11-10-2011 10:13 PM
Hi
I have to load balance traffic between 2 servers sitting behind the LB. The webservices are on HTTPS/8443.
I followed the end to end configuration guide for SSL. No success.
Here is my configuration -
rserver host nms1
  ip address 10.29.36.31
  conn-limit max 4000000 min 4000000
  probe nms-tcp-8443
  inservice
serverfarm host nms-farm
  probe nms-http-probe
  rserver nms1 8443
    conn-limit max 4000000 min 4000000
    inservice
class-map type http loadbalance match-any SSL
  2 match http url .*
class-map match-any SSL_C1
  2 match virtual-address 10.29.36.42 tcp eq 8443
  3 match virtual-address 10.29.36.42 tcp any
policy-map type loadbalance first-match SSL_BACK
  class SSL
    serverfarm nms-farm
  class class-default
    serverfarm nms-farm
    ssl-proxy client SSL_CLIENT
policy-map multi-match L7_1
  class SSL_C1
    loadbalance vip inservice
    loadbalance policy SSL_BACK
    loadbalance vip icmp-reply
    ssl-proxy server SSL_SERVER
seadmz-ace-c11/Admin# show service-policy
Policy-map : L7_1
Status     : ACTIVE
-----------------------------------------
Interface: vlan 1 1000
  service-policy: L7_1
    class: SSL_C1
      ssl-proxy server: SSL_SERVER
      loadbalance:
        L7 loadbalance policy: SSL_BACK
        Regex dnld status : SUCCESSFUL
        VIP ICMP Reply : ENABLED
        VIP State: INSERVICE
        VIP DWS state: DWS_DISABLED
        Persistence Rebalance: ENABLED
        curr conns : 0 , hit count : 87
        dropped conns : 83
        client pkt count : 507 , client byte count: 56753
        server pkt count : 0 , server byte count: 0
        conn-rate-limit : 0 , drop-count : 0
        bandwidth-rate-limit : 0 , drop-count : 0
      compression:
        bytes_in : 0 bytes_out : 0
        Compression ratio : 0.00%
        Gzip: 0 Deflate: 0
      compression errors:
        User-Agent : 0 Accept-Encoding : 0
        Content size: 0 Content type : 0
        Not HTTP 1.1: 0 HTTP response error: 0
        Others : 0
So essentially, I am doing the following: VIP is 10.29.36.42 and rserver is 10.29.36.31.
Need help with debugging this issue!
thanks
Nikhil
11-11-2011 03:31 AM
Hi Nikhil,
The problem with your config is here:
class-map type http loadbalance match-any SSL
  2 match http url .*
class-map match-any SSL_C1
  2 match virtual-address 10.29.36.42 tcp eq 8443
  3 match virtual-address 10.29.36.42 tcp any
policy-map type loadbalance first-match SSL_BACK
  class SSL
    serverfarm nms-farm
  class class-default
    serverfarm nms-farm
    ssl-proxy client SSL_CLIENT
Basically, you are matching all connections with the SSL class, and this one is not configured for SSL initiation. It should work if you remove this class and leave only the class-default entry.
Anyway, according to your configuration, you are not doing any L7 processing of the traffic. Unless you are planning to do L7, just forget about the end-to-end SSL and just do L4 load-balancing of the traffic.
I hope this helps
Daniel
Message was edited by: Daniel Arrondo Ostiz
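As an added illustration of the mismatch Daniel points out (example code, not from the thread or from Cisco): a small Python lint over the posted policy-maps that flags any class of a loadbalance policy, reached from an SSL-terminating class, that forwards to a serverfarm without an ssl-proxy client. The policy-map text is constructed from the post above; the parser only understands the few statement types used here.

```python
import re
# Constructed sample: the two policy-maps from the original post, with indentation restored.
ACE_CONFIG = """\
policy-map type loadbalance first-match SSL_BACK
  class SSL
    serverfarm nms-farm
  class class-default
    serverfarm nms-farm
    ssl-proxy client SSL_CLIENT
policy-map multi-match L7_1
  class SSL_C1
    loadbalance vip inservice
    loadbalance policy SSL_BACK
    loadbalance vip icmp-reply
    ssl-proxy server SSL_SERVER
"""

def parse_policy_maps(config):
    """Return {policy_name: {class_name: [statements]}} for every policy-map in the config."""
    policies, cur, cls = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"policy-map (?:type \S+ \S+|multi-match) (\S+)$", line)
        if m:                                    # new policy-map block
            cur, cls = m.group(1), None
            policies[cur] = {}
        elif cur and line.startswith("class "):  # class inside the current policy-map
            cls = line.split(None, 1)[1]
            policies[cur][cls] = []
        elif cur and cls is not None:            # statement inside the current class
            policies[cur][cls].append(line)
    return policies

def cleartext_backend_classes(config):
    """Map each SSL-terminating class ("ssl-proxy server") to the classes of the loadbalance policy
    it hands off to that reach a serverfarm with no "ssl-proxy client" (re-originated in cleartext)."""
    has = lambda stmts, prefix: any(s.startswith(prefix) for s in stmts)
    policies, gaps = parse_policy_maps(config), {}
    for pname, classes in policies.items():
        for cname, stmts in classes.items():
            if not has(stmts, "ssl-proxy server "):
                continue
            for s in stmts:
                if s.startswith("loadbalance policy "):
                    lb = policies.get(s.split()[2], {})
                    bad = [c for c, st in lb.items()
                           if has(st, "serverfarm ") and not has(st, "ssl-proxy client ")]
                    if bad:
                        gaps[f"{pname}/{cname}"] = bad
    return gaps
```

Running it on the posted config reports the SSL class under SSL_BACK; with that class removed, as Daniel suggests, nothing is flagged.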
11-11-2011 03:47 PM
Thanks for this Daniel. I am first trying to get a barebones end to end SSL working. Will then try to apply L7 policies.
I could get the regular L3/4 LB working.
BUT, the end to end SSL is not working even after fixing what you suggested. I was wondering if you could let me know how to debug SSL on the ACE!
thanks
nikhil
11-13-2011 11:50 PM
Hi Nikhil,
First of all, start with the divide and conquer approach to check which of the parts of the configuration is failing. Try the following scenarios:
Once you know which part of the config is failing, you can troubleshoot that one in more detail.
Most likely you are facing an issue with the certificates, so, I would suggest the commands below:
Just as a reminder, for the termination part, the certificate to be imported needs to be the one from the server, while for the initiation part it will be the one of the CA.
Regards
Daniel