Header rewrite on ACE

I have a situation where I need the ACE to re-write a portion of the client header. I can configure the class-map to identify the traffic, but am unsure how to configure the policy map. The client header contains a sid value and we want the header to delete that value before forwarding to the server. From a packet capture, the HTTP request contains the following:
Get /testpage?sid=123456789 HTTP/1.1\r\n
Host: http://www.example.com\r\n
Need to change to:
Get /testpage HTTP/1.1\r\n
Host: http://www.example.com\r\n
Note that the /testpage portion of the Get will vary by page.
I also notice the sid value in the Referer header value and may need to change that as well.
Referer: http://www.example.com/otherpage?sid=123456789
TIA for your help.

All we can do with the URL is to create a redirect pointing to a different one.
So you could catch with a class-map any URL with sid= and create a redirect to a page without the sid.
In a future release, you'll also be able to filter the Host header, but currently this is not possible.
Gilles.
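The transformation asked for in this thread, written out as an added example (not code from the original post and not something the ACE of that release could do, as the reply above says): it drops a named query parameter from the request target and from the Referer header while leaving every other parameter untouched, so the intended rewrite can be checked offline against a capture. The parameter name ``sid`` and the sample request are assumptions constructed for the example; note that stripping it at the load balancer protects only the server side, the sid still travels in the clear in the client's own URL.

```python
"""Strip a session-id query parameter from an HTTP request head.

Added example, not code from the original post or from the Cisco ACE: it
performs the transformation the poster asked for (drop ``sid=`` from the
request target and from the Referer header) so the intended rewrite can be
checked offline. Assumptions: the parameter is literally named ``sid`` and
other query parameters must be preserved in order. The sample request below
is constructed for this example.
"""
import re
from urllib.parse import urlsplit, urlunsplit

PARAM = "sid"  # assumption: name of the parameter to drop

REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)$")


def strip_param_from_url(url: str, name: str = PARAM) -> str:
    """Remove every ``name=...`` pair from the query string, keeping the rest.

    The query is split on '&' without percent-decoding so the other
    parameters are forwarded byte-for-byte; works for full URLs (Referer)
    and for origin-form targets like ``/testpage?sid=1``.
    """
    parts = urlsplit(url)
    kept = [p for p in parts.query.split("&") if p and p.split("=", 1)[0] != name]
    return urlunsplit(parts._replace(query="&".join(kept)))


def rewrite_request(raw: str, name: str = PARAM) -> str:
    """Rewrite a CRLF-delimited HTTP/1.x request head; returns the new head."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        raise ValueError("malformed request line: %r" % lines[0])
    target = strip_param_from_url(m.group("target"), name)
    out = ["%s %s %s" % (m.group("method"), target, m.group("version"))]
    for line in lines[1:]:
        hname, sep, value = line.partition(":")
        if sep and hname.strip().lower() == "referer":
            line = "%s: %s" % (hname, strip_param_from_url(value.strip(), name))
        out.append(line)
    return "\r\n".join(out)


# Constructed sample mirroring the poster's capture (host is an example value).
SAMPLE_REQUEST = (
    "GET /testpage?sid=123456789 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Referer: http://www.example.com/otherpage?sid=123456789\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(rewrite_request(SAMPLE_REQUEST))
```

Running the module prints the rewritten head; ``/testpage`` is kept as-is whatever the page, since only the query string is touched.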

Similar Messages

  • Cisco ACE - dynamic header rewrite

    Can the ACE do dynamic http host and URL rewrites using an action list and variables?
    I need to rewrite a URL like this...
    http://*.domain.com rewritten to http://www.domain.com/user1/*
    For example...
    http://mikeyd.domain.com would be rewritten to http://www.domain.com/user1/mikeyd
    ... and so on for a large number of user names at the beginning of the URL string.
    I am trying to find the action-list syntax for header rewrite and having trouble figuring this out.  Would a redirection be a better option?
    Thanks, in advance, for any help with this.

    It's more related to disaster recovery planning than ACE configuration
    The cleanest way is to use L2 extension.
    Otherwise you can use VMWare SRM to change the IP addresses of your VMs, or run an OSPF process and replicate all the subnets and put them in the "shutdown state" (or announce them with a very high cost, proximity routing will do the rest - the ACE module can do this for the VIPs with OSPF route health injection, the ACE4710 doesn't support RHI but on the upstream router you can define an IP SLA probe and perform conditional redistribution), or use a dummy VRF with all your subnets and when enabling DRP, perform route leaking... use NAT with DNS-based failover etc...
    There is no generic answer to your problem.

  • ACE http header rewrite

    hi
    Is there any chance to change my request on the ACE like this?
    The request is http://www.xpto.com and I need it to be rewritten to http://xpto.com
    thanks in advance
    Antero

    Hi Antero,
    Yes, this is possible. Just check the link below for more details
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/classlb.html#wp1151822
    Assuming "http://www.xpto.com" is the only request you want to rewrite, the syntax of the action would be "header rewrite request Host header-value www.xpto.com replace xpto.com"
    If, however, you need to create this action in a more generic way so that any URL is rewritten in the same format, you would need to use a regular expression. In this case, it would be something similar to the following (I didn't test it, so I'm not 100% sure that the regex is correct) "header rewrite request Host header-value www\.(.*)\.com replace %1.com"
    I hope this helps
    Daniel

  • 302 Redirect Location Header Rewrite not working with code upgrade

    Hi,
    Description:
    We have a portal webservice hosted by an ACE4710. It has two services (www/https) on the same IP 10.1.1.1.
    One is a redirect service that redirects all requests to tcp/80 on this ip to the other which is a 'standard' https proxy service.
    The backend servers are http only. Externally everything needs to be https.
    So we have an ssl proxy and Location header http to https rewrite on the https service.
    The configuration below operates correctly on v5_1_2.
    But with a code upgrade to 5_3_1b, the Location header rewrite does not work.
    We've tried several different configurations and even 'ssl url location rewrite ".*". It just looks like the ACE is completely ignoring the configuration to rewrite the Location field.
    Reverting to the older code fixes the problem.
    Problem seen:
    Here is the problem as seen on the *client*. The 302 redirect Location header is NOT rewritten:
    Response headers:
    HTTP/1.1 302 FOUND
    Server: nginx
    Date: Fri, 20 Mar 2015 10:59:43 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 295
    Connection: keep-alive
    Location: http://website.liveportal.nhs.uk/homepage/information
    Cache-Control: no-cache, no-store
    Set-Cookie: information=35a7831d-928d-4122-aef3-39ef48ac4440; Path=/; secure; HttpOnly
    X-Frame-Options: DENY
    HTTPSampleResult fields:
    ContentType: text/html; charset=utf-8
    DataEncoding: utf-8
    Config extract:
    1) Set up the servers (4 normal on tcp/80 and one for a redirect)
    rserver host WEBSERVICE-1
      ip address 192.168.1.1
      conn-limit max 200000 min 160000
      inservice
    ...and the same for the other three
    rserver redirect PORTAL_REDIRECT
      webhost-redirection https://%h/%p 302
      inservice
    2) Set up the server farms
    serverfarm host PORTAL_LIVE
      probe webping
      rserver WEBSERVICE-1 80
        inservice
      rserver WEBSERVICE-2 80
        inservice
      rserver WEBSERVICE-3 80
        inservice
      rserver WEBSERVICE-4 80
        inservice
    serverfarm redirect PORTAL_HTTP_REDIRECT
      rserver PORTAL_REDIRECT
        inservice
    3) Setup the ssl proxy and a location rewrite to https for responses from the servers
    action-list type modify http HTTPS_LOCATION
      header rewrite response Location header-value "http://(.*)" replace "https://%1"
    ssl-proxy service WEB_SSL_PROXY
      key webportal.key
      cert webportal.crt
      chaingroup root-chain
      ssl advanced-options SSL-SECURE-STRONG-WEB
    4) Set up the L4 services
    class-map match-all PORTAL_HTTP
      2 match virtual-address 10.1.1.1 tcp eq www
    class-map match-all PORTAL_SSL
      2 match virtual-address 10.1.1.1 tcp eq https
    5) Setup the policy maps - one for the reals servers with header rewrite for redirects
    policy-map type loadbalance http first-match PORTAL_HTTP
      class class-default
        serverfarm PORTAL_HTTP_REDIRECT
    policy-map type loadbalance http first-match PORTAL_SSL
      class class-default
        serverfarm PORTAL_LIVE
        action HTTPS_LOCATION
    6) Create the service policy
    policy-map multi-match EXTERNAL-SERVICES
      class PORTAL_SSL
        loadbalance vip inservice
        loadbalance policy PORTAL_SSL
        loadbalance vip icmp-reply
        appl-parameter http advanced-options PARAM-HTTP
        ssl-proxy server WEB_SSL_PROXY
      class PORTAL_HTTP
        loadbalance vip inservice
        loadbalance policy PORTAL_HTTP
        loadbalance vip icmp-reply
    7) Apply to the interface
    interface vlan 211
      description External Access
      ip address x.x.x.x 255.255.255.0
      alias x.x.x.x 255.255.255.0
      peer ip address x.x.x.x 255.255.255.0
      access-group input PERMIT-ALL
      service-policy input EXTERNAL-SERVICES
      no shutdown

    I found that the v5_3_1b code seems to need a bit of extra configuration and it now works ok.
    parameter-map type http PARAM_HTTP
      header modify per-request
      no persistence-rebalance
      case-insensitive

  • Https header rewrite

    Guys,
    I need to setup ACE to do the below:
    The client will call a url: https://server1.com.br
       - Ace will terminate this ssl with a certificate of my internal ca imported to ACE;
    Then, I need ACE to rewrite the url to https://host01.com.br/appl using a certificate generated by the Application Server and also imported to ACE.
    Is it possible?

    So, you have client authentication configured on your real server? (I mean, very often HTTPS only uses a certificate on the server side)
    If yes - no problem, you can configure such a type of SSL initiation too, however we can rewrite the HTTP header but we can't change the URL (and https://server1.com.br to https://host01.com.br/app are URLs)
    Example of HTTP header and some small explanations :
    http://www.http.header.free.fr/http.html
    And in that example you can change only these parts :
    >> Host: www.http.header.free.fr
    >> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    >> Accept-Language: Fr
    >> Accept-Encoding: gzip, deflate
    >> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)
    >> Connection: Keep-Alive
    You can't change these :
    URL : "http://www.http.header.free.fr/http.html". Your browser connects to www.http.header.free.fr and sends :
    >> GET /http.html Http1.1

  • Maximum header size on ACE and CSS

    What's the max size for the header that you can allocate on CSS and ACE?

    The CSS limit is in terms of packets...
    501-1(config)# spanning-packets ?
    Integer value(Range: 1-20)
    501-1(config)# spanning-packets
    We can hold max 20 packets per connection.
    So, if you are doing L7 loadbalancing and are looking for a cookie, it better be in the first 20 packets.
    ACE has a limit in buffers per connection and a limit of header size.
    They are controlled with a parameter-map
    switch/User2(config-parammap-http)# set header-maxparse-length ?
    <1-65535> Enter max-parse length for header
    G.

  • CSS11506 http header rewrite question

    Hi
    I read the ACE doc, and it said that the Cisco ACE supports the capability to rewrite HTTP headers in both client requests and server responses. Can the CSS11506 do it?
    I have a lot of problems where the application on the local server redirects https to http, because of the way they do the installation (the standard way), and it cannot be fixed, or is hard to fix.
    I would like to get a tip on how to let the CSS11506 rewrite the server's redirect. Is it possible?
    Any comments will be appreciated
    Thanks in advance
    julxu

    Hello Julxu,
    If I understand your question correctly, you are looking for the CSS to rewrite the URL from http to https when the server sends a redirect to the client.  If I'm correct, then you can find out how to accomplish this in the Specifying Secure URL Rewrite section of the CSS configuration guides.
    Hope this helps,
    Sean

  • ACE module SSL url rewrite and path rewrite

    Hi all,
    I'm hoping some of you helpful people on this forum can guide me or suggest a solution to a problem I'm faced with.
    I am currently load balancing exchange 2010 traffic via an ACE module.  Software version is A2(3.3).  I have most parts of it working fine however I am having an issue when it comes to SSL termination for Outlook Web Access (OWA).
    The problem comes down to a HTTP header (field is location).  I have configured an action list to re-write the SSL pure URL as per page 96 of the "Cisco Application Control Engine Module SSL Configuration Guide".  example:
    ssl url rewrite location bnecas\.mycompany\.com sslport 443
    That part works, the http header location field that comes back from the GET request is changed to https://cas.mycompany.com which is great.  However, in addition to that url, there is also a path or something following that part.  The actual string that is returned is:
    https://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0
    The first bit of it, (https://cas.mycompany.com) is changed by the ssl url rewrite command, however the last part (http://cas.mycompany.com/owa/&reason=0) isn't changed.
    This is where I've been trying to get the http Header Rewrite command to do something.  I don't know if it can work in conjunction with the ssl url rewrite function however with the ssl rewrite function it seems it can't change bits of the string that aren't the pure URL at the front.
    The end result is that while I have an SSL connection to the OWA login page, when I do login to OWA it reverts back to HTTP.  I'm fairly sure it is because of the last part of the location string above.  Is there a way to change that location string to do the following:
    1.  change the first part of the string to be https://cas.mycompany.com (like the ssl url rewrite function)
    2.  change the last part of the location string to put https in there instead of http
    Ideally I would love to have this string
    http://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0
    replaced with this one
    https://cas.mycompany.com/owa/auth/logon.aspx?url=https://cas.mycompany.com/owa/&reason=0
    I had originally tried the following in the action list:
    header rewrite response location header-value "(owa/auth/logon\.aspx\?url=)http(://bnecas\.thiess\.aus/owa/&reason=0)" replace "%1https%2"
    ssl url rewrite location bnecas\.mycompany\.com sslport 443
    but it didn't work.  I'm probably screwing up the regex somewhere however there doesn't seem to be very clear examples anywhere I can find.
    Any help will be greatly appreciated and of course I will be sure to rate every post that responds to my plea for help.
    Brad

    Hi Brad,
    try this:
    action-list type modify http X
      header rewrite response Location header-value "http://(.*url=)http://(.*)" replace "https://%1https://%2"
    We won't be using ssl url rewrite in this case.
    Also we will be needing persistence rebalance applied through the application parameter map, and apply that under the VIP class.

  • ACE http header response

    Hi,
    I have for example a site http://abc.com which response back with the port on which it's being used on the server ex: http://abc.com:9081
    How would I rewrite the response to remove the port on the server that is being used?
    Thank you,

    Hi,
    Do you have to rewrite the 30x redirect response from the server, or is it a normal response?
    You can try below:
    (config)# action-list type modify http H
    (config-actlist-modify)# header rewrite response Location header-value http://abc.com:9008  replace http://abc.com
    I am using header name as Location. Please use according to your need.
    I haven't tried this myself but it should work. Try and let me know.
    Regards,
    Kanwal
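Several replies on this page post a ``header rewrite ... header-value <regex> replace <string>`` expression without having tried it (Daniel's Host rewrite, the Location http-to-https rewrite from the 5_3_1b thread, the OWA ``url=`` rewrite, and Kanwal's port-stripping rule just above). The block below is an added example, not code from any of those posts or from Cisco: a small emulator of the ACE rewrite action in Python's ``re`` so an expression can be run against sample header values before it goes on a box. It assumes the regex may match anywhere in the value, that only the matched part is replaced, and that ``%1``..``%9`` are the capture groups; the real ACE dialect and anchoring may differ, so a pass here is necessary rather than sufficient, and it says nothing about whether the action is applied to the traffic at all. It also shows two things the posted expressions do not: the OWA rule leaves a plain redirect without ``url=`` on http, and a literal ``http://abc.com:9008`` matches only that one port (the question shows 9081), for which an escaped, any-port variant is added.

```python
"""Offline check of Cisco ACE ``header rewrite`` expressions.

Added example, not code from the original posts or from Cisco: it emulates the
``header rewrite <request|response> <header> header-value <regex> replace <string>``
action with Python's ``re`` so the expressions posted in these threads (the Host
rewrite, the Location http-to-https rewrite, the OWA ``url=`` rewrite and the
port-stripping rewrite) can be tried on sample values before they go on a box.
Assumptions, labelled here and in the code: the regex may match anywhere in the
header value and only the matched portion is replaced (sed-like), and ``%1``..``%9``
in the replace string are the capture groups. The real ACE regex dialect and
anchoring may differ, so a pass here is necessary, not sufficient; it will not
tell you whether the action is applied to the traffic at all.
"""
import re


def ace_replace_to_python(replace: str) -> str:
    """Turn ACE-style '%1'..'%9' back-references into Python's '\\1'..'\\9'."""
    escaped = replace.replace("\\", "\\\\")          # keep literal backslashes literal
    return re.sub(r"%([1-9])", r"\\\1", escaped)


def header_rewrite(value: str, pattern: str, replace: str) -> str:
    """Apply one rewrite to a header value; the value is returned unchanged on no match.

    Assumption: search anywhere, replace the first match only.
    """
    return re.sub(pattern, ace_replace_to_python(replace), value, count=1)


# Expressions as posted in the threads above.
HOST_PATTERN, HOST_REPLACE = r"www\.(.*)\.com", "%1.com"
LOC_PATTERN, LOC_REPLACE = r"http://(.*)", "https://%1"
OWA_PATTERN, OWA_REPLACE = r"http://(.*url=)http://(.*)", "https://%1https://%2"
PORT_PATTERN, PORT_REPLACE = "http://abc.com:9008", "http://abc.com"
# Added variant (not from the thread): escape the dots and accept any port.
ANYPORT_PATTERN, ANYPORT_REPLACE = r"http://abc\.com:[0-9]+", "http://abc.com"

# Constructed sample header values (hostnames from the threads or example values).
OWA_LOCATION = "http://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0"
OWA_EXPECTED = "https://cas.mycompany.com/owa/auth/logon.aspx?url=https://cas.mycompany.com/owa/&reason=0"


def check_thread_rules() -> dict:
    """Run every posted rule on a sample value; returns {label: rewritten value}."""
    return {
        "host": header_rewrite("www.xpto.com", HOST_PATTERN, HOST_REPLACE),
        "location": header_rewrite("http://www.example.com/homepage", LOC_PATTERN, LOC_REPLACE),
        "owa": header_rewrite(OWA_LOCATION, OWA_PATTERN, OWA_REPLACE),
        # plain redirect without url=: the OWA rule alone leaves it on http
        "owa_plain": header_rewrite("http://cas.mycompany.com/owa/", OWA_PATTERN, OWA_REPLACE),
        "port": header_rewrite("http://abc.com:9008/login", PORT_PATTERN, PORT_REPLACE),
        # the literal rule matches only that one port
        "port_other": header_rewrite("http://abc.com:9081/login", PORT_PATTERN, PORT_REPLACE),
        "anyport": header_rewrite("http://abc.com:9081/login", ANYPORT_PATTERN, ANYPORT_REPLACE),
    }


if __name__ == "__main__":
    for label, result in check_thread_rules().items():
        print("%-10s %s" % (label, result))
```

Whatever the emulator says, confirm on the device with the ``Headers rewritten`` and ``Header rewrite errors`` counters in ``show stats http`` (both are visible in the statistics dumps further down this page); a rule that passes here but leaves those counters at zero is not being applied.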

  • ACE CLIENT CERTIFICATE INSERTION IN HEADER

    Hi guys.
    I have a doubt regarding the client cert insertion in the https header.
    The exact problem is that in the old SSL module we had an option like this:
    policy http-header cert_pass
         client-cert pem
    As you can see, we configure the option to pass the complete certificate in pem format in one header.
    I'm unable to find this option in ACE 5.1(3) version.
    Any idea?
    Thanks!

    Hi David,
    May be i didn't understand. Is this what are you looking for?  You can find it in the same link.
    Configuring HTTP Header Insertion of SSL Client Certificate Information
    When you configure the ACE for client authentication, you can instruct the ACE to provide the server with information about the client certificate that the ACE receives from the client. This SSL session information enables the server to properly manage the client request and can include certificate information such as the certificate serial number or the public key algorithm used to create the public key in the certificate. To forward the SSL session information to the server, the ACE inserts HTTP headers containing the client certificate fields that you specify into the HTTP requests that it receives over the client connection. The ACE then forwards the HTTP requests to the server.
    Note To prevent HTTP header spoofing, the ACE deletes any incoming HTTP headers that match one of the headers that it is going to insert into the HTTP request.
    When you instruct the ACE to insert SSL client certificate information, by default, the ACE inserts the HTTP header information into every HTTP request that it receives over the client connection because persistence rebalance is enabled by default. If you do not want the ACE to insert the information into every HTTP request that it receives over the connection, disable persistence rebalance in an HTTP parameter map. You can also instruct the ACE to insert the information into every HTTP request that it receives over the connection by creating an HTTP parameter map with the header modify per-request command enabled. You then reference the parameter map in the policy map that the ACE applies to the traffic. For information about creating an HTTP parameter map, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
    Note You must have the ACE configured for client authentication to insert an HTTP header with SSL client certificate field information (see the "Enabling Client Authentication" section). If you configure header insertion but do not configure the ACE for client authentication, no header information is inserted and the counters that track the header insertion operation do not increment (see Chapter 6, "Displaying SSL Information and Statistics").
    Regards,
    Kanwal

  • Ace Redirect and re-write

    Can anybody point me in the right direction for changing the URL when the ACE is performing the redirection?
    I have the standard ace redirection to HTTPS set up and it is working fine.
    I have a wildcard certificate *.abc.com but when the application was being tested the URL abc.com kicks up a certificate error in the browser.
    Not sure if I should have set the CN as *acb.com when ordering it but its done now.
    I am wanting to redirect when http://abc.com is put in the client browser to https://www.abc.com
    I have tried reading these forums and using header rewrite to change the location on response but it just doesn't seem to work.
    I have tried deleting/renaming/replacing the host header on request and rewrite/delete on response. Tried all sorts of regex nothing works.
    I can insert a header so I know the action is being hit, just can't seem to change the host on request or location on response.
    Any ideas?
    I am guessing the inner workings only allow for modification of these headers when the redirects are being done by the server and the headers are passing through the load balancer.
    on latest 5(2.1) version
    example of one I tried
    action-list type modify http ABC_MODIFY
      header rewrite response location header-value "https://abc(.*)" replace "https://www.abc%1"
    then applied to policy redirect map

    I tried another approach which seemed to work.
    rserver redirect RED2A
    webhost-redirection https://www.%h 302
    inservice
    rserver redirect RED2
    webhost-redirection https://%h 302
    inservice
    serverfarm redirect RED2-VIP-IN
    rserver RED2
    inservice
    serverfarm redirect RED2A-VIP-IN
    rserver RED2A
    inservice
    class-map type http loadbalance match-any RED2A-VIP-IN
    2 match http header Host header-value "abc.com"
    class-map match-any RED2-VIP-IN
    2 match virtual-address x.x.x.x tcp eq www
    ..etc
    policy-map type loadbalance first-match RED2-VIP-IN-LB-POLICY
    class RED2A-VIP-IN
      serverfarm RED2A-VIP-IN
    class class-default
      serverfarm RED2-VIP-IN
    this seemed to redirect the abc.com to https://www.abc.com and the other requests like other.abc.com to https://other.abc.com
    I tried regex for the header value match like [^\.]abc.com and ^abc.com but these didn't seem to match.
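The working approach in the post above, two redirect serverfarms selected by a Host header class-map, modelled as an added example (not code from the post or from Cisco) so the Location a client gets back can be checked offline. It assumes ``%h`` expands to the request's Host header value and ``%p`` to the path without its leading slash (another thread on this page writes the template as ``https://%h/%p``), and treats the class-map ``header-value "abc.com"`` as an exact, case-insensitive match of the whole Host value. The hardened variant at the end is added here and is not in the thread: since ``%h`` reflects whatever Host the client sent, the class-default ``https://%h`` template turns an arbitrary Host value into an arbitrary redirect target unless the accepted hosts are constrained.

```python
"""Emulate the Host-selected redirect serverfarms from this thread.

Added example, not code from the original post or from Cisco: it models the
``webhost-redirection https://www.%h 302`` and ``https://%h 302`` rservers and
the ``match http header Host header-value "abc.com"`` class-map that picks
between them, so the Location a client would get back can be checked offline.
Assumptions, labelled in the code: ``%h`` expands to the request's Host header
value and ``%p`` to the path without its leading slash; the class-map
header-value is an exact, case-insensitive match of the whole Host value.
The hardened variant at the end is added here and is not in the thread.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RedirectRule:
    host_match: Optional[str]   # class-map Host header-value; None = class-default
    template: str               # webhost-redirection template
    code: int = 302


# First-match order as in the policy-map RED2-VIP-IN-LB-POLICY.
RULES: List[RedirectRule] = [
    RedirectRule("abc.com", "https://www.%h"),   # class RED2A-VIP-IN -> serverfarm RED2A-VIP-IN
    RedirectRule(None, "https://%h"),            # class-default      -> serverfarm RED2-VIP-IN
]


def expand(template: str, host: str, path: str) -> str:
    """Expand the redirect template (assumption: %h = Host, %p = path sans leading '/')."""
    return template.replace("%h", host).replace("%p", path.lstrip("/"))


def redirect_for(host: str, path: str, rules: List[RedirectRule] = RULES) -> Optional[Tuple[int, str]]:
    """Return (status, Location) from the first matching rule; None if nothing matches."""
    for rule in rules:
        if rule.host_match is None or rule.host_match.lower() == host.lower():
            return rule.code, expand(rule.template, host, path)
    return None


def host_is_ours(host: str, zone: str = "abc.com") -> bool:
    """True for the zone apex or any label under it; rejects ports and lookalikes."""
    h = host.lower()
    return h == zone or h.endswith("." + zone)


def redirect_for_checked(host: str, path: str, rules: List[RedirectRule] = RULES) -> Optional[Tuple[int, str]]:
    """Hardened variant (added here): only expand %h for Host values we own."""
    if not host_is_ours(host):
        return None   # answer with an error instead of reflecting the Host into Location
    return redirect_for(host, path, rules)


if __name__ == "__main__":
    for h in ("abc.com", "other.abc.com", "evil.example"):
        print(h, "->", redirect_for(h, "/"), "checked:", redirect_for_checked(h, "/"))
```

On the ACE itself the equivalent of ``host_is_ours`` is an explicit Host class-map in front of the class-default redirect, so that requests with a foreign Host never reach the ``https://%h`` serverfarm.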

  • ACE Total Connections Failed stats

    I have been monitoring connection stats on an ACE Module context (show stats connection).
    During recent load testing I observed that about 1/3 of all connections were failing and some timing out.
    How can I find out more details about the connections that are failing and timing out?
    i.e. which specific connections are failing, what type of failures increment this counter, etc.
    Cheers,
    Karl
    # sh stats conn
    +------------------------------------------+
    +------- Connection statistics ------------+
    +------------------------------------------+
    Total Connections Created : 5725
    Total Connections Current : 2382
    Total Connections Destroyed: 3590
    Total Connections Timed-out: 11
    Total Connections Failed : 2112

    Hi Kim,
    Thanks for responding.
    A load test was run earlier today. I cleared the counters and collected some stats (see below).
    I also had a look at various other stats for drops.
    As far as I could see all relevant, rservers, serverfarms and service-policies were:
    in service BUT
    drop stats were not incrementing at anywhere near the same rate as the Total Connections Failed stat.
    Another load test is scheduled for tomorrow.
    Any thoughts on what to check next?
    labcorelb/DZ1ENV# sh stats conn
    +------------------------------------------+
    +------- Connection statistics ------------+
    +------------------------------------------+
    Total Connections Created  : 131698
    Total Connections Current  : 3660
    Total Connections Destroyed: 67558
    Total Connections Timed-out: 70
    Total Connections Failed   : 64090
    +------------------------------------------+
    +-------------- HTTP statistics -----------+
    +------------------------------------------+
    LB parse result msgs sent : 91904      , TCP data msgs sent       : 187614   
    Inspect parse result msgs : 0          , SSL data msgs sent       : 0        
                          sent
    TCP fin msgs sent         : 75         , TCP rst msgs sent:       : 3        
    Bounced fin msgs sent     : 0          , Bounced rst msgs sent:   : 0        
    SSL fin msgs sent         : 0          , SSL rst msgs sent:       : 0        
    Drain msgs sent           : 31831      , Particles read           : 397303   
    Reuse msgs sent           : 0          , HTTP requests            : 64390    
    Reproxied requests        : 58314      , Headers removed          : 0        
    Headers inserted          : 0          , HTTP redirects           : 0        
    HTTP chunks               : 741        , Pipelined requests       : 0        
    HTTP unproxy conns        : 64360      , Pipeline flushes         : 0        
    Whitespace appends        : 0          , Second pass parsing      : 0        
    Response entries recycled : 0          , Analysis errors          : 0        
    Header insert errors      : 0          , Max parselen errors      : 0        
    Static parse errors       : 0          , Resource errors          : 0        
    Invalid path errors       : 0          , Bad HTTP version errors  : 0        
    Headers rewritten         : 0          , Header rewrite errors    : 0        
    SSL headers inserted      : 0          , SSL header insert errors : 0        
    SSL spoof headers deleted : 0        
    Unproxy msgs sent         : 64362    
    +------------------------------------------+
    +--------- HTTP Inspect statistics --------+
    +------------------------------------------+
    Total request/response   : 0
    Total allow decisions    : 0
    Total drop decisions     : 0
    Total logging decisions  : 0
    +------------------------------------------+
    +------- Loadbalance statistics -----------+
    +------------------------------------------+
    Total version mismatch              : 0
    Total Layer4 decisions              : 142
    Total Layer4 rejections             : 0
    Total Layer7 decisions              : 64401
    Total Layer7 rejections             : 0
    Total Layer4 LB policy misses       : 0
    Total Layer7 LB policy misses       : 0
    Total times rserver was unavailable : 0
    Total ACL denied                    : 0
    Total IDMap Lookup Failures         : 0
    +------------------------------------------+
    +----------- Sticky statistics ------------+
    +------------------------------------------+
    Total sticky entries reused    : 0
    prior to expiry
    Total active sticky entries    : 0
    Total active reverse sticky    : 0
    entries
    Total active sticky conns      : 0
    Total static sticky entries    : 0
    +-----------------------------------------------------+
    +---------------- KAL-AP(UDP) statistics -------------+
    +-----------------------------------------------------+
    Total bytes received                         : 0
    Total bytes sent                             : 0
    Total requests received                      : 0
    Total responses sent                         : 0
    Total requests successfully received         : 0
    Total queries successfully received          : 0
    Total responses successfully sent            : 0
    Total secure requests received               : 0
    Total secure responses sent                  : 0
    Total requests with errors                   : 0
    Total requests with parse errors             : 0
    Total requests dropped due to queue overflow : 0
    Total response transfer errors               : 0
    labcorelb/DZ1ENV#sh service-policy Vip_POLICY summary
    service-policy: Vip_POLICY
    Class                            VIP       Prot  Port        VLAN          State    Curr Conns   Hit Count  Conns Drop
    xxxx34_HTTP_CLASS                xxxx.34   tcp   eq 80       ALL           IN-SRVC           0           0          0
    WCMST-WWW_HTTP_CLASS             xxxx.50   tcp   eq 80       ALL           IN-SRVC           7          48          0
    WCMST-FORUM_HTTP_CLASS           xxxx.111  tcp   eq 80       ALL           IN-SRVC           8         577          0
    WCMST-SEARCH_HTTP_CLASS          xxxx.51   tcp   eq 80       ALL           IN-SRVC           0         174          0
    WCMST-ENGINEADM_HTTP_CLASS       xxxx.112  tcp   eq 80       ALL           IN-SRVC           0           0          0
    INTERNET-WWW_HTTP_CLASS          xxxx.110  tcp   eq 80       ALL           IN-SRVC        1794       33919         18

  • ACE 4710 - Internet Explorer cannot display the webpage randomly

    We have a ACE 4710 with a basic config, (see below).
    When clicking on a tab from a window within Internet Explorer we occasionally get an issue with it returning: "Internet Explorer cannot display the webpage". The details show "Access is denied" accessing a particular line of a javascript file.
    We have put one web server out of service in the farm to make sure that this isn't a result of stickyness not quite working.
    We have tested extensively by going directly to the web server without the load balancer and cannot reproduce the problem, but we can produce the issue within a few minutes when going to the load balanced address.
    Thanks in advance for any advice.
    HOST-1/Admin# show run
    Generating configuration....
    logging enable
    logging fastpath
    logging standby
    logging timestamp
    logging trap 6
    logging history 6
    resource-class SLB_ResourceClass_T_R
      limit-resource all minimum 10.00 maximum unlimited
    resource-class sticky
      limit-resource all minimum 10.00 maximum unlimited
    boot system image:c4710ace-t1k9-mz.A5_1_2.bin
    peer hostname HOST-2
    hostname HOST-1
    interface gigabitEthernet 1/1
      switchport access vlan 1000
      no shutdown
    interface gigabitEthernet 1/2
      shutdown
    interface gigabitEthernet 1/3
      description LB003
      switchport access vlan 1
      shutdown
    interface gigabitEthernet 1/4
      description LB004
      switchport access vlan 2
      shutdown
    interface port-channel 1
      port-channel load-balance src-dst-port
      no shutdown
    clock timezone standard GMT
    switch-mode
    context Admin
      description SUTLB01
      member SLB_ResourceClass_T_R
    access-list ALL line 8 extended permit ip any any
    access-list ALL line 16 extended permit icmp any any
    access-list everyone line 8 extended permit ip any any
    access-list everyone line 16 extended permit icmp any any
    probe tcp probe_tcp_80
      port 80
    rserver host Server_S_W301
      description Server_S_W301
      ip address x.x.32.152
      inservice
    rserver host Server_S_W302
      description Server_S_W302
      ip address x.x.32.154
      inservice
    serverfarm host sfarm_T_R
      description sfarm_T_R
      predictor leastconns
      probe probe_tcp_80
      rserver Server_S_W301 80
      rserver Server_S_W302 80
        inservice
    sticky http-cookie Cookie1 T_R_sticky_cookie
      cookie insert browser-expire
      timeout 3600
      serverfarm sfarm_T_R
    class-map match-any T_R_L4Class
      2 match virtual-address x.x.33.150 tcp eq www
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    policy-map type loadbalance first-match T_R_L7policy
      class class-default
        sticky-serverfarm T_R_sticky_cookie
    policy-map multi-match T_R_L4Policy
      class T_R_L4Class
        loadbalance vip inservice
        loadbalance policy T_R_L7policy
        loadbalance vip icmp-reply active
        nat dynamic 2 vlan 1000
    interface vlan 1000
      ip address x.x.33.148 255.255.254.0
      access-group input ALL
      nat-pool 2 x.x.33.151 x.x.33.151 netmask 255.255.254.0 pat
      service-policy input remote_mgmt_allow_policy
      service-policy input T_R_L4Policy
      no shutdown
    ip route 0.0.0.0 0.0.0.0 x.x.32.1
    ssh key rsa 1024 force

    +------------------------------------------+
    +-------------- HTTP statistics -----------+
    +------------------------------------------+
    LB parse result msgs sent : 421347     , TCP data msgs sent       : 2099597
    Inspect parse result msgs : 0          , SSL data msgs sent       : 0
                          sent
    TCP fin msgs sent         : 6169       , TCP rst msgs sent:       : 769
    Bounced fin msgs sent     : 5          , Bounced rst msgs sent:   : 1
    SSL fin msgs sent         : 0          , SSL rst msgs sent:       : 0
    Drain msgs sent           : 337811     , Particles read           : 5040829
    Reuse msgs sent           : 0          , HTTP requests            : 342499
    Reproxied requests        : 183422     , Headers removed          : 37475
    Headers inserted          : 342124     , HTTP redirects           : 0
    HTTP chunks               : 224859     , Pipelined requests       : 71466
    HTTP unproxy conns        : 267246     , Pipeline flushes         : 0
    Whitespace appends        : 0          , Second pass parsing      : 0
    Response entries recycled : 71302      , Analysis errors          : 0
    Header insert errors      : 22         , Max parselen errors      : 215
    Static parse errors       : 99         , Resource errors          : 0
    Invalid path errors       : 0          , Bad HTTP version errors  : 0
    Headers rewritten         : 0          , Header rewrite errors    : 0
    SSL headers inserted      : 0          , SSL header insert errors : 0
    SSL spoof headers deleted : 0         , Unproxy msgs sent         : 267246
    HTTP passthrough stat     : 0
    NOTE - We did turn on caching at one point to try and resolve the issue but it has since been turned off

  • ACE timeout for different Serverfarms

    I have a Business unit that publishes an application that is externally available. We Reverse Proxy the VIP to allow the connection externally. They would like to impose different application timeouts for internal users (1 hour) and external users (30 minutes). The application can not differentiate between an external or internal source, so our option is either separate serverfarms with separate real servers with different configuration files.
    My question is, is there any other way to do this within the ACE so that we don't have to spin up separate servers with different configuration files.
    I would also like to maintain one VIP address if possible.

    You can maintain 1 VIP but you'll have to use header rewrite and work with dev. team of your application.
    It's related to the session state tracked by a cookie the application sends (either as a Set-Cookie or a token embedded in URLs)
    Make two different serverfarms (with the same set of real servers).
    Make a class-map matching the IP addresses of internal users (RFC 1918 ?)
    For this class-map, add a field in each HTTP request coming in
    "X-Internal:YES"
    apply this on each request with the option
    header-rewrite per-request
    The application team just has to parse each header for the pattern you've just added and then change the timeout value to the one they want.
    For the class-default (external users) you can add "X-Internal:NO", it's cleaner but not strictly necessary.
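    The application-side half of the approach above, as an added example that is not part of the thread or any Cisco code: a small parser for the incoming request headers and the timeout selection the application team would implement. It assumes the ACE inserts exactly the marker the answer names ("X-Internal:YES" for the internal class, "X-Internal:NO" for class-default) and that 1 hour / 30 minutes are the two timeouts from the question. The code treats a missing marker, or any value other than an explicit YES, as external, so a request that reaches the application without passing through the internal-users class gets the shorter timeout rather than the longer one.

```python
"""Application-side handling of the X-Internal marker inserted per request by the ACE."""
# Added example, not from the thread or from Cisco. Assumes the ACE inserts
# "X-Internal:YES" for the internal-users class-map and "X-Internal:NO" for
# class-default, as the answer above suggests.

INTERNAL_TIMEOUT = 3600   # 1 hour for internal users (value from the question)
EXTERNAL_TIMEOUT = 1800   # 30 minutes for external users (value from the question)
MARKER_HEADER = "x-internal"   # header name the ACE is configured to insert


def parse_request_headers(raw_request):
    """Split a raw HTTP/1.1 request into (request line, {lower-cased name: value}).

    The answer writes the marker as "X-Internal:YES" with no space after the colon;
    partitioning on the first colon handles that as well as the usual "Name: value".
    """
    head, _, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = {}
    for line in header_lines:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def session_timeout_for(headers):
    """Choose the idle timeout from the marker the ACE added to this request.

    Only an explicit YES selects the long timeout; a missing marker or any other
    value (NO, empty, garbage) falls back to the shorter external timeout.
    """
    if headers.get(MARKER_HEADER, "").strip().upper() == "YES":
        return INTERNAL_TIMEOUT
    return EXTERNAL_TIMEOUT


def session_expired(last_activity, now, headers):
    """True when the session has been idle longer than the timeout for this request's class.

    last_activity and now are seconds (e.g. time.time() values).
    """
    return (now - last_activity) > session_timeout_for(headers)


# Constructed sample requests: one per traffic class and one with no marker at all.
INTERNAL_REQUEST = (
    "GET /app/report HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "X-Internal:YES\r\n"
    "Cookie: JSESSIONID=constructed-session-id\r\n"
    "\r\n"
)
EXTERNAL_REQUEST = INTERNAL_REQUEST.replace("X-Internal:YES", "X-Internal:NO")
UNMARKED_REQUEST = INTERNAL_REQUEST.replace("X-Internal:YES\r\n", "")


if __name__ == "__main__":
    for label, req in (("internal", INTERNAL_REQUEST),
                       ("external", EXTERNAL_REQUEST),
                       ("unmarked", UNMARKED_REQUEST)):
        _, hdrs = parse_request_headers(req)
        print("%-8s timeout=%ds" % (label, session_timeout_for(hdrs)))
```

    The session store itself is whatever the application already uses; the only change is that the idle timeout becomes a per-request lookup on the marker instead of a single configured value, which is what lets one set of real servers serve both serverfarms.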

  • ACE SSL Connections Failing

    We have a new secure site where we are using the ACE as a ssl-proxy. I see connections make it all the way to the servers, but the session eventually times out (Browser responds with "The connection has timed out"). I haven't been able to grab a packet capture yet, but I am looking for some input since I am new to the ACE. We are also set up for sticky connections using cookies.
    I see connections to the server but no response back. I also see the cookie placed in my browser. Once I close the browser window, the current connection drops.
    sh serverfarm SECUREMAIL
    serverfarm     : SECUREMAIL, type: HOST
    total rservers : 2
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: E01
           10.0.0.95:8080        8      OPERATIONAL  1          4          0
       rserver: E02
           10.0.0.98:8080        8      OPERATIONAL  0          1         
    I verified the cert and keys match with the verify crypto command. If I bypass https and connect via http, I am able to hit the server test page. I attached the scrubbed config.
    Any info is appreciated.

    Make sure the clock on the supervisor/device has the correct date, to avoid failing the not-before/not-after check of the cert.
    Once the configuration is complete, check to make sure the VIP address can be accessed via HTTPS in a web browser. If any certificate errors are shown, this indicates a problem with the certificate, not with the Cisco ACE configuration. The above commands can be used to verify that SSL sessions are being terminated successfully.
    When a client’s web browser connects to an SSL server on any device, the browser and server negotiate which encryption cipher to use for the session. The list and order of ciphers presented by the ACE in a default configuration are as follows.
    1. CM_SSL_RSA_WITH_RC4_128_MD5
    2. CM_SSL_RSA_WITH_RC4_128_SHA
    3. CM_SSL_RSA_WITH_DES_CBC_SHA
    4. CM_SSL_RSA_WITH_3DES_EDE_CBC_SHA
    5. CM_SSL_RSA_WITH_AES_128_CBC_SHA
    6. CM_SSL_RSA_WITH_AES_256_CBC_SHA
    7. CM_SSL_RSA_EXPORT_WITH_RC4_40_MD5
    8. CM_SSL_RSA_EXPORT1024_WITH_RC4_56_MD5
    9. CM_SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    10. CM_SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
    11. CM_SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
    If this list is not desirable or the order needs to be changed, an SSL parameter map can be configured to make such changes.
    Can you send the output of the following commands so I can suggest more on your config?
    ACE-1/routed#show crypto authgroup all
    ACE-1/routed# show conn display 1000 detail
    ACE-1/routed# show crypto files
    ACE-1/routed# show crypto certificate all
    ACE-1/routed# show crypto key all
    ACE-1/routed# show crypto session
    ACE-1/routed# show crypto hardware
    ACE-1/routed# show service-policy detail
    Please display client SSL statistics by entering the following command and also attach the output here so that I can see what is happening in your ACE device:
    ACE_module5/Admin# show stats crypto client
    +----------------------------------------------+
    +---- Crypto client termination statistics ----+
    +----------------------------------------------+
    SSLv3 negotiated protocol:                        0
    TLSv1 negotiated protocol:                        0
    SSLv3 full handshakes:                            0
    SSLv3 resumed handshakes:                         0
    SSLv3 rehandshakes:                               0
    TLSv1 full handshakes:                            0
    TLSv1 resumed handshakes:                         0
    TLSv1 rehandshakes:                               0
    SSLv3 handshake failures:                         0
    SSLv3 failures during data phase:                 0
    TLSv1 handshake failures:                         0
    TLSv1 failures during data phase:                 0
    Handshake Timeouts:                               0
    total transactions:                               0
    SSLv3 active connections:                         0
    SSLv3 connections in handshake phase:             0
    SSLv3 conns in renegotiation phase:               0
    SSLv3 connections in data phase:                  0
    TLSv1 active connections:                         0
    TLSv1 connections in handshake phase:             0
    TLSv1 conns in renegotiation phase:               0
    TLSv1 connections in data phase:                  0
    +----------------------------------------------+
    +------- Crypto client alert statistics -------+
    +----------------------------------------------+
    SSL alert CLOSE_NOTIFY rcvd:                      0
    SSL alert UNEXPECTED_MSG rcvd:                    0
    SSL alert BAD_RECORD_MAC rcvd:                    0
    SSL alert DECRYPTION_FAILED rcvd:                 0
    SSL alert RECORD_OVERFLOW rcvd:                   0
    SSL alert DECOMPRESSION_FAILED rcvd:              0
    SSL alert HANDSHAKE_FAILED rcvd:                  0
    SSL alert NO_CERTIFICATE rcvd:                    0
    SSL alert BAD_CERTIFICATE rcvd:                   0
    SSL alert UNSUPPORTED_CERTIFICATE rcvd:           0
    SSL alert CERTIFICATE_REVOKED rcvd:               0
    SSL alert CERTIFICATE_EXPIRED rcvd:               0
    SSL alert CERTIFICATE_UNKNOWN rcvd:               0
    SSL alert ILLEGAL_PARAMETER rcvd:                 0
    SSL alert UNKNOWN_CA rcvd:                        0
    SSL alert ACCESS_DENIED rcvd:                     0
    SSL alert DECODE_ERROR rcvd:                      0
    SSL alert DECRYPT_ERROR rcvd:                     0
    SSL alert EXPORT_RESTRICTION rcvd:                0
    SSL alert PROTOCOL_VERSION rcvd:                  0
    SSL alert INSUFFICIENT_SECURITY rcvd:             0
    SSL alert INTERNAL_ERROR rcvd:                    0
    SSL alert USER_CANCELED rcvd:                     0
    SSL alert NO_RENEGOTIATION rcvd:                  0
    SSL alert CLOSE_NOTIFY sent:                      0
    SSL alert UNEXPECTED_MSG sent:                    0
    SSL alert BAD_RECORD_MAC sent:                    0
    SSL alert DECRYPTION_FAILED sent:                 0
    SSL alert RECORD_OVERFLOW sent:                   0
    SSL alert DECOMPRESSION_FAILED sent:              0
    SSL alert HANDSHAKE_FAILED sent:                  0
    SSL alert NO_CERTIFICATE sent:                    0
    SSL alert BAD_CERTIFICATE sent:                   0
    SSL alert UNSUPPORTED_CERTIFICATE sent:           0
    SSL alert CERTIFICATE_REVOKED sent:               0
    SSL alert CERTIFICATE_EXPIRED sent:               0
    SSL alert CERTIFICATE_UNKNOWN sent:               0
    SSL alert ILLEGAL_PARAMETER sent:                 0
    SSL alert UNKNOWN_CA sent:                        0
    SSL alert ACCESS_DENIED sent:                     0
    SSL alert DECODE_ERROR sent:                      0
    SSL alert DECRYPT_ERROR sent:                     0
    SSL alert EXPORT_RESTRICTION sent:                0
    SSL alert PROTOCOL_VERSION sent:                  0
    SSL alert INSUFFICIENT_SECURITY sent:             0
    SSL alert INTERNAL_ERROR sent:                    0
    SSL alert USER_CANCELED sent:                     0
    SSL alert NO_RENEGOTIATION sent:                  0
    +-----------------------------------------------+
    +--- Crypto client authentication statistics ---+
    +-----------------------------------------------+
    Total SSL client authentications:                 0
    Failed SSL client authentications:                0
    SSL client authentication cache hits:             0
    SSL static CRL lookups:                           0
    SSL best effort CRL lookups:                      0
    SSL CRL lookup cache hits:                        0
    SSL revoked certificates:                         0
    Total SSL server authentications:                 0
    Failed SSL server authentications:                0
    +-----------------------------------------------+
    +------- Crypto client cipher statistics -------+
    +-----------------------------------------------+
    Cipher sslv3_rsa_rc4_128_md5:                     0
    Cipher sslv3_rsa_rc4_128_sha:                     0
    Cipher sslv3_rsa_des_cbc_sha:                     0
    Cipher sslv3_rsa_3des_ede_cbc_sha:                0
    Cipher sslv3_rsa_exp_rc4_40_md5:                  0
    Cipher sslv3_rsa_exp_des40_cbc_sha:               0
    Cipher sslv3_rsa_exp1024_rc4_56_md5:              0
    Cipher sslv3_rsa_exp1024_des_cbc_sha:             0
    Cipher sslv3_rsa_exp1024_rc4_56_sha:              0
    Cipher sslv3_rsa_aes_128_cbc_sha:                 0
    Cipher sslv3_rsa_aes_256_cbc_sha:                 0
    Cipher tlsv1_rsa_rc4_128_md5:                     0
    Cipher tlsv1_rsa_rc4_128_sha:                     0
    Cipher tlsv1_rsa_des_cbc_sha:                     0
    Cipher tlsv1_rsa_3des_ede_cbc_sha:                0
    Cipher tlsv1_rsa_exp_rc4_40_md5:                  0
    Cipher tlsv1_rsa_exp_des40_cbc_sha:               0
    Cipher tlsv1_rsa_exp1024_rc4_56_md5:              0
    Cipher tlsv1_rsa_exp1024_des_cbc_sha:             0
    Cipher tlsv1_rsa_exp1024_rc4_56_sha:              0
    Cipher tlsv1_rsa_aes_128_cbc_sha:                 0
    Cipher tlsv1_rsa_aes_256_cbc_sha:                 0
    To display SSL server statistics, enter the following command and send the results to us for further suggestions:
    ACE_module5/Admin# show stats crypto server
    +----------------------------------------------+
    +---- Crypto server termination statistics ----+
    +----------------------------------------------+
    SSLv3 negotiated protocol:                        0
    TLSv1 negotiated protocol:                        0
    SSLv3 full handshakes:                            0
    SSLv3 resumed handshakes:                         0
    SSLv3 rehandshakes:                               0
    TLSv1 full handshakes:                            0
    TLSv1 resumed handshakes:                         0
    TLSv1 rehandshakes:                               0
    SSLv3 handshake failures:                         0
    SSLv3 failures during data phase:                 0
    TLSv1 handshake failures:                         0
    TLSv1 failures during data phase:                 0
    Handshake Timeouts:                               0
    total transactions:                               0
    SSLv3 active connections:                         0
    SSLv3 connections in handshake phase:             0
    SSLv3 conns in renegotiation phase:               0
    SSLv3 connections in data phase:                  0
    TLSv1 active connections:                         0
    TLSv1 connections in handshake phase:             0
    TLSv1 conns in renegotiation phase:               0
    TLSv1 connections in data phase:                  0
    +----------------------------------------------+
    +------- Crypto server alert statistics -------+
    +----------------------------------------------+
    SSL alert CLOSE_NOTIFY rcvd:                      0
    SSL alert UNEXPECTED_MSG rcvd:                    0
    SSL alert BAD_RECORD_MAC rcvd:                    0
    SSL alert DECRYPTION_FAILED rcvd:                 0
    SSL alert RECORD_OVERFLOW rcvd:                   0
    SSL alert DECOMPRESSION_FAILED rcvd:              0
    SSL alert HANDSHAKE_FAILED rcvd:                  0
    SSL alert NO_CERTIFICATE rcvd:                    0
    SSL alert BAD_CERTIFICATE rcvd:                   0
    SSL alert UNSUPPORTED_CERTIFICATE rcvd:           0
    SSL alert CERTIFICATE_REVOKED rcvd:               0
    SSL alert CERTIFICATE_EXPIRED rcvd:               0
    SSL alert CERTIFICATE_UNKNOWN rcvd:               0
    SSL alert ILLEGAL_PARAMETER rcvd:                 0
    SSL alert UNKNOWN_CA rcvd:                        0
    SSL alert ACCESS_DENIED rcvd:                     0
    SSL alert DECODE_ERROR rcvd:                      0
    SSL alert DECRYPT_ERROR rcvd:                     0
    SSL alert EXPORT_RESTRICTION rcvd:                0
    SSL alert PROTOCOL_VERSION rcvd:                  0
    SSL alert INSUFFICIENT_SECURITY rcvd:             0
    SSL alert INTERNAL_ERROR rcvd:                    0
    SSL alert USER_CANCELED rcvd:                     0
    SSL alert NO_RENEGOTIATION rcvd:                  0
    SSL alert CLOSE_NOTIFY sent:                      0
    SSL alert UNEXPECTED_MSG sent:                    0
    SSL alert BAD_RECORD_MAC sent:                    0
    SSL alert DECRYPTION_FAILED sent:                 0
    SSL alert RECORD_OVERFLOW sent:                   0
    SSL alert DECOMPRESSION_FAILED sent:              0
    SSL alert HANDSHAKE_FAILED sent:                  0
    SSL alert NO_CERTIFICATE sent:                    0
    SSL alert BAD_CERTIFICATE sent:                   0
    SSL alert UNSUPPORTED_CERTIFICATE sent:           0
    SSL alert CERTIFICATE_REVOKED sent:               0
    SSL alert CERTIFICATE_EXPIRED sent:               0
    SSL alert CERTIFICATE_UNKNOWN sent:               0
    SSL alert ILLEGAL_PARAMETER sent:                 0
    SSL alert UNKNOWN_CA sent:                        0
    SSL alert ACCESS_DENIED sent:                     0
    SSL alert DECODE_ERROR sent:                      0
    SSL alert DECRYPT_ERROR sent:                     0
    SSL alert EXPORT_RESTRICTION sent:                0
    SSL alert PROTOCOL_VERSION sent:                  0
    SSL alert INSUFFICIENT_SECURITY sent:             0
    SSL alert INTERNAL_ERROR sent:                    0
    SSL alert USER_CANCELED sent:                     0
    SSL alert NO_RENEGOTIATION sent:                  0
    +-----------------------------------------------+
    +--- Crypto server authentication statistics ---+
    +-----------------------------------------------+
    Total SSL client authentications:                 0
    Failed SSL client authentications:                0
    SSL client authentication cache hits:             0
    SSL static CRL lookups:                           0
    SSL best effort CRL lookups:                      0
    SSL CRL lookup cache hits:                        0
    SSL revoked certificates:                         0
    Total SSL server authentications:                 0
    Failed SSL server authentications:                0
    +-----------------------------------------------+
    +------- Crypto server cipher statistics -------+
    +-----------------------------------------------+
    Cipher sslv3_rsa_rc4_128_md5:                     0
    Cipher sslv3_rsa_rc4_128_sha:                     0
    Cipher sslv3_rsa_des_cbc_sha:                     0
    Cipher sslv3_rsa_3des_ede_cbc_sha:                0
    Cipher sslv3_rsa_exp_rc4_40_md5:                  0
    Cipher sslv3_rsa_exp_des40_cbc_sha:               0
    Cipher sslv3_rsa_exp1024_rc4_56_md5:              0
    Cipher sslv3_rsa_exp1024_des_cbc_sha:             0
    Cipher sslv3_rsa_exp1024_rc4_56_sha:              0
    Cipher sslv3_rsa_aes_128_cbc_sha:                 0
    Cipher sslv3_rsa_aes_256_cbc_sha:                 0
    Cipher tlsv1_rsa_rc4_128_md5:                     0
    Cipher tlsv1_rsa_rc4_128_sha:                     0
    Cipher tlsv1_rsa_des_cbc_sha:                     0
    Cipher tlsv1_rsa_3des_ede_cbc_sha:                0
    Cipher tlsv1_rsa_exp_rc4_40_md5:                  0
    Cipher tlsv1_rsa_exp_des40_cbc_sha:               0
    Cipher tlsv1_rsa_exp1024_rc4_56_md5:              0
    Cipher tlsv1_rsa_exp1024_des_cbc_sha:             0
    Cipher tlsv1_rsa_exp1024_rc4_56_sha:              0
    Cipher tlsv1_rsa_aes_128_cbc_sha:                 0
    Cipher tlsv1_rsa_aes_256_cbc_sha:                 0
    You can also display the number of SSL data messages sent and SSL FIN/RST messages sent by entering the following command; send the output from your ACE devices:
    ACE_module5/Admin# show stats http
    +------------------------------------------+
    +-------------- HTTP statistics -----------+
    +------------------------------------------+
    LB parse result msgs sent : 0          , TCP data msgs sent       : 0
    Inspect parse result msgs : 0          , SSL data msgs sent       : 0 <-------
                          sent
    TCP fin/rst msgs sent     : 0          , Bounced fin/rst msgs sent: 0
    SSL fin/rst msgs sent     : 0          , Unproxy msgs sent        : 0 <-------
    Drain msgs sent           : 0          , Particles read           : 0
    Reuse msgs sent           : 0          , HTTP requests            : 0
    Reproxied requests        : 0          , Headers removed          : 0
    Headers inserted          : 0          , HTTP redirects           : 0
    HTTP chunks               : 0          , Pipelined requests       : 0
    HTTP unproxy conns        : 0          , Pipeline flushes         : 0
    Whitespace appends        : 0          , Second pass parsing      : 0
    Response entries recycled : 0          , Analysis errors          : 0
    Header insert errors      : 0          , Max parselen errors      : 0
    Static parse errors       : 0          , Resource errors          : 0
    Invalid path errors       : 0          , Bad HTTP version errors  : 0
    Headers rewritten         : 0          , Header rewrite errors    : 0
    Lastly, display session cache statistics for the current context by entering the following command:
    switch/Admin# show crypto session
    SSL Session Cache Stats for Context
    Number of Client Sessions:                        0
    Number of Server Sessions:                        0
    Please send the output of all the commands requested to see in more detail for your issue.
    HTH
    Sachin
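    The `show stats http` output quoted in this answer (and in the thread further up the page) is what the answer asks the poster to read for the SSL data and unproxy counters. As an added example, not part of the thread and not a Cisco tool, here is a parser for that two-column layout that copes with its quirks: two "name : value" cells per line, a counter name wrapped onto a continuation line ("Inspect parse result msgs" / "sent"), the doubled colon on some cells, and the "<-------" markers the answer added. It then pulls out the non-zero error counters and the "TCP data flowing but no SSL data" condition the answer points at. The sample output is constructed in that layout using values from the output on this page; the interpretation in `ssl_path_findings` is limited to stating the counter condition, not diagnosing its cause.

```python
"""Parse Cisco ACE `show stats http` output and surface the counters worth reading first."""
# Added example, not from the thread or from Cisco. The sample below is constructed
# in the layout of the output quoted on this page.
import re

SAMPLE_HTTP_STATS = """\
+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 421347     , TCP data msgs sent       : 2099597
Inspect parse result msgs : 0          , SSL data msgs sent       : 0 <-------
                      sent
TCP fin msgs sent         : 6169       , TCP rst msgs sent:       : 769
Bounced fin msgs sent     : 5          , Bounced rst msgs sent:   : 1
Reproxied requests        : 183422     , Headers removed          : 37475
Headers inserted          : 342124     , HTTP redirects           : 0
Header insert errors      : 22         , Max parselen errors      : 215
Headers rewritten         : 0          , Header rewrite errors    : 0
HTTP passthrough stat     : 0
"""

# One cell: a counter name, one or more colons (some cells print "name:   : value"),
# then an integer value.
CELL = re.compile(r"^\s*(?P<name>[^:]+?)\s*(?:\s*:)+\s*(?P<value>\d+)\s*$")


def parse_http_stats(text):
    """Return {counter name: int} from `show stats http` output.

    Handles banner rows, two cells per line separated by ',', a name wrapped onto
    a continuation line, doubled colons and trailing '<---' annotations. Lines that
    are neither cells nor a one-word continuation (e.g. a pasted CLI prompt) are ignored.
    """
    stats = {}
    first_name_on_prev_line = None
    for raw in text.splitlines():
        line = raw.split("<", 1)[0].rstrip()      # drop "<-------" annotations
        if not line.strip() or line.lstrip().startswith("+"):
            continue                               # separator / banner rows
        if ":" not in line:
            word = line.strip()
            # A lone word is the wrapped tail of the previous line's first counter name.
            if first_name_on_prev_line is not None and re.fullmatch(r"[A-Za-z]+", word):
                new_name = first_name_on_prev_line + " " + word
                stats[new_name] = stats.pop(first_name_on_prev_line)
                first_name_on_prev_line = new_name
            continue
        names_this_line = []
        for cell in line.split(","):
            m = CELL.match(cell)
            if not m:
                raise ValueError("unparsed cell: %r" % cell)
            name = " ".join(m.group("name").split())
            stats[name] = int(m.group("value"))
            names_this_line.append(name)
        first_name_on_prev_line = names_this_line[0]
    return stats


def nonzero_error_counters(stats):
    """Counters whose name mentions 'error' and whose value is non-zero."""
    return {k: v for k, v in stats.items() if "error" in k.lower() and v}


def ssl_path_findings(stats):
    """Counter conditions the answer above singles out for an SSL-proxied VIP."""
    findings = []
    if stats.get("TCP data msgs sent", 0) and not stats.get("SSL data msgs sent", 0):
        findings.append("'TCP data msgs sent' is non-zero but 'SSL data msgs sent' is 0")
    if stats.get("HTTP requests", 0) and not stats.get("Unproxy msgs sent", 0):
        findings.append("'HTTP requests' is non-zero but 'Unproxy msgs sent' is 0")
    return findings


if __name__ == "__main__":
    parsed = parse_http_stats(SAMPLE_HTTP_STATS)
    for name, value in nonzero_error_counters(parsed).items():
        print("error counter %-28s %d" % (name, value))
    for finding in ssl_path_findings(parsed):
        print("finding:", finding)
```

    Feed it the output of two `show stats http` runs taken a minute apart and diff the dictionaries to see which counters are still moving; a counter that is non-zero but static (like the 22 header insert errors in the sample) is history, while one that climbs between runs is the live problem.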
