HTTPS certificate problem on MPLS

connect101
Level 1

Hi everyone,

We are currently migrating our network from IP to MPLS and we are encountering an issue with only one application, which uses a security certificate over HTTPS. All other services, such as HTTP, FTP, mail, etc., are OK.

Network description:

The network architecture is composed of 4 core routers (which play the role of P and PE at the same time) and 2 border routers (B1 and B2) linked to the Internet via STM1 POS interfaces.

Each border router is connected to two core routers (C1 and C2) by GigabitEthernet links.

Please also note that there is a DPI (Deep Packet Inspector, model Arbor 100) between each border and core router.

Core routers C1, C2, C3 and C4 are connected to each other by GigabitEthernet links.

B1 and B2 are linked to the Internet by STM1 (POS) using eBGP.

OSPF is used as the infrastructure routing protocol between all equipment.

(cf. the attached network diagram)

Configuration:

When migrating to MPLS, we set the interface MTU to 9216 and the MPLS MTU to 1512 on all concerned interfaces from the core to the border routers.

Below is a sample configuration.

mpls ip
mpls label protocol ldp
mpls ldp router-id loopback0

interface GigabitEthernet1/1
 mtu 9216
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 XXXXXXXXXXX
 ip ospf network point-to-point
 ip ospf cost 1
 ip ospf hello-interval 1
 mpls mtu 1512
 mpls ip

Problem:

The service application uses a server on the local network (linked via a CE router) which sends HTTPS requests and files to a server located on the Internet.

When MPLS is activated only on the core-to-core interfaces (C1, C2, C3 and C4), the application works properly.

But when MPLS is extended to the core-to-border / border-to-core interfaces, this specific application fails: it appears that the certificate server sees a corrupted frame, as if some bits had been added to the normal frame. But all other services (HTTP, FTP, everything, ...)

Below are the major differences between the border and core router connection schemes:

  • A DPI device between core and border,
  • GigabitEthernet is used for the border-to-core and core-to-core links; STM1 (POS) is used for the border-to-Internet (IP) links,
  • The MTU size on the STM1 interface is fixed at 4470; an MTU size of 9216 is assigned to the GE interfaces (border-to-core, core-to-core).

Regards.

1 Reply

Luc De Ghein
Cisco Employee

Hi,

Would it be possible to disable the functionality of the DPI (passthrough mode?) and test again?

MPLS labels or not on the packet should not make a difference wrt HTTPS only (in theory).

Since you mention corrupted frames, taking a packet capture should show you if this is true or not.

Thanks,

Luc
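To act on the packet-capture suggestion above against the posted MTU settings (interface MTU 9216, mpls mtu 1512), the following added example, not code from the thread or from Cisco, parses a raw Ethernet frame carrying an MPLS label stack over IPv4 and checks whether the labelled packet fits the configured MPLS MTU. The sample frame is constructed inline; the IP MTU of 1500 for the hosts behind the CE is an assumption.

```python
import struct

ETHERTYPE_MPLS_UNICAST = 0x8847
MPLS_MTU = 1512   # "mpls mtu 1512" from the posted configuration
IP_MTU = 1500     # assumed IP MTU of the hosts behind the CE router


def parse_mpls_frame(frame: bytes) -> dict:
    """Parse Ethernet + MPLS label stack + IPv4 header from a raw frame and
    report the label stack, its size and whether it fits the MPLS MTU."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_MPLS_UNICAST:
        raise ValueError(f"not an MPLS unicast frame (ethertype 0x{ethertype:04x})")
    labels, offset = [], 14
    while True:
        (entry,) = struct.unpack("!I", frame[offset:offset + 4])
        labels.append({"label": entry >> 12, "exp": (entry >> 9) & 0x7, "ttl": entry & 0xFF})
        offset += 4
        if (entry >> 8) & 0x1:          # bottom-of-stack bit: last shim header
            break
    if frame[offset] >> 4 != 4:         # first nibble of the inner header is the IP version
        raise ValueError("payload after the label stack is not IPv4")
    (ip_total_len,) = struct.unpack("!H", frame[offset + 2:offset + 4])
    stack_bytes = 4 * len(labels)
    return {
        "labels": labels,
        "stack_bytes": stack_bytes,
        "ip_total_len": ip_total_len,
        "labelled_len": stack_bytes + ip_total_len,
        "fits_mpls_mtu": stack_bytes + ip_total_len <= MPLS_MTU,
        "max_labels_for_full_ip_mtu": (MPLS_MTU - IP_MTU) // 4,
    }


def build_frame(labels, ip_total_len: int) -> bytes:
    """Constructed sample frame: dummy MACs, a label stack, a minimal IPv4 header
    (no checksum) and zero padding up to ip_total_len."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!H", ETHERTYPE_MPLS_UNICAST)
    stack = b""
    for i, label in enumerate(labels):
        bos = 1 if i == len(labels) - 1 else 0
        stack += struct.pack("!I", (label << 12) | (bos << 8) | 255)   # exp=0, ttl=255
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))
    return eth + stack + ip + b"\x00" * (ip_total_len - 20)


if __name__ == "__main__":
    print(parse_mpls_frame(build_frame([16, 24], IP_MTU)))
```

With a 1500-byte IP packet the 1512-byte MPLS MTU leaves room for three labels; a deeper stack, or a larger inner packet, is the first thing to look for in the capture if the frames really are longer than expected.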