2592 Views, 0 Helpful, 5 Replies

ACE SSL Initiation config and troubleshooting

Hi, I'm new to ACE load balancers and am trying to configure them to eventually load balance two web servers running https. The intention is to let the web servers perform the SSL termination, so I believe that the best way to set up the ACE is to use "SSL Initiation".

I've set up our ACE 4710 to perform SSL Initiation similar to a sample config in a recent Cisco ACE course:


ssl-proxy service backend_ssl

class-map match-all external-vip
  2 match virtual-address 198.133.219.25 tcp eq http

policy-map type loadbalance first-match slb-logic
  class class-default
    serverfarm ext-servers
    ssl-proxy client backend_ssl

policy-map multi-match client-vips
  class external-vip
    loadbalance vip inservice
    loadbalance policy slb-logic

A question: the above sample is a direct copy and paste of the PowerPoint slide. Should the match statement end with "eq https" instead of "eq http"? I assumed that it did and have changed it accordingly.

Our tests to the URL associated with the VIP IP seem to reset the browser session. The browser never seems to prompt about any certificate errors.

In order to try and get some details from the test I've tried implementing a packet capture using the following access list:

access-list test line 8 extended permit tcp any host 192.168.1.12 eq https
access-list test line 16 extended permit tcp host 192.168.1.12 eq https any

Where 192.168.1.12 is the web server ip.

And setting up the following packet capture:

capture cap1 all access-list test

When I start/stop the capture and perform the test I still cannot see any packets being captured.

In summary:

  • Are the above settings sufficient at a minimum to set up the SSL Initiation?
  • Have we set up the capture correctly?
  • Are there alternate options to troubleshoot and analyse our test sessions?
  • Other ACE posts mention performing a "trace". How do we set one up and analyse the results?

Incidentally "show probe 443" seem to indicate that the web server is up and running on https.

Thanks in advance.

Andy.

5 REPLIES 5

Hi Andrew,

could you please paste here the output of "show run int"?

If you do "show service-policy client-vips" multiple times during the attempts, is there any counter incrementing?

Thanks,

Alessandro

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.


Thanks for your prompt reply.

Yes, the hit counts are incrementing by 10 with every attempt:

# show service-policy client-vips class-map slb-logic

Status     : ACTIVE
-----------------------------------------
Interface: vlan 1 43
  service-policy: client-vips
    class: external-vip
      loadbalance:
        L7 loadbalance policy: slb-logic
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        Persistence Rebalance: ENABLED
        curr conns       : 0         , hit count        : 712      
        dropped conns    : 711      
        client pkt count : 2194      , client byte count: 191859             
        server pkt count : 0         , server byte count: 0                  
        conn-rate-limit      : 0         , drop-count : 0        
        bandwidth-rate-limit : 0         , drop-count : 0        
      compression:
        bytes_in  : 0                  
        bytes_out : 0                  
        Compression ratio : 0.00%

However, I noticed that "dropped conns" also increased by the same amount. How can I get more info on that?
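The counters above already contain the answer to the capture question: "hit count" and "dropped conns" move together while "server pkt count" stays at 0, so the class-map is catching the client connections but the ACE never opens the back-end leg, which is why an ACL on 192.168.1.12:443 captures nothing. The following script is an added example, not part of the thread or of Cisco's tooling; it parses the "show service-policy" output into integer counters, computes the per-counter delta between two runs (the "run it several times" check Alessandro suggests) and turns the hit/drop/server-packet relationship into a verdict. The sample snapshots are constructed from the output pasted above, and the verdict thresholds are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "show service-policy" counters pasted in the thread,
# trimmed to the lines the diagnosis needs.
SNAPSHOT_BEFORE = """\
Interface: vlan 1 43
  service-policy: client-vips
    class: external-vip
      loadbalance:
        L7 loadbalance policy: slb-logic
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 712
        dropped conns    : 711
        client pkt count : 2194      , client byte count: 191859
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
"""

# Constructed second snapshot: ten more client attempts, all dropped again.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(": 712", ": 722").replace(": 711", ": 721")

# "name : integer" pairs; the lookahead skips values such as "0.00%" or "1 43".
COUNTER_RE = re.compile(r"([a-z][a-z_ -]*?)\s*:\s*(\d+)(?![\d.%])")


def parse_counters(text):
    """Map every 'name : integer' counter in the show output to an int."""
    counters = {}
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            counters[name.strip()] = int(value)
    return counters


def counter_delta(before, after):
    """Per-counter increase between two snapshots taken around a test attempt."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: a[k] - b[k] for k in a if k in b and a[k] != b[k]}


@dataclass
class VipDiagnosis:
    hits: int
    dropped: int
    server_pkts: int
    drop_ratio: float
    verdict: str


def diagnose(text):
    """Relate VIP hits, dropped connections and server-side packets.

    Thresholds (0.9 / 0.1) are assumptions for this example, not ACE defaults.
    """
    c = parse_counters(text)
    hits = c.get("hit count", 0)
    dropped = c.get("dropped conns", 0)
    server_pkts = c.get("server pkt count", 0)
    ratio = dropped / hits if hits else 0.0
    if hits and server_pkts == 0 and ratio >= 0.9:
        # Class-map matches the clients, but nothing is ever sent to the
        # serverfarm: a capture filtered on the real server address stays empty.
        verdict = "vip-hit-but-no-backend-traffic"
    elif ratio >= 0.1:
        verdict = "partial-drops"
    else:
        verdict = "healthy"
    return VipDiagnosis(hits, dropped, server_pkts, ratio, verdict)


if __name__ == "__main__":
    print(counter_delta(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
    print(diagnose(SNAPSHOT_AFTER))
```

Run it against two pasted outputs taken before and after a browser attempt: a delta where "hit count" and "dropped conns" grow by the same amount while "server pkt count" does not move points at the VIP or load-balance policy configuration rather than at the server, so that is where to look before spending more time on captures.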


Hi Andrew,

just to be sure that I understand what the final set up will be:

the client is supposed to initiate the connection in clear text to the VIP and then the ACE will initiate the SSL connection to the serverfarm.

This is not a very common set up but I think it can be done.

If this is what you want to achieve, why do you expect the client to handle the SSL connection?

If you could clarify, then I may help better here.

Looking forward to hearing from you

Alessandro

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.


Hi Alessandro, thanks for your continued assistance. Basically the user intention is for the ACE to not handle any SSL at all and have the backend web server handle SSL.

Having only recently done the course my understanding is that there are 3 ways for the ACE to process SSL:

  • SSL Termination
  • SSL Initiation
  • End-to-End SSL

As per: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/ssl/guide/overview.html#wp1011355

My understanding is that there is no way for the ACE to be entirely uninvolved with SSL, so I figured that this would be best addressed using SSL Initiation. This could be an incorrect assumption on my part.

The initial settings I supplied above were from the Cisco course slides on SSL Initiation.

Hopefully this clarifies things a little.


Hey Andrew,

You can perform SSL initiation on ACE, and that is a totally normal configuration. The only thing that you would have to change is your class-map: SSL is only going to be on the back end, not between the client and the ACE, so you can change your class-map to match http instead of https. Your clients will initiate a connection on 80 and the ACE will intercept it with a class-map and send it to the serverfarm on port 443.

class-map match-all external-vip
  2 match virtual-address 198.133.219.25 tcp eq http


The ACE can also just load balance SSL without actually performing it; in this case just match on https and remove the proxy-service, and remove the proxy-service from your L7 class-map.

class-map match-all external-vip
  2 match virtual-address 198.133.219.25 tcp eq https

policy-map type loadbalance first-match slb-logic
  class class-default
    serverfarm ext-servers

policy-map multi-match client-vips
  class external-vip
    loadbalance vip inservice
    loadbalance policy slb-logic
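The two configurations in this reply differ in exactly one pairing: with `ssl-proxy client` in the load-balance policy (SSL initiation) the VIP must match the cleartext port, and with no `ssl-proxy` at all (pass-through to an https farm) it must match https. Andrew's earlier change of "eq http" to "eq https" while keeping `ssl-proxy client` is the mismatched combination. The checker below is an added example, not part of the thread or of any Cisco tool: it reads the snippets pasted in this thread, resolves class-map to multi-match policy to load-balance policy, and reports the mismatch. The config samples are constructed from the thread; the check assumes an https server farm as in Andrew's case and does not model SSL termination or end-to-end SSL.

```python
import re

# Constructed: the SSL-initiation config from the thread, with the VIP port
# changed to https as Andrew described doing.
INITIATION_WRONG_PORT = """\
ssl-proxy service backend_ssl

class-map match-all external-vip
  2 match virtual-address 198.133.219.25 tcp eq https

policy-map type loadbalance first-match slb-logic
  class class-default
    serverfarm ext-servers
    ssl-proxy client backend_ssl

policy-map multi-match client-vips
  class external-vip
    loadbalance vip inservice
    loadbalance policy slb-logic
"""

# Constructed: the pass-through variant from this reply (no ssl-proxy at all).
PASSTHROUGH = """\
class-map match-all external-vip
  2 match virtual-address 198.133.219.25 tcp eq https

policy-map type loadbalance first-match slb-logic
  class class-default
    serverfarm ext-servers

policy-map multi-match client-vips
  class external-vip
    loadbalance vip inservice
    loadbalance policy slb-logic
"""


def parse_ace(config):
    """Extract VIP ports, which LB policies use SSL initiation, and class->LB bindings."""
    class_ports, lb_initiation, bindings = {}, {}, {}
    section = name = current_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # a new top-level block
            words = line.split()
            if words[0] == "class-map":
                section, name = "class-map", words[-1]
            elif words[:3] == ["policy-map", "type", "loadbalance"]:
                section, name = "lb-policy", words[-1]
                lb_initiation[name] = False
            elif words[:2] == ["policy-map", "multi-match"]:
                section, name = "mm-policy", words[-1]
            else:
                section = name = None  # e.g. ssl-proxy service, serverfarm
            continue
        words = line.split()
        if section == "class-map" and "virtual-address" in words:
            m = re.search(r"\btcp eq (\S+)", line)
            if m:
                class_ports[name] = m.group(1)
        elif section == "lb-policy" and words[:2] == ["ssl-proxy", "client"]:
            lb_initiation[name] = True
        elif section == "mm-policy":
            if words[0] == "class":
                current_class = words[1]
            elif words[:2] == ["loadbalance", "policy"]:
                bindings[current_class] = words[2]
    return class_ports, lb_initiation, bindings


def lint_vip_ports(config):
    """One finding per VIP whose matched port contradicts its SSL handling.

    Assumes the serverfarm speaks https, as in the thread.
    """
    class_ports, lb_initiation, bindings = parse_ace(config)
    findings = []
    for cls, lb in bindings.items():
        port = class_ports.get(cls)
        if lb_initiation.get(lb, False) and port != "http":
            findings.append(
                f"{cls}: '{lb}' uses ssl-proxy client (SSL initiation), so clients "
                f"must send cleartext, but the VIP matches tcp eq {port}")
        elif not lb_initiation.get(lb, False) and port == "http":
            findings.append(
                f"{cls}: '{lb}' has no ssl-proxy client; pass-through to an https "
                f"farm needs the VIP on tcp eq https, not http")
    return findings


if __name__ == "__main__":
    for text in (INITIATION_WRONG_PORT, PASSTHROUGH):
        print(lint_vip_ports(text) or ["ok"])
```

Feeding the initiation config with "eq https" produces one finding for external-vip; switching that line back to "eq http", or dropping `ssl-proxy client` for the pass-through design, produces none.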
