12-05-2011 02:21 PM
I'm having trouble getting SSL offloading to work correctly in my test environment. I built a test web server and can get HTTP to load balance just fine. In the same context I am doing SSL offloading. Within Wireshark I can see the source making it to the ACE and then the ACE communicating with the web server, but the connection stops after the web server sends an ACK packet to the NAT address on the ACE. The connection eventually gets an RST. Here's the configuration:
ACE/VC_test# sh run
Generating configuration....

crypto chaingroup INTERMED_GODADDY
  cert intermediate.pem

access-list Allow_VLAN205_Traffic line 15 extended permit tcp any host 10.90.205.10 eq https
access-list Allow_VLAN205_Traffic line 18 extended permit tcp any host 10.90.205.10 eq www

probe icmp ICMP_PROBE
  description PROBE INTENDED FOR LOAD BALANCING TRAFFIC
  interval 2
  faildetect 2
  passdetect interval 2
  passdetect count 5

rserver host WEB01
  ip address 10.90.10.46
  inservice
rserver host WEB02
  ip address 10.90.10.47
  inservice

serverfarm host SF_test
  description TEST SERVER FARM
  probe ICMP_PROBE
  rserver WEB01
    inservice
  rserver WEB02

parameter-map type ssl SSL_TERM_PARAM
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA priority 3
  rehandshake enabled

sticky http-cookie SSL_PERS SFTEST_STICKY
  cookie insert browser-expire
  serverfarm SF_test

action-list type modify http SSL_ACTIONLIST
  ssl url rewrite location "lb\.website\.org\.*"

ssl-proxy service SSL_PROXY_SSLTEST
  key lbprivatekey.pem
  cert lbservercert.pem
  chaingroup INTERMED_GODADDY
  ssl advanced-options SSL_TERM_PARAM

class-map match-all HTTPS_CLASS
  2 match virtual-address 10.90.205.10 255.255.255.0 tcp eq https
class-map type management match-any Remote-Mgmt_Class
  2 match protocol ssh any
  3 match protocol https any
  4 match protocol icmp any
  5 match protocol snmp any
  6 match protocol xml-https any
class-map match-all VIP_CLASS
  2 match virtual-address 10.90.205.10 tcp eq www

policy-map type management first-match Remote-Mgmt_Policy
  class Remote-Mgmt_Class
    permit

policy-map type loadbalance http first-match HTTP_POLICY
  class class-default
    serverfarm SF_test
policy-map type loadbalance http first-match SSL_POLICY
  class class-default
    sticky-serverfarm SFTEST_STICKY
    action SSL_ACTIONLIST

policy-map multi-match HTTPS_VIPs
  class HTTPS_CLASS
    loadbalance vip inservice
    loadbalance policy SSL_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 30 vlan 205
    ssl-proxy server SSL_PROXY_SSLTEST
policy-map multi-match VIPs
  class VIP_CLASS
    loadbalance vip inservice
    loadbalance policy HTTP_POLICY
    loadbalance vip icmp-reply active
  class class-default
    nat dynamic 20 vlan 205

interface vlan 200
interface vlan 205
  description TEST
  ip address 10.90.205.11 255.255.255.0
  no normalization
  access-group input Allow_VLAN205_Traffic
  nat-pool 20 10.90.205.250 10.90.205.254 netmask 255.255.255.0 pat
  nat-pool 30 10.90.205.240 10.90.205.245 netmask 255.255.255.0 pat
  service-policy input VIPs
  service-policy input HTTPS_VIPs
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.90.205.1
Could the problem be the ssl rewrite?
12-05-2011 11:34 PM
Hello,
In order for SSL termination to work correctly, you need to specify the clear-text port used on the backend servers; otherwise the ACE will make the call to the servers using the same port configured for the VIP.
Try removing the rservers from the serverfarm first and then add the clear-text port number next to them. It would end up looking like this:
serverfarm host SF_test
  description TEST SERVER FARM
  probe ICMP_PROBE
  rserver WEB01 80
    inservice
  rserver WEB02 80
HTH
__ __
Pablo
12-06-2011 08:48 AM
Unfortunately that didn't work for me. Since SSL offloading is done at the ACE, there is no reason to have the web server answering on port 443, correct?
12-06-2011 08:56 AM
I think I spotted another problem in your configuration: your HTTPS VIP is using a /24 mask instead of a /32.
Remove the current line and enter the following line instead:
2 match virtual-address 10.90.205.10 255.255.255.255 tcp eq https
To answer your question... yeah, it makes no sense to use 443 on your backend servers for what you're trying to accomplish; this would be called end-to-end SSL and it would add extra processing to your servers.
HTH
__ __
Pablo
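As an added example (not from the thread or from Cisco), here is a small Python check that scans an ACE running-config text for the two defects Pablo points out in his replies: a `match virtual-address` with a mask other than /32, and serverfarm members without an explicit clear-text port, which an SSL-terminating VIP would otherwise reach on the VIP's own port (443). The config fragment is constructed from the thread, and the parser assumes the indentation that `show run` produces.

```python
import re

# Constructed sample: the fragments of the thread's config that carry the
# two defects (VIP matched with a /24 mask, farm members with no port).
SAMPLE_CONFIG = """\
serverfarm host SF_test
  rserver WEB01
    inservice
  rserver WEB02
class-map match-all HTTPS_CLASS
  2 match virtual-address 10.90.205.10 255.255.255.0 tcp eq https
class-map match-all VIP_CLASS
  2 match virtual-address 10.90.205.10 tcp eq www
"""

# Optional dotted mask between the VIP and the "tcp eq <port>" clause.
VIP_RE = re.compile(
    r"match virtual-address (\S+)(?: (\d+\.\d+\.\d+\.\d+))? tcp eq (\S+)")


def find_vip_mask_issues(config):
    """Return (class-map, vip, mask) for every VIP match whose mask is not /32.
    A /24 here makes the class claim the whole subnet, not one host."""
    issues, current = [], None
    for line in config.splitlines():
        if line.startswith("class-map "):
            current = line.split()[-1]          # class-map name is the last token
        m = VIP_RE.search(line)
        if m:
            vip, mask, _port = m.groups()
            if mask is not None and mask != "255.255.255.255":
                issues.append((current, vip, mask))
    return issues


def find_unported_rservers(config):
    """Return (serverfarm, rserver) for farm members lacking a backend port.
    Behind an 'ssl-proxy server' VIP these are reached on the VIP port (443),
    so the clear-text port (e.g. 'rserver WEB01 80') must be given explicitly."""
    issues, farm = [], None
    for line in config.splitlines():
        if line.startswith("serverfarm host "):
            farm = line.split()[-1]
        elif farm and not line.startswith(" "):
            farm = None                          # left the serverfarm block
        elif farm:
            parts = line.split()
            if len(parts) == 2 and parts[0] == "rserver":
                issues.append((farm, parts[1]))
    return issues


if __name__ == "__main__":
    print(find_vip_mask_issues(SAMPLE_CONFIG))
    print(find_unported_rservers(SAMPLE_CONFIG))
```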
12-06-2011 09:26 AM
That did it! Now https is working. Thanks!
Is it possible to have regular HTTP on this context, or is it best practice to put HTTPS on its own context?
UPDATE: I just got HTTP load balancing as well on the same context.
