ACE source-address matching in nested class-maps not working

petfooddirect
Level 1

I'm having a (from Google-fu) seemingly unique issue with load balancing.

So for background, I am running the ACE 4710 device in "on a stick" mode, so I am using NAT and all that good stuff. I am also utilizing class maps and host header matching so I can save on IP space.

(so www.mainsite.com and mainsite.com go to one serverfarm, services.mainsite.com go to another, mobile.mainsite.com go to another, etc)

The multi-match policy looks like this:

policy blah blah multimatch on the interface

class VIP_MAINSITE_WILDCARD
    loadbalance vip inservice
    loadbalance policy L7_POLICY_MAINSITE_WILDCARD
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 205
    appl-parameter http advanced-options HTTP_PARAMETER_MAP

The policy map looks like this:

policy-map type loadbalance first-match L7_POLICY_MAINSITE_WILDCARD
  class L7_CLASS_MAINSITE_COM_NOCOMPRESS
    sticky-serverfarm STICKY_IP_MAINSITE_COM
    insert-http X-Forwarded-For header-value "%is"
  class L7_CLASS_MAINSITE_COM
    compress default-method gzip
    sticky-serverfarm STICKY_IP_MAINSITE_COM
    insert-http X-Forwarded-For header-value "%is"
  class L7_CLASS_BETA_MAINSITE_COM_NOCOMPRESS
    sticky-serverfarm STICKY_IP_beta.mainsite.com
    insert-http X-Forwarded-For header-value "%is"
  class L7_CLASS_BETA_MAINSITE_COM
    compress default-method gzip
    sticky-serverfarm STICKY_IP_beta.mainsite.com
    insert-http X-Forwarded-For header-value "%is"

Class maps are:

class-map type http loadbalance match-all L7_CLASS_MAINSITE_COM
  2 match class-map L7_CLASS_MAINSITE_COM_VHOSTS   <-- this is just a match-any class map with www.mainsite.com and mainsite.com as hosts

class-map type http loadbalance match-all L7_CLASS_BETA_MAINSITE_COM
  match class-map L7_CLASS_beta.mainsite.com-vhosts   <-- just matches beta.mainsite.com and betatest.mainsite.com

and the no-compress ones also just include the default MIME types class map.

The class-map for the VIP looks like this:

class-map match-any VIP_MAINSITE_WILDCARD
  2 match virtual-address 10.0.205.23 tcp eq www

So... finally, to the crux: what I am trying to do is limit the IP addresses that can access the beta site.

So I thought I would add

class-map type http loadbalance match-any ACL_CLASS_beta.mainsite.com
  match source-address 10.0.0.0 255.0.0.0   <-- our internal IP range (we are on a site-to-site VPN with the datacenter, so it's all internal traffic)
  match source-address x.x.x.x              <-- vendor A, and so on

And then apply that class map like so:

class-map type http loadbalance match-all L7_CLASS_BETA_MAINSITE_COM
  4 match class-map L7_CLASS_beta.mainsite.com-vhosts
  5 match class-map ACL_CLASS_beta.mainsite.com

Basically, as soon as I add that ACL_CLASS_beta.mainsite.com class map, all I get back from the ACE is RST packets, and it comes back with an L7 LB Policy Miss.

It SEEMS like it should work, but it doesn't seem to like matching on those source addresses at all.

Maybe I'm going about this the wrong way? Any insight would be pretty awesome. Thanks.

1 Reply

Jorge Bejarano
Level 4

Hey Luke,

It looks like you are mixing many things here, and that's probably why it is not working.

class-map type http loadbalance match-all L7_CLASS_BETA_MAINSITE_COM
  4 match class-map L7_CLASS_beta.mainsite.com-vhosts
  5 match class-map ACL_CLASS_beta.mainsite.com

Since you are using a "match-all" statement (which works as an "AND"), both things need to match at the same time for it to continue and work properly.

Can you upload the config of class-map L7_CLASS_beta.mainsite.com-vhosts and class-map ACL_CLASS_beta.mainsite.com?

In case you just need to match any of those policies, you may try with a "match-any" instead of a "match-all".

Can you upload the output of "show stats http" and "show service-policy class-map detail"?

Jorge
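As an added illustration (not the poster's configuration and not Cisco ACE code), the following Python models how nested class-maps compose inside a first-match loadbalance policy: match-all is AND, match-any is OR, and "match class-map" recurses into the named class-map. It evaluates the beta class from the question both as match-all (Host AND source-address) and as the match-any variant mentioned in the reply, so the difference between the two is visible on sample requests. Assumptions made here: Host matching is simplified to an exact string comparison rather than the ACE's regex match; the vendor address "x.x.x.x" is replaced by the documentation prefix 203.0.113.0/24 as a constructed stand-in; the NOCOMPRESS classes are omitted because the MIME-type class-map they reference is not shown in the thread; and a request that matches no class is returned as None, which stands for the L7 LB policy miss (and reset) the poster observed.

```python
"""Model of nested ACE class-map evaluation: match-all is AND, match-any is OR,
'match class-map' recurses, and a first-match policy takes the first class that matches."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    src: str    # client source IP as the ACE sees it (before the server-side NAT)
    host: str   # HTTP Host header sent by the client


@dataclass
class ClassMap:
    name: str
    mode: str                                         # "match-all" (AND) or "match-any" (OR)
    hosts: List[str] = field(default_factory=list)    # 'match http header Host header-value ...' (simplified to exact match)
    sources: List[str] = field(default_factory=list)  # 'match source-address ip mask', written here as CIDR
    nested: List[str] = field(default_factory=list)   # 'match class-map <name>'

    def matches(self, req: Request, cmaps: "Dict[str, ClassMap]") -> bool:
        results = [req.host.lower() == h.lower() for h in self.hosts]
        results += [ipaddress.ip_address(req.src) in ipaddress.ip_network(n) for n in self.sources]
        results += [cmaps[n].matches(req, cmaps) for n in self.nested]
        if not results:           # a class-map with no match lines never matches
            return False
        return all(results) if self.mode == "match-all" else any(results)


Policy = List[Tuple[str, str]]   # (class-map name, serverfarm) in policy-map order


def first_match(policy: Policy, req: Request, cmaps: Dict[str, ClassMap]) -> Optional[str]:
    """'policy-map type loadbalance first-match': the first class that matches wins.
    None stands for the thread's symptom: no class matched, L7 LB policy miss, reset."""
    for class_name, serverfarm in policy:
        if cmaps[class_name].matches(req, cmaps):
            return serverfarm
    return None


def build_cmaps(beta_mode: str = "match-all") -> Dict[str, ClassMap]:
    """Class-maps from the thread. 203.0.113.0/24 is a constructed stand-in for the
    vendor address the poster wrote as 'x.x.x.x'."""
    return {
        "L7_CLASS_MAINSITE_COM_VHOSTS": ClassMap(
            "L7_CLASS_MAINSITE_COM_VHOSTS", "match-any",
            hosts=["www.mainsite.com", "mainsite.com"]),
        "L7_CLASS_beta.mainsite.com-vhosts": ClassMap(
            "L7_CLASS_beta.mainsite.com-vhosts", "match-any",
            hosts=["beta.mainsite.com", "betatest.mainsite.com"]),
        "ACL_CLASS_beta.mainsite.com": ClassMap(
            "ACL_CLASS_beta.mainsite.com", "match-any",
            sources=["10.0.0.0/8", "203.0.113.0/24"]),
        "L7_CLASS_MAINSITE_COM": ClassMap(
            "L7_CLASS_MAINSITE_COM", "match-all",
            nested=["L7_CLASS_MAINSITE_COM_VHOSTS"]),
        # The class under discussion: vhost AND source-address with match-all,
        # vhost OR source-address if built with beta_mode="match-any".
        "L7_CLASS_BETA_MAINSITE_COM": ClassMap(
            "L7_CLASS_BETA_MAINSITE_COM", beta_mode,
            nested=["L7_CLASS_beta.mainsite.com-vhosts", "ACL_CLASS_beta.mainsite.com"]),
    }


# Policy order as in the thread: the mainsite classes come before the beta classes.
POLICY: Policy = [
    ("L7_CLASS_MAINSITE_COM", "STICKY_IP_MAINSITE_COM"),
    ("L7_CLASS_BETA_MAINSITE_COM", "STICKY_IP_beta.mainsite.com"),
]


def evaluate(src: str, host: str, beta_mode: str = "match-all") -> Optional[str]:
    """Serverfarm chosen for one request, or None for a policy miss."""
    return first_match(POLICY, Request(src, host), build_cmaps(beta_mode))


if __name__ == "__main__":
    samples = [("10.0.5.9", "beta.mainsite.com"),       # internal client, beta host
               ("198.51.100.4", "beta.mainsite.com"),   # outside client, beta host
               ("198.51.100.4", "www.mainsite.com"),    # outside client, public host
               ("10.0.5.9", "other.mainsite.com")]      # internal client, host in no vhost class
    for src, host in samples:
        for mode in ("match-all", "match-any"):
            print(f"{src:>14} {host:<22} {mode:<9} -> {evaluate(src, host, mode)}")
```

Running it prints one row per request and mode. With match-all, only a listed source sending a beta Host header reaches the beta serverfarm, and an outside client sending that Host header is a policy miss. With match-any, the beta Host header alone is enough from any source, and any listed source lands on the beta serverfarm for any Host that the mainsite class did not claim, so the source restriction no longer restricts anything. The check keys on the source address the ACE sees, so anything upstream that rewrites that address (a proxy or another NAT) changes who passes.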