ACE balance cookie + https

Rafael Mendes
Level 2

Hello Everyone,

I have an ACE 4400 appliance for balancing some applications on the network.

I have one application (Citrix); the connection to this site is HTTPS (443).

I had cookie-based balancing, but this only worked if I left only one server "inservice" on the serverfarm; if I added the second, the application showed me a screen saying "your web interface session is in an inconsistent state."

Because of the above problems, I set the cookie connection to work with "persistence rebalance", but the problem continued.

After I changed the serverfarm to be balanced by source IP, the troubles were over; I kept the persistence rebalance.

Now comes the question: why does it not work with the cookie? Does HTTPS not work if the load balancer changes something in the packet, such as information inside a cookie?

Old configuration:

sticky http-cookie NFUSE-COOKIE STICKY-HIAE-NFUSE-COOKIE
  cookie insert browser-expire
  replicate sticky
  serverfarm SF-HIAE-NFUSE

Current Configuration:

sticky ip-netmask 255.255.255.255 address source STICKY-HIAE-TESTE-NFUSE
  replicate sticky
  serverfarm SF-HIAE-NFUSE

Class map, policy map and parameter map:

class-map match-all VS-HIAE-NFUSE
   2 match virtual-address 192.168.16.30 tcp any


policy-map type loadbalance first-match VS-HIAE-NFUSE-l7slb
  class class-default
    sticky-serverfarm STICKY-HIAE-TESTE-NFUSE


  class VS-HIAE-NFUSE
    loadbalance vip inservice
    loadbalance policy VS-HIAE-NFUSE-l7slb
    loadbalance vip icmp-reply active primary-inservice
    appl-parameter http advanced-options HTTP-OPTS


parameter-map type http HTTP-OPTS
    persistence-rebalance

Thanks a lot.

Rafael Mendes


6 Replies

ddastoli
Cisco Employee

Hi Rafael.

First thing to figure out here is:

are you terminating SSL on the ACE?

If not, the ACE will not be able to read the HTTPS payload, and consequently no cookie stickiness can be done.

In this case, you should use

sticky layer4-payload

Cheers,

Domenico

Hi Domenico,

I am terminating SSL on the server; the serverfarm/rserver is configured for all ports.

Example:

rserver Server1
  X.X.X.X:0
rserver Server2
  X.X.X.X:0

Would this setting only work if the serverfarm was configured directly on port 443?

Anyway, if I set up L4 balancing, there would be no problems with changes in the packet, you're right.

Can you give me an example L4 configuration?

Thanks.

Accepted Solution

Rafael,

You have 2 possibilities:
1- you terminate the SSL traffic on the ACE. In this case, the ACE will be able to read the cookie and apply stickiness correctly.
2- You use the SSL stickiness.

In the latter case, since the ACE is not doing SSL termination, you need to match on the SSL payload, i.e.:
sticky layer4-payload STICKY-SSL
     serverfarm EXCHANGE2K10HUB_OWA1
     response sticky
     layer4-payload offset 43 length 32 begin-pattern "\x20"
You can find in this document quite nice examples about it:
http://docwiki.cisco.com/wiki/Secure_Sockets_Layer_Persistence_Configuration_Example
Cheers, Domenico.
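What the accepted solution relies on, shown as an added example that is not part of the thread or of Cisco's ACE documentation: in a ClientHello or ServerHello the TLS record header (5 bytes), handshake header (4), protocol version (2) and random (32) add up to 43 bytes, so byte 43 is the session_id length, 0x20 for the usual 32-byte ID, and the 32 bytes after it are the session ID. The script below models the rule "layer4-payload offset 43 length 32 begin-pattern \x20" as an exact match at the offset (an assumption; the real ACE searches from the offset within max-parse-length), learns the key from a constructed ServerHello the way "response sticky" does, matches it in the client's resumption ClientHello, and shows the failure mode of a hello with an empty session ID, which leaves nothing to stick on. The server name WPVAP07 is taken from Rafael's serverfarm; all byte strings are constructed test data.

```python
import os
import struct

# TLS record header (5) + handshake header (4) + version (2) + random (32) = 43:
# byte 43 of a ClientHello or ServerHello is the session_id length. With the
# common 32-byte session ID that byte is 0x20, which is what the ACE rule
# 'layer4-payload offset 43 length 32 begin-pattern "\x20"' keys on.
SESSION_ID_OFFSET = 43
SESSION_ID_LEN = 32


def build_hello(handshake_type, session_id, version=(3, 1)):
    """Construct a minimal TLS 1.0 record carrying a ClientHello (type 1) or
    ServerHello (type 2). Everything up to and including the session ID follows
    the real wire layout; the cipher suite / compression fields after it are
    stubs. Constructed test data, not a capture from the thread's servers."""
    body = struct.pack("!BB", *version) + os.urandom(32)      # version + random
    body += bytes([len(session_id)]) + session_id             # session_id<0..32>
    if handshake_type == 1:   # ClientHello: cipher_suites<2..>, compression_methods<1..>
        body += b"\x00\x02\x00\x2f" + b"\x01\x00"
    else:                     # ServerHello: cipher_suite, compression_method
        body += b"\x00\x2f" + b"\x00"
    handshake = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return (b"\x16" + struct.pack("!BB", *version)
            + struct.pack("!H", len(handshake)) + handshake)


def ace_layer4_sticky_key(payload, offset=SESSION_ID_OFFSET,
                          length=SESSION_ID_LEN, begin_pattern=b"\x20"):
    """Model of the ACE rule (assumption: pattern must sit exactly at `offset`):
    skip `offset` bytes, require `begin_pattern` there, and use the `length`
    bytes after it as the sticky key. Returns None when the pattern is not
    where the rule expects it, e.g. an empty or non-32-byte session ID."""
    start = offset + len(begin_pattern)
    if payload[offset:start] != begin_pattern:
        return None
    key = payload[start:start + length]
    return key if len(key) == length else None


class StickyTable:
    """'response sticky': learn the key from the server's hello, then match the
    same bytes in later ClientHellos to send the resumption to that server."""

    def __init__(self):
        self.entries = {}

    def learn_from_response(self, server, server_hello):
        key = ace_layer4_sticky_key(server_hello)
        if key is not None:
            self.entries[key] = server
        return key

    def lookup(self, client_hello):
        key = ace_layer4_sticky_key(client_hello)
        return None if key is None else self.entries.get(key)


def cookie_visible(payload):
    """Why cookie stickiness failed on port 443: the cookie name is only
    visible in cleartext HTTP, never inside TLS application data."""
    return b"NFUSE-COOKIE" in payload


def demo():
    sid = bytes(range(32))
    table = StickyTable()
    # Full handshake answered by WPVAP07, which issues a 32-byte session ID.
    assert table.learn_from_response("WPVAP07", build_hello(2, sid)) == sid
    # The client's next connection resumes with that ID: same bytes, same offset.
    assert table.lookup(build_hello(1, sid)) == "WPVAP07"
    # Failure mode: an empty session ID puts 0x00 at byte 43, the pattern does
    # not match and the ACE has nothing to stick on (plain load balancing).
    assert ace_layer4_sticky_key(build_hello(1, b"")) is None
    # A cleartext HTTP response exposes the cookie; a TLS record does not.
    http = b"HTTP/1.1 200 OK\r\nSet-Cookie: NFUSE-COOKIE=abc; path=/\r\n\r\n"
    tls_app_data = b"\x17\x03\x01\x00\x20" + bytes(range(0x80, 0xa0))  # stand-in ciphertext
    assert cookie_visible(http) and not cookie_visible(tls_app_data)
    return True


if __name__ == "__main__":
    demo()
    print("ok")
```

Two checks worth doing against the real servers before trusting the rule: `openssl s_client -connect host:443 -reconnect` shows whether the server issues a non-empty Session-ID and whether the reconnects report the session as reused, since a client or server that sends an empty session ID never produces a key; and the session ID ends at byte 43 + 1 + 32 = 76 of the hello, while the parameter-map posted later in this thread sets max-parse-length 70, so how the ACE counts max-parse-length relative to the offset should be verified in the ACE documentation.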

Ok Domenico.

Thanks for the help.

I did the configuration as specified in the link.

Apparently, everything is OK.

However, I cannot access the page using Internet Explorer. I tested with Firefox, Safari and Opera; everything works, but not with Internet Explorer.
The configuration follows below; is something wrong?

Thanks.

serverfarm host SF-HIAE-NFUSE
  description Servidores nfuse.einstein.br
  rserver WPVAP06
    inservice
  rserver WPVAP07
    inservice

parameter-map type generic sslidparam
   set max-parse-length 70

sticky layer4-payload STICK-L4-NFUSE-SSL
  serverfarm SF-HIAE-TESTESSLTERM
  response sticky
  layer4-payload offset 43 length 32 begin-pattern "\x20"

class-map match-all VS-L4-NFUSE-SSL-TERMINATOR
  2 match virtual-address 192.168.16.254 tcp eq https

policy-map type loadbalance generic first-match VS-HIAE-TESTESSLTERM
  class class-default
    sticky-serverfarm STICK-L4-NFUSE-SSL

policy-map multi-match int10
  class VS-L4-NFUSE-SSL-TERMINATOR
    loadbalance vip inservice
    loadbalance policy VS-HIAE-TESTESSLTERM
    loadbalance vip icmp-reply active primary-inservice
    appl-parameter generic advanced-options sslidparam


Rafael, can you try

layer4-payload offset 43 length 32 begin-pattern "(\x20|\x00\xST)"

If it still does not work, check out these bugs and workarounds; they may help:

CSCsh04655    GPP/TCP: Regex Parser hangs for .*keyword.* and .*keyword configs

CSCsx30496    sticky layer4-payload w/ small packets fail to LB

Cheers,

Domenico.