11-27-2013 01:11 AM
Hi All,
I have configured an application on the Cisco ACE module, for which I got an additional requirement for URL redirection.
The application setup is as below.
VIP: 10.232.92.x/24, which points to 2 web servers in the 10.232.94.x/24 range. In addition to that, the app team wants the app servers to be load balanced as well, hence a new VIP is configured in 10.232.92.x/24 which points to 2 different app servers in 10.232.94.x/24.
Both web and app servers have different IPs but are in the same broadcast domain. SSL termination is done on the ACE.
Issue: 1) After initiating a connection I get the login page, but after login it gives the login page again. After 2 to 3 trials it gives me the application page, but with an invalid session error.
2) How to redirect an https connection to a different path.
Ex. https://apps.xyz.com to https://apps.xyz.com/abc
Configuration:
probe tcp rem_app_tcp
  port 2100
  interval 5
  passdetect interval 10
  passdetect count 2
  open 1
probe http rem_itsm_https
  port 80
  interval 5
  passdetect interval 10
  passdetect count 2
  request method get url /keepalive/https.html
  expect status 200 200
  open 1
serverfarm host app_tcp
  predictor leastconns
  probe rem_app_tcp
  rserver server1 2100
    inservice
  rserver server2 2100
    inservice
serverfarm host rem_https
  predictor leastconns
  probe rem_itsm_https
  rserver server3 80
    inservice
  rserver server4 80
    inservice
action-list type modify http remurlrewrite
  ssl url rewrite location "apps\.xyz\.com"
policy-map type loadbalance first-match app_tcp
  class class-default
    serverfarm app_tcp
policy-map type loadbalance first-match app_https
  class class-default
    serverfarm rem_https
    action remurlrewrite
class-map match-all VIP_rem_app_tcp
  2 match virtual-address 10.232.92.8 any
class-map match-all VIP_rem_itsm_https
  2 match virtual-address 10.232.92.9 tcp eq https
class-map match-all real_servers_vlan273
  2 match source-address 10.232.94.0 255.255.255.0
policy-map multi-match VIPS
  class real_servers_vlan273
    nat dynamic 1 vlan 273
  class VIP_rem_app_tcp
    loadbalance vip inservice
    loadbalance policy rem_app_tcp
    loadbalance vip icmp-reply
  class VIP_rem_itsm_https
    loadbalance vip inservice
    loadbalance policy rem_itsm_https
    loadbalance vip icmp-reply
    ssl-proxy server Remedy-SSL-PROXY
01-07-2014 01:47 AM
Hi Kanwal,
Below is the sh connection output.
1# sh conn | in 10.245.40.97
832998 4 in TCP 270 10.245.40.97:4700 10.232.92.9:443 ESTAB
906882 4 out TCP 273 10.232.94.76:80 10.245.40.97:1559 ESTAB
After clearing stats I can see the hit count increasing in the web server policy but not in the app server one.
I have attached the Wireshark output of the same, wherein I can see a packet coming from the VIP which says Encrypted Alert and then sending a FIN message to the client.
Both rservers and probes are showing operational.
I have tested with one server but it didn't work, showing the same message. Even after removing the sticky configuration it gives the same output. If I hit the web server directly I am able to log in.
Thinking out of the blue... would a load balancer restart help?
Regards
Chirag
01-07-2014 08:20 AM
Hey Chirag,
Long discussion. Can you please paste the interesting configuration here and what is the requirement? Let me check again and reply.
A restart wouldn't be fruitful if we don't know whether it is the LB which is misbehaving or something else is going on. Maybe a bug, but it looks unlikely. Send me the configuration and requirement (traffic flow) and I will look into it.
Regards
Kanwal
01-07-2014 11:48 PM
Hi Kanwaljeet,
Please find the attached application configuration.
I am not able to access the application, and it gives the error below while accessing it. I attached the Wireshark output in my last post for the same, which shows encryption alert (21), which means it's a decryption issue.
If I bypass the LB and hit the web server directly it works fine. As per your suggestion I have checked the probes and rservers. All are showing operational. I can see hits on the LB while accessing the application.
type Status report
message
description The requested resource () is not available.
ACE Software detail is as below.
loader: Version 12.2[125]
system: Version A4(1.0) [build 3.0(0)A4(1.0) adbuild_11:32:19-2010/10/23_/auto/adbure_nightly4/renumber/rel_a4_1_0_throttle/REL_3_0_0_A4_1_0]
system image file: [LCP] disk0:c6ace-t1k9-mz.A4_1_0.bin
installed license: ACE30-MOD-16-K9
Communication flow is as below :
Client --> Loadbalancer Web VIP(with SSL offloading) ---> Web server ----> Loadbalancer (Same LB) App VIP -----> App Server
Please let me know if you need any more detail.
Regards
Chirag
01-08-2014 08:51 AM
Hi Chirag,
The config looks fine. Why are you using SSL rewrite? Is your server sending a redirect which ACE needs to rewrite to HTTPS? I see you are already using an HTTP to HTTPS redirect. Try to remove that and see if that makes a difference.
Other than that I don't see any problem with the configuration unless I am missing something pretty simple.
Encrypted alert is probably not an error. This pcap is on the client. We should have front-end as well as back-end pcaps to see what exactly is going on. This alert can also mean that the session will be terminated once the data has been exchanged. In the pcap we see ACE sent the FIN-ACK. But we should have the back-end pcap as well to check if the server sent the FIN-ACK here or it is just ACE.
I would probably open a TAC case since a WebEx or live web meeting would be helpful here. But your configuration looks fine.
Regards,
Kanwal
01-10-2014 08:11 AM
Hi Kanwal,
I have taken a capture from the ACE as per the attachment, wherein line 15 shows a checksum error from the VIP to the client. Something wrong is happening between lines 14 and 18; after that the FIN is executed by the web server.
Just want you to review it and see if you can recognize something out of it.
Regards
Chirag
01-10-2014 08:18 AM
Hi Chirag,
If you filter the pcap with tcp.stream eq 1, I see that the client sends a GET request and the server replies with 404 Not Found, and that's when the connection closes. We need to know why the server is replying with 404, and whether the client is supposed to send the request it is sending or something else. ACE seems to be forwarding the packets fine here.
Look at packet #12 and packet #14.
Regards,
Kanwal
12-04-2013 01:10 AM
Hi chirag,
If the request comes in over HTTPS, then we could try to create two classes in the Layer 7 load-balance policy:
one for the HTTPS-to-HTTPS redirection, and after the requests are redirected to the new URL, they should match the default class and be load balanced to the server farm created for handling the offloaded traffic. I have not tested this, but it is worth a try.
class-map type http loadbalance match-any HTTPS-REDIRECT-PH
  2 match http header Host header-value "apps[.]xyz[.]com"
  3 match http url /
policy-map type loadbalance first-match rem_itsm_https
  class HTTPS-REDIRECT-PH
    serverfarm REDIRECT-TO-HTTPS
  class class-default
    serverfarm rem_itsm_https
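A definition for the REDIRECT-TO-HTTPS serverfarm that the reply above references but does not show, as an added example that is not part of the original thread. The rserver name REDIRECT-ABC and the class-map name ROOT-ONLY are hypothetical; the class uses match-all so that only requests for / on this host are redirected and /abc itself falls through to class-default. It assumes the ACE matches the URL expression against the whole request path.

```cisco
! Added example; REDIRECT-ABC and ROOT-ONLY are hypothetical names.
! Other names follow the reply above.
rserver redirect REDIRECT-ABC
  ! %h is replaced with the Host header of the incoming request
  webhost-redirection https://%h/abc 302
  inservice

serverfarm redirect REDIRECT-TO-HTTPS
  rserver REDIRECT-ABC
    inservice

! match-all: Host AND root URL must both match, so a request that is
! already for /abc is not redirected again (assumes full-path URL match)
class-map type http loadbalance match-all ROOT-ONLY
  2 match http header Host header-value "apps[.]xyz[.]com"
  3 match http url /

policy-map type loadbalance first-match rem_itsm_https
  class ROOT-ONLY
    serverfarm REDIRECT-TO-HTTPS
  class class-default
    serverfarm rem_itsm_https
```

After applying it, a request for https://apps.xyz.com/ should return a 302 with a Location header of https://apps.xyz.com/abc, while the hit counters for class-default keep increasing for every other path.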