Cisco ACE SSL Offloading not working

Dear All,
  I have configured SSL offloading on ACE. When I tried to test it from the PC I found that:
1. When I try to test the SSL offloading via https://192.168.69.110 I can reach the main page on WEB1, but I can't open any virtual directory or any link inside this server (e.g. https://192.168.69.110/web).
Thanks,
Bader

Hello Mohammed,
The behavior which you are getting is totally expected since you are NOT matching the URL.
Why don't you try this?
(config)# class-map type http loadbalance match-all MATCH-URL
(config-cmap-http-lb)# match http url /.*
class-map type http loadbalance match-all MATCH-URL
  2 match http url /.*
Also you can try this one instead of the one above, since this one will be more specific:
class-map type http loadbalance match-all MATCH-URL
  2 match http url /web.*
policy-map type loadbalance first-match WEB-SERVERS-LB
class MATCH-URL
    sticky-serverfarm Sticky-WEB-SERVERS
class class-default
    sticky-serverfarm Sticky-WEB-SERVERS
Please mark it, if it fixes your issue.
Jorge

Similar Messages

  • ACE SSL terminate not working ... please help

    Hello, I configured a Cisco ACE 4710 with ssl-proxy and it is not working, but http://10.1.40.2 and http://10.1.40.3 are OK. When I put https://10.1.41.20 the output is: "There is a problem with this website's security certificate", so I click on "Continue to this website (not recommended)" and the ACE doesn't balance; the output shows the error "Internet Explorer cannot display the webpage".
    The configuration:
    ace-demo/Admin# sh run
    Generating configuration....
    boot system image:c4710ace-mz.A3_2_4.bin
    boot system image:c4710ace-mz.A3_2_1.bin
    login timeout 0
    hostname ace-demo
    interface gigabitEthernet 1/1
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/2
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/3
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/4
      channel-group 1
      no shutdown
    interface port-channel 1
      switchport trunk allowed vlan 400-401,450
      no shutdown
    crypto csr-params testparams
      country PE
      state Lima
      locality Lima
      organization-name TI
      organization-unit TI
      common-name www.yyy.com
      serial-number 1000
    access-list anyone line 8 extended permit ip any any
    access-list anyone line 16 extended permit icmp any any
    parameter-map type ssl sslparams
      cipher RSA_WITH_RC4_128_MD5
      version SSL3
    rserver host rsrv1
      ip address 10.1.40.2
      inservice
    rserver host rsrv2
      ip address 10.1.40.3
      inservice
    serverfarm host farm-demo
      rserver rsrv1
        inservice
      rserver rsrv2
        inservice
    serverfarm host site-A
      rserver rsrv1
        inservice
    serverfarm host site-B
      rserver rsrv2
        inservice
    ssl-proxy service testssl
      key testkey.key
      cert testcert.pem
      ssl advanced-options sslparams
    class-map type management match-any MGMT
      2 match protocol icmp any
      3 match protocol http any
      4 match protocol https any
      5 match protocol snmp any
      6 match protocol telnet any
      7 match protocol ssh any
    class-map match-any VIP
      6 match virtual-address 10.1.41.10 any
    class-map type generic match-any WAN-site-A
      2 match source-address 192.168.10.106 255.255.255.255
      3 match source-address 192.168.10.125 255.255.255.255
    class-map type generic match-any WAN-site-B
      2 match source-address 192.168.10.96 255.255.255.255
      3 match source-address 192.168.10.93 255.255.255.255
    class-map type management match-any icmp
      2 match protocol icmp any
    class-map match-any vip-ssl-10.1.41.20
      2 match virtual-address 10.1.41.20 tcp eq https
    policy-map type management first-match ICMP
      class icmp
        permit
    policy-map type management first-match MGMT
      class MGMT
        permit
    policy-map type loadbalance first-match vip-ssl-10.1.41.20
      class class-default
        serverfarm farm-demo
    policy-map type loadbalance generic first-match lb-server
      class WAN-site-A
        serverfarm site-A
      class WAN-site-B
        serverfarm site-B
      class class-default
        serverfarm farm-demo
    policy-map multi-match client-side
      class VIP
        loadbalance vip inservice
        loadbalance policy lb-server
    policy-map multi-match lb-vip
      class vip-ssl-10.1.41.20
        loadbalance vip inservice
        loadbalance policy vip-ssl-10.1.41.20
        loadbalance vip icmp-reply
        ssl-proxy server testssl
    interface vlan 400
      description side-server
      ip address 10.1.40.1 255.255.255.0
      access-group input anyone
      service-policy input ICMP
      no shutdown
    interface vlan 401
      description side-client
      ip address 10.1.41.1 255.255.255.0
      access-group input anyone
      access-group output anyone
      service-policy input ICMP
      service-policy input client-side
      service-policy input lb-vip
      no shutdown
    interface vlan 450
      description mgmt
      ip address 10.1.45.1 255.255.255.0
      access-group input anyone
      service-policy input MGMT
      no shutdown
    ip route 192.168.10.0 255.255.255.0 10.1.45.10
    And the proof:
    ace-demo/Admin# sh serverfarm farm-demo
    serverfarm     : farm-demo, type: HOST
    total rservers : 2
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: rsrv1
           10.1.40.2:0           8      OPERATIONAL  0          25         19
       rserver: rsrv2
           10.1.40.3:0           8      OPERATIONAL  0          23         18
    ace-demo/Admin# sh crypto files
    Filename                                 File  File    Expor      Key/
                                             Size  Type    table      Cert
    admin                                    887   PEM     Yes         KEY
    testcert.pem                             709   PEM     Yes        CERT
    testkey.key                              497   PEM     Yes         KEY
    ace-demo/Admin#
    ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
    Status     : ACTIVE
    Interface: vlan 1 401
      service-policy: lb-vip
        class: vip-ssl-10.1.41.20
          ssl-proxy server: testssl
          loadbalance:
            L7 loadbalance policy: vip-ssl-10.1.41.20
            VIP ICMP Reply       : ENABLED
            VIP State: INSERVICE
            Persistence Rebalance: DISABLED
            curr conns       : 0         , hit count        : 38       
            dropped conns    : 18       
            client pkt count : 159       , client byte count: 12576              
            server pkt count : 16        , server byte count: 640                
            conn-rate-limit      : 0         , drop-count : 0        
            bandwidth-rate-limit : 0         , drop-count : 0        
          compression:
            bytes_in  : 0                  
            bytes_out : 0                  
            Compression ratio : 0.00%
    in other time:
    ace-demo/Admin# sh service-policy lb-vip class-map vip-ssl-10.1.41.20
    Status     : ACTIVE
    Interface: vlan 1 401
      service-policy: lb-vip
        class: vip-ssl-10.1.41.20
          ssl-proxy server: testssl
          loadbalance:
            L7 loadbalance policy: vip-ssl-10.1.41.20
            VIP ICMP Reply       : ENABLED
            VIP State: INSERVICE
            Persistence Rebalance: DISABLED
            curr conns       : 0         , hit count        : 170      
            dropped conns    : 89       
            client pkt count : 703       , client byte count: 60089              
            server pkt count : 85        , server byte count: 3400               
            conn-rate-limit      : 0         , drop-count : 0        
            bandwidth-rate-limit : 0         , drop-count : 0        
          compression:
            bytes_in  : 0                  
            bytes_out : 0                  
            Compression ratio : 0.00%
    ace-demo/Admin#
    ace-demo/Admin# sh stats crypto server
    +----------------------------------------------+
    +---- Crypto server termination statistics ----+
    +----------------------------------------------+
    SSLv3 negotiated protocol:                       43
    TLSv1 negotiated protocol:                        0
    SSLv3 full handshakes:                           37
    SSLv3 resumed handshakes:                         0
    SSLv3 rehandshakes:                               0
    TLSv1 full handshakes:                            0
    TLSv1 resumed handshakes:                         0
    TLSv1 rehandshakes:                               0
    SSLv3 handshake failures:                         6
    SSLv3 failures during data phase:                 0
    TLSv1 handshake failures:                         0
    TLSv1 failures during data phase:                 0
    Handshake Timeouts:                               0
    total transactions:                               0
    SSLv3 active connections:                         0
    SSLv3 connections in handshake phase:             0
    SSLv3 conns in renegotiation phase:               0
    SSLv3 connections in data phase:                  0
    TLSv1 active connections:                         0
    TLSv1 connections in handshake phase:             0
    TLSv1 conns in renegotiation phase:               0
    TLSv1 connections in data phase:                  0
    +----------------------------------------------+
    +------- Crypto server alert statistics -------+
    +----------------------------------------------+
    SSL alert CLOSE_NOTIFY rcvd:                      0
    SSL alert UNEXPECTED_MSG rcvd:                    0
    SSL alert BAD_RECORD_MAC rcvd:                    0
    SSL alert DECRYPTION_FAILED rcvd:                 0
    SSL alert RECORD_OVERFLOW rcvd:                   0
    SSL alert DECOMPRESSION_FAILED rcvd:              0
    SSL alert HANDSHAKE_FAILED rcvd:                  0
    SSL alert NO_CERTIFICATE rcvd:                    0
    SSL alert BAD_CERTIFICATE rcvd:                   0
    SSL alert UNSUPPORTED_CERTIFICATE rcvd:           0
    SSL alert CERTIFICATE_REVOKED rcvd:               0
    SSL alert CERTIFICATE_EXPIRED rcvd:               0
    SSL alert CERTIFICATE_UNKNOWN rcvd:               6
    SSL alert ILLEGAL_PARAMETER rcvd:                 0
    SSL alert UNKNOWN_CA rcvd:                        0
    SSL alert ACCESS_DENIED rcvd:                     0
    SSL alert DECODE_ERROR rcvd:                      0
    SSL alert DECRYPT_ERROR rcvd:                     0
    SSL alert EXPORT_RESTRICTION rcvd:                0
    SSL alert PROTOCOL_VERSION rcvd:                  0
    SSL alert INSUFFICIENT_SECURITY rcvd:             0
    SSL alert INTERNAL_ERROR rcvd:                    0
    SSL alert USER_CANCELED rcvd:                     0
    SSL alert NO_RENEGOTIATION rcvd:                  0
    SSL alert CLOSE_NOTIFY sent:                      0
    SSL alert UNEXPECTED_MSG sent:                    0
    SSL alert BAD_RECORD_MAC sent:                    0
    SSL alert DECRYPTION_FAILED sent:                 0
    SSL alert RECORD_OVERFLOW sent:                   0
    SSL alert DECOMPRESSION_FAILED sent:              0
    SSL alert HANDSHAKE_FAILED sent:                  0
    SSL alert NO_CERTIFICATE sent:                    0
    SSL alert BAD_CERTIFICATE sent:                   0
    SSL alert UNSUPPORTED_CERTIFICATE sent:           0
    SSL alert CERTIFICATE_REVOKED sent:               0
    SSL alert CERTIFICATE_EXPIRED sent:               0
    SSL alert CERTIFICATE_UNKNOWN sent:               0
    SSL alert ILLEGAL_PARAMETER sent:                 0
    SSL alert UNKNOWN_CA sent:                        0
    SSL alert ACCESS_DENIED sent:                     0
    SSL alert DECODE_ERROR sent:                      0
    SSL alert DECRYPT_ERROR sent:                     0
    SSL alert EXPORT_RESTRICTION sent:                0
    SSL alert PROTOCOL_VERSION sent:                 47
    SSL alert INSUFFICIENT_SECURITY sent:             0
    SSL alert INTERNAL_ERROR sent:                    0
    SSL alert USER_CANCELED sent:                     0
    SSL alert NO_RENEGOTIATION sent:                  0
    +-----------------------------------------------+
    +--- Crypto server authentication statistics ---+
    +-----------------------------------------------+
    Total SSL client authentications:                 0
    Failed SSL client authentications:                0
    SSL client authentication cache hits:             0
    SSL static CRL lookups:                           0
    SSL best effort CRL lookups:                      0
    SSL CRL lookup cache hits:                        0
    SSL revoked certificates:                         0
    Total SSL server authentications:                 0
    Failed SSL server authentications:                0
    +-----------------------------------------------+
    +------- Crypto server cipher statistics -------+
    +-----------------------------------------------+
    Cipher sslv3_rsa_rc4_128_md5:                    43
    Cipher sslv3_rsa_rc4_128_sha:                     0
    Cipher sslv3_rsa_des_cbc_sha:                     0
    Cipher sslv3_rsa_3des_ede_cbc_sha:                0
    Cipher sslv3_rsa_exp_rc4_40_md5:                  0
    Cipher sslv3_rsa_exp_des40_cbc_sha:               0
    Cipher sslv3_rsa_exp1024_rc4_56_md5:              0
    Cipher sslv3_rsa_exp1024_des_cbc_sha:             0
    Cipher sslv3_rsa_exp1024_rc4_56_sha:              0
    Cipher sslv3_rsa_aes_128_cbc_sha:                 0
    Cipher sslv3_rsa_aes_256_cbc_sha:                 0
    Cipher tlsv1_rsa_rc4_128_md5:                     0
    Cipher tlsv1_rsa_rc4_128_sha:                     0
    Cipher tlsv1_rsa_des_cbc_sha:                     0
    Cipher tlsv1_rsa_3des_ede_cbc_sha:                0
    Cipher tlsv1_rsa_exp_rc4_40_md5:                  0
    Cipher tlsv1_rsa_exp_des40_cbc_sha:               0
    Cipher tlsv1_rsa_exp1024_rc4_56_md5:              0
    Cipher tlsv1_rsa_exp1024_des_cbc_sha:             0
    Cipher tlsv1_rsa_exp1024_rc4_56_sha:              0
    Cipher tlsv1_rsa_aes_128_cbc_sha:                 0
    Cipher tlsv1_rsa_aes_256_cbc_sha:                 0
    ace-demo/Admin# crypto verify testkey.key testcert.pem
    Keypair in testkey.key matches certificate in testcert.pem.
    ace-demo/Admin#
    ace-demo/Admin#  sh conn
    total current connections : 0
    conn-id    np dir proto vlan source                destination           state
    ----------+--+---+-----+----+---------------------+---------------------+------+

    Hello Alvaro,
    The issue here is that your config is missing the clear text port the ACE should use to send the traffic to the backend servers; in this case port 80.
    Remove the rservers from the SF "farm-demo" and then configure them back like this:
    serverfarm host farm-demo
      rserver rsrv1 80
        inservice
      rserver rsrv2 80
        inservice
    That should do the trick =)
    HTH
    Pablo

  • Cisco IOS SSL VPN Not Working - Internet Explorer

    Hi All,
    I seem to be having a strange SSL VPN issue.  I have a Cisco 877 router with c870-advsecurityk9-mz.124-24.T4.bin and I cannot get the SSL VPN (Web VPN) working with Internet Explorer (tried both IE8 on XP and IE9 on Windows 7).  Whenever I browse to https://x.x.x.x, I get "Internet Explorer Cannot Display The Webpage".  It sort of works with Chrome (I can get the webpage and login, but I can't start the thin client, when I click on Start, nothing happens).  It only seems to work with Firefox.  It seems quite similar to this issue with the ASAs - http://www.infoworld.com/d/applications/cisco-asa-users-cant-use-ssl-vpns-ie-8-901
    Below is the config snippet:
    username vpntest password XXXXX
    aaa authentication login default local
    crypto pki trustpoint TP-self-signed-1873082433
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1873082433
    revocation-check none
    rsakeypair TP-self-signed-1873082433
    crypto pki certificate chain TP-self-signed-1873082433
    certificate self-signed 01
    --- omitted ---
            quit
    webvpn gateway SSLVPN
    hostname Router
    ip address X.X.X.X port 443 
    ssl encryption aes-sha1
    ssl trustpoint TP-self-signed-1873082433
    inservice
    webvpn context SSLVPN
    title "Blah Blah"
    ssl authenticate verify all
    login-message "Enter the magic words..."
    port-forward "PortForwardList"
       local-port 33389 remote-server "10.0.1.3" remote-port 3389 description "RDP"
    policy group SSL-Policy
       port-forward "PortForwardList" auto-download
    default-group-policy SSL-Policy
    gateway SSLVPN
    max-users 3
    inservice
    I've tried:
    *Enabling SSL 2.0 in IE
    *Adding the site to the Trusted Sites in IE
    *Adding it to the list of sites allowed to use Cookies
    At a loss to figure this out.  Has anyone else come across this before?  Considering the Cisco website itself shows an example using IE (http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml), surely it should work in IE you'd think?
    Thanks

    Hi,
    I would check where exactly it is failing, either in the SSL connection itself or something after that. The best way to do that is to run a Wireshark capture when you try to access the page using IE. You can compare this with the one with Mozilla too, just to confirm the SSL is working fine.
    Also, can you try with different SSL ciphers, as one difference between browsers is the ciphers they use? 3DES should be a good option to try.

  • ACE SSL offloading troubleshooting

    Hi All,
    I need help troubleshooting ACE SSL offloading. Can anybody post the link to know about the commands for troubleshooting?
    Regards,
    Thiyagu

    Hi Thiyagu
    Have a read of the following link. What is the issue you are seeing?
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_--_Troubleshooting_SSL#Troubleshooting_ACE_SSL
    Regards Craig

  • Cisco ACE SSL termination

    Hello Friends,
    Need your help on Cisco ACE SSL termination.
    If I import the certificate and key (.PEM), where will these files be saved?
    Can we download the .PEM file any time we need it (back-up)?
    Suppose my .PEM got hacked and the hacker is sniffing the data packets going through the web server; is it possible to decrypt the packets and see the exact packet?
    Regards,
    Naren

    Naren,
    1. In order to import certs and keys, please see the following link to the command reference.  To summarize, any time you import/export/delete keys/certs, you are doing so via commands in exec mode.  Regarding how and where the ACE actually saves this information, I do not know this answer.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/execmds.html#wp1616651
    2. You can import a key as non-exportable if you do not want it to be able to be exported. If you import it as exportable, you can always export it later for backups or what not.
    3. You can decrypt captured HTTPS traffic if you have the private key.  It is important to limit access to it.  Please see this link for more info on using Wireshark to view decrypted HTTPS traffic: http://wiki.wireshark.org/SSL
    Hope this helps!
    Regards,
    Matt

  • SSL Termination not working in ACE

    Hi,
    The context was configured for load balancing port 80 and 443 traffic before the SSL configs were applied.
    The SSL termination is configured on an ACE module running software version A2(1.6a) [build 3.0(0)A2(1.6a)].
    The load balancing is working without issues, but when I do a https://abc.www.abc.qa/wps/portal/login
    the browser recognizes the certificate from ACE but does not show anything, just this symbol €
    in a blank page.
    Please let me know if you have any suggestions.
    Thanks in Advance.
    Here is the relevant config.
    ===================
    crypto csr-params ABC-II-PRAMS
      country XX
      state XXXX
      locality XXXX
      organization-name abc council
      common-name abc.www.abc.qa
      serial-number 1
      email [email protected]
    rserver host abcserver1
      ip address 10.14.1.165
      inservice
    rserver host abcserver2
      ip address 10.14.1.177
      inservice
    ssl-proxy service abc.www.proxy
      key abc-II-key.pem
      cert abc-II-cert.pem
    serverfarm host abc.www.abc.qa-443
      failaction purge
      rserver abcserver1
        probe abcicmp
        inservice
      rserver abcserver2
        probe abcicmp
        inservice
    serverfarm host abc.www.abc.qa-80
      failaction purge
      rserver abcserver1
        probe abcicmp
        inservice
      rserver abcserver2
        probe abcicmp
        inservice
    sticky ip-netmask 255.255.255.255 address source abc.www.abc.qa-sticky-80
      timeout 120
      serverfarm abc.www.abc.qa-80
    sticky ip-netmask 255.255.255.255 address source abc.www.abc.qa-sticky-443
      timeout 120
      serverfarm abc.www.abc.qa-443
    class-map match-all abc.www.abc.qa-443
      match virtual-address 10.14.1.203 tcp eq https
    class-map match-all abc.www.abc.qa-80
      match virtual-address 10.14.1.203 tcp eq www
    policy-map type loadbalance first-match abc.www.abc.qa-VIP-443
      class class-default
        sticky-serverfarm abc.www.abc.qa-sticky-443
    policy-map type loadbalance first-match abc.www.abc.qa-VIP-80
      class class-default
        sticky-serverfarm abc.www.abc.qa-sticky-80
    policy-map multi-match abc-POLICY
      class abc.www.abc.qa-80
        loadbalance vip inservice
        loadbalance policy abc.www.abc.qa-VIP-80
        loadbalance vip icmp-reply
      class abc.www.abc.qa-443
        loadbalance vip inservice
        loadbalance policy abc.www.abc.qa-VIP-443
        loadbalance vip icmp-reply
        ssl-proxy server abc.www.proxy
    =============================

    Hi,
    You may want to check this thread; I think it would be very helpful.
    https://supportforums.cisco.com/thread/2027253
    HTH
    Pablo
    Cisco TAC

  • Cisco ace Load balancer not maintaining session persistence

    Hi All,
    We have observed from the IIS logs on the internal web servers that the load balancer is not maintaining session persistence for two specific requests to the internal servers.
    https://123.xyz.com/Webresource.axd
    https://123.xyz.com/ScriptResource.axd
    Error
    Webresource.axd : 500
    Scriptresource.axd: 404
    Session persistence is maintained for all other requests hitting loadbalancer.
    The issue is observed on hits for these two specified components. WebResource.axd and ScriptResource.axd are HTTP handlers used by ASP.NET and Ajax to add client-side scripting to the outgoing web page.
    For example, /WebResource.axd d=t2GXfySdqWmJ-lZSI0KVbw2&t=634868473645172160 is valid for server 1 and returns a 200 response, but the same request is seen on a few other servers where the response is 404 even though the load balancer cookie is the same. This means that if the request for both the .axd files contains a valid decrypter and it connects to the right server, then the response seen is 200.
    The URL passed by the user contains d and t parameters which are unique for each user session.
    Solution tried:
    Accessed website via another VIP without http redirect rule but could not see difference.
    Tried to match machine key across all servers : Failed . Could see the ‘d’ value different for each server.
    Load balancer VIP :
    x.x.x.x
    redirect: http > https
    SSL Offload : ON
    Pool:
    WEB1
    WEB2
    WEB3
    WEB4
    WEB5
    All servers listening on port 80
    sticky config:
    sticky http-cookie cookie1 vip-1.1.1.1-80-stickyfarm
      cookie insert browser-expire
      replicate sticky
      serverfarm vip-1.1.1.1_80
    sticky http-cookie cookie1 vip-farm:1.1.1.1:443
      cookie insert browser-expire
      replicate sticky
      serverfarm farm:1.1.1.1:443
    Has anyone else come across similar issue?
    Can you please check if there is any config on the Cisco ACE that will ensure that session persistence is maintained for these 2 requests.
    Thank you for all the help.
    regards,
    Sangram

    Hello Sangram,
    We would need simultaneous packet traces before and after the ACE to get to the root cause of this issue, so I would recommend that you open a Cisco TAC case for more in-depth troubleshooting of this issue.
    Joel Lamousnery
    CCIE R&S - 36768
    Engineer, Customer Support
    Technical Services

  • ACE Policy is not working

    Hi,
    I have an ACE 4710 in context mode. I am doing internet browsing (port 80) redirection to two proxy servers (transparent proxy), and I am also using this ACE box for load balancing multiple other servers.
    I have multiple policies applied on my LAN interface (VLAN 300), where all the users and servers are connected.
    Now I am facing a problem with one application (PLATTS), which is an oil-company-related application. This application works fine while directly connected to the Internet (external internet connection) or by giving an explicit proxy in the user's browser.
    But with the transparent proxy this application is not working, and my company policy only allows the transparent proxy, not an explicit proxy.
    Now if on my interface vlan 300 I remove the service-policy input PM_MAIN_BCPROXY my application starts working, but then I can't redirect the port 80 traffic to my proxy servers, which is also my requirement.
    interface vlan 300
      description ACE-INSIDE CONTEXT RACK1
      ip address 192.168.0.65 255.255.255.224
      alias 192.168.0.73 255.255.255.224
      peer ip address 192.168.0.66 255.255.255.224
      no normalization
      mac-address autogenerate
      no icmp-guard
      access-group input acl-in
      nat-pool 5 172.23.16.5 172.23.16.5 netmask 255.255.255.255 pat
      nat-pool 4 172.23.16.4 172.23.16.4 netmask 255.255.255.255 pat
      nat-pool 3 172.23.16.3 172.23.16.3 netmask 255.255.255.255 pat
      nat-pool 1 172.23.16.2 172.23.16.2 netmask 255.255.255.255 pat
      service-policy input PM_BYPASS_PLATTS
      service-policy input PM_ENOC_Servers
      service-policy input PM_RT_FAX
      service-policy input PM_ITSM_Web_Server
      service-policy input PM_ITSM_MAPP_Server
      service-policy input PM_BYPASS_FOR_LAN_HTTP
      service-policy input PM_BYPASS_HTTP
      service-policy input PM_MAIN_BCPROXY
    =============================================================================================
    This application uses multiple destinations for connectivity, and I have even tried bypassing the destination IP addresses by making a bypass policy, but still no luck.
    I want this application to work as well as the redirection of port 80. I even tried re-ordering the policy sequence, but no luck. Can you please help me figure out how to get this application to work as well as the redirection of port 80 for Internet?
    I have attached the full configuration as well.
    I will be very thankful if someone can help me on this.

    Hi,
    This application has no VIP and serverfarm.
    My traffic is passing through the ACE, and when traffic passes, the ACE policy for redirection of port 80 is dropping the traffic. If I remove the last service policy on the interface this application starts working.
    Sent from Cisco Technical Support iPhone App

  • ACE 4710 is not working

    Hi. I'm working on the Cisco ACE 4710 to be able to load balance web traffic between several web servers, but despite following the steps mentioned in the Cisco configuration guide (especially this link and related docs: http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide,_Release_A3(1.0)_--_Creating_a_Virtual_Context) we did not manage to make it work. We tested both the "bridged scenario" and the "routed scenario", but neither of them is working. Specifically, "configuring NAT" in the above link is very confusing and not clear, because it's not the same as Cisco IOS, which is how we used to implement it.
    Routed Scenario:
    ==========================================
    probe http Http_Probe
      description Server Healty Check
      port 80
      request method head url /index.htm
    probe icmp ICMP_Check
      interval 10
      passdetect interval 5
    rserver host NetCad_Server_1
      ip address 172.16.1.100
      probe ICMP_Check
      inservice
    rserver host NetCad_Server_2
      ip address 172.16.1.101
      probe ICMP_Check
      inservice
    rserver host NetCad_Server_3
      ip address 172.16.1.102
      probe ICMP_Check
      inservice
    serverfarm host NetCad_Servers
      probe Http_Probe
      rserver NetCad_Server_1 80
        inservice
      rserver NetCad_Server_2 80
        inservice
      rserver NetCad_Server_3 80
        inservice
    sticky http-cookie Cookie1 1
      serverfarm NetCad_Servers
    class-map match-all VS_NetCad
      2 match virtual-address 192.168.13.162 255.255.252.0 tcp any
    policy-map type management first-match mgmt-pm
      class class-default
        permit
    policy-map type loadbalance first-match VS_NetCad-l7slb
      class class-default
        serverfarm NetCad_Servers
    policy-map multi-match int40
      class VS_NetCad
        loadbalance vip inservice
        loadbalance policy VS_NetCad-l7slb
        loadbalance vip icmp-reply
    interface vlan 40
      description Client Side
      ip address 192.168.13.161 255.255.252.0
      ip options allow
      no normalization
      no icmp-guard
      access-group input Permit_ALL
      service-policy input mgmt-pm
      service-policy input int40
      no shutdown
    interface vlan 41
      description Server Side
      ip address 172.16.1.1 255.255.255.0
      ip options allow
      no normalization
      no icmp-guard
      access-group input Permit_ALL
      nat-pool 1 172.16.1.110 172.16.1.110 netmask 255.255.255.255 pat
      service-policy input mgmt-pm
      no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.12.1
    ==========================================

    Hi,
    Let me explain.
    Assuming client IP 1.1.1.1, VIP 2.2.2.2 and real server 3.3.3.3:
    Consider the simple situation where the client needs to access an application hosted on 3.3.3.3. The client sends a request which comes to the VIP:
    src 1.1.1.1 -----> dst 2.2.2.2. The ACE, after matching conditions and taking the LB decision, decides to send it to the 3.3.3.3 real server. It performs destination NAT and forwards the client request to 3.3.3.3. So the above packet's L3 header will now look like:
    src 1.1.1.1 -----> dst 3.3.3.3. When the reply comes from the server, the ACE will change src 3.3.3.3 back to 2.2.2.2 and forward it to client 1.1.1.1. SIMPLE LB.
    Now comes a situation where, let's say, you want to hide the client IP from the server, or the server's default GW is not the ACE, or the client and server are in the same subnet but need to communicate through the VIP on the ACE, etc.
    src 1.1.1.1 -----> dst 2.2.2.2
    After LB the ACE decides to send it to 3.3.3.3, but the policy multi-match also has a NAT rule (nat dynamic 1 vlan x). The packet would be forwarded from the server VLAN where you have the NAT pool defined. So let's say the pool IP is 3.3.3.4. The ACE will perform both destination and source NAT here before forwarding the packet to the server, and the packet's L3 header will look like:
    src 3.3.3.4 -----> dst 3.3.3.3
    Now when 3.3.3.3 has to send the packet back, the ACE will answer ARP for 3.3.3.3 and hence the packet will come back to the ACE, which will again change the L3 header IPs and send it out the client VLAN towards the client.
    So NAT is always applied to the server side VLAN, and that's why the pool is chosen from the server side subnet.
    Let me know if you have any questions.
    Regards,
    Kanwal
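    A small model of the header rewrites Kanwal describes, added here as an example and not part of the original reply: it runs the plain LB case and the LB-plus-source-NAT case side by side and shows why the reply has to come back through the ACE. The addresses are the ones from the reply; the rule that a server routes a reply to an off-subnet client via its default gateway is an assumption used to model the "server's default GW is not ACE" case.

```python
# Constructed model (not from the original reply) of the ACE L3 rewrites.
CLIENT, VIP, REAL, NAT_POOL = "1.1.1.1", "2.2.2.2", "3.3.3.3", "3.3.3.4"

def ace_forward(pkt, nat_pool=None):
    """Client -> server: destination NAT to the real server, plus source NAT
    from the server-side pool when 'nat dynamic' applies to the policy."""
    assert pkt["dst"] == VIP, "only VIP traffic is load balanced"
    fwd = {"src": nat_pool or pkt["src"], "dst": REAL}
    # connection entry the ACE keeps so it can undo the rewrite on the reply
    conn = {"client": pkt["src"], "vip": VIP, "real": REAL, "snat": nat_pool}
    return fwd, conn

def server_reply(fwd_pkt, server_gw_is_ace):
    """The real server replies to the source it saw. A pool address on its own
    subnet is resolved by ARP, which the ACE answers; an off-subnet client is
    reached via the default gateway, which only passes the ACE if the ACE is
    that gateway (assumption used to model the asymmetric case)."""
    reply = {"src": REAL, "dst": fwd_pkt["src"]}
    via_ace = reply["dst"] == NAT_POOL or server_gw_is_ace
    return reply, via_ace

def ace_reverse(reply, conn):
    """Server -> client: VIP restored as source, client as destination."""
    assert reply["src"] == conn["real"]
    return {"src": conn["vip"], "dst": conn["client"]}

def end_to_end(nat_pool, server_gw_is_ace):
    """Header the client finally sees, or None when the reply bypassed the ACE
    (the client would then get a packet from 3.3.3.3 it never sent a SYN to)."""
    fwd, conn = ace_forward({"src": CLIENT, "dst": VIP}, nat_pool)
    reply, via_ace = server_reply(fwd, server_gw_is_ace)
    if not via_ace:
        return None
    return ace_reverse(reply, conn)

if __name__ == "__main__":
    print("plain LB, server GW is ACE    :", end_to_end(None, True))
    print("plain LB, server GW elsewhere :", end_to_end(None, False))
    print("source NAT, server GW elsewhere:", end_to_end(NAT_POOL, False))
```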

  • The cisco snmp oids do not work, I can't get cpu or memory data.

    Hello. I want to monitor the cpu and memory usages on my cisco devices using snmp. I found the snmp oids related to cpu in the following page :
    http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094a94.shtml
    I just copy the table here:
    But the oids in the table do not work on my devices. For example, I have a cisco 3550 switch with the ip 192.168.1.211, version 12.2(25). When I want to get the information about the oids in the table above, I got these results:
    It shows that the oids cisco gives in the table above do not exist in my 3550 switch's MIB. More weird is that when I add a number "1" to
    the end of the oid cisco gives, I can get some meaningless data for some unknown item names like "entreprises.x.x".
    For most mib items, the snmp oids work well on my switch. For example, the following graph shows the interface out rate of the switch:
    I think the essence is when I executed the following command:
    in all the output results, there's not any item relevant with "cpu" or "memory", but most other items are ok, such as interfaces, as shown below:
    IF-MIB::ifDescr.47 = STRING: FastEthernet0/39
    IF-MIB::ifDescr.48 = STRING: FastEthernet0/40
    IF-MIB::ifDescr.49 = STRING: GigabitEthernet0/1
    IF-MIB::ifDescr.50 = STRING: GigabitEthernet0/2
    IF-MIB::ifDescr.51 = STRING: Null0
    IF-MIB::ifDescr.52 = STRING: Vlan1
    IF-MIB::ifType.1 = INTEGER: ethernetCsmacd(6)
    IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)
    IF-MIB::ifType.3 = INTEGER: ethernetCsmacd(6)
    IF-MIB::ifType.4 = INTEGER: ethernetCsmacd(6)
    IF-MIB::ifType.5 = INTEGER: ethernetCsmacd(6)
    So why do the cisco-given oids not work on my cisco switch, and how can I get the data I want? Does anyone have any advice? Thanks in advance!
    In case the pictures I inserted are missing, I attach my problem in the doc.

    Have you looked at this previous discussion:
    Can't Activate FaceTime

  • Apache 1.3.22+mod_ssl / Weblogic 5.1  Browser to Apache SSL does not work

    We are using Weblogic 5.1 and apache 1.3.22+mod_ssl. HTTPS requests to the apache server for jsp do not work. However, if an HTTP request for the same jsp is made, it works.
    SSL requests only work if the ServerName directive for the HTTP server and the 443 Virtual Server are commented out in httpd.conf. Is this right?

    Hi.
    Firstly, this is not a supported configuration. The latest version of apache we
    certify is 1.3.19. See the following link for supported platforms:
    http://edocs.bea.com/wls/platforms/index.html#apach.
    Without seeing your httpd.conf file this should work. You probably already know this,
    but with WLS 5.1 https between the server and the plugin is not supported, so apache
    needs to translate all http/https requests to http for WLS.
    I recommend you try posting this question to the plugin newsgroup -
    weblogic.developer.interest.plugin.
    Thanks,
    Michael
    shakeel rao wrote:
    We are using Weblogic 5.1 and apache 1.3.22+mod_ssl. HTTPS requests to the apache server for jsp do not work. However, if an HTTP request for the same jsp is made, it works.
    SSL requests only work if the ServerName directive for the HTTP server and the 443 Virtual Server are commented out in httpd.conf. Is this right?
    --
    Michael Young
    Developer Relations Engineer
    BEA Support

  • SSL redirect not working?

    Hi,
    has anyone been able to get SSL redirect working in ical and address book server?
    In Apple documentation it says "redirecting ssl access redirects request for the http port and sends them to the https port". But it does not seem to work. Connecting to the https port is working.
    Bernt
    Message was edited by: kenguru

    Regarding the redirect, I don't really understand why it's not possible. You can edit the non-SSL website in Web and add a 301 for /Wiki to redirect to https://myserver.com/wiki. In fact you can redirect the entire site to SSL - but that is problematic. I can understand why Mavericks server would be designed to automatically use SSL for wiki logins, if it's available. I only looked at redirects because this was not working. Without a redirect or with a redirect - I can login to Wiki via non-SSL or SSL. Where (specifically in which text file) are these redirects created using Server Admin written to? I can't find them in apache2/httpd.conf. Thanks again for your help.

  • Cisco ISE IP Renewal not working

    Hi all,
    I am setting up a CWA with Cisco ISE to authenticate Guests and Employees by Web and assign them to two different vlans. The authentication passes. The authZ Profiles are affected, but the IP address did not change according to the vlan until I renewed it manually from the console ( >ipconfig /release >ipconfig /renew). I deactivated Java in browsers, I activated it again and added the IP of the ISE to the Exception List in the Java settings, but the IP address still does not change automatically.
    Any Ideas how to fix this Issue?
    Thank you.

    Hi Bouchaib,
    Make sure you have put a check on the VLAN DHCP Release option.
    If you are using ISE 1.3 then your path will be,
    Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > VLAN DHCP Release Page Settings.
    This affects the Central WebAuth (CWA) flow during final authorization when the network access changes the guest VLAN to a new VLAN. The guest’s old IP address must be released before the VLAN change and a new guest IP address must be requested through DHCP once the new VLAN access is in place. The IP address release renew operation varies by the browser and operating system used; Internet Explorer uses ActiveX controls, and Firefox and Google Chrome use Java applets. For non-Internet Explorer browsers, Java must be installed and enabled on the browser.
    The VLAN DHCP Release option does not work on mobile devices. Instead, guests are requested to manually reset the IP address. This method varies by devices. For example, on Apple iOS devices, guests can select the Wi-Fi network and click the Renew Lease button.
    For ISE 1.2 version, you can find the same option on the Guest Portal settings.

  • ACE bridge mode not working

    Folks,
    I am trying to configure ACE in transparent mode and it is not working. I can browse to the servers directly, but when I try to hit the vip, I do not get any webpages; all keepalives are up and everything is in inservice.
    hostname abc
    boot system image:c6ace-t1k9-mz.3.0.0_A1_6_1.bin
    access-list ANY line 8 extended permit ip any any
    rserver host rs1
    ip address 1.1.1.1
    inservice
    rserver host rs2
    ip address 1.1.1.2
    inservice
    serverfarm host SF1
    rserver rs1
    inservice
    rserver rs2
    inservice
    class-map type management match-any REMOTE_ACCESS
    10 match protocol telnet any
    20 match protocol ssh any
    30 match protocol icmp any
    class-map match-all VIP
    2 match virtual-address 1.1.1.3 any
    class-map type http loadbalance match-any src1
    2 match source-address 0.0.0.0 0.0.0.0
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
    class REMOTE_ACCESS
    permit
    policy-map type loadbalance first-match R-Policy
    class class-defaut
    serverfarm SF1
    policy-map multi-match R-LB
    class VIP
    loadbalance vip inservice
    loadbalance policy R-Policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise
    interface vlan 3
    bridge-group 1
    access-group input ANY
    access-group output ANY
    service-policy input REMOTE_MGMT_ALLOW_POLICY
    no shutdown
    interface vlan 4
    bridge-group 1
    access-group input ANY
    access-group output ANY
    service-policy input REMOTE_MGMT_ALLOW_POLICY
    service-policy input R-LB
    no shutdown
    interface bvi 1
    ip address 1.1.1.4 255.255.255.0
    no shutdown
    ip route 0.0.0.0 0.0.0.0 1.1.1.5

    I made some progress, but still it is not working.
    When the default gateway of the server behind the ACE module is set to the firewall, I can telnet to the vip at port 80, but I still do not see the page when I open the browser and point to the vip. Here are the outputs.
    hostname RBharti
    boot system image:c6ace-t1k9-mz.3.0.0_A1_6_1.bin
    access-list ANY line 8 extended permit ip any any
    rserver host rs1
    ip address 1.1.1.1
    inservice
    rserver host rs2
    ip address 1.1.1.3
    inservice
    serverfarm host SF1
    rserver rs1
    inservice
    rserver rs2
    inservice
    class-map type management match-any REMOTE_ACCESS
    10 match protocol telnet any
    20 match protocol ssh any
    30 match protocol icmp any
    class-map match-all VIP
    2 match virtual-address 1.1.1.5 any
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
    class REMOTE_ACCESS
    permit
    policy-map type loadbalance first-match R-Policy
    class class-default
    serverfarm SF1
    policy-map multi-match R-LB
    class VIP
    loadbalance vip inservice
    loadbalance policy R-Policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise
    interface vlan 3
    bridge-group 1
    access-group input ANY
    access-group output ANY
    service-policy input REMOTE_MGMT_ALLOW_POLICY
    service-policy input R-LB
    no shutdown
    interface vlan 4
    bridge-group 1
    access-group input ANY
    access-group output ANY
    service-policy input REMOTE_MGMT_ALLOW_POLICY
    no shutdown
    interface bvi 1
    ip address 1.1.1.4 255.255.255.0
    no shutdown
    ip route 0.0.0.0 0.0.0.0 202.137.232.193
    Ri/Admin# sh service-policy
    Policy-map : R-LB
    Status : ACTIVE
    Interface: vlan 3
    service-policy: R-LB
    class: VIP
    loadbalance:
    L7 loadbalance policy: Rediff-Policy
    VIP Route Metric : 77
    VIP Route Advertise : DISABLED
    VIP ICMP Reply : ENABLED-WHEN-ACTIVE
    VIP State: INSERVICE
    curr conns : 0 , hit count : 54
    dropped conns : 54
    client pkt count : 81 , client byte count: 3888
    server pkt count : 0 , server byte count: 0
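    An added check, not part of the thread: a small Python lint that cross-references an ACE config for objects that are referenced but never defined, the kind of thing worth running before reading `sh service-policy` (the output above names a policy, Rediff-Policy, that the pasted config does not contain, and the first pasted config has `class class-defaut`). The sample config is constructed and modelled on the pasted ones, and the regexes only cover the object types that appear in this thread.

```python
import re

# Constructed sample modelled on the configs pasted above (not the poster's
# exact text); it contains three dangling references on purpose.
SAMPLE_CONFIG = """\
rserver host rs1
 inservice
serverfarm host SF1
 rserver rs1
 rserver rs2
class-map match-all VIP
 2 match virtual-address 1.1.1.5 any
policy-map type loadbalance first-match R-Policy
 class class-defaut
 serverfarm SF1
policy-map multi-match R-LB
 class VIP
 loadbalance policy Rediff-Policy
"""
# Top-level object definitions (kind -> regex capturing the name)
DEFS = {
    "rserver": re.compile(r"^rserver\s+host\s+(\S+)"),
    "serverfarm": re.compile(r"^serverfarm\s+host\s+(\S+)"),
    "class-map": re.compile(r"^class-map\s+(?:type\s+\S+\s+(?:loadbalance\s+)?)?match-\S+\s+(\S+)"),
    "policy-map": re.compile(r"^policy-map\s+.*?\s(\S+)$"),
}
# Indented references made from inside other blocks
REFS = [
    ("rserver", re.compile(r"^\s+rserver\s+(\S+)")),
    ("serverfarm", re.compile(r"^\s+(?:sticky-)?serverfarm\s+(\S+)")),
    ("class-map", re.compile(r"^\s+class\s+(\S+)")),
    ("policy-map", re.compile(r"^\s+loadbalance\s+policy\s+(\S+)")),
]
BUILTIN_CLASSES = {"class-default"}  # implicit on the ACE, never defined

def dangling_refs(config):
    """Return (kind, name) pairs referenced but never defined, in config order."""
    defined = {kind: set() for kind in DEFS}
    for line in config.splitlines():
        for kind, rx in DEFS.items():
            if m := rx.match(line):
                defined[kind].add(m.group(1))
    defined["class-map"] |= BUILTIN_CLASSES
    missing = []
    for line in config.splitlines():
        for kind, rx in REFS:
            if (m := rx.match(line)) and m.group(1) not in defined[kind]:
                missing.append((kind, m.group(1)))
    return missing
```

    Running `dangling_refs(SAMPLE_CONFIG)` reports the undefined rserver rs2, the misspelled class-defaut and the policy Rediff-Policy, each of which would leave a class or policy silently matching nothing.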

  • ACE ssl offloading

    Hi,
    I need to configure ssl offloading so that the user will send the request on port 443 while ACE will do the ssl offload, so the servers will handle the http connection. My current config is as below (I haven't copied probe port80 here):
    rserver server1:80
    ip add 192.168.1.1
    inservice
    serverfarm secure-rediect-SF
      probe port80
      reserver server1:80
      inservice
    class-map match-any  secure-rediect-CM
      match virtual-address 10.10.1.1 tcp 80
    policy-map type loadbalance first-match  secure-rediect-PM
      class class-default
       sticky-serverfarm secure-rediect-SG
    policy-map multi-match LBR-LB
      class  secure-rediect-CM
       loadbalance vip inservice
       loadbalance policy secure-rediect-PM
       loadbalance vip icmp-reply
    Could you help? How do I configure SSL offloading, and what is required to configure it?

    Hello, Gavin
    Here you have some additional examples which might help you out:
    Admin# sh crypto files
    Filename                                 File  File    Expor      Key/
                                             Size  Type    table      Cert
    cert-test                                2088  PEM     Yes        CERT
    key-test                                 1675  PEM     Yes         KEY
    # crypto verify key-test cert-test
    Keypair in key-test matches certificate in cert-test
    Admin(config)# crypto chaingroup my-chaingroup
    Admin(config-chaingroup)# cert my-root
    Admin(config-chaingroup)# cert my-intermediate
    ACE-M2/Admin(config-chaingroup)# exit
    Admin# sh crypto chaingroup all
    chaingroup muflas contains:
    my-root
    my-intermediate
    (config)# ssl-proxy service my-ssl-proxy
    Admin(config-ssl-proxy)# chaingroup my-chaingroup
    Admin(config-ssl-proxy)# cert cert-test
    Admin(config-ssl-proxy)# key key-test 
    Admin(config-ssl-proxy)# end
    Then finally, your configuration should look like this:
    interface vlan 100
      ip address 10.198.16.75 255.255.255.192
      access-group input Allow_Access
      nat-pool 1 10.198.16.103 10.198.16.103 netmask 255.255.255.192 pat
      service-policy input MGMT
      service-policy input my-multimatch
      no shutdown
    policy-map multi-match my-multimatch
      class vip
        loadbalance vip inservice
        loadbalance policy http
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 100
    class ssl
        loadbalance vip inservice
        loadbalance policy http
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 100
        ssl-proxy server my-ssl-proxy
    class-map match-all ssl
      2 match virtual-address 10.198.16.103 tcp eq https
    class-map match-all vip
      10 match virtual-address 10.198.16.103 tcp eq www
    policy-map type loadbalance http first-match http
      class class-default
        serverfarm http
    serverfarm host http  
      rserver 1-80 80
        inservice
      rserver 2-80 80
        inservice
    rserver host 1-80
      ip address 10.198.16.99
      inservice
    rserver host 2-80
      ip address 10.198.16.100
      inservice
    ssl-proxy service my-ssl-proxy
      key key-test
      cert cert-test
      chaingroup my-chaingroup
    Hope this helps!!!
