1197 Views, 0 Helpful, 2 Replies

ACE ssl termination issue

hedyeh razazan
Level 1

Hi,

I have two ACE 4710s configured as virtual contexts in active/active; I configured SSL termination and load balancing.

Load balancing works fine, but with SSL termination, after the main page (the web server login page) displays and I enter username and password, an error page displays. In the ACE, the "show conn" command shows the connection established.

Can anyone help me please?

I created the certificate with openssl, with these commands:

openssl genrsa -out key.pem 1024

openssl req -new -x509 -nodes -sha1 -days 365 -key key.pem -out cert.pem

my configuration:

access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

rserver host NS1
  ip address 192.168.1.11
  inservice
rserver host NS2
  ip address 192.168.1.12
  inservice

ssl-proxy service proxy-1
  key key.pem
  cert cert.pem

serverfarm host NS
  rserver NS1 80
    inservice
  rserver NS2 80
    inservice

class-map match-all NS-vip
  match virtual-address 192.168.215.138 tcp eq https

policy-map type management first-match remote-access
  class class-default
    permit

policy-map type loadbalance http first-match slb
  class class-default
    serverfarm NS

policy-map multi-match NS-vips
  class NS-vip
    loadbalance vip inservice
    loadbalance policy slb
    ssl-proxy server proxy-1

interface vlan 75
  ip address 192.168.215.132 255.255.255.224
  access-group input everyone
  service-policy input NS-vips
  no shutdown
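
A pre-import sanity check for the key/certificate pair generated above (an added example, not from the thread or from Cisco; the file names key.pem and cert.pem follow the post, and the check assumes an RSA key as the post uses): it confirms the certificate's public key belongs to the private key, and reports key size and signature digest, flagging anything below 2048 bits. A mismatched or weak pair is worth ruling out before digging into the ACE policy.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check an RSA key/cert pair
# before loading it into an ACE ssl-proxy service.
# Exit codes: 0 = certificate matches the private key, 1 = mismatch,
#             2 = file unreadable or not an RSA key/cert, 3 = openssl missing.
verify_ssl_pair() {
    key="$1"
    cert="$2"
    command -v openssl >/dev/null 2>&1 || return 3
    [ -r "$key" ] && [ -r "$cert" ] || return 2
    # Both files expose the RSA modulus; an identical modulus means the
    # certificate was issued for exactly this private key.
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)
    [ -n "$key_mod" ] && [ -n "$cert_mod" ] || return 2
    [ "$key_mod" = "$cert_mod" ] || return 1
    return 0
}

# Print key size, signature algorithm and validity window of a certificate.
# Returns 1 when the key is shorter than 2048 bits, so a certificate made
# with "openssl genrsa 1024" as in the post is flagged as below current minimums.
describe_cert() {
    cert="$1"
    text=$(openssl x509 -noout -text -in "$cert" 2>/dev/null) || return 2
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: \(.*\)/\1/p' | head -n 1)
    dates=$(openssl x509 -noout -dates -in "$cert" 2>/dev/null)
    printf 'key bits: %s\nsignature: %s\n%s\n' "$bits" "$sig" "$dates"
    [ "${bits:-0}" -ge 2048 ] || return 1
}

# Usage: ./check-pair.sh key.pem cert.pem
if [ "$#" -eq 2 ]; then
    verify_ssl_pair "$1" "$2"; rc=$?
    case "$rc" in
        0) echo "OK: $2 matches $1"; describe_cert "$2" ;;
        1) echo "MISMATCH: $2 was not issued for $1" ;;
        2) echo "ERROR: cannot read $1 / $2 as an RSA key/certificate" ;;
        3) echo "ERROR: openssl not found" ;;
    esac
    exit "$rc"
fi
```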

2 Replies

Jorge Bejarano
Level 4

Hedyeh,

Have you tried to bypass the ACE? What results do you have if you do that?

What do you see with #show service-policy class-map detail?

Please apply the following change:

parameter-map type http http-parameterTAC  ---> This parameter should be applied in the multi-match policy.
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 65535
  set content-maxparse-length 65535
  length-exceed continue

policy-map multi-match MULTI-TAC
  class VIP-TAC
    loadbalance vip inservice
    loadbalance policy VIP-TAC-L7
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 112
    appl-parameter http advanced-options http-parameterTAC ---> applied parameter
    ssl-proxy server VIP-TAC-SSL

Additionally, you might be missing the intermediate certificate; if so, you can try using a chaingroup with the intermediate certificate:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/chaingrp.html

Hope this helps!

Jorge

Cesar Roque
Level 4

Hi Hedyeh,

Do you have simultaneous captures on both sides showing this issue?

Have you tried with stickiness configured?

---------------------
Cesar R
ANS Team
