish web server on Windows Server 2008.
    Did anybody have the above error while connecting through apex listener by providing username: listeneradmin credentials?
    One of my teammates already connected to the listener, was able to configure settings, and deploy the changes to the apex.war file.
    Basically, I'm trying to connect with similar settings that my colleague has.
    Thanks for all your help in advance.

    Figured it out: Go to Tools -> Preferences -> Web Browser and Proxy, "Proxy Settings" tab.
    I changed mine to "No Proxy" from "Use System Default Proxy Settings".
    I use Linux as my workstation and don't [normally] have HTTP_PROXY, et al. defined thus the "Proxy list must not be empty" error.

  • Invoke webservice behind ssl proxy

    Trying to connect to a webservice behind SSL Proxy with
    following url:
    https://ssl.xyz.com/is-db/cfc/listingservice.cfc?WSDL,DanaInfo=servername.int.com
    If I open this url directly I get a clean XML page, but if I
    use it in a cfinvoke statement I get the following error:
    Could not generate stub objects for web service invocation.
    Name:
    https://ssl.xyz.com/is-db/cfc/listingservice.cfc?WSDL,DanaInfo=servername.int.com.
    WSDL:
    https://ssl.xyz.com/is-db/cfc/listingservice.cfc?WSDL,DanaInfo=servername.int.com.
    org.xml.sax.SAXException: Fatal Error: URI=null Line=15: The
    element type "link" must be terminated by the matching end-tag "".
    It is recommended that you use a web browser to retrieve and
    examine the requested WSDL document for correctness. If the
    requested WSDL document can't be retrieved or it is dynamically
    generated, it is likely that the target web service has programming
    errors.
    Anyone got an idea about that?
    Daniel

    We had the same problem. Our work around involved saving the
    WSDL locally and then using that to run the web service. As long as
    the WSDL contains a service port element, it will still send the
    data to the correct server.
    In order to ensure that the WSDL stayed up to date, we have a
    scheduled task that hits the server and downloads the WSDL on a
    regular basis. Of course, CFHTTP has problems with SSL as well, so
    you need to include 2 custom headers when you post. You should be
    able to find them by doing a search on cfhttp and SSL.

  • ACE SSL Proxy performance issue

    Hi, I've got an ACE module in a 6500 that is being used as an SSL proxy for a web service.
    So the configuration is fairly basic: it matches a VIP which has been NATed from the public IP address on port 443 and load balances over a number of rservers with the server ports set to 80.
    The problem is the main web site is hosted elsewhere, and so when they switch to checkout on a secure port the browser page requests multiple https:// files.
    The users are seeing very slow page loads, a considerable amount longer than the equivalent on http and more than you'd expect. The ACE is nowhere near any throughput or transaction limits.
    My concern is on how the session is tracked; would the ACE attempt to renegotiate with every https:// GET? I've seen example configs for stickiness inserting cookies for normal end-to-end load balancing but not with an SSL proxy configuration.
    Sent from Cisco Technical Support iPad App

    Hi Craig,
    The SSL negotiation/handshake will happen every time a client opens a new TCP connection, i.e. comes with a different source port.
    To make sure that ACE doesn't renegotiate you can try and use this command:
    (config-parammap-ssl)# session-cache timeout
    You can use 24 hours or any time you think is suitable.
    This is basically to enable SSL session reuse. A little explanation below for your reference:
    When a client connects to a server over SSL, the server creates a session for that connection. This session ID is sent as a part of the Server Hello message. This is to make things efficient, in case the client has any plans of closing the current connection and reconnecting in the near future. Most of the servers have a time out for these sessions (I think 24 hours is a common value, unless pressed for space).
    When the client connects to the same server again, it can send the same session ID as a part of the Client Hello. The server will first look up if it can find any sessions with that ID. If found, the same session will be reused. Thus the time spent in verifying the certs and negotiating the keys is saved. If the server cannot find a matching session, then it responds with a new session ID and its certificate in the Server Hello message. The client knows that it has to verify the cert and negotiate the key again.
    A considerable amount of time is spent in validating server certs. Reusing the SSL session will save this time.
    Having said that, you need to check if the client is coming with a session ID which it got in a previous handshake or not. If it doesn't and it is a new TCP connection then an SSL handshake will happen. Please enable that command before testing.
    Also, ensure that you have allocated proper SSL resources to your context. Lack of resources can also cause dropped connections and sluggish performance.
    Regards,
    Kanwal
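The session-ID reuse described in the reply above can be checked directly in a capture: the client offers an ID in its ClientHello, and the server either echoes it (abbreviated handshake, session reused) or answers with a new one (full handshake, certificate check and key negotiation again). As an added example (not from the thread or from the ACE), this Python builds minimal TLS 1.0-1.2 Hello records, parses the session ID back out, and classifies the exchange; the session IDs and randoms are constructed sample values, and extensions are not emitted because they are not needed for this check.

```python
"""Classify a TLS handshake as resumed or full from its ClientHello/ServerHello.

Added example. Record layout assumed: record header (type, version, length),
handshake header (type, 3-byte length), then version, 32-byte random,
session ID, and the cipher suite / compression fields; no extensions.
"""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 1, 2
TLS1_0 = b"\x03\x01"
FIXED_RANDOM = bytes(range(32))            # constructed; real stacks use CSPRNG output
# After the session ID a ClientHello carries its cipher suite list and compression
# methods; a ServerHello carries the chosen suite and compression. Suite 0x0004 is
# RSA_WITH_RC4_128_MD5, the cipher named in the configurations earlier on this page.
CLIENT_TAIL = b"\x00\x02" + b"\x00\x04" + b"\x01\x00"
SERVER_TAIL = b"\x00\x04" + b"\x00"


def build_hello(msg_type: int, session_id: bytes, tail: bytes,
                version: bytes = TLS1_0, random_bytes: bytes = FIXED_RANDOM) -> bytes:
    """Wrap a ClientHello or ServerHello body in handshake and record headers."""
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("msg_type must be ClientHello (1) or ServerHello (2)")
    if len(session_id) > 32 or len(random_bytes) != 32:
        raise ValueError("session_id is at most 32 bytes, random is exactly 32")
    body = version + random_bytes + bytes([len(session_id)]) + session_id + tail
    handshake_msg = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + version + struct.pack("!H", len(handshake_msg)) + handshake_msg


def parse_hello(record: bytes) -> dict:
    """Return msg_type, version and session_id of a Hello; ValueError if malformed."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    msg = record[5:5 + rec_len]
    if len(msg) != rec_len or len(msg) < 4:
        raise ValueError("truncated handshake record")
    msg_type = msg[0]
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO) or len(body) != body_len:
        raise ValueError("not a well-formed ClientHello/ServerHello")
    if len(body) < 35:                   # version(2) + random(32) + session_id length(1)
        raise ValueError("hello body too short")
    sid_len = body[34]
    if sid_len > 32 or len(body) < 35 + sid_len:
        raise ValueError("bad session_id length")
    return {"msg_type": msg_type, "version": body[0:2], "session_id": body[35:35 + sid_len]}


def classify_handshake(client_hello: bytes, server_hello: bytes) -> str:
    """'resumed' when the server echoed the client's non-empty session ID, else 'full: ...'."""
    ch, sh = parse_hello(client_hello), parse_hello(server_hello)
    if ch["msg_type"] != CLIENT_HELLO or sh["msg_type"] != SERVER_HELLO:
        raise ValueError("expected a ClientHello followed by a ServerHello")
    if not ch["session_id"]:
        return "full: client offered no session ID"      # e.g. first connection, or client cache off
    if ch["session_id"] == sh["session_id"]:
        return "resumed"                                 # no cert verification or key exchange repeated
    return "full: server did not find the offered session ID"   # e.g. session-cache timeout expired


if __name__ == "__main__":
    sid_known, sid_new = bytes.fromhex("a1" * 16), bytes.fromhex("b2" * 16)   # constructed
    ch = build_hello(CLIENT_HELLO, sid_known, CLIENT_TAIL)
    print(classify_handshake(ch, build_hello(SERVER_HELLO, sid_known, SERVER_TAIL)))
    print(classify_handshake(ch, build_hello(SERVER_HELLO, sid_new, SERVER_TAIL)))
    print(classify_handshake(build_hello(CLIENT_HELLO, b"", CLIENT_TAIL),
                             build_hello(SERVER_HELLO, sid_new, SERVER_TAIL)))
```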
