SSL Issues

I am trying to get SSL to work. I have the configuration in place but it always just tells me there is a cert error and redirects to http. My config is below.

Thanks for any help!

-Andy

crypto chaingroup poweradvocatechain
  cert pabundle.pem


access-list allow line 8 extended permit ip any any

probe icmp PROBE_SERVICE_ICMP
  interval 5
  passdetect interval 5
  receive 5
probe tcp TCP443_PROBE
  port 443
  interval 5
  passdetect interval 5
  receive 5
  connection term forced
  open 2
probe tcp TCP7001_PROBE
  port 7001
  interval 5
  passdetect interval 5
  receive 3
  connection term forced
  open 2
probe tcp TCP80_PROBE
  interval 5
  passdetect interval 5
  receive 3
  connection term forced
  open 2

rserver host 228-WLS11host1
  ip address 192.168.211.228
  inservice
rserver host 229-WLS11host2
  ip address 192.168.211.229
  inservice

serverfarm host WLS11-7001
  probe TCP7001_PROBE
  rserver 228-WLS11host1 7001
    inservice
  rserver 229-WLS11host2 7001
    inservice

sticky http-cookie ACE_COOKIE-7001 7001_STICKY
  cookie insert browser-expire
  replicate sticky
  serverfarm WLS11-7001


ssl-proxy service prodproxy
  key poweradvocate.pem
  cert poweradvocate.pem
  chaingroup poweradvocatechain

class-map type http loadbalance match-any L5
  2 match http url /.*
class-map match-all WLS11-7001-CLASS
  2 match virtual-address 192.168.211.50 tcp eq www
class-map match-all WLS11-HTTPS-CLASS
  2 match virtual-address 192.168.211.50 tcp eq https

policy-map type loadbalance first-match WLS11-7001-Policy
  class L5
    sticky-serverfarm 7001_STICKY

policy-map multi-match WLS11-SLB
  class WLS11-7001-CLASS
    loadbalance vip inservice
    loadbalance policy WLS11-7001-Policy
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 1000
  class WLS11-HTTPS-CLASS
    loadbalance vip inservice
    loadbalance policy WLS11-7001-Policy
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 1000
    ssl-proxy server prodproxy

interface vlan 1000
  ip address 192.168.211.226 255.255.255.0
  access-group input allow
  nat-pool 1 192.168.211.50 192.168.211.50 netmask 255.255.255.255 pat
  service-policy input WLS11-SLB
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.211.235

Accepted Solutions

Andy,

Everything looks fine as you can see here:

client pkt count : 24        , client byte count: 2532               

server pkt count : 12        , server byte count: 2386   

VIP State: INSERVICE

VIP is in service and traffic is reaching the ACE and is being sent to the servers.

What cert error are you getting?

I think you may need to get the root, inter and server certificate separated and then upload it to the ACE.

Jorge

12 Replies

Jorge Bejarano
Level 4

Andy,

Can you paste the error you are getting?

You can check what you got wrong by typing the site in here, it will check it and let you know what's wrong.

http://www.sslshopper.com/ssl-checker.html

Why do you have your key, inter and cert certificates named the same way?

Can you upload the "#show crypto files" output?

Jorge

It simply redirects me to the http page instead of going to the SSL page. The show crypto files output is below.

PA-ACE-4700-SLB/Prod-Support# show crypto files
Filename                                 File  File    Expor      Key/
                                         Size  Type    table      Cert
-----------------------------------------------------------------------
cisco-sample-cert                        1082  PEM     Yes        CERT
cisco-sample-key                         887   PEM     Yes         KEY
pabundle.pem                             3311  PEM     Yes        CERT
poweradvocate.pem                        3730  PEM     Yes        BOTH

Let me know your thoughts.

Thanks!

Andy,

I thought you said: "there is a cert error ", can you paste a screenshot of that error?

But how are you testing this?

Like this?

Https://192.168.211.50

Or

Http://192.168.211.50 and then it should be redirected to: Https://192.168.211.50?

How do you have this: WLS11-7001-Policy configured?

Can you do the following?

# clear stats all

Generate traffic and get the following:

# show service-policy WLS11-SLB class-map WLS11-HTTPS-CLASS detail

Jorge

I am testing it by going to https://192.168.211.50

The WLS11-7001-Policy is defined here:

policy-map type loadbalance first-match WLS11-7001-Policy
  class L5
    sticky-serverfarm 7001_STICKY

Eventually I want the redirect to work, but for now I am trying to get SSL to work. I am going one step at a time.

Here is the output from the command:

PA-ACE-4700-SLB/Prod-Support# show service-policy WLS11-SLB class-map WLS11-HTTPS-CLASS detail
Status     : ACTIVE
Description: -----------------------------------------
Interface: vlan 1 1000
  service-policy: WLS11-SLB
    class: WLS11-HTTPS-CLASS
      ssl-proxy server: prodproxy
      nat:
        nat dynamic 1 vlan 1000
        curr conns       : 1         , hit count        : 3
        dropped conns    : 0
        client pkt count : 24        , client byte count: 2532
        server pkt count : 12        , server byte count: 2386
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
     VIP Address:    Protocol:  Port:
     192.168.211.50  tcp        eq    443
      loadbalance:
        L7 loadbalance policy: WLS11-7001-Policy
        Regex dnld status    : SUCCESSFUL
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        Persistence Rebalance: ENABLED
        curr conns       : 1         , hit count        : 5
        dropped conns    : 0
        client pkt count : 44        , client byte count: 4334
        server pkt count : 12        , server byte count: 2386
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : WLS11-7001-Policy
          class/match : L5
            LB action: :
               sticky group: 7001_STICKY
                  primary serverfarm: WLS11-7001
                    state:UP
                  backup serverfarm : -
            hit count        : 26
            dropped conns    : 0
            compression      : off
      compression:
        bytes_in  : 0                          bytes_out : 0
        Compression ratio : 0.00%
                Gzip: 0               Deflate: 0
      compression errors:
        User-Agent  : 0               Accept-Encoding    : 0
        Content size: 0               Content type       : 0
        Not HTTP 1.1: 0               HTTP response error: 0
        Others      : 0

Thanks Jorge!

Hi Jorge,

I am going to upload the certs again. The weird thing is I just get a cert error from IE saying the cert can't be verified. I click continue and then it just takes me to the http page. It's almost as if it's redirecting me there. There is no cert error after I click continue; however, the URL is just http://ace.poweradvocate.com (http://192.168.211.50).

I would think I would just be dumped into https://ace.poweradvocate.com with the cert error showing up saying it couldn't be verified.

Any thoughts on this?

Thanks!

-Andy

Andy,

Did you try to check your website with: http://www.sslshopper.com/ssl-checker.html ?

I suspect it might be related to the chaingroup at some point.

You said you tried with IE, which version? IE is always problematic.

  1. Did you try with Chrome, Firefox, Safari?
  2. Did you try to clear your browser cookies?
  3. Did you try from local subnet or a remote location?

Jorge

Hi Jorge,

Haven't tried the SSL check yet as it's all internal. I can set up a NAT rule and check it out if necessary. I have tried IE9, IE10 and Firefox and cleared the cache, all with the same results. If the cert is installed wrong, would it just forward over to http and SSL would be unavailable, or would it just show a cert error and I would still be able to access https?

Thanks!

Andy,

I think it should not show the content.

  1. Have you tried to access it via http only to make sure the page works just fine?
  2. Do your servers do any additional redirect or something?
  3. If you install the certificates on the servers directly, remove the SSL termination configuration so the ACE just load balances 443, and let the servers do the SSL termination, are you getting the same results?
  4. If you can modify it and check it out with the link which I gave, that will be great.
  5. Can you upload #show probe TCP7001_PROBE detail and #show serverfarm detail?

Jorge

Andy,

So what did you find?

Jorge

Hi Jorge,

I corrected all my certs and then realized the problem. The managed servers would redirect to /login automatically. I put in an https redirect and now the whole site is in https (which is good). However, there is one single page I want to be in http (it's an auto redirect to the marketing site). I am assuming I will have to create a separate class map and policy map for this?

Thanks for your help.

-Andy
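As an added diagnostic (not code from the thread or from Cisco), the Python below checks for the failure Andy describes: a request made over https to the VIP is answered with a redirect whose Location is http://, which is what a backend behind an SSL-terminating ACE emits when it builds an absolute /login URL from the plain-HTTP request it sees. The sample responses are constructed; the hostname ace.poweradvocate.com is taken from the thread, and probe() is an assumed helper that fetches one URL without following redirects.

```python
import http.client
import ssl
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def downgrade_location(request_url: str, status: int, headers: dict) -> Optional[str]:
    """Return the Location value when a redirect sends an https client to http.
    Relative Locations (no scheme) keep the client's scheme and are not flagged."""
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    if urlsplit(request_url).scheme == "https" and urlsplit(headers["location"]).scheme == "http":
        return headers["location"]
    return None

def upgrade_location(location: str) -> str:
    """Same host, path and query as the downgraded Location, but over https."""
    parts = urlsplit(location)
    return urlunsplit(("https",) + tuple(parts[1:]))

def probe(url: str, timeout: float = 5.0):
    """Fetch url once over TLS without following redirects; returns (status, headers).
    Verification stays on: a verify failure is itself the thread's first symptom."""
    u = urlsplit(url)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout,
                                       context=ssl.create_default_context())
    conn.request("GET", u.path or "/", headers={"Host": u.hostname})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers

# Constructed samples: the backend's /login redirect before and after the fix.
SAMPLE_DOWNGRADE = (b"HTTP/1.1 302 Found\r\nLocation: http://ace.poweradvocate.com/login\r\n"
                    b"Content-Length: 0\r\n\r\n")
SAMPLE_FIXED = b"HTTP/1.1 302 Found\r\nLocation: https://ace.poweradvocate.com/login\r\n\r\n"
```

Against a live VIP, `downgrade_location(url, *probe(url))` returns the offending Location or None; a non-None result means the site drops its clients back to plain HTTP regardless of how the certificate chain is installed.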

Andy,

Yes, it sounds like you might need to match the other URI for that site and then do the redirect.

It is great everything is working now.

Jorge
