ACE WEBHOST-REDIRECT logic

Hi guys.
Recenty I see the following config.
rserver redirect REDIRECT-TO-HTTPS
webhost-redirection https://%h%p 301
inservice
serverfarm redirect REDIRECT-SERVERFARM
rserver REDIRECT-TO-HTTPS
inservice
I suspect this is a generic config to rewrite a redirection sent from rsever to client when it sends a http redirection and the client need to do a https conection.
My question is: this configuration will rewrite all redirect? What happens if the redirect sent from real server need to reach the client as http (not translated)
Thanks in advance.

Hi David,
The above configuration is for ACE to redirect and not "Rserver". So if a user comes on http://xyz.com and you want ACE to redirect it to https"//xyz.com, you use above configuration. Now there will be a class-map condition as well as policy maps and hence ACE will redirect only those requests which will match the condition. Also, redirect and rewrite are two different functions. If you want the ACE to intercept server response and rewrite it, then you should have a look at "URL Rewrite as well as SSL rewrite" features. Again you will have proper configurations place for ACE to decide what to rewrite and what not.
Let me know if you have any questions.
Regards,
Kanwal

Similar Messages

Cisco ACE A2(2.0) - webhost-redirection

Hello,
We are currently running the version ACE A2(2.0), pretty old one on Cisco ACE Module. We have applied webhost-redirection https://%h%p 302 but it doesn't seem to take effect and always go back to the host header value.
Is it a bug or a missing feature within A2(2.0) build ?
Please assist.
Thanks.

Also is there a way to check in ACE logs as to what are the redirects taking place to identify any issues etc.
Thanks.

Use ACE to redirect or insert a WWW in a client request

I am using ACE 4710s running 4.1 to load balance web traffic across our web server farms. Redirection is configured to redirect http to https. There is a new requirement to redirect a request that does not include the "www" in the URL to include the "www". In other words, if a client merely types "mytesturl.com/test1" the ACE is to redirect or rewrite and insert the www so the request becomes"www.mytesturl.com/test1". I am searching through the documentation, but thought I would pick the collective brains of the community at the same time to see who can come up with the correct answer first. Below is a sample of the working config.
Thanks in advance,
mb
rserver host RS_TEST_01
description ***Test Producation Host***
ip address 10.64.64.45
inservice
rserver redirect RD_EC
description ***TEST Sub-Site***
webhost-redirection https://www.test.com/EC/
inservice
rserver redirect http
webhost-redirection https://%h%p 301
inservice
serverfarm redirect REDIRECT
rserver http
    inservice
serverfarm host SF_TEST
rserver RS_TEST_01 80
    inservice
serverfarm redirect SF_EC
description ***Test Sub-Site***
rserver RD_EC
    inservice
sticky ip-netmask 255.255.255.0 address both STICKY_TEST_1
timeout 600
replicate sticky
serverfarm SF_TEST
ssl-proxy service SSL_TEST_1
key TEST_KEY
cert TEST_CERT
chaingroup VERISIGN
ssl advanced-options SSL_TERMINATION
class-map match-any TEST_VIP_01
description ***VIP for TEST***
2 match virtual-address 10.64.74.45 tcp eq https
class-map type http loadbalance match-all TEST_EC
2 match http url /ec*
policy-map type loadbalance first-match LB_TEST_01
description ***Load Balancing Policy for Test***
class TEST_EC
    serverfarm SF_EC
policy-map type loadbalance first-match LB_REDIRECT
description L7SLBPolicy-Redirect
class class-default
    serverfarm REDIRECT
policy-map multi-match NEW_WEB_POLICY
class TEST_VIP_01
    loadbalance vip inservice
    loadbalance policy LB_TEST_01
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_TEST_1
interface vlan 474
description ***Front End VIP interface***
ip address 10.64.74.254 255.255.255.0
alias 10.64.74.252 255.255.255.0
peer ip address 10.64.74.253 255.255.255.0
access-group input TEST_WEB
service-policy input TEST_WEB_POLICY
no shutdown

Hi Michael,
The configuration to achieve this would be something like the one below. I wrote it without trying it in the lab first, so, make sure to test it before putting it in production (specially the syntax of the regular expressions)
rserver redirect http
webhost-redirection https://%h%p 301
inservice
rserver redirect http_and_www
webhost-redirection https://www.%h%p 301
inservice
serverfarm redirect REDIRECT
rserver http
    inservice
serverfarm redirect REDIRECT_and_www
rserver http_and_www
    inservice
class-map type http loadbalance match-all http_with_www
2 match http header Host header-value www.*
policy-map type loadbalance first-match LB_REDIRECT
description L7SLBPolicy-Redirect
class http_with_www
    serverfarm REDIRECT
class class-default
    serverfarm REDIRECT_AND_WWW
I hope this helps
Daniel

ACE http redirect on probe fail & others

Hi everyone,
I have multiple http based application running on 2 servers and they all be referenced behind the publised VIP from the load balancer.
The probes are already there, applications are accessed but one criteria from the business is not to fail the whole server for one application. There is some independance between the apps that if one fails, the other would need to still load balanced.
I would like, if the application fails on both server, to maybe be able to redirect to another URL any request for a particular App/URL.
Any suggestions ?

Hi,
To not declare a real server down if one of its applications fail, you should configure your probes in your serverfarm, and (if not already done) create a serverfarm per application.
If you want to be able to redirect a request send to a failed serverfarm, you can configure a backup serverfarm in you L7 policy map like this:
serverfarm name1 backup name2
The second serverfarm should then be of the type:
serverfarm redirect name2
webhost-redirection relocation_string [301 | 302]
where the relocation_string is the URL that should be used, 301 is permanently moved and 302 is temporarily.
For the relocation_string, you can use following special characters:
%h Inserts the hostname from the request Host header
%p Inserts the URL path string from the request
Mor info can be found in this doc:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/slbgd.html
Hope this helps.
Kr,
Dario

ACE: URL redirect - not working

Hi,
I've to do url redirection from port 80 to port 443. I've following configured:
rserver redirect url.test.com-rd
webhost-redirection https://url.test.com/
inservice
serverfarm redirect url.test.com:80
description url.test.com - port 80 redirect ***
rserver url.test.com-rd
    inservice
class-map match-any url.test.com:80
2 match virtual-address 192.168.1. tcp eq www
policy-map type loadbalance first-match url.test.com:80
class class-default
    serverfarm url.test.com:80
policy-map multi-match LOAD_BALANCE
   class url.test.com:80
    loadbalance vip inservice
    loadbalance policy url.test.com:80
    loadbalance vip icmp-reply active
===
with above configuration, ACE is redirection port 80 to port 443 but it also rewrites the header. i.e. ACE send me to
"https://url.test.com/" if I type "http://url.test.com/abc" in the browser. It should have redirected to "https://url.test.com/abc" ( it shouldn't have removed "/abc")
could you advice how to accomplish it.
Thanks in advance...

Hi,
thanks pablo. but that isn't expected response. redirected url shows the load balanced server. i.e. for the following serverfarm of port 443:
serverfarm host url.test.com:443
description url.test.com - Port 7777 ***
failaction purge
probe url.test.com:7777
rserver server1.test.com 7777
    inservice
redirected url comes as "http://server1.test.com:7777/abc/" ...instead of what I expect .i.e. i expect "
https://url.test.com/abc/"

ACE 4710 Redirect to Different Server Farm based on URL

I have a weblogic 11 serverfarm where i want to redirect to a different serverfarm based on the URL. I am able to do it and it appears to be working however I am having issues with the cookies. I seem to be getting logged out of our App when switching between the serverfarms. Is there any way to fix this issue? My configuration is below.
Thanks!
-Andy
Generating configuration....
crypto chaingroup WWW-PROD-CHAINGROUP
cert AddTrustExternalCARoot.crt
cert COMODOHigh-AssuranceSecureServerCA.crt
access-list allow line 8 extended permit ip any any
probe http HTTP_PROBE
port 7001
interval 10
passdetect interval 5
request method get url /login.jsp
expect status 200 299
connection term forced
probe icmp PROBE_SERVICE_ICMP
interval 5
passdetect interval 5
receive 5
probe tcp TCP7001_PROBE
port 7005
interval 5
passdetect interval 5
receive 3
connection term forced
open 2
rserver redirect REDIRECT-TO-HTTPS
webhost-redirection https://%h%p 301
inservice
rserver host WLS11Host1
ip address 192.168.211.250
inservice
rserver host WLS11Host2
ip address 192.168.211.14
inservice
serverfarm redirect REDIRECT-SERVERFARM
rserver REDIRECT-TO-HTTPS
inservice
serverfarm host SPEND-FARM
probe HTTP_PROBE
rserver WLS11Host1 7001
inservice
serverfarm host WLS11FARM
probe HTTP_PROBE
rserver WLS11Host2 7001
inservice
parameter-map type http HTTP-PARM
persistence-rebalance
set secondary-cookie-start none
parameter-map type http PARSE
persistence-rebalance
set header-maxparse-length 8192
length-exceed continue
parameter-map type ssl SSL_MAP
cipher RSA_WITH_RC4_128_MD5
cipher RSA_WITH_RC4_128_SHA
cipher RSA_WITH_3DES_EDE_CBC_SHA
cipher RSA_WITH_AES_128_CBC_SHA
cipher RSA_WITH_AES_256_CBC_SHA
sticky http-cookie ACE_COOKIE-7001 7001_STICKY
cookie insert browser-expire
serverfarm WLS11FARM
replicate sticky
sticky http-cookie ACE-COOKIE-SPEND SPEND_STICKY
cookie insert browser-expire
serverfarm SPEND-FARM
replicate sticky
ssl-proxy service WWW-PROD-SSLPROXY
key client_ssl.pem
cert pastar.crt
chaingroup WWW-PROD-CHAINGROUP
ssl advanced-options SSL_MAP
class-map type http loadbalance match-any HTTP-MARKETING
2 match http url /index.html
class-map type http loadbalance match-any HTTPS-SPEND
2 match http url /spend/.*
class-map type http loadbalance match-any L5
2 match http url /.*
class-map match-all WLS-7001-CLASS
2 match virtual-address 192.168.215.28 tcp eq www
class-map match-all WLS11-HTTPS-CLASS
2 match virtual-address 192.168.215.28 tcp eq https
policy-map type loadbalance first-match HTTPS
class HTTPS-SPEND
sticky-serverfarm SPEND_STICKY
insert-http x-forward header-value "%is"
class L5
sticky-serverfarm 7001_STICKY
insert-http x-forward header-value "%is"
policy-map type loadbalance first-match WLS11-7001-Policy
class HTTP-MARKETING
sticky-serverfarm 7001_STICKY
insert-http x-forward header-value "%is"
class HTTPS-SPEND
serverfarm REDIRECT-SERVERFARM
class L5
serverfarm REDIRECT-SERVERFARM
policy-map multi-match WLS11-SLB
class WLS-7001-CLASS
loadbalance vip inservice
loadbalance policy WLS11-7001-Policy
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1000
appl-parameter http advanced-options HTTP-PARM
class WLS11-HTTPS-CLASS
loadbalance vip inservice
loadbalance policy HTTPS
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1000
appl-parameter http advanced-options PARSE
ssl-proxy server WWW-PROD-SSLPROXY
interface vlan 1000
ip address 192.168.215.27 255.255.255.0
access-group input allow
nat-pool 1 192.168.215.28 192.168.215.28 netmask 255.255.255.255 pat
service-policy input WLS11-SLB
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.215.1
snmp-server community poweradvocaterw group Network-Monitor

Hi,
So when you come with " http url /index.html", you go to "sticky-serverfarm 7001_STICKY" and ACE must be inserting sticky "ACE_COOKIE-7001". Now when you get redirected because you match "HTTPS-Spend", ACE will loadbalance the request which will now come on HTTPS and insert sticky " ACE-COOKIE-SPEND". That's why i guess you see two sticky entries. Now i guess ACE will keep the connection to servers in "sticky-serverfarm SPEND_STICKY" or you see that ACE is not doing the same or you expected the ACE to send the requested to "sticky-serverfarm 7001_STICKY" even though it matches the HTTPS-Spend class-map condition?
Regards,
Kanwal

ACE - HTTPS redirection

Hi,
How to configure the ACE to redirect a https request to different url.
For example
Clients requesting https://www.mycompany.com shall be redirected to https://www1.mycompany.com.
Please let me know.Thanks in Advance

Hi Gilles,
I am having the certificate and the key.
Please check the config and confirm whether this looks fine or not.
I am using GSS to resolve www.mycompany.com and www1.mycompany.com
probe http Server1
interval 15
passdetect interval 60
request method head url /keepAlive.html
expect status 200 202
open 10
parameter-map type ssl PARAMMAP_SSL_TERMINATION
cipher RSA_WITH_3DES_EDE_CBC_SHA
cipher RSA_WITH_AES_128_CBC_SHA priority 2
cipher RSA_WITH_AES_256_CBC_SHA priority 3
rserver redirect HTTPS-REDIRECT
conn-limit max 4000000 min 4000000
webhost-redirection https://www1.mycompany.com.au 301
inservice
serverfarm host SFARM_HTTPS
rserver Server1_http 80
inservice
serverfarm redirect https-redirect
rserver HTTPS-REDIRECT
inservice
ssl-proxy service SSL_PSERVICE
key MYKEY.PEM
cert ACE-SP2.CER
ssl advanced-options PARAMMAP_SSL_TERMINATION
class-map type http loadbalance match-any HTTPS1
2 match http header Host header-value "www[.]mycompany[.]com"
class-map type http loadbalance match-any HTTPS2
2 match http header Host header-value "www1[.]mycompany[.]com"
policy-map type loadbalance first-match HTTPS
class HTTPS1
serverfarm https-redirect
class HTTP2
serverfarm SFARM_HTTPS
class class-default
serverfarm SFARM_HTTPS
policy-map multi-match HTTPS-PM
class HTTPS-RED
loadbalance vip inservice
loadbalance policy HTTPS
loadbalance vip icmp-reply active
ssl-proxy server SSL_PSERVICE
Also let me know know if there is any another way to configure the redirection other than matching host header.
Thanks in Advance

ACE URL Redirect

Hello,
I am trying to redirect inbound connections from http://foo.com to http://foo.com/this/is/a/test 301. The relevant portion of the redirect config is as follows:
rserver redirect RD_QA_ANONYMOUS_LOGIN
description Redirect Inbound Connections to Anonymous Login Page
webhost-redirection https://foo.com/this/is/a/test 301
inservice
serverfarm redirect SF_QA_ANON_LOGIN
description Redirect Inbound Connections to Anonymous Login Page
rserver RD_QA_ANONYMOUS_LOGIN
    inservice
parameter-map type http REDIRECT
description Redirect Inbound Connections to Anonymous Login Page
case-insensitive
persistence-rebalance
class-map match-any RD_PORTAL_QA_VIP_1
description ***VIP for QA Customer Portal***
2 match virtual-address 10.145.19.135 any
class-map type http loadbalance match-all RD_QA_ANON_01
2 match http header Host header-value ".*foo.com/"
policy-map type loadbalance first-match LB_RD_EXTPORTAL_QA_1
class RD_QA_ANON_01
    serverfarm SF_QA_ANON_LOGIN
policy-map multi-match EXT_TEST_POLICY
class RD_PORTAL_QA_VIP_1
    loadbalance vip inservice
    loadbalance policy LB_RD_EXTPORTAL_QA_1
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options REDIRECT
Right now, the client is not receiving the redirect message, only a FIN. I've tried several variations of the above config, with no success. Any ideas?
Thanks,
Michael

Hello Kanwal,
Good question. The answer is yes, both. The first goal was to enable redirection without SSL. After that was working, then next goal was to enable SSL. Working with TAC, we came up with the following config, which enabled the redirection with SSL. BTW: The SSL config was already in place. I am adding the SSL config for the sake of completeness. Also we are re-writing headers in both directions:
crypto chaingroup CHAINGROUP
cert ROOT
cert WC_INTER_1
cert WC_INTER_2
rserver redirect RD_REDIRECT_SERVICE
webhost-redirection https://%h/this/is/a/test 301
inservice
rserver host RS_REAL_SERVER_01
ip address 10.10.10.10
inservice
serverfarm host SF_REAL_SERVERFARM_01
rserver RS_REAL_SERVICE_01 1000
    inservice
serverfarm redirect SF_REDIRECT_SERVICE
rserver RD_REDIRECT_SERVICE
    inservice
parameter-map type http REWRITE
description Enable Header Rewrites
persistence-rebalance
header modify per-request
parameter-map type ssl SSL_TERMINATION
cipher RSA_WITH_RC4_128_MD5
cipher RSA_WITH_RC4_128_SHA
cipher RSA_WITH_3DES_EDE_CBC_SHA
cipher RSA_WITH_AES_128_CBC_SHA
cipher RSA_WITH_AES_256_CBC_SHA
sticky ip-netmask 255.255.255.0 address both STICKY_SERVERFARM_01
timeout 600
replicate sticky
serverfarm SF_REAL_SERVERFARM_01
action-list type modify http MODIFY_HEADER_LIST
header rewrite response location header-value "http://inside[.]foo[.]net(.*)" replace "https://outside.foo.com%1"
header rewrite response location header-value "http://inside[.]foo[.]com(.*)" replace "https://outside.foo.com%1"
header rewrite request Host header-value "outside\.foo\.com" replace "inside.foo.com"
ssl url rewrite location "outside\.foo\.com%1"
ssl-proxy service SSL_WC_01
key WC_KEY
cert WC_CERT
chaingroup RAPID_SSL
ssl advanced-options SSL_TERMINATION
class-map match-any VIP_1
2 match virtual-address 10.10.10.210 any
class-map type http loadbalance match-any LB_L7
2 match http url /.*
class-map type http loadbalance match-all REDIRECT_01
2 match http url /
policy-map type loadbalance first-match LB_POLICYMAP_1
class REDIRECT_01
    serverfarm SF_REDIRECT SERVICE
class LB_L7
    sticky-serverfarm STICKY_SERVERFARM_01
    action MODIFY_HEADER_LIST
policy-map multi-match MM_POLICY
class VIP_1
    loadbalance vip inservice
    loadbalance policy LB_POLICYMAP_1
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 60
    appl-parameter http advanced-options REWRITE
    ssl-proxy server SSL_WC_01

ACE port redirection message to client

Hi,
I need to configure a new VIP so that if the requests come on port 80 it sends a redirection message to clients saying to try on port HTTPS://*:9443, is the configuration below correct?
rserver host server1
description host1
ip address 1.1.1.1
probe probe-http
inservice
rserver host server2
description host2
ip address 1.1.1.2
probe probe-http
inservice
serverfarm host sfarm1
rserver server1
    inservice
rserver server2
    inservice
rserver redirect sfarm1_redirect_9443
webhost-redirection https://%h:9443%p 301
inservice
serverfarm redirect sfarm_redirect_9443
rserver sfarm1_redirect_9443
    inservice
class-map match-all VIP_HTTP
description Match HTTP
2 match virtual-address 2.2.2.2 tcp eq www
class-map match-all VIP_HTTPS
description Match HTTPS
2 match virtual-address 2.2.2.2 tcp eq 9443
policy-map type loadbalance first-match http_Redirect_Policy
class class-default
    serverfarm sfarm_redirect_9443
policy-map type loadbalance first-match https_9443
class class-default
    serverfarm sfarm1
policy-map multi-match VIPS
class VIP_HTTP
    loadbalance vip inservice
    loadbalance policy http_Redirect_Policy
    loadbalance vip icmp-reply active
class VIP_HTTPS
    loadbalance vip inservice
    loadbalance policy https_9443
    loadbalance vip icmp-reply active

Hi,
%h and %p are usually used when host and path remain same as is the case in redirection from http to https.
You can also use the actual hostname and path if the above doesn't work. I think it should work but i haven't tested it before.
You can try something like below:
webhost-redirection https://test.com:9443 301
Let me know how it goes.
Regards,
Kanwal

ACE/Server redirects

I'm looking for some guidance/thoughts on a problem I'm coming across. I have an SSL termination configuration as follows:
Client to VIP:80 does redirect to VIP:443
Client to VIP:8080 does redirect to VIP:8443
Client to VIP:443 load balances to Real:80
Client to VIP:8443 load balances to Real:8080
On the real server I'm running apache on 80 and tomcat on 8080.
Apache handles the main site while Tomcat handles java applets/authentication/etc.
The problem we're encountering is when apache needs to hand off to tomcat and the reverse. What's the best way to accomplish this while maintaining the connection to the same real server. What is happening is that the ACE is re-load balancing the request to a different real.
Thanks.

you could use static cookies [ cookie insert ].
Since you have 2 serverfarms, you'll get 2 different set of cookies.
So, for each sticky group, you need to learn the cookie value associated with each rserver.
Then for the other group, configure a static entry for each cookie value.
Do the same for each group.
Learning the cookie value requires the use of a sniffer. Sniff traffic going to the ACE slot. Open a connection to the vip and see which server is being used and what cookie value is returned. Delete the cookie and repeat until you get the cookie value for each server.
This is the only idea I have right now.
Gilles.

ACE 4710 Redirection based on incoming Spanish Language

I have a customer that wants to redirect incoming traffic to a different url or host based on the end users language. Spanish in particular. What is the best way to accomplish this task with the least amount of issues.
Stan

If you capture a sniffer trace of any HTTP traffic, you will see that every request contains a line like this :
"Accept-Language: de"
So, in this example the request contains information that the browser accept German (DE).
If you sniff a request from a spanish browser, you should see a similar line with the "SP" letters.
Then with ACE, you can match those requests with a class-map like below :
AceC6k2/Admin(config)# class-map type http load Spanish
AceC6k2/Admin(config-cmap-http-lb)# match http heade Accept-Language header-value sp
AceC6k2/Admin(config-cmap-http-lb)#
Then inside your policy-map you can use this class-map to differentiate spanish request from the others.
policy-map type
AceC6k2/Admin(config)# policy-map type loadbalance http first-match Web
AceC6k2/Admin(config-pmap-lb)#
AceC6k2/Admin(config-pmap-lb)# class-map Spanish
<.....do something here for spanish browsers .....>
AceC6k2/Admin(config-pmap-lb)# class class-default
<..... do something here for the other browsers ......>
gilles.

ACE port redirection problem

I am using standard http port 80 in front end (between the end user and ACE module ) and I am using port 9080 for backend (between the ACE and servers).
I don't want the port number 9080 to show up in the url
http://www.Trading.com:9080/ANTOnline
how can i hide the port 9080 from the end user

Try this config:
rserver host Server001
ip address 10.1.1.1
inservice
rserver host Server002
ip address 10.1.1.2
inservice
serverfarm host SF001
probe CHECK.HTML
rserver Server001 9080
inservice
rserver Server002 9080
inservice
class-map match-all R001
2 match virtual-address 1.1.1.1 tcp eq www
policy-map type loadbalance first-match P001
class class-default
serverfarm SV001
policy-map multi-match L4-LB
class R001
loadbalance vip inservice
loadbalance policy P001
loadbalance vip icmp-reply
It should solve your problems

ACE Port redirection

Hi,
I am configuring load balancing for my web server which running on port 3636. But for users I want to give only http://172.23.15.87. not http://172.23.15.87:3636
Earlier I was having CSS in which I am able to achive this by creating two content rules one for the port 80 and one for port 3636. But here I dont know how to achieve it.
rserver MOSS_1
ip address 192.168.200.38
inser
rserver MOSS_2
ip address 192.168.200.40
inservice
serverfarm host SF_MYEM
probe PROBE_3636
rserver MOSS_1
inservice
rserver MOSS_2
    inservice
sticky ip-netmask 255.255.255.255 address source SF_MYEM_STICK
replicate sticky
serverfarm SF_MYEM
class-map match-any MYEM
2 match virtual-address 172.23.15.87 tcp eq 3636
policy-map type loadbalance first-match PM_LB_MYEM
class class-default
    sticky-serverfarm SF_MYEM_STICK
policy-map multi-match PM_ENOC_Servers
class MYEM
    loadbalance vip inservice
    loadbalance policy PM_LB_MYEM
    loadbalance vip icmp-reply active
Please let me know how to configure it so that users in the browser only put the VIP without the port 3636.

Hi,
I have tried the configuration but only port 80 is working I am not able to open the page
on port 3636.
rserver host MOSS_1
ip address 192.168.200.38
inservice
rserver host MOSS_2
ip address 192.168.200.40
inservice
serverfarm host SF_EM
probe PROBE_3636
rserver MOSS_1 3636
    inservice
rserver MOSS_2 3636
    inservice
serverfarm host SF_MY
probe PROBE_TCP
rserver MOSS_1
    inservice
rserver MOSS_2
    inservice
sticky ip-netmask 255.255.255.255 address source SF_MY_STICK
replicate sticky
serverfarm SF_MY
sticky ip-netmask 255.255.255.255 address source SF_MYEM_STICK
replicate sticky
serverfarm SF_MYEM
class-map match-any MYEM
3 match virtual-address 172.23.15.87 tcp eq www
class-map match-any MY
2 match virtual-address 172.23.15.86 tcp eq www
policy-map type loadbalance first-match PM_LB_MYEM
class class-default
    sticky-serverfarm SF_MYEM_STICK
policy-map type loadbalance first-match PM_LB_MY
class class-default
    sticky-serverfarm SF_MY_STICK
policy-map multi-match PM_ENOC_Servers
class MYEM
    loadbalance vip inservice
    loadbalance policy PM_LB_MYENOC
    loadbalance vip icmp-reply active
class MY
    loadbalance vip inservice
    loadbalance policy PM_LB_MYENOC
    loadbalance vip icmp-reply active
interface vlan 200
service-policy input PM_ENOC_Servers
I can ping the VIP and I can telnet on port 3636 successfully. But Web page is not showing for port 3636 but the website on port 80 is working fine.
Please assist me what I am missing.

Ace Redirect and re-write

Can anybody point me in the right direction for changing the URL when the ACE is performing the redirection?
I have the standard ace redirection to HTTPS set up and it is working fine.
I have a wildcard certificate *.abc.com but when the application was being tested the URL abc.com kicks up a certificate error in the browser.
Not sure if I should have set the CN as *acb.com when ordering it but its done now.
I am wanting to redirect when http://abc.com is put in the client browser to https://www.abc.com
I have tried reading these forums and using header rewrite to change the location on response but it just doesn't seem to work.
I have tried deleting/renaming/replacing the host header on request and rewrite/delete on response. Tried all sorts of regex nothing works.
I can insert a header so I know the action is being hit, just can't seem to change the host on request or location on response.
Any idea's?
I am guessing the inner workings only allow for modification of these headers when the redirects are being done by the server and the headers are passing through the load balancer.
on latest 5(2.1) version
example of one I tried
action-list type modify http ABC_MODIFY
header rewrite response location header-value "https://abc(.*)" replace "https://www.abc%1"
then applied to policy redirect map

I tried another approach which seemed to work.
rserver redirect RED2A
webhost-redirection https://www.%h 302
inservice
rserver redirect RED2
webhost-redirection https://%h 302
inservice
serverfarm redirect RED2-VIP-IN
rserver RED2
inservice
serverfarm redirect RED2A-VIP-IN
rserver RED2A
inservice
class-map type http loadbalance match-any RED2A-VIP-IN
2 match http header Host header-value "abc.com"
class-map match-any RED2-VIP-IN
2 match virtual-address x.x.x.x tcp eq www
..etc
policy-map type loadbalance first-match RED2-VIP-IN-LB-POLICY
class RED2A-VIP-IN
serverfarm RED2A-VIP-IN
class class-default
serverfarm RED2-VIP-IN
this seemed to redirect the abc.com to https://www.abc.com and the other requests like other.abc.com to https://other.abc.com
I tried regex for the header value match like [^\.]abc.com and ^abc.com but these didn't seem to match.

ACE Redirect not working

We have a ACE redirect configured on 3 physically seperate ACE modules with the following config. It works on one ACE Module and not on the other 2.
Capture on the ACE and sniffer gives this error.R [bad tcp cksum 2d41!] ACE sends resets to the client. Anyone run into this issue?
The software version is   system:    Version A2(1.0a) [build 3.0(0)A2(1.0a)
rserver redirect Test
webhost-redirection http://www.test.com
inservice
serverfarm redirect Test
rserver Test
    inservice
class-map match-any Test
2 match virtual-address 192.168.10.10 tcp eq www
policy-map type loadbalance first-match Test
class class-default
    serverfarm Test
class Test
    loadbalance vip inservice
    loadbalance policy Test
    loadbalance vip icmp-reply active

Sorry maybe I didn't explain what I was getting at good enough...
I guess I'm basically asking if there's potential for asymmetry at the site that's not working.
For example.
Say I have a load balanced server. It has two interfaces a "front end" and a "back end". I manage the server on the backend from my laptop, for which the server has a route. Now if I try to hit the public VIP of the LB, traffic is routed to the VIP, then to the server, but because the server already has a route to my laptop via the backend, it bypasses the load balancer on the return and replies directly to me, thus putting the flow out of sync and never completing the connection...
Not saying that's it, but I've had so many asymmetry issues that are tough to figure out that It's usually one of the first things I rule out...
It's possible if the site that's not working is local to you and the others aren't, this may be a potential issue??

ACE WEBHOST-REDIRECT logic

Similar Messages

Maybe you are looking for