ACE SSL Terminator doesn't work

gianluca811 — Fri, 07 Nov 2014 09:25:03 GMT

Hi,

I should implement a balancing HTTP and for HTTPS an SSL terminator on my ACE.

Public IP 22.235.121.6 port 80 --> balanced on 192.168.250.165-166 on port 8889

Public IP 22.235.121.6 port 443 --> my ace terminate ssl and balance the traffic in clear text to 192.168.250.165-166 on port 8889

This is the configuration:

probe http EXAMPLE_IT_HTTP
  port 8889
  interval 5
  faildetect 2
  passdetect interval 10
  passdetect count 2
  request method get url /probe/probe.html
  expect status 200 206
  expect status 300 307
  open 1
 
serverfarm host example_IT_HTTP
  failaction reassign across-interface
  predictor leastconns
  probe example_IT_HTTP
  fail-on-all
  rserver H-192.168.250.165 8889
    inservice
  rserver H-192.168.250.166 8889
    inservice
serverfarm host example_IT_HTTPS-HTTP
  failaction reassign across-interface
  predictor leastconns
  probe example_IT_HTTP
  fail-on-all
  rserver H-192.168.250.165 8889
    inservice
  rserver H-192.168.250.166 8889
    inservice

sticky ip-netmask 255.255.255.255 address both example-IT-HTTPS-HTTP
  timeout 60
  replicate sticky
  serverfarm example_IT_HTTPS-HTTP

ssl-proxy service SSL_example_IT
  key example_it.key
  cert example_it.cert
  chaingroup SSL_CHAIN_example_IT

crypto chaingroup SSL_CHAIN_example_IT
  cert example_it.ca

class-map match-all example_IT_HTTP
  2 match virtual-address 22.235.121.6 tcp eq www
class-map match-all example_IT_HTTPS-HTTP
  2 match virtual-address 22.235.121.6 tcp eq www

policy-map type loadbalance first-match example_IT_HTTP-l7slb
  class class-default
    serverfarm example_IT_HTTP
policy-map type loadbalance first-match example_IT_HTTPS-HTTP-l7slb
  class class-default
    sticky-serverfarm example-IT-HTTPS-HTTP

policy-map multi-match int41
  class example_IT_HTTP
    loadbalance vip inservice
    loadbalance policy example_IT_HTTP-l7slb
    loadbalance vip icmp-reply active primary-inservice
  class example_IT_HTTPS-HTTP
    loadbalance vip inservice
    loadbalance policy example_IT_HTTPS-HTTP-l7slb
    loadbalance vip icmp-reply active primary-inservice
    ssl-proxy server SSL_example_IT

the balancing on http work properly, but doesn't work the ssl termination, when I try to connect from my client in https I don't see request on the server 192.168.250.165-166 coming.

Some show:

balancer# sh crypto certificate all
example_it.cert:
Subject: /C=GB/ST=United Kingdom/L=London/O=XXXXXXXX/OU=XXXXXXXXX/CN=*.xxxx.com
Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
Not Before: Apr 11 00:00:00 2014 GMT
Not After: Apr 12 23:59:59 2015 GMT
CA Cert: FALSE

example_it.ca:
Subject: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Not Before: Nov  8 00:00:00 2006 GMT
Not After: Jul 16 23:59:59 2036 GMT
CA Cert: TRUE

balancer# sh crypto session
SSL Session Cache Stats for Context     
------------------
Number of Client Sessions:                     0
Number of Server Sessions:                     0
balancer#

balancer# sh crypto files
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
cisco-sample-cert                        1082  PEM     Yes        CERT
cisco-sample-key                         887   PEM     Yes         KEY
example_it.ca                              7444  PEM     Yes        CERT
example_it.cert                            1812  PEM     Yes        CERT
example_it.key                             1675  PEM     Yes         KEY

balancer#
 
 
 
balancer# crypto verify example_it.key example_it.cert
Keypair in example_it.key matches certificate in example_it.cert.
balancer#

the show stats crypto client/server give me all 0

Someone can help me to understand why is not working ?

for further information please ask me

Thanks a lot

Hi,The problem is here:class

Kanwaljeet Singh — Fri, 07 Nov 2014 19:48:05 GMT

Hi,

The problem is here:

class-map match-all example_IT_HTTPS-HTTP
2 match virtual-address 22.235.121.6 tcp eq www

You should change it to 443 instead of WWW which means port 80.

You will never match this class "example_IT_HTTPS-HTTP".

Regards,

Kanwal

Note: Please mark answers if they are helpful.

that's correct. I

gianluca811 — Mon, 10 Nov 2014 11:06:36 GMT

that's correct.

I changed

class-map match-all example_IT_HTTPS-HTTP
2 match virtual-address 22.235.121.6 tcp eq www

class-map match-all example_IT_HTTPS-HTTP
2 match virtual-address 22.235.121.6 tcp eq https

and now it is working

thanks a lot

topic Hi,The problem is here:class in Application Networking

ACE SSL Terminator doesn't work

Hi,The problem is here:class

that's correct. I