11-04-2010 12:09 PM
I am working with an ACE 4710 in the one-arm configuration. I am trying to enable SSL and, well, to be honest... I am just not getting it.
Below is the config...
crypto chaingroup prd_SSLChainGroup
  cert sub_root_2.crt
  cert root.crt
crypto csr-params prdSSL
  country US
  state ST
  locality SMALL TOWN
  organization-name SOME ORG
  common-name www.name.int
access-list allow line 8 extended permit ip any any
probe icmp PROBE_SERVICE_ICMP
  interval 60
  passdetect interval 5
  receive 5
parameter-map type ssl prd_SSL_Parmeter_Map
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_EXPORT1024_WITH_RC4_56_MD5
  cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
  cipher RSA_EXPORT1024_WITH_RC4_56_SHA
rserver host 21-XYZ8-PA-prd-S02
  ip address a.b.c.21
rserver host 25-XYZ8host1
  ip address a.b.c.25
rserver host 26-XYZ8host2
  ip address a.b.c.26
rserver host 27-XYZ8host3
  ip address a.b.c.27
rserver host 29-XYZ10host1
  ip address a.b.c.29
rserver host 30-XYZ10host2
  ip address a.b.c.30
rserver host 31-XYZ10host3
  ip address a.b.c.31
rserver host 32-XYZ8-PA-prd-S03
  ip address a.b.c.32
rserver host 33-XYZ8-PA-prd-S04
  ip address a.b.c.33
  inservice
rserver host PA-prd-VS05
serverfarm host XYZ10-7001
  probe PROBE_SERVICE_ICMP
  rserver 21-XYZ8-PA-prd-S02 7001
  rserver 25-XYZ8host1 7001
  rserver 26-XYZ8host2 7001
  rserver 27-XYZ8host3 7001
  rserver 29-XYZ10host1 7001
  rserver 30-XYZ10host2 7001
  rserver 31-XYZ10host3 7001
  rserver 32-XYZ8-PA-prd-S03 7001
  rserver 33-XYZ8-PA-prd-S04 7001
    inservice
ssl-proxy service prd_SSLProxy
  key KEYPAIR.PEM
  cert mycert.pem
  ssl advanced-options prd_SSL_Parmeter_Map
sticky http-cookie ACE_COOKIE-7001 7001_STICKY
  cookie insert browser-expire
  replicate sticky
  serverfarm XYZ10-7001
class-map match-any XYZ10-HTTP-80-CLASS
  2 match virtual-address a.b.c.10 tcp eq www
class-map match-any XYZ10-HTTPS-CLASS
  2 match virtual-address a.b.c.10 tcp eq https
policy-map type loadbalance first-match HTTP
  class class-default
    serverfarm XYZ10-7001
policy-map type loadbalance first-match HTTPS
  class class-default
    serverfarm XYZ10-7001
policy-map multi-match XYZ10-SLB
  class XYZ10-HTTPS-CLASS
    loadbalance vip inservice
    loadbalance policy HTTPS
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 1000
    ssl-proxy server prd_SSLProxy
  class XYZ10-HTTP-80-CLASS
    loadbalance vip inservice
    loadbalance policy HTTP
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 1000
interface vlan 1000
  ip address a.b.c.11 255.255.255.0
  access-group input allow
  nat-pool 1 a.b.c.200 a.b.c.203 netmask 255.255.255.0 pat
  service-policy input XYZ10-SLB
  no shutdown
ip route 0.0.0.0 0.0.0.0 a.b.c.1
I did see these errors in the debug SSL output...
2010 Nov 4 04:45:01.732206 ssl mgr: (ctx:1)ssl_pki_verify: key in KEYPAIR.PEM does not match cert in root_2.crt
2010 Nov 4 04:45:01.812870 ssl mgr: (ctx:1)ssl_pki_verify: key in KEYPAIR.PEM does not match cert in sub_root_2.crt
but as they are the ROOT and SUB Root... I was not too concerned about it.
Any thoughts?
11-04-2010 02:23 PM
Once you have imported the cert and generated a key, check your certs and keys using the command crypto verify, and replace
the crypto files if the command fails.
I couldn't find something specific to the chaingroup in this link, but you might find it useful:
Your config looks fine to me.
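As an added example (not part of the original thread or of any Cisco tooling), the script below is a workstation-side equivalent of the ACE crypto verify check, done with openssl before the files are imported. It confirms that the private key matches the server certificate, shows that the same key is expected to mismatch a CA certificate (which is exactly what the two ssl_pki_verify debug lines in the question report for root_2.crt and sub_root_2.crt, so those lines are not the problem), and verifies that the server certificate chains to the root. All key and certificate material is generated on the fly; the file names KEYPAIR.PEM, mycert.pem and root.crt are reused from the post only as labels, and the Example Root CA subject is made up.

```shell
#!/bin/sh
# Added example (not from the original thread): a workstation-side
# equivalent of the ACE "crypto verify" check, done with openssl before
# the key, server cert and chaingroup certs are imported to the ACE.
# All certificate material below is constructed on the fly; the names
# KEYPAIR.PEM / mycert.pem / root.crt reuse the post's labels only.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed root CA, a server key, and a
# server certificate for www.name.int issued by that root.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -out "$WORK/root.crt" -subj "/CN=Example Root CA" -days 1 >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/KEYPAIR.PEM" \
  -out "$WORK/server.csr" -subj "/CN=www.name.int" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/mycert.pem" -days 1 \
  >/dev/null 2>&1

# key_matches_cert KEY CERT
# Succeeds only if the public key embedded in CERT is the one derived
# from KEY. A failure here for the *server* cert is the condition behind
# the ACE's "key in ... does not match cert in ..." message; the same
# message against a CA cert is expected and harmless.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# chain_ok ROOT SERVERCERT
# Succeeds if SERVERCERT validates up to ROOT, i.e. the certs that would
# go into the chaingroup actually belong to this server cert.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# ssl_proxy_ok KEY SERVERCERT ROOT
# The combination an ssl-proxy service needs: the key matches the server
# cert, and the server cert chains to the CA cert(s) in the chaingroup.
ssl_proxy_ok() {
  key_matches_cert "$1" "$2" && chain_ok "$3" "$2"
}

# Stand-alone run: one line per check.
if ssl_proxy_ok "$WORK/KEYPAIR.PEM" "$WORK/mycert.pem" "$WORK/root.crt"; then
  echo "KEYPAIR.PEM matches mycert.pem and mycert.pem chains to root.crt"
fi
# A server key never matches a CA certificate, so this mismatch, like the
# ones in the ssl_pki_verify debug output, is not a fault:
if ! key_matches_cert "$WORK/KEYPAIR.PEM" "$WORK/root.crt"; then
  echo "KEYPAIR.PEM does not match root.crt (expected)"
fi
```

The check worth keeping from this is the pairing: compare the key only against the certificate named under `cert` in the ssl-proxy service, and compare the chaingroup certificates against that server certificate with `openssl verify`, not against the key.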
11-04-2010 03:59 PM
Hi Cody,
Did you already assign the resources for the Context in question?
Is HTTP working fine?
__ __
Pablo
11-04-2010 03:18 PM
The cert looks good.
The issue seems to be that the SSL proxy service is not working on the ACE.
11-04-2010 04:32 PM
HTTP works fine... now I am not sure about assigning the resources to the Context... can you explain more, please?
11-04-2010 05:15 PM
Cody,
When dealing with virtualization, ACE hardware resources are allocated to individual contexts under the control of
resource-level controls configured in the Admin context.
resource-class LB
  limit-resource all minimum 10.00 maximum unlimited
context Production
  member LB
You can dig further on resource usage and configuration here: http://xrl.us/bh6v6g
Let us know if this does the trick.
HTH
__ __
Pablo
11-04-2010 05:27 PM
We did this... and upgraded to A4.1... and it is almost working...
11-05-2010 04:02 AM
When we did the upgrade to 4.1, all the mapping of the SSL proxy was removed... once those settings were replaced, we were good...
Finally... Yeah... thank you all for your help.