Hello!

I have a problem with moving our online store loadbalancing to a Cisco ACE solution from Windows NLB that it runs on now. And also relive the servers from the ssl encrypt and decrypting of sessions.

The load balancing works', as long the session is Http, but when the "customer" comes to the point that i is going to pay. Our shop is jumping over to HTTPs and this is where the problem appear.

The "customer" is getting the certificate right but the site is not displayed = the session to the shop seems to die.

If i have missed something in the config or if someone have any other idea why this dont work for me..

Appreciate any help!

My config:

(at the moment only web5 is in use)

ACE-1/CO-WEB1# show run

access-list ANY line 10 extended permit ip any any

access-list icmp line 8 extended permit icmp any any

probe http PROBE-HTTP

interval 3

passdetect interval 10

passdetect count 2

expect status 200 200

expect status 300 323

parameter-map type ssl SSLPARAMS

cipher RSA_WITH_RC4_128_MD5

rserver host vmware-server1

description testserver1

ip address 219.222.4.180

probe PROBE-HTTP

inservice

rserver host vmware-server2

description testserver 2

ip address 219.222.4.181

probe PROBE-HTTP

inservice

rserver host web5

description testserver from windows nlb

ip address 219.222.4.185

probe PROBE-HTTP

inservice

ssl-proxy service SSL-PROXY-SE

key cert-se.key

cert cert-se.pem

ssl advanced-options SSLPARAMS

serverfarm host WM-ware_servers

rserver vmware-server1

inservice

serverfarm host webtest

description testserver-farm

predictor leastconns

rserver vmware-server1 80

rserver vmware-server2 80

rserver web5

inservice

sticky ip-netmask 255.255.255.0 address source STICKY-GROUP1

timeout 60

serverfarm webtest

class-map match-all VIP-HTTP

2 match virtual-address 219.222.4.178 tcp eq www

class-map match-all VIP-HTTPS

2 match virtual-address 219.222.4.178 tcp eq https

class-map type management match-any icmp

description for icmp reply

2 match protocol icmp any

policy-map type management first-match icmp

class icmp

permit

policy-map type loadbalance first-match VIP-HTTP

class class-default

sticky-serverfarm STICKY-GROUP1

policy-map type loadbalance first-match VIP-SSL

class class-default

serverfarm webtest

policy-map multi-match SLB-VIP-HTTP

class VIP-HTTP

loadbalance vip inservice

loadbalance policy VIP-HTTP

loadbalance vip icmp-reply

class VIP-HTTPS

loadbalance vip inservice

loadbalance policy VIP-SSL

loadbalance vip icmp-reply

ssl-proxy server SSL-PROXY-SE

interface vlan 21

description ### ACE OUTSIDE mot FW ###

ip address 219.222.4.171 255.255.255.240

access-group input ANY

access-group output ANY

service-policy input icmp

service-policy input SLB-VIP-HTTP

no shutdown

interface vlan 22

description ### ACE INSIDE Gateway for Web-servers ###

ip address 219.222.4.177 255.255.255.240

access-group input ANY

access-group output ANY

service-policy input icmp

no shutdown

ip route 0.0.0.0 0.0.0.0 219.222.4.161

ACE-1/CO-WEB1#

as seen in "show conn" the sessions is established, first when i enter site, and go to payment (jumping over to SSL):

ACE-1/CO-WEB1# show conn

total current connections : 4

conn-id np dir proto vlan source destination state

----------+--+---+-----+----+---------------------+---------------------+------+

4 1 in TCP 21 219.222.0.2:49972 219.222.4.178:443 ESTAB

14 1 out TCP 22 219.222.4.185:443 219.222.0.2:49972 ESTAB

11 2 in TCP 21 219.222.0.2:49923 219.222.4.178:80 ESTAB

3 2 out TCP 22 219.222.4.185:80 219.222.0.2:49923 ESTAB

ACE-1/CO-WEB1#