06-01-2012 07:09 AM
Hi
I am attempting to configure an ACE4710 to perform an SSL end-to-end configuration, i.e. SSL termination - load balance - SSL initiate to backend server.
The configuration appears to work fine in a test lab using any old web server; however, when I perform the same configuration in the production environment it does not work. It appears from a capture run on the ACE that the ACE is resetting the TCP connections after communicating with the back end server.
The main difference I can think of in this environment is that the cert and key pair the ACE is using were exported from the backend server, i.e. both the ACE and the backend server have the same certificates and keys. Is this allowed? Any tips on how to troubleshoot why the ACE resets the connection?
Regards
Dave
06-01-2012 09:03 AM
Hi Dave,
Using the cert and key pair in the ACE and the backend server at the same time shouldn't be a problem. Do you have the same design routing-wise in your lab and production? Perhaps NAT is configured in the lab ACE but not in production.
If you can share a sanitized copy of the relevant portion of your configs we can take a look.
Cheers
Pablo
06-01-2012 09:15 AM
Hi Pablo
Here is the sanitised config; neither the lab nor the production environment uses any NAT. The SSL config is only required for the port 4443 vserver.
Regards
Dave
CORP-CIV-ACE-PRI/Lync# sh run
Generating configuration....

logging enable
logging timestamp
logging trap 5
logging monitor 3

access-list cap line 8 extended permit ip host 10.249.3.221 host 10.249.140.10
access-list permit_any line 1 extended permit ip any any

probe icmp ICMP
probe tcp TCP-443
  port 443
probe tcp TCP-4443
  port 4443
probe tcp TCP-80
  port 80

rserver host LYNCDR01
  ip address 10.249.141.7
  conn-limit max 4000000 min 4000000
  probe ICMP
  inservice
rserver host LYNCDR02
  ip address 10.249.141.8
  conn-limit max 4000000 min 4000000
  probe ICMP
  inservice

serverfarm host LYNCDIR01-443
  predictor response syn-to-close
  probe TCP-443
  rserver LYNCDR01
    inservice
  rserver MLYNCDR02
    inservice
serverfarm host LYNCDIR01-4443
  predictor response syn-to-close
  probe TCP-4443
  rserver LYNCDR01 4443
    inservice
  rserver LYNCDR02 4443
    inservice

sticky ip-netmask 255.255.255.255 address source S-LYNCDIR01-443
  replicate sticky
  serverfarm LYNCDIR01-443
sticky ip-netmask 255.255.255.255 address source S-LYNCDIR01-4443
  replicate sticky
  serverfarm LYNCDIR01-4443
sticky http-cookie MS-WSMAN S-LYNCDIR01-4443-COOKIE
  cookie insert
  replicate sticky
  serverfarm LYNCDIR01-4443
sticky http-cookie MS-WSMAN S-LYNCPOOL01-443-COOKIE
  cookie insert
  replicate sticky
  serverfarm LYNCPOOL01-4443

ssl-proxy service LYNCDIRSSL
  key kcomlyncdir01.pfx
  cert kcomlyncdir01.pfx
ssl-proxy service SSL-dir-client

class-map match-all LYNCDIR01-443
  2 match virtual-address 10.249.140.10 tcp eq https
class-map match-all LYNCDIR01-4443
  2 match virtual-address 10.249.140.10 tcp eq 4443

policy-map type management first-match mgmt-pm
  class class-default
    permit

policy-map type loadbalance first-match LYNCDIR01-443-l7slb
  class class-default
    sticky-serverfarm S-LYNCDIR01-443
policy-map type loadbalance first-match LYNCDIR01-4443-l7slb
  class class-default
    sticky-serverfarm S-LYNCDIR01-4443
    ssl-proxy client SSL-dir-client

policy-map multi-match int404
  class LYNCDIR01-443
    loadbalance vip inservice
    loadbalance policy LYNCDIR01-443-l7slb
    loadbalance vip icmp-reply
  class LYNCDIR01-4443
    loadbalance vip inservice
    loadbalance policy LYNCDIR01-4443-l7slb
    loadbalance vip icmp-reply
    ssl-proxy server LYNCDIRSSL

interface vlan 141
  ip address 10.249.141.28 255.255.255.224
  alias 10.249.141.30 255.255.255.224
  peer ip address 10.249.141.29 255.255.255.224
  access-group input permit_any
  no shutdown
interface vlan 404
  ip address 10.249.140.125 255.255.255.128
  alias 10.249.140.124 255.255.255.128
  peer ip address 10.249.140.126 255.255.255.128
  access-group input permit_any
  service-policy input mgmt-pm
  service-policy input int404
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.249.140.123

CORP-CIV-ACE-PRI/Lync#
06-01-2012 11:17 AM
Hi Dave,
I doubt ssl-proxy service.
ssl-proxy service LYNCDIRSSL
  key kcomlyncdir01.pfx
  cert kcomlyncdir01.pfx
Verify the key and cert using the crypto verify command and confirm it's a valid pair.
06-02-2012 12:01 PM
Hello Dave,
What version are you running?
Yes, you can check your certs and keys with:
Show crypto files—Displays certificates and keys stored under a context.
This example provides sample output:
switch/C1# show crypto files
Filename                 File  File  Expor  Key/
                         Size  Type  table  Cert
-----------------------------------------------------------------------
inter.pem                1992  PEM   Yes    CERT
rsakey.pem               891   PEM   Yes    KEY
slot2-1tier.pem          1923  PEM   Yes    CERT
slot2-2tier.pem          1762  PEM   Yes    CERT
Crypto verify key certificate—Verifies that the Certificate and key match.
This example provides sample output:
switch/C1# crypto verify rsakey.pem slot2-2tier.pem
Keypair in rsakey.pem matches certificate in slot2-2tier.pem
Here is a sample of how an END-TO-END SSL configuration should look:
class-map match-all L4-CLASS-HTTPS
  2 match virtual-address 172.16.0.15 tcp eq https

policy-map multi-match VIPs
  class L4-CLASS-HTTPS
    loadbalance vip inservice
    loadbalance policy HTTPS-POLICY
    loadbalance vip icmp-reply
    loadbalance vip advertise active
    appl-parameter http advanced-options http_parameter_map
    ssl-proxy server CISCO-SSL-PROXY

policy-map type loadbalance http first-match HTTPS-POLICY
  class class-default
    serverfarm SF-1
    ssl-proxy client CLIENT-SSL-PROXY

serverfarm host SF-1
  rserver S1 443
    inservice
  rserver S2 443
    inservice
  rserver S3 443
    inservice
  rserver S4 443
    inservice

rserver host S1
  ip address 192.168.0.200
  inservice
rserver host S2
  ip address 192.168.0.201
  inservice
rserver host S3
  ip address 192.168.0.202
  inservice
rserver host S4
  ip address 192.168.0.203
  inservice

ssl-proxy service CLIENT-SSL-PROXY
ssl-proxy service CISCO-SSL-PROXY
  key rsakey.pem
  cert slot2-2tier.pem
  chaingroup Chaingroup1
  ssl advanced-options PARAMETER_SSL

crypto chaingroup Chaingroup1
  cert inter.pem

parameter-map type http http_parameter_map
  persistence-rebalance
  set content-maxparse-length 8192
  set header-maxparse-length 8192

parameter-map type ssl PARAMETER_SSL
  session-cache timeout 300
  queue-delay timeout 1
Here you have a link about it:
Can you upload these outputs?
# show stats loadbalance
# show stats http
For the settings I included in the HTTP parameter map, here are some additional details:
Setting the Maximum Number of Bytes to Parse for Content
By default, the maximum number of bytes that the ACE parses to check for content is 4096. If a content string exceeds the default value, the ACE drops the packet and sends a RST (reset) to the client browser. You can increase the number of bytes that the ACE parses using the set content-maxparse-length command in HTTP parameter map configuration mode. The syntax of this command is as follows:
set content-maxparse-length bytes
The bytes argument is the maximum number of bytes to parse for the total length of a content string. Enter an integer from 1 to 65535. The default is 4096 bytes.
For example, to set the content maximum parse length to 8192, enter:
host1/Admin(config-parammap-http)# set content-maxparse-length 8192
Setting the Maximum Number of Bytes to Parse for Cookies, HTTP Headers, and URLs
By default, the maximum number of bytes that the ACE parses to check for a cookie, HTTP header, or URL is 4096. If a cookie, HTTP header, or URL exceeds the default value, the ACE drops the packet and sends a RST (reset) to the client browser. You can increase the number of bytes that the ACE parses using the set header-maxparse-length command in HTTP parameter-map configuration mode. The syntax of this command is as follows:
set header-maxparse-length bytes
The bytes argument is the maximum number of bytes to parse for the total length of all cookies, HTTP headers, and URLs. Enter an integer from 1 to 65535. The default is 4096 bytes.
For example, to set the HTTP header maximum parse length to 8192, enter:
host1/Admin(config-parammap-http)# set header-maxparse-length 8192
Jorge
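As an added illustration of the failure mode Jorge describes (this is not from the thread or from Cisco), the following Python script measures how many bytes of a raw HTTP request the ACE would have to parse to reach the end of the headers and cookies, and compares that against the default 4096-byte header-maxparse-length and the 8192 value used in the parameter map above. The sample request, its path and its hostname are constructed placeholders.

```python
# Added example (not from the thread or Cisco): estimate whether a request's
# headers exceed the ACE header-maxparse-length that governs cookie/header
# inspection. Per the quoted docs, the ACE drops the packet and sends a RST
# when the parsed header span exceeds that limit.

ACE_DEFAULT_MAXPARSE = 4096   # ACE default for set header-maxparse-length
ACE_RAISED_MAXPARSE = 8192    # value set in the thread's http parameter map


def header_parse_length(raw_request: bytes) -> int:
    """Bytes from the start of the request line through the CRLFCRLF that
    ends the headers. This is the span the ACE must parse before it can
    match an HTTP cookie (e.g. the MS-WSMAN sticky cookie) or a header."""
    end = raw_request.find(b"\r\n\r\n")
    if end == -1:
        # No end-of-headers marker yet: everything buffered is header data.
        return len(raw_request)
    return end + 4


def check_request(raw_request: bytes, maxparse: int = ACE_DEFAULT_MAXPARSE) -> dict:
    """Report whether the request's headers fit within a given parse length."""
    n = header_parse_length(raw_request)
    return {"header_bytes": n, "maxparse": maxparse, "exceeds": n > maxparse}


def build_sample_request(cookie_value_len: int) -> bytes:
    """Constructed sample request carrying one large MS-WSMAN cookie.
    The path and hostname are placeholders, not values from the thread."""
    cookie = b"MS-WSMAN=" + b"A" * cookie_value_len
    lines = [
        b"POST /resource HTTP/1.1",
        b"Host: backend.example.test",
        b"Content-Type: application/soap+xml",
        b"Cookie: " + cookie,
        b"Content-Length: 0",
    ]
    return b"\r\n".join(lines) + b"\r\n\r\n"


if __name__ == "__main__":
    for size in (500, 5000, 9000):
        req = build_sample_request(size)
        for limit in (ACE_DEFAULT_MAXPARSE, ACE_RAISED_MAXPARSE):
            r = check_request(req, limit)
            verdict = "RST expected" if r["exceeds"] else "ok"
            print(f"cookie {size:5d} B -> headers {r['header_bytes']:5d} B, "
                  f"maxparse {limit}: {verdict}")
```

Feeding a captured request (for example one reassembled from the ACE capture Dave mentions) into check_request shows which maxparse value the parameter map needs.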
07-10-2012 06:32 AM
Hi
The answer to this one is that the HTTP header was greater than 4K, so I needed to use a parameter map to increase the header size that the ACE would look at.
Thanks for the advice
07-10-2012 07:49 AM
It sounds great that the information was useful for you.
Please mark it if you consider that it helped you.
:-D