https://community.cisco.com/t5/application-networking/ace-ssl-pass/m-p/852159#M16635 <HTML><HEAD></HEAD><BODY><P>the trace does not match the config you sent.</P><P>Can't find the same ip addresses.</P><P>In the trace, it is also clear the module is spoofing the HTTPS connection.</P><P>Not sure why.</P><P>So I would need a 'show tech' to confirm what is happening.</P><P></P><P>Also get 'show service-policy <NAME> detail' before and after a connection attempt to see if you hit the right service-policy.</NAME></P><P></P><P>Gilles.</P></BODY></HTML> Sun, 17 Feb 2008 12:55:00 GMT Gilles Dufour 2008-02-17T12:55:00Z https://community.cisco.com/t5/application-networking/ace-ssl-pass/m-p/852155#M16631 <P>Does the ACE allow HTTPS passthrough?</P><P></P><P>Here's what I've tried to do without success.</P><P></P><P>rserver host nuxi</P><P> description TEST SERVER</P><P> ip address 10.10.2.100</P><P> probe ping-probe</P><P> inservice</P><P></P><P>serverfarm host https-test</P><P> description TEST SERVER FARM</P><P> failaction purge</P><P> predictor leastconns</P><P> probe imap-probe</P><P> rserver nuxi 443</P><P> inservice</P><P></P><P>class-map match-all VIP-HTTPS</P><P> 2 match virtual-address 10.10.1.1 tcp eq 443 </P><P></P><P>policy-map type loadbalance first-match HTTPS-POLICY</P><P> class class-default</P><P> serverfarm https-test</P><P></P><P>policy-map multi-match CLIENT-VIPS</P><P> class VIP-HTTPS</P><P> loadbalance vip inservice</P><P> loadbalance policy HTTPS-POLICY</P><P> loadbalance vip icmp-reply active</P><P></P><P></P> Thu, 14 Feb 2008 18:12:24 GMT https://community.cisco.com/t5/application-networking/ace-ssl-pass/m-p/852155#M16631 meckel 2008-02-14T18:12:24Z https://community.cisco.com/t5/application-networking/ace-ssl-pass/m-p/852156#M16632 <HTML><HEAD></HEAD><BODY><P>yes, ACE allows https to go be loadbalanced without being terminated.</P><P>Get a sniffer trace to see what is going on.</P><P>Does http work ?</P><P>Gilles.</P></BODY></HTML> Thu, 14 Feb 2008 20:34:43 GMT https://community.cisco.com/t5/application-networking/ace-ssl-pass/m-p/852156#M16632 Gilles Dufour 2008-02-14T20:34:43Z https://community.cisco.com/t5/application-networking/ace-ssl-pass/m-p/852157#M16633 <HTML><HEAD></HEAD><BODY><P>Hi Gilles,</P><P></P><P>Yes, HTTP works. I had a trace but didn't save it. I thought perhaps it was a bug with the version we are running - 3.0(0)A1(5a).</P><P></P><P>We reverted everything back to an old LDA and are planning to try with the ACE again soon; this time with SSL termination though.</P><P></P><P>Since you say it should work, I'll schedule some time to try and make SSL pass through work on our next attempt. And save the trace.</P><P></P><P>Thanks,</P><P>Milo</P></BODY></HTML> Thu, 14 Feb 2008 22:05:10 GMT https://community.cisco.com/t5/application-networking/ace-ssl-pass/m-p/852157#M16633 meckel 2008-02-14T22:05:10Z https://community.cisco.com/t5/application-networking/ace-ssl-pass/m-p/852158#M16634 <HTML><HEAD></HEAD><BODY><P>Gilles,</P><P></P><P>I've attached a trace file.</P><P></P><P>Thanks,</P><P>Milo</P><P></P><P> </P><P></P></BODY></HTML> Fri, 15 Feb 2008 23:20:21 GMT https://community.cisco.com/t5/application-networking/ace-ssl-pass/m-p/852158#M16634 meckel 2008-02-15T23:20:21Z https://community.cisco.com/t5/application-networking/ace-ssl-pass/m-p/852159#M16635 <HTML><HEAD></HEAD><BODY><P>the trace does not match the config you sent.</P><P>Can't find the same ip addresses.</P><P>In the trace, it is also clear the module is spoofing the HTTPS connection.</P><P>Not sure why.</P><P>So I would need a 'show tech' to confirm what is happening.</P><P></P><P>Also get 'show service-policy <NAME> detail' before and after a connection attempt to see if you hit the right service-policy.</NAME></P><P></P><P>Gilles.</P></BODY></HTML> Sun, 17 Feb 2008 12:55:00 GMT https://community.cisco.com/t5/application-networking/ace-ssl-pass/m-p/852159#M16635 Gilles Dufour 2008-02-17T12:55:00Z https://community.cisco.com/t5/application-networking/ace-ssl-pass/m-p/852160#M16636 <HTML><HEAD></HEAD><BODY><P>Gilles,</P><P></P><P>Sorry about that. It's a production context and complex. Here is the revelent portion of the current config. The show tech is attached.</P><P></P><P>probe http sys-stat</P><P> description WEB SERVER PROBE</P><P> faildetect 2</P><P> passdetect count 1</P><P> receive 60</P><P> request method get url /manager/html</P><P> expect status 401 401</P><P></P><P>rserver host systemsStatus1-test</P><P> description TEST SYSTEMS STATUS WEB SERVER</P><P> ip address 134.114.6.149</P><P> probe ping-probe</P><P> inservice</P><P></P><P>rserver host systemsStatus2-test</P><P> description TEST SYSTEMS STATUS WEB SERVER</P><P> ip address 134.114.6.150</P><P> probe ping-probe</P><P> inservice</P><P> </P><P>serverfarm host systemsStatus-test</P><P> description TEST SYSTEMS STATUS WEB SERVER FARM</P><P> failaction purge</P><P> predictor leastconns</P><P> probe sys-stat</P><P> retcode 100 500 check count</P><P> rserver systemsStatus1-test</P><P> inservice</P><P> rserver systemsStatus2-test</P><P> inservice</P><P> </P><P>sticky ip-netmask 255.255.255.255 address source GROUP_2_TEST</P><P> timeout 480</P><P> replicate sticky</P><P> serverfarm systemsStatus-test</P><P> </P><P>policy-map multi-match CLIENT-VIPS</P><P> class-map match-all VIP-SYSTAT-HTTP-TEST</P><P> description system status test web server</P><P> 2 match virtual-address 134.114.6.148 any </P><P></P><P>!==========================</P><P></P><P>ace-its-a/PSOFT# sh service-policy CLIENT-VIPS detail | be VIP-SYSTAT-HTTP-TEST</P><P> class: VIP-SYSTAT-HTTP-TEST</P><P> VIP Address: Port:</P><P> 134.114.6.148 any</P><P> loadbalance:</P><P> L7 loadbalance policy: SYSTAT-HTTP-POLICY-TEST</P><P> VIP Route Metric : 77</P><P> VIP Route Advertise : DISABLED</P><P> VIP ICMP Reply : ENABLED-WHEN-ACTIVE</P><P> VIP State: INSERVICE</P><P> curr conns : 0 , hit count : 395 </P><P> dropped conns : 379 </P><P> client pkt count : 1325 , client byte count: 109445 </P><P> server pkt count : 1357 , server byte count: 781489 </P><P> L7 Loadbalance policy : SYSTAT-HTTP-POLICY-TEST</P><P> class/match : class-default</P><P> LB action : </P><P> -</P><P> hit count : 392 </P><P> dropped conns : 376 </P><P></P><P></P><P> </P><P></P></BODY></HTML> Mon, 18 Feb 2008 15:44:13 GMT https://community.cisco.com/t5/application-networking/ace-ssl-pass/m-p/852160#M16636 meckel 2008-02-18T15:44:13Z https://community.cisco.com/t5/application-networking/ace-ssl-pass/m-p/852161#M16637 <HTML><HEAD></HEAD><BODY><P>the problem is this line :</P><P></P><P>retcode 100 500 check count </P><P></P><P>Because of that, you need to use the serverfarm only for http as the ace module will interpret all traffic as http in order to detect the retcode.</P><P></P><P>Create another serverfarm and rule for https or remove the retcode line.</P><P></P><P>Gilles.</P></BODY></HTML> Mon, 18 Feb 2008 16:38:51 GMT https://community.cisco.com/t5/application-networking/ace-ssl-pass/m-p/852161#M16637 Gilles Dufour 2008-02-18T16:38:51Z https://community.cisco.com/t5/application-networking/ace-ssl-pass/m-p/852162#M16638 <HTML><HEAD></HEAD><BODY><P>Gilles,</P><P></P><P>No Sh--!! Yup, removing that line from the serverfarm fixed it. That's a nice way to start a Monday!!</P><P></P><P>Thank you,</P><P>Milo</P></BODY></HTML> Mon, 18 Feb 2008 16:59:01 GMT https://community.cisco.com/t5/application-networking/ace-ssl-pass/m-p/852162#M16638 meckel 2008-02-18T16:59:01Z