[ACE30-MOD-K9] Accessing and convert TCP options header

laurentkuper
Level 1

Hi,

Is there a way to convert TCP options header into an http header using Cisco ACE ?

is there an equivalent solution with Cisco as the one proposed by F5 here:

https://devcentral.f5.com/tutorials/tech-tips/accessing-tcp-options-from-irules

Thanks

LK

7 Replies

Kanwaljeet Singh
Cisco Employee

Hi,

TCP and HTTP are separate protocols, and I am not sure how any device can convert TCP options to an HTTP header. What do you achieve using it? TCP options are basically unused space you have in the TCP header which can be used for window scaling, TS, SACK etc. Not sure I get the requirement here. Please elaborate on it.

Regards,

Kanwal

Hi Kanwal,

Basically, my client needs to be able to create the same rule on his ACE as the one described here:

https://devcentral.f5.com/tutorials/tech-tips/accessing-tcp-options-from-irules

This setup is related to a CDN integration.

Before: user-->ACE-->webserver

As the user connects directly to the ACE, the end user IP address is visible.

After:

user-->cdn-->cdn edge-->Ace--->webserver

The transaction is SSL and no SSL offload is done at the CDN edge, so the ACE only sees the CDN edge IP address.

However, the webserver needs to know the end user IP address.

The CDN adds the end user IP address in the TCP options header.

Now the ACE must be able to read it and convert it into an HTTP header like XFF.

As I said, same process as the one described in the link I provided.

Thanks for the help

LK

Hi Laurent,

You can configure the x-forwarded-for option in ACE, apply it to the appropriate policy, and the server can then see the client src IP/port etc. in the packets forwarded to it by the ACE. Example below:

policy-map type loadbalance http first-match WEB_L7_POLICY
  class class-default
    serverfarm SF-1
    insert-http x-forward header-value "%is"

But this is normally used when the ACE is source NATing. I am not sure if the ACE can read the IP in the TCP options and translate it into an equivalent XFF in HTTP. I will check and let you know.

Regards,

Kanwal

Hi,

What about this:

1/ User-defined TCP options can be transferred by allowing the TCP option in the settings.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/parammap.html#wp1006556

parameter-map type connection TCPPARAM-MAP
  tcp-options range 6 255 allow

Specifies the TCP options not explicitly supported by the ACE using a range of option numbers.

The arguments are as follows:

• number1—Specifies the lower limit of the TCP option range. Enter either 6 or 7 or an integer from 9 to 255. See the "Usage Guidelines" section for the available TCP options.

• number2—Specifies the upper limit of the TCP option range. Enter 6 or 7 or an integer from 9 to 255. See the "Usage Guidelines" section for the available TCP options.

2/ Page 175 for header insertion

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/slb/guide/slbgd.pdf

Or can't we use a script?

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/script.pdf

Let me know.

Thanks

Laurent

sesoerensen
Level 1

Hi Laurent,

I've been having the exact same issue, also related to a 'CDN infrastructure'.
The ACE cannot extract the TCP options and insert them as a header, for instance.

You can configure the ACE not to drop those options, as it normally does, using a TCP parameter map,
but that's about it :-/


Hi Laurent,

What about this:

1/ User-defined TCP options can be transferred by allowing the TCP option in the settings.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/parammap.html#wp1006556

Also, if you look at the following section in the above link:

Supported TCP Options:

Option 28 is not supported on Cisco ACE.

So the first part explained in the F5 doc, which extracts the client IP and uses that IP in the X-Forwarded header, is not possible.

But you can certainly allow the option header using the following command, as explained in the above link:

tcp-options {range number1 number2 {allow

And the same option header can be used by the server.

2/ Page 175 for header insertion

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/slb/guide/slbgd.pdf

You can certainly insert a header, which is already explained in the thread, using:

insert-http x-forward header-value "%is"  << But this is not extracted from the option header.

Or can't we use a script?

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/script.pdf

The script is only used to configure custom probes.

Rest of the options mentioned in the F5 blog:

  • Opkind 2 – Max Segment Size  ( Not supported )
  • Opkind 3 – Window Scaling    ( Supported )
  • Opkind 5 – Selective Acknowledgements  ( Supported )
  • Opkind 8 – Timestamps     ( Supported )

So ideally you can still use the supported option headers with ACE.

Regards,

Ajay Kumar
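Added illustration, not code from this thread, from Cisco or from F5: a small Python parser for the TCP options field that pulls a client IPv4 address out of a user-defined option and renders it as an X-Forwarded-For value, which is the step the thread concludes the ACE cannot perform itself (so it would have to happen on a host or proxy that can see the options). The option kind (28) and its 4-byte IPv4 payload are assumptions modelled on the F5 article, and the TCP segment is constructed inline; the parser also rejects malformed option lengths rather than reading past the option area.

```python
import ipaddress
import struct
from typing import Dict, Optional

# Assumption modelled on the F5 article (not from the ACE docs): the CDN carries
# the end user's IPv4 address as the 4-byte payload of TCP option kind 28.
CLIENT_IP_OPTION_KIND = 28


def parse_tcp_options(segment: bytes) -> Dict[int, bytes]:
    """Return {kind: payload} for each TCP option; NOP skipped, EOL stops parsing."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte fixed TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset points outside the segment")
    opts, parsed, i = segment[20:data_offset], {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of option list
            break
        if kind == 1:  # No-operation padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError(f"option {kind} has no length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):  # never read past the option area
            raise ValueError(f"option {kind} has bad length {length}")
        parsed[kind] = opts[i + 2:i + length]
        i += length
    return parsed


def xff_from_tcp_options(segment: bytes, kind: int = CLIENT_IP_OPTION_KIND) -> Optional[str]:
    """X-Forwarded-For value from the option, or None when it is absent or malformed."""
    payload = parse_tcp_options(segment).get(kind)
    if payload is None or len(payload) != 4:
        return None
    return str(ipaddress.IPv4Address(payload))


def build_segment(options: bytes) -> bytes:
    """Constructed SYN to port 443 carrying the given options, EOL-padded to 32-bit words."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, data_offset << 4, 0x02, 65535, 0, 0) + options


# Constructed sample: MSS 1460, NOP, window scale 7, then option 28 = 203.0.113.45.
SAMPLE_SEGMENT = build_segment(b"\x02\x04\x05\xb4\x01\x03\x03\x07\x1c\x06" + bytes([203, 0, 113, 45]))
```

The MSS, window-scale and timestamp kinds (2, 3, 8) from Ajay's list parse the same way, so the returned dictionary can be used to check which standard options a segment carries as well.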
