SSL/TLS Handshake Failure with SSL Termination

xiaolonguk (Level 1)

Guys

I'm wondering if you can help. I have two ACE 4710s configured in FT with 3 contexts, running bridged mode. Everything is working fine; however, I can't seem to get SSL working in SSL proxy/termination mode.

When I do a show stats crypto server, I can see that the client has attempted to connect, but there is an SSL/TLS handshake failure; further down the screen it tells me there have been numerous SSL alert INTERNAL_ERRORs.

If I look at the service-policy I get N number of hits and N number of dropped connections. I've no idea where this is going wrong.

At the moment the config on the context is dirt simple, so clearly I'm missing something:

serverfarm host CUSTxxx-vFARM
  predictor response app-request-to-resp samples 4
  probe CUSTxx-HTTP-PROBE
  rserver SCEXTWB01 80
    inservice
  rserver SCEXTWB02 0
    inservice
exit

sticky http-cookie SessionID CUSTxxx-vFARM-STICKY
  cookie insert browser-expire
  timeout 1800
  replicate sticky
  serverfarm CUSTxxx-vFARM
exit

rserver redirect REDIRECT-TO-HTTPS
  webhost-redirection https://%h%p 301
  inservice

action-list type modify http CUSTxxx-HTTPS-REWRITE
  ssl url rewrite location ???? sslport 443 clearport 80

ssl-proxy service CUSTxxx-SSL-SERVICE
  key CUSTxxx-key.pem
  cert CUSTxxx-cert.pem

serverfarm redirect REDIRECT-vFARM
  rserver REDIRECT-TO-HTTPS
    inservice

class-map match-all CUSTxxx-HTTP
  2 match virtual-address ???? tcp eq 80
exit

class-map match-all CUSTxxx-HTTPS
  2 match virtual-address ???? tcp eq 443
exit

policy-map type loadbalance http first-match CUSTxxx-HTTPS-POLICY
  class class-default
    action CUSTxxx-HTTPS-REWRITE
    sticky-serverfarm CUSTxxx-vFARM-STICKY

policy-map type loadbalance first-match REDIRECT-TO-HTTPS-POLICY
  class class-default
    serverfarm REDIRECT-vFARM

policy-map multi-match VIP-POLICY
  class CUSTxxx-HTTP
    loadbalance vip inservice
    loadbalance policy REDIRECT-TO-HTTPS-POLICY
  class CUSTxxx-HTTPS
    loadbalance vip inservice
    loadbalance policy CUSTxxx-HTTPS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server CUSTxxx-SSL-SERVICE
    advanced-options tcp-parameter-map
    appl-parameter http advanced-options http-parameter-map
exit


Pablo (Cisco Employee)

Hi,

The configuration looks in good shape; the only thing that seems to be misconfigured is the PAT for rserver SCEXTWB02. Perhaps you hit the VIP and got stuck to this server, so any subsequent request will fail, as port 0 is not your clear-text TCP port:

serverfarm host CUSTxxx-vFARM
  predictor response app-request-to-resp samples 4
  probe CUSTxx-HTTP-PROBE
  rserver SCEXTWB01 80
    inservice
  rserver SCEXTWB02 0
    inservice
exit

Once you've changed the port, clear the browser cache and try to connect again. If still no luck, paste the output of show service-policy VIP-POLICY and show serverfarm CUSTxxx-vFARM detail.

HTH


Pablo

Hi

As requested. If I run this up in Firefox I get the following error.

Peer reports it experienced an internal error.

(Error code: ssl_error_internal_error_alert)

I can see from a show stats crypto server that the client is trying to connect using TLS, and the cipher count does increase; however, nothing works. If I set an SSL parameter-map to nail this to SSL, I get a message about no common agreeable ciphers.

Context Global Policy:
  service-policy: VIP-POLICY
    class: CUST01-HTTP
      loadbalance:
        L7 loadbalance policy: CUST01-HTTP-POLICY
        Regex dnld status    : QUEUED
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        Persistence Rebalance: ENABLED
        curr conns       : 0         , hit count        : 11
        dropped conns    : 0
        client pkt count : 1054      , client byte count: 54164
        server pkt count : 1405      , server byte count: 1940545
        conn-rate-limit      : -         , drop-count : -
        bandwidth-rate-limit : -         , drop-count : -
      compression:
        bytes_in  : 0                          bytes_out : 0
        Compression ratio : 0.00%
                Gzip: 0               Deflate: 0
      compression errors:
        User-Agent  : 0               Accept-Encoding    : 0
        Content size: 0               Content type       : 0
        Not HTTP 1.1: 0               HTTP response error: 0
        Others      : 0
        Parameter-map(s):
          http-parameter-map
          tcp-parameter-map
    class: CUST01-HTTPS
      ssl-proxy server: CUST01-HTTPS-SERVICE
      loadbalance:
        L7 loadbalance policy: CUST01-HTTPS-POLICY
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        Persistence Rebalance: ENABLED
        curr conns       : 0         , hit count        : 107
        dropped conns    : 2
        client pkt count : 427       , client byte count: 29603
        server pkt count : 3         , server byte count: 629
        conn-rate-limit      : -         , drop-count : -
        bandwidth-rate-limit : -         , drop-count : -
      compression:
        bytes_in  : 0                          bytes_out : 0
        Compression ratio : 0.00%
                Gzip: 0               Deflate: 0
      compression errors:
        User-Agent  : 0               Accept-Encoding    : 0
        Content size: 0               Content type       : 0
        Not HTTP 1.1: 0               HTTP response error: 0
        Others      : 0
        Parameter-map(s):
          http-parameter-map
          tcp-parameter-map

---------------------------------
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: SCEXTWB01
       10.20.30.1:80         8      OPERATIONAL  0          6          0
         description          : -
         max-conns            : -         , out-of-rotation count : -
         min-conns            : -
         conn-rate-limit      : -         , out-of-rotation count : -
         bandwidth-rate-limit : -         , out-of-rotation count : -
         retcode out-of-rotation count : -
         average response time (usecs) : 0

   rserver: SCEXTWB02
       10.20.30.2:80         8      OPERATIONAL  0          4          0
         description          : -
         max-conns            : -         , out-of-rotation count : -
         min-conns            : -
         conn-rate-limit      : -         , out-of-rotation count : -
         bandwidth-rate-limit : -         , out-of-rotation count : -
         retcode out-of-rotation count : -
         average response time (usecs) : 0

Gilles (Accepted Solution)

Do you have ssl resource allocated for the context?

Did you verify key and cert match? (crypto verify ....)

Do you have a sniffer trace showing the problem?

Gilles.
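The "does the key match the cert" check Gilles asks about, and the handshake failure / "no common agreeable ciphers" symptoms from the reply above, as an added example that is not from this thread, from Cisco, or from the ACE software. The Go program below uses only the standard library: it generates a throwaway RSA key and self-signed certificate, shows the software equivalent of verifying that a key and certificate belong together (tls.X509KeyPair refuses a certificate whose public key is not the key's), runs an in-memory TLS 1.2 handshake with the matching pair, and then reproduces a "no common cipher" failure by giving client and server disjoint cipher-suite lists. The host name vip.example.test and all key material are constructed for the example; nothing here is the ACE's own command syntax or output.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewKeyAndCert generates an RSA key and a self-signed certificate for cn,
// PEM-encoded like the key .pem / cert .pem files an ssl-proxy service would
// reference. Constructed material for this example only.
func NewKeyAndCert(cn string) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

// KeyMatchesCert returns nil only when the private key's public half equals
// the public key inside the certificate; tls.X509KeyPair performs that check.
func KeyMatchesCert(certPEM, keyPEM []byte) error {
	_, err := tls.X509KeyPair(certPEM, keyPEM)
	return err
}

// Configs builds a server config for certPEM/keyPEM and a client config that
// trusts only that certificate and expects cn, the way a browser would.
// TLS 1.2 is pinned so that explicit cipher-suite lists actually take effect.
func Configs(cn string, certPEM, keyPEM []byte) (*tls.Config, *tls.Config, error) {
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(certPEM)
	server := &tls.Config{Certificates: []tls.Certificate{pair}, MaxVersion: tls.VersionTLS12}
	client := &tls.Config{RootCAs: roots, ServerName: cn, MaxVersion: tls.VersionTLS12}
	return server, client, nil
}

// Handshake runs one TLS handshake between an in-memory client and server
// over net.Pipe (no sockets needed) and returns the client-side error, which
// is what a browser would surface, e.g. a handshake_failure alert from the peer.
func Handshake(serverCfg, clientCfg *tls.Config) error {
	clientConn, serverConn := net.Pipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		defer serverConn.Close()
		_ = tls.Server(serverConn, serverCfg).Handshake() // failure reaches the client as an alert
	}()
	err := tls.Client(clientConn, clientCfg).Handshake()
	clientConn.Close()
	<-done
	return err
}

func main() {
	const cn = "vip.example.test" // constructed host name
	certA, keyA, _ := NewKeyAndCert(cn)
	_, keyB, _ := NewKeyAndCert(cn) // a second key that does not belong to certA

	fmt.Println("matching key/cert :", KeyMatchesCert(certA, keyA))
	fmt.Println("mismatched        :", KeyMatchesCert(certA, keyB))

	server, client, _ := Configs(cn, certA, keyA)
	fmt.Println("handshake         :", Handshake(server, client))

	// Disjoint cipher-suite lists reproduce a "no common cipher" failure.
	server2, client2, _ := Configs(cn, certA, keyA)
	server2.CipherSuites = []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
	client2.CipherSuites = []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}
	fmt.Println("cipher clash      :", Handshake(server2, client2))
}
```

Run it with go run. The first two lines cover Gilles' second question (a mismatched key and certificate is caught before anything is uploaded to a device); the last two mirror the symptoms in the reply above: a working pair completes the handshake, while a cipher clash produces an alert from the peer rather than a local error, which is how a browser ends up reporting a handshake failure.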

Gilles

That got it, it was the resource call; however, what is confusing me is the resource class is defined for 20% of all the box's capabilities. I even created a separate resource allocation for SSL and it didn't work. If I remove the member allocation it works a treat.

How can I keep my resource allocations in place to protect the other contexts and still have SSL?

Weird, because you always need to be a member of some resource class.

Could you get a 'show resource usage' and 'show resource allocation'?

Thanks,

Gilles.
