08-02-2011 03:20 AM
Hello Friends,
I am facing a problem with the ACE4710; the problem description is as follows:
We have two IronPort web security boxes load balanced using the ACE4710, which is configured in bridged mode for transparent caching. Now we are facing a strange problem with downloading from websites like cisco.com, ibm.com etc. It gives the error "connection timed out" in the final stage. What we observed is that these sites are initially HTTPS and then change to HTTP, something like that. Below are the configuration details:
==================
serverfarm host IRONPORT-SF
  transparent
  predictor hash url
  rserver IRONPORT-1
    probe IRONPORT-ICMP
    inservice
  rserver IRONPORT-2
    probe IRONPORT-ICMP
    inservice
!
sticky ip-netmask 255.255.255.255 address source IRONPORT-STICKY
  timeout 60
  timeout activeconns
  replicate sticky
  serverfarm IRONPORT-SF
!
!
policy-map type loadbalance first-match IRONPORT-LB
  class class-default
    sticky-serverfarm IRONPORT-STICKY
!
class-map match-all VIP-TCP443
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq https
class-map match-all VIP-TCP80
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
!
!
policy-map multi-match SERVERFARM-POLICY
  class VIP-TCP80
    loadbalance vip inservice
    loadbalance policy IRONPORT-LB
    loadbalance vip icmp-reply active
  class VIP-TCP443
    loadbalance vip inservice
    loadbalance policy IRONPORT-LB
    loadbalance vip icmp-reply active
!
!
interface vlan 20
  description ---------CLIENT SIDE INTERFACE---------
  ip address <<IP Address>> <<Mask>>
  alias <<IP Address>> <<Mask>>
  peer ip address <<IP Address>> <<Mask>>
  no normalization
  no icmp-guard
  access-group input ACL-IN
  service-policy input REMOTE-ACCESS
  service-policy input SERVERFARM-POLICY
  no shutdown
interface vlan 208
  description ---------SERVER SIDE INTERFACE--------
  ip address <<IP Address>> <<Mask>>
  alias <<IP Address>> <<Mask>>
  peer ip address <<IP Address>> <<Mask>>
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input ACL-IN
  no shutdown
=============================
If anybody has the same setup or anyone has faced a similar problem, please comment.
Regards,
Sudheer.
08-02-2011 04:01 AM
Hi Sudheer,
You mentioned that you are using the ACE in bridge mode; please confirm this point, as I don't see any BVI interface configured, so I guess you are using it in routed mode?!
Looking through your configuration and considering a routed-mode deployment, I don't see how the ACE could affect these connections in any way. You are doing basic L4 load balancing and sharing the same sticky group under both policy maps, which means the client will stay stuck to the same server even if it has been redirected by the website, so this connection change will not affect the ACE load balancing decision.
I would recommend that you capture the traffic on the client, ACE and IronPort simultaneously and then have a look at who is breaking the communication; that should give you a better understanding of the problem.
Best regards,
Ahmad
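One way to check Ahmad's point mechanically, as an added example that is not code from the thread or from Cisco: a small parser for the flat (indent-stripped) ACE config text as pasted above, which follows each VIP class through its loadbalance policy to the sticky group and serverfarm it lands on, so you can confirm that the HTTP and HTTPS classes really share one sticky group and that an HTTPS-to-HTTP redirect keeps a client on the same IronPort. The config excerpt inside the block is a constructed copy of the relevant lines from the post; the function names are my own.

```python
"""Resolve which sticky group and serverfarm each ACE VIP class resolves to.

Added example, not from the thread. Follows the chain
  multi-match policy -> class -> loadbalance policy -> sticky-serverfarm -> serverfarm
over indentation-free config text, exactly as it appears when pasted into a forum.
"""

# Constructed excerpt of the configuration posted in the thread.
ACE_CONFIG = """\
sticky ip-netmask 255.255.255.255 address source IRONPORT-STICKY
timeout 60
replicate sticky
serverfarm IRONPORT-SF
!
policy-map type loadbalance first-match IRONPORT-LB
class class-default
sticky-serverfarm IRONPORT-STICKY
!
policy-map multi-match SERVERFARM-POLICY
class VIP-TCP80
loadbalance vip inservice
loadbalance policy IRONPORT-LB
class VIP-TCP443
loadbalance vip inservice
loadbalance policy IRONPORT-LB
"""


def parse_ace(text):
    """Return (sticky_groups, lb_policies, multi_match) from flat ACE config text."""
    sticky, lb_policies, multi = {}, {}, {}
    section = name = cls = None  # section: current top-level block; cls: current class
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":          # "!" ends a top-level block
            section = None
            continue
        words = line.split()
        if words[0] == "sticky":             # sticky ... <group-name>
            section, name = "sticky", words[-1]
            sticky[name] = None
        elif words[:2] == ["policy-map", "type"]:        # first-match LB policy
            section, name = "lb", words[-1]
            lb_policies[name] = {}
        elif words[:2] == ["policy-map", "multi-match"]:  # VIP policy
            section, name = "multi", words[-1]
            multi[name] = {}
        elif section == "sticky" and words[0] == "serverfarm":
            sticky[name] = words[1]
        elif section in ("lb", "multi") and words[0] == "class":
            cls = words[1]
        elif section == "lb" and words[0] == "sticky-serverfarm":
            lb_policies[name][cls] = words[1]
        elif section == "multi" and words[:2] == ["loadbalance", "policy"]:
            multi[name][cls] = words[2]
    return sticky, lb_policies, multi


def resolve_targets(text, multi_name):
    """Map each class of a multi-match policy to (sticky_group, serverfarm)."""
    sticky, lb_policies, multi = parse_ace(text)
    out = {}
    for cls, lb_name in multi[multi_name].items():
        # The posted first-match policy only has class-default, so that is the lookup key.
        group = lb_policies[lb_name].get("class-default")
        out[cls] = (group, sticky.get(group))
    return out


def shares_sticky_group(text, multi_name, *classes):
    """True when every named VIP class resolves to one sticky group, i.e. a client
    redirected from HTTPS to HTTP is still sent to the same IronPort."""
    targets = resolve_targets(text, multi_name)
    return len({targets[c][0] for c in classes}) == 1
```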