03-21-2013 08:33 AM
We have an ACE 4710 with a basic config (see below).
When clicking on a tab from a window within Internet Explorer we occasionally get an issue with it returning: "Internet Explorer cannot display the webpage". The details show "Access is denied" accessing a particular line of a JavaScript file.
We have put one web server out of service in the farm to make sure that this isn't a result of stickiness not quite working.
We have tested extensively by going directly to the web server without the load balancer and cannot reproduce the problem, but we can produce the issue within a few minutes when going to the load balanced address.
Thanks in advance for any advice.
HOST-1/Admin# show run
Generating configuration....
logging enable
logging fastpath
logging standby
logging timestamp
logging trap 6
logging history 6
resource-class SLB_ResourceClass_T_R
  limit-resource all minimum 10.00 maximum unlimited
resource-class sticky
  limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-t1k9-mz.A5_1_2.bin
peer hostname HOST-2
hostname HOST-1
interface gigabitEthernet 1/1
  switchport access vlan 1000
  no shutdown
interface gigabitEthernet 1/2
  shutdown
interface gigabitEthernet 1/3
  description LB003
  switchport access vlan 1
  shutdown
interface gigabitEthernet 1/4
  description LB004
  switchport access vlan 2
  shutdown
interface port-channel 1
  port-channel load-balance src-dst-port
  no shutdown
clock timezone standard GMT
switch-mode
context Admin
  description SUTLB01
  member SLB_ResourceClass_T_R
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe tcp probe_tcp_80
  port 80
rserver host Server_S_W301
  description Server_S_W301
  ip address x.x.32.152
  inservice
rserver host Server_S_W302
  description Server_S_W302
  ip address x.x.32.154
  inservice
serverfarm host sfarm_T_R
  description sfarm_T_R
  predictor leastconns
  probe probe_tcp_80
  rserver Server_S_W301 80
  rserver Server_S_W302 80
    inservice
sticky http-cookie Cookie1 T_R_sticky_cookie
  cookie insert browser-expire
  timeout 3600
  serverfarm sfarm_T_R
class-map match-any T_R_L4Class
  2 match virtual-address x.x.33.150 tcp eq www
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance first-match T_R_L7policy
  class class-default
    sticky-serverfarm T_R_sticky_cookie
policy-map multi-match T_R_L4Policy
  class T_R_L4Class
    loadbalance vip inservice
    loadbalance policy T_R_L7policy
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 1000
interface vlan 1000
  ip address x.x.33.148 255.255.254.0
  access-group input ALL
  nat-pool 2 x.x.33.151 x.x.33.151 netmask 255.255.254.0 pat
  service-policy input remote_mgmt_allow_policy
  service-policy input T_R_L4Policy
  no shutdown
ip route 0.0.0.0 0.0.0.0 x.x.32.1
ssh key rsa 1024 force
03-21-2013 10:23 AM
- What browser and version?
- Are you facing this issue in other browser types & versions?
03-21-2013 10:35 AM
Hi we are using Internet Explorer 8
But when using the same browser on the same workstation, but going to the web server directly we get no issues.
03-21-2013 11:12 AM
As your configuration looks fine I would suggest you check with other browser types as well. I think the problem stems from a certain security feature in this browser, and also we can't rely on a single browser for troubleshooting.
If the same problem persists in other browser types then you should try removing the insert cookie and using the cookie generated by the rserver.
03-21-2013 05:52 PM
Amit,
I would suggest you to do the following:
You may require to get some capture at the time the issue is present.
Jorge
03-22-2013 02:05 AM
Hi thanks for the responses,
1. By default, with the config above, does the load balancer perform any type of caching?
2. Could this be an MTU issue - I believe it's set to 1500 on both the server and the load balancer?
03-22-2013 04:59 AM
Amit,
Can you upload the #show stats http?
I would say you should try to check with different browsers to see how it behaves.
Additionally, you may need to get a capture on the client side and server side at the same time. If the captures are not simultaneous then they won't work.
Jorge
03-25-2013 09:25 AM
+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 421347 , TCP data msgs sent : 2099597
Inspect parse result msgs sent : 0 , SSL data msgs sent : 0
TCP fin msgs sent : 6169 , TCP rst msgs sent: : 769
Bounced fin msgs sent : 5 , Bounced rst msgs sent: : 1
SSL fin msgs sent : 0 , SSL rst msgs sent: : 0
Drain msgs sent : 337811 , Particles read : 5040829
Reuse msgs sent : 0 , HTTP requests : 342499
Reproxied requests : 183422 , Headers removed : 37475
Headers inserted : 342124 , HTTP redirects : 0
HTTP chunks : 224859 , Pipelined requests : 71466
HTTP unproxy conns : 267246 , Pipeline flushes : 0
Whitespace appends : 0 , Second pass parsing : 0
Response entries recycled : 71302 , Analysis errors : 0
Header insert errors : 22 , Max parselen errors : 215
Static parse errors : 99 , Resource errors : 0
Invalid path errors : 0 , Bad HTTP version errors : 0
Headers rewritten : 0 , Header rewrite errors : 0
SSL headers inserted : 0 , SSL header insert errors : 0
SSL spoof headers deleted : 0 , Unproxy msgs sent : 267246
HTTP passthrough stat : 0
NOTE - We did turn on caching at one point to try and resolve the issue but it has since been turned off
03-25-2013 12:18 PM
Hi,
Does the webserver require you to authenticate using Kerberos by any chance?
If so, the Kerberos ticket may have a size larger than 4 kilobytes, which can explain the access denied error, as the ticket is never passed on to the webserver from the client.
Cheers,
Søren
03-25-2013 03:04 PM
Hi Amit,
try with a parameter like this:
parameter-map type http test
  persistence-rebalance
  set header-maxparse-length 65535
  set content-maxparse-length 65535
  length-exceed continue
Add it to the policy-map multi-match
---------------------
Cesar R
ANS Team
03-25-2013 03:18 PM
Amit,
In regards to the output of #show stats http which I asked you for before, it looks like you are getting some Static parse errors and Max parselen errors, so as my colleague César mentioned, it will be good to apply the http parameter.
Anyway, we will still require the captures from the client side and server side at the same time.
Have you had time to test it with other browsers?
Jorge.
03-26-2013 10:34 AM
The fix by Cesar appears to have worked, we are still testing but I will update again later.
Thanks for all the replies and help.
03-27-2013 05:44 AM
No issues so far.
Is there any impact of setting the header-maxparse-length to 65535 and content-maxparse-length to 65535 in terms of performance or capacity of the load balancer?
Should we try and work out the optimum value to set these values at?
03-28-2013 01:34 PM
Hi Amit,
The bigger the number, the more time the ACE takes to buffer the packets in order to make a load-balancing decision. It is better if you tune these values to something lower that still meets your needs.
---------------------
Cesar R
ANS Team
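One way to work out a lower value, as suggested in the reply above, is to measure the header section of requests taken from a client-side capture and size header-maxparse-length from the largest one. This is an added example, not code from the thread; the sample requests are constructed, and the helper names, the 25% headroom and the 1024-byte rounding step are assumptions.

```python
import math

ACE_MAX = 65535        # value set in the thread's parameter-map
BACKEND_LIMIT = 8192   # 8 KB header limit the poster cites for Apache/JBoss


def header_section_len(raw: bytes) -> int:
    """Bytes from the request line through the blank line that ends the headers."""
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        raise ValueError("header section is incomplete (no CRLFCRLF)")
    return end + 4


def largest_header(raw: bytes):
    """(name, bytes on the wire) of the biggest header line, usually Cookie."""
    lines = raw[:header_section_len(raw) - 4].split(b"\r\n")[1:]
    if not lines:
        return ("", 0)
    big = max(lines, key=len)
    return big.split(b":", 1)[0].decode("ascii", "replace"), len(big) + 2


def over_limit(requests, limit):
    """Indexes of requests whose header section exceeds `limit` bytes."""
    return [i for i, r in enumerate(requests) if header_section_len(r) > limit]


def recommend_limit(requests, headroom=0.25, step=1024):
    """Largest observed header section plus headroom, rounded up to `step`."""
    need = max(header_section_len(r) for r in requests) * (1 + headroom)
    return min(ACE_MAX, math.ceil(need / step) * step)


def _sample(cookie_len: int) -> bytes:
    # Constructed request; host, path and cookie name are made up.
    return (b"GET /app/tab.js HTTP/1.1\r\nHost: app.example\r\n"
            b"Cookie: T=" + b"a" * cookie_len + b"\r\n\r\n")


SAMPLES = [_sample(200), _sample(3000), _sample(5200)]

if __name__ == "__main__":
    for i, r in enumerate(SAMPLES):
        print(i, header_section_len(r), largest_header(r))
    limit = recommend_limit(SAMPLES)
    print("suggested header-maxparse-length:", limit)
    print("fits back-end 8 KB limit:", limit <= BACKEND_LIMIT)
```

Run it over requests captured while reproducing the failing page, since the largest header section (typically the one with the most cookies) is what sets the floor for the limit.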
04-03-2013 01:01 AM
Thanks Cesar, our technology stack consists of a JBOSS server, an Apache web server in front of that and the load balancer in front of that. The JBOSS server and Web Server have a maximum of 8kb.
Would it be correct to assume that anything extra that the load balancer is adding to the header that the total length of the header is still under 8kb as we are not seeing issues with JBOSS or APACHE?
Thanks for all the help.