cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
773
Views
0
Helpful
7
Replies

SSL Termination Not Working

krishnadas.R_2
Level 1
Level 1

Hi,

I have tried configuring SSL termination on ACE. soft ver is Version 3.0(0)A1(4a)

Connectivity was working fine with HTTP and the website was accessible from the Internet. After I put the SSL configs, the connectivity is not working, browser is throwing an error "Secure Connection Failed" "(Error code: ssl_error_rx_record_too_long)"

I am using a trial certificate from thawte for testing. Attached the running-config and the statistics.

Any help/advice is really appreciated.

Thanks,

kris

7 Replies 7

jason.espino
Level 1
Level 1

Hello kris,

Looking at your configuration your layer 4 class-map does not define/allow HTTP connections to establish to the vip address.

class-map match-all ERDMZ80

3 match virtual-address 10.1.151.100 tcp eq http

class-map match-all ERDMZ443

3 match virtual-address 10.1.151.100 tcp eq https

Regarding your SSL configuration it looks correct if the cert is self-signed, but you can also try to separate the configuration for HTTP and HTTPS traffic for the same VIP.

class-map match-all ERDMZ80

3 match virtual-address 10.1.151.100 tcp eq http

class-map match-all ERDMZ443

3 match virtual-address 10.1.151.100 tcp eq https

policy-map type loadbalance first-match ERDMZ-VIP

class class-default

sticky-serverfarm ERDMZ-STICKY

policy-map multi-match ERDMZ-POLICY

class ERDMZ80

loadbalance vip inservice

loadbalance policy ERDMZ-VIP

loadbalance vip icmp-reply

class ERDMZ443

loadbalance vip inservice

loadbalance policy ERDMZ-VIP

loadbalance vip icmp-reply

ssl-proxy server ERproxy-1

- Jason

Hi Jason,

Many Thanks for taking time in looking into the configs.

I have separated the configs for HTTP and SSL, however it is not working.. I am thinking of installing a new trial certificate from some other CA, shall update you the result.

Thanks,

Kris

ciscocsoc
Level 4
Level 4

Hi Kris,

I'd normally expect to see a chaingroup with the Thawte CA and any intermediate certificates. Or is this test certificate self-signed?

Can you show the crypto file listing of the certificate(s) and key(s)? (sh crypto files)

Kind Regards

Cathy

HiCathy,

The certificate I am using is a trial one from Thawte.

Here is the output,

ICT_ACE1/ERzone# sh crypto files

Filename File File Expor Key/

Size Type table Cert

-----------------------------------------------------------------------

ER-Key.pem 887 PEM Yes KEY

ER-Cert.pem 1903 PEM Yes CERT

ICT_ACE1/ERzone#

I am not sure if the error is because I have installed a wrong certificate type? Do we need to install specific type of certificate for Cisco Devices? I have verified the that the certificate and key does match using crypto verify..

Waiting for the reply.

Thanks,

-Kris

Hi Kris,

You need to import Thawte Test CA Root.pem, add it to a chaingroup and then associate the chaingroup to the SSL server. The ACE needs to see the whole certificate chain.

Kind Regards

Cathy

Hi Cathy,

Thanks for the advice,

I have done it as you suggested, still the browser is showing the same error..

Attached is the current running config, pls have a look.

Thanks

Kris

You shouldn't have an SSL server in the policy for HTTP traffic.

class ERDMZ80

loadbalance vip inservice

loadbalance policy ERDMZ-VIP

loadbalance vip icmp-reply

ssl-proxy server ERproxy-1 <---delete

The error indicates an issue with the FQDN so you need to check the DNS name against the name you quote when generating the certificate.

Cathy

Review Cisco Networking for a $25 gift card