SSL Termination not working in ACE
Hi,
The context was configured for load balancing port 80 and 443 traffic before the SSL configuration was applied.
The SSL termination is configured on an ACE module running software version A2(1.6a) [build 3.0(0)A2(1.6a)].
The load balancing is working without any issues, but when I open https://abc.www.abc.qa/wps/portal/login
the browser recognizes the certificate from ACE, but does not show anything, just this symbol €
in a blank page.
Please let me know if you have any suggestions.
Thanks in advance.
Here is the relevant config.
===================
crypto csr-params ABC-II-PRAMS
country XX
state XXXX
locality XXXX
organization-name abc council
common-name abc.www.abc.qa
serial-number 1
email [email protected]
rserver host abcserver1
ip address 10.14.1.165
inservice
rserver host abcserver2
ip address 10.14.1.177
inservice
ssl-proxy service abc.www.proxy
key abc-II-key.pem
cert abc-II-cert.pem
serverfarm host abc.www.abc.qa-443
failaction purge
rserver abcserver1
probe abcicmp
inservice
rserver abcserver2
probe abcicmp
inservice
serverfarm host abc.www.abc.qa-80
failaction purge
rserver abcserver1
probe abcicmp
inservice
rserver abcserver2
probe abcicmp
inservice
sticky ip-netmask 255.255.255.255 address source abc.www.abc.qa-sticky-80
timeout 120
serverfarm abc.www.abc.qa-80
sticky ip-netmask 255.255.255.255 address source abc.www.abc.qa-sticky-443
timeout 120
serverfarm abc.www.abc.qa-443
class-map match-all abc.www.abc.qa-443
match virtual-address 10.14.1.203 tcp eq https
class-map match-all abc.www.abc.qa-80
match virtual-address 10.14.1.203 tcp eq www
policy-map type loadbalance first-match abc.www.abc.qa-VIP-443
class class-default
sticky-serverfarm abc.www.abc.qa-sticky-443
policy-map type loadbalance first-match abc.www.abc.qa-VIP-80
class class-default
sticky-serverfarm abc.www.abc.qa-sticky-80
policy-map multi-match abc-POLICY
class abc.www.abc.qa-80
loadbalance vip inservice
loadbalance policy abc.www.abc.qa-VIP-80
loadbalance vip icmp-reply
class abc.www.abc.qa-443
loadbalance vip inservice
loadbalance policy abc.www.abc.qa-VIP-443
loadbalance vip icmp-reply
ssl-proxy server abc.www.proxy
=============================
Hi,
You may want to check this thread I think it would be very helpful.
https://supportforums.cisco.com/thread/2027253
HTH
Pablo
Cisco TAC
Similar Messages
-
ACE SSL terminate not working ... please help
Hello, I configured a Cisco ACE 4710 with ssl-proxy and it is not working, but http://10.1.40.2 and http://10.1.40.3 are OK. When I open https://10.1.41.20 the output is: "There is a problem with this website's security certificate", so I click "Continue to this website (not recommended)" and the ACE doesn't balance; the output shows the error "Internet Explorer cannot display the webpage".
The configuration:
ace-demo/Admin# sh run
Generating configuration....
boot system image:c4710ace-mz.A3_2_4.bin
boot system image:c4710ace-mz.A3_2_1.bin
login timeout 0
hostname ace-demo
interface gigabitEthernet 1/1
channel-group 1
no shutdown
interface gigabitEthernet 1/2
channel-group 1
no shutdown
interface gigabitEthernet 1/3
channel-group 1
no shutdown
interface gigabitEthernet 1/4
channel-group 1
no shutdown
interface port-channel 1
switchport trunk allowed vlan 400-401,450
no shutdown
crypto csr-params testparams
country PE
state Lima
locality Lima
organization-name TI
organization-unit TI
common-name www.yyy.com
serial-number 1000
access-list anyone line 8 extended permit ip any any
access-list anyone line 16 extended permit icmp any any
parameter-map type ssl sslparams
cipher RSA_WITH_RC4_128_MD5
version SSL3
rserver host rsrv1
ip address 10.1.40.2
inservice
rserver host rsrv2
ip address 10.1.40.3
inservice
serverfarm host farm-demo
rserver rsrv1
inservice
rserver rsrv2
inservice
serverfarm host site-A
rserver rsrv1
inservice
serverfarm host site-B
rserver rsrv2
inservice
ssl-proxy service testssl
key testkey.key
cert testcert.pem
ssl advanced-options sslparams
class-map type management match-any MGMT
2 match protocol icmp any
3 match protocol http any
4 match protocol https any
5 match protocol snmp any
6 match protocol telnet any
7 match protocol ssh any
class-map match-any VIP
6 match virtual-address 10.1.41.10 any
class-map type generic match-any WAN-site-A
2 match source-address 192.168.10.106 255.255.255.255
3 match source-address 192.168.10.125 255.255.255.255
class-map type generic match-any WAN-site-B
2 match source-address 192.168.10.96 255.255.255.255
3 match source-address 192.168.10.93 255.255.255.255
class-map type management match-any icmp
2 match protocol icmp any
class-map match-any vip-ssl-10.1.41.20
2 match virtual-address 10.1.41.20 tcp eq https
policy-map type management first-match ICMP
class icmp
permit
policy-map type management first-match MGMT
class MGMT
permit
policy-map type loadbalance first-match vip-ssl-10.1.41.20
class class-default
serverfarm farm-demo
policy-map type loadbalance generic first-match lb-server
class WAN-site-A
serverfarm site-A
class WAN-site-B
serverfarm site-B
class class-default
serverfarm farm-demo
policy-map multi-match client-side
class VIP
loadbalance vip inservice
loadbalance policy lb-server
policy-map multi-match lb-vip
class vip-ssl-10.1.41.20
loadbalance vip inservice
loadbalance policy vip-ssl-10.1.41.20
loadbalance vip icmp-reply
ssl-proxy server testssl
interface vlan 400
description side-server
ip address 10.1.40.1 255.255.255.0
access-group input anyone
service-policy input ICMP
no shutdown
interface vlan 401
description side-client
ip address 10.1.41.1 255.255.255.0
access-group input anyone
access-group output anyone
service-policy input ICMP
service-policy input client-side
service-policy input lb-vip
no shutdown
interface vlan 450
description mgmt
ip address 10.1.45.1 255.255.255.0
access-group input anyone
service-policy input MGMT
no shutdown
ip route 192.168.10.0 255.255.255.0 10.1.45.10
And the proof:
ace-demo/Admin# sh serverfarm farm-demo
serverfarm : farm-demo, type: HOST
total rservers : 2
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: rsrv1
10.1.40.2:0 8 OPERATIONAL 0 25 19
rserver: rsrv2
10.1.40.3:0 8 OPERATIONAL 0 23 18
ace-demo/Admin# sh crypto files
Filename File File Expor Key/
Size Type table Cert
admin 887 PEM Yes KEY
testcert.pem 709 PEM Yes CERT
testkey.key 497 PEM Yes KEY
ace-demo/Admin#
ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
Status : ACTIVE
Interface: vlan 1 401
service-policy: lb-vip
class: vip-ssl-10.1.41.20
ssl-proxy server: testssl
loadbalance:
L7 loadbalance policy: vip-ssl-10.1.41.20
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 38
dropped conns : 18
client pkt count : 159 , client byte count: 12576
server pkt count : 16 , server byte count: 640
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
in other time:
ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
Status : ACTIVE
Interface: vlan 1 401
service-policy: lb-vip
class: vip-ssl-10.1.41.20
ssl-proxy server: testssl
loadbalance:
L7 loadbalance policy: vip-ssl-10.1.41.20
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 170
dropped conns : 89
client pkt count : 703 , client byte count: 60089
server pkt count : 85 , server byte count: 3400
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
ace-demo/Admin#
ace-demo/Admin# sh stats crypto server
+----------------------------------------------+
+---- Crypto server termination statistics ----+
+----------------------------------------------+
SSLv3 negotiated protocol: 43
TLSv1 negotiated protocol: 0
SSLv3 full handshakes: 37
SSLv3 resumed handshakes: 0
SSLv3 rehandshakes: 0
TLSv1 full handshakes: 0
TLSv1 resumed handshakes: 0
TLSv1 rehandshakes: 0
SSLv3 handshake failures: 6
SSLv3 failures during data phase: 0
TLSv1 handshake failures: 0
TLSv1 failures during data phase: 0
Handshake Timeouts: 0
total transactions: 0
SSLv3 active connections: 0
SSLv3 connections in handshake phase: 0
SSLv3 conns in renegotiation phase: 0
SSLv3 connections in data phase: 0
TLSv1 active connections: 0
TLSv1 connections in handshake phase: 0
TLSv1 conns in renegotiation phase: 0
TLSv1 connections in data phase: 0
+----------------------------------------------+
+------- Crypto server alert statistics -------+
+----------------------------------------------+
SSL alert CLOSE_NOTIFY rcvd: 0
SSL alert UNEXPECTED_MSG rcvd: 0
SSL alert BAD_RECORD_MAC rcvd: 0
SSL alert DECRYPTION_FAILED rcvd: 0
SSL alert RECORD_OVERFLOW rcvd: 0
SSL alert DECOMPRESSION_FAILED rcvd: 0
SSL alert HANDSHAKE_FAILED rcvd: 0
SSL alert NO_CERTIFICATE rcvd: 0
SSL alert BAD_CERTIFICATE rcvd: 0
SSL alert UNSUPPORTED_CERTIFICATE rcvd: 0
SSL alert CERTIFICATE_REVOKED rcvd: 0
SSL alert CERTIFICATE_EXPIRED rcvd: 0
SSL alert CERTIFICATE_UNKNOWN rcvd: 6
SSL alert ILLEGAL_PARAMETER rcvd: 0
SSL alert UNKNOWN_CA rcvd: 0
SSL alert ACCESS_DENIED rcvd: 0
SSL alert DECODE_ERROR rcvd: 0
SSL alert DECRYPT_ERROR rcvd: 0
SSL alert EXPORT_RESTRICTION rcvd: 0
SSL alert PROTOCOL_VERSION rcvd: 0
SSL alert INSUFFICIENT_SECURITY rcvd: 0
SSL alert INTERNAL_ERROR rcvd: 0
SSL alert USER_CANCELED rcvd: 0
SSL alert NO_RENEGOTIATION rcvd: 0
SSL alert CLOSE_NOTIFY sent: 0
SSL alert UNEXPECTED_MSG sent: 0
SSL alert BAD_RECORD_MAC sent: 0
SSL alert DECRYPTION_FAILED sent: 0
SSL alert RECORD_OVERFLOW sent: 0
SSL alert DECOMPRESSION_FAILED sent: 0
SSL alert HANDSHAKE_FAILED sent: 0
SSL alert NO_CERTIFICATE sent: 0
SSL alert BAD_CERTIFICATE sent: 0
SSL alert UNSUPPORTED_CERTIFICATE sent: 0
SSL alert CERTIFICATE_REVOKED sent: 0
SSL alert CERTIFICATE_EXPIRED sent: 0
SSL alert CERTIFICATE_UNKNOWN sent: 0
SSL alert ILLEGAL_PARAMETER sent: 0
SSL alert UNKNOWN_CA sent: 0
SSL alert ACCESS_DENIED sent: 0
SSL alert DECODE_ERROR sent: 0
SSL alert DECRYPT_ERROR sent: 0
SSL alert EXPORT_RESTRICTION sent: 0
SSL alert PROTOCOL_VERSION sent: 47
SSL alert INSUFFICIENT_SECURITY sent: 0
SSL alert INTERNAL_ERROR sent: 0
SSL alert USER_CANCELED sent: 0
SSL alert NO_RENEGOTIATION sent: 0
+-----------------------------------------------+
+--- Crypto server authentication statistics ---+
+-----------------------------------------------+
Total SSL client authentications: 0
Failed SSL client authentications: 0
SSL client authentication cache hits: 0
SSL static CRL lookups: 0
SSL best effort CRL lookups: 0
SSL CRL lookup cache hits: 0
SSL revoked certificates: 0
Total SSL server authentications: 0
Failed SSL server authentications: 0
+-----------------------------------------------+
+------- Crypto server cipher statistics -------+
+-----------------------------------------------+
Cipher sslv3_rsa_rc4_128_md5: 43
Cipher sslv3_rsa_rc4_128_sha: 0
Cipher sslv3_rsa_des_cbc_sha: 0
Cipher sslv3_rsa_3des_ede_cbc_sha: 0
Cipher sslv3_rsa_exp_rc4_40_md5: 0
Cipher sslv3_rsa_exp_des40_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_md5: 0
Cipher sslv3_rsa_exp1024_des_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_sha: 0
Cipher sslv3_rsa_aes_128_cbc_sha: 0
Cipher sslv3_rsa_aes_256_cbc_sha: 0
Cipher tlsv1_rsa_rc4_128_md5: 0
Cipher tlsv1_rsa_rc4_128_sha: 0
Cipher tlsv1_rsa_des_cbc_sha: 0
Cipher tlsv1_rsa_3des_ede_cbc_sha: 0
Cipher tlsv1_rsa_exp_rc4_40_md5: 0
Cipher tlsv1_rsa_exp_des40_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_md5: 0
Cipher tlsv1_rsa_exp1024_des_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_sha: 0
Cipher tlsv1_rsa_aes_128_cbc_sha: 0
Cipher tlsv1_rsa_aes_256_cbc_sha: 0
ace-demo/Admin# crypto verify testkey.key testcert.pem
Keypair in testkey.key matches certificate in testcert.pem.
ace-demo/Admin#
ace-demo/Admin# sh conn
total current connections : 0
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
Hello Alvaro,
The issue here is that your config is missing the clear text port the ACE should use to send the traffic to the backend servers; in this case port 80.
Remove the rservers from the SF "farm-demo" and then configure them back like this:
serverfarm host farm-demo
rserver rsrv1 80
inservice
rserver rsrv2 80
inservice
That should do the trick =)
HTH
Pablo
-
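Both ACE threads above show an SSL-terminated VIP whose serverfarm lists its rservers with no port (abc.www.abc.qa-443 in the first thread, farm-demo here); as an added example, not code from either thread or from Cisco, here is a Python lint that parses a pasted ACE config and reports exactly that pattern. SAMPLE_CONFIG is a constructed config in the shape of the one above, and the parser keys on ACE keywords rather than indentation, which forum pastes lose.

```python
"""Added example, not code from either ACE thread or from Cisco: lint an ACE
running-config for VIPs that terminate SSL ("ssl-proxy server" under a
multi-match class) but send traffic to rservers with no explicit port."""
from collections import defaultdict

# Constructed config in the shape of the threads above: farm-demo lacks the
# back-end port, farm-fixed has "rserver rsrvN 80" as in the TAC answer, and
# sticky-443 mirrors the sticky-group indirection of the first thread.
SAMPLE_CONFIG = """\
serverfarm host farm-demo
rserver rsrv1
inservice
rserver rsrv2
inservice
serverfarm host farm-fixed
rserver rsrv1 80
inservice
rserver rsrv2 80
inservice
sticky ip-netmask 255.255.255.255 address source sticky-443
serverfarm farm-demo
ssl-proxy service testssl
key testkey.key
cert testcert.pem
policy-map type loadbalance first-match vip-ssl-10.1.41.20
class class-default
sticky-serverfarm sticky-443
policy-map type loadbalance first-match vip-fixed
class class-default
serverfarm farm-fixed
policy-map multi-match lb-vip
class vip-ssl-10.1.41.20
loadbalance policy vip-ssl-10.1.41.20
ssl-proxy server testssl
class vip-fixed
loadbalance policy vip-fixed
ssl-proxy server testssl
"""

# Keywords that only ever open a new top-level block (resets block tracking).
TOP_LEVEL = {"class-map", "crypto", "interface", "parameter-map", "access-list", "ip", "boot"}


def parse_ace_config(text):
    """Return (farms, sticky_to_farm, lb_policies, mm_classes)."""
    farms, sticky_to_farm = defaultdict(dict), {}  # farm -> {rserver: port|None}
    lb_policies, mm_classes = defaultdict(set), {}  # policy -> farms / sticky refs
    block, cur_class = None, None
    for w in (line.split() for line in text.splitlines()):
        if not w:
            continue
        if w[:2] == ["serverfarm", "host"]:
            block = ("farm", w[2])
        elif w[0] == "sticky":                      # "... address source NAME"
            block = ("sticky", w[-1])
        elif w[0] == "policy-map" and "loadbalance" in w:
            block = ("lb", w[-1])
        elif w[:2] == ["policy-map", "multi-match"]:
            block = ("mm", w[2])
        elif (w[0] in TOP_LEVEL or w[0] == "policy-map"
              or w[:2] in (["rserver", "host"], ["ssl-proxy", "service"])
              or (w[0] == "probe" and len(w) == 3)):  # "probe TYPE NAME"
            block = None
        elif block is not None:
            kind, name = block
            if kind == "farm" and w[0] == "rserver":     # "rserver NAME [PORT]"
                farms[name][w[1]] = w[2] if len(w) > 2 else None
            elif kind == "sticky" and w[0] == "serverfarm":
                sticky_to_farm[name] = w[1]
            elif kind in ("lb", "mm") and w[0] == "class":
                cur_class = w[1]
                if kind == "mm":
                    mm_classes[(name, cur_class)] = {"policy": None, "ssl": False}
            elif kind == "lb" and w[0] == "serverfarm":
                lb_policies[name].add(w[1])
            elif kind == "lb" and w[0] == "sticky-serverfarm":
                lb_policies[name].add(("sticky", w[1]))
            elif kind == "mm" and w[:2] == ["loadbalance", "policy"]:
                mm_classes[(name, cur_class)]["policy"] = w[2]
            elif kind == "mm" and w[:2] == ["ssl-proxy", "server"]:
                mm_classes[(name, cur_class)]["ssl"] = True
    return farms, sticky_to_farm, lb_policies, mm_classes


def find_ssl_vips_without_backend_port(text):
    """(vip class, serverfarm, rserver) triples where SSL is terminated on the
    VIP but the rserver gives the ACE no clear-text port to send traffic to."""
    farms, sticky_to_farm, lb_policies, mm_classes = parse_ace_config(text)
    findings = []
    for (_, cls), info in mm_classes.items():
        if not (info["ssl"] and info["policy"]):
            continue
        for entry in sorted(lb_policies.get(info["policy"], ()), key=str):
            farm = sticky_to_farm.get(entry[1]) if isinstance(entry, tuple) else entry
            for rs, port in farms.get(farm, {}).items():
                if port is None:
                    findings.append((cls, farm, rs))
    return findings
```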
Https health monitor not working on ACE.
Hello Guys,
Hope you are all doing well, I need some help in setting up my HTTPS health monitor for real servers.
I am configuring it on ACE appliance 4710 but the probe appears failing.
The VIP is listening on port 443 and 8080, the cert is not uploaded to ACE but eventually it will be on ACE so SSL will terminate on ACE but not at the minute.
The user doesn't want to enable port 80 on the server, so an HTTPS health probe needs configuring. Following is my config for the HTTPS health probe, but it is failing.
probe https SSDSD-ServerAvailability-443
interval 5
passdetect interval 5
ssl version all
request method head url //ssdsd/servlet/SDLogin
expect status 200 200
As per my knowledge, an HTTPS probe is also an HTTP probe, but encrypted. Please see the detailed output below and let me know if I am missing anything.
probe : SSDSD-ServerAvailability-443
type : HTTPS
state : ACTIVE
description :
port : 443 address : 0.0.0.0
addr type : - interval : 5 pass intvl : 5
pass count: 3 fail count: 3 recv timeout: 10
SSL version : All
SSL cipher : RSA_ANY
http method : HEAD
http url : //ssdsd/servlet/SDLogin
conn termination : GRACEFUL
expect offset : 0 , open timeout : 1
regex cache-len : 0
expect regex : -
send data : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ----------------------+----+--------+------+------+------+------
serverfarm : SSDSD_SF
real : SSDSD-AL2[0]
192.168.225.26 443 VIP 48611 1834 46777 FAILED
Socket state : CLOSED
No. Passed states : 1 No. Failed states : 2
No. Probes skipped : 1 Last status code : 302
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Received invalid status code
Last probe time : Mon Nov 11 04:05:10 2013
Last fail time : Mon Nov 11 02:10:00 2013
Last active time : Fri Nov 8 09:09:31 2013
192.168.225.26 8080 VIP 48613 48613 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Connection reset by server
Last probe time : Mon Nov 11 04:05:14 2013
Last fail time : Fri Nov 8 08:34:10 2013
Last active time : Never
real : SSDSD-AL3[0]
192.168.225.27 443 VIP 48612 1817 46795 FAILED
Socket state : CLOSED
No. Passed states : 1 No. Failed states : 2
No. Probes skipped : 0 Last status code : 302
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Received invalid status code
Last probe time : Mon Nov 11 04:05:10 2013
Last fail time : Mon Nov 11 02:10:00 2013
Last active time : Fri Nov 8 09:09:31 2013
192.168.225.27 8080 VIP 48613 48613 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Connection reset by server
Last probe time : Mon Nov 11 04:05:12 2013
Last fail time : Fri Nov 8 08:34:08 2013
Last active time : Never
PHH104-N3-ACE-1/N3#
I am confused by the last status code, which shows 302; any help from your side will be a lifeline for me.
Regards,
Amjad Hashim.
Hi Amjad,
I see the last disconnect err: "Received invalid status code" which means that ACE is not getting what is expected (code 200) for it to mark the server as passed.
Also, I see you have configured the URL "request method head url //ssdsd/servlet/SDLogin"; why are you using two slashes "//"? Can you try with only one?
Also, if you configure a probe on TCP port 443, does it pass? I see "last disconnect err: connection reset by server" as well, and that could be due to the fact that the service was there on the server. It looks unlikely, since the probes above failed due to a wrong status code, which means that the SSL handshake happened.
You can take a pcap on the server as well as on the ACE to see what is going on. You might need to use the private key to decrypt the captures, if the failure is after the SSL handshake has completed, to see what status code the server is sending. You can also use a TCP 443 based probe as a workaround till you can arrange pcaps and figure out what is wrong.
Regards,
Kanwal
-
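To make the probe output above concrete, here is an added example (not from the thread or from Cisco): a Python emulation of the ACE HTTP/HTTPS probe decision, a HEAD request to the configured URL whose status must fall inside the expect status range, run against a constructed local server that answers 302 like the login servlet in the thread. TLS is left out so it runs offline; the server, its 302 redirect and the closed port standing in for 8080 are all constructed.

```python
"""Added example, not from the thread or from Cisco: emulate the pass/fail
decision of an ACE HTTP/HTTPS probe ("request method head url ..." plus
"expect status MIN MAX").  TLS is omitted so the demo runs offline; the
decision made after the handshake is the same."""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class LoginHandler(BaseHTTPRequestHandler):
    """Constructed back end: the login servlet answers HEAD with a 302
    redirect, matching the thread's 'Last status code : 302'."""

    def do_HEAD(self):
        if self.path == "/ssdsd/servlet/SDLogin":
            self.send_response(302)
            self.send_header("Location", "/ssdsd/login.jsp")  # constructed target
        else:
            self.send_response(404)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_backend():
    """Start the constructed back end on an ephemeral loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def closed_port():
    """Pick a loopback port with nothing listening (stands in for 8080)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_probe(host, port, url, expect=(200, 200), method="HEAD", timeout=2.0):
    """Return (health, last_status, last_disconnect_err), mirroring the
    fields the ACE shows in 'show probe ... detail'."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request(method, url)
        status = conn.getresponse().status
        conn.close()
    except ConnectionRefusedError:
        return ("FAILED", 0, "Connection refused")
    except ConnectionResetError:
        return ("FAILED", 0, "Connection reset by server")
    except OSError as exc:  # socket.timeout and other transport errors
        return ("FAILED", 0, str(exc))
    lo, hi = expect
    if lo <= status <= hi:
        return ("PASSED", status, None)
    return ("FAILED", status, "Received invalid status code")


if __name__ == "__main__":
    srv = start_backend()
    port = srv.server_address[1]
    # 302 against "expect status 200 200" -> FAILED, invalid status code
    print(run_probe("127.0.0.1", port, "/ssdsd/servlet/SDLogin"))
    # same response against a range that admits the redirect -> PASSED
    print(run_probe("127.0.0.1", port, "/ssdsd/servlet/SDLogin", expect=(200, 302)))
    # nothing listening, like port 8080 in the thread -> FAILED, status 0
    print(run_probe("127.0.0.1", closed_port(), "/ssdsd/servlet/SDLogin"))
    srv.shutdown()
```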
We are using WebLogic 5.1 and Apache 1.3.22+mod_ssl. HTTPS requests to the Apache server for a JSP do not work. However, if an HTTP request for the same JSP is made, it works.
SSL requests only work if the ServerName directive for the HTTP server and the 443 virtual server are commented out in httpd.conf. Is this right?
Hi.
Firstly, this is not a supported configuration. The latest version of Apache we certify is 1.3.19. See the following link for supported platforms:
http://edocs.bea.com/wls/platforms/index.html#apach.
Without seeing your httpd.conf file, this should work. You probably already know this, but with WLS 5.1 HTTPS between the server and the plugin is not supported, so Apache needs to translate all http/https requests to http for WLS.
I recommend you try posting this question to the plugin newsgroup, weblogic.developer.interest.plugin.
Thanks,
Michael
--
Michael Young
Developer Relations Engineer
BEA Support
-
SSL redirect not working?
Hi,
Has anyone been able to get SSL redirect working in the iCal and Address Book server?
In the Apple documentation it says "redirecting ssl access redirects request for the http port and sends them to the https port". But it does not seem to work. Connecting to the https port is working.
Bernt
Message was edited by: kenguru
Regarding the redirect, I don't really understand why it's not possible. You can edit the non-SSL website in Web and add a 301 for /Wiki to redirect to https://myserver.com/wiki. In fact you can redirect the entire site to SSL - but that is problematic. I can understand why Mavericks server would be designed to automatically use SSL for wiki logins, if it's available. I only looked at redirects because this was not working. Without a redirect or with a redirect - I can login to Wiki via non-SSL or SSL. Where (specifically in which text file) are these redirects created using Server Admin written to? I can't find them in apache2/httpd.conf. Thanks again for your help.
-
Cisco ACE SSL Offloading not working
Dear All,
I have configured SSL offloading on ACE when i tried to test it from the PC i found that:
1. When I try to test the SSL offloading by (https://192.168.69.110) I can reach the main page on WEB1, but I can't open any virtual directory or any link inside this server (ex: https://192.168.69.110/web).
Thanks,
Bader
Hello Mohammed,
The behavior you are getting is totally expected, since you are NOT matching the URL.
Why don't you try this?
(config-cmap-http-lb)# class-map type http loadbalance match-all MATCH-URL
(config-cmap-http-lb)# match http url /.*
class-map type http loadbalance match-all MATCH-URL
2 match http url /.*
Also you can try this one instead of the one above, since this one will be more specific:
class-map type http loadbalance match-all MATCH-URL
2 match http url /web.*
policy-map type loadbalance first-match WEB-SERVERS-LB
class MATCH-URL
sticky-serverfarm Sticky-WEB-SERVERS
class class-default
sticky-serverfarm Sticky-WEB-SERVERS
Please mark it, if it fixes your issue.
Jorge
-
Can anyone help with Terminal not working properly on 2013 (late) mac pro?
New 2013 (late) mac pro. 10.9.2 osx
Using the Terminal utility and giving the "cat" command, I get a return message of "file or directory not found" even though the files are right there. This is a little procedure I have performed with older Mac Pros and laptops (also Mavericks) and never had a problem.
Thank you for posting, Linc. I worked it out; it is a case of user error.
-
[Solved] Gnome-Terminal Not Working
I recently installed Arch Linux and got the GNOME GUI working, but when I tried to open the default terminal it started to load, then quickly ended. I looked up a "solution" which said to type gnome-terminal into xterm, so I did and it came up with:
(process:766): Gtk-WARNING **: Locale not supported by C library. Using the fall back 'C' Locale.
Error constructing proxy for org.gnome.Terminal:/org/Terminal/Factory0:for calling StartServiceByName for org.gnome.terminal: GDbus.error:org.freedeop.Dbus.Error.Spawn.ChildExited: Process org.gnome.Terminal exited with statu
and when I typed locale -a I got this:
Locale: Cannot set LC_CTYPE to default locale: No such file or directory
and it said the same thing for LC_MESSAGES and LC_COLLATE
Last edited by Satanic Command Line (2015-01-07 22:30:55)
jasonwryan wrote:
Satanic Command Line wrote: Sadly none of the solutions made a difference
Not helpful. Provide some detail as to what you tried; don't be a help vampire...
I have /etc/locale.conf
# localectl set-locale LANG="en_US.UTF-8" that didn't work
(Try to regenerate locales first:
# locale-gen
And then:
# localectl set-locale LANG="en_US.UTF-8"
reboot) that didn't work
localectl set-locale didn't work
(quoting alphabeat) All you have to do is edit /etc/locale.gen(/quote) didn't work
Sorry if this is unhelpful
-
Cisco IOS SSL VPN Not Working - Internet Explorer
Hi All,
I seem to be having a strange SSL VPN issue. I have a Cisco 877 router with c870-advsecurityk9-mz.124-24.T4.bin and I cannot get the SSL VPN (Web VPN) working with Internet Explorer (tried both IE8 on XP and IE9 on Windows 7). Whenever I browse to https://x.x.x.x, I get "Internet Explorer Cannot Display The Webpage". It sort of works with Chrome (I can get the webpage and login, but I can't start the thin client, when I click on Start, nothing happens). It only seems to work with Firefox. It seems quite similar to this issue with the ASAs - http://www.infoworld.com/d/applications/cisco-asa-users-cant-use-ssl-vpns-ie-8-901
Below is the config snippet:
username vpntest password XXXXX
aaa authentication login default local
crypto pki trustpoint TP-self-signed-1873082433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1873082433
revocation-check none
rsakeypair TP-self-signed-1873082433
crypto pki certificate chain TP-self-signed-1873082433
certificate self-signed 01
--- omitted ---
quit
webvpn gateway SSLVPN
hostname Router
ip address X.X.X.X port 443
ssl encryption aes-sha1
ssl trustpoint TP-self-signed-1873082433
inservice
webvpn context SSLVPN
title "Blah Blah"
ssl authenticate verify all
login-message "Enter the magic words..."
port-forward "PortForwardList"
local-port 33389 remote-server "10.0.1.3" remote-port 3389 description "RDP"
policy group SSL-Policy
port-forward "PortForwardList" auto-download
default-group-policy SSL-Policy
gateway SSLVPN
max-users 3
inservice
I've tried:
*Enabling SSL 2.0 in IE
*Adding the site to the Trusted Sites in IE
*Adding it to the list of sites allowed to use Cookies
At a loss to figure this out. Has anyone else come across this before? Considering the Cisco website itself shows an example using IE (http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml), surely it should work in IE you'd think?
Thanks
Hi,
I would check where exactly it is failing, either in the ssl connection itself or something after that. The best way to do that is run a wireshark capture when you try to access the page using IE. You can compare this with the one with Mozilla too just to confirm the ssl is working fine.
Also, can you try with different SSL ciphers, as one difference between browsers is the ciphers they use. 3DES should be a good option to try.
-
Dear Sir,
I have a windows 2003 server and an ASA 5512
I'm trying to use SSLVPN and it was all working, and I don't believe any configs on either box have been changed.
On Friday people were connecting, but now I get a message "Login Error" in the browser.
In the ASDM home 'Latest ASDM Syslog Messages' I get "AAA authentication server not accessible", followed by two messages
AAA Marking LDAP server in group as FAILED
AAA Marking LDAP server in group as ACTIVE
When I go to configuration --> Remote Access VPN --> AAA/Local Users AAA server groups and click on my RADIUS server and click Test, it takes a while and says ERROR: AD agent Server not responding: No error
If I stop my IAS server on my Windows box i get the same error but much more quickly.
I have a SonicWall set up doing the same thing, and RADIUS seems to work happily, so I don't think it's the server config...
Do you have any ideas what may have changed?
Thanks
Dave
Dear Jennifer, I'm using IAS (the Windows RADIUS server); it was working fine, and I'm not aware anything changed...
When I 'test' the AAA server it says ERROR: AD-agent server not responding: No Error
I have an old SonicWall firewall doing the same thing and it tests successfully, implying RADIUS is working OK, if you want a screenshot?
dynamic-access-policy-record DfltAccessPolicy
aaa-server tethys protocol radius
ad-agent-mode
aaa-server tethys (inside) host 10.11.1.10
timeout 5
key *****
radius-common-pw *****
aaa-server tethysLDAP protocol ldap
aaa-server tethysLDAP (inside) host 10.11.1.10
ldap-base-dn DC=tethys,DC=net
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=SSLVPNAdmin,CN=Users,DC=tethys, DC=net
server-type microsoft
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console tethys LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.11.1.73 255.255.255.255 inside
http 10.11.1.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint1
crl configure
crypto ca trustpoint ASDM_TrustPoint2
crl configure
crypto ca trustpoint ASDM_TrustPoint3
keypair ASDM_TrustPoint3
crl configure
crypto ca certificate chain ASDM_TrustPoint3
certificate ca 0400000000012f4ee14143
3082045a 30820342 a0030201 02020b04 00000000 012f4ee1 4143300d 06092a86
de36bf03 04003df9 ef9ea967 a4f4863e 2397b82a 71e2edfe 698867bf 265c
quit
certificate 112119e126c272d2d5aabd8bb4a6f90fe78b
308204f3 308203db a0030201 02021211 2119e126 c272d2d5 aabd8bb4 a6f90fe7
a07c90b2 5e4c1b59 56bec070 d5a77145 5b74297f 68c7d6
quit
crypto ikev2 remote-access trustpoint ASDM_TrustPoint3
telnet 10.11.1.10 255.255.255.255 inside
telnet 10.14.1.0 255.255.255.0 inside
telnet timeout 5
ssh 10.11.1.10 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
Result of the command: "sh aaa-server protocol ldap"
Server Group: tethysLDAP
Server Protocol: ldap
Server Address: 10.11.1.10
Server port: 0
Server status: ACTIVE, Last transaction at unknown
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 205
Number of authorization requests 1
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 0
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 206
Number of unrecognized responses 0
-
SSL is not working with Apple mail 7.2 on Mac 10.9
Hi,
I am trying to create an IMAP mail account in Apple Mail with SSL (TLS 1.0) on port 993 with our own IMAP server. Connection Doctor prompts the error message "Either user name or password is wrong".
In Wireshark traces we found that the communication is done on TLS 1.0 and the handshake is properly handled between client and server side.
The client is successfully able to send the "CAPABILITY" and "LOGIN" request commands to the server and in return the server sends a successful response to the client. But after 60 seconds, the client sends an Alert message to close the session and sends FIN ACK to the server. After terminating the existing session the client again sends a SYN request to the client and the same process repeats.
Do you have any antivirus software installed? If yes, uninstall it.
Best.
-
SMTP with SSL does not work after MacBook sleeps
Hi,
I have a brand new MacBook running Leopard, using Mail for a work MS Exchange account and a personal IMAP account. I connect to both mailboxes over SSL for security and this all works perfectly fine. When I close my laptop however (i.e. send it to sleep), it seems to corrupt my SSL session for the IMAP mailbox. Upon waking the MacBook up, the Exchange account works perfectly fine, as does the IMAP mailbox for receiving, although sending mail always errors out. If I quit Mail, restart it and then click "Connect" on both (incoming and outgoing) of the SSL notices, everything starts working again.
Is there a way to auto-connect to IMAP mailboxes without the SSL notification, or to recover SSL sessions after they time out?
Cheers,
Rob
already a long thread here:
https://discussions.apple.com/message/23733407?ac_cid=tw123456#23733407
no solution yet..
-
Two-Way SSL does not work until "Use Server Certs" is selected on client
We have a web service application and a client application. Both applications are deployed in WebLogic 10.3. The web service application is secured by Two-Way SSL. When the client attempts to access the service, we got the following error logs on the server side:
<Dec 8, 2009 3:25:42 PM EST> <Warning> <Security> <BEA-090508> <Certificate chain received from ... was incomplete.>
CertPathTrustManagerUtils.certificateCallback: certPathValStype = 0
CertPathTrustManagerUtils.certificateCallback: validateErr = 4
CertPathTrustManagerUtils.certificateCallback: returning false because of built-in SSL validation errors
We got the same error even if the WebLogic 10.3 domain on the client side uses the same identity and trust keystores as the server side.
The problem was solved when we selected Environment -> Servers -> <server> -> SSL, expanded "Advanced" and selected "Use Server Certs". Could anyone tell me what "Use Server Certs" does to make the difference?
Another question is how we can invoke this web service in a Java application, since the "Use Server Certs" solution only works for web applications deployed in WebLogic.
"Use Server Certs" means that a client application running within WebLogic will use the WL managed server's identity certificate as its client certificate. Otherwise, the client application is responsible for selecting the keystore, and presenting the certificate as part of the handshake.
This is a great feature in 9 & 10; client SSL was much more difficult in WL 8.
If you are using a standalone client application to invoke anything over 2-way SSL, you are responsible for presenting the certificate. For instance, if you invoke the page from your browser, your browser can maintain client certificates and you'll get a popup to select which cert to use.
-
I have made the ssl certificates not work
I was notified by my customer that the certificate was due to expire, and at that I started the Windows SBS console (advanced mode), and under Network -> Connectivity I selected Manage Certificates. I tried to renew, but since they had expired, I was unable to renew. I then tried to request a new certificate with the same key. Now I am unable to access RWW since "There is a problem with this website's security certificate", and the selection of "Continue to this website" only allows you to close this web page.
I have been able to look at the certificate using Firefox, and it shows that it was issued to the correct CN but it says that it doesn't recognize the issuer (self issued). Is it possible that the key has changed, and the public key installer may not have been updated? If so, how do I update that?
Thank you
Pat
This is a self-signed certificate. It does not appear to have expired.
Certificates (Local Computer) -> Personal -> Certificates
Issued To                     Issued By                  Expiration Date  Intended Purposes      Certificate Template
mail.sbm-law.com              Tosalawyers-SBMKSERVER-CA  4/28/2016        Server Authentication  Web Server
remote.sbm-law.com            Tosalawyers-SBMKSERVER-CA  4/29/2016        Server Authentication  Web Server
remote.sbm-law.com            Tosalawyers-SBMKSERVER-CA  4/29/2016        Server Authentication  Web Server
SBMKSERVER.tosalawyers.local  Tosalawyers-SBMKSERVER-CA  4/28/2015        Client Authentication  Domain Controller
SBMKSERVER.tosalawyers.local  Tosalawyers-SBMKSERVER-CA  4/28/2015        Client Authentication  Domain Controller
SBMKSERVER.tosalawyers.local  Tosalawyers-SBMKSERVER-CA  4/28/2015        Client Authentication  Domain Controller
Sbm-law.com/remote            Tosalawyers-SBMKSERVER-CA  4/28/2015        Server Authentication  Web Server
Sites                         Tosalawyers-SBMKSERVER-CA  11/25/2012       Server Authentication  Web Server
Sites                         Tosalawyers-SBMKSERVER-CA  4/29/2016        Server Authentication  Web Server
Tosalawyers-SBMKSERVER-CA     Tosalawyers-SBMKSERVER-CA  11/26/2015       <All>
Tosalawyers-SBMKSERVER-CA     Tosalawyers-SBMKSERVER-CA  4/28/2019        <All>
WMSvc-WIN-FLBUWELKL17         WMSvc-WIN-FLBUWELKL17      11/19/2020       Server Authentication
The above was taken from the manage certificates and showed friendly name containing blank or none, and with nothing in status.
Thank you
Pat
-
Why is my terminal not working?
Hello(: Well, I've been trying to empty my trash using Terminal but it won't let me. It says (my name)-MacBook-Pro:~ (myname)$ and whenever I give it the command sudo rm -R and insert the trash and press enter it never asks for my password like it's supposed to! Can someone please help me!
Well, I heard that that's the best way to empty your trash so that it clears memory from the hard drive. I didn't know it was dangerous. Should I just empty the trash normally? Please help!!