05-29-2011 11:31 PM
Hi,
I have a problem setting up the SSL termination on Cisco 4710 ACE. Setup is in One-arm mode.
On ACE I need to do SSL client authentication.
We have 2 types of devices connecting to ACE.
With the first one everything is working fine. But with the second one I can't make client authentication work.
When I issue "show stats crypto server", I see following counters increasing:
SSL alert BAD_CERTIFICATE sent:
I would appreciate some explanation about this issue.
Best regards,
Vladimir
05-30-2011 06:29 AM
Hi Vladimir,
This counter indicates that connections are being dropped because the client certificate is not valid (or at least the ACE is not able to validate it).
I would start by finding the differences between the working and failing clients. At first sight, I wouldn't be surprised if they are using a different CA or certificate types. Once you know better what is different, we can troubleshoot further.
Regards
Daniel
05-30-2011 06:38 AM
Hello Vladimir,
it looks like the ACE is refusing the certificate sent by the client for authentication, I would check:
SSL alert BAD_CERTIFICATE sent
%ACE-6-253003: Certificate /CN=user1 is signed by an unknown C
Hope it helps,
Francesco
06-02-2011 12:26 AM
Hi All,
I am trying to find differences between certificates.
* are the 2 devices connecting to the same VIP/authgroup?
No. Different VIP/authgroup.
I will let You know of any findings.
Regards,
Vladimir
06-09-2011 05:33 AM
Hi,
We managed to correct issues with certificates. There was a problem with time synchronization.
Now SSL termination works as expected.
After fixing SSL problems, we found another problem.
After client (device) hits VIP and SSL terminates on ACE, client (end device) is expecting to receive a packet from Real server before sending anything to Real.
When ACE is doing SSL termination, there is no TCP conn to REAL SERVER until the APP Data is seen from client.
Is there any way to force ACE to open tcp connection to REAL without receiving APP data after SSL termination?
Regards,
Vladimir
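The two failure causes that came up in this thread (a client certificate from a CA the terminator does not trust, as in Francesco's %ACE-6-253003 line, and a correct certificate rejected because the terminator's clock sits outside its validity window, which is what the time-synchronization fix addressed) can be reproduced offline with standard X.509 chain validation. The following Go program is an added illustration, not configuration or code from the ACE or from anyone in this thread; it mints a throw-away CA, a second "foreign" CA and a client certificate from each (all constructed, with fixed dates so the result is deterministic), then evaluates the trusted client certificate against a synchronized clock, a clock that is months behind, and a clock that is a year ahead. The verdict labels are the program's own naming, chosen to match the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed validity windows (not real data): the CAs outlive the client
// certificates, so only the client certificate's window can be violated.
var (
	caFrom     = time.Date(2011, 1, 1, 0, 0, 0, 0, time.UTC)
	caTo       = time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
	clientFrom = time.Date(2011, 6, 1, 0, 0, 0, 0, time.UTC)
	clientTo   = time.Date(2012, 6, 1, 0, 0, 0, 0, time.UTC)
)

// mintCert creates a P-256 certificate. With parent == nil it is self-signed
// (a CA); otherwise it is a client-auth leaf issued by parent/parentKey.
// Generation failures in this demo are fatal rather than returned.
func mintCert(cn string, serial int64, from, to time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             from,
		NotAfter:              to,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ClassifyClientCert performs the check an SSL terminator makes on a client
// certificate at handshake time, with serverClock standing in for "now".
func ClassifyClientCert(client *x509.Certificate, trusted *x509.CertPool, serverClock time.Time) string {
	_, err := client.Verify(x509.VerifyOptions{
		Roots:       trusted,
		CurrentTime: serverClock,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err == nil {
		return "ok"
	}
	var unknownCA x509.UnknownAuthorityError
	if errors.As(err, &unknownCA) {
		return "unknown_ca" // the "signed by an unknown CA" case
	}
	var invalid x509.CertificateInvalidError
	// Go reports both "not yet valid" and "expired" under the Expired reason,
	// so a clock that is behind and one that is ahead land in the same bucket.
	if errors.As(err, &invalid) && invalid.Reason == x509.Expired {
		return "outside_validity_period"
	}
	return "other: " + err.Error()
}

// RunScenario trusts one CA only and evaluates both client certificates
// under a synchronized clock, a clock 5 months behind and one 13 months ahead.
func RunScenario() map[string]string {
	trustedCA, trustedKey := mintCert("Trusted Device CA", 1, caFrom, caTo, nil, nil)
	foreignCA, foreignKey := mintCert("Other CA", 2, caFrom, caTo, nil, nil)
	goodClient, _ := mintCert("user1", 3, clientFrom, clientTo, trustedCA, trustedKey)
	foreignClient, _ := mintCert("user2", 4, clientFrom, clientTo, foreignCA, foreignKey)

	pool := x509.NewCertPool()
	pool.AddCert(trustedCA) // the terminator's authgroup holds only this CA

	synced := time.Date(2011, 6, 9, 12, 0, 0, 0, time.UTC)
	return map[string]string{
		"good_cert_synced_clock":  ClassifyClientCert(goodClient, pool, synced),
		"good_cert_clock_behind":  ClassifyClientCert(goodClient, pool, synced.AddDate(0, -5, 0)),
		"good_cert_clock_ahead":   ClassifyClientCert(goodClient, pool, synced.AddDate(1, 1, 0)),
		"foreign_ca_synced_clock": ClassifyClientCert(foreignClient, pool, synced),
	}
}

func main() {
	for name, verdict := range RunScenario() {
		fmt.Printf("%-24s -> %s\n", name, verdict)
	}
}
```

The point for a defender is that the same client certificate yields "ok" or a rejection depending only on the terminator's clock, so a counter like "SSL alert BAD_CERTIFICATE sent" climbing for one device population is worth checking against NTP state on the terminator and against the NotBefore/NotAfter of that population's certificates before assuming the certificates themselves are wrong.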
06-09-2011 06:57 AM
Hi Vladimir,
The moment SSL termination is done, the ACE will treat the connection as a L7 one, and therefore, it will wait to get the HTTP request before it tries to contact the server.
Normally, this should not cause any issues to the application, so, could you please let me know why this behavior is not desirable?
Daniel
06-09-2011 07:16 AM
Hi Daniel,
This is normal and expected behavior for L7 on ACE.
Application on end device is configured to send packets only after the first packet is received from Real.
We are trying to migrate existing SSL termination from STunnel to ACE. Stunnel is not an LB and it opens TCP connection to real after SSL termination. In this case Real can send required packet to end device and everything works fine.
Our end devices are configured this way and it will take a lot of time to reconfigure them to work with ACE.
I am just searching for an answer as to whether this behavior is achievable with ACE.
Vladimir
06-09-2011 07:22 AM
I'm afraid this behavior is not configurable. With L7 connections, the ACE will always wait for the client request before opening the connection to the server.
Daniel
06-09-2011 07:31 AM
Thank You Daniel.
Best regards,
Vladimir