Cisco ACE SSL termination problem

Hi,

I have problem setting up the SSL termination on Cisco 4710 ACE. Setup is in One-arm mode.

On ACE I need to do SSL client authentication.

We have 2 types of devices connecting to ACE.

With first one everything is working fine. But with second one i cant make client authentication to work.

When I issue "show stats crypto server", I see following counters increasing:

SSL alert BAD_CERTIFICATE sent:

I will appreciate some explanation about this issue.

Best regards,

Vladimir

8 Replies

Daniel Arrondo Ostiz
Cisco Employee

Hi Vladimir,

This counter indicates that connections are being dropped because the client certificate is not valid (or at least the ACE is not able to validate it).

I would start by finding the differences between the working and failing clients. At first sight, I wouldn't be surprised if they are using different CAs or certificate types. Once you know better what is different, we can troubleshoot further.

Regards

Daniel

Francesco Casotto
Cisco Employee

Hello Vladimir,

it looks like the ACE is refusing the certificate sent by the client for authentication, I would check:

  • are the 2 devices connecting to the same VIP/authgroup?
  • I would take a capture to check if the client is actually sending the certificate and which; in the trace I would capture also a successful session from the other device for comparison.
  • I would check which other counters are increasing together with "SSL alert BAD_CERTIFICATE sent"
  • I would raise the logging level and check for messages like:

%ACE-6-253003: Certificate /CN=user1 is signed by an unknown C

Hope it helps,
Francesco



Hi All,

I am trying to find differences between certificates.

* are the 2 devices connecting to the same VIP/authgroup?

No. Different VIP/authgroup.

I will let you know of any findings.

Regards,

Vladimir

Hi,

We managed to correct issues with certificates. There was a problem with time synchronization.

Now SSL termination works as expected.

After fixing SSL problems, we found another problem.

After client (device) hits VIP and SSL terminates on ACE, client (end device) is expecting to receive a packet from Real server before sending anything to Real.

When ACE is doing SSL termination, there is no TCP conn to REAL SERVER until the APP Data is seen from client.

Is there any way to force ACE to open tcp connection to REAL without receiving APP data after SSL termination?

Regards,

Vladimir

Hi Vladimir,

The moment SSL termination is done, the ACE will treat the connection as a L7 one, and therefore, it will wait to get the HTTP request before it tries to contact the server.

Normally, this should not cause any issues to the application, so, could you please let me know why this behavior is not desirable?

Daniel

Hi Daniel,

This is normal and expected behavior for L7 on ACE.

Application on end device is configured to send packets only after first packet is received from Real.

We are trying to migrate existing SSL termination from STunnel to ACE. Stunnel is not an LB and it opens TCP connection to real after SSL termination. In this case Real can send required packet to end device and everything works fine.

Our end devices are configured this way and it will take a lot of time to reconfigure them to work with ACE.

I am just searching for an answer whether this behavior is achievable with ACE.

Vladimir

I'm afraid this behavior is not configurable. With L7 connections, the ACE will always wait for the client request before opening the connection to the server.

Daniel
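The behaviour Daniel describes, and why it breaks a server-speaks-first device, can be reproduced without an ACE at all. The following is an added illustration, not code from the thread or from Cisco: a plain-TCP stand-in for the load balancer after SSL termination, run in two modes. In "l4" mode it opens the backend connection as soon as the client connects (what Stunnel does); in "l7" mode it waits for the first client bytes before contacting the backend (the ACE L7 behaviour). The "real" server is a constructed backend that sends a banner immediately, and the client is a constructed device that never sends first. Loopback ports, the banner text and the timeouts are all assumptions made for the demonstration.

```python
import socket
import threading

# Constructed sample: the first packet the "real" server sends on connect.
BANNER = b"READY\n"


def _listen():
    """Bind a loopback listener on an ephemeral port (assumption: 127.0.0.1 is free)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    return sock


def _serve(sock, handler):
    """Accept connections on a daemon thread and hand each one to `handler`."""
    def loop():
        while True:
            try:
                conn, _ = sock.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def start_real_server():
    """Backend that speaks first: sends BANNER as soon as the TCP connection is up."""
    sock = _listen()

    def handle(conn):
        with conn:
            conn.sendall(BANNER)

    _serve(sock, handle)
    return sock.getsockname()[1]


def start_proxy(real_port, mode, l7_wait=2.0):
    """Stand-in for the load balancer after SSL termination.

    mode="l4": connect to the real server immediately on accept (Stunnel-like).
    mode="l7": connect only after the first client bytes arrive (ACE L7 behaviour).
    """
    sock = _listen()

    def handle(client):
        with client:
            first = b""
            if mode == "l7":
                client.settimeout(l7_wait)
                try:
                    first = client.recv(4096)
                except socket.timeout:
                    return  # no client request seen: the real server is never contacted
                if not first:
                    return  # client gave up and closed
            with socket.create_connection(("127.0.0.1", real_port)) as real:
                if first:
                    real.sendall(first)
                # Relay whatever the real server sends back to the client.
                while True:
                    data = real.recv(4096)
                    if not data:
                        break
                    client.sendall(data)

    _serve(sock, handle)
    return sock.getsockname()[1]


def silent_client_probe(proxy_port, timeout=0.5):
    """Device that waits for the server to speak first: connects, sends nothing,
    and returns whatever arrives within `timeout` (b"" if nothing does)."""
    with socket.create_connection(("127.0.0.1", proxy_port)) as s:
        s.settimeout(timeout)
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""


def compare_modes():
    """Run the silent device against both proxy modes and return what it received."""
    real_port = start_real_server()
    return {mode: silent_client_probe(start_proxy(real_port, mode))
            for mode in ("l4", "l7")}


if __name__ == "__main__":
    for mode, received in compare_modes().items():
        print(f"{mode}: {received!r}" if received else f"{mode}: nothing within timeout")
```

In "l4" mode the device receives the banner; in "l7" mode the proxy is still waiting for a request the device will never send, so the device times out with nothing. That is exactly the deadlock described above, and it is why a server-speaks-first application needs either the device reconfigured to send first or a termination point that opens the backend connection on accept.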

Thank You Daniel.

Best regards,

Vladimir
