DX - Load Balancing & Application Acceleration

SSL Termination of ESP traffic UDP 4500 on IVE (Juniper DX)

‎02-01-2008 09:55 AM
Does anyone know if this is supported yet? I saw a fix in the Juniper IVE 6.0 R3.1 release notes which seems to imply that it can. Thanks!
 

CS NC - When NC ran on ESP with SSL hardware acceleration on and a device between the IVE and the client had a smaller MTU, the NC performance degraded considerably. This is fixed. (52070)

 


Re: SSL Termination of ESP traffic UDP 4500 on IVE (Juniper DX)

‎02-04-2008 02:52 AM
 
 
Hello Tom,
 
 
This bug relates to the SA IVE device, not the DX.  I checked the bug database for the SA and it is noted in there as being fixed for 6.0R3.1.  If you are experiencing this problem and find after upgrading and testing that your NC ESP connections through a NAT device to a SA device with SSL acceleration enabled are exhibiting jitter, please open a JTAC case so the SA support team can investigate with you.  
FYI, one of the workarounds for this bug was to lower the MTU on the SA device to the same or lower as on the intermediate NAT device; another was to disable the SSL acceleration on the SA.
 
--
Matt

Resend - SSL Termination of ESP traffic UDP 4500 on IVE (Juniper DX)

‎02-04-2008 09:11 AM
Restated:
Does anyone know if this is supported yet? Load balancing the IVE DX in a cluster or forwarder?
I saw a fix in the Juniper IVE 6.0 R3.1 release notes which seems to imply that it can. Thanks!
 

CS NC - When NC ran on ESP with SSL hardware acceleration on and a device between the IVE and the client had a smaller MTU, the NC performance degraded considerably. This is fixed. (52070)


Re: Resend - SSL Termination of ESP traffic UDP 4500 on IVE (Juniper DX)

‎02-05-2008 07:13 AM
 
The DX can load balance the IVEs; this bug does not relate to the DX.  Clusters can be used for Core and/or SAM access as those use SSL. For NC ESP you need to have an SLB group, as it needs to use the UDP protocol, which clusters do not support.  The SLB group should have the SSL cluster set as the sticky leader, with the cluster using ClientIP stickiness, so connections go to the same target IVE that the initial SSL connection is sent to.
 
There is an old AppNote for the DX configuration with the SA devices; I will request DJ add it to the sticky thread of AppNotes.  Here are the details from that document:
 
 
Configuration Summary:
 
Create a SSL Cluster (port 443) with IVE IPs as SSL-enabled target hosts (port 443).  
 
Select ClientIP as Sticky Load Balancing method.
In the Advanced section, enable Outlook Web Access, Connection Binding and Secure Access Compatibility.
 
Disable standing connections to the target hosts with:
 %set setver factory sc 0
 %write
 
Enable Layer 7 Health Checking in the Health Checking section:
 Request URL Path = "/dana-na/healthcheck/healthcheck.cgi"
 Expect String = "Cluster Enabled"
 
 
For NC we need to add a SLB group listening on port 4500.
Set protocol to UDP
Add IVE IPs as target hosts (port 4500)
Under Load Balancing, select the SSL Cluster created above as the Sticky Leader.
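The configuration summary above describes three cooperating pieces: an SSL cluster on 443 with ClientIP stickiness, a UDP/4500 SLB group that uses that cluster as its sticky leader so NC ESP reaches the same IVE the SSL session went to, and a layer-7 health check that only keeps an IVE in rotation while the healthcheck URL returns "Cluster Enabled". The following Python model is an added example, not Juniper's code and not part of the AppNote; the target IPs, the hash-based target choice, the fetch() transport and the "ask the leader if it has no entry yet" behaviour of the UDP group are all assumptions made for illustration.

```python
# Added example (not Juniper's code): a small model of the DX layout described
# above -- an SSL cluster on 443 with ClientIP stickiness, a UDP/4500 SLB group
# that follows that cluster as its sticky leader, and the layer-7 health check
# on /dana-na/healthcheck/healthcheck.cgi.  Target IPs, the hash-based target
# choice and the fetch() transport are assumptions.
import hashlib
from typing import Callable, Dict, List, Optional

HEALTHCHECK_PATH = "/dana-na/healthcheck/healthcheck.cgi"   # from the thread
EXPECT_STRING = "Cluster Enabled"                           # from the thread


class HealthChecker:
    """Layer-7 check: GET the health URL and require the expect string in the body."""

    def __init__(self, fetch: Callable[[str, str], str]):
        # fetch(target_ip, path) returns the response body; raising means 'down'
        self.fetch = fetch

    def is_healthy(self, target: str) -> bool:
        try:
            body = self.fetch(target, HEALTHCHECK_PATH)
        except Exception:
            return False
        return EXPECT_STRING in body


class SslCluster:
    """Port-443 cluster with ClientIP stickiness over the healthy IVE targets."""

    def __init__(self, targets: List[str], checker: HealthChecker):
        self.targets = list(targets)
        self.checker = checker
        self.sticky: Dict[str, str] = {}       # client IP -> chosen IVE

    def healthy_targets(self) -> List[str]:
        return [t for t in self.targets if self.checker.is_healthy(t)]

    def select(self, client_ip: str) -> Optional[str]:
        healthy = self.healthy_targets()
        if not healthy:
            return None
        current = self.sticky.get(client_ip)
        if current in healthy:                 # keep the existing sticky entry
            return current
        # Assumed distribution: hash the client IP over the healthy targets
        digest = hashlib.sha256(client_ip.encode()).digest()
        chosen = healthy[int.from_bytes(digest[:4], "big") % len(healthy)]
        self.sticky[client_ip] = chosen
        return chosen


class UdpSlbGroup:
    """Port-4500 UDP group for NC ESP.  It is not HTTP-aware (no cookies), so it
    reuses the sticky leader's ClientIP decision to reach the same IVE."""

    def __init__(self, targets: List[str], leader: SslCluster):
        self.targets = list(targets)
        self.leader = leader

    def select(self, client_ip: str) -> Optional[str]:
        # Assumption: with no usable leader entry yet, ask the leader to pick
        # one so that both protocols end up on the same IVE.
        chosen = self.leader.sticky.get(client_ip)
        if chosen not in self.leader.healthy_targets():
            chosen = self.leader.select(client_ip)
        return chosen if chosen in self.targets else None


def build_demo():
    """Constructed sample: three IVEs, one of which fails its health check."""
    responses = {
        "10.0.0.1": "Cluster Enabled\n",
        "10.0.0.2": "Cluster Enabled\n",
        "10.0.0.3": "Cluster Disabled\n",    # constructed failing response
    }

    def fetch(target: str, path: str) -> str:
        if target not in responses:
            raise ConnectionError(target)
        return responses[target]

    ives = list(responses)
    cluster = SslCluster(ives, HealthChecker(fetch))
    group = UdpSlbGroup(ives, leader=cluster)
    return cluster, group, responses


if __name__ == "__main__":
    cluster, group, _ = build_demo()
    client = "192.0.2.10"
    print("443 ->", cluster.select(client), "4500 ->", group.select(client))
```

The point the model makes explicit is why the UDP group cannot use cookie persistence and must lean on the cluster: the only client attribute both the 443 and 4500 paths share is the source IP, so the leader's ClientIP table is the one thing that can keep SSL and ESP on the same IVE, and a failed health check on that IVE moves both paths together.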
 
 
 
 
 

Re: Resend - SSL Termination of ESP traffic UDP 4500 on IVE (Juniper DX)

‎02-05-2008 07:31 AM
Sorry, I will try to be more clear. Client side certificates and certificates -
 
The fix implies SSL termination; what I was referring to is the termination of certificates. We use client side certificates and a server cert on the IVE. We would like to use the wildcard certificate on the DX cluster at the very most or least. A very typical Juniper sanctioned configuration. We have only been able to set up an SLB for both protocols. The Juniper product SSL VPN can use a Microsoft Certificate Server in a simple network. IVE Training teaches this in their customer classes.
 
Create a SSL Cluster (port 443) with IVE IPs as SSL-enabled target hosts (port 443).  
Where are the certs hosted? Just don't host it on the DX?
 
Select ClientIP as Sticky Load Balancing method.
In the Advanced section, enable Outlook Web Access, Connection Binding and Secure Access Compatibility.
 
Ok
 
Disable standing connections to the target hosts with:
 %set setver factory sc 0
 
What will this do to our other very specific DX Cluster and overdrive configuration?
 
Enable Layer 7 Health Checking in the Health Checking section:
 Request URL Path = "/dana-na/healthcheck/healthcheck.cgi"
 Expect String = "Cluster Enabled"
 
This is the first DX person that knows the IVE health check I have wanted to use for a year and a half. Great!
 
For NC we need to add a SLB group listening on port 4500. Set protocol to UDP
Add IVE IPs as target hosts (port 4500) Under Load Balancing, select the SSL Cluster created above as the Sticky Leader.
 
So cookie load balancing cannot be used, I take it. Thanks for the response.
 
 

Re: Resend - SSL Termination of ESP traffic UDP 4500 on IVE (Juniper DX)

‎02-06-2008 01:33 AM
The same cert and key as used on the IVE should be imported into the DX if you use NC.  I believe you cannot export cert/key from the IVE so if these are not available a new pair would need to be generated and used on both devices.   A wildcard cert on the DX should work as long as it covers the same domain that is on the IVE, effectively the client HTTP request will be passed on to the IVE so the certs should match the hostname used in the HTTP request.
 
The factory setting command sets the standing connections to zero.  Standing connections are pre-established TCP connections to the target servers, which need to be disabled.   As this is a system-wide setting other clusters will be affected, though on a LAN the TCP set-up time should be negligible.   This does not disable pipelining of HTTP requests on a TCP connection; the connection binding setting is used to control this at the cluster level.
 
Cookie persistence cannot be used as an SLB group is not HTTP aware; plus, when connecting to port 4500 for NC the client would not send the cookie as it is not HTTP.   I believe Cookie persistence can be used for CORE access only.
Solution (accepted by topic author TomArner, ‎08-26-2015 01:27 AM)

Re: Resend - SSL Termination of ESP traffic UDP 4500 on IVE (Juniper DX)

‎02-06-2008 07:54 AM
Since we're using a full NAT on the DX, using simple persistence weights the requests to one DX from what I can tell. Using cookie insert would help this.
 
Thanks! this helps.