Error: sticky resource not available

netternewbie
Level 1

Hi,

I get the following error when I try to add sticky config to a context.

Error: sticky resource not available

I have added the following to the admin context but no joy:

resource-class **********

  limit-resource all minimum 0.00 maximum unlimited

  limit-resource sticky minimum 10.00 maximum equal-to-min

One thing I noticed is it is only on the admin context of one ACE module. It ain't on the admin context of the other ACE module. Do I need to add it manually to both? Afraid of putting them out of sync.

Can anyone please advise?

56 Replies

Hi Netter,

My pleasure in assisting you. Get me the configuration and we will see what is going on here.

Regards,

Kanwal

Thanks Kanwal. Here is the current config. I think I am on the right track.

crypto chaingroup ****-CHAINGRP
  cert chain-ROOT

    cert ****CAcert

crypto csr-params CSR-PARAMS
  country
  state
  locality
  organization-name
  organization-unit
  common-name ****.co.uk
  serial-number 601
access-list BPDU ethertype permit bpdu


probe tcp ****-WEB-PROBE
  interval 3
  passdetect interval 5

parameter-map type ssl SSL-****-ADVANCED
  cipher RSA_WITH_RC4_128_MD5

rserver host ****TC1
  ip address *.*.*.*
  inservice
rserver host ****TC2
  ip address *.*.*.*
  inservice
rserver redirect HTTP-****
  webhost-redirection https://%h/%p 301
  inservice

ssl-proxy service SSL-****-PROXY
  key ****.pem
  cert ****CAcert
  chaingroup ****-CHAINGRP
  ssl advanced-options SSL-****-ADVANCED


serverfarm host ****-FARM
  predictor leastconns
  probe ****-WEB-PROBE
  rserver ****TC1 80
    inservice
  rserver ****TC2 80
    inservice
serverfarm redirect HTTP-****-FARM
  rserver HTTP-****
    inservice


sticky ip-netmask 255.255.255.255 address source STICKY-SSL-****-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm ****-FARM

class-map match-any ****-HTTPS-VIP
  2 match virtual-address *.*.*.* tcp eq https
class-map match-any REDIRECT-HTTP-****
  2 match virtual-address *.*.*.* tcp eq www

policy-map type loadbalance first-match ****-HTTPS-POLICY
  class class-default
    sticky-serverfarm STICKY-SSL-****-FARM
policy-map type loadbalance first-match ****-POLICY-REDIRECT
  class class-default
    serverfarm HTTP-****-FARM

policy-map multi-match ****-POLICY
  class ****-HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy ****-HTTPS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-****-PROXY
policy-map multi-match ****REDIRECTPOLICY
  class REDIRECT-HTTP-****
    loadbalance vip inservice
    loadbalance policy ****-POLICY-REDIRECT
    loadbalance vip icmp-reply active
    loadbalance vip advertise

service-policy input ****REDIRECTPOLICY
service-policy input ****-POLICY
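The SSL parameter map in the config above allows a single suite, RSA_WITH_RC4_128_MD5. RC4 is prohibited for TLS by RFC 7465 and MD5-based MACs are long deprecated, so a practitioner reviewing an ACE context would want to catch such suites before they reach production. The following is an added example, not code from this thread or from Cisco: a small Python linter that reads `parameter-map type ssl` blocks from an indented ACE-style config and flags suites whose names carry well-known weak markers. The sample config is constructed; apart from the suite on the page, the ACE-style cipher names in it are assumed.

```python
import re

# Substrings that mark a suite as weak, with the reason reported for each.
# RC4 is prohibited for TLS by RFC 7465; MD5-based MACs, export-grade
# key lengths, NULL encryption, single DES / 3DES and anonymous DH are all
# well-established weaknesses.
WEAK_MARKERS = {
    "RC4": "RC4 stream cipher (prohibited by RFC 7465)",
    "_MD5": "MD5-based MAC",
    "EXPORT": "export-grade key length",
    "NULL": "no encryption",
    "_DES_": "single DES",
    "3DES": "3DES (64-bit block)",
    "DH_anon": "anonymous DH, no server authentication",
}


def parse_ssl_parameter_maps(config_text):
    """Return {map_name: [cipher, ...]} for every 'parameter-map type ssl' block.

    Only the two ACE commands seen in the thread are understood: the block
    header at column 0 and indented 'cipher <NAME>' lines. Any other
    column-0 command ends the current block (assumes indented config).
    """
    maps = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        header = re.match(r"^parameter-map type ssl (\S+)$", line)
        if header:
            current = header.group(1)
            maps[current] = []
            continue
        if not line.startswith(" "):
            current = None  # some other top-level block
            continue
        if current is not None:
            cipher = re.match(r"^\s+cipher (\S+)", line)
            if cipher:
                maps[current].append(cipher.group(1))
    return maps


def audit_ciphers(config_text):
    """Return a list of (map_name, cipher, reason) for every weak suite found."""
    findings = []
    for name, ciphers in parse_ssl_parameter_maps(config_text).items():
        for suite in ciphers:
            for marker, reason in WEAK_MARKERS.items():
                if marker in suite:
                    findings.append((name, suite, reason))
    return findings


# Constructed sample config. The first map mirrors the thread's suite; the
# others add assumed ACE-style names so both outcomes are visible.
SAMPLE_CONFIG = """\
parameter-map type ssl SSL-EXAMPLE-ADVANCED
  cipher RSA_WITH_RC4_128_MD5
parameter-map type ssl PM1
  session-cache timeout 300
  queue-delay timeout 1
parameter-map type ssl SSL-MIXED
  cipher RSA_WITH_AES_256_CBC_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_EXPORT_WITH_RC4_40_MD5
"""

if __name__ == "__main__":
    for map_name, suite, reason in audit_ciphers(SAMPLE_CONFIG):
        print(f"{map_name}: {suite} -> {reason}")
```

Run it against a `show running-config` capture (with normal indentation) to list every SSL parameter map that still permits one of these suites; a map with no `cipher` lines at all, like PM1 here, is reported clean because the linter only judges suites that are explicitly configured.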

Hi Netter,

The configuration looks absolutely fine to me.

So this configuration didn't work? You said there was a redirection loop, which I assume could happen because the client didn't come with the https URL to which it was redirected; otherwise it would have matched a different class and been load balanced to a different serverfarm.

Can you capture on the client itself and see what URL the client goes with after it has been redirected? That should tell us why the redirection is happening again and again.

You can also install iehttp for IE or the Live utility in Mozilla to see the HTTP-based communication between client and server (ACE).

And you don't need to define two policy multi-match. You can simply call both class maps under the same policy multi-match. If it doesn't match the first class, it will look into the second and so on. Once a match is done it stops.

Regards,

Kanwal
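Kanwal's advice is to look, from the client side, at the exact URL the browser is sent to after the 301 and to see whether that URL itself gets redirected again. The script below is an added example written for this thread, not something the poster or Cisco supplied: it walks a redirect chain one hop at a time without auto-following, records every Location the client is handed, and reports a loop as soon as a URL repeats. The `http_fetch` function does real requests when you call it yourself; the two responders included (`HEALTHY` and `LOOPING`) are constructed stand-ins so the script runs offline, and the hostname `www.example.co.uk` is a placeholder.

```python
import urllib.request
import urllib.error
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Make urlopen raise HTTPError on 3xx instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=5):
    """Fetch one URL without following redirects.

    Returns (status_code, Location header or None).
    """
    opener = urllib.request.build_opener(_NoFollow)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def trace_redirects(start_url, fetch, max_hops=10):
    """Follow redirects hop by hop, recording every URL the client is sent to.

    Stops on the first non-redirect response, when a URL repeats (a loop),
    or after max_hops. Returns the full 'chain', the last 'status', and
    'loop' / 'exhausted' flags.
    """
    chain = [start_url]
    seen = {start_url}
    url = start_url
    status = None
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return {"chain": chain, "status": status, "loop": False, "exhausted": False}
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
        if url in seen:
            return {"chain": chain, "status": status, "loop": True, "exhausted": False}
        seen.add(url)
    return {"chain": chain, "status": status, "loop": False, "exhausted": True}


def fake_fetch(table):
    """Constructed stand-in for http_fetch: maps URL -> (status, Location)."""
    return lambda url: table.get(url, (404, None))


# Constructed responders. HEALTHY is what the thread's
# 'webhost-redirection https://%h/%p 301' rule should produce: one hop to
# HTTPS, then a 200. LOOPING shows the failure mode: the HTTPS URL is
# redirected to itself.
HEALTHY = fake_fetch({
    "http://www.example.co.uk/login": (301, "https://www.example.co.uk/login"),
    "https://www.example.co.uk/login": (200, None),
})
LOOPING = fake_fetch({
    "http://www.example.co.uk/login": (301, "https://www.example.co.uk/login"),
    "https://www.example.co.uk/login": (301, "https://www.example.co.uk/login"),
})

if __name__ == "__main__":
    for name, fetch in (("healthy", HEALTHY), ("looping", LOOPING)):
        result = trace_redirects("http://www.example.co.uk/login", fetch)
        print(name, "LOOP" if result["loop"] else "ok", " -> ".join(result["chain"]))
```

Because `%h` in the ACE redirect is filled from the client's Host header, the chain printed here shows exactly which host and path the VIP told the browser to go to, which is the detail a packet capture on the client would otherwise have to be read for.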

Hi Kanwal,

Just got word from the server guys that the server runs on 8443. Do I just change

serverfarm host ****-FARM
  predictor leastconns
  probe ****-WEB-PROBE
  rserver ****TC1 80
    inservice
  rserver ****TC2 80

to

serverfarm host ****-FARM
  predictor leastconns
  probe ****-WEB-PROBE
  rserver ****TC1 8443
    inservice
  rserver ****TC2 8443

Hi Netter,

If the server is listening on 8443 then the backend connection would be SSL too, which means you need to do end-to-end SSL load balancing, or you can simply load balance based on TCP port, and if you do so you need to remove the SSL proxy configuration.

For end-to-end SSL you have to configure ACE both as SSL server and client, and the configuration will need a slight change. Please go through the below link for the same.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/endtoend.html

Let me know if you have any questions.

Regards,

Kanwal

Thanks Kanwal,

To be honest I am new to all this so haven't a clue which is the best way to proceed. What way would you think is best? Would it be hard to change my current config to do end-to-end load balancing? Not sure where to start.

Hi Netter,

To configure end-to-end SSL you need to make a couple of changes and they are not big. Please go through the link and it will give you an idea of what you are missing.

Regarding what you should do, it is absolutely your decision. Normally SSL offloading is done on ACE to relieve servers of the CPU-intensive SSL handshake, which may impact their performance, and also to take decisions on the basis of data which ACE otherwise cannot see if it is not doing SSL offloading.

In end-to-end SSL even the backend connection is encrypted, which means that you don't care about the performance impact but you may still need ACE to look into data for LB decisions. If you don't need that you can simply tell ACE to LB on the basis of TCP port, and the connection would be encrypted from client to server and ACE would just do LB.

Honestly, it is your decision based on your requirement. If you don't want ACE to do anything by looking into the decrypted packet then I would suggest going for TCP port based load balancing, but still your decision.

You can also go through the link for more details regarding end to end ssl which explains in detail about it.

If you have any questions please let me know.

Regards,

Kanwal

Thanks Kanwal,

The service has to run on 8443 if they disable redirects, so I guess I have to do end-to-end SSL. I will give it a go and let you know how I get on.

I don't think I can do it on tcp port as client may connect on 80 or 443 from a web browser.

Hi Netter,

You are welcome. It is your choice as I said. But you can use redirection for port 80 and normal LB for 443 or end-to-end SSL. For end-to-end SSL you just need to make a minor change which you can see in the link I pasted. You have to add the ssl-proxy client statement under the policy-map type first-match.

Let me know if you have any questions.

Regards,

Kanwal

Thanks Kanwal,

Doing that now. I am worried: do I need to do this part?

interface vlan 210
  ip address 10.10.2.1 255.255.255.0
  service-policy input L7_1
  access-group input ACL
  no shutdown

Do I need to add

service-policy input L7_1? There are servers already live in this context and I am afraid this will break them.


Hi Netter,

I am not sure what this policy is. If the connections that are already working don't match what this service policy's class-map conditions match, then there should be no problems.

You can do this without breaking any existing connections. If you are not sure you can try this in off time.

Regards,

Kanwal

Sorry, that's just from the config in the link you sent me. I will send what I have done now. I think I am totally lost to be honest.

Hi Kanwal,

Here is my current config. Is it totally wrong? Policy map L7_1 appears as offline.

crypto chaingroup ****-CHAINGRP
  cert chain-ROOT
    cert ****CAcert

access-list BPDU ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any

probe tcp ****-WEB-PROBE
  port 8443
  interval 3
  passdetect interval 5

parameter-map type ssl PM1
  session-cache timeout 300
  queue-delay timeout 1
parameter-map type ssl SSL-****-ADVANCED
  cipher RSA_WITH_RC4_128_MD5

rserver host ****TC1
  ip address *.*.*.*
  inservice
rserver host ****TC2
  ip address *.*.*.78
  inservice
rserver redirect HTTP-****
  webhost-redirection https://%h/%p 301
  inservice

ssl-proxy service SSL-****-PROXY
  key ****.pem
  cert ****CAcert
  chaingroup ****-CHAINGRP
  ssl advanced-options SSL-****-ADVANCED
ssl-proxy service SSL_CLIENT
  ssl advanced-options PM1
ssl-proxy service SSL_SERVER
  key ****.pem
  cert ****CAcert
  ssl advanced-options PM1

serverfarm host ****-FARM
  predictor leastconns
  probe ****-WEB-PROBE
  rserver ****TC1 8443
    inservice
  rserver ****TC2 8443
    inservice
serverfarm redirect HTTP-****-FARM
  rserver HTTP-****
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-SSL-****-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm ****-FARM

class-map match-any ****-HTTPS-VIP
  2 match virtual-address *.*.*.* tcp eq https
class-map match-any REDIRECT-HTTP-****
  2 match virtual-address *.*.*.* tcp eq www
class-map type http loadbalance match-any SSL
  2 match http url .*
class-map match-any SSL_C1
  2 match virtual-address *.*.*.* tcp eq https
  3 match virtual-address *.*.*.* tcp any

policy-map type loadbalance first-match ****-HTTPS-POLICY
  class class-default
    sticky-serverfarm STICKY-SSL-****-FARM
policy-map type loadbalance first-match ****-POLICY-REDIRECT
  class class-default
    serverfarm HTTP-****-FARM
policy-map type loadbalance first-match SSL_BACK
  class SSL
    serverfarm ****-FARM
    ssl-proxy client SSL_CLIENT

policy-map multi-match ****-POLICY
  class ****-HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy ****-HTTPS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-****-PROXY
policy-map multi-match ****REDIRECTPOLICY
  class REDIRECT-HTTP-****
    loadbalance vip inservice
    loadbalance policy ****-POLICY-REDIRECT
    loadbalance vip icmp-reply active
    loadbalance vip advertise
policy-map multi-match L7_1
  class SSL_C1
    loadbalance vip inservice
    loadbalance policy SSL_BACK
    loadbalance vip icmp-reply
    ssl-proxy server SSL_SERVER

service-policy input ****REDIRECTPOLICY
service-policy input ****-POLICY

interface vlan 303
  bridge-group 303
  no normalization
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  no shutdown
interface vlan 603
  bridge-group 303
  no normalization
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  no shutdown
interface bvi 303
  ip address *.*.*.* 255.255.254.0
  peer ip address *.*.*.* 255.255.254.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 *.*.*.1

Hi Netter,

As per your requirement, which I have understood after our discussion, you don't need to do anything major. Please see the bold lines that you need to add and you should have an end-to-end SSL configuration.

crypto chaingroup ****-CHAINGRP
  cert chain-ROOT
    cert ****CAcert

crypto csr-params CSR-PARAMS
  country
  state
  locality
  organization-name
  organization-unit
  common-name ****.co.uk
  serial-number 601
access-list BPDU ethertype permit bpdu

probe tcp ****-WEB-PROBE
  interval 3
  passdetect interval 5

parameter-map type ssl SSL-****-ADVANCED
  cipher RSA_WITH_RC4_128_MD5

rserver host ****TC1
  ip address *.*.*.*
  inservice
rserver host ****TC2
  ip address *.*.*.*
  inservice
rserver redirect HTTP-****
  webhost-redirection https://%h/%p 301
  inservice

ssl-proxy service SSL-****-PROXY
  key ****.pem
  cert ****CAcert
  chaingroup ****-CHAINGRP
  ssl advanced-options SSL-****-ADVANCED
ssl-proxy service SSL_CLIENT
  ssl advanced-options SSL-****-ADVANCED

serverfarm host ****-FARM
  predictor leastconns
  probe ****-WEB-PROBE
  rserver ****TC1 8443
    inservice
  rserver ****TC2 8443
    inservice
serverfarm redirect HTTP-****-FARM
  rserver HTTP-****
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-SSL-****-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm ****-FARM

class-map match-any ****-HTTPS-VIP
  2 match virtual-address *.*.*.* tcp eq https
class-map match-any REDIRECT-HTTP-****
  2 match virtual-address *.*.*.* tcp eq www

policy-map type loadbalance first-match ****-HTTPS-POLICY
  class class-default
    sticky-serverfarm STICKY-SSL-****-FARM
    ssl-proxy client SSL_CLIENT
policy-map type loadbalance first-match ****-POLICY-REDIRECT
  class class-default
    serverfarm HTTP-****-FARM

policy-map multi-match ****-POLICY
  class ****-HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy ****-HTTPS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-****-PROXY
  class REDIRECT-HTTP-****
    loadbalance vip inservice
    loadbalance policy ****-POLICY-REDIRECT
    loadbalance vip icmp-reply active
    loadbalance vip advertise

service-policy input ****-POLICY

Let me know how it goes.

Regards,

Kanwal
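Kanwal's final config puts both classes under one multi-match policy and relies on the rule he stated earlier: the first class that matches wins and evaluation stops. The intermediate config earlier in the thread also had a class (SSL_C1) with a `tcp any` rule, and where such a class sits in the policy decides whether the redirect class is ever reached. The Python below is an added example for this thread, not the poster's or Cisco's code: it parses the small subset of ACE syntax used here (L3/L4 `class-map match-any`/`match-all` with `match virtual-address ... tcp eq <port>|any` rules, and `policy-map multi-match` class entries) and answers, for a given destination IP and port, which class a connection would hit and what actions apply. The VIP 192.0.2.10 and all names in the sample are constructed; this models the first-match behaviour described in the thread and is not a reimplementation of the ACE classifier.

```python
import re

NAMED_PORTS = {"www": 80, "http": 80, "https": 443}


def _port(token):
    """Map an ACE port keyword or number to an integer (None if unknown)."""
    return int(token) if token.isdigit() else NAMED_PORTS.get(token)


def parse_ace(config_text):
    """Parse the ACE subset used in the thread (assumes 2-space indentation).

    Returns (class_maps, policies):
      class_maps: {name: {"mode": "match-any"|"match-all", "rules": [(ip, port|None)]}}
      policies:   {name: [(class_name, [action, ...]), ...]}  in config order
    """
    class_maps, policies = {}, {}
    ctx = None  # ("class", name) | ("policy", name) | None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        text = line.strip()
        if indent == 0:
            m = re.match(r"class-map (match-any|match-all) (\S+)$", text)
            if m:
                ctx = ("class", m.group(2))
                class_maps[m.group(2)] = {"mode": m.group(1), "rules": []}
                continue
            m = re.match(r"policy-map multi-match (\S+)$", text)
            if m:
                ctx = ("policy", m.group(1))
                policies[m.group(1)] = []
                continue
            ctx = None  # any other block (HTTP class maps, first-match policies) is skipped
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "class":
            m = re.match(r"\d+ match virtual-address (\S+) tcp (eq (\S+)|any)$", text)
            if m:
                port = None if m.group(2) == "any" else _port(m.group(3))
                class_maps[name]["rules"].append((m.group(1), port))
        elif indent == 2:
            m = re.match(r"class (\S+)$", text)
            if m:
                policies[name].append((m.group(1), []))
        elif policies[name]:
            policies[name][-1][1].append(text)  # action line under the last class
    return class_maps, policies


def class_hits(cm, dst_ip, dst_port):
    """Evaluate one L3/L4 class map against a destination IP and TCP port."""
    hits = [ip == dst_ip and (port is None or port == dst_port) for ip, port in cm["rules"]]
    return all(hits) if cm["mode"] == "match-all" else any(hits)


def classify(policy_name, class_maps, policies, dst_ip, dst_port):
    """Return (class_name, actions) for the first matching class, else (None, [])."""
    for cls, actions in policies[policy_name]:
        cm = class_maps.get(cls)
        if cm is not None and class_hits(cm, dst_ip, dst_port):
            return cls, actions
    return None, []


# Constructed sample: EXAMPLE-POLICY follows the merged policy from the thread;
# SHADOWED-POLICY puts a 'tcp any' class first, so the redirect class below it
# can never match.
SAMPLE = """\
class-map match-any EXAMPLE-HTTPS-VIP
  2 match virtual-address 192.0.2.10 tcp eq https
class-map match-any REDIRECT-HTTP-EXAMPLE
  2 match virtual-address 192.0.2.10 tcp eq www
class-map match-any CATCH-ALL
  2 match virtual-address 192.0.2.10 tcp eq https
  3 match virtual-address 192.0.2.10 tcp any

policy-map multi-match EXAMPLE-POLICY
  class EXAMPLE-HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy EXAMPLE-HTTPS-POLICY
    ssl-proxy server SSL-EXAMPLE-PROXY
  class REDIRECT-HTTP-EXAMPLE
    loadbalance vip inservice
    loadbalance policy EXAMPLE-POLICY-REDIRECT

policy-map multi-match SHADOWED-POLICY
  class CATCH-ALL
    loadbalance vip inservice
    loadbalance policy SSL_BACK
  class REDIRECT-HTTP-EXAMPLE
    loadbalance vip inservice
    loadbalance policy EXAMPLE-POLICY-REDIRECT
"""

if __name__ == "__main__":
    cms, pols = parse_ace(SAMPLE)
    for pol in ("EXAMPLE-POLICY", "SHADOWED-POLICY"):
        for port in (80, 443, 8443):
            cls, actions = classify(pol, cms, pols, "192.0.2.10", port)
            print(f"{pol} port {port}: {cls} {actions}")
```

Running it shows port 80 reaching the redirect class only in EXAMPLE-POLICY; in SHADOWED-POLICY every port, 80 included, lands on CATCH-ALL, which is the kind of ordering problem worth checking with `show service-policy` whenever a broad class is added to a policy that also carries a redirect.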

Thanks a million for all your help. I'll give this a go tomorrow and let you know how it goes.
