How to tell if SSL is being terminated on the ACE

axfalk
Level 1

Hi,

We've inherited a pair of ACE30 modules running A5(2.1) that have a config that appears to be terminating SSL, however there's no ssl-proxy statement in the class statement under the multi-match policy. The servers in the corresponding serverfarm are listening on port 8080, which is not a secure port, so it looks like the ACE should be terminating the SSL and passing these connections on the clear-text port.

However, we have no documentation for this app, nor the folks who had written it. Is there a way to definitively determine if the ACE is terminating the SSL or the back-end servers do?

Thanks.

1 Accepted Solution

Kanwaljeet Singh
Cisco Employee

Hi,

From the configuration you should be able to find out if the ACE is configured for SSL termination or not. You should see an ssl-proxy server <name> statement under the policy multi-match. If not, then the ACE is not doing SSL termination. ssl-proxy client <name> under the L7 policy map would indicate that the ACE is configured for SSL initiation. Both would show that the ACE is configured for end-to-end SSL.

You can also check "show stats crypto server/client" to see the statistics. A quick packet capture on the server would also show if the traffic passed to it by the ACE is decrypted or encrypted, or you can also take a pcap on the ACE itself to see that.

Let me know if you have any questions.

Regards,

Kanwal

Note: Please mark answers if they are helpful.
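As an added illustration of the two checks described in this answer (example code, not from the thread or from Cisco), the following Python classifies the ACE's SSL role from the ssl-proxy statements in a configuration dump and tells a TLS record from cleartext HTTP in the first bytes of a server-side capture. The configuration fragment and byte strings are constructed samples, and the policy-map/class indentation layout of ACE "show running-config" output is assumed.

```python
# Constructed sample ACE configuration (not from the post). A real check would
# feed in the text of "show running-config" from the module.
SAMPLE_CONFIG = """
policy-map type loadbalance first-match L7-POLICY
  class class-default
    serverfarm WEB-FARM
policy-map multi-match VIP-POLICY
  class VIP-CLASS
    loadbalance vip inservice
    loadbalance policy L7-POLICY
    ssl-proxy server SSL-TERM
"""


def ssl_role(config: str) -> str:
    """Return 'termination', 'initiation', 'end-to-end' or 'none'.

    'ssl-proxy server' inside a multi-match policy map means the ACE
    terminates client SSL; 'ssl-proxy client' inside an L7 (loadbalance)
    policy map means it re-encrypts towards the servers; both is end-to-end.
    """
    terminates = initiates = False
    section = None  # which kind of top-level policy-map block we are in
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):  # unindented line starts a new block
            if line.startswith("policy-map multi-match"):
                section = "multi-match"
            elif line.startswith("policy-map type loadbalance"):
                section = "l7"
            else:
                section = None
            continue
        stmt = line.strip()
        if section == "multi-match" and stmt.startswith("ssl-proxy server "):
            terminates = True
        if section == "l7" and stmt.startswith("ssl-proxy client "):
            initiates = True
    if terminates and initiates:
        return "end-to-end"
    return "termination" if terminates else ("initiation" if initiates else "none")


def payload_kind(first_bytes: bytes) -> str:
    """Classify the first TCP payload bytes seen in a capture on the server.

    A TLS record starts with content type 0x16 (handshake) and a 0x03 0x0N
    record-layer version; cleartext HTTP starts with a request method.
    """
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03 and first_bytes[2] <= 0x03:
        return "tls"
    methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
    if first_bytes.startswith(methods) and b" HTTP/1." in first_bytes:
        return "cleartext-http"
    return "unknown"
```

If the config reports "termination" but the server-side capture still classifies as "tls", the traffic is not passing through the VIP you inspected, which is the usual reason the two checks disagree.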
