08-03-2012 07:12 AM
Hello there,
I configured 2 farms, and one call on a specific host address is redirected to farm 2.
This is working, but only for HTTP traffic: for HTTPS, it's redirected to farm 1!
I need help, if someone can help...
I post my configuration here:
probe tcp PROBE_TCP
  interval 30
rserver host MTP01
  ip address 172.16.0.1
  inservice
rserver host MTP02
  ip address 172.16.0.2
  inservice
rserver host MTP03
  ip address 172.16.0.3
  inservice
serverfarm host FARM01
  predictor leastconns
  probe PROBE_TCP
  rserver MTP01
    inservice
  rserver MTP02
    inservice
serverfarm host FARM02
  predictor leastconns
  probe PROBE_TCP
  rserver MTP02
    inservice
  rserver MTP03
    inservice
parameter-map type http HTTP_PARAMETER_MAP
  persistence-rebalance
class-map match-all CLASSMAP_L3L4
  2 match virtual-address 178.xx.xx.xx tcp eq www
class-map type http loadbalance match-all CLASSMAP_L7
  3 match http header Host header-value "theurloftheserver.com"
class-map match-all L4-HTTPS-IP
  2 match virtual-address 178.xx.xx.xx tcp eq https
class-map match-all L4-WEB-IP
  2 match virtual-address 178.xx.xx.xx tcp eq www
policy-map type loadbalance http first-match HTTPS_POLICY
  class CLASSMAP_L7
    serverfarm FARM02
  class class-default
    serverfarm FARM01
    insert-http x-forward header-value "%is"
policy-map type loadbalance http first-match WEB_L7_POLICY
  class CLASSMAP_L7
    serverfarm FARM02
  class class-default
    serverfarm FARM01
    insert-http x-forward header-value "%is"
policy-map multi-match WEB-to-vIPs
  class L4-WEB-IP
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2369
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
  class L4-HTTPS-IP
    loadbalance vip inservice
    loadbalance policy HTTPS_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2369
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
What is really weird is that traffic to HTTP (CLASSMAP_L7) is OK, so I don't get it: this should match on HTTPS_POLICY, where am I wrong?
Thanks a lot!
08-03-2012 07:56 PM
Hi,
You are not getting a match for HTTPS since with HTTPS the header would be encrypted, and ACE cannot read the URL and defaults to Farm01. HTTPS is encrypted HTTP.
ACE should be able to decrypt the traffic to look into the packet and take a decision. SSL termination on ACE is a feature for that. I would recommend going to the SSL guide for more details.
Regards,
Kanwal
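Added example, not part of the original posts: a sketch of how SSL termination could be attached to the HTTPS VIP from the configuration above, so that HTTPS_POLICY sees a decrypted Host header. The names SSL_TERMINATION, SITE_KEY.PEM, SITE_CERT.PEM, FARM01_CLEAR and FARM02_CLEAR are hypothetical, and it assumes the real servers accept clear-text HTTP on port 80.

```text
! Added example. Hypothetical names: SSL_TERMINATION, SITE_KEY.PEM,
! SITE_CERT.PEM, FARM01_CLEAR, FARM02_CLEAR.
! The key and certificate must already be imported into this context.
ssl-proxy service SSL_TERMINATION
  key SITE_KEY.PEM
  cert SITE_CERT.PEM

! Assumption: the servers listen for clear-text HTTP on port 80.
! The explicit port sends the decrypted traffic there instead of
! to the port the client connected to (443).
serverfarm host FARM01_CLEAR
  predictor leastconns
  probe PROBE_TCP
  rserver MTP01 80
    inservice
  rserver MTP02 80
    inservice
serverfarm host FARM02_CLEAR
  predictor leastconns
  probe PROBE_TCP
  rserver MTP02 80
    inservice
  rserver MTP03 80
    inservice

! Same classes as before; only the server farms change.
policy-map type loadbalance http first-match HTTPS_POLICY
  class CLASSMAP_L7
    serverfarm FARM02_CLEAR
  class class-default
    serverfarm FARM01_CLEAR
    insert-http x-forward header-value "%is"

! ssl-proxy server makes ACE decrypt on this VIP before the
! Layer 7 policy is evaluated, so the Host header is readable.
policy-map multi-match WEB-to-vIPs
  class L4-HTTPS-IP
    loadbalance vip inservice
    loadbalance policy HTTPS_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2369
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
    ssl-proxy server SSL_TERMINATION
```

With this layout the traffic between ACE and the real servers is unencrypted, so that segment has to be a network you trust.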
08-06-2012 02:57 AM
Thank you so much, Kanwal!
I forgot about SSL termination, it's under investigation now.
Best regards
Laurent
08-06-2012 11:30 PM
Hi Laurent,
You are most welcome :)
Regards,
Kanwal