ACE 4700 one-arm design with SSL termination

Hi,
We are evaluating the one-arm design for the ACE 4700 and need some clarifications:
1. Are there any limitations in the one-arm design and the SSL offloading
2. Can the ACE be configured with an IN and an OUT vlan to the router
CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
so that the SSL and the clear text traffic is in a separate Vlan?
3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
I would appreciate if you can share some sample configs
Regards,
George Georgiou

There are two ways to implement One Arm topology.
1. One Arm with PBR & 2.One Arm with SRC NAT
PBR/Source Nat is needed to ensure that the return traffic from Real Servers should not bypass ACE.
1. Are there any limitations in the one-arm design and the SSL offloading
The limitations/config issues I can think of are following
One ARM with PBR:
Direct access to Servers require the enabling of Assymtric routing (by turning off Normalization). If direct server access is not required then you dont need to enable assymtric routing. Now for these assymetric connection (Direct Server Access return traffic) its required to purge idle connections more frequently (default being one hour).
One ARM with SRC NAT:
You will loose the client information. Server logs will show the connections initiated from NAT IP Pool configured on ACE.
2. Can the ACE be configured with an IN and an OUT vlan to the router
CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
so that the SSL and the clear text traffic is in a separate Vlan?
Yes you can do that but wouldnt it make it routed mode topology?
3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
As I said earlier you loose the Source IP address with SRC NAT. But with ACE you have an option to use header-insert and insert this source ip as an HTTP Header.
Details at
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
HTH
Syed Iftekhar Ahmed

Similar Messages

  • Sniffer Trace on ACE w/VACLs and One-Arm Design

    Wow...that was a mouthful of a title!
    Here is what I'm trying to accomplish. There is an application that is having issues. This application is being load balanced by the ACE. The ACE is configured in a One-Armed design. Essentially the application flow is as follows:
    client --> ACE VIP --> SNAT Pool --> rserver and then the reverse.
    The vlan for my ACE is 3002. It is the only vlan in this context. I have a WildPackets OmniEngine connected to port on the 6500. Here is its config:
    interface GigabitEthernet x/xx
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    switchport capture
    switchport capture allowed vlan 3002
    no ip address
    no cdp enable
    Here is the problem. When I take a trace I only see the back half of the conversation. That is I only see from the SNAT pool IPs to the rservers and back. I need to be able to see the conversation between the client IPs and the VIP. Does anyone know how this can be done? If you need more details or have questions please fire away! Thanks for the help...
    bc

    This can be done by setting up a monitor session on the Sup, with the
    TenGig/1 as SPAN
    source, and a trunk port as SPAN destination.
    For example, if the ACE is in slot X, the configuration would be:
    monitor session 10 source interface TeX/1
    monitor session 10 destination interface Giy/z
    The configuration for this port would be:
    int giy/z
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    Syed Iftekhar Ahmed

  • CSS One Arm Configuration with VIP(non-shared)/IP Interface Redundancy

    With Reference to the following CCO documentation;
    1). "How to Configure the CSS to Load Balance Using 1 Interface"
    In this example, the Real Server's (10.10.10.2 etc) gateway are pointed to the router's gateway(10.10.10.1) and used the 'add destination service' command to NAT the RealServer's IP address back to the VIP (10.10.10.6).
    2). "Understanding and Configuring VIP and Interface Redundancy on the CSS11000".
    In the interface redundancy configuration, the gateway of the Real Server are configured as the CSS11000's Interface Redundancy Address (192.168.1.1), not the Router's gateway.
    Can anyone help to advise on the preferred one arm configuration with VIP/IP redundancy?
    (i). Is the reason for configuring the gateway of the Real Server to CSS11000's Interface Redundancy Address in 2) same as using 'add destination service' command in 1)? That is to make sure that the return path from Real Server back to Client passes through the CSS and is NAT back to the VIP.
    (ii). To configure VIP(non-shared)/IP Interface redundancy(Active/Backup Mode) in a one arm configuration, my understanding is that there are 2 methods of configuration. Is it correct? Which method is preferred?
    Method a)
    1.Configure the Real Server's gateway to Router's Gateway
    2.Configure 'add destination service' command on the CSS to NAT the RealServer's IP address back to the VIP
    3.Configure VIP(non-shared) redundancy for the VIP on the CSS
    4.IP Interface Redundancy on the CSS is not required as the Real Server's gateway is already pointing to the Router's gateway. (Assuming that HSRP redundancy is already running on the Router)
    Method b)
    1. Configure the Real Server's gateway to the CSS's IP Interface Redundancy IP Address
    2. Configure IP Interface Redundancy on the CSS (as the Real Server's gateway)
    3. Configure VIP(non-shared) redundancy for the VIP on the CSS

    if you use method a) (server gateway is the router) you need the CSS to nat
    the source ip address of the client in order to force the server to send traffic back to the CSS.
    The issue then is that the server does not see the IP address of real client.
    The server only see connections with source IP address = CSS ip address.
    With method b) you don't have the above problem, but connection initiated by the servers are sent to the CSS that will then send it to the router.
    You have a performance issue because the traffic will cross 2 times the one-armed interface.
    If this is a new design, it is strongly recommended not to use one-armed setup.
    Regards,
    Gilles.

  • Configuring JMS and loadbalancer with SSL termination? Has Anyone done it?

    Hi all,
    I'm having a problem getting JMS or even any JNDI lookup to work with a hardware load balancer and SSL termination. Has anyone used such a configuration? The load balancer in question is a Cisco CSS 11500 Series which has an SSL module. A client communicates with the CSS over SSL, the SSL module decrypts the packets and sends it for content switching and on to WebLogic as cleartext.
    Without SSL termination everthing works fine. With SSL termination active, Web service and web content all work fine, but I can't get SSL tGetting Initial context from ms01
    <29-Sep-2006 16:07:22 o'clock IST> <Debug> <TLS> <000000> <SSL/Domestic license found>
    <29-Sep-2006 16:07:22 o'clock IST> <Debug> <TLS> <000000> <Not in server, Certicom SSL license found>
    <29-Sep-2006 16:07:23 o'clock IST> <Debug> <TLS> <000000> <SSL Session TTL :90000>
    <29-Sep-2006 16:07:23 o'clock IST> <Debug> <TLS> <000000> <Trusted CA keystore: D:/eclipse/workspace/LoadBalancerTest/ssl/keystores/cssKeyS
    ore.keystore>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 886220>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLSocket will NOT be Muxing>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <write SSL_20_RECORD>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <3941240 received HANDSHAKE>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHello>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <3941240 received HANDSHAKE>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Certificate>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <validationCallback: validateErr = 0>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> < cert[0] = [
    Version: V3
    Subject: EMAILADDRESS="[email protected] ", CN=10.51.0.200, OU=Web Administration, O=Revenue Commissioners, L=Dublin, ST=Dublin,
    =IE
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key: SunJSSE RSA public key:
    public exponent:
    010001
    modulus:
    a8f60248 b87c5860 229b9044 a666a9ae 27eb488c 424d9e67 e7b9d6d0 c292f081
    cfa76c04 f3d89b28 1bf544f9 5de2b66d 576ebeca 5dc5ca8a fceead9a 52e2ce6c
    2b91afef e4da5071 49b8784c 12d7f5f3 99f76482 79efe1d8 0a24f664 4c8d6e9e
    b0bc63be 1faf8319 eeb23e8a 019b65b2 59dd086d 1b714d4c 01618804 66f416bb
    Validity: [From: Fri Sep 08 11:44:28 BST 2006,
                   To: Mon Sep 05 11:44:28 BST 2016]
    Issuer: CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
    SerialNumber: [    0131]
    Certificate Extensions: 4
    [1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
    0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated Certificat
    0020: 65 e
    [2]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 0E 6E 72 2E B1 3B B6 A3 59 79 5A C5 41 26 B7 B6 .nr..;..YyZ.A&..
    0010: A2 39 4C 73 .9Ls
    [3]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: D2 66 DD FC 06 C2 BC 7E 18 D5 64 38 AD 6E D0 0A .f........d8.n..
    0010: AA 97 05 0D ....
    [CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE]
    SerialNumber: [    00]
    [4]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
    CA:false
    PathLen: undefined
    Algorithm: [MD5withRSA]
    Signature:
    0000: 2C A0 0C 34 4E 0D CA 24 A5 C3 03 3A 71 A1 2D D3 ,..4N..$...:q.-.
    0010: 65 A2 FA EF C1 5D D4 4A 28 8C 1A 70 5F 92 73 5E e....].J(..p_.s^
    0020: 7B 13 D4 AE 36 A8 86 EA 60 7F A5 E3 86 6E 84 1F ....6...`....n..
    0030: 5E 5F 30 06 B4 AA 2E 5C A7 65 74 32 09 0A 91 14 ^_0....\.et2....
    ]>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> < cert[1] = [
    Version: V3
    Subject: CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key: SunJSSE RSA public key:
    public exponent:
    010001
    modulus:
    bc61b29f a830c97a 7a76883e 1665a241 a68b891f 8e4167eb 62e578ac 9e342c3e
    53c9de8b e756634b e364010f 4d36c1c5 21a65b37 b64b4861 6f4dda29 b932191f
    Validity: [From: Mon May 31 15:22:15 BST 2004,
                   To: Thu May 29 15:22:15 BST 2014]
    Issuer: CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
    SerialNumber: [    00]
    Certificate Extensions: 3
    [1]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: D2 66 DD FC 06 C2 BC 7E 18 D5 64 38 AD 6E D0 0A .f........d8.n..
    0010: AA 97 05 0D ....
    [2]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: D2 66 DD FC 06 C2 BC 7E 18 D5 64 38 AD 6E D0 0A .f........d8.n..
    0010: AA 97 05 0D ....
    [CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE]
    SerialNumber: [    00]
    [3]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    Algorithm: [MD5withRSA]
    Signature:
    0000: 3C 64 7C 9E 0B 90 48 9D 70 74 06 80 7F 2C AF 73 <d....H.pt...,.s
    0010: 92 1C C3 39 DD C3 45 B6 A4 8E 11 27 8E 21 18 4B ...9..E....'.!.K
    0020: FD AA 31 5E 35 FC DF 9E 70 42 F4 65 5C DF 56 9A ..1^5...pB.e\.V.
    0030: DD 8C 6B B7 3B BE E5 A7 D5 4A 16 23 C1 91 07 CA ..k.;....J.#....
    ]>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLTrustValidator returns: 0>
    <29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <Trust status (0): NONE>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <Performing hostname validation checks: 10.51.0.200>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3941240 received HANDSHAKE>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHelloDone>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 134>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 16>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3941240 received CHANGE_CIPHER_SPEC>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3941240 received HANDSHAKE>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Finished>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 0>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 272>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3445873 read(offset=0, length=2048)>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3941240 received APPLICATION_DATA: databufferLen 0, contentLength 372>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3445873 read databufferLen 372>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3445873 read A returns 372>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 0>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 339>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3445873 read(offset=372, length=1676)>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 6771926>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLSocket will NOT be Muxing>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 93>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 SSL3/TLS MAC>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 received HANDSHAKE>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHello>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 SSL3/TLS MAC>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 received CHANGE_CIPHER_SPEC>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 SSL3/TLS MAC>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 received HANDSHAKE>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Finished>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 16>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 0>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 402>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 0>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 1707>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <23328673 read(offset=0, length=2048)>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 SSL3/TLS MAC>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 received APPLICATION_DATA: databufferLen 0, contentLength 174>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <23328673 read databufferLen 174>
    <29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <23328673 read A returns 174>
    <29-Sep-2006 16:07:44 o'clock IST> <Debug> <TLS> <000000> <NEW ALERT with Severity: WARNING, Type: 0
    java.lang.Exception: New alert stack
    at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.closeWriteHandler(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.close(Unknown Source)
    at javax.net.ssl.impl.SSLSocketImpl.close(Unknown Source)
    at weblogic.net.http.HttpClient.closeServer(HttpClient.java:466)
    at weblogic.net.http.KeepAliveCache$1.run(KeepAliveCache.java:120)
    at java.util.TimerThread.mainLoop(Unknown Source)
    at java.util.TimerThread.run(Unknown Source)
    >
    <29-Sep-2006 16:07:44 o'clock IST> <Debug> <TLS> <000000> <avalable(): 23328673 : 0 + 0 = 0>
    <29-Sep-2006 16:07:44 o'clock IST> <Debug> <TLS> <000000> <write ALERT, offset = 0, length = 2>
    <29-Sep-2006 16:07:44 o'clock IST> <Debug> <TLS> <000000> <SSLIOContextTable.removeContext(ctx): 6771926>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <3941240 received APPLICATION_DATA: databufferLen 0, contentLength 98>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <3445873 read databufferLen 98>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <3445873 read A returns 98>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 8406772>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLSocket will NOT be Muxing>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 93>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <21830977 SSL3/TLS MAC>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <21830977 received HANDSHAKE>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHello>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <21830977 SSL3/TLS MAC>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <21830977 received CHANGE_CIPHER_SPEC>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <21830977 SSL3/TLS MAC>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <21830977 received HANDSHAKE>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Finished>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 16>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 0>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 339>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <5618579 read(offset=0, length=2048)>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    Exception in thread "main" javax.naming.CommunicationException [Root exception is java.net.ConnectException: https://10.51.0.200:8143: Boot
    trap to: 10.51.0.200/10.51.0.200:8143' over: 'https' got an error or timed out]
    at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:47)
    at weblogic.jndi.WLInitialContextFactoryDelegate.toNamingException(WLInitialContextFactoryDelegate.java:636)
    at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:306)
    at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:239)
    at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:135)
    at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
    at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
    at javax.naming.InitialContext.init(Unknown Source)
    at javax.naming.InitialContext.<init>(Unknown Source)
    at TestAllManagedServers.main(TestAllManagedServers.java:54)
    Caused by: java.net.ConnectException: https://10.51.0.200:8143: Bootstrap to: 10.51.0.200/10.51.0.200:8143' over: 'https' got an error or t
    med out
    at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:200)
    at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java:125)
    at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:296)
    ... 7 more
    o work for a simple JNDI lookup. With SSL debugging turned on, the following output is given:
    When I compare the Server HTTP logs I see that an initial context lookup involves 3 HTTP requests, e.g.
    25.2.1.210 - - [29/Sep/2006:16:29:12 +0100] "GET /bea_wls_internal/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+8.1.5+dummy+%0A&r
    and=3018901804201457976&AS=255&HL=19 HTTP/1.1" 200 17
    25.2.1.210 - - [29/Sep/2006:16:29:12 +0100] "GET /bea_wls_internal/HTTPClntRecv/a.tun?connectionID=0&rand=7332722597180897050 HTTP/1
    .1" 200 2341
    25.2.1.210 - - [29/Sep/2006:16:29:12 +0100] "POST /bea_wls_internal/HTTPClntSend/a.tun?connectionID=0&rand=3415396992694182025 HTTP/
    1.1" 200 17
    When my request goes through the load balancer I see the following in the HTTP logs:
    10.51.0.200 - - [29/Sep/2006:16:31:33 +0100] "GET /bea_wls_internal/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+8.1.5+dummy+%0A&
    rand=8279752507152372405&AS=255&HL=19 HTTP/1.1" 200 17
    10.51.0.200 - - [29/Sep/2006:16:31:33 +0100] "POST /bea_wls_internal/HTTPClntSend/a.tun?connectionID=0&rand=1051450669479197885 HTTP
    /1.1" 200 17
    10.51.0.200 - - [29/Sep/2006:16:32:28 +0100] "GET /bea_wls_internal/HTTPClntRecv/a.tun?connectionID=0&rand=6035654607615870287 HTTP/
    1.1" 200 5
    10.51.0.200 - - [29/Sep/2006:16:33:13 +0100] "GET /bea_wls_internal/HTTPClntRecv/a.tun?connectionID=0&rand=8245112057388607005 HTTP/
    1.1" 200 5
    Notice the time delay in some of the messages.
    The following error appears in the WebLogic server log, however I've verified that all IP addresses referenced by the load balancer configuration match those in the WebLogic configuration:
    <29-Sep-2006 16:31:43 o'clock IST> <Error> <RJVM> <BEA-000572> <The server rejected a connection attempt JVMMessage from: '266014296
    868812899C:25.2.1.210R:2462711729186814398S:10.51.0.2:[8113,8113,8114,8114,8113,8114,-1,0,0]:10.51.0.1:8103,10.51.0.1:8105,10.51.0.1
    :8107,10.51.0.2:8109,10.51.0.2:8111,10.51.0.2:8113:risIntCluster01:ms06' to: '0S:10.51.0.200:[-1,-1,-1,8143,-1,-1,-1,-1,-1]' cmd: 'C
    MD_IDENTIFY_REQUEST', QOS: '102', responseId: '0', invokableId: '0', flags: 'JVMIDs Sent, TX Context Not Sent', abbrev offset: '228'
    probably due to an incorrect firewall configuration or admin command.>
    When a JNDI lookup is made directly to a WebLogic server on the https port, the client gives the following output:
    Getting Initial context from ms01
    <29-Sep-2006 16:29:22 o'clock IST> <Debug> <TLS> <000000> <SSL/Domestic license found>
    <29-Sep-2006 16:29:22 o'clock IST> <Debug> <TLS> <000000> <Not in server, Certicom SSL license found>
    <29-Sep-2006 16:29:23 o'clock IST> <Debug> <TLS> <000000> <SSL Session TTL :90000>
    <29-Sep-2006 16:29:23 o'clock IST> <Debug> <TLS> <000000> <Trusted CA keystore: D:/eclipse/workspace/LoadBalancerTest/ssl/keystores/cssKeySt
    ore.keystore>
    <29-Sep-2006 16:29:23 o'clock IST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
    <29-Sep-2006 16:29:23 o'clock IST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 7860099>
    <29-Sep-2006 16:29:23 o'clock IST> <Debug> <TLS> <000000> <SSLSocket will NOT be Muxing>
    <29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <write SSL_20_RECORD>
    <29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <32915800 SSL3/TLS MAC>
    <29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <32915800 received HANDSHAKE>
    <29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHello>
    <29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <32915800 SSL3/TLS MAC>
    <29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <32915800 received HANDSHAKE>
    <29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Certificate>
    <29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <validationCallback: validateErr = 0>
    <29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> < cert[0] = [
    Version: V3
    Subject: CN=10.52.0.3, OU=Revenue Integration Server, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key: SunJSSE RSA public key:
    public exponent:
    010001
    modulus:
    ac47cae5 45e55fe4 8ec06362 84aab923 af35d7f1 8b7e8aaa 32772d8a d8185106
    0ba91363 07162207 6eaa33b4 db8a3fbb 1e228e93 841ff322 e319242a 04ae7447
    Validity: [From: Mon May 31 16:45:21 BST 2004,
                   To: Thu May 29 16:45:21 BST 2014]
    Issuer: CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
    SerialNumber: [    05]
    Certificate Extensions: 4
    [1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
    0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated Certificat
    0020: 65 e
    [2]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: D7 B3 92 7B C7 4E 2F 5D F3 97 CB 3B F9 FB 0A 1E .....N/]...;....
    0010: 97 C5 DD F1 ....
    [3]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: D2 66 DD FC 06 C2 BC 7E 18 D5 64 38 AD 6E D0 0A .f........d8.n..
    0010: AA 97 05 0D ....
    [CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE]
    SerialNumber: [    00]
    [4]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
    CA:false
    PathLen: undefined
    Algorithm: [MD5withRSA]
    Signature:
    0000: 57 B6 54 4E 1A 54 91 66 5C A8 FE AF B6 50 AB 23 W.TN.T.f\....P.#
    0010: 6A 32 42 77 06 44 D5 7D 40 81 E4 DD 84 E3 7B 55 [email protected]
    0020: 96 A6 BC E9 E9 51 96 B9 E4 01 56 F9 41 B7 0C C3 .....Q....V.A...
    0030: 0A 92 C0 17 6E 6B 9D D6 9A 87 6D 6E 15 5A 86 F4 ....nk....mn.Z..
    ]>
    <29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> < cert[1] = [
    Version: V3
    Subject: CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key: SunJSSE RSA public key:
    public exponent:
    010001
    modulus:
    bc61b29f a830c97a 7a76883e 1665a241 a68b891f 8e4167eb 62e578ac 9e342c3e
    53c9de8b e756634b e364010f 4d36c1c5 21a65b37 b64b4861 6f4dda29 b932191f
    Validity: [From: Mon May 31 15:22:15 BST 2004,
                   To: Thu May 29 15:22:15 BST 2014]
    Issuer: CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
    SerialNumber: [    00]
    Certificate Extensions: 3
    [1]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: D2 66 DD FC 06 C2 BC 7E 18 D5 64 38 AD 6E D0 0A .f........d8.n..
    0010: AA 97 05 0D ....
    [2]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: D2 66 DD FC 06 C2 BC 7E 18 D5 64 38 AD 6E D0 0A .f........d8.n..
    0010: AA 97 05 0D ....
    [CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE]
    SerialNumber: [    00]
    [3]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    Algorithm: [MD5withRSA]
    Signature:
    0000: 3C 64 7C 9E 0B 90 48 9D 70 74 06 80 7F 2C AF 73 <d....H.pt...,.s
    0010: 92 1C C3 39 DD C3 45 B6 A4 8E 11 27 8E 21 18 4B ...9..E....'.!.K
    0020: FD AA 31 5E 35 FC DF 9E 70 42 F4 65 5C DF 56 9A ..1^5...pB.e\.V.
    0030: DD 8C 6B B7 3B BE E5 A7 D5 4A 16 23 C1 91 07 CA ..k.;....J.#....
    ]>
    <29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <SSLTrustValidator returns: 0>
    <29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <Trust status (0): NONE>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <Performing hostname validation checks: 10.51.0.1>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 SSL3/TLS MAC>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 received HANDSHAKE>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHelloDone>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 70>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 16>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 SSL3/TLS MAC>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 received CHANGE_CIPHER_SPEC>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 SSL3/TLS MAC>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 received HANDSHAKE>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Finished>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 0>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 270>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <30340343 read(offset=0, length=2048)>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 SSL3/TLS MAC>
    <29-Sep-2006 16:29:28 o'clock IST> <Debug> <TL

    You will need an AAM set with the internal (http) address.
    http://blogs.msdn.com/b/ajithas/archive/2009/09/11/alternate-access-mapping-in-reverse-proxy-configuration.aspx
    Dimitri Ayrapetov (MCSE: SharePoint)

  • Source Nating in CSM one armed design

    What is the best practice for creating Source Nating in CSM One armed design? I am doing CSS to CSM migration. I have created the NATPOOL used the VIP address like natpool CSS0 10.xxx.xx.xxx 10.xxx.xx.xxx netmask 255.255.255.0. I did experience some latency after migrating to CSM. Then I used diffrent Ip address is the NATPOOL that improved the latency. Is there any documentation which clearly explains this issue?
    Thanks

    the natpool will have no impact on performance.
    The problem must come from somewhere else.
    You should capture a sniffer trace and verify what is going on.
    Gilles.

  • ACE in one-arm model. VIP on Client Side, servers in other vlan

    Hello All
    i have a LAN whit many servers,but only 2 need to be balanced. So i think in one-arm model, due to the higth trafic that not be pass trought ACE.
    i have a vlan 900 where is the client side and the VIP also. (10.0.9.64/26)
    the servers are in vlan 503 (10.12.3.0/24)
    it mi first design with ONE-arm but i thinks something is missing, because doesn't work.
    the configuration is the next:
    MSFC:
    svclc module 1 vlan-group 1,2,
    svclc vlan-group 1 503,900-902
    svclc vlan-group 2 511
    interface Vlan503
    description OSS_&_Otros
    ip address 10.12.3.253 255.255.255.0
    standby 10 ip 10.12.3.254
    standby 10 priority 150
    standby 10 preempt delay minimum 305
    interface Vlan900
    description MSF_<->_ACE
    ip address 10.0.9.126 255.255.255.192
    end
    access-list 101 permit ip 10.12.3.0 0.0.0.255 10.0.9.64 0.0.0.63
    access-list 101 deny ip any any
    route-map From_Server_OSS_to_ACE permit 10
    match ip address 101
    set ip next-hop 10.0.9.125
    ACE_1/admin#
    ip route 0.0.0.0 0.0.0.0 10.0.9.126
    context OSS
    allocate-interface vlan 511
    allocate-interface vlan 900
    allocate-interface vlan 902
    member Max20
    ACE_1/OSS# sh run
    Generating configuration....
    access-list EVERYONE line 10 extended permit ip any any
    access-list EVERYONE line 20 extended permit icmp any any
    rserver host OSS_FES_1
    description OSS_Front_End_Server_1
    ip address 10.12.3.140
    inservice
    rserver host OSS_FES_2
    description OSS_Front_End_Server_2
    ip address 10.12.3.150
    inservice
    serverfarm host SERVER_farm_OSS
    rserver OSS_FES_1
    inservice
    rserver OSS_FES_2
    inservice
    class-map match-all VIP-OSS
    2 match virtual-address 10.0.9.66 any
    policy-map type loadbalance first-match OSS-LB-POLICY
    class class-default
    serverfarm SERVER_farm_OSS
    policy-map multi-match OSS-POLICY-MAP
    class VIP-OSS
    loadbalance vip inservice
    loadbalance policy OSS-LB-POLICY
    loadbalance vip icmp-reply
    interface vlan 900
    description Clients-side
    ip address 10.0.9.125 255.255.255.192
    access-group input EVERYONE
    access-group output EVERYONE
    service-policy input OSS-POLICY-MAP
    no shutdown
    ip route 0.0.0.0 0.0.0.0 10.0.9.126
    maybe a i need to allocate the vlan 503 in OSS Context, any advice?
    Thanks in advace,
    Gianni From Chile

    Since you server are not behind the ACE in either bridge or routed mode add the follwoing to your config and use nat to get the traffic back to the ace.
    This is how one-armed mode works.
    ACE_1/OSS# sh run
    Generating configuration....
    access-list EVERYONE line 10 extended permit ip any any
    access-list EVERYONE line 20 extended permit icmp any any
    rserver host OSS_FES_1
    description OSS_Front_End_Server_1
    ip address 10.12.3.140
    inservice
    rserver host OSS_FES_2
    description OSS_Front_End_Server_2
    ip address 10.12.3.150
    inservice
    serverfarm host SERVER_farm_OSS
    rserver OSS_FES_1
    inservice
    rserver OSS_FES_2
    inservice
    class-map match-all VIP-OSS
    2 match virtual-address 10.0.9.66 any
    policy-map type loadbalance first-match OSS-LB-POLICY
    class class-default
    serverfarm SERVER_farm_OSS
    policy-map multi-match OSS-POLICY-MAP
    class VIP-OSS
    loadbalance vip inservice
    loadbalance policy OSS-LB-POLICY
    loadbalance vip icmp-reply
    nat dynamic 10 vlan 900
    interface vlan 900
    description Clients-side
    ip address 10.0.9.125 255.255.255.192
    nat-pool 10 0.9.126 10 0.9.126 netmask 255.255.255.192 pat
    access-group input EVERYONE
    access-group output EVERYONE
    service-policy input OSS-POLICY-MAP
    no shutdown

  • ACE 4710 one-arm L4 load balancing removes accept-encoding?

    We have built a simple one-arm PAT config to round robin load balance two Varnish servers. In the "Default L7 load-balancing action" we have left compression to "N/A". It looks like the ACE removes "Accept-Encoding: gzip, deflate" from the client header.
    Is this normal behaviour? We would like the Varnish to do the compression. Do we need modify the headers to get this through the ACE?

    Hi,
    Yes this does seem to be the behavior. Please read below:
    HTTP compression is a capability built into web servers and web browsers to improve site performance by reducing the amount of time required to transfer data between the server and the client. Performing compression on the ACE offloads that work from the server, thereby freeing up the server to provide other services to clients and helping to maintain fast server response times.
    When you enable HTTP compression on the ACE, the appliance overwrites the client request with "Accept-Encoding identity" and turns off compression on the server-side connection. HTTP compression reduces the bandwidth associated with a web content transfer from the ACE to the client.
    So ACE rewrites the ACCEPT-ENCODING header to IDENTITY to indicate to the server that it should not compress the return data. That would be done by ACE.
    Also, default method is used when client comes with both gzip or deflate for "ACCEPT ENCODING". For compression to work, a client must send a request with an ACCEPT-ENCODING method of gzip or deflate. If a client sends both methods, then the ACE uses the configured method(default method).
    Also, you can see if ACE is compressing the packets or in "show service-policy detail.
    switch/Admin#
    show service-policy L7_COMP_SLB_POLICY detail
    Status     : ACTIVE
    Description: -----------------------------------------
    Interface: vlan 1 108
      service-policy: L7_COMP_SLB_POLICY
        class: vip
         VIP Address:    Protocol:  Port:
         2.0.5.1         tcp        eq    80
          loadbalance:
            L7 loadbalance policy: pm
            VIP ICMP Reply       : ENABLED
            VIP state: OUTOFSERVICE
            Persistence Rebalance: ENABLED
            curr conns       : 0         , hit count        : 0
            dropped conns    : 0
            client pkt count : 0         , client byte count: 0
            server pkt count : 0         , server byte count: 0
            conn-rate-limit      : 0         , drop-count : 0
            bandwidth-rate-limit : 0         , drop-count : 0
            L7 Loadbalance policy : pm
              class/match : h
                ssl-proxy client : c
                LB action :
                   primary serverfarm: sf1
                        state: DOWN
                    backup serverfarm : -
                hit count        : 0
                dropped conns    : 0
                compression      : on  <------------------------------ Compression is enabled if the value is "on"
    compression  bytes_in  : 0       bytes_out : 0  <--- Number of bytes transmitted after compressing the server response
    Compression ratio : 0.00%  <------------------------------ Percentage of data compressed
    Gzip: 0               Deflate: 0  <--------------- Number of times the method is used
    compression errors:                                     _
    User-Agent  : 0               Accept-Encoding    : 0   |
    Content size: 0               Content type       : 0   |
    Not HTTP 1.1: 0               HTTP response error: 0   |-- Check these error counters to see if they are increasing
    Let me know if you have any questions.
    Regards,
    Kanwal

  • Probe fail on Standby ACE in One-armed mode

    Hi there
    I'm Kilsoo.
    I made One-armed mode using ACE.
    Real servers are in away Vlan from ACE.
    So, I configured the PBR with ACE alias ip address for the next-hop on the real server's gateway interface.
    And, the probe from active ACE works well.
    But, the probe from standby ACE was fail.
    At this point, my first question
    Is it normal situation that the probe fail from standby ACE????
    So, I made the route-map for PBR like below for temporary solution.
    route-map deny PBR 5
    match ip address Probe_ACL
    route-map permit PBR 10
    match ip address L4_ACL
      set ip next-hop <Alias IP address>
    ip access-list extended Probe_ACL
      pemit ip any <Standby ACE's IP address>
    ip access-list extended L4_ACL
    permit tcp <Real server's IP address> eq 80 any
    Second question...
    Do you have any other good solutions???
    Thanks

    Hi Cesar
    Thanks for your reply.
    But I think I was confuse when I wrote the message.
    I used both ace's vlan ip address for next-hop ip address like your advice.
    Do you know the standby ace can't check probe without route-map in one-armed mode like below diagram???
    Backbone Router
             |
             |
             |
    Supervisor --------------------ACE(vserver: 172.19.100.100)
             |         (vlan 200)
             |
             |
             |(vlan 110)
             |
             |
    Real servers
    (172.19.110.111)

  • CSS11500 one arm design configuration assistance.

    Is it possible to configure the CSS11500 as single arm design? if yes how to configure the source nat on the CSS11500, it is not possibe for me to change the default gateway as well as configure CSS as inline.
    Regards

    yes you can configure CSS in one armed mode. You would do the nat with a group config ie:
    service yada
    ip address 192.168.20.40
    active
    content yadayada
    vip address 192.168.20.55
    add service yada
    group yadayadayada
    vip address 192.168.20.55
    add destination service yada

  • Web Dispatcher with SSL termination for EP

    Hi All,
    I want to configure SAP Web Dispatcher (installed on windows) for SSL
    termination scenario. I did all the configuration steps, SSL Basic,
    SSL termination steps without Metadata Exchange scenario.
    But , when i am trying to access the portal using "<b>
    https://<DispatcherHost>:<Port>/irj/portal</b>", its giving <b>page
    can not be displayed</b> error
    <i>This is how the profile file of the dispatcher looks like,</i>
    profile file **************
    Profile generated by sapwebdisp bootstrap
    unique instance number
    SAPSYSTEM = 2
    Accessibility of Message Servers
    rdisp/mshost = <portal server>
    ms/http_port = 8101
    SAP Web Dispatcher Parameter
    wdisp/auto_refresh = 120
    wdisp/max_servers = 100
    wdisp/shm_attach_mode = 6
    configuration for large scenario
    icm/max_conn      = 16384
    icm/max_sockets   = 16384
    icm/req_queue_len = 6000
    icm/min_threads   = 100
    icm/max_threads   = 250
    mpi/total_size_MB = 500
    mpi/max_pipes     = 21000
    #maximum number of concurrent connections to one server
    wdisp/HTTP/max_pooled_con = 2000
    wdisp/HTTPS/max_pooled_con = 2000
    SAP Web Dispatcher Ports
    SAP Web Dispatcher Web Administration
    icm/HTTP/admin_0 = PREFIX=/sap/wdisp/admin,DOCROOT=./admin
    icm/server_port_0 = PROT=HTTPS,PORT=5000
    icm/server_port_1 = PROT=HTTP,PORT=0
    icm/HTTPS/verify_client = 0
    DIR_INSTANCE=D:\SAP_SSL\secudir
    ssl/ssl_lib=D:\SAP_SSL\secudir\sapcrypto.dll
    sss/server_pse=D:\SAP_SSL\secudir\SAPSSL.pse
    wdisp/ssl_encrypt = 0
    wdisp/add_client_protocol_header = true
    profile file **************
    After modifying the profile file, restarting the dispatcher gives the
    following information in the command prompt,
    Information in command prompt *******
    D:\SAP_SSL\sapwebdisp\sapwebdisp pf=sapwebdisp.pfl
    **Warning: Could not start service 5000 for protocol HTTPS on host
    <hostname>" <on all adapters>
    *SAP Web Dispatcher up and operational <pid: 1700>*
    Information in command prompt *******
    What may be problem? Did i miss out any steps ?
    Please help !
    Regards,
    Sandip

    Hi Sandip,
    Please check this thread..
    /thread/41459 [original link is broken]
    cheers,
    Prashanth
    P.S : Please mark helpful answers

  • CSS 11503 One-arm Design and Server Default Gateway

    Our problem is determining the correct default gateway for our web servers. All IP addresses are in the same subnet (VIP, interfaces, and servers). Should the servers default gateway be the L3 switch, or the CSS?
    Thanks!
    Tom

    Hi Tom,
    If you have one arm mode, you might have problems with asymmetric flows, due that the CSS behaves similar to a firewall when it comes to flows, as it needs to see both sides of the flow ( client and server side ) in order to handle things correctly. Having this kind of setup, and even when the server pointing to the CSS as its default gateway, ICMP redirects might force the traffic to change dynamically.
    You can put as default gateway the L3 switch, but you need to force the traffic that has been load balanced by the CSS to go back to the CSS, otherwise the flow would fail. You can do this by using a group on the CSS, adding the service with the following command: 'add destination service xxxx'. This would NAT the client's IP address for the VIP that you use on the group and would force the flow to go back to the CSS.
    Another thing that you can do is to use the CSS as the server's DG, but you must make sure that all L3 devices, including the CSS have ICMP redirects turned off on this subnet. If you have a firewall on this subnet, you would need to turn off proxy ARP as well.
    I hope you find this helpful. Thanks!
    Regards,
    Jose Quesada.

  • One-armed LB with Trunk

    What are the downsides of using a one-armed LB solution? I am trunking multiple VLANs across one interface instead of using multiple interfaces to connect to my server farm. The servers still have their default gateway as the CSS.

    Thee are performance issues if the CSS has to LB over one interface. These should not be under estimated !!
    However if you are trunking in to the CSS, you may not have this. It depends on how you configure your "logical" network. You could use one physical interface, but run two vlans over it (a trunk), these vlans are two logical interfaces, so in fact you are not running true one-armed. On CSS the vlans bind to the circuits to form the interfaces, it is only when you are LB over one circuit that you get performance issues.
    Hope that made sense :-)

  • ACE - SSL Termination is not working

    HTTPS is not working from official IE browser but it is working from test Firefox browser. However HTTP is working with both IE and Firefox browsers. This is true for multiple implementations on the ACE service module with SSL termination.
    ACE software 3.0(0)A1(4a)
    IE v6 SP3 Cipher 128
    Firefox v3.6.3
    Sample configuration:
    access-list FT ethertype permit bpdu
    access-list ALL-ACCESS extended permit icmp any any
    access-list ALL-ACCESS extended permit ip any any
    crypto chaingroup ROOT-CERT
      cert abc.PEM
      cert xyz.PEM
    parameter-map type ssl SSL-PARAMETER-1
      cipher RSA_WITH_RC4_128_MD5
      cipher RSA_WITH_RC4_128_SHA
      cipher RSA_WITH_AES_128_CBC_SHA priority 2
      cipher RSA_WITH_AES_256_CBC_SHA
      cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
    parameter-map type ssl SSL-PARAMETER-2
      cipher RSA_WITH_AES_128_CBC_SHA priority 2
    ssl-proxy service SSL-1
      key KEY-1.PEM
      cert CERT-1.PEM
      chaingroup ROOT-CERT
      ssl advanced-options SSL-PARAMETER-1
    ssl-proxy service SSL-2
      key KEY-1.PEM
      cert CERT-1.PEM
      chaingroup ROOT-CERT
      ssl advanced-options SSL-PARAMETER-2
    ssl-proxy service SSL-3
      key KEY-1.PEM
      cert CERT-1.PEM
      chaingroup ROOT-CERT
    rserver host server1
      ip address 10.100.15.89
      inservice
    rserver host server2
      ip address 10.100.15.121
      inservice
    probe http PROBE-1
      interval 30
      faildetect 2
      request method get url /keepalive.htm
      expect status 200 200
    serverfarm host SERVERFARM-1
      probe PROBE-1
      rserver server1 80
        inservice
      rserver server2 80
        inservice
    sticky ip-netmask 255.255.255.255 address both STICKY-1
      timeout 30
      replicate sticky
      serverfarm SERVERFARM-1
    class-map type management match-any REMOTE-ACCESS
      match protocol icmp any
      match protocol snmp any
      match protocol ssh any
      match protocol https any
    class-map match-all VIP-1
      match virtual-address 10.100.15.140 tcp eq https
    class-map match-all VIP-2
    match virtual-address 10.100.15.140 tcp eq www
    policy-map type management first-match REMOTE-ACCESS
      class REMOTE-ACCESS
        permit
    policy-map type loadbalance first-match POLICY-1
      class class-default
        sticky-serverfarm STICKY-1
    policy-map multi-match LB-1
      class VIP-1
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        loadbalance policy POLICY-1   
        ssl-proxy server SSL-1
    (i have tried with ssl-proxy server SSL-2 and ssl-proxy server SSL-3 but did not helP)
    policy-map multi-match LB-2
      class VIP-2
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        loadbalance policy POLICY-1
    interface vlan 15
      description client vlan
      bridge-group 15
      mac-sticky enable
      access-group input FT
      access-group input ALL-ACCESS
      access-group output ALL-ACCESS
      service-policy input REMOTE-ACCESS
      service-policy input LB-1
      service-policy input LB-2
      no shutdown
    interface vlan 2015
      description server vlan
      bridge-group 15
      mac-sticky enable
      access-group input FT
      access-group input ALL-ACCESS
      access-group output ALL-ACCESS
      service-policy input REMOTE-ACCESS
      no shutdown
    interface bvi 15
      description bridge group
      ip address 10.100.15.5 255.255.255.0
      peer ip address 10.100.15.6 255.255.255.0
      alias 10.100.15.4 255.255.255.0 
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.100.15.1
    note: Subnet, Server Name, Certificate Name and Key Name are modified for security reason.

    Hello,
    We will not be able to determine why your SSL terminated connections fail with only your config.  You may want to take a look at a similar thread where someone else was having problems with IE and SSL termination, but Firefox worked fine.  It also includes a solid action plan you can use to gather data needed to diagnose root cause.  That thread can be viewed at the following link:
    https://supportforums.cisco.com/thread/2025417?tstart=0
    Also, the ACE software you are running is extremely old now and very buggy.  I would strongly urge you to upgrade to A2(2.4) as soon as possible.  It will help you avoid some headaches as you move forward.
    Hope this helps,
    Sean

  • ACE 4710 and load balancing with sticky cookie

    Configuring load balancing with SSL termination and stickiness for a couple of citrix xenapp servers.  I'm doing a source-NAT as the ACE resides in the DMZ and these particular servers reside on the inside arm of the firewall.  The ACE is in bridged mode to load balance web servers that reside in the DMZ.  Everything seems to work just fine, but the cookie stickiness does not seem to be working.

    Hi David,
    As you may know, using Wireshark to look at an HTTPS capture is only useful if you've installed the server SSL key.This is why I find it easier to use something like LiveHTTPHeaders or HTTPWatch.
    When using cookie-insert, the ACE will not create any dynamic cookie entries.  It will simply create one static entry for each rserver with a cookie value, such as R3911631338, and any client that gets load balanced to that rserver will receive a cookie with that value.  So what you see there is what is expected.
    You are correct in that when using location cookies that the server supplies, the ACE will create a dynamic entry when it sees the server response with the cookie.   The cookie is included in the server's response, and the ACE will look for the value as configured.  The cookie will also be sent to the client.  If the cookie is not in the server's first response, you will need enable persistence-rebalance so that it will look in subsequent server responses.  If the browser opens new connections with that cookie, then the ACE will stick to the same server.
    My suggestion would be to get sticky working with cookie-insert first.  Then if that meets your needs, go with that permanently.  If you need to use server cookies, then once cookie insert is working, migrate your sticky to cookie location.
    Sean

  • Can I configure csm as one arm and routing mode at the same time?

    My csm currently is configured as the routing mode and bridge mode, resently I have a service requirement which I think the one arm mode should be the best resolution. Can anybody let me know if there will be any affect if I add the one arm mode to the currently production environment?
    Thanks in advance.
    Jason

    Gille,
    Thanks for your quick response. I notice you have same opinion about the one arm mode in your other post, but I think in the multi-tire data center design with fw in bridge mode and csm in one arm mode with RHI, do give us a lot of flexibilty. If I use policy routing instead of source nat, can I overcome these limit you metioned?
    Do you know who csm could handle the TFTP traffic? I may have too much question, I am realy looking for your suggestion.
    Thanks
    Jason

Maybe you are looking for