09-25-2012 09:22 AM
Hello All:
I'm looking for some documentation I can share with a customer to explain why I can't configure a backup sticky serverfarm for them when we're not terminating SSL on the ACE (we pass SSL from the client through to the rservers, sticking the client to the rserver by source IP address). I've not been able to find anything that addresses this particular scenario in my googling so far. I remember discussing this in my training class with the instructor, but I can't find any reference to it. Have any of you run into this and have a link you can share?
Thanks in advance.
09-25-2012 09:58 AM
Hi,
This should be possible with this configuration:
serverfarm host backup
  rserver test2 443
    inservice
  rserver test3 443
    inservice
serverfarm host test
  rserver test 443
    inservice
  rserver test1 443
    inservice
sticky ip-netmask 255.255.255.255 address source test
  serverfarm test backup backup sticky
Here is the doc about it:
http://tools.cisco.com/squish/D041b
---------------------
Cesar R
09-25-2012 12:58 PM
Thanks for the reply Cesar. I've actually attempted that configuration (see below) with no success. All we get are browser errors when the backup serverfarm is active:
Chrome:
SSL connection error
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
Firefox:
Secure Connection Failed
An error occurred during a connection to service.company.com.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
Here's the config I have for this service:
probe http SERVICE-HTTP_PROBE
  port 80
  interval 15
  passdetect interval 60
  request method get url /webapps/portal/healthCheck
  expect status 200 200
  connection term forced
  open 1
probe https SERVICE-MAINTENANCE-PAGE
  port 443
  interval 15
  passdetect interval 60
  ssl version all
  request method get url /server.html
  expect status 200 200
  connection term forced
  open 1
rserver host SERVER1
  ip address 192.168.0.173
  inservice
rserver host SERVER2
  ip address 192.168.0.174
  inservice
rserver redirect SORRY
  webhost-redirection http://www.company.com/sorry.shtml 302
  inservice
rserver redirect SERVICE-REDIRECT
  webhost-redirection https://servicecompany.com 302
  inservice
serverfarm redirect SORRY-FARM
  rserver SORRY
    inservice
serverfarm redirect SERVICE-REDIRECT
  rserver SERVICE-REDIRECT
    inservice
serverfarm host SERVICE-SSL
  predictor leastconns
  probe SERVICE-HTTP_PROBE
  probe SERVICE-MAINTENANCE-PAGE
  rserver SERVER1 443
    inservice
  rserver SERVER2 443
    inservice
parameter-map type http CASE_PARAM
  case-insensitive
  persistence-rebalance
sticky ip-netmask 255.255.255.255 address source SERVICE-SSL_STICKY
  replicate sticky
  serverfarm SERVICE-SSL backup SORRY-FARM
class-map match-all SERVICE-REDIRECT_CLASS
  2 match virtual-address 10.10.10.24 tcp eq www
class-map match-all SERVICE-SSL_CLASS
  2 match virtual-address 10.10.10.24 tcp eq https
policy-map type loadbalance first-match SERVICE-REDIRECT_CLASS-l7slb
  class class-default
    serverfarm SERVICE-REDIRECT
policy-map type loadbalance first-match SERVICE-SSL_POLICY
  class class-default
    sticky-serverfarm SERVICE-SSL_STICKY
policy-map multi-match POLICY
  class SERVICE-SSL_CLASS
    loadbalance vip inservice
    loadbalance policy SERVICE-SSL_POLICY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options CASE_PARAM
  class SERVICE-REDIRECT_CLASS
    loadbalance vip inservice
    loadbalance policy SERVICE-REDIRECT_CLASS-l7slb
    loadbalance vip icmp-reply active primary-inservice
    appl-parameter http advanced-options CASE_PARAM
service-policy input POLICY
09-25-2012 01:03 PM
Hi,
The problem is that the backup serverfarm is actually a redirect; this is not going to work unless you have SSL termination configured on the ACE.
----------------------
Cesar R
09-25-2012 01:06 PM
Exactly! Do you know if there's some documentation somewhere that outlines why this doesn't work? Just looking for some backup. I wasn't coming up with anything in the Cisco documentation.
Thanks again!
09-25-2012 01:10 PM
Hi,
Not really, there is nothing in the documentation about this specifically.
----------------------
Cesar R
09-25-2012 02:20 PM
Hi
You won't find such a thing in the ACE documentation (at least not explicitly; it may be mentioned in some example, though), as it's not ACE related. It's how HTTPS works. Basically, HTTPS is just HTTP inside an SSL tunnel. You can't send or receive any HTTP commands before the SSL tunnel is built. So, you have your redirection serverfarm, which is basically a "small HTTP server" that always replies with an HTTP 302 message to any request it receives. However, it can't receive any request or send any replies when HTTPS is used, as the SSL tunnel needs to be built first.
So, it's how the protocol works; it's not about the product itself.
I guess you can give a link to this discussion to your customer.
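The protocol point above, as an added example that is not part of the thread: it feeds a constructed plain-HTTP 302 response (what a redirect rserver emits regardless of what arrives on the socket) to the same 5-byte record-header check a TLS client applies, and then reads the same bytes as HTTP. The sample bytes are constructed here (the Location URL is taken from the config posted above), and the record-size bound is the one RFC 5246 specifies.

```python
import struct

# Constructed sample (not from the thread): the bytes a plain-HTTP redirect server,
# such as an ACE "serverfarm redirect", returns to whatever it receives on the socket,
# a browser's TLS ClientHello included. Location is the sorry URL from the config above.
PLAINTEXT_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://www.company.com/sorry.shtml\r\n"
    b"Connection: close\r\n\r\n"
)
# Constructed leading bytes of a real TLS 1.2 ServerHello record, for contrast.
TLS_SERVER_HELLO_PREFIX = b"\x16\x03\x03\x00\x31\x02\x00\x00\x2d\x03\x03"

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_MAX_RECORD_LEN = 2**14 + 2048  # RFC 5246 6.2.3: fragment plus at most 2048 bytes expansion


def parse_tls_record_header(data: bytes) -> dict:
    """Read the 5-byte record header exactly as a TLS client does, before any decryption."""
    if len(data) < 5:
        raise ValueError("short read: a TLS record header needs 5 bytes")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    return {"content_type": content_type, "version": version, "length": length}

def diagnose_tls_response(data: bytes) -> list:
    """Reasons a TLS client rejects these bytes; an empty list means a plausible record."""
    hdr = parse_tls_record_header(data)
    problems = []
    if hdr["content_type"] not in TLS_CONTENT_TYPES:
        problems.append(f"content type 0x{hdr['content_type']:02x} is not a TLS record type")
    if hdr["version"] >> 8 != 0x03:
        problems.append(f"version 0x{hdr['version']:04x} is not SSL 3.x/TLS")
    if hdr["length"] > TLS_MAX_RECORD_LEN:
        # "HTTP/" decodes to a length of 0x502f = 20527, the check behind
        # Firefox's ssl_error_rx_record_too_long quoted earlier in the thread.
        problems.append(f"record length {hdr['length']} exceeds {TLS_MAX_RECORD_LEN}")
    return problems

def parse_http_redirect(data: bytes) -> tuple:
    """The same bytes read as HTTP: (status, Location), which is all a plain-HTTP client needs."""
    head = data.partition(b"\r\n\r\n")[0].split(b"\r\n")
    status = int(head[0].split(b" ")[1])
    headers = dict(line.split(b":", 1) for line in head[1:])
    return status, headers[b"Location"].strip().decode()

if __name__ == "__main__":
    print("redirect bytes read as TLS:", diagnose_tls_response(PLAINTEXT_302))
    print("ServerHello read as TLS:", diagnose_tls_response(TLS_SERVER_HELLO_PREFIX))
    print("redirect bytes read as HTTP:", parse_http_redirect(PLAINTEXT_302))
```

The same redirect bytes are a perfectly good answer to a plain-HTTP client, which is why the redirect farm works on port 80 (or behind ACE SSL termination) but not for pass-through HTTPS.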
09-25-2012 02:33 PM
Thanks Borys! That makes a lot of sense to me. Thanks for the explanation. I guess it's documented now.