06-26-2012 07:00 AM
Well, I have struggled with our new ACE over the last few weeks, but I think I am on my last issue.
Currently have all inbound SSL termination working for *.english.ca, which uses a VIP of 192.168.10.10, but I also need to terminate all inbound SSL connections for *.french.ca, which needs to use VIP 192.168.10.20.
Right now all connections still appear to be going thru the 192.168.10.10 VIP when I look at service policy hitcounts.
Here is my config:
class-map match-all english
  2 match virtual-address 192.168.10.10 255.255.255.224 tcp eq https
class-map match-all french
  2 match virtual-address 192.168.10.20 255.255.255.224 tcp eq https
policy-map multi-match vip
  class english
    loadbalance vip inservice
    loadbalance policy english
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 500
    ssl-proxy server english
  class french
    loadbalance vip inservice
    loadbalance policy french
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 500
    ssl-proxy server french
interface vlan 500
  description xxxxxxx
  ip address 192.168.10.2 255.255.255.224
  access-group input 101
  nat-pool 2 192.168.10.20 192.168.10.20 netmask 255.255.255.255 pat
  nat-pool 1 192.168.10.10 192.168.10.20 netmask 255.255.255.255 pat
  service-policy input vip
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
Sh service-policy summary shows that no matter what...all ssl connections are hitting against the english vip
service-policy: vip
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
english 204.101.28.164 tcp eq 443 1,500 IN-SRVC 0 11 0
french 204.101.28.166 tcp eq 443 1,500 IN-SRVC 0 0 0
Surely I must be able to run multiple VIPs?
Any help would be appreciated.
Cheers
Dave
Accepted Solutions
06-26-2012 11:26 AM
Hello Dave,
Try changing the match statements, it should look like this:
class-map match-all english
  2 match virtual-address 192.168.10.10 tcp eq https
class-map match-all french
  2 match virtual-address 192.168.10.20 tcp eq https
-------------------------------
Cesar R
06-26-2012 11:30 AM
So no need for the masks?
Cheers
Dave
06-26-2012 11:40 AM
Hey Cesar, that seemed to fix my issue. I had gone with a workaround and created a separate context for the french connections, which worked fine, but this way saves me from burning another public IP for int vlan 500 in the french context.
Thanks a lot
Dave
06-26-2012 11:43 AM
Hi,
When you use a mask, you ideally end up taking the entire subnet; in this case you used the range:
191.166.10.1 - 191.166.10.30 <<< 192.168.10.10 255.255.255.224 >>>>
That's the reason for the trouble. Never use a mask for the VIP.
regards,
Ajay Kumar
