ACE: SourceIP-based Loadbalancing
Hi There,
I'm new to this forum and have a question regarding ACE Loadbalancing based on Source-IP.
The customer wants there internal client having full access to the VIP, while clients from Extranet should be limited/redirected to a special URL.
Both (internal/Extranet) should use the same VIP and the same realservers (costs). So far I have only seen configuration examples where based on source-ip, requests were send to different serverfarm with different realservers.
Could I rewrite the URL based on source address as well?
Thanks in advance,
Anke
Hi Pablo,
I tried to adopt your configuration, but get an redirection error (never ending redirection). Maybe I explained not detailed enough ... I want to have a class like your "Internal" - based on source IP. These clients should use rserver like your Web-1 and Web-2 in serverfarm HTTP, but restricted to only one subdomain. Alle other should use every subdomain possible. My class ist called Wiki_Extranet.
I tried the following, but it seems not completely work as I wanted:
rserver redirect Wiki_Extranet_Redirect
webhost-redirection http://7it.wiki.intra.de
inservice
serverfarm redirect Wiki_Extranet_Redirect
rserver Wiki_Extranet_Redirect
inservice
serverfarm host Wiki_SF
probe HTTP_Wiki
probe PING_Wiki
rserver Wiki1
inservice
rserver Wiki2
inservice
rserver Wiki3
inservice
sticky http-cookie JSESSIONID Wiki_http_stickgroup
replicate sticky
serverfarm Wiki_SF
class-map type http loadbalance match-any Wiki_Extranet
10 match source-address 10.127.31.68 255.255.255.255
class-map match-all VIP_Wiki_http
description filter http traffic
2 match virtual-address 10.37.13.10 tcp eq www
policy-map type loadbalance first-match LB_Wiki_http
class Wiki_Extranet
serverfarm Wiki_Extranet_Redirect
nat dynamic 401 vlan 401 serverfarm primary
class class-default
sticky-serverfarm Wiki_http_stickgroup
nat dynamic 401 vlan 401 serverfarm primary
policy-map multi-match Wiki_Balancing
class VIP_Wiki_http
loadbalance vip inservice
loadbalance policy LB_Wiki_http
loadbalance vip icmp-reply active
loadbalance vip advertise active
appl-parameter http advanced-options HTTP_Parameter
If you had time to have a look, would be so helpful.
Thank you - Anke
Similar Messages
-
Hi,
I'm trying to configure a cookie-based slb method which corresponds to my current CSS11503-configuration. Basicly, my CSS performs slb purely based on the content of the arrowpoint-cookie, using the following config:
advanced-balance arrowpoint-cookie
arrowpoint-cookie name WPS6
The cookie contains the real ip of the underlying webserver and the CSS fowards traffic based on that particular content of the cookie. Whenever we need to do an unscheduled shutdown of a webserver, we gracefully take the webserver out of service by setting the weight to 0, but also, my webdepartment have implemented a feature in Websphere, that somehow sends a cookie-expire to both the SESSIONID-cookie and the WPS6 cookie. So once the subsequent http-req hits the CSS, the cookie is gone and the CSS lb'es the req to a diffent server. We've intentionally left out the sticky-option, as it didn't work well with the before mentioned Websphere-feature.
Now I'm trying to configure something similar on the ACE, but so far without luck. I did start by configuring sticky-group with the cookie-insert option and a http-parametermap with persistence-rebalance. But all attempts to recreate the above mentioned scenario, have failed. It's seems, that even with persistence-rebalance, the client-session is still stuck to the webserver and a display of the sticky-database shows, that the sticky-entry persists. Even when I manually delete the cookie-container on the client and verify with the Live-HTTP-plugin, that the subsequent http-req does not contain the WPS6 cookie, the req is still forwarded to the realserver. Even when the real-server is placed in 'inservice standby'.
Is it possible to staticly define a cookie-value for, say, 4 webservers, each with their own unique cookie? And when the initial part of the tcp is completed and the ACE decides which realserver is to be used, it sets a cookie containing that particular value and includes it in the http-response. So if any subsequent http-req's are not containing that cookie, the ACE re-balancences that req and sends it to a different webserver.
/Ulrich
PS! Merry X-masUlrich,
what you're asking for is what ACE does currently.
The static cookies are created at configuration time.
You can see the values with "show sticky cookie-insert"
ie:
switch/Admin# show sticky cookie-insert group portalap
Cookie | HashKey | rserver-instance
------------+----------------------+----------------------------------------+
R4181073320 | 11105909834649097754 | vmware-http/vmware-27:80
R4181109257 | 10017312105356339124 | vmware-http/vmware-28:80
R4183409225 | 15537882249682767338 | vmware-http/vmware-46:80
R4183517036 | 1787657754489574767 | vmware-http/vmware-49:80
Whenever we see the cookie "R...." we check if the associated server is alive and forward the connection to that server.
Otherwise we loadbalance to a new server and include the new cookie in the response.
For established connections, persistence rebalance is indeed required to inspect every request and rebalance the connection to a new server if a new cookie is detected. However ACE will try not to rebalance when not needed.
If you need a new loadbalancing decision each time, you need 'persistence rebalance strict'.
An alternative could be the configuration of 'failaction purge' to force the connection to be terminated when the server goes down.
'inservice standby' is described @ http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1000333
•Tears down existing non-TCP connections to the server
•Allows current TCP connections to complete
•Allows new sticky connections for existing server connections that match entries in the sticky database
•Load balances all new connections (other than the matching sticky connections mentioned above) to the other servers in the server farm
•Eventually takes the server out of service
As you can see, this option still allows connection to the server if it matches a sticky entry.
Gilles. -
ACE MODULE IN BRIDGE MODE NOT LOADBALANCING
Hi,
I setup an ace module in bridge mode as follows:
mfsc(vla80) > (vla80)outside fwsm, fwsm inside(vla40) > (vla40)ace-clientside, aceserverside(vla41)
and the servers have the fwsm svi(vla40) as their gateway. But, the ace is not loadbalancing.
The config script is attached. Is their anything I am missing?
AttachCheck my troubleshooting guide on this forum.
There are few things to do to narrow down the issue.
Gilles. -
ACE not creating session to rserver (sending a RST)
Having a ACE-Deployed for loadbalancing web-requests which are coming from a reverse-proxy. The session persistency is based on the x-forwarded-for HTTP-header entry.
The situation works fine but in certain situations it looks like the ACE (172.16.3.200) is sending a RST shortly after an ACK in direction of the reverse-proxy (172.16.2.10).
Investigating this RST shows me that ACE is not creating a session towards to the real-server, meaning session from reverse-proxy to ACE is there but session from ACE to real-server doesn’t get created (no SYN sent from ACE).
Example:
(1) 11:20:07.677541 src:172.16.2.10 dst:172.16.3.200 proto:TCP info: 38776 > http (SYN)
(2) 11:20:07.677891 src:172.16.3.200 dst:172.16.2.10 proto:TCP info: http > 38776 (SYN, ACK)
(3) 11:20:07.677920 src:172.16.2.10 dst:172.16.3.200 proto:TCP info: 38776 > http (ACK)
(4) 11:20:07.677979 src:172.16.2.10 dst:172.16.3.200 proto:HTTP info: GET /media/global/stylesheets/class.css?v=0.20 HTTP/1.1
(5) 11:20:07.678553 src:172.16.3.200 dst:172.16.2.10 proto:TCP info: http > 38776 (ACK)
(6) 11:20:07.678553 src:172.16.3.200 dst:172.16.2.10 proto:TCP info: http > 38776 (RST, ACK)
Normally, for every session from the reverse-proxy to ACE, ACE creates a session to the real-server. In this particular trace, ACE only creates the incoming one but not the outgoing to the real-server. The real-server is alive at this time, requests just some milliseconds before and after packet four (4) are processed to the same real-server correctly.
Normalization is disabled and we’re running in routed mode.
Any idea why ACE itself doesn’t creates this new session ?I just verified "show stats http" and there is a zero (0) for max parslen errors and static parse errros, so we should be fine on the length and on the value we're expecting.
Here the relevant snippets from the configuration.
sticky http-header X-Forwarded-For STICKY_HTTP-HEADER
timeout 180
serverfarm SF_FRONTEND
class-map type http loadbalance match-all CM_STICKY_HTTP-HEADER
2 match http header X-Forwarded-For header-value ".*"
class-map match-any CM_VIP_FRONTEND
description VIP for FRONTEND
5 match virtual-address 172.16.3.200 tcp eq www
policy-map type loadbalance first-match PM_LB_FRONTEND
class CM_STICKY_HTTP-HEADER
sticky-serverfarm STICKY_HTTP-HEADER
class class-default
serverfarm SF_FRONTEND
I would love to share the broken capture with you (see attached). -
ACE SSL Reverse Proxy for multible URLs
Hi,
I am trying to setup an ACE as a reverse proxy (one-arm mode) for HTTPS connections for multiple URLs to multiple serverfarms. From what i know i have two options:
1. Use different VIP for each URL and do
L4 loadbalancing or use a
combination of IP address and port.
2. Use different VIP for each URL, do
SSL offloading and do L7 URL based
loadbalancing.
So with these options i am bind to use different IPs for each site. Is there a way i can use one VIP and then offload SSL and do URL based loadbalancing? From my knowledge we are restricted by the nature of the SSL. The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the problem is that the SSL session is a separate transaction that takes place before the HTTP session even starts so there is no visibility of the HTTP header.
Any comments appreciated
George GeorgiouGeroge,
your understanding is absolutely correct.
We need to know the site in order to decrypt te traffic because the certificate is associated to a domain name.
But without decrypting, we can't see the domain name.
So, the only way to know the domain without decrypting is to allocate a single ip to each domain.
There is no other solution.
Gilles. -
ACE- From one real server to another VIP
Hi,
I have a problem with ACE;
We have multiple serverfarms configured in the ACE module based on the application and different VIPs related to it. We are running the ACE in bridging mode. Now the requirement is from one serverfarm real server wants communicate to the VIP of the second serverfarm...Is this possible..???? Wil some NATing help in this situation. Below is the configuration.
======================
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
access-list LAN_Traffic remark For all IP Traffic
access-list LAN_Traffic line 10 extended permit ip any any
access-list LAN_Traffic line 20 extended permit icmp any any
probe http PORTAL_HTTP
passdetect interval 20
passdetect count 2
request method get url http://portal
expect status 0 600
probe http RMS_HTTP
request method get url /_wmcs
expect status 0 600
rserver host PORTAL1
ip address 172.22.11.241
inservice
rserver host PORTAL2
ip address 172.22.11.243
rserver host QGLRSPW1
inservice
rserver host RMS01
ip address 172.22.10.12
inservice
rserver host RMS02
ip address 172.22.10.8
inservice
serverfarm host PORTAL
failaction purge
probe PORTAL_HTTP
rserver PORTAL1
inservice
rserver PORTAL2
inservice
serverfarm host RMS
failaction purge
probe RMS_HTTP
rserver RMS01
inservice
rserver RMS02
inservice
class-map match-any PORTAL
2 match virtual-address 172.22.10.166 tcp any
class-map match-any RMS
2 match virtual-address 172.22.10.52 tcp eq www
3 match virtual-address 172.22.10.52 tcp eq https
policy-map type loadbalance first-match RMS-POLICY
class class-default
serverfarm RMS
policy-map type loadbalance first-match PORTAL-POLICY
class class-default
serverfarm PORTAL
policy-map multi-match SFARM-LB-POLICY
class RMS
loadbalance vip inservice
loadbalance policy RMS-POLICY
loadbalance vip icmp-reply active
class PORTAL
loadbalance vip inservice
loadbalance policy PORTAL-POLICY
loadbalance vip icmp-reply active
interface vlan 800
description ACE Client Interface
bridge-group 1
mac-sticky enable
service-policy input SFARM-LB-POLICY
no shutdown
interface vlan 898
description ACE Server Interface
bridge-group 1
mac-sticky enable
no shutdown
interface bvi 1
ip address 172.22.11.151 255.255.252.0
alias 172.22.11.153 255.255.252.0
peer ip address 172.22.11.152 255.255.252.0
description Bridge Group for 800 and 898 Interfaces
no shutdown
ip route 0.0.0.0 0.0.0.0 172.22.8.17
===================================
Pleae help..Thanks in advanceHello!
Well yes it would work. BUT...you have to change your config a bit. First you need to apply your accesslist to both interfaces, or the ACE will reject it, because it is acting as a firewall by default. And second you have to apply the policymap to both interfaces as well or you put the policymap globally on the ACE. -
Using the ACE 4710 for loadbalancing a Sharepoint site.
We currently have a HTTP probe setup to check the port 80 status of the rserver.
Is there anyway to get the HTTP probe to check a DNS entry for each of the application sites? For instance http://info vs http://site are two different web sites running on the same IP. One site could have a problem but the actual port 80 for the IP may be still alive.
Thanks for any information.Has anyone figure this out? I am tring to get healthchecks/probes setup in this same fashion. I have 2 servers with 1 IP but have many sites. I want to probe each side and ensure I get a 200 code. I also have to provide credentials to the site. It seems that if i open IE I can log in just fine to the site with the credentials. However there is an active x control box that is wanting to be installed. When I set this up on my ACE it seems I am getting a http 401 unauthorized error. I have done a wireshark capture while I was browsing and I see the 401 however it also reports a 200 code after that. Do you think this is a problem because of the active x control wanting to be downloaded? Or is this an issue with the first http code that is recieved by the probe, that being the 401 and then the 200? Below is my config (cleaned of course).
probe http HTTP-80-OUR.DOMAIN.COM
interval 15
passdetect interval 60
credentials
request method get url http://our.domain.com/default.aspx
expect status 200 200
header Host header-value "our.domain.com"
open 1
rserver host SERVER-A
ip address X.X.X.47
inservice
rserver host SERVER-B
ip address X.X.X.48
inservice
serverfarm host FARM-AB
predictor leastconns
probe HTTP-80-OUR.DOMAIN.COM
rserver SERVER-A
inservice
rserver SERVER-B
inservice
ACE4710# show probe HTTP-80-OUR.DOMAIN.COM detail
probe : HTTP-80-OUR.DOMAIN.COM
type : HTTP
state : ACTIVE
description :
port : 80 address : 0.0.0.0 addr type : -
interval : 15 pass intvl : 60 pass count : 3
fail count: 3 recv timeout: 10
http method : GET
http url : http://our.domain.com
conn termination : GRACEFUL
expect offset : 0 , open timeout : 1
expect regex : -
send data : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
serverfarm : OUR.DOMAIN.COM-10.25.4.12-L3-FARM
real : SERVER-A[0]
X.X.X.47 80 DEFAULT 414 406 8 FAILED
Socket state : CLOSED
No. Passed states : 1 No. Failed states : 2
No. Probes skipped : 0 Last status code : 401
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Received invalid status code
Last probe time : Wed Jun 2 17:44:18 2010
Last fail time : Wed Jun 2 13:37:04 2010
Last active time : Wed Jun 2 13:34:19 2010
real : SERVER-B[0]
X.X.X.48 80 DEFAULT 414 406 8 FAILED
Socket state : CLOSED
No. Passed states : 1 No. Failed states : 2
No. Probes skipped : 0 Last status code : 401
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Received invalid status code
Last probe time : Wed Jun 2 17:44:20 2010
Last fail time : Wed Jun 2 13:37:06 2010
Last active time : Wed Jun 2 13:34:21 2010 -
ACE FTP issues with "inspect ftp"
Hello.
My clients want to access an FTP server, via ACE, and I am having some issues. They can login and issue only one command... the second command will not be accepted an after a few seconds the prompt shows the message "connection closed by remote host".
I have sniffed traffic and I see that the connection between the client and the ACE has a strange behaviour because ACE open connection to data using an source port of 1039 (it should be 20, since we are usind an active mode client); between the ACE and the real server runs in active mode (I see normal ftp-data packets).
Other strange thing is that I have FWSM and they let traffic pass from ACE to client (they should expect traffic comming from port 20 and not 1039)
I am doing source NAT and ACE is doing all the necessary changes on source IP adresses.
Anyone has seen similar behaviour?
Any help would be appreciated.
In attach I send my config and traffic sniffing.
Thanks in advance.
Joao Ribau
P.S. - client is 10.1.44.98; VIP is 10.1.9.150; real server 10.1.36.124Hello.
I didn´t mentioned this before but the gateway of all my networks is an ACE that is loadbalancing traffic to two firewall clusters. I think this is not important because I have a "catch all" VIP in all my interfaces; I assume that ACE forwards traffic with no restrictions or inspections leaving the inspection job to the firewalls and to the ACE that I use to load balance services.
Don´t think this could be the problem but just to make sure I decided to post it.
Best regards,
Joao Ribau.
P.S. - my configs on the ACE that loadbalance traffic to the firewalls are very straightforward. Serverfarms (interfaces of the firewalls), a class-map with a "catch-all" VIP, policy-map to for the serverfarm, a policy-map to tie the class to the serverfarm and finally a service-policy apllied to each interface. -
ACE & ACE application Firewall
Hi,
What is the difference between ACE appliance and the new ACE web based application firewall appliance? Is it different appliances? Also what is the best scenario to combine the two appliances in the same network?
ThanksCisco ACE Web Application Firewall is a new member of Cisco Application Control Engine (ACE) family of products.The Cisco ACE Web Application Firewall is a reverse proxy that protects important backend resources from security threats or misuse.
For more information about ACE refer the url below:
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/prod_bulletin0900aecd8045859e.html
For information related to ACE Web Application Firewall refer the following url:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_waf/v60/user/guide/waf_ug_intro.html -
i need the best practice of ACE 4710 for loadbalance webserver , application server and database server
i need the best practice of ACE 4710 for loadbalance webserver , application server and database server
Hi,
Check out the belowlink for configuration of ACE 4710 for loadbalancing servers
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/device_manager/guide/UG_lb.html#wp1044682
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/device_manager/guide/UG_lb.html#wp1044806
Hope to help !!
If helpful do rate the post
Ganesh.H -
F5-asm and ace forward and reverse traffic
Hi all,
In our datacentre setup , we have f5 asm & ace- cisco for loadbalancing
in which f5 is configured with self ip& below the selfip,the nodeip is there which is inturn the
virtual ip for Ace t2 context
the incoming traffic on f5 is like
Publicip:xx--> f5.selfip:80-->Ace virtualip:yy
for the ace request handling is of below
Ace.virtualip:yy-->Rserver:xx
but here the issue is that reverse http response flow is some what not analogous
rserver:xx-->f5.selfip:80 & back to the Public ip
myquery is that why the reply back from the rserver is not given back to ace virtual ip, but to the
selfip of f5Good morning,
You need to configure your routing in a way that the return traffic goes through the ACE. If you don't, you may end up in the situation you are seeing
Daniel -
CRM ACE gives authorization error(sy-subrc 4) when executing CRM_ORDER_READ
Hi,
In R pipe, ACE work package is created for ONEORDER service request objects. i have written code in the ACE Class based on the rules required by the business. in that code, i need to call the function module, CRM_ORDER_READ to get the related products and partners of the service request object guid that is being passed. this function module gives me no_change_authority error which is sy-subrc = 4, even though i have given my user id, FULL(read, write,delete) access in the ACE workpackage.
Any suggestions?
thanks,
Anisha.Hi Benoit ,
Thanks for your reply , can you please tell me how we can use CRM_ORDER_INITIALIZE FM , what exporting parameters should I pass :
CALL FUNCTION 'CRM_ORDER_INITIALIZE'
EXPORTING
it_guids_to_init = lt_guid
EXCEPTIONS
error_occurred = 1
OTHERS = 2.
Thanks & regards,
Akhilesh Bhagat. -
ACE Routing Load-Balance problem
I'm trying to configure a routing load-balance with Cisco ACE Module based on the following scenario:
local users has a router (R1) as it default gateway, this router (R1) has a default route to the VIP that represent the serverfarm with two linux servers that should be used for Data Shaping over the WAN. I need to balance the traffic over the two linux servers and not necessary over the WAN.
The problem is that when I set up the local network router default route to VIP the routing process simply stop work ! If I change the route to the real server ip address everything start working again without any problem.
Follow the configs:
Local network Router - Static route
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ip route 0.0.0.0 255.255.255.0 10.0.0.1 (VIP address)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Follow the ACE configs:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
access-list 100 line 8 extended permit ip any any
rserver host rout001
ip address 10.0.0.32
inservice
rserver host rout002
ip address 10.0.0.31
inservice
serverfarm host BLC_ROUTING
predictor leastconns
rserver rout001
inservice
rserver rout002
inservice
class-map match-any VIP
2 match virtual-address 10.0.0.1 any
class-map type management match-any mgmt
2 match protocol icmp any
3 match protocol telnet any
4 match protocol ssh any
policy-map type management first-match access
class mgmt
permit
policy-map type loadbalance first-match INT_router
class class-default
serverfarm BLC_ROUTING
policy-map multi-match VIP
class VIP
loadbalance vip inservice
loadbalance policy INT_router
loadbalance vip icmp-reply
interface vlan 6
bridge-group 10
access-group input 100
service-policy input access
service-policy input VIP
no shutdown
interface vlan 8
bridge-group 10
access-group input 100
service-policy input access
service-policy input VIP
no shutdown
interface bvi 10
ip address 10.0.0.5 255.255.255.0
no shutdown
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I tried to change some parameters like "transparent" at serverfarm config and change the "predictor" method to "hash address source" but there was no good results at all.
Anyone has any idea why this process is not working ?
Is there any special configuration for this scenario ?
Regards,
RicardoRicardo,
What is this route ??
ip route 0.0.0.0 255.255.255.0 10.0.0.1 (VIP address)
You can't have 0.0.0.0/24.
You must be missing something ?
Also, since the vip is part of a vlan with subnet 10.0.0.0/24 you don't need to add a static route to reach that vip.
It should normally be directly connected to your router.
With the static route, do you see traffic coming to the ACE module ?
Does it loadbalance to the server ?
'show service-policy detail' check the packet counters
Gilles. -
ACE match http url with post data
I need to make a layer-7 load balancing decision at the ACE module based on a URL string that includes form POST data. It is important that the balancing decision include and parse the part of the URL after the question mark. This doesn't seem to work with the "match http url" config on the ACE. My interpretation is that the ACE does not consider the POST data to be part of the URL string, and therefore does not include it in the regular expression matching. Am I missing something here, or have I run into a limitation of the ACE module?
class-map type http loadbalance match-any L7__URL_MATCH_CLASS
2 match http url index.php\?field=content.*Hi
The '?' has a special meaning in the URL. It means the end of the main URL and the beginning of the URL query.
Its not possible to match ? in the url.
One option could be using secondary cookie matching in ACE.
class-map type http loadbalance match-any xyz
2 match http cookie secondary field cookie-value content
Thanks
Syed -
ACE - x-forwarded-for equivalent for other protocols than HTTP
Hello you guys
Need your help. I have an ACE architecture based on source-nat but I want to have the real source IP info on the destination real server.
For HTTP packets I can set up x-forwarded-for, but is there a way to do the same for other TCP protocols? And, just for the fun of it, UDP also?
Best wishesHi,
it is designed specifically for HTTP. ACE cannot insert the same to any other protocol.
Even if you look at the commands it says :
"insert-http x-forward header-value "%is"
which itself indicate that it is desinged for HTTP. This is a process of adding a header to HTTP message.
Hope that helps.
regards,
Ajay Kumar
Maybe you are looking for
-
GR Price different from PO price
Hi Experts, We are continuously having a scenario wherein the per unit price at time of GR is showing more than then PO per unit price. The new price is relevant and fair too. As an example: In PO per unit price is Rs 150/-, quantity 100 units. So to
-
Shared photo streams on/off switch not visible
Just trying to set up Shared Phot Streams on my iPad and my parents. Got as far as setting one up on ours, and the email has arrived OK on my parents, with a link to Join this Photo Stream. When I click on the link, I get a prompt to Join this Photo
-
Radius Authentication for FWSM
Hello, this is my first posting so I apologize if I accidentally disobeyed any posting rules. Thank you to any and all that respond. My problem is setting up Authentication to my FWSM through my Radius server. My Radius server is set up by the ASDM,
-
For a long time now I have been looking for a fast useful organizer that will allow me to organize my research PDFs, financial documents, etc. Basically trying to go towards a paperless home office if possible, and at the same time using it to keep u
-
Did anyone have this problem?Please Read
Can anyone tell me if they had the problem that the screen froze with a song's info. You can still listen to songs but the screen DOES NOT change. I can even turn it off but the screen will not shut off. Does anyone know how to fix this??