ACE Module Cookie Parsing causes Reset Connection

stovenator
Level 1

I am trying to upgrade my ACE Modules from A2(1.3) to A2(3.2). Unfortunately, the cookie parsing breaks when there are illegal characters and causes a connection reset (RST) when there is an invalid cookie, but only on code later than A2(1.3).

The cookie in question is being passed by a third party so making them change the cookie is not necessarily do-able. The cookie has the following value:

Cookie:  CurrentUser={"UserKey":{"Key":"anonymous"},"LastUpdated":"10/13/2010 1:35:52 PM"}

We are using the following parameter map:

parameter-map type http CASE_PARAM
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 20480
  length-exceed continue

On the older code, the request is passed on to the server.

Is there a setting similar to "length-exceed continue" that I can give the ACE to tell it to ignore cookies it cannot parse?

5 Replies

Gilles Dufour
Cisco Employee

Do you have HTTP inspection configured? If yes, you need to remove it.

Does your serverfarm have a 'class-default'? If not, you need to create one so that it can handle parse errors.

Gilles.

HTTP inspection is not enabled.

Did you mean adding a class-default to the policy-map?

Adding it to the policy-map does make it match the class-default. Unfortunately, cookie parse errors result in the inability to parse both the cookie and the host header as well. It seems that rather than just failing to parse the cookie and being unable to do sticky matching - it completely fails the entire header parsing.

Here's our setup:

rserver host test1
  ip address 192.168.1.101
  inservice

rserver host test2
   ip address 192.168.1.102
   inservice

rserver host test3
   ip address 192.168.1.103
   inservice

rserver host test4
   ip address 192.168.1.104
   inservice

serverfarm host auto
  probe HTTP-diagnostic
  rserver test1
    inservice
  rserver test2
    inservice

serverfarm host news
  probe HTTP-diagnostic
  rserver test3
    inservice
  rserver test4
    inservice

sticky http-cookie autoCookie auto-cookie
  cookie insert browser-expire
  replicate sticky
  serverfarm auto
sticky http-cookie newsCookie news-cookie
  cookie insert browser-expire
  replicate sticky
  serverfarm news

class-map type http loadbalance match-any auto
  2 match http header Host header-value "www.auto.local"
  3 match http header Host header-value "auto.local"

class-map type http loadbalance match-any news
   2 match http header Host header-value "www.news.local"
   3 match http header Host header-value "news.local"

class-map match-all prod_VIP
  2 match virtual-address XXX.XXX.XXX.XXX tcp eq www

policy-map type loadbalance first-match prod_POLICY
  class auto
    sticky-serverfarm auto-cookie
  class news
    sticky-serverfarm news-cookie
  class class-default
    sticky-serverfarm auto-cookie

policy-map multi-match aggregate-slb-apps
  class prod_VIP
    loadbalance vip inservice
    loadbalance policy prod_POLICY
    loadbalance vip icmp-reply active
    loadbalance vip advertise
    appl-parameter http advanced-options CASE_PARAM

Under the class-default configure a simple serverfarm.

When there is a parse error, ACE falls back to L4 mode, so it stops parsing and just tries to do a normal loadbalancing operation if one is available.

What has changed in later versions is that now the "," is considered as a cookie separator (as defined in RFC).

Therefore, the cookie is split in 2 at the comma and the part following the comma is considered invalid.

If possible, try to change the cookie on the server since this cookie is illegal per RFC anyway.

Gilles
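
The split described in the reply above, as an added example that is not part of the original thread and is not the ACE's own parser: it splits the Cookie value from the question on ";" only and then on ";" and ",", and lists the characters in the value that fall outside a legal cookie value. The function names and the choice of the RFC 6265 cookie-octet grammar are assumptions of the example; the thread does not name the RFC.

```python
import re

# Constructed from the Cookie header quoted in the question above.
SAMPLE = 'CurrentUser={"UserKey":{"Key":"anonymous"},"LastUpdated":"10/13/2010 1:35:52 PM"}'

# RFC 6265 cookie-octet: printable US-ASCII except space, DQUOTE, comma,
# semicolon and backslash. Using this grammar is an assumption of the example.
_COOKIE_OCTET = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]")


def split_pairs(header_value, separators):
    """Split a Cookie header value on the given separator characters.

    Returns (fragment, name, value) tuples; name and value are None when the
    fragment is not a name=value pair, which a strict parser treats as an error.
    """
    pairs = []
    for fragment in re.split("[" + re.escape(separators) + "]", header_value):
        fragment = fragment.strip()
        if not fragment:
            continue
        name, eq, value = fragment.partition("=")
        if eq and name:
            pairs.append((fragment, name, value))
        else:
            pairs.append((fragment, None, None))
    return pairs


def illegal_chars(value):
    """Return the characters in a cookie value that are not cookie-octets."""
    return sorted({ch for ch in value if not _COOKIE_OCTET.fullmatch(ch)})


if __name__ == "__main__":
    for label, seps in (("';' only", ";"), ("';' and ','", ";,")):
        print("separators", label)
        for fragment, name, value in split_pairs(SAMPLE, seps):
            status = "pair" if name else "PARSE ERROR (no name=value)"
            print("  ", status, "->", fragment)
    print("illegal characters:", illegal_chars(SAMPLE.partition("=")[2]))
```

Running the same check over cookies captured from third-party clients before an upgrade shows which ones would hit the parse-error path.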

Bringing back up an old thread, but it looks like A2 (3.3) has a fix for this.

Will cookie-error-ignore fix my issue here?

Very helpful.