ACE LB SSL Session ID in onearm mode

robertsj2609 — Mon, 02 Aug 2010 18:29:47 GMT

I am trying to set-up SSL stickyness using the session ID in a onearm configuration mode and can not access the website via the vip. I can browse to both servers directly.

The ACE is connected to a Cat 6500, via a 4 gigabit ethernet port-channel and only the management and onearm context vlan is trunked down the port-channel.

From the OneArm Mode context i am able to ping the MSFC (VLAN980) default gateway and both rservers. The rservers, Server Farm and Service Policy are all showing as in service. I am also able to ping the vip from any device on the network.

The incoming connection is establish and nat appears to take place, although the return session is report as init.

I have posted the configuration below and was hoping someone could make a few suggestions. One of the things i notice is on the MSFC the nat address isn't in the arp table, although, it's showing on the ACE.

logging enable
logging buffered 7

access-list everyoneline 1 extended permit ip any any

script file name SSL_PROBE_SCRIPT

probe scripted ssl443
port 443
interval 60
passdetect interval 60
script SSL_PROBE_SCRIPT

parameter-map type generic sslidparam
set max-parse-length 70

rserver host host1
ip address 192.168.20.129
inservice
rserver host host2
ip address 192.168.20.130
inservice

serverfarm host ssl-443
rserver host1
    weight 10
    probe ssl443
    inservice
rserver host2
    weight 10
    probe ssl443
    inservice

sticky layer4-payload sticky-443
timeout 720
serverfarm ssl-443
response sticky
layer4-payload offset 43 length 32 begin-pattern "\x20"

class-map type management match-any MANAGEMENT
2 match protocol icmp any
3 match protocol http any
4 match protocol https any
5 match protocol ssh any
6 match protocol telnet any

class-map match-any slb-vip
3 match virtual-address 192.168.198.50 tcp eq https

policy-map type management first-match MANAGEMENT-POLICY
class MANAGEMENT
permit

policy-map type loadbalance generic first-match slb-vip
class class-default
sticky-serverfarm sticky-443

policy-map multi-match SSL-STICKY
class slb-vip
    loadbalance vip inservice
    loadbalance policy slb-vip
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 980
    appl-parameter generic advanced-options sslidparam

interface vlan 980
ip address 192.168.198.4 255.255.255.0
peer ip address 192.168.198.5 255.255.255.0
access-group input everyone
nat-pool 1 192.168.198.6 192.168.198.6 netmask 255.255.255.255 pat
service-policy input MANAGEMENT-POLICY
service-policy input SSL-STICKY
no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.198.1

sh conn

total current connections : 2

conn-id np dir proto vlan source destination state

----------+--+---+-----+----+---------------------+---------------------+------+

19828 1 in TCP 98 192.168.18.139:2411 192.168.198.50:443 ESTAB

19829 1 out TCP 98 192.168.20.129 :443 192.168.198.6:1059 INIT

Re: ACE LB SSL Session ID in onearm mode

robertsj2609 — Tue, 03 Aug 2010 18:22:07 GMT

The problem was caused by an incorrect nat pool. Correct Mask was 255.255.255.0.

topic Re: ACE LB SSL Session ID in onearm mode in Application Networking

ACE LB SSL Session ID in onearm mode

Re: ACE LB SSL Session ID in onearm mode