Cisco WAAS SSL enabled - Internet sites not working

Prabhu S
Level 1

Hi,

I have implemented Cisco WAVE 594 - 2 devices in the datacenter (one is the Central Manager and the other is the Core Edge WAVE) and also deployed WAVE 7541 in the zonal offices for WAAS optimization. At present, I am able to see the optimization traffic between the datacenter and the zonal offices. I have also installed the SSL certificate and private key in the Core WAVE (datacenter) and the SSL certificate and private key in the zonal Edge WAVE, and initialized the passphrase in the Central Manager. I am able to see the SSL optimization traffic as well. The only issue is when I enable SSL in all Cisco WAVE devices.

When a zonal office wants to access internet sites, the request is sent to the datacenter, where a proxy server is in place behind the Core WAVE devices. Users in the zonal office are not able to access HTTPS sites like axisbank or icicibank. They get the homepage of those sites, and then a session timeout happens when SSL is enabled in the Cisco WAVE devices. Is there any fix for this issue?

Regards...

Prabhu


adrrojas
Level 1

Hi Prabhu,

If your connections go towards a proxy server, do the HTTPS connections use a different port (instead of 443)?

If this is the case, do you have a custom policy configured for this?

Does your WAAS have a DNS server configured, and is it able to reach it?

Kindly advise.

Hi Adriana,

HTTPS connections use the same port as HTTP traffic, i.e. port 8080 for the proxy.

When we enable TFO + LZ compression for all the traffic going towards the proxy, SSL sites open. But when we enable TFO + LZ + DRE, HTTPS sites do not open.

Would you guide me on how to configure a separate policy for HTTPS traffic tunnelled through HTTP and destined to the proxy server?

Thanks in advance.

Hi Prabhu,

If both HTTP and HTTPS traffic use the same port towards the proxy, we cannot configure a different policy for each. This is not a recommended setup. Can you change the port for HTTPS connections?

Remember that WAAS cannot treat the traffic in the same way; are the SSL connections matching the default HTTP classifier?

Which policy do you use for testing (adding and removing DRE)? Does this policy have the HTTP AO enabled?

You mentioned at the beginning of the post that you enabled the SSL accelerated service; did you upload the server certificate and key for the failing domains? If the clients are failing to open public domains, you may check the DNS responses.

Even though your traffic uses the same port for HTTP and HTTPS connections, WAAS is capable of identifying the secure connection and will try to hand off the connection to the SSL AO. The SSL AO needs a domain resolution to look up whether it has that specific domain configured within an SSL accelerated service; if that is not the case, then the SSL connection will be treated as the 443 classifier (TFO only). If the DNS response takes long, the HTTP AO will report that it failed handing the connection to the SSL AO.

Kindly let me know which policy and configuration your SSL connection is matching; you can identify this with the following commands:

sh stat conn | inc :8080

sh stat conn conn-id   <--- Use this command once you identify the SSL connections in the sh stat conn output; the conn-id is the number at the beginning (left-hand side).

Hi Adriana,

Thanks for your response.

Which policy do you use for testing (adding and removing DRE)? Does this policy have the HTTP AO enabled?


Ans: I have made a separate customized policy in the WAVE device with TFO+DRE+LZ. Now all users are able to access the HTTPS sites without any issue.

You mentioned at the beginning of the post that you enabled the SSL accelerated service; did you upload the server certificate and key?


Ans: One more issue I faced after installing the SSL certificate & key in the WAVE where the server is residing. I enabled full optimization in the policy for SSL, enabled the passphrase key in the Central Manager, and enabled the SSL features on the Core WAVE device with full optimization in the policy for SSL.


I am able to see the optimization traffic for the server IP 10.111.0.14, both HTTP (80) and HTTPS (443).

Server IP : 10.111.0.14

I hoped that after installing the SSL certificate in the WAVE device all traffic to 10.111.0.14 would be on 443, but I am seeing the same server 10.111.0.14 getting HTTP traffic on port 80.

Please find the logs below for your reference.


WAVE-7541#sh statistics connection | in TSDL

416014    10.97.139.157:1127       10.111.0.14:443 e4:d3:f1:d0:75:00 TSDL  00.0%


WAVE-7541#sh statistics connection conn-id 416014


Connection Id:            416014
    Peer Id:                  e4:d3:f1:d0:75:00
    Connection Type:          EXTERNAL SERVER
    Start Time:               Mon Jan 14 13:43:30 2013
    Source IP Address:        10.97.139.157
    Source Port Number:       1127
    Destination IP Address:   10.111.0.14
    Destination Port Number:  443
    Application Name:         SSL
    Classifier Name:          HTTPS
    Map Name:                 basic
    Directed Mode:            FALSE
    Preposition Flow:         FALSE
    Policy Details:
           Configured:        TCP_OPTIMIZE + DRE + LZ
              Derived:        TCP_OPTIMIZE + DRE + LZ
                 Peer:        TCP_OPTIMIZE + DRE + LZ
           Negotiated:        TCP_OPTIMIZE + DRE + LZ
              Applied:        TCP_OPTIMIZE + DRE + LZ
    Accelerator Details:
                Configured:   None
                   Derived:   None
                   Applied:   SSL
                      Hist:   None


                                    Original            Optimized
                        -------------------- --------------------
    Bytes Read:                          922                 1061
    Bytes Written:                       519                 1967

    Total Reduction Ratio: 00.000%

DRE : 416014

Conn-ID: 416014 10.97.139.157:1127 -- 10.111.0.14:443  Peer No:  0 Status: Active
------------------------------------------------------------------------------
Open at 01/14/2013 13:43:30, Still active
Encode:
   Overall: msg:          1, in:    204 B, out:    212 B, ratio:   0.00%
       DRE: msg:          1, in:    204 B, out:    244 B, ratio:   0.00%
DRE Bypass: msg:          0, in:      0 B
        LZ: msg:          1, in:    244 B, out:    212 B, ratio:  13.11%
LZ Bypass: msg:          0, in:      0 B
    Avg latency:      0.089 ms, Avg msg size:    204 B
  Message size distribution:
    0-1K=0%  1K-5K=0%  5K-15K=0%  15K-25K=0%  25K-40K=0%  >40K=0%
Decode:
   Overall: msg:          1, in:    255 B, out:    211 B, ratio:   0.00%
       DRE: msg:          1, in:    265 B, out:    211 B, ratio:   0.00%
DRE Bypass: msg:          0, in:      0 B
        LZ: msg:          1, in:    255 B, out:    265 B, ratio:   3.77%
LZ Bypass: msg:          0, in:      0 B
    Avg latency:      0.050 ms, Avg msg size:    211 B
  Message size distribution:
    0-1K=0%  1K-5K=0%  5K-15K=0%  15K-25K=0%  25K-40K=0%  >40K=0%

Connection details:
  Encode bypass due to:
      last partial chunk: chunks: 1,  size:     64 B
  Nacks: total 0
  R-tx: total 0
  Encode LZ latency:      0.051 ms per msg, avg msg size:    244 B
  Decode LZ latency:      0.021 ms per msg, avg msg size:    265 B

  Cache write detail:
  Disk size saving due to unidirectional mode:      0 B

TFO : 416014

Conn-ID: 416014 10.97.139.157:1127 -- 10.111.0.14:443  Peer No:  0 Status: Active
------------------------------------------------------------------------------
Open at 01/14/2013 13:43:30, Still active

  Conn-Type:    EXTSERVER             Policy: DRE+LZ
  EOT state:
     Write: req: N, ack: N,  Read: req: N, ack: N
  Socket states
     AO : read-shut: N,  write-shut: N,  close: N, fd: 2451
          read-inKQ: Y,  write-inKQ: N,  choke: N, envoy: Y
     WAN: read-shut: N,  write-shut: N,  close: N, fd: 2450
          read-inKQ: Y,  write-inKQ: N,  choke: N, envoy: Y
  DRE Classification:  local: BI, remote: BI, applied: BI
  DRE hints:
     local   : DRE mode: 0 latency: 0 plz-off: 0, lz-off: 0, dre-off: 0
     remote  : DRE mode: 0 latency: 0 plz-off: 0, lz-off: 0, dre-off: 0
     active  : DRE mode: 0 latency: 0 plz-off: 0, lz-off: 0, dre-off: 0
  Scheduler:    class_id: 0   dscp: 0

                             Encode-Flow             Decode-Flow
  Read
     Total bytes:                  204                       316
     Total number:                   1                         3
     Average size:                 204                       105
     Schd latency(ms):            0.02                      0.03
     Stop latency(ms):            0.00                      0.00
     Read latency(ms):            0.01                      0.01
     Flow-ctrl stop:                 0                         0
     Peer-choke:                     0                         0
     Processed ack frames:                                     1
  Decoder pending queue:
     Maximum size:                                             0
     Current size:                                             0
     Average size:                                             0
     Flow-ctrl stop:                                           0
  Encode/Decode:
     Number of calls:                1                         1
     Latency(ms):                 0.09                      0.05
     Send data/ack frames:           1                         1
  Writer pending queue
     Maximum size:                   0                         0
     Current size:                   0                         0
     Average size:                   0                         0
     Flow-ctrl stop:                 0                         0
  Write
     Total bytes:                  289                       211
     Total number:                   3                         1
     Avergage size:                 96                       211
     Latency(ms):                 0.00                      0.00


SSL : 416014

   Time Statistics were Last Reset/Cleared:                           Mon Jan 14 13:43:30 2013
   Total Bytes Read:                                                  0          0
   Total Bytes Written:                                               0          0
   Memory address:                                     0x7c3ce0
   LAN bytes read:                                     922
   Number of reads on LAN fd:                          4
   LAN bytes written out:                              519
   Number of writes on LAN fd:                         3
   WAN bytes read:                                     1061
   Number of reads on WAN fd:                          29
   WAN bytes written out:                              1967
   Number of writes on WAN fd:                         9
   LAN handshake bytes read:                           677
   LAN handshake bytes written out:                    274
   WAN handshake bytes read:                           647
   WAN handshake bytes written out:                    1075
   AO bytes read:                                      211
   Number of reads on AO fd:                           1
   AO bytes written out:                               204
   Number of writes on AO fd:                          1
   DRE bytes read:                                     289
   Number of reads on DRE fd:                          3
   DRE bytes written out:                              316
   Number of writes on DRE fd:                         3
   Number of renegotiations requested by server:       0
   Number of SSL renegotiations attempted:             0
   Flow state:                                         0x00080000
   LAN work items:                                     1
   LAN conn state:                                     READ
   LAN SSL state:                                      SSLOK (0x3)
   WAN work items:                                     0
   WAN conn state:                                     READ
   WAN SSL state:                                      SSLOK (0x3)
   W2W work items:                                     1
   W2W conn state:                                     READ
   W2W SSL state:                                      SSLOK (0x3)
   AO  work items:                                     1
   AO  conn state:                                     READ
   DRE work items:                                     1
   DRE conn state:                                     READ
   Hostname in HTTP CONNECT:
   IP Address in HTTP CONNECT:
   TCP Port in HTTP CONNECT:


WAVE-7541#sh statistics connection optimized

395996    10.98.63.177:51553        10.111.0.14:80 e4:d3:f1:d0:75:d4 THDL  74.3%


Connection ID : 395996

WAVE-7541#sh statistics connection conn-id 395996


Connection Id:            395996
    Peer Id:                  e4:d3:f1:d0:75:d4
    Connection Type:          EXTERNAL SERVER
    Start Time:               Mon Jan 14 12:59:43 2013
    Source IP Address:        10.98.63.177
    Source Port Number:       51553
    Destination IP Address:   10.111.0.14
    Destination Port Number:  80
    Application Name:         Web
    Classifier Name:          HTTP
    Map Name:                 basic
    Directed Mode:            FALSE
    Preposition Flow:         FALSE
    Policy Details:
           Configured:        TCP_OPTIMIZE + DRE + LZ
              Derived:        TCP_OPTIMIZE + DRE + LZ
                 Peer:        TCP_OPTIMIZE + DRE + LZ
           Negotiated:        TCP_OPTIMIZE + DRE + LZ
              Applied:        TCP_OPTIMIZE + DRE + LZ
    Accelerator Details:
                Configured:   HTTP
                   Derived:   HTTP
                   Applied:   HTTP
                      Hist:   None


                                    Original            Optimized
                        -------------------- --------------------
    Bytes Read:                        10467                 2914
    Bytes Written:                      8651                 1991

    Total Reduction Ratio: 74.344%

HTTP : 395996

   Time Statistics were Last Reset/Cleared:                           Mon Jan 14 12:59:43 2013
   Total Bytes Read:                                                  8651       10467
   Total Bytes Written:                                               8651       10467
   Total Bytes Buffered:                                              0          0
   Total Internal Bytes Read:                                         164
   Total Internal Bytes Written:                                      164
   Bit Flags for I/O state:                                           80
   Internal object pointer:                                           143006328
   Fast connections:                                                  0

DRE : 395996

Conn-ID: 395996 10.98.63.177:51553 -- 10.111.0.14:80  Peer No:  5 Status: Active
------------------------------------------------------------------------------
Open at 01/14/2013 12:59:43, Still active
Encode:
   Overall: msg:         42, in:  10631 B, out:   1489 B, ratio:  85.99%
       DRE: msg:         42, in:  10467 B, out:   9059 B, ratio:  13.45%
DRE Bypass: msg:         41, in:    164 B
        LZ: msg:         42, in:   9469 B, out:   1489 B, ratio:  84.28%
LZ Bypass: msg:          0, in:      0 B
    Avg latency:      0.070 ms, Avg msg size:    253 B
  Message size distribution:
    0-1K=97%  1K-5K=2%  5K-15K=0%  15K-25K=0%  25K-40K=0%  >40K=0%
Decode:
   Overall: msg:         41, in:   2423 B, out:   8815 B, ratio:  72.51%
       DRE: msg:         41, in:   9033 B, out:   8651 B, ratio:   0.00%
DRE Bypass: msg:         41, in:    164 B
        LZ: msg:         41, in:   2423 B, out:   9443 B, ratio:  74.34%
LZ Bypass: msg:          0, in:      0 B
    Avg latency:      0.042 ms, Avg msg size:    215 B
  Message size distribution:
    0-1K=100%  1K-5K=0%  5K-15K=0%  15K-25K=0%  25K-40K=0%  >40K=0%

Connection details:
  Encode bypass due to:
      last partial chunk: chunks: 48,  size:   6737 B
      skipped frame header: messages: 41,  size:    164 B
  Nacks: total 0
  R-tx: total 0
  Encode LZ latency:      0.028 ms per msg, avg msg size:    225 B
  Decode LZ latency:      0.014 ms per msg, avg msg size:    230 B

  Cache write detail:
  Disk size saving due to unidirectional mode:      0 B

TFO : 395996

Conn-ID: 395996 10.98.63.177:51553 -- 10.111.0.14:80  Peer No:  5 Status: Active
------------------------------------------------------------------------------
Open at 01/14/2013 12:59:43, Still active

  Conn-Type:    EXTSERVER             Policy: DRE+LZ
  EOT state:
     Write: req: N, ack: N,  Read: req: N, ack: N
  Socket states
     AO : read-shut: N,  write-shut: N,  close: N, fd: 1492
          read-inKQ: Y,  write-inKQ: N,  choke: N, envoy: Y
     WAN: read-shut: N,  write-shut: N,  close: N, fd: 1330
          read-inKQ: Y,  write-inKQ: N,  choke: N, envoy: N
  DRE Classification:  local: BI, remote: BI, applied: BI
  DRE hints:
     local   : DRE mode: 0 latency: 0 plz-off: 0, lz-off: 0, dre-off: 0
     remote  : DRE mode: 0 latency: 0 plz-off: 0, lz-off: 0, dre-off: 0
     active  : DRE mode: 0 latency: 0 plz-off: 0, lz-off: 0, dre-off: 0
  Scheduler:    class_id: 0   dscp: 0

                             Encode-Flow             Decode-Flow
  Read
     Total bytes:                10631                      2914
     Total number:                  42                        45
     Average size:                 253                        64
     Schd latency(ms):            0.02                      0.03
     Stop latency(ms):            0.00                      0.00
     Read latency(ms):            0.01                      0.01
     Flow-ctrl stop:                 0                         0
     Peer-choke:                     0                         0
     Processed ack frames:                                     3
  Decoder pending queue:
     Maximum size:                                             0
     Current size:                                             0
     Average size:                                             0
     Flow-ctrl stop:                                           0
  Encode/Decode:
     Number of calls:               42                        41
     Latency(ms):                 0.07                      0.04
     Send data/ack frames:          42                         2
  Writer pending queue
     Maximum size:                   0                         0
     Current size:                   0                         0
     Average size:                   0                         0
     Flow-ctrl stop:                 0                         0
  Write
     Total bytes:                 1991                      8815
     Total number:                  45                        41
     Avergage size:                 44                       215
     Latency(ms):                 0.01                      0.01
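
The two outputs above are exactly what Adriana asked for earlier in the thread (sh stat conn, then sh stat conn conn-id), and together they answer the security question Prabhu raises: once the server's private key is loaded on the WAVE, which flows to that server are actually terminated and decrypted by the SSL AO, and which still reach it as cleartext HTTP on port 80. The following Python is an added example, not code from the thread or from Cisco. It parses the summary line and the conn-id block as posted, classifies each flow to a given server from the "Applied" accelerator, and cross-checks the summary flag letters against the detailed block. Assumptions: the field names are taken from the posted output; the T/D/L letters are read as TFO/DRE/LZ because both blocks show the policy TCP_OPTIMIZE + DRE + LZ, and S/H are inferred from the two blocks here (TSDL shows Applied: SSL, THDL shows Applied: HTTP); the sample input is a constructed trim of the two connections in this post.

```python
"""Audit Cisco WAAS 'show statistics connection' output: which flows to a server
whose certificate and private key are loaded on the WAVE are terminated by the
SSL AO, and which still reach that server as cleartext HTTP."""
import re
from dataclasses import dataclass

# Flag letters in the summary column. T, D and L follow from the policy shown in
# the matching conn-id blocks (TCP_OPTIMIZE + DRE + LZ); S and H are inferred from
# the two blocks in the thread (Applied: SSL for TSDL, Applied: HTTP for THDL).
# Assumption: other accelerator letters are not mapped here.
FLAG_MEANING = {"T": "TFO", "D": "DRE", "L": "LZ", "S": "SSL AO", "H": "HTTP AO"}

SUMMARY_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+(?P<peer>[0-9a-f:]{17})\s+(?P<flags>[A-Z]+)\s+(?P<ratio>[\d.]+)%",
    re.MULTILINE,
)

# Constructed sample input: the two summary lines and the fields of the two
# conn-id blocks posted in the thread, trimmed to what the parser reads.
SUMMARY = """\
416014    10.97.139.157:1127       10.111.0.14:443 e4:d3:f1:d0:75:00 TSDL  00.0%
395996    10.98.63.177:51553        10.111.0.14:80 e4:d3:f1:d0:75:d4 THDL  74.3%
"""

DETAIL = """\
Connection Id:            416014
    Destination IP Address:   10.111.0.14
    Destination Port Number:  443
    Classifier Name:          HTTPS
    Policy Details:
           Configured:        TCP_OPTIMIZE + DRE + LZ
              Applied:        TCP_OPTIMIZE + DRE + LZ
    Accelerator Details:
                Configured:   None
                   Applied:   SSL

Connection Id:            395996
    Destination IP Address:   10.111.0.14
    Destination Port Number:  80
    Classifier Name:          HTTP
    Policy Details:
           Configured:        TCP_OPTIMIZE + DRE + LZ
              Applied:        TCP_OPTIMIZE + DRE + LZ
    Accelerator Details:
                Configured:   HTTP
                   Applied:   HTTP
"""


@dataclass
class Conn:
    conn_id: int
    dst: str = ""
    dport: int = 0
    flags: str = ""
    classifier: str = ""
    policy: str = ""
    accelerator: str = ""

    def flag_names(self):
        # Unknown letters are passed through so nothing is silently dropped.
        return [FLAG_MEANING.get(c, c) for c in self.flags]


def parse_summary(text):
    """One Conn per 'show statistics connection' line, keyed by connection id."""
    conns = {}
    for m in SUMMARY_RE.finditer(text):
        cid = int(m["id"])
        conns[cid] = Conn(cid, m["dst"], int(m["dport"]), flags=m["flags"])
    return conns


def parse_detail(text, conns=None):
    """Fill classifier, applied policy and applied accelerator from conn-id blocks.

    'Applied:' appears under both 'Policy Details' and 'Accelerator Details', so
    the most recent section header decides which field a value belongs to.
    Lines whose key this audit does not need (byte counters, DRE/TFO sections) are ignored."""
    conns = {} if conns is None else conns
    cur, section = None, None
    for line in text.splitlines():
        key, _, val = (part.strip() for part in line.partition(":"))
        if key == "Connection Id":
            cur = conns.setdefault(int(val), Conn(int(val)))
            section = None
        elif cur is None:
            continue
        elif key == "Destination IP Address":
            cur.dst = val
        elif key == "Destination Port Number":
            cur.dport = int(val)
        elif key == "Classifier Name":
            cur.classifier = val
        elif key in ("Policy Details", "Accelerator Details"):
            section = key
        elif key == "Applied" and section == "Policy Details":
            cur.policy = val
        elif key == "Applied" and section == "Accelerator Details":
            cur.accelerator = val
    return conns


def classify(conn):
    """How the WAVE handles this flow, decided from the applied accelerator."""
    if conn.accelerator == "SSL":
        return "tls-terminated-on-wave"  # WAVE holds the server key and decrypts
    if conn.accelerator == "HTTP" or conn.dport == 80:
        return "cleartext-http"          # never encrypted; SSL AO not involved
    return "not-decrypted"               # e.g. TFO-only fallback on the 443 classifier


def audit(conns, ssl_servers):
    """Classification of every flow towards a server in ssl_servers."""
    return {cid: classify(c) for cid, c in sorted(conns.items()) if c.dst in ssl_servers}


def flag_mismatches(conns):
    """Connection ids whose summary flags disagree with the conn-id block
    (an 'S' flag should go with 'Applied: SSL' and vice versa)."""
    return [cid for cid, c in sorted(conns.items())
            if c.flags and (("S" in c.flags) != (c.accelerator == "SSL"))]


if __name__ == "__main__":
    table = parse_detail(DETAIL, parse_summary(SUMMARY))
    for cid, verdict in audit(table, {"10.111.0.14"}).items():
        c = table[cid]
        print(f"{cid}  {c.dst}:{c.dport}  {'+'.join(c.flag_names())}  {c.policy}  -> {verdict}")
    print("flag/accelerator mismatches:", flag_mismatches(table))
```

Run against the two connections in this post, the audit reports 416014 as terminated on the WAVE by the SSL AO (with DRE + LZ applied to the decrypted payload, which is the policy Prabhu created) and 395996 as cleartext HTTP to the same server: loading the server key on the WAVE only governs what happens to flows that match the SSL accelerated service, it does not stop clients from still reaching the server on port 80. On a real device, paste the full sh stat conn and conn-id output into SUMMARY and DETAIL; the parser skips every line it does not recognise.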
