I get the following error when I try to add sticky config to a context.

Error: sticky resource not available

I have added the following to the admin context but no joy:

resource-class **********
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum equal-to-min

One thing I noticed is it is only on the admin context of one ACE module. It ain't on the admin module of the other ACE context. Do I need to add it manually to both? I'm afraid of putting them out of sync.

Can anyone please advise?

Thanks Kanwal,

Looks like it's getting closer but still not there. If I type the service name it redirects to https:// but gives a "no data received" error on the web page.

If I go directly to each server on https://*.*.*.*:8443 it works. Am I missing something simple? Here are a few show commands:

sh probe ****-WEB-PROBE

probe       : ****-WEB-PROBE
type        : TCP
state       : ACTIVE
   port      : 8443    address     :         addr type  : -
   interval  : 3       pass intvl  : 5               pass count : 3
   fail count: 3       recv timeout: 10
                       --------------------- probe results --------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   serverfarm  : ****-FARM
     real      : ****TC1[8443]
                       *.*.*.*    7834       127        7707       SUCCESS
     real      : ****TC2[8443]
                       *.*.*.*    7836       128        7708       SUCCESS

sh serverfarm ****-FARM

serverfarm     : ****-FARM, type: HOST
total rservers : 2
       real                  weight state        current    total      failures

       *.*.*.*:8443     8      OPERATIONAL  0          0          44
   rserver: *TC2
       *.*.*.*:8443     8      OPERATIONAL  0          0          0

sh service-policy

Policy-map : ****-POLICY
Status     : ACTIVE
Context Global Policy:
  service-policy: ****-POLICY
    class: ****-HTTPS-VIP
      ssl-proxy server: SSL-****-PROXY
        L7 loadbalance policy: ****-HTTPS-POLICY
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 363
        dropped conns    : 184
        client pkt count : 4051      , client byte count: 1056853
        server pkt count : 1765      , server byte count: 258936
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
    class: REDIRECT-HTTP-****
        L7 loadbalance policy: ****-POLICY-REDIRECT
        VIP Route Metric     : 77
        VIP Route Advertise  : ENABLED
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 2
        dropped conns    : 0
        client pkt count : 8         , client byte count: 344
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0

Also, here is the current config. Maybe I am missing something, or still have something extra in the config.

crypto chaingroup ****-CHAINGRP
  cert chain-ROOT
  cert ****CAcert

probe tcp ****-WEB-PROBE
  port 8443
  interval 3
  passdetect interval 5

parameter-map type ssl SSL-****-ADVANCED
  cipher RSA_WITH_RC4_128_MD5

rserver host ****TC1
  ip address *.*.*.*

rserver host ****TC2
  ip address *.*.*.*

rserver redirect HTTP-****
  webhost-redirection https://%h/%p 301

ssl-proxy service SSL-****-PROXY
  key ****.pem
  cert ****CAcert
  chaingroup ****-CHAINGRP
  ssl advanced-options SSL-****-ADVANCED

ssl-proxy service SSL_CLIENT
  ssl advanced-options SSL-****-ADVANCED

serverfarm host ****-FARM
  predictor leastconns
  probe ****-WEB-PROBE
  rserver ****TC1 8443
  rserver ****TC2 8443

serverfarm redirect HTTP-****-FARM
  rserver HTTP-****

sticky ip-netmask address source STICKY-SSL-****-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm ****-FARM

class-map match-any ****-HTTPS-VIP
  2 match virtual-address *.*.*.* tcp eq https

class-map match-any REDIRECT-HTTP-****
  2 match virtual-address *.*.*.* tcp eq www

policy-map type loadbalance first-match ****-HTTPS-POLICY
  class class-default
    sticky-serverfarm STICKY-SSL-****-FARM
    ssl-proxy client SSL_CLIENT

policy-map type loadbalance first-match ****-POLICY-REDIRECT
  class class-default
    serverfarm HTTP-****-FARM

policy-map multi-match ****-POLICY
  class ****-HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy ****-HTTPS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-****-PROXY
  class REDIRECT-HTTP-****
    loadbalance vip inservice
    loadbalance policy ****-POLICY-REDIRECT
    loadbalance vip icmp-reply active
    loadbalance vip advertise

service-policy input ****-POLICY

Hi Netter,

My apologies, but I was not entirely right. For end-to-end SSL it is a requirement that you create a layer 7 class map. So you would need to make changes to the configuration. Let me paste one example for you:

class-map type http loadbalance match-all SSLCLASS
  2 match http url .*

Then you need to call this class under the policy map.

policy-map type loadbalance first-match ****-HTTPS-POLICY

    sticky-serverfarm STICKY-SSL-****-FARM
    ssl-proxy client SSL_CLIENT
  class class-default
    sticky-serverfarm STICKY-SSL-****-FARM
    ssl-proxy client SSL_CLIENT

Other than that it is looking fine.

Please try and let me know how it goes.

I tested with a 443 backend and it worked. Couldn't test with backend 8443, but I think it should work fine.



Hi Kanwal,

No joy unfortunately. This is what I have changed:

policy-map type loadbalance first-match ****-HTTPS-POLICY
  class SSLCLASS
    sticky-serverfarm STICKY-SSL-****-FARM
    ssl-proxy client SSL_CLIENT
  class class-default
    sticky-serverfarm STICKY-SSL-****-FARM
    ssl-proxy client SSL_CLIENT

policy-map type loadbalance first-match ****-POLICY-REDIRECT
  class class-default
    serverfarm HTTP-****-FARM

policy-map multi-match ****-POLICY
  class ****-HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy ****-HTTPS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-****-PROXY
  class REDIRECT-HTTP-****
    loadbalance vip inservice
    loadbalance policy ****-POLICY-REDIRECT
    loadbalance vip icmp-reply active
    loadbalance vip advertise

service-policy input ****-POLICY

sh serverfarm ****-FARM

serverfarm     : ****-FARM, type: HOST
total rservers : 2
       real                  weight state        current    total      failures
   rserver: ****TC1
       *.*.*.*:8443     8      OPERATIONAL  0          0          88
   rserver: ****TC2
       *.*.*.*:8443     8      OPERATIONAL  0          0          5

Hi Netter,

You didn't configure the L7 class map. Can you configure the L7 class map as shown in the config I pasted in my last post and see how it goes.



Sorry Kanwal, I had it in. Here are the classes I have:

class-map match-any ****-HTTPS-VIP
  2 match virtual-address *.*.*.* tcp eq https

class-map match-any REDIRECT-HTTP-****
  2 match virtual-address *.*.*.* tcp eq www

class-map type http loadbalance match-all SSLCLASS
  2 match http url .*

Thanks again for your thorough help on this.

Hi Kanwal, this is actually the full config I have now. Does it look ok to you?

crypto chaingroup ****-CHAINGRP
  cert chain-ROOT
  cert ****CAcert

probe tcp ****-WEB-PROBE
  port 8443
  interval 3
  passdetect interval 5

parameter-map type ssl SSL-****-ADVANCED
  cipher RSA_WITH_RC4_128_MD5

rserver host ****TC1
  ip address *.*.*.*

rserver host ****TC2
  ip address *.*.*.*

rserver redirect HTTP-****
  webhost-redirection https://%h/%p 301

ssl-proxy service SSL-****-PROXY
  key ****.pem
  cert ****CAcert
  chaingroup ****-CHAINGRP
  ssl advanced-options SSL-****-ADVANCED

ssl-proxy service SSL_CLIENT
  ssl advanced-options SSL-****-ADVANCED

serverfarm host ****-FARM
  predictor leastconns
  probe ****-WEB-PROBE
  rserver ****TC1 8443
  rserver ****TC2 8443

serverfarm redirect HTTP-****-FARM
  rserver HTTP-****

sticky ip-netmask address source STICKY-SSL-****-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm ****-FARM

class-map match-any ****-HTTPS-VIP
  2 match virtual-address *.*.*.* tcp eq https

class-map match-any REDIRECT-HTTP-****
  2 match virtual-address *.*.*.* tcp eq www

class-map type http loadbalance match-all SSLCLASS
  2 match http url .*

policy-map type loadbalance first-match ****-HTTPS-POLICY

    sticky-serverfarm STICKY-SSL-****-FARM
    ssl-proxy client SSL_CLIENT
  class class-default
    sticky-serverfarm STICKY-SSL-****-FARM
    ssl-proxy client SSL_CLIENT

policy-map type loadbalance first-match ****-POLICY-REDIRECT
  class class-default
    serverfarm HTTP-****-FARM

policy-map multi-match ****-POLICY
  class ****-HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy ****-HTTPS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-****-PROXY
  class REDIRECT-HTTP-****
    loadbalance vip inservice
    loadbalance policy ****-POLICY-REDIRECT
    loadbalance vip icmp-reply active
    loadbalance vip advertise

service-policy input ****-POLICY

Hi Netter,

Yes this looks good.



Thanks Kanwal. I now get this error though:

The connection was reset

The connection to the server was reset while the page was loading.

    *   The site could be temporarily unavailable or too busy. Try again in a few
    *   If you are unable to load any pages, check your computer's network
    *   If your computer or network is protected by a firewall or proxy, make sure
          that Firefox is permitted to access the Web.

Is there anything else I can do? Do you think there is something still wrong with my config? I am really stuck now.

Thanks again,

Hi Netter,

The config looks fine.

Send me the output of the below:

show service-policy detail

Ensure that you don't need NAT. What is your server's default gateway?

Is routing proper?



Thanks Kanwal, here is the output. We use public addresses so I don't think I need NAT. We have another service running in this context and it is fine. The default gateway of the servers will be the gateway of the VLAN: *.*.*.1.

sh service-policy ****-POLICY detail

Status     : ACTIVE
Description: -----------------------------------------
Context Global Policy:
  service-policy: ****-POLICY
    class: ****-HTTPS-VIP
      ssl-proxy server: SSL-****-PROXY
     VIP Address:    Protocol:  Port:   tcp        eq    443
        L7 loadbalance policy: ****-HTTPS-POLICY
        Regex dnld status    : SUCCESSFUL
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 467
        dropped conns    : 282
        client pkt count : 5054      , client byte count: 1206294
        server pkt count : 2068      , server byte count: 272134
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : ****-HTTPS-POLICY
          class/match : SSLCLASS
            ssl-proxy client : SSL_CLIENT
             LB action: :
               sticky group: STICKY-SSL-****-FARM
                  primary serverfarm: ****-FARM
                    state: UP
                  backup serverfarm : -
            hit count        : 82
            dropped conns    : 0
          class/match : class-default
            ssl-proxy client : SSL_CLIENT
             LB action: :
               sticky group: STICKY-SSL-****-FARM
                  primary serverfarm: ****-FARM
                    state: UP
                  backup serverfarm : -
            hit count        : 0
            dropped conns    : 0
    class: REDIRECT-HTTP-****
     VIP Address:    Protocol:  Port:
     *.*.*.*   tcp        eq    80
        L7 loadbalance policy: ****-POLICY-REDIRECT
        VIP Route Metric     : 77
        VIP Route Advertise  : ENABLED
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 24
        dropped conns    : 0
        client pkt count : 99        , client byte count: 7933
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : ****-POLICY-REDIRECT
          class/match : class-default
            LB action: :
               primary serverfarm: HTTP-****-FARM
                    state: UP
                  backup serverfarm : -
            hit count        : 6
            dropped conns    : 0

Hi Kanwal, the VIP is actually on a different subnet from the servers, so maybe this is the problem. I will change the IP of the VIP, change it in the context, and see if it makes any difference.

Hi Netter,

We are getting hits on the policy as well as on SSLCLASS, but there are drops on the L3 policy map. Can you also remove the SSL parameter map from both the SSL client proxy as well as the server and give it a try.

The VIP can be different as long as there is a route to it from the uplink. Once traffic matches, it will be load balanced to the servers in the serverfarm. Now the servers should be able to send the traffic back (if the ACE is their GW, or the servers have a route towards the ACE, or you do NAT so that traffic comes back to the ACE).

When you establish a connection, what do you see in "show conn"? You can filter using your testing client IP address or the VIP. So you can use "show conn". Send me that output as well.

Also, ensure that the policy is applied to the correct interface VLAN. It should be applied to the client-facing VLAN.



Sorry Kanwal, how or what do I remove? Is it like the lines marked below:

ssl-proxy service SSL-FILR-PROXY
  key filr.pem
  cert filrCAcert
  chaingroup FILR-CHAINGRP
  NO ssl advanced-options SSL-FILR-ADVANCED

ssl-proxy service SSL_CLIENT
  NO ssl advanced-options SSL-FILR-ADVANCED

Hi Netter,

Yeah that is right.
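As an added example (my own, not from this thread or from Cisco), here is a Python check that parses an ACE-style config of the shape posted above and reports the RSA_WITH_RC4_128_MD5 cipher in the SSL parameter-map (RC4 and MD5 are deprecated suites, which is a reason beyond troubleshooting to drop that map), the ssl-proxy services that reference it, and any sticky-serverfarm or serverfarm reference that points at an object the config never defines. The sample config and all of its names are constructed placeholders.

```python
WEAK_CIPHER_TOKENS = ("RC4", "MD5", "DES", "NULL", "EXPORT")   # suite fragments a reviewer flags
# Constructed sample mirroring the shape of the posted config; every name is a placeholder.
SAMPLE_CONFIG = """\
parameter-map type ssl SSL-EXAMPLE-ADVANCED
  cipher RSA_WITH_RC4_128_MD5
ssl-proxy service SSL-EXAMPLE-PROXY
  ssl advanced-options SSL-EXAMPLE-ADVANCED
ssl-proxy service SSL_CLIENT
  ssl advanced-options SSL-EXAMPLE-ADVANCED
serverfarm host EXAMPLE-FARM
  rserver EXAMPLETC1 8443
sticky ip-netmask address source STICKY-SSL-EXAMPLE-FARM
  serverfarm EXAMPLE-FARM
policy-map type loadbalance first-match EXAMPLE-HTTPS-POLICY
  class class-default
    sticky-serverfarm STICKY-SSL-EXAMPLE-FARM
    ssl-proxy client SSL_CLIENT
"""

def parse_sections(config):
    """Split config into (header, [child lines]): an unindented line opens a section, indented lines belong to it."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections

def audit(config):
    """Return findings: weak SSL ciphers, proxies using them, and dangling sticky/serverfarm references."""
    sections = parse_sections(config)
    last = lambda line: line.split()[-1]   # the trailing token is the object's name
    farms = {last(h) for h, _ in sections if h.startswith("serverfarm ")}
    sticky = {last(h) for h, _ in sections if h.startswith("sticky ")}
    weak_maps = {last(h) for h, b in sections if h.startswith("parameter-map type ssl ")
                 and any(l.startswith("cipher ") and any(t in l for t in WEAK_CIPHER_TOKENS) for l in b)}
    findings = [f"weak cipher in parameter-map {m}" for m in sorted(weak_maps)]
    for header, body in sections:
        for line in body:
            if header.startswith("ssl-proxy service ") and line.startswith("ssl advanced-options ") and last(line) in weak_maps:
                findings.append(f"{header} uses weak parameter-map {last(line)}")
            elif header.startswith("policy-map type loadbalance ") and line.startswith("sticky-serverfarm ") and last(line) not in sticky:
                findings.append(f"{header} references undefined sticky group {last(line)}")
            elif header.startswith("sticky ") and line.startswith("serverfarm ") and last(line) not in farms:
                findings.append(f"{header} references undefined serverfarm {last(line)}")
    return findings
```

Run `audit(open("running-config.txt").read())` on a saved `show running-config` to get the same report for a real context.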
