Sachin,

Thanks for the suggestion, but the change was not successful.  When I try to connect to http://www.testsite.com/sub, the /sub is removed from my browser and I am redirected to the main page.

Let me know if you have any other suggestions.  I'll be glad to give them a try.  :-)

Michael

PS:  Here is the output of a show service-policy detail command:

    class: TEST_VIP_1
      ssl-proxy server: SSL_TEST_1
     VIP Address:    Protocol:  Port:
     10.64.74.41     tcp        eq    443
      loadbalance:
        L7 loadbalance policy: LB_TEST_1
        Regex dnld status    : SUCCESSFUL
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        Persistence Rebalance: ENABLED
        curr conns       : 1         , hit count        : 288
        dropped conns    : 55
        client pkt count : 18886     , client byte count: 1727808
        server pkt count : 17528     , server byte count: 21926545
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : LB_TEST_1
          class/match : TEST_HCC_1
            LB action: :
               sticky group: STICKY_TEST_1
                  primary serverfarm: SF_TEST_1
                    state:UP
                  backup serverfarm : -
            hit count        : 3
            dropped conns    : 0
            compression      : off
          class/match : class-default
            LB action: :
               sticky group: STICKY_TEST_1
                  primary serverfarm: SF_TEST_1
                    state:UP
                  backup serverfarm : -
            hit count        : 32
            dropped conns    : 0
            compression      : off
      compression:
        bytes_in  : 0                          bytes_out : 0
        Compression ratio : 0.00%
                Gzip: 0               Deflate: 0
      compression errors:
        User-Agent  : 0               Accept-Encoding    : 0
        Content size: 0               Content type       : 0
        Not HTTP 1.1: 0               HTTP response error: 0
        Others      : 0

As it is a test site, there is no domain name; you need to use the IP address as follows:

https://12.130.236.60/hcc

You wil notice that when you enter that address in the browser, the /hcc will be stripped and you will be sent to the main page.

Because it is https, a packet capture from the end host will not reveal much.  I have attached a dump from the ACE.  The action begins at packet number 20.  That is the GET request from the client with the /hcc at the end of the url.  In packet 21, the server sends a response type 301; moved permanently message.  In packet 27, the host sends another Get request with the /hcc extension.  In packet 29, it appears that the ACE sends a 301 response with a close code.  In packet 33, the client closes the connection, then re-opens it and sends a GET request without the /hcc extension.

Cheers,

mb

Hi. The site is not accessible from my location.

As I read your config, the ACE is not configured to send any redirection, I guess it comes from the web servers itself. Can you send a pcap file of the capture ?

Attached is a wireshark capture from the server.  All of the action takes place in packets 4-7.  You will see the original GET request, a 301 response, then the new GET request minus the /hcc.

Any suggestions?

Hi.

The /hcc site is not configured on the web server (IIS) or maybe ther's a policy applied somewhere, it's not the ACE which send the redirection but the web server itself.

Yes, the hcc site is configured on the server.  A browser on another server on the same subnet can reach the site without any problems.  The ACE should simply pass the request on to the server.  I don't know why the client removes the /hcc on the next attempt.

Can you try to reach the server directly from another subnet, but not by hitting the VIP bound on the ACE ?

Yes, but not easily.  It would require changes to a production firewall, and that must go through the change management process.  We could arrange it, but it will take some time.

Can you check the IIS logs with the server guys to be sure that the redirect is sent by the server ?

Yes, the redirect is being sent by the server.

I've been trying a different approach: using an http header rewrite to ensure the header that reaches the server is correct.  Because the name is not yet registered with DNS, we rely on IP addresses to make the connection.  I've tried multiple header rewrite combinations, but I'm not certain of the correct syntax.  Below is an example:

parameter-map type http HCC_REWRITE
  persistence-rebalance
  header modify per-request

action-list type modify http REWRITE
  header rewrite request HCC header-value "10\.64\.64\.41/hcc" replace "10\.64\.64\.41/hcc/"

  class OCGB_VIP_1
    loadbalance vip inservice
    loadbalance policy LB_OCGB_1
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options HCC_REWRITE
    ssl-proxy server SSL_OCGB_1

Any suggestions?

I doubt you'll fix the issue on the ACE, the issue is related to the  web front end, you have to check why IIS is sending this redirection which is unexpected. maybe it's related to your source nat