04-19-2011 04:23 AM
Hi, I'm new to ACE load balancers and am trying to configure them to eventually load balance two web servers running https. The intention is to let the web servers perform the SSL termination, so I believe that the best way to do this is to set up the ACE to use "SSL Initiation".
I've set up our ACE 4710 to perform SSL Initiation similar to a sample config in a recent Cisco ACE course:
ssl-proxy service backend_ssl
class-map match-all external-vip
  2 match virtual-address 198.133.219.25 tcp eq http
policy-map type loadbalance first-match slb-logic
  class class-default
    serverfarm ext-servers
    ssl-proxy client backend_ssl
policy-map multi-match client-vips
  class external-vip
    loadbalance vip inservice
    loadbalance policy slb-logic
A question: the above sample is a direct copy and paste of the PowerPoint slide. Should the match statement end with "eq https" instead of "eq http"? I assumed that it did and have changed it accordingly.
Our tests to the URL associated with the VIP IP seem to reset the browser session. The browser never seems to prompt relating to any certificate errors.
In order to try and get some details from the test I've tried implementing a packet capture using the following access list:
access-list test line 8 extended permit tcp any host 192.168.1.12 eq https
access-list test line 16 extended permit tcp host 192.168.1.12 eq https any
Where 192.168.1.12 is the web server ip.
And setting up the following packet capture:
capture cap1 all access-list test
When I start/stop the capture and perform the test I still cannot see any packets being captured.
In summary:
Incidentally, "show probe 443" seems to indicate that the web server is up and running on https.
Thanks in advance.
Andy.
04-19-2011 05:31 AM
Hi Andrew,
could you please paste here the output of "show run int"?
If you do "show service-policy client-vips" multiple times during the attempts, is there any counter incrementing?
Thanks,
Alessandro
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
04-19-2011 06:52 PM
Thanks for your prompt reply.
Yes, the hitcounts are incrementing by 10 with every attempt:
# show service-policy client-vips class-map slb-logic
Status : ACTIVE
-----------------------------------------
Interface: vlan 1 43
service-policy: client-vips
class: external-vip
loadbalance:
L7 loadbalance policy: slb-logic
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
Persistence Rebalance: ENABLED
curr conns : 0 , hit count : 712
dropped conns : 711
client pkt count : 2194 , client byte count: 191859
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
However, I noticed that "dropped conns" also increased by the same amount, how can I get more info on that?
04-20-2011 12:25 AM
Hi Andrew,
just to be sure that I understand what the final setup will be:
the client is supposed to initiate the connection in clear text to the VIP and then the ACE will initiate the SSL connection to the serverfarm.
This is not a very common setup but I think it can be done.
If this is what you want to achieve, why do you expect the client to handle the SSL connection?
If you could clarify, then I may help better here.
Looking forward to hearing from you
Alessandro
04-21-2011 01:58 AM
Hi Alessandro, thanks for your continued assistance. Basically the user intention is for the ACE to not handle any SSL at all and have the backend web server handle SSL.
Having only recently done the course my understanding is that there are 3 ways for the ACE to process SSL:
• SSL Termination
• SSL Initiation
• End-to-End SSL
My understanding is that there is no way for the ACE to be entirely uninvolved with SSL, so I figured that this would be best addressed using SSL Initiation. This could be an incorrect assumption on my part.
The initial settings I supplied above were from the Cisco course slides on SSL Initiation.
Hopefully this clarifies things a little.
04-25-2011 01:41 PM
Hey Andrew,
You can perform SSL initiation on ACE, and that is a totally normal configuration. The only thing that you would have to change is your class-map. SSL is only going to be in the back-end, not between client and ACE, so you can change your class-map to match http instead of https. Your clients will initiate a connection on 80 and the ACE will intercept it w/ a class-map, and send it to the serverfarm on port 443.
class-map match-all external-vip
  2 match virtual-address 198.133.219.25 tcp eq http
The ACE can also just load balance SSL w/o actually performing it; in this case just match on https and remove the proxy-service, and remove the proxy-service from your L7 class-map.
class-map match-all external-vip
  2 match virtual-address 198.133.219.25 tcp eq https
policy-map type loadbalance first-match slb-logic
  class class-default
    serverfarm ext-servers
policy-map multi-match client-vips
  class external-vip
    loadbalance vip inservice
    loadbalance policy slb-logic
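As an added example, not from this thread or from Cisco, a small Python lint that classifies an ACE snippet's TLS role from its ssl-proxy lines and flags the mismatch discussed above (a VIP matching https while the ACE only does SSL initiation). The config text is constructed from the thread's snippet with the VIP changed to "eq https", and the classification treats ssl-proxy lines config-wide rather than per class, which is an assumption.

```python
import re

# Constructed ACE snippet: the thread's SSL-initiation config with the VIP changed to "eq https".
SSL_INITIATION_HTTPS_VIP = """
ssl-proxy service backend_ssl
class-map match-all external-vip
  2 match virtual-address 198.133.219.25 tcp eq https
policy-map type loadbalance first-match slb-logic
  class class-default
    serverfarm ext-servers
    ssl-proxy client backend_ssl
policy-map multi-match client-vips
  class external-vip
    loadbalance vip inservice
    loadbalance policy slb-logic
"""

def ssl_mode(cfg):
    """Classify the TLS role from ssl-proxy lines (assumed: applied config-wide, not per class)."""
    front = bool(re.search(r"^\s*ssl-proxy server\s+\S+", cfg, re.M))   # ACE terminates client TLS
    back = bool(re.search(r"^\s*ssl-proxy client\s+\S+", cfg, re.M))    # ACE starts TLS to servers
    return {(True, True): "end-to-end", (True, False): "termination",
            (False, True): "initiation", (False, False): "passthrough"}[(front, back)]

def vip_ports(cfg):
    """Map each class-map name to the TCP port its 'match virtual-address' line selects."""
    ports, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"\s*class-map\s+match-(?:all|any)\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*\d*\s*match virtual-address\s+\S+\s+tcp\s+eq\s+(\S+)", line)
        if m and current:
            ports[current] = m.group(1)
    return ports

def check(cfg):
    """Flag VIP ports that disagree with the side on which the ACE actually speaks TLS."""
    mode, findings = ssl_mode(cfg), []
    for cm, port in vip_ports(cfg).items():
        if mode == "initiation" and port in ("https", "443"):
            findings.append(f"{cm}: VIP matches {port} but no ssl-proxy server is applied; the ACE "
                            "expects cleartext HTTP from the client, so TLS handshakes get dropped. Match http.")
        if mode in ("termination", "end-to-end") and port in ("http", "80"):
            findings.append(f"{cm}: ssl-proxy server is applied but the VIP matches {port}; "
                            "clients would send plain HTTP to a TLS listener. Match https.")
    return findings
```

Running check() on the constructed snippet reports the https/initiation mismatch; changing the VIP to "eq http" clears it, which is the fix given above.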