ACE - Curious redirection configuration implementation behaviour

Paul Pinto
Level 1

Good day,

I was presented with a requirement from a customer as follows:

1. Site published to customer was http://www.abc.com

2. Actual site is http://abc.com

3. Requirement is for site to be accessed via https

Originally https configuration implemented with SSL offloading. No problem, all working fine (or so was thought as abc.com site was tested) as this was the site with the cert. issued to this and the "mishap" of the incorrect publication of the www.abc.com site was only picked up later.

Now, first requirement is to redirect http to https. Implemented and tested, no worries.

Second, access to www.abc.com presents cert. error.

So, we now are requested to redirect www.abc.com to abc.com, then redirect all http to https.

So, off I go and try to implement this.

The final config applied is below:

rserver redirect REDIRECT-TO-HTTPS
  webhost-redirection https://%h%p 301
  inservice
rserver redirect WWW-REDIRECT
  webhost-redirection http://abc.com 301
  inservice
serverfarm redirect REDIRECT-Serverfarm
  rserver REDIRECT-TO-HTTPS
    inservice
serverfarm redirect WWW-REDIRECT-Serverfarm
  rserver WWW-REDIRECT
    inservice
class-map type http loadbalance match-any ABC-WWW-L7CLASS
  2 match http header Host header-value "www.abc.com"
class-map match-all VIP-PUBLIC
  2 match virtual-address xxx.xxx.xxx.186 tcp eq https
class-map match-all VIP-PUBLIC-HTTP-REDIRECT
  2 match virtual-address xxx.xxx.xxx.186 tcp eq www
policy-map type loadbalance first-match REDIRECT-POLICY
  class ABC-WWW-L7CLASS
    serverfarm WWW-REDIRECT-Serverfarm
  class class-default
    serverfarm REDIRECT-Serverfarm
policy-map type loadbalance first-match WEB_LB
  class class-default
    sticky-serverfarm VIP-COOKIE-STICKY
policy-map multi-match PUBLIC-VIP
  class VIP-PUBLIC-HTTP-REDIRECT
    loadbalance vip inservice
    loadbalance policy REDIRECT-POLICY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options HTTP_PARAM_MAP
  class VIP-PUBLIC
    loadbalance vip inservice
    loadbalance policy WEB_LB
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    appl-parameter http advanced-options HTTP_PARAM_MAP
    ssl-proxy server abc.com

This is working. I just wanted to post this as while applying this, I received the following message while applying the second part within the policy map:

"Error: An action already exists. Delete that first." I then tried again and it was accepted and it is working.

So I suppose my questions are:

1. Is the message valid?

2. If so, how is this working?

3. Is this an erroneous message?

4. Is this a bug, and will it "stop" working? Should I not be too comfortable?

Just wanted to post this and find out if anyone may have had to do something similar, if it worked for them and if they encountered something similar?

Thanks in advance, as always.

Paul.
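
The redirect chain that the REDIRECT-POLICY in the post above produces, traced in Python as an added example (not part of the original post and not Cisco code). It assumes exact, case-insensitive Host matching and that %p expands to the request path as received; the function names are hypothetical.

```python
# Added illustration: models the REDIRECT-POLICY from the post above.
# Assumptions: Host matching is an exact, case-insensitive compare, and
# %p is replaced with the request path as received.
from urllib.parse import urlsplit

# (Host header to match, or None for class-default; webhost-redirection template)
REDIRECT_POLICY = [
    ("www.abc.com", "http://abc.com"),  # class ABC-WWW-L7CLASS -> WWW-REDIRECT
    (None, "https://%h%p"),             # class class-default  -> REDIRECT-TO-HTTPS
]


def redirect_location(host, path):
    """Return the Location the first matching class sends for a port-80 request."""
    for match_host, template in REDIRECT_POLICY:
        if match_host is None or host.lower() == match_host:
            return template.replace("%h", host).replace("%p", path)
    raise AssertionError("class-default always matches")


def follow(url, max_hops=5):
    """Follow the 301s issued by the port-80 VIP until the client lands on https."""
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        if parts.scheme != "http":
            break  # https is handled by class VIP-PUBLIC, not the redirect policy
        chain.append(redirect_location(parts.hostname, parts.path or "/"))
    return chain


if __name__ == "__main__":
    # Constructed sample requests.
    for start in ("http://www.abc.com/login", "http://abc.com/login"):
        print(" -> ".join(follow(start)))
```

A request for http://www.abc.com/login reaches https://abc.com/ after two 301s, with the first hop still on plain http and the path dropped because the WWW-REDIRECT target carries no %p; a request for http://abc.com/login goes straight to https://abc.com/login.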


Kanwaljeet Singh
Cisco Employee

Hi Paul,

I have seen this message but the behavior is inconsistent. This error message would be appropriate if someone configures another configuration/action without removing existing configuration/action. But I have seen this coming even without that and as in your case it worked while trying again.

I searched internally and found that this issue was reported to development but was not reproduced so it was not pursued further.

In my case also things worked fine after the configuration was applied successfully after error message. I would suggest reporting this to TAC in case the issue shows up again or you face any issues with above.

Regards,

Kanwal