ACE as Proxy
Dear *,
Based on the below cisco link:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/terminat.html#wp1159517
SSL Termination Overview
SSL termination occurs when the ACE, acting as an SSL proxy server, terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server. When the ACE terminates the SSL connection, it decrypts the ciphertext from the client and transmits the data as clear text to an HTTP server.
Now i would like to clarify the following:
•1) When ACE terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server, in this case what is the source IP that the server will see? Will it see client IP or ACE IP as source? I believe it should see the source IP of the ACE Or here the ACE only terminates and re-initiates the TCP session without changing the source IP?
•2) If we don’t want to use SSL can ACE work as normal proxy, can we terminate a connection from the client and then establish a new session to the HTTP server? If yes then servers will see the source IP of ACE?
Thanks,
Aamir
Hello Aamir-
1.) It depends on your configuration, however, ACE will use the client IP by default and a Source Nat Pool if you have it configured to do so. Even with SSL on the front and backend, this still holds true.
2.) No.
ACE is not a prxoy server in any means. Even with a layer 5 content rule where ACE needs to terminat the client session to make a loadbalancing decision, once it creates a backend session, it steps out of the way and lets the client/server handle everything. In otherwords, you would never point your client browser to ACE as a proxy.
Regards,
Chris Higgins
Similar Messages
-
Using ACE for proxy server load balancing
Hello groups,
I wanted to know your experiences of using ACE for proxy server load balancing.
I want to load balance to a pool of proxy servers. Note: load-balancing should be based on the HTTP URL (i can't use source or dest. ip address) so that
a certain domain always gets "cached/forwarded" to the same proxy server. I don't really want to put matching
criteria in the configuration (such as /a* to S1, /b* to S2, /c* to S3,etc..), but have this hash calculated automatically.
Can the ACE compute its own hash based on the number of "online" proxy servers ? ie. when 4 servers are online, distribute domains between 1,2,3,4 evenly.
Should server 4 fail, recalculate hash so that the load of S4 gets distributed across the other 3 evenly. Also load-balancing domains of S1 ,S2 and S3 should not change if S4 fails.....
regards,
GeertThis is done with the following predictor command:
Scimitar1/Admin# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Scimitar1/Admin(config)# serverfarm Proxy
Scimitar1/Admin(config-sfarm-host)# predictor hash ?
address Configure 'hash address' Predictor algorithms
content Configure 'hash http content' Predictor algorithms
cookie Configure 'hash cookie' Predictor algorithms
header Configure 'hash header' Predictor algorithm
layer4-payload Configure 'hash layer4-payload' Predictor algorithms
url Configure 'hash url' Predictor algorithm
Scimitar1/Admin(config-sfarm-host)# predictor hash url
It does hash the url and the result takes into account the number of active proxies dynamically.
This command has been designed for this kind of scenario that you describe.
Gilles. -
Ace ssl-proxy problem, Online store.
Hello!
I have a problem with moving our online store loadbalancing to a Cisco ACE solution from Windows NLB that it runs on now. And also relive the servers from the ssl encrypt and decrypting of sessions.
The load balancing works', as long the session is Http, but when the "customer" comes to the point that i is going to pay. Our shop is jumping over to HTTPs and this is where the problem appear.
The "customer" is getting the certificate right but the site is not displayed = the session to the shop seems to die.
If i have missed something in the config or if someone have any other idea why this dont work for me..
Appreciate any help!
My config:
(at the moment only web5 is in use)
ACE-1/CO-WEB1# show run
access-list ANY line 10 extended permit ip any any
access-list icmp line 8 extended permit icmp any any
probe http PROBE-HTTP
interval 3
passdetect interval 10
passdetect count 2
expect status 200 200
expect status 300 323
parameter-map type ssl SSLPARAMS
cipher RSA_WITH_RC4_128_MD5
rserver host vmware-server1
description testserver1
ip address 219.222.4.180
probe PROBE-HTTP
inservice
rserver host vmware-server2
description testserver 2
ip address 219.222.4.181
probe PROBE-HTTP
inservice
rserver host web5
description testserver from windows nlb
ip address 219.222.4.185
probe PROBE-HTTP
inservice
ssl-proxy service SSL-PROXY-SE
key cert-se.key
cert cert-se.pem
ssl advanced-options SSLPARAMS
serverfarm host WM-ware_servers
rserver vmware-server1
inservice
serverfarm host webtest
description testserver-farm
predictor leastconns
rserver vmware-server1 80
rserver vmware-server2 80
rserver web5
inservice
sticky ip-netmask 255.255.255.0 address source STICKY-GROUP1
timeout 60
serverfarm webtest
class-map match-all VIP-HTTP
2 match virtual-address 219.222.4.178 tcp eq www
class-map match-all VIP-HTTPS
2 match virtual-address 219.222.4.178 tcp eq https
class-map type management match-any icmp
description for icmp reply
2 match protocol icmp any
policy-map type management first-match icmp
class icmp
permit
policy-map type loadbalance first-match VIP-HTTP
class class-default
sticky-serverfarm STICKY-GROUP1
policy-map type loadbalance first-match VIP-SSL
class class-default
serverfarm webtest
policy-map multi-match SLB-VIP-HTTP
class VIP-HTTP
loadbalance vip inservice
loadbalance policy VIP-HTTP
loadbalance vip icmp-reply
class VIP-HTTPS
loadbalance vip inservice
loadbalance policy VIP-SSL
loadbalance vip icmp-reply
ssl-proxy server SSL-PROXY-SE
interface vlan 21
description ### ACE OUTSIDE mot FW ###
ip address 219.222.4.171 255.255.255.240
access-group input ANY
access-group output ANY
service-policy input icmp
service-policy input SLB-VIP-HTTP
no shutdown
interface vlan 22
description ### ACE INSIDE Gateway for Web-servers ###
ip address 219.222.4.177 255.255.255.240
access-group input ANY
access-group output ANY
service-policy input icmp
no shutdown
ip route 0.0.0.0 0.0.0.0 219.222.4.161
ACE-1/CO-WEB1#
as seen in "show conn" the sessions is established, first when i enter site, and go to payment (jumping over to SSL):
ACE-1/CO-WEB1# show conn
total current connections : 4
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
4 1 in TCP 21 219.222.0.2:49972 219.222.4.178:443 ESTAB
14 1 out TCP 22 219.222.4.185:443 219.222.0.2:49972 ESTAB
11 2 in TCP 21 219.222.0.2:49923 219.222.4.178:80 ESTAB
3 2 out TCP 22 219.222.4.185:80 219.222.0.2:49923 ESTAB
ACE-1/CO-WEB1#Hello Krille
i had the same problem.
The HTT Probe you define will do a check if
the return code is
expect status 200 200
expect status 300 323
Now if a user is accessing the hppts site, in the flow there will be an expect status like 404, the ACE now is not establish an sticky connection, cause it think that the flow is not ok.
The only output after ther Certificates is a blank site.
If you change the Probing to ICMP you will be able to access the https site and the connection is sticky. With a litte tool like IE Watch you will be able to see the wrong Status codes.
regards
eberhard -
Hello, I have a client that needs to reverse proxy sessions to two backend servers. Can the ACE preform reverse proxies?
Gregg,
you need to create an action-list and assign it to your policy-map
switch/Admin(config)# action-list type optimization http avs_default
switch/Admin(config-actlist-optm)# ?
Configure optimization actions:
appscope Appscope measurement against optimization
cache Cache optimization
delta Delta optimization
do EXEC command
dynamic Enable just-in-time object accelaration
end Exit from configure mode
exit Exit from this submode
flashforward Flashforward optimization
flashforward-object Flashforward object optimization
no Negate a command or set its defaults
You will probably want to use cache forward or cache dynamic.
More info at
http://www.cisco.com/en/US/docs/net_mgmt/application_networking_manager/2.0/user/guide/UG_optimization.html
Gilles. -
ACE SSL Proxy performance issue
Hi I've got an ACE module in a 6500 that is being used as an SSL Proxy For a web service.
So the configuration is fairly basic, matches a VIP which has been Nat'ed from the public IP address port 443 and load balances over a number of reservers with the server ports being set to 80.
The problem is the main web site is hosted elsewhere and so when they switch to checkout on a secure port the browser page requests multiple https:// files .
The users are seeing very slow page loads a considerable amount longer than equivalent on http and more than you'd expect. The ACE is no where near any throughout or transaction limits.
My concern is on how the session is tracked, would the ACE attempt to renegotiate with every https:// get? I've seen example configs for stickiness inserting cookies for normal end-end load balancing but not with an SSL proxy configuration.
Sent from Cisco Technical Support iPad AppHi Craig,
The SSL negotiation/handshake will happen everytime a client opens a new TCP connection i.e comes with a different source port.
To make sure that ACE doesn't renegotiate you can try and use this command:
(config-parammap-ssl)# session-cache timeout . You can use 24 hours or anytime you think is suitable.
This is basically to enable SSL session reuse. A little explanation below for your reference:
When client connects to a server over SSL, the server creates a session for that connection. This session ID is sent as a part of the Server Hello message. This is to make things efficient, in case the client has any plans of closing the current connection and reconnect in the near future. Most of the servers have a time out for these sessions (I think 24 hours is a common value, unless pressed for space).
When the client connects to the same server again, it can send the same session ID as a part of the Client Hello. The server will first look up if it can find any sessions with that ID. If found, the same session will be reused. Thus the time spent in verifying the certs and negotiating the keys is saved. If the server cannot find a matching session, then it responds with a new session ID and its certificate in Server Hello message. The client knows that it has to verity the cert and negotiate the key again.
Considerable amount of time is spent in validating server certs. Reusing SSL session will save this time.
Having said that you need to check if the client is coming with a session ID which it got in previous handshake or not. If it doesn't and it is a new TCP connection then SSL handshake will happen. Please enable that command before testing.
Also, ensure that you have allocated proper SSL resources to your context. Lack of resources can also cause dropped connections and sluggish performance.
Regards,
Kanwal -
ACE 4710 like Proxy Log?
Hi guys!
I have one question to the ACE.
We using the ACE as Proxy.
Can write the ACE a proxy log? (GET, Post requests)
Like so
192.168.0.1 - - [09/Oct/2010:02:12:40 +0200] "GET / HTTP/1.1" 302 304 "http://www.cisco.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.10) Gecko/20100914 AskTbCDS/3.9.0.12758 Firefox/3.6.10"
192.168.0.1 - - [09/Oct/2010:06:17:14 +0200] "GET /oks/app HTTP/1.1" 200 3861 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)"
192.168.0.1 - - [09/Oct/2010:06:17:15 +0200] "GET /css/default.css HTTP/1.1" 304 - "https://blablbla.at/oks/app" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C
did anybody know that the ACE can do this.
He can also forward the events to a sys Server. Is it posible?
Thanks
regards MarkusHi Markus,
The short answer is no.
This kind of logging you are looking for is more common in HTTP caching devices. However, the ACE will only proxy connections in order to get enough information to make a load-balancing decision.
Regards
Daniel -
ACE behind Reverse Proxy - performance issue
Hi,
I've got a config working to accommodate the required use of reverse proxy servers infront of my application servers. Traffic comes into the Front ACE and I insert a header "SRCIP" with the original client IP address which is preserved through the Rev Proxy servers and is then inspected on the Back ACE to create a sticky to a given application server/SRCIP pairing. The use of the RP's appears to require using the persistence-rebalance option otherwise the traffic get stuck to the wrong app server. The app functions perfectly with this config; however, there is a severe performance impact. Using load-runner, we see response times go from 1.5 seconds to 16 seconds for the same transactions comparing this config to a previous config which used static sticky to bind the RP to the app servers..
Question: Is there a better way to do this and remain dynamic, or some way to optimize this approach to reduce the performance impact.
Relevant Config for both ACE's here:
!!Front ACE
parameter-map type http HTTP_REBAL
persistence-rebalance
length-exceed continue
sticky ip-netmask 255.255.255.255 address source ALPHA-SRCIP-sticky
timeout 60
replicate sticky
serverfarm ALPHA
policy-map type loadbalance first-match vip-R1A-ALPHA
class class-default
sticky-serverfarm ALPHA-SRCIP-sticky
insert-http SRCIP header-value "%is"
policy-map multi-match PREP-VIP
class VIP-ALPHA-R1A
loadbalance vip inservice
loadbalance policy vip-R1A-ALPHA
appl-parameter http advanced-options HTTP_REBAL
ssl-proxy server SSL_ALPHA_R1A
!!Back ACE
parameter-map type http HTTP_REBAL
persistence-rebalance
length-exceed continue
sticky http-header SRCIP ALPHA-SRCIP-sticky
timeout 60
replicate sticky
serverfarm coresoms-ALPHAfarm
class-map type http loadbalance match-all SRCIP-MAP
2 match http header SRCIP header-value ".*"
policy-map type loadbalance first-match vip-lb-ALPHA
class SRCIP-MAP
sticky-serverfarm ALPHA-SRCIP-sticky
policy-map multi-match lb-vip
class VIP-ALPHA
loadbalance vip inservice
loadbalance policy vip-lb-ALPHA
appl-parameter http advanced-options HTTP_REBALHi Joseph,
To achieve this you need to do stickiness based on some L7 parameter (either the header you are currently using or some cookie), so, whatever you do you will have to use persistence rebalance.
I have one possible theory for your issue.
The ACE has two different ways of treating the L7 connections internally, that we call "proxied" and "unproxied". In essence, the proxied mode means that the traffic will be processed by one of the CPU (normally to inspect/modify the L7 data), while, on the unproxied mode, the ACE sets up a hardware shortcut that allows forwarding traffic without the need to do any processing on it.
For a L7 connection, the ACE will proxy it at the beginning, and, once all the L7 processing has been done it will unproxy the connection to save resources. Before it goes ahead with the unproxying, it needs to see the ACK for the last L7 data sent. This wait, on a Internet environment can introduce around 100-200ms of delay for each HTTP request, which can end up adding into a very big delay. By default, if the ACE sees that the RTT to the client is more than 200ms, the connection will never be unproxied to avoid these delays, so I think we could fix your issue by tweaking this threshold.
From what you described, I asssume you don't have many connections (because they all come through a proxy) and that the connections will have a lot of HTTP requests inside. With that in mind, I would suggest setting the threshold to 0 to ensure to keep connections always proxied. To do this, you would nee to configure a parameter map like the one below and add it to your VIP
parameter-map type connection
set tcp wan-optimization rtt 0
Even though this setting may avoid your issue, it also has some drawbacks. The main one is that the ACE20 only supports up to 512K simultaneous L7 connections in proxied state (which includes also the connections towards the servers, so, it would be 250K for client connections), so, if the amount of simultaneous connections reaches that limit, new connections would be dropped. The second issue, although not so impacting, would be that the maximum number of connections per second supported would also go down slightly due to the increased processing needed.
I hope this helps
Daniel -
Using ACE to load balance HTTP/S traffic between client & proxy server using tcp 8080
Folks,
I have a scenario where ACE is in load balancing connections to a bunch of Websense servers in a one-armed topology. ACE presents a single VIP to web browser clients and each client's browser proxy configuration is populated with the VIP DNS name. Traffic then gets load balanced between the Websense servers. The problem arises due to Websense requiring the 'X-Forwarded-For' HTTP header in order to obtain the source IP of the client.
ACE inserts this header into the standard HTTP 'proxied' traffic but doing this for HTTPS traffic has required the configuration of the ACE SSL proxy client server.
So the problem I have is this:
How to configure ACE to load balance both HTTP & HTTPS applications using a single VIP and tcp port number ie tcp 8080
The ACE hardware being used is ACE20-MOD-K9 - MODULE
I have attempted to use a L7 class map to match all ciphers and attach this to a L7 Policy-Map but the documentation highlights the fact the 'match cipher' configuration is only available on the ACE appliance.
I believe I am on the correct track. The HTTPS traffic must be identified and used to match against PolicyA and HTTP traffic matched against PolicyB
I'm looking for ideas! I'm hopeful someone must have solved this problem previously!!
Regards,
SimonHi Simon,
The classification has to work on different ports. Whether client types http or https doesn't matter to client. His request will reach VIP which will classify the traffic based on port, protocol first and then it can look into further detail to send the traffic to appropriate serverfarm.
You can class-map match-any xxxxx
2 match virtual-address x.x.x.x tcp any
and then you configure further classification on the basis of L7 like url, header etc.
But again, you will still need SSL termination on ACE.
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
HI
I've asked a part of this question before, but need further clarifications. Hope some one can help.
We are trying to deploy an ACE to transparently re-direct http traffic to a set of proxy servers, that are also doing some content filtering. following is the expected high level setup.
clients -----[ACE] ---- internet
|
|
|
| | |
[proxy 1] [proxy 2] [proxy 3]
The proxy servers have to go through the ACE again to access the internet. The returning traffic should also go back through the ACE to the same proxy server that catered for the forward traffic. As the proxy does not modify the source IP of the forward traffic (source IP of the packets going to the internet remians to be the actual client IP) , this appears to be a problem. Would you be able to suggest a solution ?
Many thanksyes, but two problems.
1.) Since the return packet from the internet has actual client (not the proxy) IP address as the destination IP, will that traffic go back to the proxy rather than directly to client?
2.) Even if it can be sent back to the proxy server farm, how can I ensure that it will go to the same proxy that originated the http request/etc. ?
Sorry to bother you this much
thanks again
Din -
I'm using an Ace 4710 Appliance deployed in One-Armed mode, using Source NAT to loadbalance HTTP request to a couple of Proxy servers.
Everything is working fine, but the thing is that I can't see the Clients IP addresses on Proxy's logs, so I can't keep track of them.
The Interfaces and Nat configs are:
interface vlan 200
description Server-Side-VLAN
bridge-group 5
nat-pool 5 10.1.1.5 10.1.1.5 netmask 255.255.255.0 pat
service-policy input VIPS
interface vlan 300
description Client-Side-VLAN
bridge-group 5
interface bvi 5
ip address 10.1.1.3 255.255.248.0
description Client-Server-Virtual-Interface
ip route 0.0.0.0 0.0.0.0 10.1.1.1
and the policy map looks like this
policy-map multi-match VIPS
class Port80
loadbalance vip inservice
loadbalance policy Port80
nat dynamic 5 vlan 200
Resource assignment:
sticky ip-netmask 255.255.255.255 address both RESOURCE-CLASS
timeout 5
serverfarm Service80
Any suggestions will be appreciated,
ThanksHi Kanwal,
Thanks for your quick reply,
I've already tried this but it didn't work. The problem is that I don't manage the proxy servers so I rely on their skills to see the logs.
The Proxies are Squid. Do you know if they need to do something else on the servers to see that field of the HTTP header?
But I'll try again tomorrow and let you know how it goes.
Thank you again. -
ACE best practice for proxy servers
Dear,
I would like to know which is the best practice scenario to load balance proxy servers:
1- Best practice to have transparent proxy or proxy setting on the web browser?
2- for transparent proxy: best practice to use ip wccp or route-map pointing to the ACE VIP?
3- What are the advantages and disadvantages of transparent proxy V/S web browser proxy setting.
Regards,
PierreHi,
Sorry, that seem to be an internal link.
You can also check the below post where a sample config is posted here for transparent cache.
https://supportforums.cisco.com/thread/129106
Best practice :
VIP would be a catch all address.
To optimize the caching predictor hash url is used.
You can also use mac-sticky on interface so proper flow persistence is used within ACE
The mode is transparent so we preserve the destination ip address.
Regards,
Siva -
ACE functionally question - SSL tunnelling / proxy on behalf of non SSL client
Hi
Can the ACE perform SSL tunnelling of web services(HTTP) traffic. Can ACE perform SSL tunnelling/proxy on behalf of a non SSL client.
Example:
Client (HTTP) ---->>> (HTTP)Cisco ACE(HTTPS) ------>>>>(HTTPS) Server
The "client" Server does not support SSL.
Can an ACE tunnel the web services traffic inside an SSL tunnel to a specific destination server on behalf of the client server (that does not support SSL)
Are there any other Cisco products that could be used to perform this SSL tunnelling on behalf of a non SSL Client.
RegardsHello Byron,
Yes, the ACE can do it
Here you have some of the flavors of SSL with the ACE.
Here you have a sample about it:
parameter-map type http CASE_PARAM
case-insensitive
persistence-rebalance
set header-maxparse-length 65535
set content-maxparse-length 65535
class-map match-all CLEAR_TEXT_VIP
2 match virtual-address 172.20.120.19 tcp eq www
policy-map multi-match JORGE-MULTIMATCH
class CLEAR_TEXT_VIP
loadbalance vip inservice
loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC
loadbalance vip icmp-reply active
appl-parameter http advanced-options CASE_PARAM
policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
class class-default
serverfarm ENCRYPTED-SERVERFARM
ssl-proxy client SSL-PROXY-JORGE
ssl-proxy service SSL-PROXY-JORGE
key TAC-key
cert TAC-cert
serverfarm host ENCRYPTED-SERVERFARM
rserver JORGE-SERVER 443
inservice
Here you have some additional details under the configuration guide:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/initiate.html
Here you have some additional samples:
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples
Hope this helps for you and fix your issue
Jorge -
ACE 4710, reverse proxy?
Hello All,
Please forgive my ignorance but can the ACE appliance behave as a reverse proxy for http and ssl traffic? I would assume it can given how it does SLB but SLB is not a requirement at this time. Thanks for your input.Hi Mate,
The reverse proxy servers can perform many tasks, like:
Note: this info from Wikipedia: http://en.wikipedia.org/wiki/Reverse_proxy
Reverse proxies can hide the existence and characteristics of the origin server(s), The ACE will do that.
Application firewall features can protect against common web-based attacks. Without a reverse proxy, removing malware or initiating takedowns, for example, can become difficult, The ACE has some built-in security features, you can refer to this document for full detail:
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/security/guide/securgd.html
In the case of secure websites, the SSL encryption is sometimes not performed by the web server itself, but is instead offloaded to a reverse proxy that may be equipped with SSL acceleration hardware. The ACE can do this:
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/ssl/guide/sslgd.html
A reverse proxy can distribute the load from incoming requests to several servers, with each server serving its own application area. In the case of reverse proxying in the neighborhood of web servers, the reverse proxy may have to rewrite the URL in each incoming request in order to match the relevant internal location of the requested resource. The ACE can do that perfectly.
A reverse proxy can reduce load on its origin servers by caching static content, as well as dynamic content. Proxy caches of this sort can often satisfy a considerable amount of website requests, greatly reducing the load on the origin server(s). Another term for this is web accelerator. A reverse proxy can optimize content by compressing it in order to speed up loading times. Please check this link for more detail about ACE Application Acceleration and Optimization:
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/app_acc_and_opt/guide/appaccoptgd.html
Best regards,
Ahmad -
ACE to load balance proxy servers
Hi,
i have a set of 4 proxy servers that are already load balanced. But they are using a incorrectly configured health probe on the ace. I need to know a good configuration for a heath probe that will send a http request over port 80 , wait for response, and read it? I searched the forum and the cisco pages but could not find a proper answer.
the current probe is as follows:
probe http HTTPGET
description Tests that www.gmail.com returns 302 redirect
interval 10
request method get url http://www.gmail.com
expect status 302 302
-GordonHi Gordon,
This is what you want to achieve :
I need to know a good configuration for a heath probe that will send a http request over port 80 , wait for response, and read it?
So ideally you have to choose what content you want to request and what you expect as response.
Any HTTP request will assume that the request is going to the web server or the device can understand HTTP and respond accordingly.
If you ask me I would say that the probes which you are using make sense.
If the probe fails that means the proxy is unable to reach "www.gmail.com" which is almost as good as proxy is not working.
Let me know your thought about it.
regards,
Ajay Kumar -
ACE - TCP Options for Proxy-Connections
Hi all,
I have the issue that my ACE does not seem to allow tcp options with L7 proxied connections to the servers. For the client side connection I see the TCP option timestamp for example, but unfortunately the ACE itself does not put the timestamp option into its own TCP connection to the rserver. A 'parameter-map type connection' does only seem to have an effect on L4 connections, not proxied ones. Does anybody know a way how to tell the ACE to have e.g. a timestamp option in the TCP connection to the server as part of a L7 loadbalancing?
Any help is highly appreciated!
Thanks,
DanielDaniel,
we do not support timestamp at L7.
I think we only support window scaling.
Gilles.
Maybe you are looking for
-
Errors needed to solve!!!
Hi all, I have these errors: 1. JBO-25017: Error while creating a new entity row for Member. 2. oracle.jbo.server.DBTransactionImpl2 I don't know what they mean?? and what should I do to solve them?? Thanks, Dha_Suh
-
7 wont install says error try again
I'm going mental. have been trying for 2 weeks. itunes and ichat now have application symbols on my dock. error message says try again. have done so tons of times. have moved things on to desk top, hasn't helped. I have 2 seperate accounts on my mini
-
Problem to install Oracle 8 in Windows 98
I have a problem to install the Oracle 8 client in the Windows 98. The machine is a Pentium IV 1.6 128 Mb RAM. After install the Oracle client, when I try to execute SQL Net Easy Configuration, appears the Windows Message "Java - This program execute
-
Keywords in Metadata of original pictures files
I have added a number of keywords to a group of photos. I have not exported them. They are still on my hard drive in the original location that I imported them from. I imported with the option to leave the photos where they were. When I go to look at
-
Snmp for oids with multiple values
Hi, So if we have array of OIDs defined in the mib file (eg, 1.3.6.1.4.1.22.1.1, 1.3.6.1.4.1.22.1.2, 1.3.6.1.4.1.22.1.3 and so on each having different values). does anyone know how can we capture this using SNMP fetchlet? or do we need to specify ea