
ACE 4710 and Web secure sockets

i.tsakonikos1
Level 1

Hello and Help!

I have come to a dead end trying to make an ACE 4710 load balance a farm of 2 servers listening on a specific port using the WSS (web secure socket) protocol.

I have tried almost every combination of policies and class maps but I could not make it work. After extended research I hope you will be able to help me out. Here is the scenario:

I have a VIP serving 4 different services on 4 different ports. I have created a different policy for each port. The http services are working as expected but the 2 WSS services are not working at all. From what I've read so far, it looks like ACE does not support wss protocol.

If this is the case, then please suggest a way to load balance it or an alternative way to handle those two ports (even pass straight through in a round robin policy).

I would be really grateful if you could provide me with the commands needed to get over this culprit.

Thank you very much in advance.

 

Best Regards,

Yannis Tsakonikos

4 Replies

Please share the configuration of the ACE 4710 (CLI) and the ports you are trying to balance.

 

Thank you very much for replying. The following stanzas are the ones related to the VIP/port I am trying to set up with WSS:

probe tcp web-442
  port 442
  passdetect interval 15

rserver host kef-proxy-443
  description test proxy for KEF
  ip address 10.193.102.168
  probe icmp
  inservice
rserver host kef-proxy2
  description second proxy for KEF
  ip address 10.193.102.170
  probe icmp
  inservice


serverfarm host web-proxy-kef-442
  predictor leastconns
  probe icmp
  probe web-442
  rserver kef-proxy-443 442
    inservice
  rserver kef-proxy2 442
    inservice

sticky http-cookie kef-cookie-442 kef-http-cookie-442
  cookie insert browser-expire
  serverfarm web-proxy-kef-442

class-map match-any kef.ggps.gsis-442
  2 match virtual-address 10.193.102.27 tcp eq 442

policy-map type loadbalance first-match kef.ggps.gsis-442-l7slb
  class class-default
    sticky-serverfarm kef-http-cookie-442

policy-map multi-match kef.ggps.gsis-442-L34
  class kef.ggps.gsis-442
    loadbalance vip inservice
    loadbalance policy kef.ggps.gsis-442-l7slb
    loadbalance vip icmp-reply
    appl-parameter http advanced-options http_parameter_map

 

Thank you!

Perhaps forget about the cookies and do something like below; in that case the LB should not care about which port you are using.

 

sticky ip-netmask 255.255.255.255 address source web-proxy-kef-442-sticky
  timeout 600
  timeout activeconns
  serverfarm web-proxy-kef-442

class-map match-any 442-NEW
  2 match virtual-address xx.xx.xx.xx tcp eq 442

policy-map type loadbalance first-match 442-slb-new
  class class-default
    sticky-serverfarm web-proxy-kef-442-sticky

policy-map multi-match multi-vips
  class 442-NEW
    loadbalance vip inservice
    loadbalance policy 442-slb-new
    loadbalance vip icmp-reply

Thank you very much for the answer Richard. I hope it will work as expected. As soon as I get the feedback I'll let you know what happens.

 

Update:

Unfortunately the above-mentioned suggestion did not work. WSS protocol still cannot be passed to the serverfarm. Thank you very much anyway.