01-19-2011 03:28 AM
Hello Everyone,
I have an ACE 4400 appliance for balancing some applications on the network.
I have one application (Citrix); the connection to this site is HTTPS (443).
I had cookie-based balancing, but this only worked if I left only one server "inservice" in the serverfarm. If I added the second one, the application showed me a screen saying "your web interface session is in an inconsistent state."
Because of the above problems, I set the cookie stickiness to work with "persistence rebalance", but the problem continued.
After I changed the serverfarm to be balanced by source IP, the troubles were over; I kept the persistence rebalance.
Now comes the question: why does it not work with cookies? Does HTTPS not work if the balancing changes something in the packet, such as information inside a cookie?
Old configuration:
sticky http-cookie NFUSE-COOKIE STICKY-HIAE-NFUSE-COOKIE
  cookie insert browser-expire
  replicate sticky
  serverfarm SF-HIAE-NFUSE
Current Configuration:
sticky ip-netmask 255.255.255.255 address source STICKY-HIAE-TESTE-NFUSE
  replicate sticky
  serverfarm SF-HIAE-NFUSE
Class map, policy maps and parameter map:
class-map match-all VS-HIAE-NFUSE
  2 match virtual-address 192.168.16.30 tcp any
policy-map type loadbalance first-match VS-HIAE-NFUSE-l7slb
  class class-default
    sticky-serverfarm STICKY-HIAE-TESTE-NFUSE
class VS-HIAE-NFUSE
  loadbalance vip inservice
  loadbalance policy VS-HIAE-NFUSE-l7slb
  loadbalance vip icmp-reply active primary-inservice
  appl-parameter http advanced-options HTTP-OPTS
parameter-map type http HTTP-OPTS
  persistence-rebalance
Tks a lot.
Rafael Mendes
01-19-2011 04:46 AM
Hi Rafael.
First thing to figure out here is:
are you terminating SSL on the ACE?
If not, the ACE will not be able to read the HTTPS traffic, and consequently no cookie stickiness can be done.
In this case, you should use
sticky layer4-payload
Cheers,
Domenico
01-19-2011 09:12 AM
Hi Domenico,
I am terminating SSL on the server; the serverfarm/rserver is configured for all ports.
Example:
rserver Server1
  X.X.X.X:0
rserver Server2
  X.X.X.X:0
This setting would only work if the serverfarm were configured directly on port 443, is that right?
Anyway, if I set up L4 balancing, there would be no problems with changes in the packet, you're right.
Can you give me an example L4 configuration?
Tks..
01-19-2011 09:20 AM
Rafael, you have 2 possibilities:
1- You terminate the SSL traffic on the ACE. In this case, the ACE will be able to read the cookie and apply stickiness correctly.
2- You use the SSL stickiness. In the latter case, since the ACE is not doing SSL termination, you need to match on the SSL payload, i.e.:
sticky layer4-payload STICKY-SSL
  serverfarm EXCHANGE2K10HUB_OWA1
  response sticky
  layer4-payload offset 43 length 32 begin-pattern "\x20"
You can find quite nice examples about it in this document: http://docwiki.cisco.com/wiki/Secure_Sockets_Layer_Persistence_Configuration_Example
Cheers,
Domenico.
01-19-2011 09:31 AM
Ok Domenico.
Tks for the Help
01-21-2011 07:33 AM
I did the configuration as specified in the link.
Apparently everything is OK.
However, I cannot access the page using Internet Explorer. I tested with Firefox, Safari and Opera; everything works, but with Internet Explorer it does not.
The configuration follows below; is something wrong?
Thanks.
serverfarm host SF-HIAE-NFUSE
  description Servidores nfuse.einstein.br
  rserver WPVAP06
    inservice
  rserver WPVAP07
    inservice
parameter-map type generic sslidparam
  set max-parse-length 70
sticky layer4-payload STICK-L4-NFUSE-SSL
  serverfarm SF-HIAE-TESTESSLTERM
  response sticky
  layer4-payload offset 43 length 32 begin-pattern "\x20"
class-map match-all VS-L4-NFUSE-SSL-TERMINATOR
  2 match virtual-address 192.168.16.254 tcp eq https
policy-map type loadbalance generic first-match VS-HIAE-TESTESSLTERM
  class class-default
    sticky-serverfarm STICK-L4-NFUSE-SSL
policy-map multi-match int10
  class VS-L4-NFUSE-SSL-TERMINATOR
    loadbalance vip inservice
    loadbalance policy VS-HIAE-TESTESSLTERM
    loadbalance vip icmp-reply active primary-inservice
    appl-parameter generic advanced-options sslidparam
01-23-2011 01:16 AM
Rafael, can you try
layer4-payload offset 43 length 32 begin-pattern "(\x20|\x00\xST)"
If it still does not work, check out these bugs and workarounds; they may help:
CSCsh04655 GPP/TCP: Regex Parser hangs for .*keyword.* and .*keyword configs
CSCsx30496 sticky layer4-payload w/ small packets fail to LB
Cheers,
Domenico.
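To make the byte positions in Domenico's two suggestions concrete (offset 43, length 32, begin-pattern "\x20", and the later "\x00" alternative for a zero-length session ID), here is an added illustration in Python. It is not code from the thread or from Cisco; it builds a constructed TLS ServerHello record, shows that byte 43 is the session-ID length field and that a 32-byte session ID occupies bytes 44-75, and returns no sticky key when the server sends an empty session ID, which is the failure mode the "\x00" pattern is meant to catch. How the ACE itself applies begin-pattern and max-parse-length is not modelled; the parser below follows the TLS record layout only.

```python
import struct
from typing import Optional, Tuple

TLS_HANDSHAKE = 0x16   # record content type: handshake
SERVER_HELLO = 0x02    # handshake message type: ServerHello

# Byte layout of a ServerHello record (offsets from the start of the TCP payload):
#   0..4   record header (type, version, length)
#   5..8   handshake header (type, 3-byte length)
#   9..10  server version
#   11..42 32-byte server random
#   43     session ID length  <- the "offset 43" in the ACE config
#   44..   session ID (32 bytes when the length byte is 0x20)
SESSION_ID_LEN_OFFSET = 43


def build_server_hello(session_id: bytes, version: Tuple[int, int] = (3, 1)) -> bytes:
    """Construct a minimal ServerHello record (sample data, not a real capture)."""
    server_random = bytes(range(32))                # constructed, not random
    body = struct.pack("!BB", *version) + server_random
    body += struct.pack("!B", len(session_id)) + session_id
    body += b"\x00\x2f"                              # TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x00"                                  # null compression
    handshake = struct.pack("!B", SERVER_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", TLS_HANDSHAKE, *version, len(handshake)) + handshake


def session_id_from_server_hello(payload: bytes) -> Optional[bytes]:
    """Return the session ID carried by a ServerHello, or None if there is none."""
    if len(payload) <= SESSION_ID_LEN_OFFSET or payload[0] != TLS_HANDSHAKE:
        return None
    if payload[5] != SERVER_HELLO:
        return None
    sid_len = payload[SESSION_ID_LEN_OFFSET]
    if sid_len == 0:
        # Server chose not to issue a session ID: nothing to stick on.
        return None
    sid = payload[SESSION_ID_LEN_OFFSET + 1:SESSION_ID_LEN_OFFSET + 1 + sid_len]
    return sid if len(sid) == sid_len else None


def sticky_key(payload: bytes) -> Tuple[Optional[bytes], str]:
    """Derive a persistence key from the server's reply, with a reason when none exists."""
    sid = session_id_from_server_hello(payload)
    if sid is None:
        return None, "no session ID in ServerHello; persistence by session ID impossible"
    return sid, "session ID ends %d bytes into the record" % (SESSION_ID_LEN_OFFSET + 1 + len(sid))


if __name__ == "__main__":
    full = build_server_hello(bytes.fromhex("aa" * 32))
    print("byte 43 = 0x%02x" % full[43])              # 0x20, i.e. begin-pattern "\x20"
    print(sticky_key(full))
    print(sticky_key(build_server_hello(b"")))         # the zero-length case
```

With the 32-byte session ID the key is complete only once 76 bytes of the server's first record have been seen, which is worth keeping in mind when sizing any parse limit on the device; the empty-session-ID case is what breaks a client that the server does not hand a session ID to, whatever the browser.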