03-04-2013 08:18 AM
I am trying to get SSL to work. I have the configuration in place, but it always just tells me there is a cert error and redirects to HTTP. My config is below.
Thanks for any help!
-Andy
crypto chaingroup poweradvocatechain
  cert pabundle.pem

access-list allow line 8 extended permit ip any any

probe icmp PROBE_SERVICE_ICMP
  interval 5
  passdetect interval 5
  receive 5
probe tcp TCP443_PROBE
  port 443
  interval 5
  passdetect interval 5
  receive 5
  connection term forced
  open 2
probe tcp TCP7001_PROBE
  port 7001
  interval 5
  passdetect interval 5
  receive 3
  connection term forced
  open 2
probe tcp TCP80_PROBE
  interval 5
  passdetect interval 5
  receive 3
  connection term forced
  open 2

rserver host 228-WLS11host1
  ip address 192.168.211.228
  inservice
rserver host 229-WLS11host2
  ip address 192.168.211.229
  inservice

serverfarm host WLS11-7001
  probe TCP7001_PROBE
  rserver 228-WLS11host1 7001
    inservice
  rserver 229-WLS11host2 7001
    inservice

sticky http-cookie ACE_COOKIE-7001 7001_STICKY
  cookie insert browser-expire
  replicate sticky
  serverfarm WLS11-7001

ssl-proxy service prodproxy
  key poweradvocate.pem
  cert poweradvocate.pem
  chaingroup poweradvocatechain

class-map type http loadbalance match-any L5
  2 match http url /.*
class-map match-all WLS11-7001-CLASS
  2 match virtual-address 192.168.211.50 tcp eq www
class-map match-all WLS11-HTTPS-CLASS
  2 match virtual-address 192.168.211.50 tcp eq https

policy-map type loadbalance first-match WLS11-7001-Policy
  class L5
    sticky-serverfarm 7001_STICKY

policy-map multi-match WLS11-SLB
  class WLS11-7001-CLASS
    loadbalance vip inservice
    loadbalance policy WLS11-7001-Policy
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 1000
  class WLS11-HTTPS-CLASS
    loadbalance vip inservice
    loadbalance policy WLS11-7001-Policy
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 1000
    ssl-proxy server prodproxy

interface vlan 1000
  ip address 192.168.211.226 255.255.255.0
  access-group input allow
  nat-pool 1 192.168.211.50 192.168.211.50 netmask 255.255.255.255 pat
  service-policy input WLS11-SLB
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.211.235
03-04-2013 03:02 PM
Andy,
Can you paste the error you are getting?
You can check what you got wrong by typing the site in here; it will check it and let you know what's wrong.
http://www.sslshopper.com/ssl-checker.html
Why do you have your key, intermediate, and cert named the same way?
Can you upload the "show crypto files" output?
Jorge
03-04-2013 04:46 PM
It simply redirects me to the HTTP page instead of going to the SSL page. The show crypto files output is below.

PA-ACE-4700-SLB/Prod-Support# show crypto files

Filename                     File  File  Expor  Key/
                             Size  Type  table  Cert
-----------------------------------------------------------------------
cisco-sample-cert            1082  PEM   Yes    CERT
cisco-sample-key              887  PEM   Yes    KEY
pabundle.pem                 3311  PEM   Yes    CERT
poweradvocate.pem            3730  PEM   Yes    BOTH
Let me know your thoughts.
Thanks!
03-04-2013 04:55 PM
Andy,
I thought you said: "there is a cert error ", can you paste a screenshot of that error?
But how are you testing this?
Like this?
https://192.168.211.50
Or
http://192.168.211.50 and then it should be redirected to: https://192.168.211.50?
How do you have this: WLS11-7001-Policy configured?
Can you do the following?
# clear stats all
Generate traffic and get the following:
# show service-policy WLS11-SLB class-map WLS11-HTTPS-CLASS detail
Jorge
03-04-2013 05:15 PM
I am testing it by going to https://192.168.211.50
The WLS11-7001-Policy is defined here:

policy-map type loadbalance first-match WLS11-7001-Policy
  class L5
    sticky-serverfarm 7001_STICKY

Eventually I want the redirect to work, but for now I am trying to get SSL to work. I am going one step at a time.
Here is the output from the command:
PA-ACE-4700-SLB/Prod-Support# show service-policy WLS11-SLB class-map WLS11-HTTPS-CLASS detail

Status     : ACTIVE
Description: -----------------------------------------
Interface: vlan 1 1000
  service-policy: WLS11-SLB
    class: WLS11-HTTPS-CLASS
      ssl-proxy server: prodproxy
      nat:
        nat dynamic 1 vlan 1000
        curr conns       : 1         , hit count        : 3
        dropped conns    : 0
        client pkt count : 24        , client byte count: 2532
        server pkt count : 12        , server byte count: 2386
        conn-rate-limit      : 0     , drop-count : 0
        bandwidth-rate-limit : 0     , drop-count : 0
      VIP Address:    Protocol:  Port:
        192.168.211.50  tcp        eq    443
      loadbalance:
        L7 loadbalance policy: WLS11-7001-Policy
        Regex dnld status    : SUCCESSFUL
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        Persistence Rebalance: ENABLED
        curr conns       : 1         , hit count        : 5
        dropped conns    : 0
        client pkt count : 44        , client byte count: 4334
        server pkt count : 12        , server byte count: 2386
        conn-rate-limit      : 0     , drop-count : 0
        bandwidth-rate-limit : 0     , drop-count : 0
        L7 Loadbalance policy : WLS11-7001-Policy
          class/match : L5
            LB action: :
              sticky group: 7001_STICKY
              primary serverfarm: WLS11-7001
                state: UP
              backup serverfarm : -
            hit count        : 26
            dropped conns    : 0
            compression      : off
        compression:
          bytes_in : 0         bytes_out : 0
          Compression ratio : 0.00%
          Gzip: 0   Deflate: 0
          compression errors:
            User-Agent       : 0   Accept-Encoding     : 0
            Content size     : 0   Content type        : 0
            Not HTTP 1.1     : 0   HTTP response error : 0
            Others           : 0
Thanks Jorge!
03-04-2013 05:24 PM
Andy,
Everything looks fine as you can see here:
client pkt count : 24 , client byte count: 2532
server pkt count : 12 , server byte count: 2386
VIP State: INSERVICE
VIP is in service and traffic is reaching the ACE and is being sent to the servers.
What cert error are you getting?
I think you may need to get the root, inter and server certificate separated and then upload it to the ACE.
Jorge
03-04-2013 06:25 PM
Hi Jorge,
I am going to upload the certs again. The weird thing is I just get a cert error from IE saying the cert can't be verified. I click continue and then it just takes me to the HTTP page. It's almost as if it's redirecting me there. There is no cert error after I click continue; however, the URL is just http://ace.poweradvocate.com (http://192.168.211.50).
I would think I would just be dumped into https://ace.poweradvocate.com with the cert error showing up saying it couldn't be verified.
Any thoughts on this?
Thanks!
-Andy
03-04-2013 07:47 PM
Andy,
Did you try to check your website with http://www.sslshopper.com/ssl-checker.html ?
I suspect it might be related to the chaingroup at some point.
You said you tried with IE, which version? IE is always problematic.
Jorge
03-04-2013 07:53 PM
Hi Jorge,
Haven't tried the SSL check yet, as it's all internal. I can set up a NAT rule and check it out if necessary. I have tried IE9, IE10 and Firefox and cleared the cache, all with the same results. If the cert is installed wrong, would it just forward over to HTTP and SSL would be unavailable, or would it just show a cert error and I would still be able to access HTTPS?
Thanks!
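Two things come together in the exchange above: Jorge's advice to separate the root, intermediate and server certificates before loading them on the ACE, and the fact that the VIP is internal, so an external checker like sslshopper cannot reach it. The script below is an added example, not part of the thread and not Cisco's code. It uses the openssl CLI to do the same job offline: split a combined PEM bundle (the shape of a file like pabundle.pem) into one certificate per file, classify each piece as root, intermediate or server by comparing subject with issuer and looking for CA:TRUE, and verify the chain both with and without the intermediate, since the missing intermediate is exactly what a browser reports as "the certificate cannot be verified". The three-tier demo PKI, the name ace.example.test and all file names are constructed for the example; fetch_served_chain is the equivalent of the external check against a live listener and is defined but not run here.

```shell
#!/bin/sh
# Added example, not from the thread: split a combined PEM bundle (root +
# intermediate + server in one file) into one file per certificate, work out
# which is which, and verify the chain offline with the openssl CLI, which is
# what an external checker such as sslshopper would do against the VIP.
# The demo PKI below is constructed locally; no real keys or hosts are used.

# Print the role of one PEM certificate: root, intermediate, or server.
classify_cert() {
    f=$1
    subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then
        echo root                                  # self-signed: issuer == subject
    elif openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE'; then
        echo intermediate                          # a CA, but signed by someone else
    else
        echo server                                # end-entity (leaf) certificate
    fi
}

# Split a bundle into outdir/cert-NN.pem in bundle order; print the count.
# Anything outside BEGIN/END blocks (bag attributes, comments) is dropped.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$bundle"
    ls "$outdir"/cert-*.pem | wc -l | tr -d ' '
}

# Verify server against root; the intermediate (if given) is passed as
# untrusted, which is how a browser receives it from the chaingroup.
verify_chain() {
    root=$1; server=$2; inter=$3
    if [ -n "$inter" ]; then
        openssl verify -CAfile "$root" -untrusted "$inter" "$server" >/dev/null 2>&1
    else
        openssl verify -CAfile "$root" "$server" >/dev/null 2>&1
    fi
}

# Pull the chain a live listener actually serves (needs network, not run by
# the demo); the output file can be fed to split_bundle and classify_cert.
fetch_served_chain() {
    host=$1; port=$2; out=$3
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
}

# Constructed three-tier demo PKI: root -> intermediate -> server, bundled in
# the order vendors usually ship it (server first, root last).
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Demo Root CA' \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 365 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=ace.example.test' \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -days 365 -out "$dir/server.pem" 2>/dev/null
    cat "$dir/server.pem" "$dir/inter.pem" "$dir/root.pem" > "$dir/bundle.pem"
}

# Demo: split the bundle, name each piece by role, then show the two outcomes
# a browser can see: full chain (verifies) vs. missing intermediate (fails).
main() {
    work=$(mktemp -d)
    make_demo_pki "$work"
    echo "bundle holds $(split_bundle "$work/bundle.pem" "$work/split") certificates"
    for f in "$work"/split/cert-*.pem; do
        role=$(classify_cert "$f")
        echo "$(basename "$f") -> $role"
        cp "$f" "$work/$role.crt"
    done
    verify_chain "$work/root.crt" "$work/server.crt" "$work/intermediate.crt" \
        && echo "with intermediate: chain OK (chaingroup = root.crt + intermediate.crt)"
    verify_chain "$work/root.crt" "$work/server.crt" \
        || echo "without intermediate: cannot verify (the browser's 'cert error')"
    rm -rf "$work"
}
main
```

In the thread's layout the pieces map directly onto the config: the root and intermediate files are what the chaingroup should carry, and the server certificate plus its key is what the ssl-proxy service references. To see what the VIP really sends, run fetch_served_chain 192.168.211.50 443 served.pem from an internal host and pass served.pem through split_bundle and classify_cert; if no file classifies as intermediate, the chain the ACE serves is incomplete and the browser warning follows.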
03-04-2013 08:10 PM
Andy,
I think it should not show the content.
Jorge
03-05-2013 02:59 PM
Andy,
So what did you find?
Jorge
03-05-2013 06:13 PM
Hi Jorge,
I corrected all my certs and then realized the problem. The managed servers would redirect to /login automatically. I put in an HTTPS redirect and now the whole site is in HTTPS (which is good). However, there is one single page I want to be in HTTP (it's an auto redirect to the marketing site). I am assuming I will have to create a separate class map and policy map for this?
Thanks for your help.
-Andy
03-05-2013 08:45 PM
Andy,
Yes, it sounds like you might need to match the other URI for that site and then do the redirect.
It is great everything is working now.
Jorge