08-30-2010 02:48 PM
Fellow Networkers,
Could someone kindly provide an explanation in regard to the https probe (standard https probe provided with ACE) operation?
What I'm trying to determine/understand is how the ACE interprets the expected status code, since I am not terminating SSL in the ACE, or whether it is even necessary for me to include the expected status code.
When the probe is being applied, does the ACE look for the handshaking routine (client hello, etc.) to build the session ID, and then send a "get" to check the status code? I'm trying to understand, if the ACE is not terminating the SSL, whether the return status code is encrypted or not encrypted.
One of our server admins would like to send a specific request, like the command below, and I wasn't sure if it would work. Unfortunately I do not have a spare ACE module to do some testing.
request method head url /aims/enterprise/user
Example:
!
!
probe https generic-HTTPs
  interval 5
  passdetect interval 5
  receive 5
  expect status 200 405
!
serverfarm host generic-HTTPS
  predictor leastconns
  probe generic-HTTPs
  rserver RSRV1
    inservice
  rserver RSRV2
    inservice
If you need any additional information, please let me know.
Thanks,
raman
08-31-2010 12:22 AM
When you configure an https probe on ACE, a connection is established between ACE and the rserver by a 3-way handshake. Then the SSL handshake is processed between ACE and the rserver.
After receiving the Finished message from the rserver, ACE sends the HTTP request to the rserver.
If you configure 'request method head url /aims/enterprise/user' on the probe generic-HTTPs, this HTTP request becomes a HEAD request.
If you configure 'expect status 200 405', ACE checks that the status code is valid. If you don't configure the 'expect status' command, ACE only checks whether a status code is returned or not.
Since the probe process works between ACE and the rserver configured with the probe, you don't need the 'ssl-proxy service' config.
As an example, I attached a capture trace of the https probe with the following configuration.
I got this trace with the NAM module on the same chassis and then filtered it with tcp.port==443.
Since I also attached the private key, you can decode the capture trace with Wireshark.
Edit -> Preferences -> Protocols -> SSL
RSA key list: 192.168.72.254,443,http,c:\key_probe-ssl.pem
SSL debug file: c:\ssl_debug.txt
### config
ACE20a/Admin# sh run probe
Generating configuration....
probe https probe-ssl
  interval 5
  passdetect interval 5
  receive 5
  request method head url /aims/enterprise/user
  expect status 200 200
ACE20a/Admin#
ACE20a/Admin# sh run rserver
Generating configuration....
rserver host rserver-ssl
  ip address 192.168.72.254
  inservice
ACE20a/Admin# sh run serverfarm
Generating configuration....
serverfarm host sf-ssl
  probe probe-ssl
  rserver rserver-ssl
    inservice
Regards,
Yuji
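For anyone without a spare ACE module, the sequence described in the answer above (TCP connect, SSL handshake, one encrypted HTTP request, status check) can be reproduced from a workstation. This is an added example, not part of the original thread and not Cisco code; the function names are hypothetical, the two numbers of 'expect status' are treated as an inclusive min/max range, and certificate verification is off by default as an assumption of this example.

```python
import socket
import ssl

def build_request(method, path, host):
    """HTTP/1.1 request; 'request method head url ...' maps to method and path."""
    return (f"{method.upper()} {path} HTTP/1.1\r\n"
            f"Host: {host}\r\nConnection: close\r\n\r\n").encode("ascii")

def parse_status(response):
    """Return the integer status code from a raw HTTP response, or None."""
    parts = response.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def probe_passes(status, expect=None):
    """expect=(min, max) mirrors 'expect status'; None accepts any returned status."""
    if status is None:
        return False
    return True if expect is None else expect[0] <= status <= expect[1]

def https_probe(host, port=443, method="HEAD", path="/", expect=None,
                timeout=5.0, verify=False):
    """TCP connect, TLS handshake, then one HTTP request inside the TLS session."""
    ctx = ssl.create_default_context()
    if not verify:  # assumption: server reached by IP with a non-public certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            tls.sendall(build_request(method, path, host))
            data = b""
            while b"\r\n" not in data:  # only the status line is needed
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
    status = parse_status(data)
    return status, probe_passes(status, expect)

# Constructed sample responses (not taken from the attached capture)
SAMPLE_OK = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
SAMPLE_405 = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET\r\n\r\n"
SAMPLE_500 = b"HTTP/1.1 500 Internal Server Error\r\n\r\n"

if __name__ == "__main__":
    for raw in (SAMPLE_OK, SAMPLE_405, SAMPLE_500):
        code = parse_status(raw)
        print(code, probe_passes(code, (200, 405)), probe_passes(code, (200, 200)))
```

Against a real server, `https_probe("192.168.72.254", method="HEAD", path="/aims/enterprise/user", expect=(200, 405))` returns the status code and the pass/fail result. Under the range reading, 200 405 also accepts redirects and client errors such as 401, 403 and 404, so a narrower range such as 200 200 is the stricter health check.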