Cisco ACE SSL Termination configuration issue with SSL

Introduction

SSL termination occurs when the ACE, acting as an SSL proxy server, terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server. The ACE uses parameter maps, SSL proxy services, and class maps to build the policy maps that determine the flow of information between the client, the ACE, and the server. SSL termination is a Layer 3 and Layer 4 application because it is based on the destination IP addresses of the inbound traffic flow from the client. Before configuring your ACE for SSL operation, you must first configure it for server load balancing (SLB). This document describes a typical configuration issue.

Requirements

Basic understanding of how the Cisco ACE works and familiarity with the ACE CLI commands.

Problem

SSL termination on the Cisco ACE does not work as expected. The device configuration is as follows.

probe http EXAMPLE_IT_HTTP
  port 8889
  interval 5
  faildetect 2
  passdetect interval 10
  passdetect count 2
  request method get url /probe/probe.html
  expect status 200 206
  expect status 300 307
  open 1
 
serverfarm host example_IT_HTTP
  failaction reassign across-interface
  predictor leastconns
  probe example_IT_HTTP
  fail-on-all
  rserver H-192.168.250.165 8889
    inservice
  rserver H-192.168.250.166 8889
    inservice
serverfarm host example_IT_HTTPS-HTTP
  failaction reassign across-interface
  predictor leastconns
  probe example_IT_HTTP
  fail-on-all
  rserver H-192.168.250.165 8889
    inservice
  rserver H-192.168.250.166 8889
    inservice

sticky ip-netmask 255.255.255.255 address both example-IT-HTTPS-HTTP
  timeout 60
  replicate sticky
  serverfarm example_IT_HTTPS-HTTP

ssl-proxy service SSL_example_IT
  key example_it.key
  cert example_it.cert
  chaingroup SSL_CHAIN_example_IT

crypto chaingroup SSL_CHAIN_example_IT
  cert example_it.ca

class-map match-all example_IT_HTTP
  2 match virtual-address XX.235.121.6 tcp eq www
class-map match-all example_IT_HTTPS-HTTP
  2 match virtual-address XX.235.121.6 tcp eq www

policy-map type loadbalance first-match example_IT_HTTP-l7slb
  class class-default
    serverfarm example_IT_HTTP
policy-map type loadbalance first-match example_IT_HTTPS-HTTP-l7slb
  class class-default
    sticky-serverfarm example-IT-HTTPS-HTTP

policy-map multi-match int41
  class example_IT_HTTP
    loadbalance vip inservice
    loadbalance policy example_IT_HTTP-l7slb
    loadbalance vip icmp-reply active primary-inservice
  class example_IT_HTTPS-HTTP
    loadbalance vip inservice
    loadbalance policy example_IT_HTTPS-HTTP-l7slb
    loadbalance vip icmp-reply active primary-inservice
    ssl-proxy server SSL_example_IT

Load balancing for plain HTTP works properly, but SSL termination does not work.

Description

The command "show stats crypto" shows all connection counters as zero, and the certificate and session output confirms that the certificates are loaded but no SSL sessions are ever created.

ACE# sh crypto certificate all
example_it.cert:
Subject: /C=GB/ST=United Kingdom/L=London/O=XXXXXXXX/OU=XXXXXXXXX/CN=*.xxxx.com
Issuer: /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
CA Cert: FALSE

example_it.ca:
Subject: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Not Before: Nov  8 00:00:00 2006 GMT
Not After: Jul 16 23:59:59 2036 GMT
CA Cert: TRUE

ACE# sh crypto session
SSL Session Cache Stats for Context     
------------------
Number of Client Sessions:                     0
Number of Server Sessions:                     0

Resolution

The following class-map in the configuration needs to be changed.

class-map match-all example_IT_HTTPS-HTTP
  2 match virtual-address 22.235.121.6 tcp eq www

Change "www" to "443" in this class-map. The keyword "www" means port 80, so with the original configuration the class "example_IT_HTTPS-HTTP" will never match, and the ssl-proxy service attached to it in policy-map int41 is never used.
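As an added check (not part of the original article), the following Python script parses class-map and multi-match policy-map blocks in the "show run" style shown above and flags both symptoms of this misconfiguration: a class that applies "ssl-proxy server" while its class-map matches a port other than 443, and a class whose VIP and port are already claimed by an earlier class in the same multi-match policy. The sample configuration is constructed from the values on this page; the regular expressions and the named-port table are assumptions of this example.

```python
import re

# Named ports the ACE CLI accepts after "tcp eq" (constructed subset; numeric ports pass through)
NAMED_PORTS = {"www": 80, "http": 80, "https": 443}
CLASS_MAP_RE = re.compile(r"^class-map \S+ (\S+)\n\s+\d+ match virtual-address (\S+) tcp eq (\S+)", re.M)
POLICY_RE = re.compile(r"^policy-map multi-match (\S+)\n((?:[ \t].*\n?)*)", re.M)
POLICY_CLASS_RE = re.compile(r"^  class (\S+)\n((?:    .*\n?)*)", re.M)

def parse_ace(config):
    """Return ({class_map: (vip, port)}, {policy: [(class, uses_ssl_proxy), ...]}).
    Assumes 'show run' style indentation: 2 spaces per nesting level."""
    class_maps = {name: (vip, int(NAMED_PORTS.get(port, port)))
                  for name, vip, port in CLASS_MAP_RE.findall(config)}
    policies = {pol: [(cls, "ssl-proxy server" in body) for cls, body in POLICY_CLASS_RE.findall(block)]
                for pol, block in POLICY_RE.findall(config)}
    return class_maps, policies

def lint_ssl_termination(config):
    """Return findings as strings; an empty list means the SSL classes look consistent."""
    class_maps, policies = parse_ace(config)
    findings = []
    for pol, classes in policies.items():
        seen = {}                                   # (vip, port) -> first class that claimed it
        for cls, uses_ssl in classes:
            if cls not in class_maps:               # class-default or a non-VIP class: nothing to check
                continue
            vip, port = class_maps[cls]
            if uses_ssl and port != 443:
                findings.append(f"{pol}/{cls}: ssl-proxy server applied, but class-map matches tcp port {port}, not 443")
            if (vip, port) in seen:
                findings.append(f"{pol}/{cls}: {vip}:{port} already matched by earlier class {seen[vip, port]}; never hit")
            seen.setdefault((vip, port), cls)
    return findings

# Constructed from the class-map and policy-map lines shown on this page
PROBLEM_CONFIG = """\
class-map match-all example_IT_HTTP
  2 match virtual-address XX.235.121.6 tcp eq www
class-map match-all example_IT_HTTPS-HTTP
  2 match virtual-address XX.235.121.6 tcp eq www
policy-map multi-match int41
  class example_IT_HTTP
    loadbalance vip inservice
  class example_IT_HTTPS-HTTP
    loadbalance vip inservice
    ssl-proxy server SSL_example_IT
"""
# The fix from the article: the HTTPS class-map (the one just before policy-map) matches 443 instead of www
FIXED_CONFIG = PROBLEM_CONFIG.replace("eq www\npolicy-map", "eq 443\npolicy-map")
```

Running lint_ssl_termination(PROBLEM_CONFIG) reports two findings for example_IT_HTTPS-HTTP, while the corrected configuration reports none.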

Related Information

ACE SSL Terminator doesn't work
Configuring SSL Termination
