03-24-2011 04:57 PM
Hi
I am having an issue connecting to a server farm, Internal-FARM. When trying to connect to it by either IP or DNS name, Firefox gives the error below. I am able to ping the VIP. The ACE is running in routed mode with SSL termination.
Unable to connect
Firefox can't establish a connection to the server at
* The site could be temporarily unavailable or too busy.
Internet explorer gives a similar error.
This had been working fine. The only change made to the ACE modules was generating a new key file and CSR using the following:
crypto generate key 2048 RSAKEY2048.PEM
crypto generate csr PARAMS-1 RSAKEY2048.PEM
------ Current ssl-proxy (that was working) ------
ssl-proxy service proxy-Internal
key key.pem
cert tempcert1.pem
service-policy input loadbalance
policy-map multi-match loadbalance
class Internal-Classify
loadbalance vip inservice
loadbalance policy Internal-vip
loadbalance vip icmp-reply
ssl-proxy server proxy-Internal
policy-map type loadbalance first-match Internal-vip
class class-default
sticky-serverfarm SGROUP3
class-map match-any Internal-Classify
3 match virtual-address x.x.x.x tcp eq https
sticky ip-netmask 255.255.255.255 address both SGROUP3
timeout 61
replicate sticky
serverfarm Internal-FARM
The serverfarm and rservers are in service, but I can see the following in the show service-policy detail output:
class: Internal-Classify
ssl-proxy server: proxy-Internal
VIP Address: Protocol: Port:
x.x.x.x tcp eq 443
loadbalance:
L7 loadbalance policy: Internal-vip
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
curr conns : 0 , hit count: 277 <---- Both counters are incrementing ("hit count" and "dropped conns")
dropped conns : 113 <----
client pkt count : 5548 , client byte count: 659303
server pkt count : 7866 , server byte count: 10409414
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : Internal-vip
class/match : class-default
LB action: :
sticky group: SGROUP3
primary serverfarm: Internal-FARM
state: UP
backup serverfarm : -
hit count : 174
dropped conns : 0
Regards Craig
03-24-2011 05:54 PM
Hello Craig,
Did you verify that the cert and key match? If not, try the command:
# crypto verify key.pem tempcert1.pem
In addition, please copy the serverfarm configuration.
03-25-2011 02:12 AM
Hi
Thank you for the response. The key has passed the verify command. Please see the following output:
sh serverfarm Internal-FARM detail
serverfarm : Internal-FARM, type: HOST
total rservers : 4
active rservers: 4
description : -
state : ACTIVE
predictor : LEASTCONNS
slowstart : 0 secs
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 1
total conn-dropcount : 0
Probe(s) :
http-probe, type = HTTP
---------------------------------
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: WEB01
x.x.x.x:8881 8 OPERATIONAL 0 65 11
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: WEB02
x.x.x.x:8881 8 OPERATIONAL 0 36 0
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: WEBLIVE1
x.x.x.x:8881 8 OPERATIONAL 0 48 8
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: WEBLIVE2
x.x.x.x:8881 8 OPERATIONAL 0 6 0
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
Running config of the serverfarm:
serverfarm host Internal-FARM
predictor leastconns
probe http-probe
rserver WEB01 8881
inservice
rserver WEB02 8881
inservice
rserver WEBLIVE1 8881
inservice
rserver WEBLIVE2 8881
inservice
Regards Craig
03-25-2011 12:50 PM
Hi Craig,
1) Could you remove the leastconns predictor?
2) Could you take an SSL capture from the client and check whether the SSL phase completes correctly and, if not, who stops the connection?
If you eventually get a TLS ALERT error, decrypt the trace with the private key and see in more detail which error it is.
Alessandro
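As an added illustration of the check suggested above (this is not from the thread or from Cisco), the following Python probe sends one ClientHello to a TLS VIP and reports what the server does first: answers with a handshake record, sends a TLS alert (and which one), or simply closes, which is the same distinction a client-side capture would show. The server name "vip.example" and the fake_server helper are constructed for offline testing.

```python
import os
import socket
import struct
import threading

ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",  # RFC 5246 7.2
          40: "handshake_failure", 42: "bad_certificate", 47: "illegal_parameter",
          70: "protocol_version", 80: "internal_error"}

def build_client_hello(server_name):
    """Minimal TLS 1.2 ClientHello carrying one SNI extension."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"          # version, random, empty session id
            + b"\x00\x04\xc0\x2f\x00\x9c"                   # two AES-GCM cipher suites
            + b"\x01\x00"                                   # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def probe_tls(host, port, server_name="vip.example", timeout=3.0):
    """Send a ClientHello and classify the server's first reaction."""
    try:
        with socket.create_connection((host, port), timeout) as s:
            s.sendall(build_client_hello(server_name))
            hdr = s.recv(5)                                 # one TLS record header
            if len(hdr) < 5:
                return ("closed", None)                     # peer hung up without any TLS record
            rtype, _, length = struct.unpack("!BHH", hdr)
            if rtype == 0x15:                               # alert: body is level, description
                alert = s.recv(length)
                return ("alert", ALERTS.get(alert[1], str(alert[1])) if len(alert) > 1 else "truncated")
            if rtype == 0x16:
                return ("handshake", "server answered with a handshake record")
            return ("unknown", "record type %d" % rtype)
    except ConnectionRefusedError as e:
        return ("refused", str(e))                          # nothing listening on the VIP port
    except OSError as e:
        return ("error", str(e))                            # RST, timeout or unreachable

def fake_server(response):
    """Constructed stand-in for the VIP: accept one client, send bytes, close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        with srv, srv.accept()[0] as conn:
            conn.recv(4096)                                 # consume the ClientHello
            conn.sendall(response)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real VIP, call probe_tls(vip_ip, 443, server_name=dns_name); an "alert" result names the alert the ACE sent, while "closed" or "error" means the TCP side was torn down before any TLS record arrived.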