Cisco ACE Application Control Engine Module
16
Release Note for the Cisco Application Control Engine Module
OL-26644-03
New Software Features in Version A5(3.0)
In earlier versions of ACE, snmpget requests for objects in the above MIB were timing out intermittently
because the read operations took too long. To overcome this, caching has been implemented: when the
first snmpget query is made, the response is cached, and subsequent queries received within 15 seconds
of the first query are given the same cached response.
Ability to Allow SSL Record Parsing to a Specific Size
ACE allocates a predefined number of buffers for each packet that must be parsed because of an L7
configuration; by default this is 17. However, valid SSL records can occupy more than this default
number of buffers, depending on the record size. For example, a record of 16400 bytes can occupy as
many as 33 buffers. This falsely triggers an error and a packet drop. To prevent this, ACE now allocates
as many buffers for SSL requests as the record size that the client legitimately sends requires.
This overrides the default of 17 buffers for SSL packets that get parsed.
New CLI Commands
The syntax to configure the ACE SSL maximum record size is as follows:
system-defaults allow-ssl-max-record-size
Example:
system-defaults allow-ssl-max-record-size <number>
Where <number> is an integer in the range 1 to 65535.
Example of usage:
switch/Admin# system-defaults allow-ssl-max-record-size 16400
Note
This will allow ACE to parse SSL records up to the size defined (<number>) without resulting in a
rejection such as a slow-loris detection.
Configuration
switch/Admin(config)# ?
Configure commands:
aaa Configure aaa functions
access-group Activate context global access-list
access-list Configure access control list
action-list Configure an action list
....
ssl-proxy Configure an ssl-proxy service
sticky Configure sticky
switch-mode Activate switch-mode in the context
system-defaults System Default configuration
tacacs-server Configure TACACS+ server related parameters
telnet Telnet config commands
timeout Configure the maximum timeout duration
username Configure user information.
vm-controller Configure VM controller
switch/Admin(config)# system-defaults ?
allow-ssl-max-record-size Configure maximum SSL Record Size allowed
switch/Admin(config)# system-defaults allow-ssl-max-record-size ?
<1-65535> Enter maximum SSL Record Size allowed
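To illustrate the size check that allow-ssl-max-record-size governs, the following is an added Python example, not ACE code and not part of this release note: it parses the standard 5-byte SSL/TLS record header and accepts or rejects the record against a configured maximum in the same 1 to 65535 range. ACE's internal buffer accounting is not modelled, and the sample record is constructed.

```python
import struct

RECORD_HEADER_LEN = 5  # content type (1) + protocol version (2) + length (2)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def make_record(content_type, payload, version=(3, 3)):
    """Build a TLS record with the standard header (constructed sample input, not captured traffic)."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(payload)) + payload


def parse_record_header(data):
    """Return (content_type, version, declared_length) from the 5-byte record header."""
    if len(data) < RECORD_HEADER_LEN:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:RECORD_HEADER_LEN])
    return ctype, (major, minor), length


def check_record(data, max_record_size):
    """Decide whether a record may be parsed under a configured maximum record size.

    max_record_size mirrors the <1-65535> argument of
    'system-defaults allow-ssl-max-record-size'. Returns (accepted, reason).
    """
    if not 1 <= max_record_size <= 65535:
        raise ValueError("max_record_size must be in the range 1 to 65535")
    ctype, version, length = parse_record_header(data)
    if ctype not in CONTENT_TYPES:
        return False, "unknown content type %d" % ctype
    if length > max_record_size:
        return False, "record length %d exceeds configured maximum %d" % (length, max_record_size)
    return True, "%s record of %d bytes accepted" % (CONTENT_TYPES[ctype], length)


# Constructed sample: a 16400-byte application_data record, the size cited in the release note.
SAMPLE_RECORD = make_record(23, b"A" * 16400)

if __name__ == "__main__":
    print(check_record(SAMPLE_RECORD, 16400))  # accepted under the configured maximum
    print(check_record(SAMPLE_RECORD, 16384))  # rejected: declared length exceeds the maximum
```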