12-15-2011 08:01 AM
Hi
I've configured my ACE to load balance all hits on a 2-server farm. It's working fine.
Now I want to load balance hits with a specific URL on another farm, and it's not working (hits with the specific URL are not logged in the new policy).
Here is what I've added:
1. A class-map to get my URL:
class-map type http loadbalance match-all CLASSMAP_L7
  match http header Host header-value my.domain.com
2. A policy-map:
policy-map type loadbalance first-match POLICYMAP_L7
  class CLASSMAP_L7
    serverfarm FARM_2
3. A policy-map to get the L7 policy-map:
policy-map multi-match POLICYMAP_L3L4
  class L4-WEB-IP
    loadbalance vip inservice
    loadbalance policy POLICYMAP_L7
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
4. Added the service policy on my interface:
interface vlan 265
  service-policy input ALREADY_EXISTING_POLICIES
  service-policy input POLICYMAP_L3L4
I should specify that my class-map L4-WEB-IP is defined as:
class-map match-all L4-WEB-IP
  2 match virtual-address 17x.xx.xxx.xxx tcp eq www
So basically, when I try a show service-policy POLICYMAP_L3L4 summary, I get 0 hits.
So the other service policy (implementing the same class L4-WEB-IP, of course) is taking all the traffic.
Any thoughts? Thanks for the help.
12-15-2011 08:36 AM
Clarification: if I add a class-map named CLASSMAP-L3L4, identical to L4-WEB-IP, and use that class-map in the policy-map instead, it doesn't change anything...
12-15-2011 09:55 AM
Hi Laurent
I'm thinking this is just a matter of how your policies and classes are applied on that SVI. Would it be possible for you to attach a sanitized copy of your configuration so we can try to figure out what's wrong?
Tnx
-- --
Pablo
Sent from Cisco Technical Support iPhone App
12-16-2011 02:42 AM
Thanks Pablo!
My full configuration is below:
access-list ANY line 24 extended permit icmp any any
access-list ANY line 32 extended permit ip any any
probe tcp PROBE_TCP
  interval 30
  passdetect interval 60
rserver host 55LABS
  ip address 172.16.0.1
  inservice
rserver host MICHELINE
  ip address 172.16.0.2
  inservice
serverfarm host FARM_55LABS
  predictor leastconns
  probe PROBE_TCP
  rserver 55LABS
    inservice
  rserver MICHELINE
    inservice
serverfarm host FARM_PHP
  predictor leastconns
  probe PROBE_TCP
  rserver MICHELINE
    inservice
parameter-map type http HTTP_PARAMETER_MAP
  persistence-rebalance
class-map match-all CLASSMAP_L3L4
  2 match virtual-address 178.xxx.xxx.xxx tcp eq www
class-map type http loadbalance match-all CLASSMAP_L7
  2 match http header Host header-value "subdomain.domain.com"
class-map match-all L4-HTTPS-IP
  2 match virtual-address xxx.xxx.xxx.161 tcp eq https
class-map match-all L4-WEB-IP
  2 match virtual-address xxx.xxx.xxx.161 tcp eq www
class-map type management match-all REMOTE_ACCESS
  2 match protocol ssh any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type loadbalance http first-match HTTPS_POLICY
  class class-default
    serverfarm FARM_55LABS
    insert-http x-forward header-value "%is"
policy-map type loadbalance first-match POLICYMAP_L7
  class CLASSMAP_L7
    serverfarm FARM_PHP
policy-map type loadbalance http first-match WEB_L7_POLICY
  class class-default
    serverfarm FARM_55LABS
    insert-http x-forward header-value "%is"
policy-map multi-match POLICYMAP_L3L4
  class CLASSMAP_L3L4
    loadbalance policy POLICYMAP_L7
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
policy-map multi-match WEB-to-vIPs
  class L4-WEB-IP
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2369
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
  class L4-HTTPS-IP
    loadbalance vip inservice
    loadbalance policy HTTPS_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2369
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
interface vlan 265
  ip address xxx.xxx.xxx.170 255.255.255.240
  peer ip address xxx.xxx.xxx.171 255.255.255.240
  access-group input ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input WEB-to-vIPs
  service-policy input POLICYMAP_L3L4
  no shutdown
interface vlan 2369
  ip address 172.31.255.250 255.240.0.0
  alias 172.31.255.249 255.240.0.0
  peer ip address 172.31.255.251 255.240.0.0
  access-group input ANY
  nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat
  no shutdown
ft track interface VLAN265
  track-interface vlan 265
  peer track-interface vlan 265
  priority 50
  peer priority 5
12-16-2011 09:00 AM
Hi Laurent,
Thanks for the info. From the configuration I noticed a couple of things missing:
1. The new class under the multi-match policy has not yet been activated with the command "loadbalance vip inservice"; even if the policy is already applied under the interface, the ACE is not ARPing for that new VIP.
2. I see that you're using the same rserver/SF for this new VIP, so I'm assuming NAT is also required for this new implementation.
Not sure if you're doing all the config through the GUI; if using the CLI, you can copy and paste the commands below and let us know if you get positive results.
policy-map multi-match POLICYMAP_L3L4
  class CLASSMAP_L3L4
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2369
HTH
__ __
Pablo
12-16-2011 09:33 AM
Hi Pablo
Thanks for the answer.
You're right, I had deleted it since I was testing. I have put it back now, and... same result.
(loading subdomain.domain.com)
show service-policy POLICYMAP_L3L4 summary => Hit Count doesn't change
show service-policy WEB-to-vIPs summary => Hit Count increases
To be sure, here is the full configuration again, with the corrections:
probe tcp PROBE_TCP
  interval 30
  passdetect interval 60
rserver host 55LABS
  ip address 172.16.0.1
  inservice
rserver host MICHELINE
  ip address 172.16.0.2
  inservice
serverfarm host FARM_55LABS
  predictor leastconns
  probe PROBE_TCP
  rserver 55LABS
    inservice
  rserver MICHELINE
    inservice
serverfarm host FARM_PHP
  predictor leastconns
  probe PROBE_TCP
  rserver MICHELINE
    inservice
parameter-map type http HTTP_PARAMETER_MAP
  persistence-rebalance
class-map match-all CLASSMAP_L3L4
  2 match virtual-address xxx.xxx.xxx.161 tcp eq www
class-map type http loadbalance match-all CLASSMAP_L7
  2 match http header Host header-value "subdomain.domain.com"
class-map match-all L4-HTTPS-IP
  2 match virtual-address xxx.xxx.xxx.161 tcp eq https
class-map match-all L4-WEB-IP
  2 match virtual-address xxx.xxx.xxx.161 tcp eq www
class-map type management match-all REMOTE_ACCESS
  2 match protocol ssh any
class-map type management match-all TEST
  2 match protocol icmp any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type management first-match TEST_ALLOW
  class TEST
    permit
policy-map type loadbalance http first-match HTTPS_POLICY
  class class-default
    serverfarm FARM_55LABS
    insert-http x-forward header-value "%is"
policy-map type loadbalance first-match POLICYMAP_L7
  class CLASSMAP_L7
    serverfarm FARM_PHP
policy-map type loadbalance http first-match WEB_L7_POLICY
  class class-default
    serverfarm FARM_55LABS
    insert-http x-forward header-value "%is"
policy-map multi-match POLICYMAP_L3L4
  class CLASSMAP_L3L4
    loadbalance vip inservice
    loadbalance policy POLICYMAP_L7
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2369
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
policy-map multi-match WEB-to-vIPs
  class L4-WEB-IP
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2369
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
  class L4-HTTPS-IP
    loadbalance vip inservice
    loadbalance policy HTTPS_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2369
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
interface vlan 265
  ip address xxx.xxx.xxx.170 255.255.255.240
  peer ip address xxx.xxx.xxx.171 255.255.255.240
  access-group input ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input WEB-to-vIPs
  service-policy input POLICYMAP_L3L4
  no shutdown
interface vlan 2369
  ip address 172.31.255.250 255.240.0.0
  alias 172.31.255.249 255.240.0.0
  peer ip address 172.31.255.251 255.240.0.0
  access-group input ANY
  nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat
  service-policy input TEST_ALLOW
  no shutdown
ft track interface VLAN265
  track-interface vlan 265
  peer track-interface vlan 265
  priority 50
  peer priority 5
Thanks again.
Laurent
12-16-2011 09:37 AM
Hi Laurent,
Thanks for trying that out. Something that just caught my attention is this:
class-map match-all CLASSMAP_L3L4
  2 match virtual-address xxx.xxx.xxx.161 tcp eq www
class-map match-all L4-WEB-IP
  2 match virtual-address xxx.xxx.xxx.161 tcp eq www
Are these two class-maps using the same VIP by any chance? Everything points to them being the same, but I want to make sure.
Tnx.
__ __
Pablo
12-16-2011 09:55 AM
Hey Pablo,
Yes they are.
Unfortunately, I presume :/
12-16-2011 10:19 AM
Hey Laurent,
In this case I'd say fortunately; this will make things way easier =)
Long story short, you don't need the new policies to get this working. Since both policies are using the same VIP, the ACE will inspect both policies under the interface, but it will match the first one that was applied; that's why you're not seeing any hits for the new L7 policy.
The easy way to get this working is under the "first-match" policy: you just need to put the most specific match on top of the policy so all the specific matches will be layer 5 inspected. If a request comes with the host header subdomain.domain.com then it will be sent to farm PHP; otherwise the hit will be caught by the class-default and sent to the 55LABS farm.
The configuration should look like this:
policy-map type loadbalance http first-match WEB_L7_POLICY
  class CLASSMAP_L7
    serverfarm FARM_PHP
  class class-default
    serverfarm FARM_55LABS
    insert-http x-forward header-value "%is"
I'd recommend you to remove the new policy from the interface, then apply these changes (test it works) and finally remove the unnecessary lines so you can keep the config as simple/clean as possible.
HTH
__ __
Pablo
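The shadowing Pablo diagnosed above (two class-maps matching the same VIP, applied to one interface through two different service-policies, so only the first-applied policy ever sees hits) is easy to miss by eye in a long config. The following audit script is an added example written for this page, not code from the thread or from Cisco: it parses a constructed config laid out like Laurent's (192.0.2.161 is a placeholder VIP) and reports every class whose VIP an earlier policy on the same interface already owns. It understands only the constructs used in this thread (match-all class-maps with a virtual-address match, multi-match policy-maps, interface service-policy input lines).

```python
import re
# Constructed sample in the shape of the thread's config; 192.0.2.161 is a placeholder VIP.
SAMPLE_CONFIG = """
class-map match-all CLASSMAP_L3L4
  2 match virtual-address 192.0.2.161 tcp eq www
class-map match-all L4-HTTPS-IP
  2 match virtual-address 192.0.2.161 tcp eq https
class-map match-all L4-WEB-IP
  2 match virtual-address 192.0.2.161 tcp eq www
policy-map multi-match POLICYMAP_L3L4
  class CLASSMAP_L3L4
policy-map multi-match WEB-to-vIPs
  class L4-WEB-IP
  class L4-HTTPS-IP
interface vlan 265
  service-policy input WEB-to-vIPs
  service-policy input POLICYMAP_L3L4
"""
VIP_RE = re.compile(r"(?:\d+\s+)?match virtual-address (\S+) (\S+) eq (\S+)$")
def parse(config):
    """Map class-map -> VIP tuple, policy-map -> class list, interface -> policy order."""
    vips, policies, ifaces, kind, name = {}, {}, {}, None, None
    for line in (raw.strip() for raw in config.splitlines() if raw.strip()):
        words = line.split()
        if words[0] in ("class-map", "policy-map", "interface"):   # section header
            kind = words[0]
            name = " ".join(words[1:]) if kind == "interface" else words[-1]
        elif kind == "class-map" and (m := VIP_RE.match(line)):
            vips[name] = m.groups()                                 # (ip, proto, port)
        elif kind == "policy-map" and words[0] == "class":
            policies.setdefault(name, []).append(words[1])
        elif kind == "interface" and words[:2] == ["service-policy", "input"]:
            ifaces.setdefault(name, []).append(words[2])             # application order
    return vips, policies, ifaces

def find_shadowed(config):
    """Return (interface, later_policy, class, first_policy, first_class) for every VIP
    that a second policy also classifies: only the policy applied first sees the hits."""
    vips, policies, ifaces = parse(config)
    findings = []
    for iface, order in ifaces.items():
        owner = {}                      # vip tuple -> (policy, class) applied first
        for pol in order:
            for cls in policies.get(pol, []):
                vip = vips.get(cls)
                if vip and vip in owner:
                    findings.append((iface, pol, cls) + owner[vip])
                elif vip:
                    owner[vip] = (pol, cls)
    return findings
```

On the sample this flags CLASSMAP_L3L4 in POLICYMAP_L3L4 as shadowed by L4-WEB-IP in WEB-to-vIPs, while the https class, which has its own VIP tuple, is left alone.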
12-19-2011 12:52 AM
Thanks Pablo, this helps a lot!
This is currently working like a charm; I was far from imagining it was this simple.
Thanks again, and Merry Christmas!
Laurent