05-24-2012 11:47 AM
Hi Community,
I'm experiencing some problems with ACE. I've configured it to load-balance between 4 nodes with SSL termination at the ACE.
Everything was working fine until a problem was identified with the Firefox browser. With Chrome and IE it works fine.
The user is trying to upload a file to one of the 4 nodes. When the customer clicks the send button, Firefox shows the following message: Connection Reset.
Can you suggest some actions? This problem only happens when the user tries to upload the file. When he's just surfing through the system, it works fine.
Thank you in advance.
------ Configuration ------
ACE-01-SJPR/eproc4# sh run
Generating configuration....
logging enable
logging timestamp
logging trap 5
logging buffered 7
access-list acl_ALL line 5 extended permit ip any any
access-list acl_ALL line 10 extended permit icmp any any
probe snmp cpu_servers
version 2c
community Public
oid 1.3.6.1.2.1.25.3.3.1.2
threshold 60
probe http pb_http
port 80
interval 5
passdetect interval 30
passdetect count 2
request method get url /eprocV2/index.php
expect status 200 200
probe icmp pb_ping
interval 10
faildetect 2
passdetect interval 5
passdetect count 2
rserver host eproc-1g-aplic-noh1
ip address 10.7.123.1
inservice
rserver host eproc-1g-aplic-noh2
ip address 10.7.123.2
inservice
rserver host eproc-1g-aplic-noh3
ip address 10.7.123.3
inservice
rserver host eproc-1g-aplic-noh4
ip address 10.7.123.4
inservice
rserver redirect srv_eproc4_https_redirect
description ## Redireciona trafego de HTTP para HTTPS ##
webhost-redirection https://%h%p 302
inservice
serverfarm host farm_eproc4
failaction purge
probe pb_ping
probe pb_http
rserver eproc-1g-aplic-noh1 80
cookie-string "eproc-1g-aplic-noh1"
inservice
rserver eproc-1g-aplic-noh2 80
cookie-string "eproc-1g-aplic-noh2"
inservice
rserver eproc-1g-aplic-noh3 80
cookie-string "eproc-1g-aplic-noh3"
inservice
serverfarm redirect farm_eproc4_https_redirect
description ## Redireciona trafego de HTTP para HTTPS ##
rserver srv_eproc4_https_redirect
inservice
parameter-map type http HTTP_PARAM
description Reuse TCP and Keep Persistence
case-insensitive
persistence-rebalance
parameter-map type ssl PARAMMAP_SSL_TERMINATION
cipher RSA_WITH_3DES_EDE_CBC_SHA
cipher RSA_WITH_AES_128_CBC_SHA priority 2
cipher RSA_WITH_AES_256_CBC_SHA priority 3
rehandshake enabled
parameter-map type connection TCP_PARAM
description TCP Options for SSL
exceed-mss allow
sticky http-cookie acecookie st_eproc4_cookie
cookie insert browser-expire
serverfarm farm_eproc4
sticky http-cookie acecookie st_eproc4_https_redirect
cookie insert browser-expire
serverfarm farm_eproc4_https_redirect
ssl-proxy service CISCO-SSL-PROXY
key my.key
cert my-cert.pem
ssl advanced-options PARAMMAP_SSL_TERMINATION
class-map type management match-any acesso_remoto
description ## Acesso Remoto ao ACE ##
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
5 match protocol snmp any
class-map type http loadbalance match-any https_redirect_eproc4
2 match http url /.*
class-map match-all vip_eproc4_http
8 match virtual-address 10.7.3.252 tcp eq www
class-map match-all vip_eproc4_https
8 match virtual-address 10.7.3.252 tcp eq https
policy-map type management first-match acesso_mgmt
class acesso_remoto
permit
policy-map type loadbalance first-match lb_eproc4_http
class class-default
sticky-serverfarm st_eproc4_cookie
policy-map type loadbalance first-match lb_https_redirect
class https_redirect_eproc4
sticky-serverfarm st_eproc4_https_redirect
class class-default
sticky-serverfarm st_eproc4_cookie
policy-map multi-match policy_vip_eproc4
class vip_eproc4_http
loadbalance vip inservice
loadbalance policy lb_https_redirect
loadbalance vip icmp-reply active
nat dynamic 4093 vlan 4093
appl-parameter http advanced-options HTTP_PARAM
class vip_eproc4_https
loadbalance vip inservice
loadbalance policy lb_eproc4_http
loadbalance vip icmp-reply active
nat dynamic 4093 vlan 4093
appl-parameter http advanced-options HTTP_PARAM
ssl-proxy server CISCO-SSL-PROXY
interface vlan 4039
description ## Interface lado SERVIDOR ##
bridge-group 1
access-group input acl_ALL
no shutdown
interface vlan 4093
description ## Interface lado SERVIDOR ##
bridge-group 1
access-group input acl_ALL
nat-pool 4093 10.7.3.253 10.7.3.253 netmask 255.255.255.255 pat
service-policy input policy_vip_eproc4
service-policy input acesso_mgmt
no shutdown
interface bvi 1
ip address 10.7.3.251 255.255.0.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.7.1.1
05-29-2012 01:12 AM
From my prior experience I have seen similar issues with Firefox.
Please try reproducing the issue with Firefox and get the output of the command below:
show np 1 me-stats -shttp
Look for the counter value
Exceed max buffer errors: 16901 <<<<< Check if the counter increases after the test.
You can try a few times, and in case you see the value increasing for "Exceed max buffer errors",
I believe that if you do the following and test, that should fix it. I have seen a similar issue with a customer and the below has fixed it.
Configure set header-maxparse-length 65535, set max-parse-time 65535 and set content-maxparse-length 65535:
host1/Admin(config)# parameter-map type http http_parameter_map
host1/Admin(config-parammap-http)#
host1/Admin(config-parammap-http)# set content-maxparse-length 65535
host1/Admin(config-parammap-http)# set max-parse-time 65535
host1/Admin(config-parammap-http)# set header-maxparse-length 65535
host1/Admin(config-parammap-http)# length-exceed continue
Apply the above in the multi-match policy:
appl-parameter http advanced-options http_parameter_map
Let me know the result after applying the above.
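The before/after counter check described in the post above, as an added example that is not part of the original thread: it compares two saved captures of the `show np 1 me-stats -shttp` output and reports which counters grew. Only the "Exceed max buffer errors" line and its value 16901 come from the post; the other sample lines, the second capture and all function names are constructed for illustration.

```python
import re

# Matches "Counter name: 123", ignoring anything after the number
# (such as the "<<<<<" annotation in the post).
COUNTER_RE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>\d+)\b")

# Constructed captures: one taken before the Firefox upload test, one after.
BEFORE = """\
Placeholder counter A: 120
Exceed max buffer errors: 16901 <<<<< Check if the counter increases
Placeholder counter B: 7
"""
AFTER = """\
Placeholder counter A: 120
Exceed max buffer errors: 16904
Placeholder counter B: 7
"""


def parse_counters(text):
    """Return {counter name: value} for every 'Name: <digits>' line."""
    counters = {}
    for line in text.splitlines():
        match = COUNTER_RE.match(line)
        if match:
            counters[match.group("name")] = int(match.group("value"))
    return counters


def increased(before, after):
    """Counters present in both captures whose value grew, as {name: delta}."""
    old, new = parse_counters(before), parse_counters(after)
    return {name: new[name] - old[name]
            for name in new
            if name in old and new[name] > old[name]}


def upload_hit_parse_limit(before, after, counter="Exceed max buffer errors"):
    """True if the counter named in the post incremented during the test."""
    return increased(before, after).get(counter, 0) > 0


if __name__ == "__main__":
    for name, delta in increased(BEFORE, AFTER).items():
        print(f"{name}: +{delta}")
    print("parse limit hit:", upload_hit_parse_limit(BEFORE, AFTER))
```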
05-25-2012 02:26 PM
Hi.
Your config seems pretty unclear to me.
Can you install the extension named "Live HTTP Headers" in Firefox, reproduce the problem and send the trace here?
06-18-2012 04:37 AM
Hi Ajay,
I was facing the same problem; after configuring parameter-map type http as defined in your post, the problem has been resolved.
Thanks,
Vashdev
06-18-2012 05:07 AM
Hi Vashdev,
Thanks for the feedback. I am glad that the issue is resolved.
With regards,
Ajay Kumar.
06-18-2012 01:24 PM
Hi Ajay,
Only this afternoon I tried your suggestion and it worked very well.
Do you have any idea why Firefox needs these particular configurations?
Thank you very much for your help.
06-20-2012 01:32 AM
Hi Plinio,
Good to know that the suggested configuration helped you to fix the issue.
I haven't looked at the capture file. I will try to take a look at it and will let you know the difference.
Regards,
Ajay Kumar
12-16-2012 09:02 AM
Hi Ajay,
Your configuration also worked in my case. Thank you for your help. The only thing I'm a little bit disturbed by is that I don't know what I did exactly ...
Best regards
Marko
12-17-2012 12:24 AM
I can try to guess: most probably you would be filling in a big form and posting it, or doing a file upload.
Regards,
Ajay Kumar
12-17-2012 05:35 AM
Whoohoo, this also fixed my problem. FF was the only browser having problems with an ssl-proxy over here. Installed this parameter map and *poof* problem went away without side effects for other browsers.
Thx!,
Hans