06-26-2012 07:00 AM
Well, I have struggled with our new ACE over the last few weeks, but I think I am on my last issue.
Currently I have all inbound SSL termination working for *.english.ca, which uses a VIP of 192.168.10.10, but I also need to terminate all inbound SSL connections for *.french.ca, which needs to use VIP 192.168.10.20.
Right now all connections still appear to be going through the 192.168.10.10 VIP when I look at service policy hit counts.
Here is my config:
class-map match-all english
  2 match virtual-address 192.168.10.10 255.255.255.224 tcp eq https
class-map match-all french
  2 match virtual-address 192.168.10.20 255.255.255.224 tcp eq https
policy-map multi-match vip
  class english
    loadbalance vip inservice
    loadbalance policy english
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 500
    ssl-proxy server english
  class french
    loadbalance vip inservice
    loadbalance policy french
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 500
    ssl-proxy server french
interface vlan 500
  description xxxxxxx
  ip address 192.168.10.2 255.255.255.224
  access-group input 101
  nat-pool 2 192.168.10.20 192.168.10.20 netmask 255.255.255.255 pat
  nat-pool 1 192.168.10.10 192.168.10.20 netmask 255.255.255.255 pat
  service-policy input vip
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
Sh service-policy summary shows that no matter what... all SSL connections are hitting against the english VIP:
service-policy: vip
Class    VIP             Prot  Port    VLAN   State    Curr Conns  Hit Count  Conns Drop
english  204.101.28.164  tcp   eq 443  1,500  IN-SRVC  0           11         0
french   204.101.28.166  tcp   eq 443  1,500  IN-SRVC  0           0          0
Surely I must be able to run multiple VIPs?
Any help would be appreciated.
Cheers
Dave
06-26-2012 11:26 AM
Hello Dave,
Try changing the match statements, it should look like this:
class-map match-all english
  2 match virtual-address 192.168.10.10 tcp eq https
class-map match-all french
  2 match virtual-address 192.168.10.20 tcp eq https
-------------------------------
Cesar R
06-26-2012 11:30 AM
So no need for the masks?
Cheers
Dave
06-26-2012 11:40 AM
Hey Cesar, that seemed to fix my issue... I had gone with a workaround and created a separate context for the french connections, which worked fine, but this way saves me from burning another public IP for int vlan 500 in the french context.
Thanks a lot
Dave
06-26-2012 11:43 AM
Hi,
When you use a mask, you ideally end up taking the entire subnet. In this case you used the range:
191.166.10.1 - 191.166.10.30 <<< 192.168.10.10 255.255.255.224 >>>>
That's the reason for the trouble. Never use a mask for the VIP.
regards,
Ajay Kumar
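
The overlap described in this thread can be checked offline. The following is an added example, not part of any post above and not Cisco tooling: it parses the two class-maps from the original post, expands each `match virtual-address` into the range it covers, and reports which class a destination lands in. The first-match-in-order model is an assumption consistent with the hit counts shown, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the two class-maps from the original post, in policy order.
CONFIG = """\
class-map match-all english
  2 match virtual-address 192.168.10.10 255.255.255.224 tcp eq https
class-map match-all french
  2 match virtual-address 192.168.10.20 255.255.255.224 tcp eq https
"""
# The accepted fix: same class-maps with the mask removed.
FIXED = CONFIG.replace(" 255.255.255.224", "")

MATCH_RE = re.compile(
    r"match virtual-address (\S+)(?: (\d+\.\d+\.\d+\.\d+))? tcp")

def parse_vips(config):
    """Return [(class_name, IPv4Network)] in configuration order."""
    vips, name = [], None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("class-map"):
            name = line.split()[-1]
        m = MATCH_RE.search(line)
        if m and name:
            # No mask on the line is treated as a single host (/32).
            addr, mask = m.group(1), m.group(2) or "255.255.255.255"
            # strict=False because the posted lines have host bits set.
            vips.append((name, ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
    return vips

def first_match(vips, dst):
    """Assumed model: the first class whose range contains dst wins."""
    ip = ipaddress.ip_address(dst)
    return next((n for n, net in vips if ip in net), None)

def overlaps(vips):
    """Pairs of classes whose virtual-address ranges overlap."""
    return [(a, b) for i, (a, na) in enumerate(vips)
            for b, nb in vips[i + 1:] if na.overlaps(nb)]

if __name__ == "__main__":
    for label, cfg in (("posted", CONFIG), ("fixed", FIXED)):
        vips = parse_vips(cfg)
        print(label, [(n, str(net)) for n, net in vips])
        print("  overlapping classes:", overlaps(vips))
        print("  192.168.10.20 ->", first_match(vips, "192.168.10.20"))
```

With the masks in place both classes expand to the same /27, so traffic for 192.168.10.20 is claimed by the english class and terminated with its ssl-proxy service; without the masks each class is a single host and the ranges no longer overlap.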