10-30-2013 10:14 AM
Hi,
I get the following error when I try to add sticky config to a context.
Error: sticky resource not available
I have added the following to the admin context but no joy:
resource-class **********
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum equal-to-min
One thing I noticed is it is only on the admin context of one ACE module. It ain't on the admin module of the other ACE context. Do I need to add it manually to both? Afraid of putting them out of sync.
Can anyone please advise?
11-01-2013 08:38 AM
Hi Kanwal,
Seem to have lost connection since making those changes. See output below:
sh service-policy ****-POLICY DE
Status : ACTIVE
Description: -----------------------------------------
Context Global Policy:
service-policy: ****-POLICY
class: ****-HTTPS-VIP
ssl-proxy server: SSL-****-PROXY
VIP Address: Protocol: Port:
*.*.175.110 tcp eq 443
loadbalance:
L7 loadbalance policy: ****-HTTPS-POLICY
Regex dnld status : SUCCESSFUL
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : ****-HTTPS-POLICY
class/match : SSLCLASS
ssl-proxy client : SSL_CLIENT
LB action: :
sticky group: STICKY-SSL-****-FARM
primary serverfarm: ****-FARM
state: UP
backup serverfarm : -
hit count : 0
dropped conns : 0
class/match : class-default
ssl-proxy client : SSL_CLIENT
LB action: :
sticky group: STICKY-SSL-****-FARM
primary serverfarm: ****-FARM
state: UP
backup serverfarm : -
hit count : 0
dropped conns : 0
class: REDIRECT-HTTP-****
VIP Address: Protocol: Port:
*.*.175.110 tcp eq 80
loadbalance:
L7 loadbalance policy: ****-POLICY-REDIRECT
VIP Route Metric : 77
VIP Route Advertise : ENABLED
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : ****-POLICY-REDIRECT
class/match : class-default
LB action: :
primary serverfarm: HTTP-****-FARM
state: UP
backup serverfarm : -
hit count : 0
dropped conns : 0
11-01-2013 08:48 AM
Actually I have changed VIP address so need to double check firewall now. Sorry.
11-01-2013 10:08 AM
Sorry for delayed response Kanwal. We had some problems here with other things. I will try what you suggested Monday morning and get the server guys to check their things.
I will let you know how I get on. Thanks for all your help and patience. Hopefully we get it sorted Monday.
11-05-2013 08:53 AM
Hi Kanwal,
Unfortunately I am still having problems. Below is the current config. Do you see anything obvious that is wrong? At the moment the application is listening on 8443, there are certs on the two servers and there was a reverse proxy configured but this is turned off now.
crypto chaingroup ****-CHAINGRP
  cert chain-ROOT
  cert ****CAcert
probe tcp ****-WEB-PROBE
  port 8443
  interval 3
  passdetect interval 5
parameter-map type ssl SSL-****-ADVANCED
  cipher RSA_WITH_RC4_128_MD5
rserver host ****TC1
  ip address *.*.*.*
  inservice
rserver host ****TC2
  ip address *.*.*.*
  inservice
rserver redirect HTTP-****
  webhost-redirection https://%h/%p 301
  inservice
ssl-proxy service SSL-****-PROXY
  key ****.pem
  cert ****CAcert
  chaingroup ****-CHAINGRP
  ssl advanced-options SSL-****-ADVANCED
ssl-proxy service SSL_CLIENT
  ssl advanced-options SSL-****-ADVANCED
serverfarm host ****-FARM
  predictor leastconns
  probe ****-WEB-PROBE
  rserver ****TC1 8443
    inservice
  rserver ****TC2 8443
    inservice
serverfarm redirect HTTP-****-FARM
  rserver HTTP-****
    inservice
sticky ip-netmask 255.255.255.255 address source STICKY-SSL-****-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm ****-FARM
class-map match-any ****-HTTPS-VIP
  3 match virtual-address *.*.*.* tcp eq https
class-map match-any REDIRECT-HTTP-****
  3 match virtual-address *.*.*.* tcp eq www
class-map type http loadbalance match-all SSLCLASS
  2 match http url .*
policy-map type loadbalance first-match ****-HTTPS-POLICY
  class SSLCLASS
    sticky-serverfarm STICKY-SSL-****-FARM
    ssl-proxy client SSL_CLIENT
  class class-default
    sticky-serverfarm STICKY-SSL-****-FARM
    ssl-proxy client SSL_CLIENT
policy-map type loadbalance first-match ****-POLICY-REDIRECT
  class class-default
    serverfarm HTTP-****-FARM
policy-map multi-match ****-POLICY
  class ****-HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy ****-HTTPS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-****-PROXY
  class REDIRECT-HTTP-****
    loadbalance vip inservice
    loadbalance policy ****-POLICY-REDIRECT
    loadbalance vip icmp-reply active
    loadbalance vip advertise
service-policy input ****-POLICY
11-05-2013 08:57 AM
Hi Netter,
Hmm... Let us do it this way. If you configure simple TCP port 8443 load balancing (nothing to do with SSL offloading), does it work?
So you will configure a VIP listening on port 8443 and if client comes on that VIP with dst port as 8443 the request would be sent to your server listening on 8443. If that works then we are sure that routing is fine and it is ssl configuration which is problem.
Can you test that?
Regards,
Kanwal
11-05-2013 08:59 AM
Hi Netter,
And yes your config looks fine. Can you also get a pcap from client while testing the existing configuration?
Can you also send me the output of show conn?
Regards,
Kanwal
11-05-2013 09:00 AM
Hi Netter,
Did you also test by removing SSL parameter ?
Regards,
Kanwal
11-05-2013 09:06 AM
Hi Kanwal,
Yes I did but no luck. Would you like me to leave it removed or leave it on? I am currently getting a connection timeout when I try to hit the service in a browser. So maybe the server guys have changed something and I need to do something else.
11-05-2013 09:13 AM
Hi Netter,
You can test it by removing it.
The best way to start would be to see if the traffic is being forwarded from client or not by ACE and if server is replying or not. That way we can be sure that there is no routing problem.
Once that is confirmed we can start with SSL. The config above looks like. Just test it by removing the SSL parameter since you have selected only cipher there. Let it be at default and check.
Regards,
Kanwal
11-05-2013 09:16 AM
Hi Netter,
Yes, please try with the SSL parameter.
Regards,
Kanwal
11-05-2013 09:23 AM
Hi Kanwal.
Removing it seems to have worked. Brilliant!!!!!!!! I will carry out more testing and let you know.
Thanks a million for all the help.
11-05-2013 09:26 AM
Hi Netter,
Wonderful. Let me know how it goes. I am very glad it worked.
Regards,
Kanwal
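An added example, not part of the original thread and not Cisco tooling: a small Python audit that reads an ACE configuration, flags every SSL parameter-map that pins a single cipher or lists weak suites (RC4, MD5 and similar), and names the ssl-proxy services that reference it. In the thread, one such map was applied to both the client-facing proxy service and the back-end SSL_CLIENT service. The sample config is constructed, and the list of block headers is an assumed subset of ACE top-level commands.

```python
import re

# Constructed sample in the flattened form posted in the thread; all names are placeholders.
SAMPLE = """\
parameter-map type ssl SSL-EXAMPLE-ADVANCED
cipher RSA_WITH_RC4_128_MD5
ssl-proxy service SSL-EXAMPLE-PROXY
key example.pem
ssl advanced-options SSL-EXAMPLE-ADVANCED
ssl-proxy service SSL_CLIENT
ssl advanced-options SSL-EXAMPLE-ADVANCED
serverfarm host EXAMPLE-FARM
rserver EXAMPLETC1 8443
"""

HEADER = re.compile(r"^(parameter-map type ssl|ssl-proxy service)\s+(\S+)$")
# Other block headers end the block being read (an assumed subset of ACE top-level commands).
OTHER_BLOCK = re.compile(r"^(crypto|probe|rserver (host|redirect)|serverfarm (host|redirect)"
                         r"|sticky|class-map|policy-map|service-policy|interface)\b")
WEAK = re.compile(r"RC4|MD5|EXPORT|_DES_|NULL")

def audit(config):
    """Return one finding per SSL parameter-map that pins a single or weak cipher."""
    ciphers, users, kind, name = {}, {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        m = HEADER.match(line)
        if m:
            kind, name = m.groups()
            if kind.startswith("parameter-map"):
                ciphers.setdefault(name, [])
        elif OTHER_BLOCK.match(line):
            kind = None
        elif kind == "parameter-map type ssl" and line.startswith("cipher "):
            ciphers[name].append(line.split()[1])
        elif kind == "ssl-proxy service" and line.startswith("ssl advanced-options "):
            users.setdefault(line.split()[2], []).append(name)
    findings = []
    for pmap, suites in ciphers.items():
        reasons = ["single cipher, no fallback"] if len(suites) == 1 else []
        weak = [s for s in suites if WEAK.search(s)]
        if weak:
            reasons.append("weak: " + ", ".join(weak))
        if reasons:
            findings.append({"map": pmap, "used_by": users.get(pmap, []), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["map"], "used by", f["used_by"], "->", "; ".join(f["reasons"]))
```

A parameter-map with no `cipher` lines produces no finding, which matches the fix in the thread: leaving the cipher list at its default.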