11-21-2013 05:36 AM
Hi,
I need to balance HTTPS on port 8091. I already made this configuration on port 443 and it works, but with port 8091 the sessions are broken and the users constantly have to log in.
probe tcp KPalive_server_8091
  port 8091
  interval 10
  faildetect 2
  passdetect interval 10
  passdetect count 2
  open 1
rserver host server01
  ip address 192.168.32.128
  inservice
rserver host server02
  ip address 192.168.32.129
  inservice
serverfarm host SRVfarm_server
  probe KPalive_server_8091
  rserver server01
    inservice
  rserver server02
    inservice
sticky layer4-payload server_HTTPS
  serverfarm SRVfarm_server
  response sticky
  layer4-payload offset 43 length 64 begin-pattern "(\x20|\x00\xST)"
class-map match-all CLA4_HTTPS
  2 match virtual-address 192.168.30.60 tcp eq 8091
policy-map type loadbalance generic first-match POL7_HTTPS
  class class-default
    sticky-serverfarm server_HTTPS
policy-map multi-match POL4_HTTPS
  class CLA4_HTTPS
    loadbalance vip inservice
    loadbalance policy POL7_HTTPS
    loadbalance vip icmp-reply active
thanks
Fred
P.S.
Sorry for the repeated topic, but I accidentally chose "write answer".
11-21-2013 05:38 AM
Hi Fred,
No problem:)
Regards,
Kanwal
11-21-2013 06:48 AM
Hi Kanwal,
"If I have understood you correctly you want that traffic coming to VIP at 443 should be sent back to the server on port 8091, then you should make a slight change in config."
I edited the post; the VIP is on 8091 and the server too.
Regards,
Fred
11-21-2013 08:03 AM
Hi Fred,
By default the ACE would use the same port on which the incoming connection has come and in your case it would be 8091.
So if a client comes with dst port 8091 and it matches the class map condition then ACE after making load balance decision will forward the packet to rserver on port 8091.
If you want the ACE to send it to a different port than the incoming port then you need to define the port number for rserver in serverfarm.
Regards,
Kanwal
11-21-2013 08:19 AM
yes I understand.
The problem seems to be in the sticky because I enter in the application via port 8091 without problems, but the ACE does not seem to grab the SSL ID.
Regards,
Fred
I clicked in the wrong button again
11-21-2013 08:51 AM
Hi Fred,
I see that you have Layer4 payload sticky which is basically to stick the connections on the basis of payload/data present in TCP or UDP.
ACE uses generic protocol parsing for L4 payload and I would suggest the following configuration:
parameter-map type generic SSLID_PARAMMAP
  set max-parse-length 76
Associate this parameter map:
policy-map multi-match POL4_HTTPS
  class CLA4_HTTPS
    loadbalance vip inservice
    loadbalance policy POL7_HTTPS
    loadbalance vip icmp-reply active
    appl-parameter generic advanced-options SSLID_PARAMMAP
Also, can you change the following:
layer4-payload offset 43 length 64 begin-pattern "(\x20|\x00\xST)"
Replace 64 with 32 if it is a 32-byte SSL ID:
layer4-payload offset 43 length 32 begin-pattern "(\x20|\x00\xST)"
Let me know how it goes.
Regards,
Kanwal
11-22-2013 09:32 AM
Hi Kanwal,
Still the same, I do the show sticky database command and I don't find any session.
Regards,
Fred
11-22-2013 11:09 AM
Hi Fred,
Which version of SSL are you using? Are you sure that the location of the SSLID is at the same place where we have told the ACE to look?
Can you take a pcap on client and see what is the location of SSLID string that ACE is looking for in there? That should give us an idea. Configuration looks fine.
Regards,
Kanwal
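To check the session ID location in a capture as suggested above, the sketch below (an added example, not from any poster or from Cisco) parses the first TLS record of a hello and reports where the session ID sits. The function names and the constructed ServerHello bytes are illustrative assumptions; for a 32-byte ID the length byte lands at offset 43 and the ID ends at byte 76, which lines up with the offset 43 and max-parse-length 76 values in the thread.

```python
import struct

HELLO_TYPES = {1: "ClientHello", 2: "ServerHello"}

def locate_session_id(record: bytes):
    """Return (offset of the length byte, session ID, end offset) for a
    TLS record that starts with a ClientHello or ServerHello."""
    if len(record) < 44:
        raise ValueError("record too short to hold a hello")
    content_type, _version, _length = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a TLS handshake record")
    if record[5] not in HELLO_TYPES:
        raise ValueError("handshake message is not a hello")
    # record header (5) + handshake header (4) + version (2) + random (32)
    offset = 5 + 4 + 2 + 32
    sid_len = record[offset]
    end = offset + 1 + sid_len
    if sid_len > 32 or end > len(record):
        raise ValueError("implausible session ID length")
    return offset, record[offset + 1:end], end

def build_server_hello(session_id: bytes) -> bytes:
    """Constructed sample: a minimal TLS 1.0 ServerHello record."""
    body = (b"\x03\x01" + bytes(range(32)) + bytes([len(session_id)])
            + session_id + b"\x00\x2f" + b"\x00")
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    sample = build_server_hello(bytes(range(0xA0, 0xC0)))
    offset, sid, end = locate_session_id(sample)
    print(f"length byte at {offset} = {sample[offset]:#04x}, "
          f"session ID {sid.hex()}, parse at least {end} bytes")
```

Feed it the TCP payload of the hello segment exported from the pcap. A length byte of 0x00 at that offset means the hello carries no session ID at all.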
11-22-2013 11:12 AM
Hi Fred,
Also, do show sticky database layer4-payload v
Regards,
Kanwal
11-24-2013 11:02 AM
Hi Kanwal,
The url for the VIP is https://example.com/login/auth;jsessionid=E9BB3E120CDD87D06BF18A6575A801F2.tc1
I need to use another approach, such as Session Cookie Persistence, but I'm not sure how I'll get the jsessionid. Do I need to do the match in the URL?
Thanks
Fred
11-24-2013 03:37 PM
Hello Fred
Check this page out for JSessionID persistence. HTH
11-25-2013 08:49 AM
Hi Steven,
I can see the sticky sessions in the database, but users are constantly being logged out.
Thanks
Fred
11-25-2013 08:53 AM
Hi Fred,
Can you configure a parameter-map and configure "persistence rebalance" and try again?
Regards,
Kanwal
11-25-2013 08:59 AM
Hi Fred,
Ensure the config is correct. Here's the sample config:
Sticky Based on JSESSIONID Cookie Location
With this example config, clients that connect to the VIP on port 80 (HTTP) will be load balanced to one of the three real servers in the serverfarm. When the server returns the cookie by the name of JSESSIONID in the HTTP header of the response, the ACE will create a sticky entry for this client based on the ten characters of the cookie value found after skipping the first 53 characters. The numbers 53 (offset) and 10 (length) are the most commonly used, although these two numbers may not work in all installations. Therefore research may be required to determine the correct numbers. The portion of the cookie value pointed to using these numbers is a static value that is always the same on a per-server basis.
JSESSIONID Location Cookie Sticky Configuration
Example Config
access-list ANYONE line 10 extended permit ip any any
probe http WWW-PROBE
  request method head url /keepalive.html
  expect status 200 200
rserver host SERVER-01
  ip address 192.168.1.11
  inservice
rserver host SERVER-02
  ip address 192.168.1.12
  inservice
rserver host SERVER-03
  ip address 192.168.1.13
  inservice
serverfarm host WWW-SERVERFARM
  probe WWW-PROBE
  rserver SERVER-01
    inservice
  rserver SERVER-02
    inservice
  rserver SERVER-03
    inservice
sticky http-cookie JSESSIONID JSESSIONID_STICKY
  cookie offset 53 length 10
  timeout 720
  replicate sticky
  serverfarm WWW-SERVERFARM
class-map match-all WWW-VIP
  2 match virtual-address 10.1.1.100 tcp eq www
policy-map type loadbalance first-match WWW-POLICY
  class class-default
    sticky-serverfarm JSESSIONID_STICKY
policy-map multi-match WWW-POLICY
  class WWW-VIP
    loadbalance vip inservice
    loadbalance policy WWW-POLICY
    loadbalance vip icmp-reply active
interface vlan 10
  description Client vlan
  ip address 10.1.1.10 255.255.255.0
  access-group input ANYONE
  service-policy input WWW-POLICY
  no shutdown
interface vlan 20
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.1.1
Regards,
Kanwal
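The quoted sample notes that research may be required to find the right offset and length. As an added example (not part of Kanwal's post or Cisco's sample), the search below takes cookie values observed from each real server and finds the longest slice that is constant per server and differs between servers. The server02 values, the .tc2 suffix and the function names are constructed assumptions modelled on the jsessionid format posted earlier in the thread.

```python
# Constructed samples: the first value is the jsessionid from the thread,
# the rest are made up in the same shape (32 hex characters plus a suffix).
SAMPLES = {
    "server01": ["E9BB3E120CDD87D06BF18A6575A801F2.tc1",
                 "0123456789ABCDEF0123456789ABCDEF.tc1"],
    "server02": ["A1B2C3D4E5F60718293A4B5C6D7E8F90.tc2",
                 "00112233445566778899AABBCCDDEEFF.tc2"],
}

def sticky_key(value, offset, length):
    """Simplified model of 'cookie offset N length M': skip N characters
    of the cookie value, keep the next M."""
    return value[offset:offset + length]

def find_sticky_window(samples):
    """samples maps a server name to cookie values observed from it.
    Return the longest (offset, length) slice that is identical across
    every value from one server and different between servers."""
    shortest = min(len(v) for values in samples.values() for v in values)
    best = None
    for offset in range(shortest):
        for length in range(1, shortest - offset + 1):
            per_server = []
            for values in samples.values():
                parts = {sticky_key(v, offset, length) for v in values}
                if len(parts) != 1:
                    break              # slice varies within one server
                per_server.append(parts.pop())
            else:
                distinct = len(set(per_server)) == len(per_server)
                if distinct and (best is None or length > best[1]):
                    best = (offset, length)
                continue
            break                      # longer slices here vary too
    return best

if __name__ == "__main__":
    print("candidate offset/length:", find_sticky_window(SAMPLES))
    print("offset 53 length 10 gives:",
          repr(sticky_key(SAMPLES["server01"][0], 53, 10)))
```

With these 36-character values the commonly used offset 53 and length 10 select nothing, while the search lands on the four-character suffix.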
11-25-2013 09:36 AM
perfect, the "persistence rebalance" was the missing piece
thanks for the help Kanwal
Regards,
Fred