cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1994
Views
0
Helpful
5
Replies

ACE10 SSL cache timeout

benediktsv
Level 1
Level 1

Hi all

I'm running a ACE10 blade doing SSL offloading.

sample config from our setup:

ssl-proxy service SSL-NGINX01-WILD

  key wildcard.xxx.com.pem

  cert wildcard.xxx.com.pem

  chaingroup xxxx.COM

policy-map multi-match XXX

class VIP-NGINX-XXX

  ssl-proxy server SSL-NGINX01-WILD

So, as I understand it, the LB is working as a reverse proxy, stripping the SSL header and we then have a serverfarm using unencrypted on port 80.

Okay..this is all working.

We now have a question from our developers about the SSL Cache timeout

I have been reading:

"

For example, to set the session cache timeout to 600 seconds, enter:

host1/Admin(config-parammap-ssl)# session-cache timeout 600


To disable the timer and allow the SSL full handshake to occur for each new connection with the ACE, enter:

host1/Admin(config-parammap-ssl)# no session-cache timeout

"

Is there any way of seeing the default timeout ? (no show crypto command show me anything)

and furthermore:

ACE_1/xxx(config)# parameter-map type ssl TEST_SSL

ACE_1/xxx(config-parammap-ssl)# ?

Configure ssl parameters:

  cipher          Configure ssl cipher

  close-protocol  Configure close-protocol behavior

  do              EXEC command

  end             Exit from configure mode

  exit            Exit from this submode

  no              Negate a command or set its defaults

  version         Configure ssl version

hmm.. not very many options, we are actually running a bit old version on the ACE10 - is this a version issue ? running 3.0(0)A1(6.3c)

help !

- Benedikt

5 Replies 5

kitanaka
Level 1
Level 1

Hello Benedikt,

The configuration guide says "By default, SSL session ID reuse is disabled on the ACE. ".

There is no default time-out but it is disabled by default.

By the way, if you set "0" for the time-out, ssl session won't be purged until its cache gets full.

Upon that, the least-recent entry will be removed, which is done system wide not context local.

Hope this helps you.

Regards,

Kim.

So - if I understand this correctly..

In my version - where I actually cant configure this - there is no SSL cache / reuse in place ?

So the SSL client has to perform a full exchange every time ??

we are just starting to use the SSL offloading on this platform...

and btw.. is there any good command that I can use to see the max SSL TPS the LB has seen ?

- Benedikt

Hello Benedikt,

No matter which version you may be using you need to configure "session-cache timeout " explicitly so that the ACE stores SSL sessions in the cache memory.

1) Upon the configured time expired, the session information gets removed frm the cache

or

2) it will be removed upon the cache memory is full and it is the least-recent session information in the cache.

If you configure "session-cache timeout 0", the removal of 1)  will not happen.

If you do not configure the command, SSL session reuse feature is disabled, which means full SSL exchange

is performed everytime.

About the maximum SSL TPS the LB has seen, you can use following command. Check the value of "Peak" of "ssl-connection rate".

switch/Admin# show resource usage summary

                                                     Allocation

        Resource         Current       Peak        Min        Max       Denied

-------------------------------------------------------------------------------

Context: Summary

  conc-connections             73         73        100    7999900          0

  mgmt-connections              0          0        100      99900          0

  proxy-connections             0          0          0    1048572          0

  xlates                        0          0          0    1048572          0

  bandwidth                     0          0    2500000  622500000          0

    throughput                  0          0    1250000  498750000          0

    mgmt-traffic rate           0          0    1250000  123750000          0

  connection rate               0          0        100     599900          0

  ssl-connections rate          0          0          0       1000          0 <====

* The output above is ACE30 but ACE10 should have the same.

Regards,

Kim

Thank you Kim for your help

I missed the show resource command! although I have been running the ACE for some time.

but:

ACE_1/xxx(config)# parameter-map type ssl TEST_SSL

ACE_1/xxx(config-parammap-ssl)# ?

Configure ssl parameters:

  cipher          Configure ssl cipher

  close-protocol  Configure close-protocol behavior

  do              EXEC command

  end             Exit from configure mode

  exit            Exit from this submode

  no              Negate a command or set its defaults

  version         Configure ssl version

ACE_1/xxx(config-parammap-ssl)# session-cache timeout 2

                                 ^

% invalid command detected at '^' marker.

As seen here, there is no option on the SSL parameter map to put in the session timeout. (wrong place?)

but we are running 3.0.0 actually. I'm now looking at what version to upgrade to - the LB is running a very mission critical application, and has been very stable - so we have been lazy upgrading the image. I have asked our "gold" partner to help us chose a good image for the ACE10 - I'm actually in Iceland and our partner has little experience in the ACE platform  - so I hope they are asking someone that knows this - we just want to be quite sure we wont go into some unstable image.

Any thoughts on what software is super stable on the ACE10 ?

- Benedikt

Hello Benedikt,

The command was introduced in A2(1.0) with ACE module. Sorry for missing this, I should have checked it earlier.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/parammap.html#wp1185539

A general idea is that the newer build is more stable, having more bug fixes and enhancements.

I suggest you to consider choosing the latest build for ACE10 on the CCO, which is A2(3.5), unless you have a specific preference to some other version.

There is a plan of A2(3.6), which would be the last build for ACE10,  in some point of this year.

You can upgrade to A2(3.5) for now and once A2(3.6) is published, consider to use A2(3.6).

Please check "Software Version A2(3.5) Open Caveats" in the release note to see

those open issues are acceptable with your environment.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_x/Release/Note/RACEA2_3_X.html#wp747942

Thanks and regards,

Kim.

Review Cisco Networking for a $25 gift card