ACE: connection reset using Firefox

Plinio Brandao
Level 1

Hi Community,

I'm experiencing some problems with ACE. I've configured it to load balance between 4 nodes with SSL termination at ACE.

Everything was working fine until we identified a problem using the Firefox browser. With Chrome and IE it works fine.

The user is trying to upload a file to one of the 4 nodes. When the customer clicks the Send button, Firefox shows the following message: Connection Reset.

Can you suggest some actions? This problem only happens when the user tries to upload the file. When he's just surfing through the system, it works fine.

Thank you in advance.

------ Configuration ------

ACE-01-SJPR/eproc4# sh run
Generating configuration....

logging enable
logging timestamp
logging trap 5
logging buffered 7

access-list acl_ALL line 5 extended permit ip any any
access-list acl_ALL line 10 extended permit icmp any any

probe snmp cpu_servers
  version 2c
  community Public
  oid 1.3.6.1.2.1.25.3.3.1.2
    threshold 60
probe http pb_http
  port 80
  interval 5
  passdetect interval 30
  passdetect count 2
  request method get url /eprocV2/index.php
  expect status 200 200
probe icmp pb_ping
  interval 10
  faildetect 2
  passdetect interval 5
  passdetect count 2

rserver host eproc-1g-aplic-noh1
  ip address 10.7.123.1
  inservice
rserver host eproc-1g-aplic-noh2
  ip address 10.7.123.2
  inservice
rserver host eproc-1g-aplic-noh3
  ip address 10.7.123.3
  inservice
rserver host eproc-1g-aplic-noh4
  ip address 10.7.123.4
  inservice
rserver redirect srv_eproc4_https_redirect
  description ## Redireciona trafego de HTTP para HTTPS ##
  webhost-redirection https://%h%p 302
  inservice

serverfarm host farm_eproc4
  failaction purge
  probe pb_ping
  probe pb_http
  rserver eproc-1g-aplic-noh1 80
    cookie-string "eproc-1g-aplic-noh1"
    inservice
  rserver eproc-1g-aplic-noh2 80
    cookie-string "eproc-1g-aplic-noh2"
    inservice
  rserver eproc-1g-aplic-noh3 80
    cookie-string "eproc-1g-aplic-noh3"
    inservice
serverfarm redirect farm_eproc4_https_redirect
  description ## Redireciona trafego de HTTP para HTTPS ##
  rserver srv_eproc4_https_redirect
    inservice

parameter-map type http HTTP_PARAM
  description Reuse TCP and Keep Persistence
  case-insensitive
  persistence-rebalance
parameter-map type ssl PARAMMAP_SSL_TERMINATION
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA priority 3
  rehandshake enabled
parameter-map type connection TCP_PARAM
  description TCP Options for SSL
  exceed-mss allow

sticky http-cookie acecookie st_eproc4_cookie
  cookie insert browser-expire
  serverfarm farm_eproc4
sticky http-cookie acecookie st_eproc4_https_redirect
  cookie insert browser-expire
  serverfarm farm_eproc4_https_redirect

ssl-proxy service CISCO-SSL-PROXY
  key my.key
  cert my-cert.pem
  ssl advanced-options PARAMMAP_SSL_TERMINATION

class-map type management match-any acesso_remoto
  description ## Acesso Remoto ao ACE ##
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol snmp any
class-map type http loadbalance match-any https_redirect_eproc4
  2 match http url /.*
class-map match-all vip_eproc4_http
  8 match virtual-address 10.7.3.252 tcp eq www
class-map match-all vip_eproc4_https
  8 match virtual-address 10.7.3.252 tcp eq https

policy-map type management first-match acesso_mgmt
  class acesso_remoto
    permit
policy-map type loadbalance first-match lb_eproc4_http
  class class-default
    sticky-serverfarm st_eproc4_cookie
policy-map type loadbalance first-match lb_https_redirect
  class https_redirect_eproc4
    sticky-serverfarm st_eproc4_https_redirect
  class class-default
    sticky-serverfarm st_eproc4_cookie
policy-map multi-match policy_vip_eproc4
  class vip_eproc4_http
    loadbalance vip inservice
    loadbalance policy lb_https_redirect
    loadbalance vip icmp-reply active
    nat dynamic 4093 vlan 4093
    appl-parameter http advanced-options HTTP_PARAM
  class vip_eproc4_https
    loadbalance vip inservice
    loadbalance policy lb_eproc4_http
    loadbalance vip icmp-reply active
    nat dynamic 4093 vlan 4093
    appl-parameter http advanced-options HTTP_PARAM
    ssl-proxy server CISCO-SSL-PROXY

interface vlan 4039
  description ## Interface lado SERVIDOR ##
  bridge-group 1
  access-group input acl_ALL
  no shutdown
interface vlan 4093
  description ## Interface lado SERVIDOR ##
  bridge-group 1
  access-group input acl_ALL
  nat-pool 4093 10.7.3.253 10.7.3.253 netmask 255.255.255.255 pat
  service-policy input policy_vip_eproc4
  service-policy input acesso_mgmt
  no shutdown
interface bvi 1
  ip address 10.7.3.251 255.255.0.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.7.1.1


1 Accepted Solution


ajayku2
Cisco Employee

From my prior experience, I have seen similar issues with Firefox.

Please try reproducing the issue with Firefox and get the output of the command below:

show np 1 me-stats -shttp

Look for this counter value:

Exceed max buffer errors:                     16901    <<<<<  Check if the counter increases after the test.

You can try a few times. In case you see the value increasing for "Exceed max buffer errors", I believe that doing the following and testing again should fix it. I have seen a similar issue with a customer, and the configuration below fixed it.

Configure set header-maxparse-length 65535, set max-parse-time 65535 and set content-maxparse-length 65535:

host1/Admin(config)# parameter-map type http http_parameter_map
host1/Admin(config-parammap-http)#
host1/Admin(config-parammap-http)# set content-maxparse-length 65535
host1/Admin(config-parammap-http)# set max-parse-time 65535
host1/Admin(config-parammap-http)# set header-maxparse-length 65535
host1/Admin(config-parammap-http)# length-exceed continue

Apply the above in the multi-match policy:

appl-parameter http advanced-options http_parameter_map

Let me know the result after applying the above.
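The counter check described in the answer above can be scripted. This is an added example, not part of the original thread or Cisco tooling: it compares two saved captures of `show np 1 me-stats -shttp` and reports which counters rose during the test. The capture text is constructed: only the "Exceed max buffer errors" line and its first value come from the post; the second value and the placeholder counter are assumptions for illustration.

```python
import re

# Matches "Counter name:   12345" and tolerates trailing annotations.
COUNTER_RE = re.compile(r"^\s*(?P<name>[^:]+?):\s+(?P<value>\d+)\b")

# Constructed captures: one taken before the Firefox upload test, one after.
BEFORE = """\
Exceed max buffer errors:                     16901
Placeholder counter (constructed):               42
"""
AFTER = """\
Exceed max buffer errors:                     16907    <<<<< after test
Placeholder counter (constructed):               42
"""


def parse_counters(text):
    """Return {counter name: int value} for every 'name: number' line."""
    counters = {}
    for line in text.splitlines():
        match = COUNTER_RE.match(line)
        if match:
            counters[match.group("name").strip()] = int(match.group("value"))
    return counters


def counter_delta(before, after, name="Exceed max buffer errors"):
    """Change in one counter between two captures; raises if it is missing."""
    b, a = parse_counters(before), parse_counters(after)
    if name not in b or name not in a:
        raise KeyError(f"counter {name!r} not found in both captures")
    return a[name] - b[name]


def increased(before, after):
    """Return {name: increase} for every counter that rose during the test."""
    b, a = parse_counters(before), parse_counters(after)
    return {n: a[n] - b[n] for n in a if n in b and a[n] > b[n]}


if __name__ == "__main__":
    print("Exceed max buffer errors rose by", counter_delta(BEFORE, AFTER))
    print("All counters that increased:", increased(BEFORE, AFTER))
```

A negative delta means the counters were cleared between the two captures, so the test should be repeated.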


9 Replies

Surya ARBY
Level 4

Hi.

Your config seems pretty unclear to me.

Can you install the extension named "Live HTTP Headers" in Firefox, reproduce the problem and send the trace here?


Hi Ajay,

I was facing the same problem; after configuring parameter-map type http as defined in your post, the problem has been resolved.

Thanks,

Vashdev

Hi Vashdev,

Thanks for the feedback. I am glad that the issue is resolved.

With regards,

Ajay Kumar.

Hi Ajay,

Only this afternoon I tried your suggestion and it worked very well.

Do you have any idea why Firefox needs these particular configurations?

Thank you very much for your help.

Hi Plinio,

Good to know that the suggested configuration helped you to fix the issue.

I haven't looked at the capture file. I will try to take a look at it and will let you know the difference.

Regards,

Ajay Kumar

Hi Ajay,

Your configuration also worked in my case. Thank you for your help. The only thing I'm a little bit disturbed by is that I don't know what I did exactly ...

Best regards

Marko

I can try to guess: most probably you would be filling in a big form and posting it, or uploading a file.

Regards,

Ajay Kumar

Whoohoo, this also fixed my problem. FF was the only browser having problems with an ssl-proxy over here. Installed this parameter map and *poof* problem went away without side effects for other browsers.

Thx!,

Hans
