ACE10 SSL cache timeout

benediktsv
Level 1

Hi all

I'm running an ACE10 blade doing SSL offloading.

Sample config from our setup:

ssl-proxy service SSL-NGINX01-WILD
  key wildcard.xxx.com.pem
  cert wildcard.xxx.com.pem
  chaingroup xxxx.COM

policy-map multi-match XXX
  class VIP-NGINX-XXX
    ssl-proxy server SSL-NGINX01-WILD

So, as I understand it, the LB is working as a reverse proxy, stripping the SSL header, and we then have a serverfarm using unencrypted traffic on port 80.

Okay.. this is all working.

We now have a question from our developers about the SSL cache timeout.

I have been reading:

"For example, to set the session cache timeout to 600 seconds, enter:

host1/Admin(config-parammap-ssl)# session-cache timeout 600

To disable the timer and allow the SSL full handshake to occur for each new connection with the ACE, enter:

host1/Admin(config-parammap-ssl)# no session-cache timeout"

Is there any way of seeing the default timeout? (No show crypto command shows me anything.)

And furthermore:

ACE_1/xxx(config)# parameter-map type ssl TEST_SSL
ACE_1/xxx(config-parammap-ssl)# ?
Configure ssl parameters:
  cipher          Configure ssl cipher
  close-protocol  Configure close-protocol behavior
  do              EXEC command
  end             Exit from configure mode
  exit            Exit from this submode
  no              Negate a command or set its defaults
  version         Configure ssl version

Hmm.. not very many options. We are actually running a bit of an old version on the ACE10 - is this a version issue? Running 3.0(0)A1(6.3c).

Help!

- Benedikt


kitanaka
Level 1

Hello Benedikt,

The configuration guide says "By default, SSL session ID reuse is disabled on the ACE."

There is no default time-out; it is disabled by default.

By the way, if you set "0" for the time-out, the SSL session won't be purged until its cache gets full.

When that happens, the least-recent entry will be removed, which is done system-wide, not per context.

Hope this helps you.

Regards,

Kim.

So - if I understand this correctly..

In my version - where I actually can't configure this - there is no SSL cache / reuse in place?

So the SSL client has to perform a full exchange every time?

We are just starting to use the SSL offloading on this platform...

And btw.. is there any good command I can use to see the max SSL TPS the LB has seen?

- Benedikt

Hello Benedikt,

No matter which version you may be using, you need to configure "session-cache timeout" explicitly so that the ACE stores SSL sessions in the cache memory.

1) When the configured time expires, the session information gets removed from the cache

or

2) it will be removed when the cache memory is full and it is the least-recent session information in the cache.

If you configure "session-cache timeout 0", the removal of 1) will not happen.

If you do not configure the command, the SSL session reuse feature is disabled, which means a full SSL exchange is performed every time.

About the maximum SSL TPS the LB has seen, you can use the following command. Check the value of "Peak" for "ssl-connections rate".

switch/Admin# show resource usage summary
                                                     Allocation
        Resource         Current       Peak        Min        Max       Denied
-------------------------------------------------------------------------------
Context: Summary
  conc-connections             73         73        100    7999900          0
  mgmt-connections              0          0        100      99900          0
  proxy-connections             0          0          0    1048572          0
  xlates                        0          0          0    1048572          0
  bandwidth                     0          0    2500000  622500000          0
    throughput                  0          0    1250000  498750000          0
    mgmt-traffic rate           0          0    1250000  123750000          0
  connection rate               0          0        100     599900          0
  ssl-connections rate          0          0          0       1000          0 <====

* The output above is from an ACE30, but the ACE10 should have the same.

Regards,

Kim
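A small parser for the `show resource usage summary` output quoted above, added here as an example and not part of the thread or of any Cisco tool; it assumes the column layout shown in Kim's reply and uses a constructed sample in which the SSL rate limit has actually been approached, so the Peak and Denied columns are worth reading.

```python
# Constructed sample modelled on the `show resource usage summary` output
# quoted in the thread (ACE30 layout; ACE10 is said to match). Values are
# made up: Peak and Denied have been raised to show a box nearing its SSL limit.
SAMPLE_OUTPUT = """\
switch/Admin# show resource usage summary
                                                     Allocation
        Resource         Current       Peak        Min        Max       Denied
-------------------------------------------------------------------------------
Context: Summary
  conc-connections             73         73        100    7999900          0
  mgmt-connections              0          0        100      99900          0
  proxy-connections             0          0          0    1048572          0
  xlates                        0          0          0    1048572          0
  bandwidth                     0          0    2500000  622500000          0
    throughput                  0          0    1250000  498750000          0
    mgmt-traffic rate           0          0    1250000  123750000          0
  connection rate               0          0        100     599900          0
  ssl-connections rate        412        958          0       1000          3
"""

COLUMNS = ("current", "peak", "min", "max", "denied")


def parse_resource_usage(text):
    """Return {resource_name: {current, peak, min, max, denied}} per data row.

    Resource names can contain spaces ("ssl-connections rate"), so each row is
    split from the right: the last five fields are the numeric columns and
    everything before them is the name. Header, separator, prompt and
    "Context:" lines do not end in five integers and are skipped.
    """
    rows = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not all(f.isdigit() for f in fields[-5:]):
            continue
        name = " ".join(fields[:-5])
        rows[name] = dict(zip(COLUMNS, (int(f) for f in fields[-5:])))
    return rows


def ssl_tps_headroom(text):
    """Peak SSL connection rate seen versus the allocated Max, plus denials.

    A Peak close to Max, or a non-zero Denied count, means the SSL rate limit
    has been reached and new SSL connections have been refused by the ACE.
    """
    row = parse_resource_usage(text)["ssl-connections rate"]
    pct = round(100.0 * row["peak"] / row["max"], 1) if row["max"] else None
    return {"peak_tps": row["peak"], "max_tps": row["max"],
            "utilisation_pct": pct, "denied": row["denied"]}


if __name__ == "__main__":
    print(ssl_tps_headroom(SAMPLE_OUTPUT))
```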

Thank you, Kim, for your help.

I missed the show resource command, although I have been running the ACE for some time!

But:

ACE_1/xxx(config)# parameter-map type ssl TEST_SSL
ACE_1/xxx(config-parammap-ssl)# ?
Configure ssl parameters:
  cipher          Configure ssl cipher
  close-protocol  Configure close-protocol behavior
  do              EXEC command
  end             Exit from configure mode
  exit            Exit from this submode
  no              Negate a command or set its defaults
  version         Configure ssl version

ACE_1/xxx(config-parammap-ssl)# session-cache timeout 2
                                 ^
% invalid command detected at '^' marker.

As seen here, there is no option on the SSL parameter map to put in the session timeout. (Wrong place?)

But we are running 3.0.0 actually. I'm now looking at what version to upgrade to - the LB is running a very mission-critical application and has been very stable, so we have been lazy about upgrading the image. I have asked our "gold" partner to help us choose a good image for the ACE10 - I'm actually in Iceland and our partner has little experience with the ACE platform, so I hope they are asking someone who knows this - we just want to be quite sure we won't go into some unstable image.

Any thoughts on what software is super stable on the ACE10?

- Benedikt

Hello Benedikt,

The command was introduced in A2(1.0) with ACE module. Sorry for missing this, I should have checked it earlier.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/parammap.html#wp1185539

A general idea is that the newer build is more stable, having more bug fixes and enhancements.

I suggest you consider choosing the latest build for ACE10 on the CCO, which is A2(3.5), unless you have a specific preference for some other version.

There is a plan for A2(3.6), which would be the last build for ACE10, at some point this year.

You can upgrade to A2(3.5) for now and, once A2(3.6) is published, consider using A2(3.6).

Please check "Software Version A2(3.5) Open Caveats" in the release note to see whether those open issues are acceptable in your environment.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_x/Release/Note/RACEA2_3_X.html#wp747942

Thanks and regards,

Kim.