SSL Problems

networker99 — Mon, 14 Jun 2010 17:27:42 GMT

I have having issues using SSL termination. When I configure regular http all works fine, but when I switch to SSL termination I see resets in the packet capture (capture run on the client machine). I ran the crypto verify command to confirm the key and the cert match which they did.

Any ideas ?

Thanks

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

boot system image:c4710ace-mz.A3_2_4.bin

hostname MYLOADBALANCER
interface gigabitEthernet 1/1
description LB INSIDE
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
switchport access vlan 3126
no shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
ft-port vlan 100
no shutdown

crypto csr-params mycompany
country US
state NJ
organization-name myorganization
organization-unit Information Services
common-name *.mydomain.org

access-list ALL line 8 extended permit ip any any

parameter-map type ssl mydomain.org
cipher RSA_WITH_RC4_128_SHA
cipher RSA_WITH_AES_128_CBC_SHA
cipher RSA_EXPORT1024_WITH_RC4_56_MD5
cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
cipher RSA_EXPORT1024_WITH_RC4_56_SHA

rserver host mywebserver
ip address 192.168.48.78
inservice

serverfarm host test_servers
rserver mywebserver
inservice

ssl-proxy service mydomain.org
key mydomain
cert STAR.mydomain.ORG.crt
ssl advanced-options mydomain.org

class-map type management match-any remote_access
201 match protocol xml-https any
202 match protocol icmp any
203 match protocol telnet any
204 match protocol ssh any
205 match protocol http any
206 match protocol https any
207 match protocol snmp any
class-map match-all test.mydomain.org
2 match virtual-address 1.1.1.3 tcp eq https

policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit

policy-map type loadbalance first-match test.mydomain.org-l7slb
class class-default
serverfarm test_servers

policy-map multi-match int1000-n2
class test.mydomain.org
    loadbalance vip inservice
    loadbalance policy test.mydomain.org-l7slb
    ssl-proxy server mydomain.org

interface vlan 1000
description inside interface
ip address 2.2.2.2 255.255.255.0
peer ip address 2.2.2.3 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
service-policy input int1000-n2
no shutdown
interface vlan 3126
description "outside interface"
ip address 1.1.1.1 255.255.255.0
peer ip address 1.1.1.2 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
service-policy input int1000-n2
no shutdown

ft interface vlan 100
ip address 192.168.5.106 255.255.255.252
peer ip address 192.168.5.105 255.255.255.252
no shutdown

ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 100
query-interface vlan 1000
ft group 1
peer 1
associate-context Admin
inservice

ip route 0.0.0.0 0.0.0.0 1.1.1.5

Re: SSL Problems

Pablo — Mon, 14 Jun 2010 17:47:27 GMT

Hi There,

The problem is that you need to specify the clear text port that your backend server is using otherwise the ACE will try to forward the decrypted traffic on port 443.

Try this out:

serverfarm host test_servers

rserver mywebserver 80

inservice

Hope this helps.

__ __

Pablo

Cisco TAC

Re: SSL Problems

networker99 — Mon, 14 Jun 2010 20:05:39 GMT

Is there a way to set an SSL redirection so that requests sent to https://mydomain.com

get redirected to https://mydomain.com/folder1

Re: SSL Problems

Pablo — Mon, 14 Jun 2010 20:46:03 GMT

Hi,

Sure you need to do L7 LB decision, something like this:

rserver redirect Redirect
webhost-redirection https://mydomain.com/folder1 301
inservice

serverfarm redirect Redirect
rserver Redirect
inservice

class-map type http loadbalance match-any Folder
2 match http url /folder1

policy-map type loadbalance first-match test.mydomain.org-l7slb

class Folder

serverfarm test_servers

class class-default

serverfarm Redirect

HTH

__ __

Pablo

Cisco TAC

topic Re: SSL Problems in Application Networking

SSL Problems

Re: SSL Problems

Re: SSL Problems

Re: SSL Problems