topic ACE SSL Termination (40) Handshake Failure in Application Networking

ACE SSL Termination (40) Handshake Failure

networker99 — Wed, 10 Mar 2010 20:02:32 GMT

I have configured the ACE 4710 as a network load balancer and this is working well for most sites. Now I have installed the SSL cert and the https version of the site will not be displayed. Ran Wireshark protocol analyser and it indicates a RST packet was recieved with error (40) Handshake failure.. any ideas?

Re: ACE SSL Termination (40) Handshake Failure

Sean Merrow — Wed, 10 Mar 2010 21:33:56 GMT

Hello,

Too hard to say without any data. Would it be possible to upload your config, the capture, and let us know what version of software you are running?

Thanks,

Sean

Re: ACE SSL Termination (40) Handshake Failure

networker99 — Wed, 10 Mar 2010 22:21:13 GMT

Here you go.. plus I have check the cert against the keys and all is okay

Re: ACE SSL Termination (40) Handshake Failure

Gilles Dufour — Thu, 11 Mar 2010 09:26:35 GMT

Try maybe without "ssl advanced-options mywebsite.org" under your ssl proxy.

Also, we need a sniffer trace to see the failure and a show tech captured after the problem occured.

Gilles.

Re: ACE SSL Termination (40) Handshake Failure

Sean Merrow — Thu, 11 Mar 2010 14:19:50 GMT

Hello,

Unless your real server is listening on port 443 for clear-text, then your current config needs to be modified for this to work. Unless the rserver within the serverfarm specifies a port number, then the port number used on the frontend will also be used on the backend. You are using 443 on the frontend, but only doing SSL termination, not SSL intiation. Therefore, you need to specify the clear-text port that the rserver is listening on. For example, assuming your rserver is listening on the default www port of 80, your serverfarm should look like this:

serverfarm host WEBFARM
description Web farm for WEBFARM
rserver website.orgtest 80
inservice

Hope this helps,

Sean

Re: ACE SSL Termination (40) Handshake Failure

networker99 — Thu, 11 Mar 2010 16:49:07 GMT

Thanks for the reply.. had worked this out earlier this morning.. thanks again!..

Is there a way on the load balancer to redirect requests to http://mywebsite.com to https://mywebsite.com automatically?

Re: ACE SSL Termination (40) Handshake Failure

Sean Merrow — Thu, 11 Mar 2010 17:04:07 GMT

Hello,

Yes there is. See the attachment. It will show you how to get the ACE to take care of this. Since your backend server is listening on a clear-text port, any HTTP 301 or 302 redirect that comes from the server will likely have a Location header value of http://xxxx So, you'll see the action-list in the attachment will force the ACE to re-write the http:// in that header to https:// as well.

Hope it helps,

Sean

Re: ACE SSL Termination (40) Handshake Failure

networker99 — Thu, 11 Mar 2010 18:04:21 GMT

Many thanks.. however I still have a slight issue. It is regarding the line:

webhost-redirection https://%h%p 301

This only works if I put

webhost-redirection https://www.mywebsite.com 301 and not https://%h%p

therefore this is fine if someone goes to http://www.mywebsite.com and they get redirected to https://www.mywebsite.com but if they go to http://www.mywebsite.com/contactus.html they get redirected to https://www.mywebsite.com

Thanks!

Re: ACE SSL Termination (40) Handshake Failure

Sean Merrow — Thu, 11 Mar 2010 19:11:53 GMT

Interesting that it doesn't work. The %h just says to keep whatever hostname the client used in the original request, but just change the http:// to https://. The %p simply means to keep the same path as the original request. You don't have to use them, or you can just use one of them if you want. So in your case, perhaps your answer is:

webhost-redirection https://www.mywebsite.com%p 301

Now, if someone requests http://www.mywebsite.com/contactus they will be redirected to https://www.mywebsite.com/contactus

However, since the hostname in the original request is the same as the hostname in the redirect, I would've expected the %h to work.

Sean

Re: ACE SSL Termination (40) Handshake Failure

networker99 — Thu, 11 Mar 2010 19:23:37 GMT

Funny.. I re-entered the commands and now it works.. maybe a typo??!! thanks ago!!!!!

One last question. Can you direct me on how to set up the health checking so that a webserver will be taken out of the farm if it returns a specific string in the html?

Re: ACE SSL Termination (40) Handshake Failure

Sean Merrow — Thu, 11 Mar 2010 20:00:27 GMT

Hello,

Well, that's a new one to me. I've yet to see someone want to remove a server from the rotation when it has a string in the content. Usually, we see customers that want to remove a server from rotation when it doesn't have the string in the body.

A common HTTP keepalive would be something like this:

probe http HTTP-KEEPALIVE
interval 10
faildetect 3
passdetect interval 30
passdetect count 2
receive 3
open 3
request method get url /keepalive.html
expect status 200 200 <-- this is required when 'expect regex' is not used

Here, as long as it gets a HTTP 200 OK Response, it will pass. In addition to, or in place of, the expect status, you can also use the expect regex. Click the link for details on how to configure that. If you use expect regex, then the response from the server must include the Content-Length header.

probe http HTTP-KEEPALIVE
   interval 10
   faildetect 3
   passdetect interval 30
   passdetect count 2
   receive 3
   open 3
   request method get url /keepalive.html
   expect regex Hello

expect status 200 200 <-- this is now optional when the 'expect regex' is used

In the above example, the rserver will be pulled out of rotation if the response does not contain Hello in its response. I'm not aware of a way to get the ACE to pull the server out of rotation if it does have this string.

Not sure if this helps or not.

Sean

Re: ACE SSL Termination (40) Handshake Failure

networker99 — Thu, 11 Mar 2010 20:04:24 GMT

Maybe I explained it wrong..

If there are two servers that provide website search results for a front end web server . If the SQL/search service dies on one I only want the other to be queried.

Re: ACE SSL Termination (40) Handshake Failure

Sean Merrow — Thu, 11 Mar 2010 20:42:38 GMT

You can apply multiple probes to each global rserver. By default, both of them would have to pass for the rserver to be considered healthy. Each probe below can have a unique IP address.

host1/Admin(config)# rserver WWW-SERVER1
host1/Admin(config-rserver-host)# ip address 192.168.12.15
host1/Admin(config-rserver-host)# probe SQL_PROBE
host1/Admin(config-rserver-host)# probe WWW_PROBE

For example, in the example above, the WWW_PROBE configuration would not have an IP address associated and therefore would inherit the IP address of the rserver. For the SQL_PROBE, you could specifically configure the IP address of the SQL server in the probe configuration. So both the SQL server and the WWW server would have to be healthy in order for this server to be included in the load balancing rotation.

Sean

Re: ACE SSL Termination (40) Handshake Failure

networker99 — Thu, 11 Mar 2010 20:51:18 GMT

I guess what I am asking is how can it detect application errors rather than web errors?

Re: ACE SSL Termination (40) Handshake Failure

Sean Merrow — Fri, 12 Mar 2010 16:35:29 GMT

Hello,

Unfortunately, the ACE cannot passively monitor application traffic for specific errors or patterns to determine when an rserver should or should not be in the load balancing rotation. The only options I'm aware of are all the probes described in the Configuring Health Monitoring document, which includes several application-layer probes. Obviously, the HTTP and/or HTTPS probes should cover you for your web servers. For the SQL servers, you might be able to accomplish it with a TCP probe and expect regex. Otherwise, you would need to get creative with using TCL scripts for probing. This is documented in the Using Toolkit Command Language (TCL) Scripts with the ACE documentation.

HTH,

Sean