https://community.cisco.com/t5/application-networking/cisco-ace-ssl-termination-problem/m-p/1710519#M34296 <HTML><HEAD></HEAD><BODY><P>Thank You Daniel.</P><P></P><P>Best regards,</P><P>Vladimir</P></BODY></HTML> Thu, 09 Jun 2011 14:31:08 GMT Vladimir Pavlinic 2011-06-09T14:31:08Z https://community.cisco.com/t5/application-networking/cisco-ace-ssl-termination-problem/m-p/1710511#M34288 <P>Hi,</P><P></P><P>I have problem setting up the SSL termination on Cisco 4710 ACE. Setup is in One-arm mode.</P><P>On ACE I need to do SSL client authentication.</P><P>We have 2 types of devices connecting to ACE.</P><P>With first one everything is working fine. But with second one i cant make client authentication to work.</P><P>When I issue "show stats crypto server", I see following counters increasing:</P><PRE>SSL alert BAD_CERTIFICATE sent:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </PRE><P></P><P>I will appriciate some explanation about this issue.</P><P></P><P>Best regards,</P><P>Vladimir</P> Mon, 30 May 2011 06:31:50 GMT https://community.cisco.com/t5/application-networking/cisco-ace-ssl-termination-problem/m-p/1710511#M34288 Vladimir Pavlinic 2011-05-30T06:31:50Z https://community.cisco.com/t5/application-networking/cisco-ace-ssl-termination-problem/m-p/1710512#M34289 <HTML><HEAD></HEAD><BODY><P>Hi Vladimir,</P><P></P><P>This counter indicates that connections are being dropped because the client certificate is not valid (or at least the ACE is not able to validate it).</P><P></P><P>I would start by finding the differences between the working and failing clients. At first sight, I wouldn't be surprised if they are using diferent CA or certificate types. Once you know better what is different, we can troubleshoot further.</P><P></P><P>Regards</P><P></P><P>Daniel</P></BODY></HTML> Mon, 30 May 2011 13:29:02 GMT https://community.cisco.com/t5/application-networking/cisco-ace-ssl-termination-problem/m-p/1710512#M34289 Daniel Arrondo Ostiz 2011-05-30T13:29:02Z https://community.cisco.com/t5/application-networking/cisco-ace-ssl-termination-problem/m-p/1710513#M34290 <HTML><HEAD></HEAD><BODY><P>Hello Vladimir,</P><P></P><P>it looks like the ACE ir refusing the certificate sent by the client for authenthication, I would check:</P><P></P><UL><LI>are the 2 devices connecting to the same VIP/authgroup?<BR /></LI><LI>I would take a capture to check if the client is actually sending the certificate and which, in the trace i would capture also a successful session from the other device for comparison.</LI><LI>I would check wich other counters are increasing together with <BR /></LI></UL><PRE>SSL alert BAD_CERTIFICATE sent</PRE><UL><LI>I would raise the logging level and check for messages like:</LI></UL><P></P><PRE style="font-family: monospace; font-size: 12px; white-space: pre-wrap; word-wrap: break-word;">%ACE-6-253003: Certificate /CN=user1 is signed by an unknown C<BR /><BR /><BR /><SPAN style="font-family: arial,helvetica,sans-serif;">Hope it helps,<BR />Francesco<BR /></SPAN><BR /><BR /><BR /></PRE></BODY></HTML> Mon, 30 May 2011 13:38:32 GMT https://community.cisco.com/t5/application-networking/cisco-ace-ssl-termination-problem/m-p/1710513#M34290 Francesco Casotto 2011-05-30T13:38:32Z https://community.cisco.com/t5/application-networking/cisco-ace-ssl-termination-problem/m-p/1710514#M34291 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P>I am trying to find differences between certificates.</P><P></P><P><!--[if gte mso 9]><xml> <o:OfficeDocumentSettings> <o:AllowPNG></o:AllowPNG> </o:OfficeDocumentSettings> </xml><![endif]--><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi; mso-fareast-language:EN-US;} </style> <![endif]--></P><P class="MsoPlainText">* are the 2 devices connecting to the same VIP/authgroup?</P><P class="MsoPlainText">No. Different VIP/authgroup.</P><P class="MsoPlainText"></P><P class="MsoPlainText">I will let You know of any findings.</P><P class="MsoPlainText"></P><P class="MsoPlainText">Regards,</P><P class="MsoPlainText">Vladimir</P></BODY></HTML> Thu, 02 Jun 2011 07:26:40 GMT https://community.cisco.com/t5/application-networking/cisco-ace-ssl-termination-problem/m-p/1710514#M34291 Vladimir Pavlinic 2011-06-02T07:26:40Z https://community.cisco.com/t5/application-networking/cisco-ace-ssl-termination-problem/m-p/1710515#M34292 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>We managed to correct issues with certificates. There was a problem with time synchronization.</P><P>Now SSL termination works as expected.</P><P></P><P>Aftrer fixing SSL problems, we found another problem. </P><P>After client (device) hits VIP and SSL terminates on ACE, client (end device) is expecting to recive packet from Real server before sending enything to Real.</P><P>When ACE is doing SSL termination, there is no TCP conn to REAL SERVER until the APP Data is seen from client.</P><P></P><P>Is there any way to force ACE to open tcp connection to REAL without receiving APP data after SSL termination?</P><P></P><P>Regards,</P><P>Vladimir</P></BODY></HTML> Thu, 09 Jun 2011 12:33:11 GMT https://community.cisco.com/t5/application-networking/cisco-ace-ssl-termination-problem/m-p/1710515#M34292 Vladimir Pavlinic 2011-06-09T12:33:11Z https://community.cisco.com/t5/application-networking/cisco-ace-ssl-termination-problem/m-p/1710516#M34293 <HTML><HEAD></HEAD><BODY><P>Hi Vladimir,</P><P></P><P>The moment SSL termination is done, the ACE will treat the connection as a L7 one, and therefore, it will wait to get the HTTP request before it tries to contact the server. </P><P></P><P>Normally, this should not cause any issues to the application, so, could you please let me know why this behavior is not desirable?</P><P></P><P>Daniel</P></BODY></HTML> Thu, 09 Jun 2011 13:57:25 GMT https://community.cisco.com/t5/application-networking/cisco-ace-ssl-termination-problem/m-p/1710516#M34293 Daniel Arrondo Ostiz 2011-06-09T13:57:25Z https://community.cisco.com/t5/application-networking/cisco-ace-ssl-termination-problem/m-p/1710517#M34294 <HTML><HEAD></HEAD><BODY><P>Hi Daniel,</P><P>This is normal and expected behavior for L7 on ACE.&nbsp; </P><P></P><P>Application on end device is configured to send packets only after first packet is recived from Real. </P><P>We are trying to migrate existing SSL termination from STunnel to ACE. Stunnel is not an LB and it opens TCP connection to real after SSL termination. In this case Real can send required packet to end device and everything works fine.</P><P></P><P>Our end devices are configured this way and it will take a lot of time to reconfigure them to work with ACE.</P><P>I am just searching for an answer is this behavior achievable with ACE. </P><P></P><P>Vladimir</P></BODY></HTML> Thu, 09 Jun 2011 14:16:35 GMT https://community.cisco.com/t5/application-networking/cisco-ace-ssl-termination-problem/m-p/1710517#M34294 Vladimir Pavlinic 2011-06-09T14:16:35Z https://community.cisco.com/t5/application-networking/cisco-ace-ssl-termination-problem/m-p/1710518#M34295 <HTML><HEAD></HEAD><BODY><P>I'm afraid this behavior is not configurable. With L7 connections, the ACE will always wait for the client request before opening the connection to the server. </P><P></P><P>Daniel</P></BODY></HTML> Thu, 09 Jun 2011 14:22:06 GMT https://community.cisco.com/t5/application-networking/cisco-ace-ssl-termination-problem/m-p/1710518#M34295 Daniel Arrondo Ostiz 2011-06-09T14:22:06Z https://community.cisco.com/t5/application-networking/cisco-ace-ssl-termination-problem/m-p/1710519#M34296 <HTML><HEAD></HEAD><BODY><P>Thank You Daniel.</P><P></P><P>Best regards,</P><P>Vladimir</P></BODY></HTML> Thu, 09 Jun 2011 14:31:08 GMT https://community.cisco.com/t5/application-networking/cisco-ace-ssl-termination-problem/m-p/1710519#M34296 Vladimir Pavlinic 2011-06-09T14:31:08Z