Solved: Config Issues

Andrew MacDonald · ‎03-13-2013

Hi guys,

I am having some trouble with this config. All i am looking to do is a simple reverse proxy to this one host. When the page comes up it prompts me to download a bin file.... Probe succeeds and it says its working. I would also like to redirect to /spend What am i missing?

PA-ACE-4700-SLB/Spend-Support# show run

Generating configuration....

crypto chaingroup SPEND-CHAINGROUP

cert AddTrustExternalCARoot.crt

cert COMODOHigh-AssuranceSecureServerCA.crt

access-list allow line 8 extended permit ip any any

probe tcp HTTPS_PROBE

port 443

interval 5

passdetect interval 5

receive 3

connection term forced

open 2

probe tcp TCP8005_PROBE

port 8005

interval 5

passdetect interval 5

receive 3

connection term forced

open 2

rserver host Spend

ip address 10.0.10.22

inservice

serverfarm host SPEND

probe HTTPS_PROBE

rserver Spend 443

inservice

ssl-proxy service SPEND-SSLPROXY

key ProdKEYPAIR.PEM

cert WWW-PROD-CERT.crt

chaingroup SPEND-CHAINGROUP

class-map type http loadbalance match-any L5

2 match http url /.*

class-map match-all SPEND-CLASS

2 match virtual-address 10.0.1.110 tcp eq https

policy-map type loadbalance first-match HTTPS

class L5

serverfarm SPEND

policy-map multi-match SPEND-SLB

class SPEND-CLASS

loadbalance vip inservice

loadbalance policy HTTPS

loadbalance vip icmp-reply active

nat dynamic 1 vlan 1000

ssl-proxy server SPEND-SSLPROXY

interface vlan 1000

ip address 10.0.1.109 255.255.255.0

access-group input allow

nat-pool 1 10.0.1.110 10.0.1.110 netmask 255.255.255.255 pat

service-policy input SPEND-SLB

no shutdown

ip route 0.0.0.0 0.0.0.0 10.0.1.8

Thanks!

-Andy

Jorge Bejarano · ‎03-14-2013

Hey Andy what´s up?

Ok, Could you explain a little bit what seems to be the issue which you got or what you want to accomplish here?

You said, you are typing: https://10.0.1.110 and it should show the content of 10.0.10.22 but it is not or you are typing

https://10.0.1.110/spend and you expect the ACE magicly know what to do?

Could you specify a little bit?

If you are trying to do the following:

https://10.0.1.110/spend

then you may try something like:

class-map type http loadbalance match-any spend

2 match http url /spend

policy-map type loadbalance first-match HTTPS

class spend

serverfarm SPEND

class L5

serverfarm serverfarm-for-others

Please specify what you are looking for.

Jorge

View solution in original post

sivaksiv · ‎03-14-2013

Hi Andy,

Can you check the "show conn address .. " output and see if the connection is getting established both front and back end. Does this work when you directly access the server? The config seem to be good.

-

Siva

Andrew MacDonald · ‎03-14-2013

Hi Sivaksiv,

when i go directly to https://10.0.10.22 it works correctly. However when i hit the VIP it does not. I am assuming you want me to enter this command? show conn address 10.0.10.22 netmask 255.255.255.0 ?

Thanks,

-Andy

Jorge Bejarano · ‎03-14-2013

Hey Andy what´s up?

Ok, Could you explain a little bit what seems to be the issue which you got or what you want to accomplish here?

You said, you are typing: https://10.0.1.110 and it should show the content of 10.0.10.22 but it is not or you are typing

https://10.0.1.110/spend and you expect the ACE magicly know what to do?

Could you specify a little bit?

If you are trying to do the following:

https://10.0.1.110/spend

then you may try something like:

class-map type http loadbalance match-any spend

2 match http url /spend

policy-map type loadbalance first-match HTTPS

class spend

serverfarm SPEND

class L5

serverfarm serverfarm-for-others

Please specify what you are looking for.

Jorge

Andrew MacDonald · ‎03-15-2013

Hi Guys,

I ended up figuring it out. The port i was using for the serverfarm was wrong (I was given some bad info.) i used your instructions Jorge and it worked like a charm.

Thanks!

Jorge Bejarano · ‎03-15-2013

Andy,

It sounds good!

Jorge