08-13-2013 08:58 AM
The avdirecto http works great. The SSL termination gives TCP resets. They are both pointing to the same real server. The plan is to have everything south of the ACE in clear. See attached config. I would greatly appreciate someone sanity checking the config. Is there an issue where the return traffic doesn't match the SSL policy and gets dropped due to lack of state?
08-13-2013 12:30 PM
You have 2 things to fix ->
1.) Once the traffic is decrypted, it goes to the server. The TCP port number it uses should be whatever your server is listening on for http. I would assume port 80. However, in your serverfarm that links to the SSL configuration, you have no port number. That means ACE looks at the class map for the port number to utilize, which is port 443. It isn't common for a server to listen for HTTP traffic on port 443. Modify the serverfarm like this:
serverfarm host AVDirecto
  description AV Directo Server Farm
  probe icmp-probe
  rserver avdirecto01 80          <- Add the port here.
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
  rserver avdirecto02 80          <- Add the port here.
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
parameter-map type ssl AVWildcard_PM
  cipher RSA_WITH_AES_128_CBC_SHA
ssl-proxy service AVWildcard_PS
  key AV_Wildcard_Key.p12
  cert AV_Wildcard_Key.p12
  ssl advanced-options AVWildcard_PM
serverfarm host AVDirecto
  description AV Directo Server Farm
  probe icmp-probe
  rserver avdirecto01 80          <- Add the port here.
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
  rserver avdirecto02 80          <- Add the port here.
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
Keep in mind, you need to remove the rserver, then add it back in with the port.
2.) The second issue is the cipher list. You don't need a cipher list, and by specifying a single cipher, you are limiting the client to use only one. Although most clients support 128-bit CBC SHA encryption, some don't, and it might be part of the failure. With no cipher list, ACE defaults to using all ciphers possible (it uses the highest supported between the client and itself).
ssl-proxy service AVWildcard_PS
  key AV_Wildcard_Key.p12
  cert AV_Wildcard_Key.p12
  ssl advanced-options AVWildcard_PM    <- remove this
parameter-map type ssl AVWildcard_PM    <- then remove this.
  cipher RSA_WITH_AES_128_CBC_SHA
That should be it!
Chris
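The sanity check the original poster asked for, as an added example that is not part of the thread and not a Cisco tool: a small Python linter over an ACE-style config that flags the two findings from the answer above (an rserver with no explicit port, and an SSL parameter-map that pins a single cipher). The sample config is constructed to mirror the thread; the parser assumes child lines are indented under each top-level line and checks every serverfarm, not only those referenced by an SSL policy.

```python
from typing import Dict, List

# Constructed sample in ACE CLI style: avdirecto01 has no port and the
# parameter-map pins one cipher, so both findings should fire.
SAMPLE_CONFIG = """
parameter-map type ssl AVWildcard_PM
  cipher RSA_WITH_AES_128_CBC_SHA
ssl-proxy service AVWildcard_PS
  key AV_Wildcard_Key.p12
  cert AV_Wildcard_Key.p12
  ssl advanced-options AVWildcard_PM
serverfarm host AVDirecto
  description AV Directo Server Farm
  rserver avdirecto01
    inservice
  rserver avdirecto02 80
    inservice
"""


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Group every indented line under the nearest unindented heading line."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def lint_ssl_termination(config: str) -> List[str]:
    """Return one finding per misconfiguration discussed in the thread."""
    findings: List[str] = []
    for head, body in parse_blocks(config).items():
        if head.startswith("serverfarm "):
            farm = head.split()[-1]
            for line in body:
                parts = line.split()
                if parts[0] == "rserver" and len(parts) < 3:
                    findings.append(f"{farm}: rserver {parts[1]} has no port; "
                                    "decrypted traffic inherits the class-map port")
        elif head.startswith("parameter-map type ssl "):
            ciphers = [l.split()[1] for l in body if l.startswith("cipher ")]
            if len(ciphers) == 1:
                findings.append(f"{head.split()[-1]}: single cipher {ciphers[0]} "
                                "pinned; clients lacking it fail the handshake")
    return findings
```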
08-13-2013 01:04 PM
Awesome! I'm going to try it in a few minutes. I'll let you know the outcome and rate it.
08-13-2013 01:48 PM
Works like a champ! Thank you sir! I owe you a beer!