SSL termination occurs when the ACE, acting as an SSL proxy server, terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server. The ACE uses parameter maps, SSL proxy services, and class maps to build the policy maps that determine the flow of information between the client, the ACE, and the server. SSL termination is a Layer 3 and Layer 4 application because it is based on the destination IP addresses of the inbound traffic flow from the client. Before configuring your ACE for SSL operation, you must first configure it for server load balancing (SLB). This document describes a typical configuration issue.
Prerequisites: a basic understanding of how the Cisco ACE works and familiarity with ACE CLI commands.
SSL termination on the Cisco ACE does not work as expected. The device configuration is as follows.
probe http EXAMPLE_IT_HTTP
  port 8889
  interval 5
  faildetect 2
  passdetect interval 10
  passdetect count 2
  request method get url /probe/probe.html
  expect status 200 206
  expect status 300 307
  open 1

class-map match-all example_IT_HTTP
  2 match virtual-address XX.235.121.6 tcp eq www
class-map match-all example_IT_HTTPS-HTTP
  2 match virtual-address XX.235.121.6 tcp eq www

policy-map type loadbalance first-match example_IT_HTTP-l7slb
  class class-default
    serverfarm example_IT_HTTP
policy-map type loadbalance first-match example_IT_HTTPS-HTTP-l7slb
  class class-default
    sticky-serverfarm example-IT-HTTPS-HTTP

policy-map multi-match int41
  class example_IT_HTTP
    loadbalance vip inservice
    loadbalance policy example_IT_HTTP-l7slb
    loadbalance vip icmp-reply active primary-inservice
  class example_IT_HTTPS-HTTP
    loadbalance vip inservice
    loadbalance policy example_IT_HTTPS-HTTP-l7slb
    loadbalance vip icmp-reply active primary-inservice
    ssl-proxy server SSL_example_IT
Load balancing of HTTP traffic works properly, but SSL termination does not.
The command "show stats crypto" shows all connections as zero.
ACE# sh crypto certificate all
example_it.cert:
  Subject: /C=GB/ST=United Kingdom/L=London/O=XXXXXXXX/OU=XXXXXXXXX/CN=*.xxxx.com
  Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
  CA Cert: FALSE

example_it.ca:
  Subject: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
  Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
  Not Before: Nov 8 00:00:00 2006 GMT
  Not After: Jul 16 23:59:59 2036 GMT
  CA Cert: TRUE

ACE# sh crypto session
SSL Session Cache Stats for Context
------------------
Number of Client Sessions: 0
Number of Server Sessions: 0
The configuration needs to be changed as follows.

class-map match-all example_IT_HTTPS-HTTP
  2 match virtual-address 220.127.116.11 tcp eq www

In this class map, change `tcp eq www` (www means port 80) to `tcp eq 443`. With the original configuration the class example_IT_HTTPS-HTTP is never matched: both class maps select the same VIP on port 80, so port-80 traffic is handled by the example_IT_HTTP class, and client connections to port 443 match neither class. Because the ssl-proxy server is attached only to the example_IT_HTTPS-HTTP class, no SSL connection is ever terminated, which is why `show stats crypto` and `show crypto session` report zero.
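As an added check (not part of the original document and not a Cisco tool), the following Python lint reads an ACE-style configuration and reports the two symptoms of this case: a class with an `ssl-proxy server` whose class map does not match port 443, and a class map that duplicates the VIP and port of an earlier class in the same multi-match policy and therefore never matches. The configuration text and the VIP 192.0.2.6 are constructed for the example.

```python
# Constructed ACE-style config reproducing the page's mistake: both class maps select
# the same VIP on port 80, while the ssl-proxy is attached to the second class.
ACE_CONFIG = """\
class-map match-all example_IT_HTTP
  2 match virtual-address 192.0.2.6 tcp eq www
class-map match-all example_IT_HTTPS-HTTP
  2 match virtual-address 192.0.2.6 tcp eq www
policy-map multi-match int41
  class example_IT_HTTP
    loadbalance policy example_IT_HTTP-l7slb
  class example_IT_HTTPS-HTTP
    loadbalance policy example_IT_HTTPS-HTTP-l7slb
    ssl-proxy server SSL_example_IT
"""
PORT_NAMES = {"www": 80, "http": 80, "https": 443}

def parse_ace(config):
    """Return ({class-map: (vip, port)}, [(policy, class, has_ssl_proxy), ...] in config order)."""
    class_maps, policy_classes, kind, section = {}, [], None, None
    for raw in config.splitlines():
        line, words = raw.strip(), raw.split()
        if line.startswith("class-map "):
            kind, section = "cmap", words[-1]
        elif line.startswith("policy-map "):
            kind, section = "policy", words[-1]
        elif kind == "cmap" and "match virtual-address" in line:
            port = words[-1]  # keyword (www/https) or a numeric port
            class_maps[section] = (words[3], PORT_NAMES.get(port, int(port) if port.isdigit() else port))
        elif kind == "policy" and line.startswith("class "):
            policy_classes.append([section, words[1], False])
        elif kind == "policy" and line.startswith("ssl-proxy server ") and policy_classes:
            policy_classes[-1][2] = True  # ssl-proxy belongs to the most recent class
    return class_maps, [tuple(p) for p in policy_classes]

def lint_ssl_termination(config):
    """Flag ssl-proxy classes not on port 443 and class maps shadowed by an earlier VIP/port."""
    class_maps, policy_classes = parse_ace(config)
    findings, seen = [], {}
    for policy, cls, has_ssl in policy_classes:
        vip, port = class_maps.get(cls, (None, None))
        if has_ssl and port != 443:
            findings.append(f"{cls}: ssl-proxy attached, but class map matches tcp port {port}, not 443")
        if (policy, vip, port) in seen:
            findings.append(f"{cls}: same VIP/port as {seen[(policy, vip, port)]} in {policy}; it will never match")
        seen.setdefault((policy, vip, port), cls)
    return findings

if __name__ == "__main__":
    for finding in lint_ssl_termination(ACE_CONFIG):
        print(finding)
```

Changing the second class map to `tcp eq 443` clears both findings.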