ACE 4710 - SSL pass through, reason why sorry-server farm won't work

jbracey
Level 1

Hello All:

I'm looking for some documentation I can share with a customer to explain why I can't configure them a back-up sticky server farm when we're not terminating SSL on the ACE (we pass SSL from the client through to the rservers, sticking the client to the rserver by source IP address). I've not been able to find anything that addresses this particular scenario in my googling so far. I remember discussing this in my training class with the instructor, but I can't find any reference to it. Has any of you run into this, and do you have a link you can share?

Thanks in advance.

7 Replies

Cesar Roque
Level 4

Hi,

This should be possible with this configuration:

serverfarm host backup
  rserver test2 443
    inservice
  rserver test3 443
    inservice
serverfarm host test
  rserver test 443
    inservice
  rserver test1 443
    inservice
sticky ip-netmask 255.255.255.255 address source test
  serverfarm test backup backup sticky

Here is the doc about it:

http://tools.cisco.com/squish/D041b

Cesar R, ANS Team

jbracey

Thanks for the reply Cesar. I've actually attempted that configuration (see below) with no success. All we get are browser errors when the backup serverfarm is active:

Chrome:

SSL connection error

Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.

Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

Firefox:

Secure Connection Failed

An error occurred during a connection to service.company.com.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

Here's the config I have for this service:

probe http SERVICE-HTTP_PROBE
  port 80
  interval 15
  passdetect interval 60
  request method get url /webapps/portal/healthCheck
  expect status 200 200
  connection term forced
  open 1
probe https SERVICE-MAINTENANCE-PAGE
  port 443
  interval 15
  passdetect interval 60
  ssl version all
  request method get url /server.html
  expect status 200 200
  connection term forced
  open 1
rserver host SERVER1
  ip address 192.168.0.173
  inservice
rserver host SERVER2
  ip address 192.168.0.174
  inservice
rserver redirect SORRY
  webhost-redirection http://www.company.com/sorry.shtml 302
  inservice
rserver redirect SERVICE-REDIRECT
  webhost-redirection https://servicecompany.com 302
  inservice
serverfarm redirect SORRY-FARM
  rserver SORRY
    inservice
serverfarm redirect SERVICE-REDIRECT
  rserver SERVICE-REDIRECT
    inservice
serverfarm host SERVICE-SSL
  predictor leastconns
  probe SERVICE-HTTP_PROBE
  probe SERVICE-MAINTENANCE-PAGE
  rserver SERVER1 443
    inservice
  rserver SERVER2 443
    inservice
parameter-map type http CASE_PARAM
  case-insensitive
  persistence-rebalance
sticky ip-netmask 255.255.255.255 address source SERVICE-SSL_STICKY
  replicate sticky
  serverfarm SERVICE-SSL backup SORRY-FARM
class-map match-all SERVICE-REDIRECT_CLASS
  2 match virtual-address 10.10.10.24 tcp eq www
class-map match-all SERVICE-SSL_CLASS
  2 match virtual-address 10.10.10.24 tcp eq https
policy-map type loadbalance first-match SERVICE-REDIRECT_CLASS-l7slb
  class class-default
    serverfarm SERVICE-REDIRECT
policy-map type loadbalance first-match SERVICE-SSL_POLICY
  class class-default
    sticky-serverfarm SERVICE-SSL_STICKY
policy-map multi-match POLICY
  class SERVICE-SSL_CLASS
    loadbalance vip inservice
    loadbalance policy SERVICE-SSL_POLICY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options CASE_PARAM
  class SERVICE-REDIRECT_CLASS
    loadbalance vip inservice
    loadbalance policy SERVICE-REDIRECT_CLASS-l7slb
    loadbalance vip icmp-reply active primary-inservice
    appl-parameter http advanced-options CASE_PARAM
service-policy input POLICY

Cesar Roque

Hi,

The problem is that the backup serverfarm is actually a redirect; this is not going to work unless you have SSL termination configured on the ACE.

Cesar R, ANS Team

jbracey

Exactly! Do you know if there's some documentation somewhere that outlines why this doesn't work? I'm just looking for some backup. I wasn't coming up with anything in the Cisco documentation.

Thanks again!

Cesar Roque

Hi,

Not really; there is nothing in the documentation about this specifically.

Cesar R, ANS Team

Borys

Hi

You won't find such a thing in the ACE documentation (at least not explicitly; it may be mentioned in some example, though), as it's not ACE related. It's how HTTPS works. Basically, HTTPS is just HTTP inside an SSL tunnel. You can't send/receive any HTTP commands before the SSL tunnel is built. So, you have your redirection serverfarm, which is basically a "small HTTP server" that always replies with an HTTP 302 message to any request it receives. However, it can't receive any request or send any replies when HTTPS is used, as the SSL tunnel needs to be built first.

So, it's how the protocol works; it's not about the product itself.

I guess you can give a link to this discussion to your customer
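As an added illustration of the point Borys makes (this is example code written for this page, not part of the original thread and not ACE code), the Python below models the pass-through case end to end: a tiny server that answers whatever bytes it receives with a plaintext HTTP 302 (the role the redirect rserver plays), and a client that opens TCP to it and starts a TLS handshake the way a browser does. The client's first bytes are a TLS handshake record; the server's reply is the ASCII text "HTTP/1.1 302 ...", which the client's record layer reads as a 5-byte record header. The 302 body, the hostname service.company.com and the loopback server are constructed for the example.

```python
import socket
import ssl
import threading

# Constructed sample: the plaintext reply a redirect server sends to any bytes
# that arrive on the connection (modelling "webhost-redirection ... 302").
# Not captured from an ACE; written for this example.
REDIRECT_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://www.company.com/sorry.shtml\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

TLS_MAX_PLAINTEXT = 16384          # RFC 5246 6.2.1: TLSPlaintext.length <= 2^14
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def parse_tls_record_header(data: bytes) -> dict:
    """Read the first 5 bytes the way a TLS client's record layer does:
    1 byte content type, 2 bytes version, 2 bytes big-endian length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    content_type = data[0]
    version = (data[1], data[2])
    length = int.from_bytes(data[3:5], "big")
    return {
        "content_type": content_type,
        "content_type_name": TLS_CONTENT_TYPES.get(content_type, "unknown"),
        "version": version,
        "length": length,
        "record_too_long": length > TLS_MAX_PLAINTEXT,
    }


def _plaintext_redirect_server(srv: socket.socket, seen: dict) -> None:
    """Accept one connection, keep what arrived, answer with the 302, close."""
    srv.settimeout(5)
    conn, _ = srv.accept()
    with conn:
        seen["first_bytes"] = conn.recv(4096)  # the client's TLS ClientHello record
        conn.sendall(REDIRECT_302)             # plaintext HTTP where TLS was expected
        try:
            conn.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass


def tls_client_attempt(host: str, port: int) -> str:
    """Behave like the browser: TCP connect, then immediately start TLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # no certificate will ever arrive in this scenario
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="service.company.com") as tls:
                # Only reachable if the handshake succeeded (it will not here).
                tls.sendall(b"GET /webapps/portal/healthCheck HTTP/1.1\r\n"
                            b"Host: service.company.com\r\n\r\n")
                return "ok: " + tls.recv(64).decode("latin-1")
    except ssl.SSLError as e:               # subclass of OSError, so catch it first
        return f"ssl error: {e.reason}"     # OpenSSL typically reports WRONG_VERSION_NUMBER
    except OSError as e:
        return f"connection error: {e}"


def run_demo() -> dict:
    """Run the plaintext redirect server on loopback and a TLS client against it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = {}
    t = threading.Thread(target=_plaintext_redirect_server, args=(srv, seen), daemon=True)
    t.start()
    result = tls_client_attempt("127.0.0.1", port)
    t.join(5)
    srv.close()
    hello = seen.get("first_bytes", b"")
    return {
        "client_result": result,
        "what_client_sent": parse_tls_record_header(hello) if len(hello) >= 5 else None,
        "how_client_read_reply": parse_tls_record_header(REDIRECT_302),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

What `how_client_read_reply` shows is why the two browsers word the failure differently: the first byte "H" (0x48) is not a valid TLS content type, the "version" bytes are "TT", and the length field decodes from "P/" to 20527, above the 16384-byte record maximum, which is the condition Firefox's ssl_error_rx_record_too_long message describes. Nothing in this exchange is a bug in either endpoint; the redirect server never gets a request it can read, and the client never gets a record it can accept, so no 302 can be delivered until something terminates TLS in front of the redirect.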

jbracey

Thanks Borys! That makes a lot of sense to me. Thanks for the explanation. I guess it's documented now.
