ACE balance cookie + https

Similar Messages

• ACE load-balancing-Cookie problem

  In our other load-balancing environments the load-balancer-cookie contains the encrypted (real) servername or ip-address.
  We think it's the same on the cisco, for that reason it's in theory not possible, that there are two 'green'-cookies with different values in the same request.
  There are only two possibilities how this could happen:
  a) The healthmonitor (http_probe) fails, the loadbalancer 'thinks' that the realserver is down and redistributes the traffic.
  But in that case we would expect, that the old cookie will be overwritten by the new one and not simply added to the http-header.
  b) The predictor in the serverfarm chooses a new realserver within the same request.
  If that is really the cause of that problem this would be bug in the cisco ace.
  What we found out, is that the loadbalancer performs a 'Set-Cookie'-Operation an every request even if the client submits the cookie correctly.
  For example:
  GET /ips-opdata/scripts/jquery.js HTTP/1.1
  Host: www.xxxxx.com
  User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15
  Accept: */*
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 115
  Connection: keep-alive
  Referer: http://www.xxxxx.com/
  Cookie: green=R339366665; JSESSIONID=28D91FC6FD62A3921354BB36826294C4
  HTTP/1.1 200 OK
  Set-Cookie: green=R339366665; path=/; expires=Tue, 29-Mar-2011 06:33:00 GMT
  Server: Apache-Coyote/1.1
  X-Powered-By: Servlet 2.4; JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/Tomcat-5.5
  ETag: W/"72181-1298537508000"
  Last-Modified: Thu, 24 Feb 2011 08:51:48 GMT
  Content-Type: text/javascript
  Content-Length: 72181
  Date: Mon, 28 Mar 2011 06:15:19 GMT
  As you can see the cookies: green=R339366665 is transmitted from the client, but the loadbalancer does a Set-Cookie Operation of the same cookie once again. This is an unexpected behaviour.
  We hope that this helps you to figure out the reason of the problem.

  The cookie is sent by the ACE on each response to refresh the timeout value on the client. The value of the cookie doesn't change. This is the expected behaviour and shouldn't break anything in the application / browser.
  For browser-based applications, don't forget to add the "browser-expire" parameter to your cookie-based stickyness config.

• HTTP POST with advance balance cookies

  Hello
  I am trying to keep a session sticky for 20 mins based on cookies. The problem is the application is using HTTP POSTs and the balance method only looks into the HTTP GET. How can I get the CSS to look into the HTTP POST?
  Any examples would be great.
  Thanks.
  Donagh

  Hi Gilles
  Thanks for your reply. I have obviously been misinformed about the POST and the GET. That is good but now I don't have an answer to my problem!! I am balancing on a cookie called ASP.NET_SessionId=
  Here is my config
  content Toughbook_PDAs
  vip address 10.40.21.28
  add service w2k-eolasprd1
  add service w2k-eolasprd2
  protocol tcp
  port 80
  string prefix "ASP.NET_SessionId="
  sticky-inact-timeout 20
  advanced-balance cookies
  active
  I have attached a trace and I am looking for
  ASP.NET_SessionId=1w0cql550wou04albf4jrjfoy45
  Hopefully my config is incorrect.
  Thank You
  Donagh

• ACE sticky cookie value

  Hello,
  I have a following configuration:
  sticky http-cookie STICKY_TMP STICKY_TMP
  cookie insert ...
  Cookies are sent and stickiness works. Everything is ok... Almost :-)
  Now I have a question regarding value of cookies created by ACE.
  Currently cookies have values that look like this "R4224709512"
  Is it possible to change this value so it reflects the target node that processes requests for this sticky session. This cookie could contain i.e. ip address of real server.
  Arrowpoint cookie on CSS1150 worked this way...
  Another question. How do I identify this cookie value with sticky-entries in "show sticky database static" output?
  This command doesn't show anything like R4224709512, but only numbers like 18293255029648678255
  best regards
  Kuba

  I am using ACE with version A3(2.1).
  The “sticky-entry” in "show sticky data static"is a hash of the cookie-value set by ACE for the real server. so you need to use "show sticky database http-cookie " to determine which server are serving the client.
  ACE-1/routed(config-pmap-lb-c)# do show sticky database http-cookie
  sticky group : web-sticky
  type : HTTP-COOKIE
  timeout : 5 timeout-activeconns : FALSE
  sticky-entry rserver-instance time-to-expire flags
  ---------------------+----------------------+--------------+-------+
  16820511103801384579 lnx1:0 0 -
  sticky group : web-sticky
  type : HTTP-COOKIE
  timeout : 5 timeout-activeconns : FALSE
  sticky-entry rserver-instance time-to-expire flags
  ---------------------+----------------------+--------------+-------+
  3347854103021350619 lnx2:0 0 -
  ..sometimes they'd only show up w/ the static instead of the cookies option for some reason.
  found some explanation about this:
  http://docwiki.cisco.com/wiki/Session_Persistence_Using_Cookie_Learning_on_the_Cisco_Application_Control_Engine_Configuration_Example
  There is a difference between inserting an ACE-generated cookie or using one learned by the ACE. The cookie-insert feature creates a static cookie.
  To look at static cookies you need to use the command:
  show sticky database static
  if you try static cookie (cookie inserted by ACE), the value is placed in the static sticky table at the time of configuration...
  so no need to send traffic, once the static sticky config is in place, you should see an entry with 'show sticky database static'.
  Do not try to filter the table with some other parameters...they do not work until A2(1.4)
  There are 2 database:
  One for static entries and one for dynamic entries.
  Every show command that does not include the static keyword will look into the dynamic database.
  So, you won't see anything by using those commands.
  You could perform some test to identify which cookie is sent to which server.
  The cookie value is static, so the number of value is limited to the number of servers.
  There is a dynamic cookie learning feature available in ACE.
  Kinly tell me if you want to discuus about that.
  Kindly rate if possible.
  Kind regards,
  Sachin garg

• What is behavior for cookie-http-only?

  I noticed cookie-http-only property available in 9.2 and also 10.3 but what exactly does enabling this do?
  The documentation isn't very clear.
  "Specifies whether HttpOnly cookies are enabled. When this element is set to true, all session cookies would be unavailable to the browser scripts. The default value is true. Therefore, HttpOnly cookies are enabled by default."
  Does that mean it will make my jsessionid as httponly? In 9.2, enabling this property didn't do this.
  Does it just mean it will honor httponly settings? But that would be on the browser end.
  Does it mean it will make my other session cookies as httponly and not jsession id?
  Please clarify

  Smart Mailboxes don't do anything to messages except list them. The messages must reside somewhere else. If the message is deleted from wherever it lives, or if it no longer satisfies the search criteria that define the Smart Mailbox, it will no longer appear. For example, suppose the Smart Mailbox specifies "unread" messages. Once the message has been read, it will not appear in that Smart Mailbox the next time it is opened.

• ACE static cookie

  I leverage "cookie insert broswer-expire" to use ACE generated static cookie.
  Now I add some additional "static cookie-value "xxx" rserver xxx", in order to make cookie more "meanful" and would be easier for troubleshooting.
  But how can I activate the new static cookie, since the previous static cookit never expires? thanks.

  If I understand you question correctly then
  you would like to configure cookie string value when using the COOKIE insert feature.
  This was possible in CSS using string command.
  With ACE currently you cannot configure a cookie-value for the cookie that is inserted by ACE (-- using cookie-insert feature). ACE
  always automatically add a cookie value for the cookie it inserts.
  This cookie value is similar to R2482639152
  If you use
  static cookie-value "xxx" rserver yyy"
  The static cookie option will only work if a client happens to come in with
  the cookie=xxx. Then that connection will be stuck to rserver yyy.
  Syed

• ACE with sticky http-cookies across two server farms issue

  Hi,
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman","serif";}
  We need the same sticky http cookie to applied to two server farms (which are actually the same servers but listening on different ports in each farm) to persist sessions to the same real backend server.
  e.g.
  Farm1 (front end HTTP service) - StickyGroup1
  rserver1 - 192.168.0.1:80
  rserver2 - 192.168.0.2:80
  rserver3 - 192.168.0.3:80
  Farm2 (SSL front end authentication service) - StickyGroup2
  rserver1 - 192.168.0.1:443
  rserver2 - 192.168.0.2:443
  rserver3 - 192.168.0.3:443
  We have setup two Sticky Groups (one for each of the farms above) both using the same cookie name e.g. cookieXYZ
  Our service is behind a single virtual server configured as follows (example URL and addresses):
  Virtual Server Configuration
  Virtual server name: www.somedomain.com
  Virtual IP: 2.2.2.2
  TCP/443 (https)
  SSL Termination - Proxy service name: www.somedomain.com (all keys and certs loaded and correct)
  L7 Load Balancing - **inline** rule match HTTP URL:(/AuthenticateMe/).*  Action : Sticky, Group: StickyGroup2, SSL Initiation enabled (www.somedomain.com)
  Default L7 Load Balancing action : Sticky, Group: StickyGroup1
  So normally we would expect users to first hit www.somedomain.com first and therefore Farm1, get cookieXYZ from the ACE (cookie insert is only enabled on StickyGroup1) and then be redirected to www.somedomain.com/AuthenticateMe which matches the inline URL L7 rule which directs the request at Farm2 - at this point we expected the ACE to use cookieXYZ to persist the user to the same real server hit in Farm1 but instead the stickiness doesn't seem to work.
  We suspect that the ACE uses IP:port as the unique value in the Cookie ID and therefore the ACE fails to match the same real host in a different farm because we are using a mix of port numbers across farms. Is this correct? Is there another way of accomplishing what we are after with a different configuration but still the same setup with single VIP and multiple services on the backend servers?
  Any suggestions or solutions appreciated.
  Thanks
  Paul

  The issue is related to the fact that it's not about persistence because there are only "new" services in the backend in SSL, you want to keep the IP address.
  With a little bit of dev, the only way to acheive this is to redirect the user when he has been sent to http and adding a "tag" (cookie / token in the URL), then on the SSL virtual server, when performing SSL offload matching this tag to send to user to the right server. But it will be a 1-to-1 mapping.

• ACE - Balance HTTP and sticky only SSL/TLS

  Hi there,
  I have a situation that I am trying to solve. We have lot of services trough ACE, but now I have to modify one of them, PROXY servers. 
  I have six (6) servers working with Sticky, but with a MASK 255.255.255.0, which produce an unbalanced situation some times, and that affect some servers on depending of how many users connected to that server. We have between 40K and 50K conns in that serverfarm, but in Sticky terms we have arround 700 /24 subnets.
  I want to modify the configuration, specificaly the MASK to 255.255.255.255, which is going to increase a lot Sticky resources. But thinking in optimize Sticky resources, I want to know if there is a way to select only e-commerce, Home Banking or other kind of SSL/TSL traffic (always using port 80 trough proxy servers), so I could use Sticky only  for connections that need it, and leave other HTTP traffic without this feature.
  I´m sorry, may be I'm doing a silly question, but don´t have the experience to make this configuration, and I will apreciate your help.
  Here is the actual configuration:
  probe tcp HTTP
    description Keepalive web servers
    interval 20
    passdetect interval 30
  rserver host Server1
    ip address 10.1.1.1
    inservice
  rserver host Server2
    ip address 10.1.1.2
    inservice
  rserver host Server3
    ip address 10.1.1.3
    inservice
  rserver host Server4
    ip address 10.1.1.4
    inservice
  rserver host Server5
    ip address 10.1.1.5
    inservice
  rserver host Server6
    ip address 10.1.1.6
    inservice
  serverfarm host PRX
    failaction purge
    predictor leastconns
    probe HTTP
    rserver Server1
      inservice
    rserver Server2
       inservice
    rserver Server3
      inservice
    rserver Server4
      inservice
    rserver Server5
      inservice
    rserver Server6
      inservice
  sticky ip-netmask 255.255.255.0 address source sticky-PRX
    timeout 60
    serverfarm PRX
  class-map match-any VIP-PRX
    2 match virtual-address 10.10.10.101 tcp eq www
  policy-map type loadbalance first-match POLICY-L7-PRX
    class class-default
      sticky-serverfarm sticky-PRX
  policy-map multi-match PRX-Balance
    class VIP-PRX
      loadbalance vip inservice
      loadbalance policy POLICY-L7-PRX
      loadbalance vip icmp-reply
  interface vlan 100
    ip address 10.10.10.11 255.255.255.0
    alias 10.10.10.10 255.255.255.0
    peer ip address 10.10.10.12 255.255.255.0
    no normalization
    access-group output SOLO-SLB
    service-policy input PRX-Balance
  Thanks
  Alexis

  You might want to check out this new product called ITD.
  Simple and faster solution:
  ITD provides :
  ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
  No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
  Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
  Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
  IP-stickiness
  Resilient (like resilient ECMP)
  VIP based L4 load-balancing
  NAT (available for EFT/PoC). Allows non-DSR deployments.
  Weighted load-balancing
  Load-balances to large number of devices/servers
  ACL along with redirection and load balancing simultaneously.
  Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
  Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
  Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
  The servers/appliances don’t have to be directly connected to N7k
  Monitoring the health of servers/appliances.
  N + M redundancy.
  Automatic failure handling of servers/appliances.
  VRF support, vPC support, VDC support
  Supported on both Nexus 7000 and Nexus 7700 series.
  Supports both IPv4 and IPv6
  N5k / N6k support : coming soon
  Blog
  At a glance
  ITD config guide
  Email Query or feedback:[email protected]

• Load balancing FTP/HTTP on same VIP

  Hi,
  Please could someone confirm if it is possible to load balance FTP and HTTP on same VIP? Would something like this work in a one-armed design?
  class-map match-any WCVS
    2 match virtual-address 20.0.0.1 tcp eq www
    4 match virtual-address 20.0.0.1 tcp eq ftp
  policy-map multi-match int3
    class WCVS
      loadbalance vip inservice
      loadbalance policy VS-l7slb
      inspect ftp
      nat dynamic 5 vlan 20
  int vl20
  service-policy input int3

  Hello,
  I assume you want to ultimately use cookie sticky, since it is in your config, but not yet used.  The '80' next to the rservers within the serverfarm will keep FTP from working because that will force the ACE to always use a destination port of 80 to the rservers, which is good for HTTP, but not so good for FTP.  Below is your config with some modifications.  I've created a new serverfarm for FTP, created a new probe for that farm, included HTTP cookie-sticky, and created a new L7 policy-map.  There is one line that I would like you to remove and see if it works.  If it does not, then add this line and see if it works.
  Let me know how it goes...
  logging enable
  logging buffered 6
  access-list ALL line 8 extended permit ip any any
  access-list ALL line 16 extended permit icmp any any
  probe http Probe_HTTP
    interval 5
    passdetect interval 60
    expect status 200 200
    open 2
    receive 2
  probe tcp Probe_FTP
    port 21
    interval 5
    passdetect interval 60
    open 2
    receive 2
  rserver host Server1
    ip address 10.10.10.10
    conn-limit max 4000000 min 4000000
    inservice
  rserver host Server2
    ip address 10.10.10.11
    conn-limit max 4000000 min 4000000
    inservice
  serverfarm host FARM-HTTP
    probe Probe_HTTP
    rserver Server1 80
      conn-limit max 4000000 min 4000000
      inservice
    rserver Server2 80
      conn-limit max 4000000 min 4000000
      inservice
  serverfarm host FARM-FTP
    probe Probe_FTP
    rserver Server1
      conn-limit max 4000000 min 4000000
      inservice
    rserver Server2
      conn-limit max 4000000 min 4000000
      inservice
  sticky http-cookie XXX_tempCookie XXX_tempCookie
    cookie insert
    serverfarm FARM-HTTP
  class-map type management match-any Management
    201 match protocol http any
    202 match protocol https any
    203 match protocol icmp any
    204 match protocol kalap-udp any
    205 match protocol ssh any
    206 match protocol telnet any
    207 match protocol xml-https any
  class-map match-any XXX-WCVS-WWW
    2 match virtual-address 10.10.10.100 tcp eq www
  class-map match-any XXX-WCVS-FTP
    2 match virtual-address 10.10.10.100 tcp eq ftp
    3 match virtual-address 10.10.10.100 tcp range 1023 65535   <-- try first without this, then with this
  class-map match-any NAT-VIP
    2 match destination-address 10.10.10.100 255.255.255.255
  policy-map type management first-match Management
    class Management
      permit
  policy-map type loadbalance first-match XXX_VS-l7slb-WWW
    class class-default
      sticky-serverfarm XXX_tempCookie
  policy-map type loadbalance first-match XXX_VS-l7slb-FTP
    class class-default
      Serverfarm FARM-FTP
  policy-map multi-match int3
    class XXX-WCVS-WWW
      loadbalance vip inservice
      loadbalance policy XXX_VS-l7slb-WWW
    class XXX-WCVS-FTP   
      loadbalance vip inservice
      loadbalance policy XXX_VS-l7slb-FTP
      inspect ftp   
    class NAT-VIP
      nat dynamic 5 vlan 12
  interface vlan 12
    ip address 10.10.10.1 255.255.255.0
    alias 10.10.10.3 255.255.255.0
    peer ip address 10.10.10.2 255.255.255.0
    access-group input ALL
    nat-pool 5 10.10.10.100 10.10.10.100 netmask 255.255.255.0 pat
    service-policy input Management
    service-policy input int3
    no shutdown
  ip route 0.0.0.0 0.0.0.0 10.10.10.254

• Advance Balance and Https pages

  Hello,
  I have setup load blancing on our web server, using a content rule and services, with Protocol tcp and any port.
  I find that it will allow Https traffic through when the Advance Balance option is not enabled but i get a "server or DNS error" when i have A.B enabled.
  My switch is the former Arrowpoint CS-100 software ver 3.02.
  Help!!
  Pearl

  the type of "Advanced Balance" option selected is important. Note that the HTTPS traffic is encrypted so we can NOT do any advanced balance that needs to look at the payload (it's encrypted so the CSS can NOT see it). The "advanced-balance sticky-srcip" would work.
  Cookies can't be used because they are encrypted,
  SSL is not useful as IE will change the SSL session ID,
  URL can't be used because it's encrypted.

• ACE VIP OK HTTP, NOK other TCP port

  Hi,
  we are having issues in configuring load balancing for a TCP port. For HTTP it's working without issues and we have the ACE also balancing for other TCP ports.
  Here goes the relevant config:
  probe http PROBE-HTTP
    interval 5
    passdetect interval 2
    passdetect count 1
    request method get url /idc/
    expect status 200 200
  probe tcp PROBE-TCP
    port 4444
    interval 5
    passdetect interval 10
  rserver host PRD1
    ip address 10.10.10.1
    inservice
  rserver host PRD2
    ip address 10.10.10.2
    inservice
  serverfarm host SF-HTTP
    probe PROBE-HTTP
    rserver PRD1 80
      inservice
    rserver PRD2 80
      inservice
  serverfarm host SF-TCP
    probe PROBE-TCP
    rserver PRD1 4444
      inservice
    rserver PRD2 4444
      inservice
  sticky ip-netmask 255.255.255.255 address source SC-IP-PRD-HTTP
    timeout 10
    serverfarm SF-HTTP
  class-map match-all NAT-VIP-HTTP
    2 match virtual-address 10.10.35.1 any
  class-map match-all NAT-VIP-TCP
    2 match virtual-address 10.10.35.1 tcp eq 4444
  policy-map type loadbalance first-match LB-VIP-HTTP
    class class-default
      sticky-serverfarm SC-IP-PRD-HTTP
      insert-http x-forward header-value "%is"
  policy-map type loadbalance first-match LB-NAT-VIP-TCP
    class class-default
      serverfarm SF-TCP
  policy-map multi-match POLICY-RSERVER-VIP
    class NAT-VIP-TCP
      loadbalance vip inservice
      loadbalance policy LB-NAT-VIP-TCP
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 200
    class NAT-VIP-HTTP
      loadbalance vip inservice
      loadbalance policy LB-VIP-HTTP
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 200
  interface vlan 200
    description SERVER-SIDE
    ip address 10.10.14.2 255.255.255.0
    alias 10.10.14.1 255.255.255.0
    peer ip address 10.10.14.3 255.255.255.0
    access-group input EVERYONE
    nat-pool 1 10.10.4.6 10.10.4.6 netmask 255.255.255.255 pat
    service-policy input AllowICMP
    service-policy input POLICY-RSERVER-VIP
    no shutdown
  The probe are OK, but nothing seems to get to the VIP:
  ACE/CTX# show probe PROBE-TCP
  probe       : PROBE-TCP
  type        : TCP
  state       : ACTIVE
     port      : 4444    address     : 0.0.0.0         addr type  : -
     interval  : 5       pass intvl  : 10              pass count : 3
     fail count: 3       recv timeout: 10
                         --------------------- probe results --------------------
     probe association   probed-address  probes     failed     passed     health
     ------------------- ---------------+----------+----------+----------+-------
     serverfarm  : SF-TCP
       real      : PRD1[4444]
                         10.10.10.1     8853       1          8852       SUCCESS
       real      : PRD2[4444]
                         10.10.10.2     8853       1          8852       SUCCESS
  ACE/CTX# show serverfarm SF-TCP detail
  serverfarm     : SF-TCP, type: HOST
  total rservers : 2
  active rservers: 2
  description    : -
  state          : ACTIVE
  predictor      : ROUNDROBIN
  failaction     : -
  back-inservice    : 0
  partial-threshold : 0
  num times failover       : 0
  num times back inservice : 1
  total conn-dropcount : 0
  Probe(s) :
      PROBE-TCP,  type = TCP
                                                  ----------connections-----------
         real                  weight state        current    total      failures
     ---+---------------------+------+------------+----------+----------+---------
     rserver: PRD1
         10.10.10.1:4444      8      OPERATIONAL  0          0          0
           max-conns            : -         , out-of-rotation count : -
           min-conns            : -
           conn-rate-limit      : -         , out-of-rotation count : -
           bandwidth-rate-limit : -         , out-of-rotation count : -
           retcode out-of-rotation count : -
           load value           : 0
     rserver: PRD2
         10.10.10.2:4444      8      OPERATIONAL  0          0          0
           max-conns            : -         , out-of-rotation count : -
           min-conns            : -
           conn-rate-limit      : -         , out-of-rotation count : -
           bandwidth-rate-limit : -         , out-of-rotation count : -
           retcode out-of-rotation count : -
           load value           : 0
  ACE/CTX# show service-policy POLICY-RSERVER-VIP
  Status     : ACTIVE
  Interface: vlan 1 200
    service-policy: POLICY-RSERVER-VIP
      class: NAT-VIP-TCP
        nat:
          nat dynamic 1 vlan 200
          curr conns       : 0         , hit count        : 0
          dropped conns    : 0
          client pkt count : 0         , client byte count: 0
          server pkt count : 0         , server byte count: 0
          conn-rate-limit      : 0         , drop-count : 0
          bandwidth-rate-limit : 0         , drop-count : 0
        loadbalance:
          L7 loadbalance policy: LB-NAT-VIP-TCP
          VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
          VIP State: INSERVICE
          curr conns       : 0         , hit count        : 0
          dropped conns    : 0
          client pkt count : 0         , client byte count: 0
          server pkt count : 0         , server byte count: 0
          conn-rate-limit      : 0         , drop-count : 0
          bandwidth-rate-limit : 0         , drop-count : 0
        compression:
          bytes_in  : 0
          bytes_out : 0
  I see a lot of this messages in the logging of the ACE:
  show logging | i 4444
  22:02:52 : %ACE-6-302023: Teardown TCP connection 0x18b6 for vlan200:10.10.14.2/26768 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1051 TCP FINs
  22:02:55 : %ACE-6-302022: Built TCP connection 0x14dc for vlan200:10.10.14.2/30318 (10.10.10.1/30318) to vlan200:10.10.10.1/4444 (10.10.14.2/4444)
  22:02:55 : %ACE-6-302023: Teardown TCP connection 0x14dc for vlan200:10.10.14.2/30318 to vlan200:10.10.10.1/4444 duration 0:00:00 bytes 1103 TCP FINs
  22:02:57 : %ACE-6-302022: Built TCP connection 0xc6c for vlan200:10.10.14.2/26784 (10.10.10.2/26784) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
  22:02:57 : %ACE-6-302023: Teardown TCP connection 0xc6c for vlan200:10.10.14.2/26784 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1103 TCP FINs
  22:03:02 : %ACE-6-302022: Built TCP connection 0x151a for vlan200:10.10.14.2/26800 (10.10.10.2/26800) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
  show logging | i 4444
  22:02:52 : %ACE-6-302023: Teardown TCP connection 0x18b6 for vlan200:10.10.14.2/26768 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1051 TCP FINs
  22:02:55 : %ACE-6-302022: Built TCP connection 0x14dc for vlan200:10.10.14.2/30318 (10.10.10.1/30318) to vlan200:10.10.10.1/4444 (10.10.14.2/4444)
  22:02:55 : %ACE-6-302023: Teardown TCP connection 0x14dc for vlan200:10.10.14.2/30318 to vlan200:10.10.10.1/4444 duration 0:00:00 bytes 1103 TCP FINs
  22:02:57 : %ACE-6-302022: Built TCP connection 0xc6c for vlan200:10.10.14.2/26784 (10.10.10.2/26784) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
  22:02:57 : %ACE-6-302023: Teardown TCP connection 0xc6c for vlan200:10.10.14.2/26784 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1103 TCP FINs
  22:03:02 : %ACE-6-302022: Built TCP connection 0x151a for vlan200:10.10.14.2/26800 (10.10.10.2/26800) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
  The client request it's going trough an ASA, in the ASA side I see that the TCP connection it' half-open with SAaB flags. It seems that the VIP never replies with SYN+ACK to the ASA...
  Thank you.
  Best regards

  Hi Norberto,
  The log messages you are getting are most probably the probe connections and not a failure, looking to them you will see your ACE is establishing TCP connection on 4444 then it will teardown the connection with FIN which is expected since you are using TCP keepalives.
  I would recommend to go back and define the problem exactly, what are you exteriancing when you try to telnet on port 4444 toward the VIP from the client?
  Run sniffing software on the client, the server and enable capture on ACE and ASA will give you exact idea what you are experiencing.
  Note: The ASA and the ACE has great capture feature which will show you exactly the packet flows.
  Note: Since you are applying NAT on the client requests, you should see the NATed IP address on the server capture.
  Note: With L4 load balancing the ACE is not spoofing the clients' request, it just forward the SYN, SYN+ACK and ACK between the server and the client.
  Let me know if you have any other questions.
  Best regards,
  Ahmad

• Arrowpoint cookie HTTP Only flag set.

  Hi All,
  I have a site running an application on which we have identified a vulnerability we wish to close. The CSS11501 is using the advance balance arrowpoint cookie method, however tests are showing that the HTTP only parameter is not set. I am unable to find a way of doing this at present. Does anyone know how to acheive this?
  Until I can do so there is a remote possibilty I am leaving my application open to cross site scripting attacks.
  Microsoft use the HTTPOnly cookie option which sets a HTTPOnly flag. he following url has some information for review.
  Thanks in advance for your help.
  Alfie...

  Alfie,
  your security test tool assume the CSS is a webserver and therefore complains when seeing some missing *flag*.
  However, you won't be able to attack the CSS with whatever method that works against a webserver.
  We have our own onboard DOS feature.
  So, there is no option to use this microsoft HTTPOnly flag because there is no need for it.
  Make sure the servers behind the CSS are protected and have your HTTPOnly flag.
  Gilles.

• ACE Module Cookie Parsing causes Reset Connection

  I am trying to upgrade my ACE Modules from A2(1.3) to A2(3.2) . Unfortunately, the cookie parsing breaks when there are illegal characters and causes a connection reset (RST) when there is an invalid cookie, but only on code later than A2(1.3).
  The cookie in question is being passed by a third party so making them change the cookie is not necessarily do-able. The cookie has the following value:
  Cookie:  CurrentUser={"UserKey":{"Key":"anonymous"},"LastUpdated":"10/13/2010 1:35:52 PM"}
  We are using the following parameter map:
  parameter-map type http CASE_PARAM
    case-insensitive
    persistence-rebalance
    set header-maxparse-length 20480
    length-exceed continue
  On the older code, the request is passed on to the server.
  Is there a setting similar to "length-exceed continue" that I can give the ACE to tell it to ignore cookies it cannot parse?

  HTTP inspection is not enabled.
  Did you mean adding a class-default to the policy-map?
  Adding it to the policy-map does make it match the class-default. Unfortunately, cookie parse errors result in the inability to parse both the cookie and the host header as well. It seems that rather than just failing to parse the cookie and being unable to do sticky matching - it completely fails the entire header parsing.
  Here's our setup:
  rserver host test1
    ip address 192.168.1.101
    inservice
  rserver host test2
     ip address 192.168.1.102
     inservice
  rserver host test3
     ip address 192.168.1.103
     inservice
  rserver host test4
     ip address 192.168.1.104
     inservice
  serverfarm host auto
    probe HTTP-diagnostic
    rserver test1
      inservice
    rserver test2
      inservice
  serverfarm host news
    probe HTTP-diagnostic
    rserver test3
      inservice
    rserver test4
      inservice
  sticky http-cookie autoCookie auto-cookie
    cookie insert browser-expire
    replicate sticky
    serverfarm auto
  sticky http-cookie newsCookie news-cookie
    cookie insert browser-expire
    replicate sticky
    serverfarm news
  class-map type http loadbalance match-any auto
    2 match http header Host header-value "www.auto.local"
    3 match http header Host header-value "auto.local"
  class-map type http loadbalance match-any news
     2 match http header Host header-value "www.news.local"
     3 match http header Host header-value "news.local"
  class-map match-all prod_VIP
    2 match virtual-address XXX.XXX.XXX.XXX tcp eq www
  policy-map type loadbalance first-match prod_POLICY
    class auto
      sticky-serverfarm auto-cookie
    class news
      sticky-serverfarm news-cookie
    class class-default
      sticky-serverfarm auto-cookie
  policy-map multi-match aggregate-slb-apps
    class prod_VIP
      loadbalance vip inservice
      loadbalance policy prod_POLICY
      loadbalance vip icmp-reply active
      loadbalance vip advertise
      appl-parameter http advanced-options CASE_PARAM

• Can ACE encrypts cookies?

  I just implemented ACE 4710, A3(2.4) in our network. It is doing loadbalancing with ssl termination. I configured stickiness using server cookies.  My client is telling me cookie is sent in clear text on the Inernet.  Is there a way on ACE to encrypt it?
  your help is greately appreciated.

  This is just not possible.
  The cookie is part of the http header and the complete http data (header + content) is encrypted in the same SSL connection.
  So not possible.
  Have your customer send you the sniffer trace showing the problem.
  Gilles.

• WCF service fronted with SSL enabled NGINX load balancer shows HTTP based WSDL url instead of HTTPS

  Hi,
  I have WCF service hosted using IIS 8.5 on application server. And application servers are fronted with NGINX load balancer with SSL enabled. Backend communication protocol between NGINX to application server is http. 
  When customer visits public domain url (https://xxx.com/service.svc), they can see the WSDL url with http://xxx.com/service.svc?wsdl. 
  What change should I make so that WSDL url will have https instead of http ? 
  This is service side configuration.
  <system.serviceModel>
      <services>
        <service name="Service.IService">
          <endpoint address="" binding="basicHttpBinding" bindingNamespace="http://xyz.com/Service" name="Service_Endpoint" contract="Service.IService" />
        </service>
      </services>
      <bindings>
        <basicHttpBinding />
      </bindings>
      <client />
      <behaviors>
        <serviceBehaviors>
          <behavior>
            <serviceThrottling maxConcurrentCalls="5000" maxConcurrentInstances="2147483647" maxConcurrentSessions="5000" />
            <serviceMetadata httpGetEnabled="true" />
            <serviceDebug includeExceptionDetailInFaults="true" />
          </behavior>
        </serviceBehaviors>
      </behaviors>
      <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
    </system.serviceModel>
  Thanks in advance !!

  Hi,
  For this scenario, you could just enable SSL in IIS to get HTTPS endpoints. If your service is exposed at https then you configure the same using “httpsGetEnabled”:
  <behaviors>
  <serviceBehaviors>
  <behavior
  name="MyServiceTypeBehaviors"
  >
  <serviceMetadata
  httpGetEnabled="true"
  />
       </behavior>
  </serviceBehaviors>
  </behaviors>
  For more information, you could refer to:
  http://www.codeproject.com/Articles/327260/What-s-new-in-WCF-Automatic-HTTPS-endpoint-for
  http://blogs.msdn.com/b/brajens/archive/2007/04/26/accessing-description-metadata-wsdl-of-wcf-web-service.aspx
  Regards