HTTP Status 404 -

Chirag Prajapati · ‎11-27-2013

Hi All,

I have configured application in cisco ACE module for which i got more requirement for URL redirection.

Application setup is as below.

VIP : 10.232.92.x/24 which is pointing to 2 Web server 10.232.94.x/24 range. In addition to that app team want APP server also need to be loadbalanced hence new VIP is configured for 10.232.92.x/24 which is pointing to 2 different app server 10.232.94.x/24.

Both Web and App servers are having different IP but in same broadcastdomain. SSL termination is done on ACE.

Issue : 1) After initiating connection i am getting login page but after login its again giveing login page. After 2 to 3 trial its giving me application page but with invalid session error.

2) How to do https connection redirecting to different path.

Ex. https://apps.xyz.com to https://apps.xyz.com/abc

configuration :

probe tcp rem_app_tcp

port 2100

interval 5

passdetect interval 10

passdetect count 2

open 1

probe http rem_itsm_https

port 80

interval 5

passdetect interval 10

passdetect count 2

request method get url /keepalive/https.html

expect status 200 200

open 1

serverfarm host app_tcp

predictor leastconns

probe rem_app_tcp

rserver server1 2100

inservice

rserver server2 2100

inservice

serverfarm host rem_https

predictor leastconns

probe rem_itsm_https

rserver server3 80

inservice

rserver server4 80

inservice

action-list type modify http remurlrewrite

ssl url rewrite location "apps\.xyz\.com"

policy-map type loadbalance first-match app_tcp

class class-default

serverfarm app_tcp

policy-map type loadbalance first-match app_https

class class-default

serverfarm rem_https

action remurlrewrite

class-map match-all VIP_rem_app_tcp

2 match virtual-address 10.232.92.8 any

class-map match-all VIP_rem_itsm_https

2 match virtual-address 10.232.92.9 tcp eq https

class-map match-all real_servers_vlan273

2 match source-address 10.232.94.0 255.255.255.0

policy-map multi-match VIPS

class real_servers_vlan273

nat dynamic 1 vlan 273

class VIP_rem_app_tcp

loadbalance vip inservice

loadbalance policy rem_app_tcp

loadbalance vip icmp-reply

class VIP_rem_itsm_https

loadbalance vip inservice

loadbalance policy rem_itsm_https

loadbalance vip icmp-reply

ssl-proxy server Remedy-SSL-PROXY

Chirag Prajapati · ‎01-07-2014

Hi Kanwal,

Below is the sh connection output.

1# sh conn | in 10.245.40.97

832998 4 in TCP 270 10.245.40.97:4700 10.232.92.9:443 ESTAB

906882 4 out TCP 273 10.232.94.76:80 10.245.40.97:1559 ESTAB

After clearing stats i can see the hit count increasing in webserver policy but not in app server.

i have attached wireshark output of the same wherein i can see packer coming from VIP which says Encrypted alert and then sending FIN message to client.

Both rservers and probes are showing operational.

I have tested with one server but dint work showing same message. Even after removing sticky configuration its giving same output. If i directly hit the webserver i can able to login in.

Thinking out of blue .. does loadbalancer restart help?

Regards

Chirag

Kanwaljeet Singh · ‎01-07-2014

Hey Chirag,

Long discussion. Can you please paste the interesting configuration here and what is the requirement? Let me check again and reply.

Restart wouldn't be fruitful if we don't if it is LB which is misbehaving or something else is going on. May be a bug but looks unlikely. Send me the configuration and requirement(traffic flow ) and i will look into it.

Regards

Kanwal

Chirag Prajapati · ‎01-07-2014

Hi Kanwaljeet,

Please find the attached application configuration.

I am not able to access application and giving below error while accessing it. I have attached wireshark output in my last post for the same which is saying encryption alert (21). which means its decryption issue.

If i bypassing LB and directly hit webserver its working fine. As per your suggestion i have checked probes and rservers. All are showing operational. I can see hits on LB while accssing application.

HTTP Status 404 -

type Status report

message

description The requested resource () is not available.

Apache Tomcat/6.0.20

ACE Software detail is as below.

loader: Version 12.2[125]

system: Version A4(1.0) [build 3.0(0)A4(1.0) adbuild_11:32:19-2010/10/23_/auto/adbure_nightly4/renumber/rel_a4_1_0_throttle/REL_3_0_0_A4_1_0]

system image file: [LCP] disk0:c6ace-t1k9-mz.A4_1_0.bin

installed license: ACE30-MOD-16-K9

Communication flow is as below :

Client --> Loadbalancer Web VIP(with SSL offloading) ---> Web server ----> Loadbalancer (Same LB) App VIP -----> App Server

Please let me know if you need any more detail.

Regards

Chirag

Kanwaljeet Singh · ‎01-08-2014

Hi Chirag,

The config looks fine. Why are you using SSL rewrite? Is your server sending a redirect which ACE needs to rewrite to HTTPS? You already i see using HTTP to HTTPS redirect. Try to remove that and see if that makes a difference.

Other than that i don't see any problem with configuration unless i am missing something pretty simple.

Encrypted alert is probably not an error. This pcap is on client. We shoul have front end as well as back end pcap to see what exactly is going on. This alert can also mean that session will be terminated once the data has been exchanged. In pcap we see ACE sent the fin-ack. But we should have backend pcap as well to check if the server sent FIN-ACK here or it is just ACE.

I would probably open a TAC case since webex or live web meeting would be helpful here. But your configuration looks fine.

Regards,

Kanwal

Chirag Prajapati · ‎01-10-2014

Hi Kanwal,

I have taken capture from ACE as per the attachment wherein line 15 says checksum error from VIP to client. Something wrong is happenign between line no 14 to 18 after that FIN connection executed by web server.

Just want you to review if you can recognize something out of it.

Regards

Chirag

Kanwaljeet Singh · ‎01-10-2014

Hi Chirag,

If you filter the pcap with tcp.stream eq 1 i see that client sends GET request and server replies with 404 not found and that's when the connection closes. We shall know why server is replying with 404 and if client is supposed to send the request which it is sending or something else. ACE seems to be forwarding the packets here fine.

Look at packet #12 and packet #14.

Regards,

Kanwal

Srinivasan Aylur Narayanan · ‎12-04-2013

Hi chirag,

If the Request comes with HTTPS,then We could try to create two classes in the Layer7 load balance policy

One for the HTTPS to HTTPS redirection and after the requests redirected to new URL,it should match the default class and loadbalanced to the server farm created for handling the offloaded traffic.I had not tested this .but it is worth a try

class-map type http loadbalance match-any HTTPS-REDIRECT-PH

2 match http header Host header-value "aaps[.]xyz[.]com"

3 match url /

policy-map type loadbalance first-match rem_itsm_https

class HTTPS-REDIRECT-PH

serverfarm REDIRECT-TO-HTTPS

class class-default

serverfarm rem_itsm_https

SSL termination and URL redirection

HTTP Status 404 -

Apache Tomcat/6.0.20