cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2848
Views
0
Helpful
15
Replies

ACE 4710 - Internet Explorer cannot display the webpage randomly

misterc100
Level 1
Level 1

We have a ACE 4710 with a basic config, (see below).

When clicking on a tab from a window within Interent explorer we occasionally get an issue with it returning: "Internet Explorer cannot display the webpage" The details show "Access is denied" accessing a particular line of a javascript file.

We have put one web server out of service in the farm to make sure that this isn't a result of stickyness not quite working.

We have tested extensively by going directly to the web server directly without the load balancer and cannot reproduce the problem but we can produce the issue within a few minutes when going to the load balanced address.

Thanks in advance for any advice.

HOST-1/Admin# show run
Generating configuration....

logging enable
logging fastpath
logging standby
logging timestamp
logging trap 6
logging history 6

resource-class SLB_ResourceClass_T_R
  limit-resource all minimum 10.00 maximum unlimited
resource-class sticky
  limit-resource all minimum 10.00 maximum unlimited

boot system image:c4710ace-t1k9-mz.A5_1_2.bin

peer hostname HOST-2
hostname HOST-1
interface gigabitEthernet 1/1
  switchport access vlan 1000
  no shutdown
interface gigabitEthernet 1/2
  shutdown
interface gigabitEthernet 1/3
  description LB003
  switchport access vlan 1
  shutdown
interface gigabitEthernet 1/4
  description LB004
  switchport access vlan 2
  shutdown
interface port-channel 1
  port-channel load-balance src-dst-port
  no shutdown

clock timezone standard GMT
switch-mode
context Admin
  description SUTLB01
  member SLB_ResourceClass_T_R

access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

probe tcp probe_tcp_80
  port 80


rserver host Server_S_W301
  description Server_S_W301
  ip address x.x.32.152
  inservice
rserver host Server_S_W302
  description Server_S_W302
  ip address x.x.32.154
  inservice

serverfarm host sfarm_T_R
  description sfarm_T_R
  predictor leastconns
  probe probe_tcp_80
  rserver Server_S_W301 80
  rserver Server_S_W302 80
    inservice
   
   

sticky http-cookie Cookie1 T_R_sticky_cookie
  cookie insert browser-expire
  timeout 3600
  serverfarm sfarm_T_R


class-map match-any T_R_L4Class
  2 match virtual-address x.x.33.150 tcp eq www
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit


policy-map type loadbalance first-match T_R_L7policy
  class class-default
    sticky-serverfarm T_R_sticky_cookie


policy-map multi-match T_R_L4Policy
  class T_R_L4Class
    loadbalance vip inservice
    loadbalance policy T_R_L7policy
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 1000

interface vlan 1000
  ip address x.x.33.148 255.255.254.0
  access-group input ALL
  nat-pool 2 x.x.33.151 x.x.33.151 netmask 255.255.254.0 pat
  service-policy input remote_mgmt_allow_policy
  service-policy input T_R_L4Policy
  no shutdown

ip route 0.0.0.0 0.0.0.0 x.x.32.1


ssh key rsa 1024 force

15 Replies 15

pradeepser
Level 1
Level 1

- What browser and version?

- Are you facing this issue in other browser types & versions?

Hi we are using Internet Explorer 8

But when using the same browser on the same workstation, but going to the web server directly we get no issues.

As your configuration looks fine I would suggest you to check with other browser types as well. I think the problem stems from certain security feature in this browser and also we cant rely on a single browser for troubleshooting.

If the same problem persists in other broswer types then you shall try by removing insert cookie and use the cookie generated by the rserver.

Jorge Bejarano
Level 4
Level 4

Amit,

I would suggest you to do the following:

  • Check with different browsers
  • Make sure you clear the browser's cookies.
  • Turn off one of the servers and check one at the time.

You may require to get some capture at the time the issue is present.

Jorge

Hi thanks for the responses,

  • I have not checked with another browser as yet - but I cannot reproduce the issue when going directly to the Web server rather than via the load balancer (using the same browser on the same machine)
  • I have cleared the browser cookies and temporary internet files and can reproduce the issue.
  • I have turned off one of the servers at a time and can still reproduce the issue on both. In the config above you can see that I have even put one server out of service to ensure that the issue is not stickyness.

1.By default with the config above does the load balancer perform any type of caching?

2. Could this be an MTU issue - I believe its set too 1500 on both the server and the Load balancer?

Amit,

Can you upload the #show stats http?

I would say you should try to check with different browsers to see how it behaves.

Additionally, you may need to get a capture on the client side and server side at the same time. If the captures are not simultaneous then they won't work.

Jorge

+------------------------------------------+

+-------------- HTTP statistics -----------+

+------------------------------------------+

LB parse result msgs sent : 421347     , TCP data msgs sent       : 2099597

Inspect parse result msgs : 0          , SSL data msgs sent       : 0

                      sent

TCP fin msgs sent         : 6169       , TCP rst msgs sent:       : 769

Bounced fin msgs sent     : 5          , Bounced rst msgs sent:   : 1

SSL fin msgs sent         : 0          , SSL rst msgs sent:       : 0

Drain msgs sent           : 337811     , Particles read           : 5040829

Reuse msgs sent           : 0          , HTTP requests            : 342499

Reproxied requests        : 183422     , Headers removed          : 37475

Headers inserted          : 342124     , HTTP redirects           : 0

HTTP chunks               : 224859     , Pipelined requests       : 71466

HTTP unproxy conns        : 267246     , Pipeline flushes         : 0

Whitespace appends        : 0          , Second pass parsing      : 0

Response entries recycled : 71302      , Analysis errors          : 0

Header insert errors      : 22         , Max parselen errors      : 215

Static parse errors       : 99         , Resource errors          : 0

Invalid path errors       : 0          , Bad HTTP version errors  : 0

Headers rewritten         : 0          , Header rewrite errors    : 0

SSL headers inserted      : 0          , SSL header insert errors : 0

SSL spoof headers deleted : 0         , Unproxy msgs sent         : 267246

HTTP passthrough stat     : 0

NOTE - We did turn on caching at one point to try and resolve the issue but it has since been turned off

sesoerensen
Level 1
Level 1

Hi,

Does the webserver require you to authenticate using Kerberos by any chance?
If so, the Kerberos ticket may have a size larger than 4 kilobytes, which can explain the access denied error,
As the ticket is never passed on to the webserver from the client.

Cheers,

Søren

Sent from Cisco Technical Support iPad App

Cesar Roque
Level 4
Level 4

Hi Amit,

try with a parameter like this:

parameter-map type http test

  persistence-rebalance

  set header-maxparse-length 65535

  set content-maxparse-length 65535

  length-exceed continue

Add it to the policy-map multi-match

---------------------
Cesar R
ANS Team

--------------------- Cesar R ANS Team

Jorge Bejarano
Level 4
Level 4

Amit,

In regards to the output #show statst http which I asked you before it looks you are getting some

Static parse errors and Max parselen errors then as my colleague César mentioned, it will be good to apply the http parameter.

Anyway, we will still require the captures from the client side and server side at the same time.

Have you had time to test it with other browsers?

Jorge.

misterc100
Level 1
Level 1

The fix by Cesar appears to have worked, we are still testing but I will update again later.


Thanks for all the replies and help.

misterc100
Level 1
Level 1

No issues so far.

Is there any impact of setting the header-maxparse-length too 65535 and content-maxparse-length to 65535 in terms of performance or capacity of the load balancer?

Should we try and work out the optimum value to set these values at?

Hi Amit,

The bigger the number, the bigger the time the ACE takes to buffer the packets in order  to take a loadbalance decission.  Is better if you tune these values to something lower but  still accomplishing with your needs.

---------------------
Cesar R
ANS Team

--------------------- Cesar R ANS Team

misterc100
Level 1
Level 1

Thanks Cesar, our techsnology stack consists of a JBOSS server, a  Apache web server in front of that and the load balancer in front of that. The JBOSS server and Web Server have a maximum of 8kb.

Would it be correct to assume that anything extra that the load balancer is adding to the header that the total length of the header is still under 8kb as we are not seeing issues with JBOSS or APACHE?

Thanks for all the help.

Review Cisco Networking for a $25 gift card