ACE 4710 - SSL issues 2 ViPS

dclee
Level 1

Well, I have struggled with our new ACE over the last few weeks, but I think I am on my last issue.

Currently have all inbound SSL termination working for *.english.ca

which uses a VIP of 192.168.10.10

but

I also need to terminate all inbound SSL connections for *.french.ca

which needs to use VIP 192.168.10.20

Right now all connections still appear to be going through the 192.168.10.10 VIP when I look at the service-policy hit counts.

Here is my config:

class-map match-all english
   2 match virtual-address 192.168.10.10 255.255.255.224 tcp eq https
class-map match-all french
   2 match virtual-address 192.168.10.20 255.255.255.224 tcp eq https

policy-map multi-match vip
  class english
    loadbalance vip inservice
    loadbalance policy english
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 500
    ssl-proxy server english
  class french
    loadbalance vip inservice
    loadbalance policy french
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 500
    ssl-proxy server french

interface vlan 500
  description xxxxxxx
  ip address 192.168.10.2 255.255.255.224
  access-group input 101
  nat-pool 2 192.168.10.20 192.168.10.20 netmask 255.255.255.255 pat
  nat-pool 1 192.168.10.10 192.168.10.20 netmask 255.255.255.255 pat
  service-policy input vip
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

show service-policy summary shows that, no matter what, all SSL connections are hitting the english VIP:

service-policy: vip
Class                                  VIP                                      Prot  Port        VLAN          State    Curr Conns   Hit Count  Conns Drop
english                             204.101.28.164                            tcp   eq 443      1,500         IN-SRVC           0          11          0
french                              204.101.28.166                            tcp   eq 443      1,500         IN-SRVC           0           0          0

Surely I must be able to run multiple VIPs?

Any help would be appreciated.

Cheers

Dave

Accepted Solution

Cesar Roque
Level 4

Hello Dave,

Try changing the match statements; it should look like this:

class-map match-all english
   2 match virtual-address 192.168.10.10 tcp eq https
class-map match-all french
   2 match virtual-address 192.168.10.20 tcp eq https

-------------------------------

Cesar R

--------------------- Cesar R ANS Team


4 Replies


So no need for the masks?

Cheers

Dave

Hey Cesar, that seemed to fix my issue. I had gone with a workaround and created a separate context for the French connections, which worked fine, but this way saves me from burning another public IP for int vlan 500 in the French context.

Thanks a lot

Dave

ajayku2
Cisco Employee

Hi,

When you use a mask, you ideally end up taking the entire subnet. In this case you used the range:

191.166.10.1 - 191.166.10.30  <<< 192.168.10.10 255.255.255.224 >>>>

That's the reason for the trouble; never use a mask for the VIP.

regards,

Ajay Kumar
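To make the failure mode in this thread concrete, here is an added example (not code from the thread or from Cisco) that parses the two `class-map` blocks as posted, models `match virtual-address` as a host match when no mask is given and as a subnet match when one is, and resolves an inbound destination against the classes in policy-map order, first match wins, which is the behaviour the hit counts above show. The configs are constructed from the thread; the first-match ordering is an assumption that reproduces the observed counters.

```python
import ipaddress
import re

# Constructed from the thread: the original (masked) class-maps and the corrected ones.
MASKED_CONFIG = """
class-map match-all english
   2 match virtual-address 192.168.10.10 255.255.255.224 tcp eq https
class-map match-all french
   2 match virtual-address 192.168.10.20 255.255.255.224 tcp eq https
"""
FIXED_CONFIG = """
class-map match-all english
   2 match virtual-address 192.168.10.10 tcp eq https
class-map match-all french
   2 match virtual-address 192.168.10.20 tcp eq https
"""

# "match virtual-address <ip> [<mask>] <proto> eq <port>"; the mask is optional.
MATCH_RE = re.compile(
    r"match virtual-address\s+(\S+)(?:\s+(\d+\.\d+\.\d+\.\d+))?\s+(tcp|udp)\s+eq\s+(\S+)"
)
PORT_NAMES = {"https": 443, "http": 80, "www": 80}


def parse_class_maps(config):
    """Return [(class_name, network, proto, port)] in configuration order."""
    entries, current = [], None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("class-map "):
            current = line.split()[-1]
            continue
        m = MATCH_RE.search(line)
        if m and current:
            vip, mask, proto, port = m.groups()
            # No mask means a /32 host match; a mask widens the match to the whole subnet,
            # so 192.168.10.10 255.255.255.224 covers 192.168.10.0 - 192.168.10.31.
            net = ipaddress.ip_network(f"{vip}/{mask or '255.255.255.255'}", strict=False)
            entries.append((current, net, proto, int(PORT_NAMES.get(port, port))))
    return entries


def classify(entries, dst_ip, proto="tcp", port=443):
    """First-match lookup in policy-map order (assumed model of the multi-match policy)."""
    addr = ipaddress.ip_address(dst_ip)
    for name, net, p, prt in entries:
        if addr in net and proto == p and port == prt:
            return name
    return None
```

With the masked config every destination in 192.168.10.0/27, including the French VIP, lands in `english` because that class is listed first; with the corrected config each VIP resolves to its own class.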