01-29-2013 07:47 AM
Hi,
Is there a way to convert a TCP options header into an HTTP header using Cisco ACE?
Is there an equivalent solution with Cisco to the one proposed by F5 here:
https://devcentral.f5.com/tutorials/tech-tips/accessing-tcp-options-from-irules
Thanks
LK
01-30-2013 10:50 PM
Hi,
TCP and HTTP are separate protocols, and I am not sure how any device can convert TCP options to an HTTP header. What do you achieve using it? TCP options is basically unused space you have in the TCP header which can be used for win scaling, TS, SACK etc. I'm not sure I get the requirement here. Please elaborate on it.
Regards,
Kanwal
01-30-2013 11:17 PM
Hi Kanwal,
Basically, my client needs to be able to create the same rule on his ACE as the one described here:
https://devcentral.f5.com/tutorials/tech-tips/accessing-tcp-options-from-irules
This setup is related to a CDN integration.
Before: user --> ACE --> webserver
As the user connects directly to the ACE, the end-user IP address is visible.
After: user --> CDN --> CDN edge --> ACE --> webserver
The transaction is SSL and no SSL offload is done at the CDN edge, so the ACE only sees the CDN edge IP address.
However, the webserver needs to know the end-user IP address.
The CDN added the end-user IP address in the TCP option header.
Now the ACE must be able to read it and convert it into an HTTP header like XFF.
As I said, this is the same process as the one described in the link I provided.
Thanks for the help
LK
01-30-2013 11:28 PM
Hi Laurent,
You can configure the x-forwarded-for option in ACE and apply it to the appropriate policy; the server can then see the client src IP/port etc. in the packets forwarded to it by the ACE. Example below:
policy-map type loadbalance http first-match WEB_L7_POLICY
  class class-default
    serverfarm SF-1
    insert-http x-forward header-value "%is"
But this is normally when the ACE is source NATting. I am not sure if the ACE can read the IP in TCP options and translate it into an equivalent XFF in HTTP. I will check and let you know.
Regards,
Kanwal
02-01-2013 09:04 AM
Hi,
What about this:
1/ User-defined TCP options can be transferred by allowing the TCP option in the setting.
parameter-map type connection TCPPARAM-MAP
  tcp-options range 6 255 allow
Specifies the TCP options not explicitly supported by the ACE using a range of option numbers.
The arguments are as follows:
• number1 - Specifies the lower limit of the TCP option range. Enter either 6 or 7 or an integer from 9 to 255. See the "Usage Guidelines" section for the available TCP options.
• number2 - Specifies the upper limit of the TCP option range. Enter 6 or 7 or an integer from 9 to 255. See the "Usage Guidelines" section for the available TCP options.
2/ Page 175 for header insertion
Or can't we use a script?
Let me know.
Thanks
Laurent
02-01-2013 01:10 AM
Hi Laurent,
I've been having the exact same issue, also related to a 'CDN infrastructure'.
The ACE cannot extract the TCP options and insert them as a header, for instance.
You can configure the ACE not to drop those options, as it normally does, using a TCP parameter map,
but that's about it :-/
Sent from Cisco Technical Support iPad App
02-02-2013 02:43 AM
Hi Laurent,
what about this:
1/ user-defined TCP options can be transferred by allowing the TCP option in the setting.
Also if you look at the following section in the above link:
Supported TCP Options:
Option 28 is not supported on Cisco ACE.
So the first part explained in the F5 doc, which extracts the client IP and uses that IP in the X-forward header, is not possible.
But you can certainly allow the option header using the following command, as explained in the above link:
tcp-options {range number1 number2 {allow
And the same option header can be used by the server.
2/ Page 175 for header insertion
You can certainly insert a header, as already explained in the thread, using:
insert-http x-forward header-value "%is" << But this is not extracted from the option header.
or can't we use a script ?
The script is only used to configure a custom probe.
Rest of the option which is mentioned in F5 blog.
So ideally you can still use the supported option headers with ACE.
regards,
Ajay Kumar
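Added example, not part of the thread and not Cisco or F5 code: since the ACE can only pass option 28 through, a component behind it that sees the raw TCP options of the incoming SYN could recover the address itself. The payload layout (one version byte, then a 4-byte IPv4 address), the edge range 192.0.2.0/24 and all function names are assumptions; the option is honoured only from trusted CDN edge peers, because any sender can set it.

```python
import ipaddress
import struct

CLIENT_IP_OPTION = 28  # option kind named in the thread
# Assumed CDN edge range (documentation prefix); only these peers may supply the option.
TRUSTED_EDGES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_tcp_options(raw: bytes) -> dict:
    """Walk the kind/length/value list of a TCP options field."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:  # End of Option List
            break
        if kind == 1:  # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]  # length covers kind + length + payload
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        opts.setdefault(kind, raw[i + 2:i + length])
        i += length
    return opts


def forwarded_for(peer_ip: str, raw_options: bytes) -> str:
    """Return the value to place in X-Forwarded-For for this connection."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_EDGES):
        return peer_ip  # untrusted peer: ignore whatever it put in option 28
    try:
        payload = parse_tcp_options(raw_options).get(CLIENT_IP_OPTION)
    except ValueError:
        return peer_ip  # malformed options: fall back to the peer address
    if payload is None or len(payload) != 5:
        return peer_ip
    _version, addr = struct.unpack("!B4s", payload)  # assumed layout
    return str(ipaddress.IPv4Address(addr))


# Constructed SYN options: MSS 1460, NOP, option 28 (version 1, 203.0.113.7), EOL
SAMPLE = bytes([2, 4, 0x05, 0xB4, 1, 28, 7, 1, 203, 0, 113, 7, 0])
```
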