SSL Termination Issue on ACE

kalugotla1
Level 1

I configured SSL on my ACE and applied it to the load balancer, my current VIP.

When I hit the VIP IP as HTTPS, it displays "page cannot be displayed". But without SSL the load balancing works fine.

This is the config I have on my ACE:

crypto csr-params test123
  country US
  state CAlifornia
  locality Torrance
  organization-name USA
  organization-unit IT
  common-name USA
  serial-number 1
  email randy.alpha@gmail.com

access-list ALL line 8 extended permit ip any any

probe tcp ftp_tcp
  port 21
  interval 10
  passdetect interval 5
  passdetect count 1
  open 1

rserver host server1
  ip address 10.128.149.86
  inservice
rserver host server2
  ip address 10.128.149.171
  inservice


serverfarm host FTPFARM
  predictor leastconns
  probe ftp_tcp
  rserver server1
    inservice
  rserver server2
    inservice

ssl-proxy service proxy-1
  key rsa.pem
  cert trialcert.pem

sticky ip-netmask 255.255.255.255 address source sticky_FTPFARM
  timeout 20
  timeout activeconns
  replicate sticky
  serverfarm FTPFARM

class-map match-all L4-MAP-FTPFARM
  2 match virtual-address 10.128.149.173 any
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

policy-map type loadbalance first-match L7-FTPFARM
  class class-default
    sticky-serverfarm sticky_FTPFARM

policy-map multi-match L4-PolicyMapMulti-FTP
  class L4-MAP-FTPFARM
    loadbalance vip inservice
    loadbalance policy L7-FTPFARM
    nat dynamic 2 vlan 817

interface vlan 817
  ip address 10.128.149.55 255.255.255.0
  peer ip address 10.128.149.56 255.255.255.0
  access-group input ALL
  nat-pool 2 10.128.149.173 10.128.149.173 netmask 255.255.255.255 pat
  service-policy input remote_mgmt_allow_policy
  service-policy input L4-PolicyMapMulti-FTP
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.128.149.1


3 Replies

thompso7540
Level 1

You have to apply your SSL proxy service to your L4 policy map.


I applied the SSL proxy to my multi-match policy:

ace1/Admin(config)# policy-map multi-match L4-PolicyMapMulti-FTP
ace1/Admin(config-pmap)# class L4-MAP-FTPFARM
ace1/Admin(config-pmap-c)# ssl-proxy service proxy-1
ace1/Admin(config-ssl-proxy)# exit
ace1/Admin(config)# exit

But when I do a sh run, all I see under the L4 policy map is:

policy-map multi-match L4-PolicyMapMulti-FTP
  class L4-MAP-FTPFARM
    loadbalance vip inservice
    loadbalance policy L7-FTPFARM
    nat dynamic 2 vlan 817

When I try to access the server with the VIP IP using HTTPS, I am still getting the message (Message Cannot Be Displayed). But it works great with HTTP.

Please advise.

Did that command take? It should be:

ace1/Admin(config)# policy-map multi-match L4-PolicyMapMulti-FTP
ace1/Admin(config-pmap)# class L4-MAP-FTPFARM
ace1/Admin(config-pmap-c)# ssl-proxy server proxy-1
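The following is an added example of what the corrected section of the running config should look like once the accepted solution is applied; it is not the poster's configuration or Cisco's documentation. It reuses the objects already in the thread (VIP 10.128.149.173, ssl-proxy service proxy-1, loadbalance policy L7-FTPFARM, NAT pool 2 on vlan 817). Two things in it are the editor's assumptions rather than the thread's own text: the TLS termination is put in a separate class that matches only TCP/443 so that the existing any-protocol class (which also carries the FTP traffic) is left alone, and the HTTPS class is listed first so that it is matched before the catch-all class. The trailing show/crypto commands are the checks a practitioner would run to confirm the termination actually took effect.

```text
! Added example, not the poster's config. Assumed: a dedicated HTTPS class so
! TLS is only terminated on TCP/443 of the existing VIP.
class-map match-all L4-MAP-HTTPS
  2 match virtual-address 10.128.149.173 tcp eq https

! The HTTPS class is placed before the existing any-protocol class so it is
! evaluated first. ssl-proxy server is the per-class termination command; the
! global "ssl-proxy service" command only defines the key/cert pair.
policy-map multi-match L4-PolicyMapMulti-FTP
  class L4-MAP-HTTPS
    loadbalance vip inservice
    loadbalance policy L7-FTPFARM
    ssl-proxy server proxy-1
    nat dynamic 2 vlan 817
  class L4-MAP-FTPFARM
    loadbalance vip inservice
    loadbalance policy L7-FTPFARM
    nat dynamic 2 vlan 817

! Verification from exec mode:
!   show crypto files                    -> rsa.pem and trialcert.pem are present
!   crypto verify rsa.pem trialcert.pem  -> private key matches the certificate
!   show running-config policy-map       -> "ssl-proxy server proxy-1" is under the class
!   show service-policy L4-PolicyMapMulti-FTP detail
!   show stats crypto server             -> handshake counters move when a client connects
```

The poster's own transcript above explains why the first attempt left nothing in the running config: after `ssl-proxy service proxy-1` was entered at the `(config-pmap-c)#` prompt, the prompt changed to `(config-ssl-proxy)#`, which is the global mode for defining an SSL proxy service, not the class action. The command therefore re-entered the existing proxy-1 definition instead of attaching it to the class, and `show running-config` showed the policy map unchanged. `ssl-proxy server proxy-1` is the class-level command and is what should appear under the class in `show running-config policy-map`.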
