topic ACE 4710 - SSL issues 2 ViPS in Application Networking

ACE 4710 - SSL issues 2 ViPS

dclee — Tue, 26 Jun 2012 14:00:48 GMT

Well I have struggled with our new ACE over the last few weeks but I think I am on my last issue

Currently have all inbound SSL termination working for *.english.ca

which uses a VIP of 192.168.10.10

but

I also need to terminate all inbound SSL connections for *.french.ca

which needs to use VIP 192.168.10.20

Right now all connections still appear to be going thru the 192.168.10.10 VIP when I look at service policy hitcounts.

Here is my config

class-map match-all english

2 match virtual-address 192.168.10.10 255.255.255.224 tcp eq https

class-map match-all french

2 match virtual-address 192.168.10.20 255.255.255.224 tcp eq https

policy-map multi-match vip

class english

loadbalance vip inservice

loadbalance policy english

loadbalance vip icmp-reply active

nat dynamic 1 vlan 500

ssl-proxy server english

class french

loadbalance vip inservice

loadbalance policy french

loadbalance vip icmp-reply active

nat dynamic 2 vlan 500

ssl-proxy server french

interface vlan 500

description xxxxxxx

ip address 192.168.10.2 255.255.255.224

access-group input 101

nat-pool 2 192.168.10.20 192.168.10.20 netmask 255.255.255.255 pat

nat-pool 1 192.168.10.10 192.168.10.20 netmask 255.255.255.255 pat

service-policy input vip

service-policy input REMOTE_MGMT_ALLOW_POLICY

no shutdown

Sh service-policy summary shows that no matter what...all ssl connections are hitting against the english vip

service-policy: vip

Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop

english 204.101.28.164 tcp eq 443 1,500 IN-SRVC 0 11 0

french 204.101.28.166 tcp eq 443 1,500 IN-SRVC 0 0 0

Surely I must be able to run multiple VIPS ?

Any help would be appreciated.

Cheers

Dave

ACE 4710 - SSL issues 2 ViPS

Cesar Roque — Tue, 26 Jun 2012 18:26:22 GMT

Hello Dave,

Try changing the match statements, it should look like this:

class-map match-all english

2 match virtual-address 192.168.10.10 tcp eq https

class-map match-all french

2 match virtual-address 192.168.10.20 tcp eq https

-------------------------------

Cesar R

ACE 4710 - SSL issues 2 ViPS

dclee — Tue, 26 Jun 2012 18:30:00 GMT

So no need for the masks ?

Cheers

Dave

ACE 4710 - SSL issues 2 ViPS

dclee — Tue, 26 Jun 2012 18:40:36 GMT

Hey Cesar, that seemed to fix my issue...I had gone with a work around and created a seperate context for the french connections which worked fine..but this way saves me from burning another public IP for int vlan 500 in the french context.

Thanks alot

Dave

ACE 4710 - SSL issues 2 ViPS

ajayku2 — Tue, 26 Jun 2012 18:43:20 GMT

Hi,

when you use a mask you ideally end up taking the entire subnet in this case you used the range:

191.166.10.1 - 191.166.10.30 <<< 192.168.10.10 255.255.255.224 >>>>

Thats the reason for the trouble never use mask for the vip.

regards,

Ajay Kumar