Tcp configuration issues with ssl terminate – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual
Page 147
Brocade Virtual ADX Security Guide
135
53-1003250-01
Configuration examples for SSL Termination Mode
6
State or province (full name) [California] California
Locality name (city) [city] San Jose
Organization name (Company name) [Brocade] Brocade
Organizational unit name (department) [Web administration] Web Administration
Common name (your domain name) [www.brocade.com] www.brocade.com
Email address [[email protected]] [email protected]
transfer_ssl_object_buf_to_bp : The object buffer length is 492
transfer_ssl_object_buf_to_bp: The message length is 622
Create SSL profile with required settings example
Virtual ADX(config)#ssl profile myprofile
Virtual ADX(config-ssl-profile-myprofile)#keypair-file rsakey-file
Virtual ADX(config-ssl-profile-myprofile)#certificate-file mycert
Virtual ADX(config-ssl-profile-myprofile)#cipher-suite all
Virtual ADX(config-ssl-profile-myprofile)#exit
Define HTTP ports on real servers example
Virtual ADX(config)#server real rs1 10.1.1.1
Virtual ADX(config-rs-rs1)#port http
Virtual ADX(config-rs-rs1)#exit
Virtual ADX(config)#server real rs2 10.1.1.2
Virtual ADX(config-rs-rs2)#port http
Virtual ADX(config-rs-rs2)#exit
Within virtual server: Define SSL port, specify server profile and enable SSL terminate example
Virtual ADX(config)#server virtual-name-or-ip vip1 10.1.1.7
Virtual ADX(config-vs-vip1)#port ssl
Virtual ADX(config-vs-vip1)#port ssl ssl-terminate myprofile
Bind SSL in virtual server to real server HTTP ports example
Virtual ADX(config-vs-vip1)#bind ssl rs1 http rs2 http
NOTE
In SSL Termination mode, to enable VRRPE for a VIP address you must use a different
source-nat-ip for SSL traffic. To do so, use the following command syntax:
server source-nat-ip ip mask gateway port-range range
TCP configuration issues with SSL Terminate
When SSL terminate is enabled, the Brocade Virtual ADX uses TCP full stack.
NOTE
When the TCP full stack is used with SSL Terminate enabled, the Brocade Virtual ADX cannot
buffer GET requests of 20 KB; the pseudo stack can.
With the full stack, the Nagle algorithm and the delayed ACK mechanism are on by default. In
some situations both of these features should be disabled.
For example, a customer may see slow response times because the Brocade Virtual ADX sends
one packet at a time and waits for an ACK from the server before sending the next packet. The
server sends its ACKs after a 200 ms delay, so every successive packet is delayed by 200 ms,
and performance is extremely poor. Packet traces taken on the client and server sides show
this situation in detail, as in the following figures.
shows the client ptrace information.
shows the server ptrace information.
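The stall described above, as an added worked example that is not Brocade code or part of the original guide: a simplified timing model in Python of the Nagle / delayed-ACK interaction. It uses the 200 ms delayed-ACK timer the page quotes; the 1 ms one-way latency and 0.1 ms per-segment serialization time are assumptions. Nagle is modelled as the page describes it (one undersized segment in flight, the next held until the ACK arrives), and delayed ACK as a receiver that holds an ACK for the timer period unless a second segment lands first. The model goes slightly beyond the page by comparing all four on/off combinations, so the effect of disabling either feature is visible side by side.

```python
"""Simplified timing model of the Nagle / delayed-ACK interaction.

Constructed example, not Brocade code. Assumptions (labelled):
  - delayed-ACK timer: 200 ms (the value quoted on the page)
  - one-way link latency: 1 ms; serialization per small segment: 0.1 ms
  - Nagle, as the page describes it: one undersized segment in flight,
    the next is held until the ACK for the previous one has arrived
  - delayed ACK: the receiver holds an ACK for the timer period unless a
    second segment arrives first, in which case it ACKs immediately
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Link:
    one_way_ms: float = 1.0      # propagation delay (assumed)
    serialize_ms: float = 0.1    # time to clock one small segment onto the wire (assumed)


@dataclass
class Result:
    total_ms: float                                        # when the last ACK reaches the sender
    stalls_ms: List[float] = field(default_factory=list)   # per-segment waits caused by Nagle


def ack_departure(pending: List[float], delayed_ack: bool, delayed_ack_ms: float) -> float:
    """Time at which the receiver emits the ACK covering the segments in `pending`
    (given as their arrival times at the receiver)."""
    if not delayed_ack or len(pending) >= 2:
        return pending[-1]                      # ACK immediately / on the second segment
    return pending[0] + delayed_ack_ms          # hold the ACK until the timer fires


def simulate(n_segments: int, nagle: bool, delayed_ack: bool,
             delayed_ack_ms: float = 200.0, link: Link = Link()) -> Result:
    clock = 0.0                   # sender-side clock, ms
    pending: List[float] = []     # receiver arrival times of segments not yet ACKed
    last_ack_at_sender = 0.0
    stalls: List[float] = []

    for _ in range(n_segments):
        if nagle and pending:
            # Nagle: an undersized segment is outstanding, so wait for its ACK.
            ack_at_sender = ack_departure(pending, delayed_ack, delayed_ack_ms) + link.one_way_ms
            stalls.append(ack_at_sender - clock)
            clock = ack_at_sender
            pending = []
        clock += link.serialize_ms
        pending.append(clock + link.one_way_ms)
        if not nagle and (not delayed_ack or len(pending) == 2):
            # Without Nagle the sender streams on; the receiver ACKs immediately
            # or as soon as a second segment lands (delayed-ACK rule).
            last_ack_at_sender = ack_departure(pending, delayed_ack, delayed_ack_ms) + link.one_way_ms
            pending = []

    if pending:   # whatever is still unACKed waits for the receiver's timer or the RTT
        last_ack_at_sender = ack_departure(pending, delayed_ack, delayed_ack_ms) + link.one_way_ms
    return Result(total_ms=last_ack_at_sender, stalls_ms=stalls)


def compare(n_segments: int) -> Dict[Tuple[bool, bool], float]:
    """Total delivery time for each (nagle, delayed_ack) combination."""
    return {(n, d): simulate(n_segments, n, d).total_ms
            for n in (True, False) for d in (True, False)}


if __name__ == "__main__":
    for (n, d), total in compare(10).items():
        print(f"nagle={'on ' if n else 'off'} delayed_ack={'on ' if d else 'off'}: {total:8.1f} ms")
```

Run it directly to print the four totals for ten small segments. With both features on, every segment after the first waits out the full delayed-ACK timer (about 202 ms in this model), which is the per-packet stall the page's traces show; turning off either feature brings the transfer down to a few round trips. Note the odd-segment case with Nagle off and delayed ACK on: the final unpaired segment still pays one timer period, which is why both features are disabled in the situation the page describes.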