Configuring Cisco ACE to NOT Offload SSL Traffic

glenne nelson
Level 1

Hi,

I'm load balancing a pair of servers behind the ACE and want to load balance HTTPS traffic. The servers have self-signed certificates and I do NOT want the ACE to do SSL offload. Normal port 80 traffic works OK, but I cannot get a connection [via the VIP] for port 443 traffic. Most of the configurations I've seen for the ACE show how to offload SSL traffic, but nothing too intuitive about just passing it through to the real servers.

Is there anything specific I need to do to get this to work? Do you need to create a separate class map for port 443 traffic pointing to the VIP?

Below is a sample configuration [the IP addresses have been sanitised for security]. This is just one on-going iteration.



7 Replies

glenne nelson
Level 1

Added class map pointing to VIP for port 443 and associated policy map and can now get to sites [intermittently]. Still ongoing to tidy things up.

Hello,

Basically, you would like to load balance traffic coming on port 443 as you would do with port 80 with applying ssl termination, is that correct?

Hi Jorge,

If you meant WITHOUT applying SSL termination, that is correct. I want to load balance traffic coming from port 443 as I would from port 80 WITHOUT SSL termination on the ACE.

Regards

Glenne

pablo.nxh
Level 3

Glenn,

Based on your config there are two ways to do this... The easiest way would be:

- Assuming you'll be using the same rservers currently used for www then from the serverfarm SP-WEB remove the port 80 configured next to the rserver name and put them back without it.

no rserver SP1 80
no rserver SP2 80
rserver SP1
  inservice
rserver SP2
  inservice

- Assuming also that you'll be using the same VIP "192.168.y.130" as I see already a line in ACL "LB_ALLOW_VIPS" permitting port 443 you could match the new VIP under the same class-map but you first need to do it a match-any instead of a match-all, you can run this "script" on the ACE and that should do the trick (this would disrupt the service for port 80 momentarily) [Make sure you replace the "y" with the real number].

******************************************************

policy-map multi-match L4-LB-POLICY
  no class VIP-SPDEV-HTTP
  exit

no class-map match-all VIP-SPDEV-HTTP

class-map match-any VIP-SPDEV-HTTP
  2 match virtual-address 192.168.y.130 tcp eq www
  3 match virtual-address 192.168.y.130 tcp eq https
  exit

policy-map multi-match L4-LB-POLICY
  class VIP-SPDEV-HTTP
    loadbalance vip inservice
    loadbalance policy VIP-SPDEV-HTTP
    loadbalance vip icmp-reply active

******************************************************

The long way would be creating a new serverfarm, a new class-map to match the VIP with port 443, a new first-match policy, and lastly adding the VIP (class) under the policy multi-match.

Based on the way you applied the probes, it seems like the first option is the way you wanna take.

HTH

__ __

Pablo

Hi Pablo,

Thanks for your response. As it happens, I originally went for adding a line to the class map but fell foul by not changing the match-all to match-any, so I ended up going the long way round [see attached]. I eventually will be using the ACE to SSL offload and this seems the easiest way for changing the configuration later. I'm getting intermittent connectivity now via port 443, but I guess that is because of a number of factors: I didn't create another server farm, and the "sticky" configuration may need to be modified as well as the rserver entries for 80 and 443. But this is still work in progress. Any more pointers, however, will be appreciated.

Regards

Glenne.

Hi Glenn,

Gotcha! If you'll be using SSL termination in a near future then the "long" configuration is definitely required.

Just checked your recent config and the problem is that you mixed up your servers with port 80 and port 443 within the serverfarm, so some connections will hit the VIP on port 443 and will be balanced correctly to port 443 on the backend, but some of them will be balanced to backend port 80, which is something that will never work because your servers can't provide secured content over a clear-text port.

- Configure a separate SF for HTTPS:

serverfarm host SP-HTTPS
  predictor leastconns
  probe SP-HTTPS
  rserver SP1 443
    inservice
  rserver SP2 443
    inservice

- Create a new sticky group to match this new SF (If app dependable or testing purposes).

sticky ip-netmask 255.255.255.255 address source STICKY-HTTPS
  timeout 1
  serverfarm SP-HTTPS

- Remove the port 80 SF from the first-match policy and configure the new sticky-farm:

policy-map type loadbalance first-match VIP-SPDEV-HTTPS
  class class-default
    sticky-serverfarm STICKY-HTTPS

Policy multi-match looks in good shape, so no need to modify anything in there.

Once you're ready to move to SSL termination, it would be a matter of getting the SSL proxy-service configured and making a few modifications under the multi-match policy.

HTH

__ __

Pablo
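A small check for the mistake Pablo diagnosed above (rservers on port 80 and port 443 mixed inside one serverfarm behind an HTTPS VIP), written as an added example that is not code from the thread or from Cisco: it parses the serverfarm blocks of ACE-style config text and flags any rserver whose explicit port cannot serve the VIP's port. The config text, rserver names and address are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample config (not from the thread): SP-WEB is the mixed-port farm
# that breaks passthrough, SP-HTTPS is the corrected farm, and SP-PASSTHRU uses
# rservers with no port, which inherit the port the client used on the VIP.
SAMPLE_CONFIG = """\
rserver host SP1
  ip address 192.0.2.11
serverfarm host SP-WEB
  predictor leastconns
  rserver SP1 80
    inservice
  rserver SP2 443
    inservice
serverfarm host SP-HTTPS
  rserver SP1 443
    inservice
  rserver SP2 443
    inservice
serverfarm host SP-PASSTHRU
  rserver SP1
    inservice
  rserver SP2
    inservice
"""

Member = Tuple[str, Optional[int]]  # (rserver name, explicit port or None)

def parse_serverfarms(config: str) -> Dict[str, List[Member]]:
    """Map each 'serverfarm host NAME' block to its rserver members."""
    farms: Dict[str, List[Member]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        farm = re.match(r"serverfarm\s+host\s+(\S+)$", line)
        if farm:
            current = farm.group(1)
            farms[current] = []
            continue
        if not raw[:1].isspace():  # any other top-level command ends the block
            current = None
            continue
        member = re.match(r"rserver\s+(\S+)(?:\s+(\d+))?$", line)
        if member and current is not None:
            port = int(member.group(2)) if member.group(2) else None
            farms[current].append((member.group(1), port))
    return farms

def check_farm(members: List[Member], vip_port: int) -> List[str]:
    """Flag members whose explicit port differs from the port the VIP listens on."""
    return [f"{name}:{port} does not match VIP port {vip_port}"
            for name, port in members if port is not None and port != vip_port]
```

Run `check_farm(parse_serverfarms(SAMPLE_CONFIG)["SP-WEB"], 443)` to see the port 80 member reported; the corrected and port-less farms come back clean.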

Hi Pablo,

Superb!!! All working now [see attached]. Added a few lines for redirecting port 80 requests to port 443, so I guess the STICKY-HTTP lines are not needed. Still some tidying up to do with access lists, probes, TCP reuse et al, but you've put me in good shape to go forward. Just need to try out SSL offload now before deploying on our SharePoint development servers [been using a couple of test VMs].

Much appreciated

Regards

Glenne
