SSL Guide vA5(1.0), Cisco ACE Application Control Engine
Displaying SSL Information and Statistics

Table Of Contents

Displaying SSL Information and Statistics

Displaying CSR Parameter Set Configurations

Displaying the List of Certificate and Key Pair Files

Displaying Certificate Information

Displaying CRL Information

Displaying CDP Error Statistics

Displaying OCSP Information

Displaying OCSP Server Statistics

Displaying the AuthorityInfoAccess Extension Error Statistics

Displaying RSA Key Pair Information

Displaying Certificate Chain Group Information

Displaying Client Authentication Group Information

Displaying Cached TLS and SSL Session Entries

Displaying SSL Parameter Map Settings

Displaying Front-End and Back-End SSL Statistics

Information about SSL HTTP Header Insertion and Truncated Counters

Displaying HTTP Header Insertion Statistics

Clearing SSL and TLS Statistics


Displaying SSL Information and Statistics



Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted.


This chapter describes how to use the available show commands to display SSL-related information, such as the certificate and key pair files loaded on the ACE. The show commands display information associated with the context from which you execute the command. Each command described in this chapter also includes an explanation of the command output.

While the show commands are Exec mode commands, you can execute a show command from any configuration mode by using the do command. The following examples show how to execute the show running-config command from either Exec mode or configuration mode.

From Exec mode, enter:

host1/Admin# show running-config

From configuration mode, enter:

host1/Admin(config)# do show running-config

This chapter contains the following major sections:

Displaying CSR Parameter Set Configurations

Displaying the List of Certificate and Key Pair Files

Displaying Certificate Information

Displaying CRL Information

Displaying CDP Error Statistics

Displaying OCSP Information

Displaying RSA Key Pair Information

Displaying Certificate Chain Group Information

Displaying Client Authentication Group Information

Displaying Cached TLS and SSL Session Entries

Displaying SSL Parameter Map Settings

Displaying Front-End and Back-End SSL Statistics

Information about SSL HTTP Header Insertion and Truncated Counters

Displaying HTTP Header Insertion Statistics

Clearing SSL and TLS Statistics

Displaying CSR Parameter Set Configurations

To display the CSR parameter set summary and detailed reports, use the show crypto csr-params command in Exec mode.

The syntax of this command is as follows:

show crypto csr-params {params_set | all}

The arguments and keywords are:

params_set—Name of a specific CSR parameter set. Enter an unquoted alphanumeric string with a maximum of 64 characters. The ACE displays the detailed report for the specified CSR parameter set. The detailed report contains the distinguished name attributes of the CSR parameter set.

all—Displays the summary report that lists all the CSR parameter sets for the current context.

For example, to display the CSR parameter set summary report, enter:

host1/Admin# show crypto csr-params all

The following example shows how to display the detailed report for the MYCSRCONFIG CSR parameter set:

host1/Admin# show crypto csr-params MYCSRCONFIG

Table 6-1 describes the fields in the show crypto csr-params params_set command output.

Table 6-1 Field Descriptions for the show crypto csr-params params_set Command 

Field
Description

Country-name

Country where the certificate owner resides.

State

State where the certificate owner resides.

Locality

Locality where the certificate owner resides.

Org-name

Name of the organization (certificate owner or subject).

Org-unit

Name of unit within the organization.

Common-name

Common-name (domain name or individual hostname of the SSL site).

Serial number

Serial number.

Email

E-mail address.


Displaying the List of Certificate and Key Pair Files

To display a list of all available certificate and key pair files, use the show crypto files command in Exec mode.

For example, to display the list of certificate and key pair files, enter:

host1/Admin# show crypto files

Table 6-2 describes the fields in the show crypto files command output.

Table 6-2 Field Descriptions for the show crypto files
Command 

Field
Description

Filename

Name of the file that contains the certificate or key pair.

File Size

Size of the file.

File Type

Format of the file: PEM, DER, or PKCS12.

Exportable

Indicates whether you can export the file from the ACE using the crypto export command:

Yes—You can export the file to an FTP, SFTP, or TFTP server (see the "Exporting Certificate and Key Pair Files" section in Chapter 2 "Managing Certificates and Keys").

No—You cannot export the file as it is protected.

Key/Cert

Indicates whether the file contains a certificate (CERT), a key pair (KEY), or both (BOTH).


Displaying Certificate Information

To display the certificate summary and detailed reports, use the show crypto certificate command in Exec mode.

The syntax of this command is as follows:

show crypto certificate {filename | all}

The keywords and arguments are as follows:

filename—Name of a specific certificate file. Enter an unquoted alphanumeric string with a maximum of 40 characters. The ACE displays the certificate detailed report for the specified file. If the certificate file contains a chain, the ACE displays only the end-entity (bottom level) certificate; the signing certificates are not displayed.

all—Displays the certificate summary report that lists all the certificate files for the current context.

For example, to display the certificate summary report, enter:

host1/Admin# show crypto certificate all

Table 6-3 describes the fields in the show crypto certificate all command output.

Table 6-3 Field Descriptions for the show crypto certificate all Command 

Field
Description

Certificate file

Name of the certificate file.

Subject

Distinguished name of the organization that owns the certificate and possesses the private key.

Issuer

Distinguished name of the certification authority (CA) that issued the certificate.

Not Before

Starting time period, before which the certificate is not considered valid.

Not After

Ending time period, after which the certificate is not considered valid.

CA Cert

Certificate of the CA that signed the certificate.


The following example shows how to display the detailed report for the MYCERT.PEM certificate file:

host1/Admin# show crypto certificate MYCERT.PEM

Table 6-4 describes the fields in the show crypto certificate filename command output.

Table 6-4 Field Descriptions for the show crypto certificate filename Command 

Field
Description

Certificate

Name of the certificate file.

Data

Version

Version of the X.509 standard. The certificate complies with this version of the standard.

Serial Number

Serial number associated with the certificate.

Signature Algorithm

Algorithm (hash plus public-key algorithm, for example sha256WithRSAEncryption) that the issuing CA used to sign the certificate. This copy of the field is inside the signed portion of the certificate and must match the Signature Algorithm field that follows the extensions.

Issuer

Distinguished name of the CA that issued the certificate.

Validity

Not Before

Starting time period, before which the certificate is not considered valid.

Not After

Ending time period, after which the certificate is not considered valid.

Subject

Distinguished name of the organization that owns the certificate and possesses the private key.

Subject Public Key Info

Public Key Algorithm

Public-key algorithm of the subject key (for example, rsaEncryption).

RSA Public Key

Size of the RSA public key in bits (for example, 2048 bit).

Modulus

RSA modulus, the public value on which the certificate was built. The same modulus is present in the matching key pair file, so comparing the two is a quick way to confirm that a certificate and a key pair belong together.

Exponent

RSA public exponent (typically 65537).

X509v3 Extensions

Array of X509v3 extensions added to the certificate.

X509v3 Basic Constraints

Indicates whether the subject may act as a CA, with the certified public key being used to verify certificate signatures. If so, a certification path length constraint may also be specified.

Netscape Comment

Comment that may be displayed when the certificate is viewed.

X509v3 Subject Key Identifier

Identifier (normally a hash) of the public key being certified. It lets distinct keys used by the same subject be differentiated, for example, as key updating occurs.

X509v3 Authority Key Identifier

Identifier of the CA public key that verifies the signature on this certificate or CRL. It lets distinct keys used by the same CA be distinguished, for example, as key updating occurs. When a chain is built, this value should match the Subject Key Identifier of the issuer certificate.

Signature Algorithm

Name of the algorithm used for the digital signature (but not for key exchange).

Hex Numbers

Actual signature over the certificate. A client verifies it with the public key of the issuing CA; if verification fails, the certificate data was altered after signing or was not signed by that CA.


Displaying CRL Information

To display a list of certificate revocation lists (CRLs) or definitions for a specified CRL in a context, use the show crypto crl command in Exec mode. The syntax of this command is as follows:

show crypto crl {crl_name [detail] | all | best-effort}

The keywords and arguments are as follows:

crl_name—Name of a specific CRL configured in the context. Enter an unquoted alphanumeric string. The ACE displays the definitions for the specified CRL.

detail—(Optional) Displays detailed statistics for the downloading of the CRL, including failure counters.

all—Displays a list of all CRLs configured in the context.

best-effort—Displays summarized information for all best-effort CRLs on the ACE (a maximum of 16 CRLs).

For example, to display a list of all CRLs, enter:

host1/Admin# show crypto crl all

To display the definitions for a specific CRL, for example CRL1, enter:

host1/Admin# show crypto crl CRL1

Table 6-5 describes the fields in the show crypto crl crl_name command output.

Table 6-5 Field Descriptions for the show crypto crl Command 

Field
Description

URL

URL where the ACE downloads the CRL.

Last Downloaded

Last time the ACE downloaded the CRL. If the CRL is configured on an SSL-proxy service on a policy map that is not active or the service is not associated with a policy map, the field displays the "not downloaded yet" message.

Total Number of Download Attempts

Number of times the ACE attempted to download the CRL.

Failed Download Attempts

Number of times the ACE failed to download the CRL.

Total Number of Download Attempts for Real CRL Data

Number of times the ACE attempted to download a specified CRL (not including "best effort" attempts).

Failed Download Attempts for Real CRL Data

Number of times the ACE failed to download a specified CRL (not including "best effort" attempts).

Successful Loads (detail option)

Number of times that the ACE successfully loaded the CRL.

Failed Loads (detail option)

Number of times that the ACE could not load the CRL because of a failure.

Hours since Last Load (detail option)

Number of hours that elapsed since the ACE last successfully downloaded the CRL. If no successful download has occurred, this field displays NA, not applicable.

No IP Addr Resolutions (detail option)

Number of times that DNS resolution of the CRL server host name failed.

Host Timeouts (detail option)

Number of CRL download attempts that timed out waiting for the server.

Next Update Invalid (detail option)

Number of times that the next update field of the CRL was invalid.

Next Update Expired (detail option)

Number of times that the next update field of the CRL was expired.

Bad Signature (detail option)

Number of times that the signature mismatch for the CRL was detected, with respect to the CA certificate configured for signature verification of the CRL.

CRL Found-Failed to load (detail option)

Number of times that the ACE could not load the CRL because of the maximum size limitation of 10MB on ACE or the formatting of the CRL was not recognized. The ACE recognizes only DER and PEM encoded CRLs.

File Not Found (detail option)

Number of times that the server responded that the CRL file was not found at the server.

Memory Outage failures (detail option)

Number of times that the ACE failed to download the CRL because it temporarily could not provide memory to store the CRL data.

Cache Limit failures (detail option)

Number of times that the ACE could not load the CRL because the CRL cache was exhausted.

Conn Failures (detail option)

Number of times that the ACE failed to download the CRL because it could not establish a connection with the server or no server entity was listening on the destination system.

Internal Failures (detail option)

Number of internal failures in the ACE that hampered downloading the CRL, for example, internal communication failures between components responsible for the downloading the CRL.

Not Eligible for download (detail option)

Number of times that the CRL was found ineligible for downloading because one of the following conditions applied:

A download of the same CRL was already in progress.

The CRL had already been loaded successfully and had not yet expired.

HTTP Read Failures (detail option)

Number of times that the ACE encountered an error when downloading the CRL because it could not read data on the connection established with server.

HTTP Write failures (detail option)

Number of times that the ACE encountered an error when downloading the CRL because it could not write the CRL download request to the connection established with the server.


For example, to display summarized information for all best-effort CRLs, enter:

host1/Admin# show crypto crl best-effort

Table 6-6 describes the fields in the show crypto crl best-effort command output.

Table 6-6 Field Descriptions for the show crypto crl best-effort Command 

Field
Description

Best Effort CRL

Identifier to distinguish each best-effort CRL present at this time. At another time, the identifier can vary for the same CRL.

CRL Distribution Point

URL of the CDP. The ACE displays the first 255 characters of the URL.

CRL Downloaded

Whether the CRL is downloaded on the ACE, Yes or No.

CRL Issuer Name

Name of the CRL issuer. The ACE displays the first 255 characters of the name.

Last Update

Contents of the Last Update field extracted from the CRL. The ACE displays the first 64 characters in the field.

Next Update

Contents of the Next Update field extracted from the CRL. The ACE displays the first 64 characters in the field.


If no best-effort CRL exists on the ACE, the ACE displays the following message:

No best effort crl present in the system

Note To view whether the ACE rejects client certificates when the CRL in use is expired, use the show parameter-map command.


Displaying CDP Error Statistics

CRL Distribution Points (CDPs) indicate the location of the CRL in the form of a URL. The ACE parses the CDP extension in a presented certificate only when a best-effort CRL is in use. To display statistics for discrepancies in the CDPs of presented certificates, use the show crypto cdp-errors command.

For example, to display the CDP statistics, enter:

host1/Admin# show crypto cdp-errors

Table 6-7 describes the fields in the show crypto cdp-errors command output.

Table 6-7 Field Descriptions for the show crypto cdp-errors
Command 

Field
Description

Incomplete

Number of times that the CDPs are missing information required to download the CRLs, for example, host, filename, or base information.

Malformed

Number of times that the CDPs are malformed with erroneous information, for example, specifying an incorrect attribute or base information. This counter also includes CDPs with URL lengths exceeding the ACE limit of 255 characters; a truncated URL could point to the wrong CRL.

Unrecognized Transports

Number of times that the ACE service module does not recognize or support the transport mechanism in the CDP for the CRL.

Missing from cert

Number of times that the CDPs are missing from the certificate.

Best Effort CDP Errors Ignored

Number of times that the ACE service module ignored CDP errors in the presented certificates, and thereby allowed the SSL connection. This field is related to the cdp-errors ignore command in parameter map SSL configuration mode.


Displaying OCSP Information

You can display Online Certificate Status Protocol (OCSP) information by using the show commands that are described in the following sections:

Displaying OCSP Server Statistics

Displaying the AuthorityInfoAccess Extension Error Statistics

Displaying OCSP Server Statistics

To display OCSP server statistics, use the show crypto ocspserver command in Exec mode. The syntax of this command is as follows:

show crypto ocspserver {name [detail] | all | best-effort}

The keywords and arguments are as follows:

name—Identifier of a configured OCSP server. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

detail—Instructs the ACE to display detailed statistics for the specified OCSP server.

all—Displays statistics for all configured OCSP servers.

best-effort—Displays statistics for OCSP servers that were obtained on a best-effort basis by extracting the server information from the client packets.

Table 6-8 describes the fields in the show crypto ocspserver name detail command output.

Table 6-8 Field Descriptions for the show crypto ocspserver Command 

Field
Description

Name

Identifier of the configured OCSP server.

URL

URL of the OCSP server.

Connection State

State of the connection to the OCSP server. Possible values are Connected or Not Connected. If the state is Connected, the Connected Since field that follows is specified. Otherwise, it does not appear.

Connected Since

Date and time when the existing connection with the OCSP server was established.

Total Number of Connection Attempts

Total number of connection attempts with the OCSP server.

Failed Connections

Number of connection attempts with the OCSP server that failed.

Nonce

State of nonce: enabled or disabled.

Req signer cert

Configured signer's certificate filename to sign outgoing requests to the OCSP server.

Req signer key

Configured signer's private key filename used to sign outgoing requests to the OCSP server.

Resp sign. verifier

Configured certificate to verify the signature of the OCSP server responses.

Inactivity timeout

Configured connection inactivity timeout.

Successful Connections

Number of connection attempts with the OCSP server that were successful.

No IP Addr Resolutions

Number of times that the IP address that corresponds to the host address could not be obtained successfully.

Host Timeouts

Number of times that the connection timed out while trying to establish a connection with the OCSP server.

Conn Failures

Number of connect call failures that prevented the ACE service module from establishing a connection with the OCSP server successfully.

Internal Failures

Number of internal failures that prevented the ACE service module from establishing a connection with the OCSP server successfully.

HTTP Read Failures

Number of connection failures due to HTTP read call failures.

HTTP Write Failures

Number of connection failures due to HTTP write call failures.

Inactivity timeouts

Number of times that the connection with the OCSP server was terminated because of inactivity.

Requests sent

Total number of requests that the ACE service module sent to the OCSP server.

Non-OCSP Responses

Number of non-OCSP responses received by the ACE.

OCSP Responses

Number of OCSP responses received by the ACE.

Malformed OCSP Responses

Number of malformed OCSP responses received by the ACE.

Nonce Mismatches

Number of times the OCSP responses mismatched the nonce string.

Response verify failures

Number of times that the OCSP responses failed the response signature verification.

Unreliable OCSP Responses

Number of times that the OCSP response was found to be unreliable.

Revoked responses

Number of responses that indicated the revocation status of the certificates as Revoked.

Non-revoked responses

Number of responses that indicated the revocation status of the certs as nonrevoked.

Status unknown responses

Number of times that the server failed to determine the status of the client (or provided) certificate.


For example, to display the statistics for the OCSP_SERV1 server, enter the following command:

host1/Admin# show crypto ocspserver OCSP_SERV1 detail
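
The following Python script is an added example and is not part of the Cisco documentation or the ACE software. It turns the counters from show crypto crl crl_name detail (Table 6-5) and show crypto ocspserver name detail (Table 6-8) into findings that an operator would want to act on: a high download or connection failure ratio, any non-zero integrity counter (bad CRL signature, expired Next Update, OCSP signature or nonce failures), a CRL that is stale or has never loaded, and an OCSP server running without nonces. The two samples are constructed for this example; the counter names come from the tables above, but the one-counter-per-line "Name: value" layout is an assumption about the real CLI output.

```python
"""Health checks over ACE CRL and OCSP server detail counters (added example)."""

# Constructed sample of 'show crypto crl CRL1 detail'; layout is assumed.
CRL_DETAIL = """\
URL: http://crl.example.com/issuing.crl
Last Downloaded: Mon Mar  4 02:10:00 2024
Total Number of Download Attempts: 48
Failed Download Attempts: 6
Successful Loads: 42
Failed Loads: 6
Hours since Last Load: 26
No IP Addr Resolutions: 2
Host Timeouts: 3
Next Update Invalid: 0
Next Update Expired: 1
Bad Signature: 0
CRL Found-Failed to load: 0
File Not Found: 1
Conn Failures: 0
"""

# Constructed sample of 'show crypto ocspserver OCSP_SERV1 detail'; layout is assumed.
OCSP_DETAIL = """\
Name: OCSP_SERV1
URL: http://ocsp.example.com
Connection State: Not Connected
Total Number of Connection Attempts: 120
Failed Connections: 15
Nonce: enabled
Inactivity timeout: 300
Successful Connections: 105
Requests sent: 105
Non-OCSP Responses: 2
OCSP Responses: 100
Malformed OCSP Responses: 1
Nonce Mismatches: 2
Response verify failures: 3
Unreliable OCSP Responses: 0
Revoked responses: 4
Non-revoked responses: 90
Status unknown responses: 6
"""

# Counters that should stay at zero on a healthy revocation source; a non-zero
# value means a downloaded CRL or an OCSP response failed a correctness or
# integrity check and was not trusted.
CRL_INTEGRITY = ("Bad Signature", "Next Update Invalid", "Next Update Expired",
                 "CRL Found-Failed to load")
OCSP_INTEGRITY = ("Malformed OCSP Responses", "Nonce Mismatches",
                  "Response verify failures", "Unreliable OCSP Responses",
                  "Non-OCSP Responses")


def parse_counters(text):
    """Map each 'Name: value' line to an int where numeric, otherwise to a str."""
    stats = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            value = value.strip()
            stats[name.strip()] = int(value) if value.isdigit() else value
    return stats


def ratio_exceeds(stats, failed_key, total_key, limit):
    """True when failed/total is above limit (False when nothing was attempted)."""
    total = stats.get(total_key, 0)
    return bool(total) and stats.get(failed_key, 0) / total > limit


def crl_findings(stats, max_fail_ratio=0.10, max_stale_hours=24):
    findings = []
    if ratio_exceeds(stats, "Failed Download Attempts",
                     "Total Number of Download Attempts", max_fail_ratio):
        findings.append(f"CRL download failures {stats['Failed Download Attempts']}/"
                        f"{stats['Total Number of Download Attempts']} exceed {max_fail_ratio:.0%}")
    for key in CRL_INTEGRITY:
        if stats.get(key, 0):
            findings.append(f"{key} = {stats[key]}")
    hours = stats.get("Hours since Last Load")   # the ACE prints NA if never loaded
    if hours == "NA":
        findings.append("CRL has never been loaded")
    elif isinstance(hours, int) and hours > max_stale_hours:
        findings.append(f"last successful CRL load was {hours} h ago")
    return findings


def ocsp_findings(stats, max_fail_ratio=0.10):
    findings = []
    if stats.get("Nonce") != "enabled":
        findings.append("nonce disabled: a captured 'good' response can be replayed")
    if ratio_exceeds(stats, "Failed Connections",
                     "Total Number of Connection Attempts", max_fail_ratio):
        findings.append(f"OCSP connection failures {stats['Failed Connections']}/"
                        f"{stats['Total Number of Connection Attempts']} exceed {max_fail_ratio:.0%}")
    for key in OCSP_INTEGRITY:
        if stats.get(key, 0):
            findings.append(f"{key} = {stats[key]}")
    if ratio_exceeds(stats, "Status unknown responses", "OCSP Responses", max_fail_ratio):
        findings.append("responder returns 'unknown' for too many certificates")
    return findings


if __name__ == "__main__":
    for label, text, check in (("CRL1", CRL_DETAIL, crl_findings),
                               ("OCSP_SERV1", OCSP_DETAIL, ocsp_findings)):
        for finding in check(parse_counters(text)):
            print(f"{label}: {finding}")
```

The thresholds are deliberately conservative: the integrity counters are reported on any non-zero value because each increment represents a revocation answer the ACE had to discard, and a client certificate may have been accepted or rejected on the basis of the parameter map's expired-crl and authentication-failure settings rather than on current revocation data.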
 
   

Displaying the AuthorityInfoAccess Extension Error Statistics

To display the AuthorityInfoAccess (AIA) extension error statistics, use the show crypto aia-errors command in Exec mode. The syntax of this command is as follows:

show crypto aia-errors

Table 6-9 describes the fields in the show crypto aia-errors command output.

Table 6-9 Field Descriptions for the show crypto aia-errors Command 

Field
Description

Incomplete

Number of times that AIAs are missing required information.

Malformed

Number of times that AIAs are malformed or contain erroneous information.

Unrecognized Transports

Number of AIAs with unsupported or unrecognized transports in the URL.

Missing from cert

Number of times that the AIAs were missing from certificates.

Invalid address

Number of times that the AIAs contained invalid IP addresses.


For example, to display the AIA errors for OCSP, enter the following command:

host1/Admin# show crypto aia-errors

Displaying RSA Key Pair Information

To display the key pair file summary and detailed reports, use the show crypto key command in Exec mode.

The syntax of this command is as follows:

show crypto key {filename | all}

The keywords and arguments are as follows:

filename—Name of a specific key pair file. Enter an unquoted alphanumeric string with a maximum of 40 characters. The ACE displays the key pair detailed report for the specified file.

all—Displays the key pair summary report that lists all of the available key pair files.

For example, to display the key pair summary report, enter:

host1/Admin# show crypto key all

Table 6-10 describes the fields in the show crypto key command output.

Table 6-10 Field Descriptions for the show crypto key Command 

Field
Description

Filename

Name of the key pair file that contains the RSA key pair.

Bit Size

Size (in bits) of the key pair.

Type

Type of key exchange algorithm, such as RSA.


The following example shows how to display the detailed report for the public and private keys contained in the MYKEYS.PEM key pair file:

host1/Admin# show crypto key MYKEYS.PEM
1024-bit RSA keypair

The 1024-bit key in this example is illustrative only. Current guidance (NIST SP 800-57 Part 1) treats RSA keys shorter than 2048 bits as providing inadequate security, so a Key Size of 1024 in this report on a production ACE should be treated as a finding and the key pair replaced.

Table 6-11 describes the fields in the show crypto key filename command output.

Table 6-11 Field Descriptions for the show crypto key filename Command 

Field
Description

Key Size

Size (in bits) of the RSA key pair.

Modulus

Hex value of the public modulus. The private exponent is not shown for security purposes.


Displaying Certificate Chain Group Information

To display the chain group file summary and detailed reports, use the show crypto chaingroup command in Exec mode.

The syntax of this command is as follows:

show crypto chaingroup {filename | all}

The keywords and arguments are as follows:

filename—Name of a specific chain group file. Enter an unquoted alphanumeric string with a maximum of 64 characters. The ACE displays the chain group detailed report for the specified file. The detailed report contains a list of the certificates configured for the chain group.

all—Displays the chain group summary report that lists each of the available chain group files. The summary report also lists the certificates configured for each chain group.

For example, to display the chain group summary report, enter:

host1/Admin# show crypto chaingroup all

The following example shows how to display the detailed report of the certificates configured for the MYCERTGROUP chain group:

host1/Admin# show crypto chaingroup MYCERTGROUP

Table 6-12 describes the fields in the show crypto chaingroup command output.

Table 6-12 Field Descriptions for the show crypto chaingroup Command 

Field
Description

Certificate

Certificate filename.

Subject

Distinguished name of the organization that owns the certificate and possesses the private key.

Issuer

Distinguished name of the CA that issued the certificate.
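
The following Python script is an added example and is not part of the Cisco documentation or the ACE software. It serves both the certificate summary report (Table 6-3) and the chain group report (Table 6-12): it parses the Not Before/Not After fields to report certificates that are expired, not yet valid, or due to expire within a warning window, and it walks the Issuer/Subject links of a chain group to detect the common case of a missing intermediate certificate, which the ACE will happily serve but clients will reject. Both samples are constructed; the field names come from the tables above, while the one-field-per-line "Field: value" layout, blank-line record separation, and OpenSSL-style date format are assumptions about the real CLI output. The chain check compares distinguished names only; the CLI output carries no keys, so it cannot verify signatures.

```python
"""Validity and chain checks over ACE certificate reports (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of 'show crypto certificate all'; layout is assumed.
CERT_SUMMARY = """\
Certificate file: MYCERT.PEM
Subject: /C=US/ST=California/L=San Jose/O=Example Corp/CN=www.example.com
Issuer: /C=US/O=Example Corp/CN=Example Issuing CA
Not Before: Jan  1 00:00:00 2024 GMT
Not After: Mar 15 23:59:59 2024 GMT
CA Cert: INTERMEDIATE.PEM

Certificate file: INTERMEDIATE.PEM
Subject: /C=US/O=Example Corp/CN=Example Issuing CA
Issuer: /C=US/O=Example Corp/CN=Example Root CA
Not Before: Jan  1 00:00:00 2020 GMT
Not After: Jan  1 00:00:00 2030 GMT
CA Cert: ROOT-CA.PEM

Certificate file: ROOT-CA.PEM
Subject: /C=US/O=Example Corp/CN=Example Root CA
Issuer: /C=US/O=Example Corp/CN=Example Root CA
Not Before: Jan  1 00:00:00 2015 GMT
Not After: Jan  1 00:00:00 2035 GMT
CA Cert: -
"""

# Constructed sample of 'show crypto chaingroup MYCERTGROUP' in which the
# operator forgot to add the intermediate CA certificate; layout is assumed.
CHAINGROUP = """\
Certificate: MYCERT.PEM
Subject: /C=US/ST=California/L=San Jose/O=Example Corp/CN=www.example.com
Issuer: /C=US/O=Example Corp/CN=Example Issuing CA

Certificate: ROOT-CA.PEM
Subject: /C=US/O=Example Corp/CN=Example Root CA
Issuer: /C=US/O=Example Corp/CN=Example Root CA
"""

FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")
ACE_DATE = "%b %d %H:%M:%S %Y GMT"   # OpenSSL-style, e.g. 'Mar 15 23:59:59 2024 GMT'


def parse_records(text):
    """Split blank-line separated 'Field: value' records into a list of dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        records.append(current)
    return records


def parse_ace_date(value):
    # Collapse the double space OpenSSL prints before single-digit days.
    return datetime.strptime(" ".join(value.split()), ACE_DATE).replace(tzinfo=timezone.utc)


def check_validity(summary_text, as_of, warn_days=30):
    """Classify each certificate as of the ISO date 'as_of' (YYYY-MM-DD).

    Returns {filename: 'expired' | 'not-yet-valid' | 'expiring' | 'ok'}.
    """
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    horizon = now + timedelta(days=warn_days)
    result = {}
    for rec in parse_records(summary_text):
        not_before = parse_ace_date(rec["Not Before"])
        not_after = parse_ace_date(rec["Not After"])
        if now < not_before:
            status = "not-yet-valid"
        elif now > not_after:
            status = "expired"
        elif horizon > not_after:
            status = "expiring"
        else:
            status = "ok"
        result[rec["Certificate file"]] = status
    return result


def check_chain(chaingroup_text):
    """Follow Issuer -> Subject links in a chain group and report gaps (name match only)."""
    certs = parse_records(chaingroup_text)
    by_subject = {c["Subject"]: c for c in certs}
    issuers = {c["Issuer"] for c in certs}
    problems = []
    for cert in certs:
        # Start only from certificates that issued nothing else in the group.
        if cert["Subject"] in issuers:
            continue
        seen = set()
        while cert["Subject"] != cert["Issuer"]:      # stop at a self-signed root
            seen.add(cert["Subject"])
            parent = by_subject.get(cert["Issuer"])
            if parent is None:
                problems.append(f"{cert['Certificate']}: issuer {cert['Issuer']!r} "
                                "is not in the chain group")
                break
            if parent["Subject"] in seen:              # defensive: malformed loop
                problems.append(f"{cert['Certificate']}: issuer loop")
                break
            cert = parent
    return problems


if __name__ == "__main__":
    for name, status in check_validity(CERT_SUMMARY, "2024-03-01").items():
        print(f"{name}: {status}")
    for problem in check_chain(CHAINGROUP):
        print(f"chain group: {problem}")
```

On the constructed input the chain walk reports that MYCERT.PEM's issuer, Example Issuing CA, is absent from the chain group; adding INTERMEDIATE.PEM to the group clears the finding. Because the Authority Key Identifier of each certificate should match the Subject Key Identifier of its issuer (Table 6-4), the same walk can be done on key identifiers instead of names when the detailed reports are available.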


Displaying Client Authentication Group Information

To display a list of certificates for each authentication group or the certificates in a specified client authentication group including the Subject and Issuer information for each certificate, use the show crypto authgroup command in Exec mode.

The syntax of this command is as follows:

show crypto authgroup {group_name | all}

The keywords and arguments are as follows:

group_name—Name of a specific authentication group. Enter an unquoted alphanumeric string with a maximum of 64 characters.

all—Displays the list of certificates for each authentication group.

For example, to display the list of certificates for each authentication group, enter:

host1/Admin# show crypto authgroup all

To display each certificate for the AUTH-CERT1 group including the Subject and Issuer information for each certificate, enter:

host1/Admin# show crypto authgroup AUTH-CERT1

Table 6-13 describes the fields in the show crypto authgroup group_name command output.

Table 6-13 Field Descriptions for the show crypto authgroup group_name Command 

Field
Description

Certificate

Certificate filename.

Subject

Distinguished name of the organization that owns the certificate and possesses the private key.

Issuer

Distinguished name of the CA that issued the certificate.


Displaying Cached TLS and SSL Session Entries

To display the number of cached TLS and SSL client and server session entries in the current context, use the show crypto session command in Exec mode.

The syntax of this command is as follows:

show crypto session

For example, enter:

host1/Admin# show crypto session

Displaying SSL Parameter Map Settings

To display the settings in your SSL parameter map, use the show parameter-map command in Exec mode. The syntax of this command is as follows:

show parameter-map name

The name argument specifies the name of an existing SSL parameter map. Enter the SSL parameter map name as an unquoted text string with a maximum of 64 alphanumeric characters.

For example:

host1/Admin# show parameter-map SSL_PARAMMAP

Table 6-14 describes the fields in the show parameter-map command output that apply to an SSL parameter map, including the settings that control revocation checking (expired-crl, cdp-errors) and client authentication failures. For information about the other fields that this command displays, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.

Table 6-14 Field Descriptions for the show parameter-map
Command 

Field
Description

Parameter-map

Name of the SSL parameter map

Type

SSL

Description

Previously entered text description of the SSL parameter map

version

Version of SSL or TLS

close-protocol

Status of the close-protocol command: none

expired-crl

Status of the expired-crl command: allow or reject

cdp-errors

Status of the cdp-errors command: allow or reject

authentication-failure any

Status of the authentication-failure any command: ignore

session-cache timeout

Status of the session-cache timeout command: enabled or disabled

queue-delay timeout

Status of the queue-delay timeout command: enabled or disabled

rehandshake

Status of the rehandshake enabled command: enabled or disabled

purpose-check

Status of the purpose-check command: enabled or disabled


Displaying Front-End and Back-End SSL Statistics

To display the front-end and back-end SSL statistics for the current context, use the show stats crypto command in Exec mode. This command displays alert, authentication, cipher, header insertion, redirect, and termination statistics. To clear these statistics, see the "Clearing SSL and TLS Statistics" section.

To display the back-end SSL statistics, the syntax of this command is as follows:

show stats crypto client [alert | authentication | cipher | termination]

To display the front-end SSL statistics, the syntax of this command is as follows:

show stats crypto server [alert | authentication | cipher | insert | redirect | termination]

The keywords are as follows:

client—Displays the back-end SSL statistics. Without any options, all statistics are displayed.

server—Displays the front-end SSL statistics. Without any options, all statistics are displayed.

alert—(Optional) Displays the statistics for the received and sent alert messages.

authentication—(Optional) Displays authentication statistics.

cipher—(Optional) Displays the cipher statistics.

insert—(Optional) With the server keyword, this option displays header insertion statistics.

redirect—(Optional) With the server keyword, this option displays the SSL redirect statistics.

termination—(Optional) Displays the SSL termination statistics.

For example, to display the back-end statistics, enter:

host1/Admin# show stats crypto client

To display the front-end statistics, enter:

host1/Admin# show stats crypto server
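
The following Python script is an added example and is not part of the Cisco documentation or the ACE software. It reviews the termination and cipher counters from show stats crypto server (Table 6-15) for the two things a security reviewer looks for first: whether SSLv3 is still being negotiated on the front end (the counter should be zero once the SSL parameter map's version setting is restricted to TLS), and which cipher suites carry traffic, flagging NULL, export, RC4, DES/3DES and MD5-based suites. It also derives a per-protocol handshake failure rate, which is a useful baseline for spotting probing or a broken client population. The sample output is constructed; the counter names follow the table above, but the exact spacing and the spelling of the cipher-suite names are assumptions.

```python
"""Protocol and cipher hygiene review over 'show stats crypto server' (added example)."""
import re

# Constructed sample of 'show stats crypto server'; spacing and suite names assumed.
SERVER_STATS = """\
Crypto server termination statistics:
SSLv3 negotiated protocol: 37
TLSv1 negotiated protocol: 18204
SSLv3 full handshakes: 30
SSLv3 resumed handshakes: 7
SSLv3 handshakes: 37
TLSv1 full handshakes: 12000
TLSv1 resumed handshakes: 6204
TLSv1 handshakes: 18204
SSLv3 handshake failures: 4
SSLv3 failures during data phase: 1
TLSv1 handshake failures: 210
TLSv1 failures during data phase: 12
Handshake Timeouts: 55
total transactions: 18241

Crypto server cipher statistics:
Cipher sslv3 RSA_WITH_RC4_128_MD5: 37
Cipher tlsv1 RSA_WITH_RC4_128_MD5: 1200
Cipher tlsv1 RSA_WITH_AES_128_CBC_SHA: 15004
Cipher tlsv1 RSA_WITH_AES_256_CBC_SHA: 2000
"""

COUNTER_RE = re.compile(r"^\s*(.+?):\s*(\d+)\s*$")
CIPHER_RE = re.compile(r"^\s*Cipher\s+(sslv3|tlsv1)\s+(\S+)\s*$", re.IGNORECASE)
# A suite containing any of these substrings is treated as weak: NULL and
# EXPORT mean no or 40-bit encryption, RC4 is broken, DES/3DES use a 64-bit
# block, and MD5 is an obsolete MAC.
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5")
PROTOCOLS = ("SSLv3", "TLSv1")


def parse_stats(text):
    """Return (counters, ciphers): counters maps 'name' -> int for every
    'name: N' line; ciphers maps (version, suite) -> int for the cipher lines."""
    counters, ciphers = {}, {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), int(m.group(2))
        c = CIPHER_RE.match(name)
        if c:
            ciphers[(c.group(1).lower(), c.group(2))] = value
        else:
            counters[name] = value
    return counters, ciphers


def analyze(text, max_failure_rate=0.05):
    counters, ciphers = parse_stats(text)
    findings, protocols = [], {}
    for proto in PROTOCOLS:
        negotiated = counters.get(f"{proto} negotiated protocol", 0)
        failures = counters.get(f"{proto} handshake failures", 0)
        # The ACE does not count attempts directly; completed plus failed
        # handshakes is the closest approximation available from this output.
        attempts = counters.get(f"{proto} handshakes", 0) + failures
        rate = failures / attempts if attempts else 0.0
        protocols[proto] = {"negotiated": negotiated,
                            "handshake_failures": failures,
                            "failure_rate": rate}
        if rate > max_failure_rate:
            findings.append(f"{proto} handshake failure rate {rate:.1%} "
                            f"exceeds {max_failure_rate:.0%}")
    if protocols["SSLv3"]["negotiated"]:
        findings.append(f"SSLv3 negotiated {protocols['SSLv3']['negotiated']} times; "
                        "restrict the SSL parameter map version setting to TLS")
    weak = {}
    for (_, suite), count in ciphers.items():
        if any(marker in suite for marker in WEAK_MARKERS):
            weak[suite] = weak.get(suite, 0) + count   # aggregate across protocol versions
    for suite, count in sorted(weak.items()):
        findings.append(f"weak cipher suite {suite} used by {count} connections")
    return {"protocols": protocols, "weak_ciphers": weak, "findings": findings}


if __name__ == "__main__":
    report = analyze(SERVER_STATS)
    for proto, info in report["protocols"].items():
        print(f"{proto}: negotiated={info['negotiated']} "
              f"handshake failure rate={info['failure_rate']:.2%}")
    for finding in report["findings"]:
        print("finding:", finding)
```

Run the same analysis against show stats crypto client to review the back-end side; the counters have the same names there, and a weak suite negotiated with a real server is just as much a finding as one negotiated with a client.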
 
   

Table 6-15 describes the fields in the show stats crypto command output. For an explanation of how the HTTP header insertion counters work, see the "Information about SSL HTTP Header Insertion and Truncated Counters" section.

Table 6-15 Field Descriptions for the show stats crypto
Command 

Field
Description

Crypto client/server termination statistics:

SSLv3/TLSv1 negotiated protocol

Number of connections that negotiated the protocol.

SSLv3 full handshakes

Number of SSLv3 handshakes completed without errors.

SSLv3 resumed handshakes

Number of SSLv3 handshakes resumed when using a session ID.

SSLv3 handshakes

Number of SSLv3 handshakes when using a session ID.

TLSv1 full handshakes

Number of TLSv1 handshakes completed without errors.

TLSv1 resumed handshakes

Number of TLSv1 handshakes resumed when using a session ID.

TLSv1 handshakes

Number of TLSv1 handshakes when using a session ID.

SSLv3 handshake failures

Number of SSLv3 handshake failures when using a session ID.

SSLv3 failures during data phase

Number of SSLv3 data exchange failures when using a session ID.

TLSv1 handshake failures

Number of TLSv1 handshake failures when using a session ID.

TLSv1 failures during data phase

Number of TLSv1 data exchange failures when using a session ID.

Handshake Timeouts

Number of times that the handshake timed out.

total transactions

Total number of all SSL transactions.

SSLv3 active connections

Number of SSLv3 active connections.

SSLv3 connections in handshake phase

Number of SSLv3 connections in the handshake phase.

SSLv3 conns in renegotiation phase

Number of SSLv3 connections in the renegotiation (rehandshake) phase.

SSLv3 connections in data phase

Number of SSLv3 connections in the data exchange phase of the session.

TLSv1 active connections

Number of TLSv1 active connections.

TLSv1 connections in handshake phase

Number of TLSv1 connections in the handshake phase.

TLSv1 conns in renegotiation phase

Number of TLSv1 connections in the renegotiation (rehandshake) phase.

TLSv1 connections in data phase

Number of TLSv1 connections in the data exchange phase of the session.

Crypto client/server alert statistics:

SSL alert... rcvd/sent

Number of times that the standard SSL alert messages are received or sent.

Crypto client/server authentication statistics:

Total SSL client authentications

Number of authenticated client connections. This field increments only when displaying server statistics.

Failed SSL client authentications

Number of client connections that failed authentication. This field increments only when displaying server statistics.

SSL authentication cache hits

Number of times that an authenticated client reconnects and a cache entry is found. This field increments only when displaying server statistics.

SSL static CRL lookups

Number of lookups against a statically defined CRL.

SSL best effort CRL lookups

Number of CRL lookups performed on a best-effort basis.

SSL CRL lookup cache hits

Number of CRL lookups where the cache result was used.

SSL static OCSP lookups

Number of lookups against statically configured OCSP servers.

SSL best effort OCSP lookups

Number of lookups using best-effort OCSP servers.

SSL OCSP lookup cache hits

Number of lookups where the cache result was used.

SSL revoked certificates

Number of revoked certificates encountered.

Total SSL server authentications

Number of server certificate authentications that the ACE attempted to perform. This field increments only when displaying client statistics.

Failed SSL server authentications

Number of server certificate authentications that failed. This field increments only when displaying client statistics.

Crypto client/server cipher statistics:

Cipher sslv3/tlsv1...

Number of times that the cipher suite is used in the connection.

Crypto client/server redirect statistics:

Redirects due to cert not yet valid

Number of redirects because the certificate is not valid yet.

Redirects due to cert expired

Number of redirects because the certificate has expired.

Redirects due to unknown issuer cert

Number of redirects because the ACE cannot retrieve the issuer certificate.

Redirects due to cert revoked

Number of redirects because the certificate is revoked.

Redirects due to no client cert

Number of redirects because the client did not send a client certificate.

Redirects due to no CRL available

Number of redirects because a CRL was not available.

Redirects due to expired CRL

Number of redirects because the CRL has expired.

Redirects due to bad cert signature

Number of redirects because the certificate has a bad signature.

Redirects due to other cert error

Number of redirects caused by certificate errors that do not apply to the other redirect fields.

Crypto client/server header insert statistics:

Session headers extracted

Number of HTTP headers that contain SSL-negotiated session parameter information that the ACE successfully added to the HTTP header information build1.

Session headers failed

Number of HTTP headers that contain SSL-negotiated session parameter information that the ACE could not add to the HTTP header information build1.

Server cert headers extracted

Number of HTTP headers that contain SSL server certificate information that the ACE successfully added to the HTTP header information build1.

Server cert headers failed

Number of HTTP headers that contain SSL server certificate information that the ACE could not add to the HTTP header information build1.

Client cert headers extracted

Number of HTTP headers that contain SSL client certificate information that the ACE successfully added to the HTTP header information build1.

Client cert headers failed

Number of HTTP headers that contain SSL client certificate information that the ACE could not add to the HTTP header information build1.

Headers truncated

Number of HTTP headers that contain the SSL negotiated session parameter, server certificate, or client certificate information that the ACE truncated because the combined header information exceeded 512 bytes1.

Headers insert buffer limit hit

Number of times that the buffer has reached its 512 byte limit and is not available to perform header insertion. This field increments when no part of a header is inserted because of lack of buffer space.

1 For more information, see the "Information about SSL HTTP Header Insertion and Truncated Counters" section.


Information about SSL HTTP Header Insertion and Truncated Counters

When you configure the ACE for SSL HTTP header insertion, the ACE creates a build of the HTTP header information during the SSL handshake with the client. This information is based on the SSL negotiated session parameters, client certificate parameters, or server certificate parameters that you specify in the action list. When the ACE receives the session's first HTTP request, it performs the HTTP header insert operation and inserts the HTTP header build.

While the ACE is creating the HTTP header build, it uses the following counters to track the success rate of the information being inserted:

"(header type) headers extracted" counters—The ACE increments the corresponding header type counter (session, server certificate, or client certificate) by the number of headers that it can successfully add to the information being built for the HTTP header insertion operation.

"(header type) headers failed" counters—The ACE increments the corresponding header type counter (session, server certificate, or client certificate) by the number of headers that it is unable to add to the information being built for the HTTP header insertion operation. The ACE is unable to insert a header because it encounters either an internal error (such as not being able to allocate memory) or an error when parsing a certificate field (for example, the certificate has an invalid date field).

Headers truncated—The ACE increments this counter every time it truncates a header because the combined header information exceeds 512 bytes.

The ACE creates only one build of the header information per session, which means that it inserts the same build even when you configure the ACE to insert the information into all the HTTP requests that it receives during the session. Because the same build is used for all session HTTP requests, the counters increment during the build process only and not every time the ACE performs the HTTP header insertion operation. For information about the counters that track the success rate of the HTTP header insertion operation, see the "Displaying HTTP Header Insertion Statistics" section.


Note It is possible for the ACE to extract the header information during the SSL handshake but not insert the information into the HTTP request. This situation can occur if the SSL handshake fails after the ACE extracts the header information but before it receives the first GET. When this situation occurs, the SSL counters increment but the HTTP counters do not increment.


Displaying HTTP Header Insertion Statistics

You can display HTTP statistics, including information relating to the HTTP headers that contain SSL session information, by using the show stats http command in Exec mode. The syntax of this command is as follows:

show stats http

Table 6-16 describes the fields in the show stats http command output relating to the HTTP headers that provide the server with SSL session information. For information about the other fields that display with this command, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.

Table 6-16 Field Descriptions for the show stats http Command 

Field
Description

SSL headers inserted

Number of times that the ACE successfully performed the HTTP header insert operation by inserting all of the HTTP headers that contain SSL session, client certificate, and server certificate information defined in the corresponding action list into the HTTP request.

SSL header insert errors

Number of times that the ACE failed to perform the HTTP header insert operation completely because it could not insert the HTTP headers that contain the SSL session information defined in the corresponding action list.

SSL spoof headers deleted

Number of times that the ACE deleted an HTTP header from the HTTP request that it received over the client connection. To prevent HTTP header spoofing, the ACE deletes any incoming HTTP headers that contain SSL session information that matches any of the headers that it has to insert.
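The following Python model is an added example, not ACE code; it reproduces the counter semantics described in the "Information about SSL HTTP Header Insertion and Truncated Counters" section and in Table 6-16: the header build is created once per session during the handshake (headers extracted, failed, truncated, and insert buffer limit hit, against the 512-byte limit), and that build is then inserted into the session's first HTTP request (SSL headers inserted, insert errors, spoof headers deleted). The function names, the X-SSL-* header names, the way a header that cannot keep at least its name is dropped instead of truncated, the rule that a partial build is still inserted but counted as an insert error, and all sample values are assumptions constructed for this example.

```python
"""Model of the ACE SSL HTTP header-insertion counters (added example, not ACE code).

Assumptions: X-SSL-* header names, function names and sample values are
constructed; a header that cannot keep at least its name is dropped rather
than truncated; a build that lacks action-list headers is still inserted
but counted as an insert error.
"""
from dataclasses import dataclass

HEADER_BUFFER_LIMIT = 512   # bytes available for the whole build (from the chapter)
CRLF = 2                    # bytes each inserted header line costs on the wire


@dataclass
class BuildCounters:
    """Build-time counters from 'show stats crypto' header insert statistics."""
    extracted: int = 0          # headers added in full
    failed: int = 0             # parse/internal error, header not added
    truncated: int = 0          # header cut because the build would exceed 512 bytes
    buffer_limit_hit: int = 0   # no part of the header fit


@dataclass
class InsertCounters:
    """Request-time counters from 'show stats http' (Table 6-16)."""
    inserted: int = 0
    insert_errors: int = 0
    spoof_headers_deleted: int = 0


def build_header_block(action_list, session_params, counters):
    """Create the session's header build once, during the SSL handshake.

    action_list:    [(header_name, parameter_key), ...] as configured.
    session_params: negotiated session / certificate values; None models a
                    value the ACE could not parse (the 'headers failed' case).
    Returns the 'Name: value' lines kept for insertion.
    """
    build, used = [], 0
    for header_name, key in action_list:
        value = session_params.get(key)
        if value is None:
            counters.failed += 1
            continue
        line = f"{header_name}: {value}"
        room = HEADER_BUFFER_LIMIT - used - CRLF
        if len(line) > room:
            if room <= len(header_name) + 2:      # assumption: not even the name fits
                counters.buffer_limit_hit += 1
                continue
            line = line[:room]                    # partial header, counted as truncated
            counters.truncated += 1
        else:
            counters.extracted += 1
        build.append(line)
        used += len(line) + CRLF
    return build


def insert_into_request(request_headers, build, expected_count, counters):
    """Insert the build into the session's first HTTP request.

    Incoming headers whose name matches one the ACE is about to insert are
    deleted first, so a client cannot pre-supply its own SSL session headers.
    The insert counts as successful only when every header defined in the
    action list (expected_count) is present in the build.
    """
    insert_names = {line.split(":", 1)[0].strip().lower() for line in build}
    kept = []
    for line in request_headers:
        if line.split(":", 1)[0].strip().lower() in insert_names:
            counters.spoof_headers_deleted += 1   # client-supplied header removed
            continue
        kept.append(line)
    if len(build) == expected_count:
        counters.inserted += 1
    else:
        counters.insert_errors += 1               # build incomplete: partial insert
    return kept + build


def demo():
    """One session that exercises every counter; all values are constructed."""
    action_list = [
        ("X-SSL-Protocol", "protocol"),
        ("X-SSL-Cipher", "cipher"),
        ("X-SSL-Client-NotBefore", "client_not_before"),   # unparsable -> failed
        ("X-SSL-Client-Subject", "client_subject"),
        ("X-SSL-Client-Cert", "client_cert_pem"),          # too long -> truncated
        ("X-SSL-Session-ID", "session_id"),                 # no room left -> limit hit
    ]
    session_params = {
        "protocol": "TLSv1", "cipher": "AES256-SHA", "client_not_before": None,
        "client_subject": "CN=constructed-client,O=Example",
        "client_cert_pem": "A" * 600, "session_id": "00ff",
    }
    request = ["Host: www.example.com",
               "X-SSL-Cipher: NULL-MD5",          # client-supplied spoof, must be removed
               "User-Agent: constructed/1.0"]
    bc, ic = BuildCounters(), InsertCounters()
    build = build_header_block(action_list, session_params, bc)
    headers = insert_into_request(request, build, len(action_list), ic)
    return bc, ic, headers


if __name__ == "__main__":
    bc, ic, headers = demo()
    print(bc, ic, *headers, sep="\n")
```

Running `demo()` shows the build-time counters (3 extracted, 1 failed, 1 truncated, 1 buffer limit hit) incrementing once during the build, while the request-time counters record the spoofed X-SSL-Cipher header being deleted and the incomplete build being counted as an insert error; the inserted lines never exceed the 512-byte limit.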


Clearing SSL and TLS Statistics

You can clear the SSL and TLS statistics displayed by the show stats crypto command for the current context by using the clear stats crypto command in Exec mode. The syntax for this command is as follows:

clear stats crypto [client | server [alert | authentication | cipher | termination]]

The options are as follows:

client (Optional) Clears the complete TLS and SSL client statistics for the current context.

server (Optional) Clears the complete TLS and SSL server statistics for the current context.

alert (Optional) Clears the back-end SSL alert statistics.

authentication (Optional) Clears the back-end SSL authentication statistics.

cipher (Optional) Clears the back-end SSL cipher statistics.

termination (Optional) Clears the back-end SSL termination statistics.

If you do not enter the client or server option, the ACE clears both the client and server statistics.

For example, to clear all TLS and SSL statistics, enter the following:

host1/Admin# clear stats crypto