ACE VIP OK HTTP, NOK other TCP port

Similar Messages

• HTTP/HTTPS on the same ACE VIP - best practice

  I currently have a VIP representing one server farm that contains two http servers:-
  class-map match-all VIP-HTTP-xxxxx.co.uk
  2 match virtual-address 10.79.18.10 tcp eq www
  class-map match-all VIP-SSL-xxxxx.co.uk
  2 match virtual-address 10.79.18.10 tcp eq https
  I have port 80 and 443 open on the VIP and SSL termination performed on the ACE (both http servers are the same and configured for default load balancing behaviour - I've also specified port 80 for ACE to server traffic). Having 80 and 443 on the same VIP (meaning the site can be accessed via one NAT'd external IP) came from a request from the business so the site can have one domain.
  The majority of the http server(s) web content is standard http but there is a specific sub-directory of interactive forms that requires https termination.
  I have a couple of queries with regards to URL re-writes:-
  1) Is the SSL URL re-write functionality limited to just the host part of the URL or can the ACE enforce https for specific sub-directories, i.e. can the ACE intercept and re-write a URL if a user tries to go to a particular https page/directory using http (by just deleting the s from the URL within their browser)? A possible example being:-
  ssl url rewrite location "www\.cisco\.com\secure-forms"
  2) Can the ACE re-direct users back to a standard http page if they try to 'secure' their session by changing http to https within their browser (basically the opposite of the above).
  Basically as I have 80 and 443 on the same VIP I'm interested in the best practice methods of enforcing http and https content segregation using just the ACE (as opposed to having Apache doing the re-writes, etc).
  Web services functionality (in terms of SSL and URL re-writes) has traditionally fallen within the domain of a dedicated web development team (who use Apache, Tomcat, etc.) but the introduction of the ACE as a load balancing appliance that is primarily managed by the networks team but with functionality that crosses traditional team boundaries has resulted in lots of questions from web development around what functionality can be moved from Apache, etc. and onto the ACE?
  Any advice or personal experiences would be gratefully received.
  Thanks
  Matthew

  Back again!
  Could someone possibly cast their eye over the following config?
  The only bit I'm not sure on (syntactically and whether it can even be done on the ACE) is how to specify a DO NOT match regular expression, i.e. how to capture https URLs that do not match my secure pages so I can re-direct the request back to the normal http URL (class-map type http loadbalance Non-Secure_Pages). What I'd like to avoid is re-directing requests that don't need to be, i.e. re-directing all requests that don't match /secure back to http when the majority will be correctly going to a normal http URL :-
  rserver host server1
  description *** HTTP server 1 ***
  ip address 10.100.194.2
  inservice
  rserver host server2
  description *** HTTP server 2 ***
  ip address 10.100.194.3
  inservice
  rserver redirect REDIRECT_TO_HTTPS
  webhost-redirection https://www.website.co.uk/%p 302
  inservice
  rserver redirect REDIRECT_TO_HTTP
  webhost-redirection http://www.website.co.uk/%p 302
  inservice
  class-map type http loadbalance Secure_Pages
  match http url /secure.*
  class-map type http loadbalance Non-Secure_Pages
  *** DO NOT *** match http url /secure.*
  class-map match-all VIP-HTTP-website.co.uk
  2 match virtual-address 10.79.18.10 tcp eq www
  class-map match-all VIP-SSL-website.co.uk
  2 match virtual-address 10.79.18.10 tcp eq https
  policy-map type loadbalance first-match VIP-LB-HTTP-website.co.uk
  class Secure_Pages
  serverfarm REDIRECT_TO_HTTPS
  class class-default
  serverfarm serverfarm-website.co.uk
  policy-map type loadbalance first-match VIP-LB-SSL-website.co.uk
  class Non-Secure_Pages
  serverfarm REDIRECT_TO_HTTP
  class class-default
  serverfarm serverfarm-website.co.uk
  serverfarm host serverfarm-website.co.uk
  failaction purge
  rserver server1 80
  probe PING_SERVER
  probe http-website.co.uk
  inservice
  rserver server2 80
  probe PING_SERVER
  probe http-website.co.uk
  inservice
  serverfarm redirect REDIRECT_TO_HTTPS
  rserver REDIRECT_TO_HTTPS
  inservice
  serverfarm redirect REDIRECT_TO_HTTP
  rserver REDIRECT_TO_HTTP
  inservice
  many thanks

• Http probe on non-standard tcp port 8021

  I've configured http probe on standard port 80 with no issue. I'm now trying http probe on non-standard tcp port 8021, confirmed with packet capture to confirm that the CSM is indeed probing, status code 403 is returned but the reals are showing "probe failed". Am I missing something? Thank you in advance.
  CSM v2.3(3)2
  probe 8021 http
  request method head
  interval 2
  retries 2
  failed 4
  port 8021
  serverfarm TEST
  nat server
  no nat client
  real 10.1.2.101
  inservice
  real 10.1.2.102
  inservice
  probe 8021
  vserver TEST
  virtual 10.1.2.100 tcp 8021
  serverfarm TEST
  replicate csrp connection
  persistent rebalance
  inservice
  VIP and real status:
  vserver type prot virtual vlan state conns
  Q_MAS_8021 SLB TCP 10.1.2.100/32:8021 ALL OUTOFSERVICE 0
  real server farm weight state conns/hits
  10.1.2.101 TEST 8 PROBE_FAILED 0
  10.1.2.102 TEST 8 PROBE_FAILED 0

  you need to specify what HTTP response code you expect.
  The command is :
  gdufour-cat6k-2(config-slb-probe-http)#expect status ?
  <0-999> expected status - minimum value in a range
  The default is to expect only 200.
  This is why your 403 is not accepted.
  Gilles.

• ACE Probe Config for Blue Coat Proxy TCP Port 74 NETRJS-4

  We are running 4710's with A5(2.2). We use Blue Coat proxies for our internet connections, specifcally TCP port 74. So when we open up a browser connection to www.cisco.com, the HTTP GET is actually encapsulated in TCP port 74 netrjs-4. We want to load-balance these proxies with ACE and I'm trying to setup health probes, but the only ones that work are the tcp probes PROXY_BCC_PROBE and PROXY_PROBE. I'd like to have health probes that hit external websites, but I'm confused whether the "ip address" Probe sub command is all I need, and netrjs is simple encapsulation of the HTTP request (which is what it looks like on a sniffer). Does anyone have Blue Coat proxies/ACE working? If so, how are your probes configured?
  Thanks,
  probe tcp PROXY_BCC_PROBE
    port 8084
    interval 3
    passdetect interval 3
  probe http PROXY_HTTP1_PROBE
    ip address 198.133.219.25
    port 74
    interval 3
    passdetect interval 3
    request method head url /index.html
    expect status 200 299
  probe http PROXY_HTTP2_PROBE
  ip address 198.133.219.25
    port 74
    interval 3
    request method get url /
    expect status 200 299
  probe tcp PROXY_PROBE
    port 74
    interval 3
    passdetect interval 3

  Hi,
  I have seen this working for one of the customer.
  probe http HTTPGET
    description Tests that www.gmail.com returns 302 redirect
    interval 10
    request method get url http://www.gmail.com
    expect status 302 302
  If I modify your probe :
  probe http PROXY_HTTP1_PROBE
    ip address 198.133.219.25
    port 74
    interval 3
    passdetect interval 3 
  request method get url
    http://www.gmail.com
  expect status 302 302
  Give it a try and see if that helps.
  regards,
  Ajay Kumar

• Can a real Server be applied in two different server farms associated with two different VIP IP and TCP Port

  Good day everyone,
  I have a question in regard to real server operation with different server farms, and VIPs
  Can a Real Server be associated ( for simpliciy) with two different Server Farms that have a VIP associated with each, servicing the same TCP Port (443).
  Example:
  SF-A
  RSRV-1: 192.168.1.10 /24
  RSRV-2: 192.168.1.11 /24
  VIP-A: 192.168.1.20 /24
  VIP-A: https:web-A
  Protocol: HTTPS
  SF-B
  RSRV-2: 192.168.1.11 /24
  RSRV-3: 192.168.1.12 /24
  VIP-B: 192.168.1.30 /24
  VIP-b: https:web-B
  Protocol: HTTPS
  Client-A: 172.16.128.10
  Client-B: 172.16.128.15
  I have attached an sketch depicting the connectivity.
  As always any feedback/Suggestions will be greatly apprecaited.
  Cheers,
  Raman Azizian

  Raman,
  This type of config is no problem. What the server is doing is virtual web hosting. The server would have two different web services running for the same IP, but each listening for a unique host header.
  From an IP point of view both connections would be destined to the rserver address on port 80, but in the http header they would have two different Host headers.
  one for www.example1.com and the second for www.example2.com. If the web server is configured correct so each host name is tied to one web service it will not have any issues.
  The config you attached looks ok. The way you have the sticky group is ok doing source IP. If you use cookies for the sticky group I would suggest you create two sticky groups each with a different cookie name and add the same serverfarm to both groups. The client will only send a cookie for the domain it received it from so using the same cookie in two vips could cause problems if the same client hits both vips.
  Hope that helps
  Regards
  Jim

• CSS -Can TCP port number under the VIP be different to real server TCP Port

  Client
  TCPrt : 80 -----------------------------> CSS VIP to the actual server on TCP port 5555 --------------> Server
  The requirement is that client will send a request to VIP on port 80 and VIP has to forward the request to server on a different port(TCP port 5555).

  Yes its possible.
  Port command under service translates the destination port.
  content whol_eiwebsit_80
  add service srvr1
  add service srvr2
  vip address 128.1.1.1 <-- Vip
  port 80 <-- Listening on port 80
  protocol tcp
  url "/*"
  active
  service srvr1
  ip address 10.10.10.1
  protocol tcp
  port 5555 <-- will translate dest port
  keepalive type tcp
  keepalive port 5555
  active
  service srvr2
  ip address 10.10.10.2
  protocol tcp
  port 5555
  keepalive type tcp
  keepalive port 5555
  active
  HTH
  Syed Iftekhar Ahmed

• ACE session persitence "sticky" TCP port

  Hey guys,
  I trying to work up some configurations on the ACE for performing session persistence "sticky" on the ACE based on source TCP port.  All flows are SSL based therefor, I thought the only option was SSL-ID but I've been running into querky behavior due to clients using IE7.  Evidently there are several cases where IE7 causes the SSL-ID to be regenereated causing this weird behavior.
  Anybody have example configs of the layer4-payload offset, length, etc. to perform sticky based on TCP source port?
  Thanks in advance.
  Paul

  Since source port is not part of the layer 4 payload you cannot  use it for sticky. IE changing ssl id is a known problem (does it every 2 minutes).
  So you are left with:
  terminating SSL on the ace and using cookie sticky (you can always re-encrypt on back end if security demands it)
  or
  source IP sticky (practical only if clients are not behind a proxy  device)

• Vip not responding on a specific port

  Configured a vip to LB between 2 servers ,and also specified to balance urls ,and it is absolutely working on port 11090 ,and this all http traffic
  http://10.12.12.34:11090    ( this vip is working)
  serverfarm host vip-1
    probe PROBE_TCP_11090
    rserver s0adcmmapps1
      inservice
    rserver s0adcmmapps2
      inservice
  sticky ip-netmask 255.255.255.255 address source vip-1_STICKY
    timeout 30
    replicate sticky
    serverfarm vip-1
  class-map match-all vip-1_CLASS
    2 match virtual-address 10.12.12.34 tcp any
  class-map type http loadbalance match-any vip_CLASSURL
    2 match http url /jmx-console/*
    3 match http url /web-console/*
    4 match http url /mediamanager/*
    5 match http url /teams/*
    6 match http url /teamswebservices/*
    7 match http url /artesia-ws/*
    8 match http url /artesia/*
    9 match http url /brs/*
    10 match http url /content/*
    11 match http url /OTMedia/*
    12 match http url .*
    13 match http url /mediamanager
    14 match http url /teams
  policy-map type loadbalance first-match vip-1_POLICY
    class vip_CLASSURL
      sticky-serverfarm vip-1_STICKY
  policy-map multimatch POLICY
  class vip-1_CLASS
      loadbalance vip inservice
      loadbalance policy vip-1_POLICY
      loadbalance vip icmp-reply active
      nat dynamic 2 vlan 2
      appl-parameter http advanced-options CASE_PARAM
  interface vlan 2
    ip address 10.12.13.217 255.255.252.0
    peer ip address 10.12.13.216 255.255.252.0
    mtu 1500
    no normalization
    no icmp-guard
    access-group input ALL
    nat-pool 2 10.12.12.34 10.12.12.34 netmask 255.255.255.255 pat
    service-policy input remote_mgmt_allow_policy
    service-policy input POLICY
    no shutdown
  The same servers ,but this need work on port 11443 and its all https traffic,this past is not working
  serverfarm host vip-https,
    probe PROBE_TCP_11443
    rserver s0adcmmapps1
     inservice
    rserver s0adcmmapps2
      inservice
  sticky ip-netmask 255.255.255.255 address source vip-https_STICKY
    timeout 30
    replicate sticky
    serverfarm vip-https 
  class-map match-all vip-https_CLASS
    2 match virtual-address 10.12.12.34 tcp eq 11443
  policy-map type loadbalance first-match vip-https_POLICY
    class class-default
  sticky-serverfarm vip-https_STICKY
  policy-map multimatch POLICY 
      class vip-https_CLASS
      loadbalance vip inservice
      loadbalance policy vip-https_POLICY
      loadbalance vip icmp-reply active
      nat dynamic 2 vlan 2
  interface vlan 2
    ip address 10.12.13.217 255.255.252.0
    peer ip address 10.12.13.216 255.255.252.0
    mtu 1500
    no normalization
    no icmp-guard
    access-group input ALL
    nat-pool 2 10.12.12.34 10.12.12.34 netmask 255.255.255.255 pat
    service-policy input remote_mgmt_allow_policy
    service-policy input POLICY
    no shutdown
  Thi is not working as application team is trying to access https://10.12.12.34:11443  ,this not working
  when they bypass the vip and access the servers directly https://10.12.12.160:11443 its working fine.Please advise on this

  Hi,
  you can start with checking the status of serverfarm "vip-https" and also check the position of class map "vip-https_CLASS" in polic map "POLICY". Ideally it should be before the  class map "vip_1-CLASS" as the later one is hitting port any, and earlier one is designated for TCP port 11443. So if position of class map matching VIP any is above the "VIP 11443", you will never get HIT on this VIP.
  hope you got my point...

• ACS 5.5 SFTP repository non-standard TCP port

  is it possible to change the TCP port in a SFTP repository from 22 to something different  ?
  like this is not working
  repository sftp1
    url sftp://10.10.0.8:22222/user1
    user user1 password hash bc14bc179d2708cc31cbc22ee6a679cd22c095a1

  There is not much information inside the defect. We've been seeing different customer's experiencing this issue. 
  <B>Symptom:</B>
  SFTP stops working after upgrading to  ACS 5.5
  <B>Conditions:</B>
  once we upgrade to ACS 5.5
  <B>Workaround:</B>
  NA
  Try this one, this should work
  https://tools.cisco.com/bugsearch/bug/CSCum93359/?reffering_site=dumpcr
  Regards,
  Jatin
  **Do rate helpful posts**

• Tomcat Servlet - TCP Port Already in Use?

  My problem is that tomcat/servlet is not releasing its TCP port after my servlet closes the port. Next time a servlet tries to use the port it gets an error "Port already in use". Using netstat I can see the port is still in use. If I stop tomcat and restart it, the port is released. I have not had this sort of problem writing C programs that use sockets.
  My setup is Fedora Core 6 with JDK1.5_14 and Tomcat 5.5.26. I know it's not the latest, but sockets and streams have been around for a long time.
  Actual implementation uses a trivial javaserver page to instantiate a class to create/accept connection from a client (JApplet). After connection, it starts a thread to receive data. I am using ServerSocket(), InputStreamReader(), and OutputStreamWriter(). On ServerSocket I set ReuseAddress to true.
  I have try/catch on all my I/O and use tomcat context log for error and OK messages. Data transfer is perfect. Detect close by client works. In the context log I see close of streams and ServerSocket occur with no exceptions. Then, I manually close the jsp window. No indication of any problems. If I use different port 2nd time (e.g. 50001) it all works perfect. If I use my default (50000) again, servlet gets an error during bind, "Port already in use".
  2.5 years with Java. 5 years with Linux and C.
  Please advise or refer

  rwengr wrote:
  My problem is that tomcat/servlet is not releasing its TCP port after my servlet closes the port. Next time a servlet tries to use the port it gets an error "Port already in use". Using netstat I can see the port is still in use. If I stop tomcat and restart it, the port is released. I have not had this sort of problem writing C programs that use sockets.Nice.... Not sure that matters though.
  >
  My setup is Fedora Core 6 with JDK1.5_14 and Tomcat 5.5.26. I know it's not the latest, but sockets and streams have been around for a long time.
  Actual implementation uses a trivial javaserver page to instantiate a class to create/accept connection from a client (JApplet). Bleah! Don't use a JSP for that. Use a servlet at worst. At best use a Servlet to start some other socket manager class which you can/have tested outside the Servlet Container environment.
  After connection, it starts a thread to receive data. I am using ServerSocket(), InputStreamReader(), and OutputStreamWriter(). On ServerSocket I set ReuseAddress to true.
  I have try/catch on all my I/O and use tomcat context log for error and OK messages. Data transfer is perfect. Detect close by client works. In the context log I see close of streams and ServerSocket occur with no exceptions. Then, I manually close the jsp window. Closing the browser window has no affect on the server.
  No indication of any problems. If I use different port 2nd time (e.g. 50001) it all works perfect. If I use my default (50000) again, servlet gets an error during bind, "Port already in use".
  2.5 years with Java. 5 years with Linux and C.
  Please advise or referShow some code. If you just want some generic advice it would be to close the port, as soon as you don't need it anymore. But you know that. Without any further code I think that is about all that can be said.
  P.S. Make the code as small as possible, compilable, but still demonstrating the problem. Also see: [this tutorial as an example...|http://www.javaworld.com/javaworld/jw-12-1996/jw-12-sockets.html?page=1]

• Read data from serial port or TCP port of frontend PC

  Hello Friends,
  I have requirement to read data from device connected to frontend PC which will provide meter reading data.
  Vendor has given me two option.
  1. Device can be connected to seiral port and data transfer will be done through MODBUS RTU protocol.In that case data need to capture from serial port.
  2. Device can be connected to TCP port and Socket program can be provided for data transfer. In that case SAP will act as client and communicate with TCP port.
  There will be multiple workstation with individual meters connected to them.
  I am aware of text file interfacing through front end tools using custom code using VB,JAVA or others.
  Is there any solution availble  to achieve above things using  ABAP other than text file , like direct communication?
  I am using ECC 6.0.

  Hello,
  Socket programming in not available on ABAP, but you may use RFC for the same.
  Use the below links for more details
  [Link 1|http://help.sap.com/printdocu/core/print46c/en/data/pdf/BCFESDE2/BCFESDE2.pdf]
  [Link 2|http://forums.sdn.sap.com/thread.jspa?threadID=1820233]
  Regards,
  Abhishek

• What TCP ports are used by Push notifications

  I believe my Firewall is blocking Push Notifications on my iPod touch. So, I wanted to discover what the TCP Ports are that are used by Push so I could open those ports to pass packets (info) to my iPod.

  See:
  http://support.apple.com/kb/HT3576
  "If you are still unable to receive notifications and you are using a Wi-Fi connection, verify that the network or firewall is not blocking access to port 5223."

• Single Web Dispatcher listening different TCP port

  Dear experts,
  I would like to post a question regarding Web dispatcher.
  Our present environment has a Web dispatcher binding to single domain which is VeriSign Certified. We have received a requirement to support another CA for SSL authentication at Web Dispatcher since VeriSign is not their trusted partner. Hence, i am exploring the below possibilities.
  1. Configure another port for SSL with same WD instance. Is this possible?
  2. In case point 1 not possible, i will setup another WB instance to listen on differnt TCP port. In this case, is it possible to have two WD binding to single Message Server? The XI version is 7.0.
  Appreciate your views and advices.
  Thanks in advance.
  Regards,
  Ravi

  This guide will help you undrstand the senario, yes it is possible to have to ports in the kind of senario mentioned in the guide.
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60d6de2e-085b-2b10-7a8f-bc9ae1e0bba6
  oher info is available at
  https://websmp109.sap-ag.de/instguides netveaver->2004s->installation->webdispatcher install guide.
  Warm regards,
  Dey

• Unable to telnet on command prompt for udp port 514, but able to on cmd for tcp port 514

  I am unable to telnet on command prompt for udp port 514. But when I use packet snifer or wireshark I am able to see traffic going to the targetted server from udp port 514. I thought it might be a firewall issue blocking the port from communicating. But
  I figured out that windows firewall is disabled. I am able to make similar connections on the cmd for tcp port 514.
  I did a netstat -an and see that udp:514 is enabled and listening on the server.
  What am I missing here?

  Telnet actually supports TCP only. You might want to try another tool as suggested here: http://serverfault.com/questions/263032/how-to-connect-to-a-udp-port-command-line
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Monitor a TCP port but alert only if timed out X times

  Hello,
  I need to build a moniotr that will probe a TCP port but alert only if timed out X times
  I was looking at Microsoft.SystemCenter.SyntheticTransactions.TCPPortCheckProbe module but it doesn't have this options
  Thanks,
  Marius

       You can check 
     http://www.ghacks.net/2010/05/25/tcp-port-monitor-port-alert/
       for TCP Port Monitor Port Alert