SSL termination and URL redirection

Hi All,

I have configured an application on the Cisco ACE module, for which I have now received a further requirement for URL redirection.

The application setup is as below.

VIP: 10.232.92.x/24, which points to 2 web servers in the 10.232.94.x/24 range. In addition to that, the app team wants the APP servers to be load balanced as well, hence a new VIP is configured in 10.232.92.x/24 which points to 2 different app servers in 10.232.94.x/24.

Both the web and app servers have different IPs but are in the same broadcast domain. SSL termination is done on the ACE.

Issues:

1) After initiating the connection I get the login page, but after logging in it gives me the login page again. After 2 to 3 tries it gives me the application page, but with an "invalid session" error.

2) How do I redirect an HTTPS connection to a different path?

Ex. https://apps.xyz.com to https://apps.xyz.com/abc

Configuration:

probe tcp rem_app_tcp
  port 2100
  interval 5
  passdetect interval 10
  passdetect count 2
  open 1

probe http rem_itsm_https
  port 80
  interval 5
  passdetect interval 10
  passdetect count 2
  request method get url /keepalive/https.html
  expect status 200 200
  open 1

serverfarm host app_tcp
  predictor leastconns
  probe rem_app_tcp
  rserver server1 2100
    inservice
  rserver server2 2100
    inservice

serverfarm host rem_https
  predictor leastconns
  probe rem_itsm_https
  rserver server3 80
    inservice
  rserver server4 80
    inservice

action-list type modify http remurlrewrite
  ssl url rewrite location "apps\.xyz\.com"

policy-map type loadbalance first-match app_tcp
  class class-default
    serverfarm app_tcp

policy-map type loadbalance first-match app_https
  class class-default
    serverfarm rem_https
    action remurlrewrite

class-map match-all VIP_rem_app_tcp
  2 match virtual-address 10.232.92.8 any

class-map match-all VIP_rem_itsm_https
  2 match virtual-address 10.232.92.9 tcp eq https

class-map match-all real_servers_vlan273
  2 match source-address 10.232.94.0 255.255.255.0

policy-map multi-match VIPS
  class real_servers_vlan273
    nat dynamic 1 vlan 273
  class VIP_rem_app_tcp
    loadbalance vip inservice
    loadbalance policy rem_app_tcp
    loadbalance vip icmp-reply
  class VIP_rem_itsm_https
    loadbalance vip inservice
    loadbalance policy rem_itsm_https
    loadbalance vip icmp-reply
    ssl-proxy server Remedy-SSL-PROXY

21 Replies

Hi Kanwal,

Below is the sh conn output.

1# sh conn | in 10.245.40.97
832998  4  in   TCP  270  10.245.40.97:4700   10.232.92.9:443     ESTAB
906882  4  out  TCP  273  10.232.94.76:80     10.245.40.97:1559   ESTAB

After clearing the stats I can see the hit count increasing in the web server policy, but not in the app server policy.

I have attached the Wireshark output of the same, in which I can see a packet coming from the VIP which says "Encrypted Alert", followed by a FIN message sent to the client.

Both rservers and probes are showing operational.

I have tested with one server, but it didn't work and showed the same message. Even after removing the sticky configuration it gives the same output. If I hit the web server directly I am able to log in.

Thinking out of the blue: would a load balancer restart help?

Regards

Chirag

Hey Chirag,

Long discussion. Can you please paste the interesting configuration here and what the requirement is? Let me check again and reply.

A restart wouldn't be fruitful if we don't know whether it is the LB which is misbehaving or something else is going on. Maybe a bug, but it looks unlikely. Send me the configuration and the requirement (traffic flow) and I will look into it.

Regards

Kanwal

Hi Kanwaljeet,

Please find the attached application configuration.

I am not able to access the application; it gives the error below when I access it. I attached the Wireshark output for this in my last post, which shows an encrypted alert (21), which means it is a decryption issue.

If I bypass the LB and hit the web server directly it works fine. As per your suggestion I have checked the probes and rservers. All are showing operational. I can see hits on the LB while accessing the application.

HTTP Status 404 -
type Status report
message
description The requested resource () is not available.
Apache Tomcat/6.0.20

The ACE software details are as below.

  loader:    Version 12.2[125]
  system:    Version A4(1.0) [build 3.0(0)A4(1.0) adbuild_11:32:19-2010/10/23_/auto/adbure_nightly4/renumber/rel_a4_1_0_throttle/REL_3_0_0_A4_1_0]
  system image file: [LCP] disk0:c6ace-t1k9-mz.A4_1_0.bin
  installed license: ACE30-MOD-16-K9

The communication flow is as below:

Client --> Load balancer Web VIP (with SSL offloading) ---> Web server ----> Load balancer (same LB) App VIP -----> App server

Please let me know if you need any more detail.

Regards

Chirag

Hi Chirag,

The config looks fine. Why are you using SSL rewrite? Is your server sending a redirect which ACE needs to rewrite to HTTPS? I see you are already using an HTTP-to-HTTPS redirect. Try removing that and see if it makes a difference.

Other than that I don't see any problem with the configuration, unless I am missing something pretty simple.

The encrypted alert is probably not an error. This pcap is on the client. We should have a front-end as well as a back-end pcap to see what exactly is going on. This alert can also mean that the session will be terminated once the data has been exchanged. In the pcap we see ACE sent the FIN-ACK, but we should have the back-end pcap as well to check whether the server sent the FIN-ACK here or it is just ACE.

I would probably open a TAC case, since a WebEx or live web meeting would be helpful here. But your configuration looks fine.

Regards,

Kanwal

Hi Kanwal,

I have taken a capture from the ACE, as per the attachment, in which line 15 shows a checksum error from the VIP to the client. Something wrong is happening between lines 14 and 18, after which the FIN is sent by the web server.

I just want you to review it, in case you can recognize something from it.

Regards

Chirag

Hi Chirag,

If you filter the pcap with tcp.stream eq 1, I see that the client sends a GET request and the server replies with 404 Not Found, and that's when the connection closes. We need to know why the server is replying with 404, and whether the client is supposed to be sending the request it is sending or something else. ACE seems to be forwarding the packets fine here.

Look at packet #12 and packet #14.

Regards,

Kanwal

Hi Chirag,

If the request comes in over HTTPS, then we could try to create two classes in the Layer 7 load-balance policy.

One for the HTTPS-to-HTTPS redirection; after the request is redirected to the new URL, it should match the default class and be load balanced to the server farm created for handling the offloaded traffic. I have not tested this, but it is worth a try.

class-map type http loadbalance match-any HTTPS-REDIRECT-PH
  2 match http header Host header-value "apps[.]xyz[.]com"
  3 match http url /

policy-map type loadbalance first-match rem_itsm_https
  class HTTPS-REDIRECT-PH
    serverfarm REDIRECT-TO-HTTPS
  class class-default
    serverfarm rem_itsm_https
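An added example, not posted by anyone in this thread, of how the HTTPS-to-/abc redirect from the original question can be completed on the ACE. It fills in the redirect rserver and serverfarm that the suggestion above leaves undefined, and anchors the URL match so that the redirect target itself is not matched again. The names RS_ROOT_REDIRECT, SF_ROOT_REDIRECT and CM_ROOT_ONLY are assumptions; apps.xyz.com, /abc, rem_https, remurlrewrite and rem_itsm_https come from the question's own configuration. Whether the regex anchors are honoured by the URL match on a given ACE release is also an assumption to verify in the lab before deploying.

```text
! Added example; not the original poster's configuration.
! Assumed names: RS_ROOT_REDIRECT, SF_ROOT_REDIRECT, CM_ROOT_ONLY.

! A redirect rserver answers the client directly; no real server is contacted.
rserver redirect RS_ROOT_REDIRECT
  webhost-redirection https://apps.xyz.com/abc 301
  inservice

serverfarm redirect SF_ROOT_REDIRECT
  rserver RS_ROOT_REDIRECT
    inservice

! "match http url" is a regular expression. An unanchored "/" also matches
! "/abc" (and every other path), so the client would be redirected back to
! the redirect target in a loop. Anchor the match to the bare root URL only
! (assumed: verify that ^ and $ are honoured on your release).
class-map type http loadbalance match-all CM_ROOT_ONLY
  2 match http url ^/$

! The VIPS multi-match policy already terminates TLS with "ssl-proxy server",
! so this Layer 7 policy sees cleartext HTTP and can inspect the URL.
! First-match order matters: the root-only class must precede class-default.
policy-map type loadbalance first-match rem_itsm_https
  class CM_ROOT_ONLY
    serverfarm SF_ROOT_REDIRECT
  class class-default
    serverfarm rem_https
    action remurlrewrite
```

Because the redirect is answered by the ACE rather than by Tomcat, the server-side "ssl url rewrite" action is only needed for redirects the web servers themselves generate (a Location header pointing at http://apps.xyz.com/...). Check the result with a single request to https://apps.xyz.com/ and confirm a 301 with Location: https://apps.xyz.com/abc, then a second request to /abc that reaches the rem_https farm without a further redirect.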
