10-30-2013 10:14 AM
Hi,
I get the following error when I try to add sticky config to a context.
Error: sticky resource not available
I have added the following to the admin context but no joy:
resource-class **********
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 10.00 maximum equal-to-min
One thing I noticed is it is only on the admin context of one ACE module. It ain't on the admin module of the other ACE context. Do I need to add it manually to both? Afraid of putting them out of sync.
Can anyone please advise?
10-31-2013 04:26 PM
Thanks Kanwal,
Looks like it's getting closer but still not there. If I type the service name it redirects to https:// but gives a "no data received" error on the web page.
If I go directly to each server on https://*.*.*.*:8443 it works. Am I missing something simple? Here are a few show commands:
sh probe ****-WEB-PROBE
probe : ****-WEB-PROBE
type : TCP
state : ACTIVE
----------------------------------------------
port : 8443 address : 0.0.0.0 addr type : -
interval : 3 pass intvl : 5 pass count : 3
fail count: 3 recv timeout: 10
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
serverfarm : ****-FARM
real : ****TC1[8443]
*.*.*.* 7834 127 7707 SUCCESS
real : ****TC2[8443]
*.*.*.* 7836 128 7708 SUCCESS
sh serverfarm ****-FARM
serverfarm : ****-FARM, type: HOST
total rservers : 2
---------------------------------
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver:****TC1
*.*.*.*:8443 8 OPERATIONAL 0 0 44
rserver: *TC2
*.*.*.*:8443 8 OPERATIONAL 0 0 0
sh service-policy
Policy-map : ****-POLICY
Status : ACTIVE
-----------------------------------------
Context Global Policy:
service-policy: ****-POLICY
class: ****-HTTPS-VIP
ssl-proxy server: SSL-****-PROXY
loadbalance:
L7 loadbalance policy: ****-HTTPS-POLICY
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 363
dropped conns : 184
client pkt count : 4051 , client byte count: 1056853
server pkt count : 1765 , server byte count: 258936
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
class: REDIRECT-HTTP-****
loadbalance:
L7 loadbalance policy: ****-POLICY-REDIRECT
VIP Route Metric : 77
VIP Route Advertise : ENABLED
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 2
dropped conns : 0
client pkt count : 8 , client byte count: 344
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
10-31-2013 04:36 PM
Also here is the current config. Maybe I am missing something or extra still in config.
crypto chaingroup ****-CHAINGRP
cert chain-ROOT
cert ****CAcert
probe tcp ****-WEB-PROBE
port 8443
interval 3
passdetect interval 5
parameter-map type ssl SSL-****-ADVANCED
cipher RSA_WITH_RC4_128_MD5
rserver host ****TC1
ip address *.*.*.*
inservice
rserver host ****TC2
ip address *.*.*.*
inservice
rserver redirect HTTP-****
webhost-redirection https://%h/%p 301
inservice
ssl-proxy service SSL-****-PROXY
key ****.pem
cert ****CAcert
chaingroup ****-CHAINGRP
ssl advanced-options SSL-****-ADVANCED
ssl-proxy service SSL_CLIENT
ssl advanced-options SSL-****-ADVANCED
serverfarm host ****-FARM
predictor leastconns
probe ****-WEB-PROBE
rserver ****TC1 8443
inservice
rserver ****TC2 8443
inservice
serverfarm redirect HTTP-****-FARM
rserver HTTP-****
inservice
sticky ip-netmask 255.255.255.255 address source STICKY-SSL-****-FARM
timeout 720
timeout activeconns
replicate sticky
serverfarm ****-FARM
class-map match-any ****-HTTPS-VIP
2 match virtual-address *.*.*.* tcp eq https
class-map match-any REDIRECT-HTTP-****
2 match virtual-address *.*.*.* tcp eq www
policy-map type loadbalance first-match ****-HTTPS-POLICY
class class-default
sticky-serverfarm STICKY-SSL-****-FARM
ssl-proxy client SSL_CLIENT
policy-map type loadbalance first-match ****-POLICY-REDIRECT
class class-default
serverfarm HTTP-****-FARM
policy-map multi-match ****-POLICY
class ****-HTTPS-VIP
loadbalance vip inservice
loadbalance policy ****-HTTPS-POLICY
loadbalance vip icmp-reply active
ssl-proxy server SSL-****-PROXY
class REDIRECT-HTTP-****
loadbalance vip inservice
loadbalance policy ****-POLICY-REDIRECT
loadbalance vip icmp-reply active
loadbalance vip advertise
service-policy input ****-POLICY
10-31-2013 06:46 PM
Hi Netter,
My apologies, but I was not entirely right. For end-to-end SSL it is a requirement that you create a layer 7 class map. So you would need to make changes to the configuration. Let me paste one example for you:
class-map type http loadbalance match-all SSLCLASS
2 match http url .*
Then you need to call this class under policy map.
policy-map type loadbalance first-match ****-HTTPS-POLICY
class SSLCLASS
sticky-serverfarm STICKY-SSL-****-FARM
ssl-proxy client SSL_CLIENT
class class-default
sticky-serverfarm STICKY-SSL-****-FARM
ssl-proxy client SSL_CLIENT
Other than that it is looking fine.
Please try and let me know how it goes.
I tested with a 443 backend and it worked. Couldn't test with backend 8443, but I think it should work fine.
Regards,
Kanwal
11-01-2013 02:59 AM
Hi Kanwal,
No joy unfortunately. This is what I have changed,
policy-map type loadbalance first-match ****-HTTPS-POLICY
class SSLCLASS
sticky-serverfarm STICKY-SSL-****-FARM
ssl-proxy client SSL_CLIENT
class class-default
sticky-serverfarm STICKY-SSL-****-FARM
ssl-proxy client SSL_CLIENT
policy-map type loadbalance first-match ****-POLICY-REDIRECT
class class-default
serverfarm HTTP-****-FARM
policy-map multi-match ****-POLICY
class ****-HTTPS-VIP
loadbalance vip inservice
loadbalance policy ****-HTTPS-POLICY
loadbalance vip icmp-reply active
ssl-proxy server SSL-****-PROXY
class REDIRECT-HTTP-****
loadbalance vip inservice
loadbalance policy ****-POLICY-REDIRECT
loadbalance vip icmp-reply active
loadbalance vip advertise
service-policy input ****-POLICY
sh serverfarm ****-FARM
serverfarm : ****-FARM, type: HOST
total rservers : 2
---------------------------------
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: ****TC1
*.*.*.*:8443 8 OPERATIONAL 0 0 88
rserver: ****TC2
*.*.*.*:8443 8 OPERATIONAL 0 0 5
11-01-2013 05:50 AM
Hi Netter,
You didn't configure the L7 class map. Can you configure the L7 class map as shown in the config I pasted in my last post and see how it goes.
Regards,
Kanwal
11-01-2013 06:24 AM
Sorry Kanwal, I had it in. Here are the classes I have:
class-map match-any ****-HTTPS-VIP
2 match virtual-address *.*.*.* tcp eq https
class-map match-any REDIRECT-HTTP-****
2 match virtual-address *.*.*.* tcp eq www
class-map type http loadbalance match-all SSLCLASS
2 match http url .*
Thanks again for your thorough help on this.
11-01-2013 07:31 AM
Hi Kanwal, This is actually the full config I have now. Does it look ok to you?
crypto chaingroup ****-CHAINGRP
cert chain-ROOT
cert ****CAcert
probe tcp ****-WEB-PROBE
port 8443
interval 3
passdetect interval 5
parameter-map type ssl SSL-****-ADVANCED
cipher RSA_WITH_RC4_128_MD5
rserver host ****TC1
ip address *.*.*.*
inservice
rserver host ****TC2
ip address *.*.*.*
inservice
rserver redirect HTTP-****
webhost-redirection https://%h/%p 301
inservice
ssl-proxy service SSL-****-PROXY
key ****.pem
cert ****CAcert
chaingroup ****-CHAINGRP
ssl advanced-options SSL-****-ADVANCED
ssl-proxy service SSL_CLIENT
ssl advanced-options SSL-****-ADVANCED
serverfarm host ****-FARM
predictor leastconns
probe ****-WEB-PROBE
rserver ****TC1 8443
inservice
rserver ****TC2 8443
inservice
serverfarm redirect HTTP-****-FARM
rserver HTTP-****
inservice
sticky ip-netmask 255.255.255.255 address source STICKY-SSL-****-FARM
timeout 720
timeout activeconns
replicate sticky
serverfarm ****-FARM
class-map match-any ****-HTTPS-VIP
2 match virtual-address *.*.*.* tcp eq https
class-map match-any REDIRECT-HTTP-****
2 match virtual-address *.*.*.* tcp eq www
class-map type http loadbalance match-all SSLCLASS
2 match http url .*
policy-map type loadbalance first-match ****-HTTPS-POLICY
class SSLCLASS
sticky-serverfarm STICKY-SSL-****-FARM
ssl-proxy client SSL_CLIENT
class class-default
sticky-serverfarm STICKY-SSL-****-FARM
ssl-proxy client SSL_CLIENT
policy-map type loadbalance first-match ****-POLICY-REDIRECT
class class-default
serverfarm HTTP-****-FARM
policy-map multi-match ****-POLICY
class ****-HTTPS-VIP
loadbalance vip inservice
loadbalance policy ****-HTTPS-POLICY
loadbalance vip icmp-reply active
ssl-proxy server SSL-****-PROXY
class REDIRECT-HTTP-****
loadbalance vip inservice
loadbalance policy ****-POLICY-REDIRECT
loadbalance vip icmp-reply active
loadbalance vip advertise
service-policy input ****-POLICY
11-01-2013 07:42 AM
Hi Netter,
Yes this looks good.
Regards,
Kanwal
11-01-2013 07:52 AM
Thanks Kanwal. I now get this error though:
The connection was reset
The connection to the server was reset while the page was loading.
* The site could be temporarily unavailable or too busy. Try again in a few
moments.
* If you are unable to load any pages, check your computer's network
connection.
* If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web.
Is there anything else I can do? Do you think there is something still wrong with my config? I am really stuck now.
Thanks Again,
11-01-2013 07:56 AM
Hi Netter,
The config looks fine.
Send me the below output:
show service-policy
Ensure that you don't need NAT. What is your server's default gateway?
Is routing proper?
Regards,
Kanwal
11-01-2013 08:04 AM
Thanks Kanwal, here is the output. We use public addresses so I don't think I need NAT. We have another service running in this context and it is fine. The default gateway of the servers will be the gateway of the VLAN: *.*.*.1.
sh service-policy ****-POLICY detail
Status : ACTIVE
Description: -----------------------------------------
Context Global Policy:
service-policy: ****-POLICY
class: ****-HTTPS-VIP
ssl-proxy server: SSL-****-PROXY
VIP Address: Protocol: Port:
193.1.174.104 tcp eq 443
loadbalance:
L7 loadbalance policy: ****-HTTPS-POLICY
Regex dnld status : SUCCESSFUL
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 467
dropped conns : 282
client pkt count : 5054 , client byte count: 1206294
server pkt count : 2068 , server byte count: 272134
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : ****-HTTPS-POLICY
class/match : SSLCLASS
ssl-proxy client : SSL_CLIENT
LB action: :
sticky group: STICKY-SSL-****-FARM
primary serverfarm: ****-FARM
state: UP
backup serverfarm : -
hit count : 82
dropped conns : 0
class/match : class-default
ssl-proxy client : SSL_CLIENT
LB action: :
sticky group: STICKY-SSL-****-FARM
primary serverfarm: ****-FARM
state: UP
backup serverfarm : -
hit count : 0
dropped conns : 0
class: REDIRECT-HTTP-****
VIP Address: Protocol: Port:
*.*.*.* tcp eq 80
loadbalance:
L7 loadbalance policy: ****-POLICY-REDIRECT
VIP Route Metric : 77
VIP Route Advertise : ENABLED
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 24
dropped conns : 0
client pkt count : 99 , client byte count: 7933
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : ****-POLICY-REDIRECT
class/match : class-default
LB action: :
primary serverfarm: HTTP-****-FARM
state: UP
backup serverfarm : -
hit count : 6
dropped conns : 0
11-01-2013 08:08 AM
Hi Kanwal, the VIP is actually a different subnet to servers so maybe this is the problem. I will change the IP of the VIP and change it in the context and see if it makes any difference.
11-01-2013 08:15 AM
Hi Netter,
We are getting hits on the policy as well as on SSLCLASS, but there are drops on the L3 policy map. Can you also remove the SSL parameter map from both the SSL client proxy as well as the server and give it a try.
The VIP can be different as long as there is a route to it from the uplink. Once traffic matches, it will be loadbalanced to servers in the serverfarm. Now the servers should be able to send the traffic back (if ACE is their GW, or the servers have a route towards ACE, or you do NAT so that traffic comes back to ACE).
When you establish a connection, what do you see in "show conn"? You can filter using your testing client IP address or the VIP. So you can use show conn
Also, ensure that the policy is applied to the correct interface VLAN. It should be applied to the client-facing VLAN.
Regards,
Kanwal
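The reading Kanwal applies to the "show service-policy ... detail" output above (hits on the L7 class, but drops counted only at the VIP class) can be automated over the raw CLI output. This is an added Python example, not code from the thread or from Cisco; the sample output is constructed to mirror the thread's format, with placeholder names and counters.

```python
import re

# Constructed sample modelled on the "show service-policy ... detail" output
# quoted in this thread; names and counters are placeholders, not real data.
SAMPLE = """\
  class: EXAMPLE-HTTPS-VIP
    curr conns       : 0         , hit count        : 467
    dropped conns    : 282
    L7 Loadbalance policy : EXAMPLE-HTTPS-POLICY
      class/match : SSLCLASS
        hit count        : 82
        dropped conns    : 0
  class: REDIRECT-HTTP-EXAMPLE
    curr conns       : 0         , hit count        : 24
    dropped conns    : 0
    L7 Loadbalance policy : EXAMPLE-POLICY-REDIRECT
      class/match : class-default
        hit count        : 6
        dropped conns    : 0
"""

L3_CLASS = re.compile(r"^\s*class:\s*(\S+)")           # VIP (multi-match) class
L7_CLASS = re.compile(r"^\s*class/match\s*:\s*(\S+)")  # loadbalance class
HITS = re.compile(r"hit count\s*:\s*(\d+)")
DROPS = re.compile(r"dropped conns\s*:\s*(\d+)")


def parse_counters(text):
    """Map each VIP class to its hit/drop counters and those of its L7 classes."""
    result, l3, l7 = {}, None, None
    for line in text.splitlines():
        if m := L3_CLASS.match(line):          # new VIP class: reset L7 context
            l3, l7 = m.group(1), None
            result[l3] = {"hits": 0, "drops": 0, "l7": {}}
        elif m := L7_CLASS.match(line):        # L7 class nested under the VIP
            l7 = m.group(1)
            result[l3]["l7"][l7] = {"hits": 0, "drops": 0}
        elif l3 is not None:                   # counter line for current scope
            target = result[l3]["l7"][l7] if l7 else result[l3]
            if m := HITS.search(line):
                target["hits"] = int(m.group(1))
            if m := DROPS.search(line):
                target["drops"] = int(m.group(1))
    return result


def classes_dropping_after_lb(counters):
    """VIP classes whose drops are not explained by their L7 classes: requests
    reached a L7 class (hits > 0) yet connections still dropped at the VIP, so the
    problem sits on the server side of the proxied connection (return routing,
    NAT, backend TLS), not in the loadbalance policy itself."""
    return [name for name, c in counters.items()
            if sum(x["hits"] for x in c["l7"].values()) > 0
            and c["drops"] > sum(x["drops"] for x in c["l7"].values())]
```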
11-01-2013 08:26 AM
Sorry Kanwal, how or what do I remove? Is it like the lines bolded below:
ssl-proxy service SSL-FILR-PROXY
key filr.pem
cert filrCAcert
chaingroup FILR-CHAINGRP
NO ssl advanced-options SSL-FILR-ADVANCED
ssl-proxy service SSL_CLIENT
NO ssl advanced-options SSL-FILR-ADVANCED
11-01-2013 08:28 AM
Hi Netter,
Yeah that is right.
Regards,
Kanwal