Cisco ACE Application Control Engine Module

Release Note for the Cisco Application Control Engine Module
OL-26644-03
New Software Features in Version A5(3.0)
2. The ACE, acting as a client, will send a client hello containing only TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff), which is not a cipher but only indicates that the client supports secure renegotiation. The server will send an alert (no_shared_cipher) in this case.
Note: TLS1.1 requests will work with the combination of Upto_TLS1_2 and only RSA_WITH_DES_CBC_SHA.
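The case in item 2, as an added example (not taken from the release note and not ACE code): a minimal parser reads the cipher_suites field of a ClientHello handshake message and shows why an offer containing only 0x00ff leaves the server nothing to select. The function names, the constructed ClientHello bytes and the server's cipher list are assumptions made for the illustration.

```python
import struct

SCSV = 0x00FF  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV: a signalling value, not a cipher

def build_client_hello(suites, version=(3, 3)):
    """Build a minimal ClientHello (constructed sample: zeroed random, no extensions)."""
    body = bytes(version) + bytes(32)          # client_version + 32-byte random
    body += b"\x00"                            # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                        # one compression method: null
    return b"\x01" + len(body).to_bytes(3, "big") + body

def offered_suites(hello):
    """Return the cipher suite IDs carried in a ClientHello handshake message."""
    if len(hello) < 4 or hello[0] != 0x01:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(hello[1:4], "big")
    body = hello[4:4 + length]
    if len(body) != length or length < 35:
        raise ValueError("truncated ClientHello")
    pos = 34                                   # skip version (2) and random (32)
    pos += 1 + body[pos]                       # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]

def negotiate(hello, server_suites):
    """Pick the first server-preferred suite the client really offered."""
    offered = offered_suites(hello)
    usable = [s for s in offered if s != SCSV]  # the SCSV can never be selected
    chosen = next((s for s in server_suites if s in usable), None)
    return {
        "secure_renegotiation": SCSV in offered,
        "cipher": chosen,
        "result": "server_hello" if chosen is not None else "alert",
    }

# Constructed server list: RSA_WITH_AES_128_CBC_SHA (0x002f), RSA_WITH_DES_CBC_SHA (0x0009)
SERVER_SUITES = [0x002F, 0x0009]

if __name__ == "__main__":
    print(negotiate(build_client_hello([SCSV]), SERVER_SUITES))
    print(negotiate(build_client_hello([SCSV, 0x0009]), SERVER_SUITES))
```
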
New MIB Objects for TLS1.1 and TLS1.2
The following are the new MIB objects for TLS1.1 and TLS1.2:
cspTl1cFullHandShake: Displays the number of full handshakes done with TLS1.1
cspTl1cResumedHandShake: Displays the number of resumed handshakes done with TLS1.1
cspTl1cHandShakeFailed: Displays the number of handshakes failed for TLS1.1
cspTl1cDataFailed: Displays the number of data failures for TLS1.1
cspTl2cFullHandShake: Displays the number of full handshakes done with TLS1.2
cspTl2cResumedHandShake: Displays the number of resumed handshakes done with TLS1.2
cspTl2cHandShakeFailed: Displays the number of handshakes failed for TLS1.2
cspTl2cDataFailed: Displays the number of data failures for TLS1.2
FTP SLB IPV6 Support
The application firewall currently supports a list of applications including HTTP, SIP, and FTP. FTP deep inspection is an application firewall function that statefully monitors the File Transfer Protocol. Earlier versions of the ACE supported FTP with IPv4. With A5(3.0), the ACE now supports FTP with both IPv4 and IPv6.
This feature does not support the following:
SSL-based FTP for IPv6.
FTP from an IPv4 client to an IPv6 server.
Static routes cannot be added with SLB64.
1-arm mode configuration is not supported with SLB64 because static route addition is not supported.
SFTP is not supported.
Sample Configuration
Included below is a summary of the sample configuration to support FTP IPv6 in A5(3.0):
For FTP IPv6:
access-list all1 line 8 extended permit ip anyv6 anyv6
class-map match-all ftp-nat
  2 match destination-address 2015::214:5eff:fe84:30
class-map match-any vip-ftpv6
  2 match virtual-address 2015::214:5eff:fe84:30 tcp eq ftp
policy-map multi-match policy
  class vip-ftpv6