3531 Views | 0 Helpful | 21 Replies

How can I preserve Client IP address?

vtnguyenaz
Level 1

I am configuring the ACE for bridged mode. However, the real server is seeing VIP IP but not Client IPs. Our business requires that the real server must see client IPs. Do you have any idea how to set that up?

I tried to turn ON/OFF normalization but it is still not working.

Thanks,

Vincent

==============================

Here is my configuration:

rserver host 192.168.71.71
  ip address 192.168.71.71
  inservice
serverfarm host WEB_FARM
  failaction purge
  probe ICMP
  rserver 192.168.71.71
    inservice
access-list PERMIT-BPDU ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
sticky ip-netmask 255.255.255.255 address source WEB_FARM_Sticky
  timeout 180
  replicate sticky
  serverfarm WEB_FARM
class-map match-all WEB_FARM_VIP
  2 match virtual-address 192.168.71.154 tcp eq 80
class-map type management match-any remote_access
  2 match protocol xml-https any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
  9 match protocol snmp any
policy-map type loadbalance first-match WEB_FARM_Policy
  class class-default
    sticky-serverfarm WEB_FARM_Sticky
policy-map multi-match WEB_VIPS
  class WEB_FARM_VIP
    loadbalance vip inservice
    loadbalance policy WEB_FARM_Policy
    loadbalance vip icmp-reply active
    nat dynamic 6 vlan 31
    nat dynamic 5 vlan 21
interface vlan 21
  description Client VLAN
  bridge-group 171
  no normalization
  mac-sticky enable
  access-group input PERMIT-BPDU
  access-group input ALL
  service-policy input WEB_VIPS
  nat-pool 5 192.168.71.154 192.168.71.154 netmask 255.255.255.255 pat
interface vlan 31
  description Server VLAN
  bridge-group 171
  no normalization
  mac-sticky enable
  access-group input PERMIT-BPDU
  access-group input ALL
  service-policy input WEB_VIPS
  nat-pool 6 192.168.71.154 192.168.71.154 netmask 255.255.255.255 pat
  no shutdown
interface bvi 171
  ip address 192.168.71.3 255.255.255.0
  no shutdown

21 Replies

Vincent, vlan 100 in my setup is the vlan where the default gateway is (front side of ACE).  All my rservers are in vlan 110 which is logically behind the ACE.  Bridged mode uses one subnet and bridges the two different VLANs.  Unless you are using one-arm mode both bridge mode and routed mode require the traffic to flow through the ACE.

Forgot to hit reply but it looks like David answered as well.

The config is bridged, but depending on what VLAN your server is in it makes it bridged or one-armed. If your servers are in the same VLAN as the gateway, try changing the switch port config so the switchport access vlan command is in the VLAN that is opposite of the gateway and test. If it is in the same VLAN as the gateway then you are using a one-armed mode topology.

Your config is definitely a bridge mode config, but I think your servers are just in the wrong VLAN.

Hi David and Jim,

Please correct me! Here is my setup details:

Real server is a VMware box. ESX VM is setup with VLAN 21 for 192.168.71.x subnet.

On the ACE, I set Gig1/1, 1/2 and 1/3 as an Ether-channel with all VLANs trunked to another switch, and that switch connects to the firewall.

I have a firewall ASA that includes VLAN 21 and VLAN 10. VLAN 21 is the 192.168.71.x subnet and VLAN 10 is 192.168.1.x. On the ACE, I defined VLAN 10 as the management VLAN and I set up a default route 0.0.0.0 0.0.0.0 192.168.1.1. Also, on the ACE, I created VLAN 21 as the Client VLAN and VLAN 31 as the Server VLAN; however, my ASA doesn't have VLAN 31.

Do I need to add VLAN 31 to the firewall and the ESX VM server? Am I missing something there?

Please advise,

Vincent

I'm assuming that your ASA is the default gateway for vlan 21.  You need to change your default gateway on the ACE to be the ASA address on that subnet.  I would also change your management interface to a different context on the ACE.

Are your rservers all on VLAN 31 and your ASA on VLAN 21? If so, it sounds like you have everything setup right with the exception of sending all traffic out the management interface.  You could put some static routes for specific subnets or IPs on the management VLAN, but I think the better practice is to probably move your management interface to a different context and allocate that VLAN to that context.

csimmons
Level 1

I had the same issue. This was the solution provided by TAC.

policy-map type loadbalance first-match LB_lc3q-ui#v51a
  class class-default
    sticky-serverfarm ST_lc3q-ui#v51a
    action SSL_rewrite
    insert-http x-forward header-value "%is"

Your application code will need to read the header in order to get the client's real IP.

-Clint
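The server-side half of Clint's TAC solution, as an added example that is not part of this thread or of any Cisco code: the ACE config above inserts a header named x-forward whose value (%is) is the client source IP, so the application has to read that header instead of the TCP peer address. The point a practitioner wants handled is that such a header is only meaningful when the request actually came through the ACE; any other peer can set it to whatever it likes. The example treats the VIP/NAT address from the config (192.168.71.154, the address the real server sees as its TCP peer) as the only trusted proxy, which is an assumption for this example, and falls back to the peer address whenever the header is absent, malformed, or arrived from an untrusted peer. Taking the last comma-separated value when several are present follows the usual X-Forwarded-For ordering convention and is likewise an assumption about how the ACE combines with a client-supplied header of the same name.

```python
import ipaddress
from typing import Iterable, Mapping, Tuple

# Values taken from the thread's config: the ACE inserts a header called
# "x-forward" carrying "%is" (client source IP), and the real server sees the
# VIP/NAT address 192.168.71.154 as the TCP peer. Treating that single address
# as the only trusted proxy is an assumption made for this example.
ACE_HEADER = "x-forward"
TRUSTED_PROXIES = frozenset({"192.168.71.154"})


def client_ip(headers: Mapping[str, str], peer_ip: str,
              trusted_proxies: Iterable[str] = TRUSTED_PROXIES,
              header_name: str = ACE_HEADER) -> Tuple[str, bool]:
    """Return (ip, from_header).

    ip is the address the application should log / rate-limit / authorise on;
    from_header is True only when the ACE-inserted header was accepted.
    """
    # 1. Honour the header only when the TCP peer is the load balancer. A request
    #    that reached the server any other way may carry a forged header.
    if peer_ip not in set(trusted_proxies):
        return peer_ip, False

    # 2. HTTP header names are case-insensitive; find the ACE header regardless
    #    of how the framework capitalised it.
    raw = None
    for name, value in headers.items():
        if name.lower() == header_name.lower():
            raw = value
            break
    if raw is None:
        return peer_ip, False

    # 3. If more than one value reached us (e.g. a client-supplied copy joined
    #    with the ACE's by the web framework), use the last one: by the usual
    #    X-Forwarded-For convention it is the value added by the nearest hop.
    #    (Assumption about ACE behaviour; see the lead-in.)
    candidate = raw.split(",")[-1].strip()

    # 4. Accept only a plain IPv4/IPv6 literal. Anything else (hostnames, ports,
    #    injection attempts aimed at log parsers) falls back to the peer address.
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return peer_ip, False
    return str(addr), True


def demo() -> dict:
    """Run the check over a few constructed requests (sample data, not real traffic)."""
    cases = {
        # normal path: request via the ACE, header present and valid
        "via_ace": ({"x-forward": "203.0.113.7"}, "192.168.71.154"),
        # same, but the framework capitalised the header name
        "via_ace_caps": ({"X-Forward": "203.0.113.7"}, "192.168.71.154"),
        # request bypassed the ACE: header must be ignored
        "bypass": ({"x-forward": "203.0.113.7"}, "10.0.0.9"),
        # client pre-set the header and the ACE's value was appended
        "double": ({"x-forward": "evil, 203.0.113.7"}, "192.168.71.154"),
        # garbage value from a client: fall back to peer
        "garbage": ({"x-forward": "not-an-ip"}, "192.168.71.154"),
    }
    return {name: client_ip(h, peer) for name, (h, peer) in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result}")
```

Because the fallback is the peer address, a request that bypasses the ACE is attributed to whatever host actually connected, never to a value the sender chose; the from_header flag lets the application log those cases separately so a misrouted or bypassing client shows up in monitoring rather than silently being recorded as the VIP.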

Hi Clint,

Do you have any idea for UDP application?

Thanks,

Vincent

From my experience you will need to remove the NAT; otherwise the packets' source will be that of the ACE NAT.

I know removing the NAT is probably not possible with your configuration. Unfortunately your options are slim.

I would get TAC involved for a final solution.

-Clint