HTTPS VIP to HTTPS
Is it possible to do load balancing (CSS 11503) from an HTTPS VIP to other HTTPS servers? If yes, please provide examples. I do not have an SSL module.
Can't you simply configure the services that you want to use on the content rule?
Or are the services behind a remote CSS and you need a redirect?
Because traffic is encrypted and you have no SSL module, you are very limited in what you can do.
Basically, all you can do is route and NAT.
Gilles.
Similar Messages
Problem accessing VIP via HTTP from service servers
I thought I had a pretty simple config on my CSS11501- but have run into an issue I'm having trouble resolving.
I have two unix webservers (IPs are .99 and .100) on ports e1 and e2, and my uplink for the CSS is on port e8.
The CSS has a VIP address (.105) that load balances HTTP requests to .99 and .100.
From .99 and .100 I can ping the VIP address - and from outside the CSS - almost everything works great for the site I'm hosting on .105.
I do have two web pages however that attempt to make calls directly to the VIP address - I noticed I can't load those pages.
Nor can I just browse the website on the VIP address from either of the servers. The webservers can browse their own pages via IP, and each other's pages via IP.
Just not pages on the VIP.
I think it may be a case of the servers thinking that IP spoofing is occurring - or maybe I missed something simple in the config.
Here's what I see in a 'show flows' when I try and browse the VIP address (.105) from the .100 server.
Src Address SPort Dst Address DPort NAT Dst Address Prt InPort OutPort
65.207.212.100 53758 65.207.212.105 80 65.207.212.100 TCP e2 e2
65.207.212.100 80 65.207.212.100 53758 65.207.212.100 TCP e2 e2
Since it appears that the CSS NATs the request to the same IP the server is using, will the reply from the server ever make it back to the CSS?
Or does it think that it shouldn't need to reply, because it is that IP?
Should I be able to browse the VIP site from the webservers?
Below is the full CSS config if someone can help me figure this out.
Thanks in advance for any and all help.
Paul
CSS11501# show run
!Generated on 08/30/2005 12:08:11
!Active version: sg0750004
configure
!*************************** GLOBAL ***************************
no restrict web-mgmt
acl enable
logging subsystem acl level debug-7
ip route 0.0.0.0 0.0.0.0 65.207.212.1 1
!************************** CIRCUIT **************************
circuit VLAN1
ip address 65.207.212.104 255.255.255.0
!************************** SERVICE **************************
service www2
keepalive type tcp
keepalive port 80
ip address 65.207.212.99
active
service www3
keepalive type tcp
keepalive port 80
ip address 65.207.212.100
active
!*************************** OWNER ***************************
owner WWW
content rule1
vip address 65.207.212.105
add service www2
add service www3
port 80
protocol tcp
advanced-balance sticky-srcip-dstport
active
!**************************** ACL ****************************
acl 1
clause 10 permit any any destination any
apply circuit-(VLAN1)
Paul,
simple config and well-known basic mistake :-)
If a server tries to access the VIP, the CSS will forward the request to the same server or the other one.
Both ways, the response from the server will go directly to the client server, bypassing the CSS.
For this to work, you need to do client NAT so the server making the HTTP connection appears to be coming from the CSS.
Create a group like this:
group servernat
vip address 65.207.212.105
active
and add the following to your ACL (the sourcegroup name must match the group, and the content rule is referenced as owner/rule):
clause 5 permit any 65.207.212.99 destination content WWW/rule1 sourcegroup servernat
Do a similar clause for the 2nd server.
Re-apply the ACL.
Everything should work now.
Gilles.
Thanks for rating.
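The symptom Paul pasted can be picked out of a 'show flows' table mechanically. The script below is an added illustration, not code from the thread or from Cisco: it parses the two flow rows Paul posted plus one constructed row (server .99 reaching the VIP and being balanced to .100), and flags every flow in which one of the load-balanced servers is itself the client of the VIP. The service and VIP addresses are the ones in his running config.

```python
"""Spot the hairpin Gilles describes in a CSS 'show flows' table.

Added illustration, not code from the thread or from Cisco. The first two flow
rows are the ones Paul posted; the third is constructed to show the other case
(server .99 connecting to the VIP and being balanced to .100). The service and
VIP addresses are taken from his running config.
"""

SERVICES = {"65.207.212.99", "65.207.212.100"}   # service www2 / www3
VIP = "65.207.212.105"                            # content rule1

SHOW_FLOWS = """\
Src Address SPort Dst Address DPort NAT Dst Address Prt InPort OutPort
65.207.212.100 53758 65.207.212.105 80 65.207.212.100 TCP e2 e2
65.207.212.100 80 65.207.212.100 53758 65.207.212.100 TCP e2 e2
65.207.212.99 40112 65.207.212.105 80 65.207.212.100 TCP e1 e2
"""


def parse_flows(text):
    """Turn the 'show flows' text into a list of dicts (header row skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) != 8:
            continue
        rows.append({"src": f[0], "sport": int(f[1]), "dst": f[2],
                     "dport": int(f[3]), "nat_dst": f[4], "proto": f[5],
                     "inport": f[6], "outport": f[7]})
    return rows


def diagnose(rows, services=SERVICES, vip=VIP):
    """Return (verdict, client, chosen_server) for every flow in which one of
    the load-balanced servers is itself the client of the VIP.

    Without client NAT the request keeps the server's real source address, so
    the chosen server answers it directly on the shared segment and the reply
    never comes back through the CSS. If the CSS picks the very same server,
    that server is being asked to answer a request from its own address."""
    findings = []
    for r in rows:
        if r["src"] in services and r["dst"] == vip and r["nat_dst"] in services:
            verdict = "hairpin-to-self" if r["nat_dst"] == r["src"] else "reply-bypasses-css"
            findings.append((verdict, r["src"], r["nat_dst"]))
    return findings


if __name__ == "__main__":
    for verdict, client, server in diagnose(parse_flows(SHOW_FLOWS)):
        print(f"{verdict}: client {client} -> server {server}; "
              "add a client-NAT sourcegroup clause for this client to the ACL")
```

Each finding names a client address that needs a client-NAT sourcegroup clause in the ACL, which is exactly the per-server clause Gilles describes.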
Load balancing FTP/HTTP on same VIP
Hi,
Please could someone confirm if it is possible to load balance FTP and HTTP on same VIP? Would something like this work in a one-armed design?
class-map match-any WCVS
2 match virtual-address 20.0.0.1 tcp eq www
4 match virtual-address 20.0.0.1 tcp eq ftp
policy-map multi-match int3
class WCVS
loadbalance vip inservice
loadbalance policy VS-l7slb
inspect ftp
nat dynamic 5 vlan 20
int vl20
service-policy input int3
Hello,
I assume you want to ultimately use cookie sticky, since it is in your config, but not yet used. The '80' next to the rservers within the serverfarm will keep FTP from working because that will force the ACE to always use a destination port of 80 to the rservers, which is good for HTTP, but not so good for FTP. Below is your config with some modifications. I've created a new serverfarm for FTP, created a new probe for that farm, included HTTP cookie-sticky, and created a new L7 policy-map. There is one line that I would like you to remove and see if it works. If it does not, then add this line and see if it works.
Let me know how it goes...
logging enable
logging buffered 6
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
probe http Probe_HTTP
interval 5
passdetect interval 60
expect status 200 200
open 2
receive 2
probe tcp Probe_FTP
port 21
interval 5
passdetect interval 60
open 2
receive 2
rserver host Server1
ip address 10.10.10.10
conn-limit max 4000000 min 4000000
inservice
rserver host Server2
ip address 10.10.10.11
conn-limit max 4000000 min 4000000
inservice
serverfarm host FARM-HTTP
probe Probe_HTTP
rserver Server1 80
conn-limit max 4000000 min 4000000
inservice
rserver Server2 80
conn-limit max 4000000 min 4000000
inservice
serverfarm host FARM-FTP
probe Probe_FTP
rserver Server1
conn-limit max 4000000 min 4000000
inservice
rserver Server2
conn-limit max 4000000 min 4000000
inservice
sticky http-cookie XXX_tempCookie XXX_tempCookie
cookie insert
serverfarm FARM-HTTP
class-map type management match-any Management
201 match protocol http any
202 match protocol https any
203 match protocol icmp any
204 match protocol kalap-udp any
205 match protocol ssh any
206 match protocol telnet any
207 match protocol xml-https any
class-map match-any XXX-WCVS-WWW
2 match virtual-address 10.10.10.100 tcp eq www
class-map match-any XXX-WCVS-FTP
2 match virtual-address 10.10.10.100 tcp eq ftp
3 match virtual-address 10.10.10.100 tcp range 1023 65535 <-- try first without this, then with this
class-map match-any NAT-VIP
2 match destination-address 10.10.10.100 255.255.255.255
policy-map type management first-match Management
class Management
permit
policy-map type loadbalance first-match XXX_VS-l7slb-WWW
class class-default
sticky-serverfarm XXX_tempCookie
policy-map type loadbalance first-match XXX_VS-l7slb-FTP
class class-default
Serverfarm FARM-FTP
policy-map multi-match int3
class XXX-WCVS-WWW
loadbalance vip inservice
loadbalance policy XXX_VS-l7slb-WWW
class XXX-WCVS-FTP
loadbalance vip inservice
loadbalance policy XXX_VS-l7slb-FTP
inspect ftp
class NAT-VIP
nat dynamic 5 vlan 12
interface vlan 12
ip address 10.10.10.1 255.255.255.0
alias 10.10.10.3 255.255.255.0
peer ip address 10.10.10.2 255.255.255.0
access-group input ALL
nat-pool 5 10.10.10.100 10.10.10.100 netmask 255.255.255.0 pat
service-policy input Management
service-policy input int3
no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.10.254
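The 'inspect ftp' line and the optional 'tcp range 1023 65535' entry in the answer above both exist because of passive-mode FTP. The script below is an added example, not code from the thread or from Cisco: it parses the server's '227 Entering Passive Mode' reply, refuses a reply that points the data connection at a different host, rewrites the advertised address to the VIP (the job an FTP-aware load balancer does before passing the reply on), and checks whether the resulting data port is admitted by a class-map with and without the high-port range. The replies are constructed; 10.10.10.100 and 10.10.10.11 are the VIP and Server2 from the posted config.

```python
"""PASV handling behind a load balancer: added example, not from the thread
and not Cisco code. The 227 reply and addresses are constructed from the
posted config (VIP 10.10.10.100, Server2 10.10.10.11).
"""
import re

PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'
    reply; the data port is p1*256+p2. Raise ValueError on anything else."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a well-formed PASV reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 advertised")
    return host, port


def is_bounce(reply, expected_server):
    """True when the reply points the data connection at a host other than the
    server that sent it (the classic FTP bounce trick)."""
    return parse_pasv(reply)[0] != expected_server


def rewrite_pasv(reply, vip, expected_server):
    """What an FTP-aware load balancer must do before passing the reply on:
    refuse a bounce, then swap the real server address for the VIP so the
    client never learns the back-end address and its data connection hits the
    VIP too. Returns (rewritten_reply, data_port)."""
    if is_bounce(reply, expected_server):
        raise ValueError(f"PASV advertises another host; reply came from {expected_server}")
    port = parse_pasv(reply)[1]
    return "227 Entering Passive Mode ({},{},{}).".format(
        ",".join(vip.split(".")), port // 256, port % 256), port


def admitted(port, port_ranges):
    """Does the data port fall in any range the VIP class-map admits?"""
    return any(lo <= port <= hi for lo, hi in port_ranges)


# constructed 227 reply from Server2 (10.10.10.11) in the posted config
REPLY = "227 Entering Passive Mode (10,10,10,11,195,89)."
CTRL_ONLY = [(21, 21)]                      # class-map with just 'tcp eq ftp'
WITH_RANGE = [(21, 21), (1023, 65535)]      # plus 'tcp range 1023 65535'

if __name__ == "__main__":
    new_reply, data_port = rewrite_pasv(REPLY, "10.10.10.100", "10.10.10.11")
    print(new_reply)      # address is now the VIP, port unchanged
    print(data_port, admitted(data_port, CTRL_ONLY), admitted(data_port, WITH_RANGE))
```

Without the high-port range the data connection to the VIP has nothing to match; with it, anything the server advertises above 1023 is reachable, which is why the bounce check matters: the client must only ever be sent to the server that answered the control connection.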
HTTP/HTTPS on the same ACE VIP - best practice
I currently have a VIP representing one server farm that contains two http servers:-
class-map match-all VIP-HTTP-xxxxx.co.uk
2 match virtual-address 10.79.18.10 tcp eq www
class-map match-all VIP-SSL-xxxxx.co.uk
2 match virtual-address 10.79.18.10 tcp eq https
I have port 80 and 443 open on the VIP and SSL termination performed on the ACE (both http servers are the same and configured for default load balancing behaviour - I've also specified port 80 for ACE to server traffic). Having 80 and 443 on the same VIP (meaning the site can be accessed via one NAT'd external IP) came from a request from the business so the site can have one domain.
The majority of the http server(s) web content is standard http but there is a specific sub-directory of interactive forms that requires https termination.
I have a couple of queries with regards to URL re-writes:-
1) Is the SSL URL re-write functionality limited to just the host part of the URL or can the ACE enforce https for specific sub-directories, i.e. can the ACE intercept and re-write a URL if a user tries to go to a particular https page/directory using http (by just deleting the s from the URL within their browser)? A possible example being:-
ssl url rewrite location "www\.cisco\.com\secure-forms"
2) Can the ACE re-direct users back to a standard http page if they try to 'secure' their session by changing http to https within their browser (basically the opposite of the above).
Basically as I have 80 and 443 on the same VIP I'm interested in the best practice methods of enforcing http and https content segregation using just the ACE (as opposed to having Apache doing the re-writes, etc).
Web services functionality (in terms of SSL and URL re-writes) has traditionally fallen within the domain of a dedicated web development team (who use Apache, Tomcat, etc.) but the introduction of the ACE as a load balancing appliance that is primarily managed by the networks team but with functionality that crosses traditional team boundaries has resulted in lots of questions from web development around what functionality can be moved from Apache, etc. and onto the ACE?
Any advice or personal experiences would be gratefully received.
Thanks
Matthew
Back again!
Could someone possibly cast their eye over the following config?
The only bit I'm not sure on (syntactically and whether it can even be done on the ACE) is how to specify a DO NOT match regular expression, i.e. how to capture https URLs that do not match my secure pages so I can re-direct the request back to the normal http URL (class-map type http loadbalance Non-Secure_Pages). What I'd like to avoid is re-directing requests that don't need to be, i.e. re-directing all requests that don't match /secure back to http when the majority will be correctly going to a normal http URL :-
rserver host server1
description *** HTTP server 1 ***
ip address 10.100.194.2
inservice
rserver host server2
description *** HTTP server 2 ***
ip address 10.100.194.3
inservice
rserver redirect REDIRECT_TO_HTTPS
webhost-redirection https://www.website.co.uk/%p 302
inservice
rserver redirect REDIRECT_TO_HTTP
webhost-redirection http://www.website.co.uk/%p 302
inservice
class-map type http loadbalance Secure_Pages
match http url /secure.*
class-map type http loadbalance Non-Secure_Pages
*** DO NOT *** match http url /secure.*
class-map match-all VIP-HTTP-website.co.uk
2 match virtual-address 10.79.18.10 tcp eq www
class-map match-all VIP-SSL-website.co.uk
2 match virtual-address 10.79.18.10 tcp eq https
policy-map type loadbalance first-match VIP-LB-HTTP-website.co.uk
class Secure_Pages
serverfarm REDIRECT_TO_HTTPS
class class-default
serverfarm serverfarm-website.co.uk
policy-map type loadbalance first-match VIP-LB-SSL-website.co.uk
class Non-Secure_Pages
serverfarm REDIRECT_TO_HTTP
class class-default
serverfarm serverfarm-website.co.uk
serverfarm host serverfarm-website.co.uk
failaction purge
rserver server1 80
probe PING_SERVER
probe http-website.co.uk
inservice
rserver server2 80
probe PING_SERVER
probe http-website.co.uk
inservice
serverfarm redirect REDIRECT_TO_HTTPS
rserver REDIRECT_TO_HTTPS
inservice
serverfarm redirect REDIRECT_TO_HTTP
rserver REDIRECT_TO_HTTP
inservice
many thanks
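The policy-maps in Matthew's draft are 'first-match', so the 'DO NOT match' class is not needed: list the positive Secure_Pages class first and let class-default catch everything else. The script below is an added example, not the thread's or Cisco's code, that models that ordering for both VIPs. The host name, serverfarm name and the '/secure.*' pattern are from the posted config; the sample requests are constructed, and the tighter '^/secure(/|$)' pattern is my suggestion, not the author's. In the posted 'webhost-redirection .../%p 302' the %p stands for the request path; here the redirect target is likewise a fixed host plus the request path, so nothing from the client's Host header ever reaches the Location header.

```python
"""First-match routing for the HTTP/HTTPS split: added example, not from the
thread and not Cisco code. Host, serverfarm and '/secure.*' come from the
posted config; the requests are constructed."""
import re

HOST = "www.website.co.uk"
FARM = "serverfarm-website.co.uk"
SECURE_AS_POSTED = re.compile(r"^/secure.*")        # match http url /secure.*
SECURE_TIGHT = re.compile(r"^/secure(/|$)")         # suggestion: only the /secure tree


def route(scheme, path, secure=SECURE_AS_POSTED):
    """Return the action the first-match policy would take for one request.

    scheme 'http'  (policy VIP-LB-HTTP): Secure_Pages -> 302 to https,
                                         class-default -> serverfarm
    scheme 'https' (policy VIP-LB-SSL):  Secure_Pages -> serverfarm,
                                         class-default -> 302 to http
    The Location is built from the fixed HOST and the request path only."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    is_secure = bool(secure.match(path))
    if scheme == "http":
        if is_secure:
            return ("redirect", 302, f"https://{HOST}{path}")
        return ("serverfarm", FARM)
    if scheme == "https":
        if is_secure:
            return ("serverfarm", FARM)
        return ("redirect", 302, f"http://{HOST}{path}")
    raise ValueError(f"unexpected scheme {scheme!r}")


if __name__ == "__main__":
    for scheme, path in [("http", "/secure/form.html"), ("https", "/index.html"),
                         ("https", "/secure/form.html"), ("http", "/securely-public")]:
        print(scheme, path, route(scheme, path), route(scheme, path, SECURE_TIGHT))
```

The last sample shows why the pattern deserves a second look: '/secure.*' also matches '/securely-public', so that page would be forced to https, while the anchored form leaves it in the clear. Either way, because the https VIP is terminated on the ACE, the URL is visible to the L7 policy on both ports.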
Can multiple HTTP redirects be applied to the same VIP
Greetings all,
My customer would like to have two redirects to be applied to the same VIP.
Example:
VIP configured name is https://test.company.com
redirect the following:
http://site1.company.com to https://test.company.com
http://site2.company.com to https://test.company.com
I have applied the redirect of 80 to 443 to many VIPs (one for one), but I have not applied one, where two URL redirects go the same VIP.
Hope my question makes sense, and I will be glad to provide additional info.
Thanks,
raman
Hi Raman,
There can be only one redirect server with one webhost redirection and hence there cannot be two redirect URLs. I don't think this can be achieved. The best idea would be for the server to issue the redirects.
Regards,
Kanwal
ACE VIP OK HTTP, NOK other TCP port
Hi,
we are having issues in configuring load balancing for a TCP port. For HTTP it's working without issues and we have the ACE also balancing for other TCP ports.
Here goes the relevant config:
probe http PROBE-HTTP
interval 5
passdetect interval 2
passdetect count 1
request method get url /idc/
expect status 200 200
probe tcp PROBE-TCP
port 4444
interval 5
passdetect interval 10
rserver host PRD1
ip address 10.10.10.1
inservice
rserver host PRD2
ip address 10.10.10.2
inservice
serverfarm host SF-HTTP
probe PROBE-HTTP
rserver PRD1 80
inservice
rserver PRD2 80
inservice
serverfarm host SF-TCP
probe PROBE-TCP
rserver PRD1 4444
inservice
rserver PRD2 4444
inservice
sticky ip-netmask 255.255.255.255 address source SC-IP-PRD-HTTP
timeout 10
serverfarm SF-HTTP
class-map match-all NAT-VIP-HTTP
2 match virtual-address 10.10.35.1 any
class-map match-all NAT-VIP-TCP
2 match virtual-address 10.10.35.1 tcp eq 4444
policy-map type loadbalance first-match LB-VIP-HTTP
class class-default
sticky-serverfarm SC-IP-PRD-HTTP
insert-http x-forward header-value "%is"
policy-map type loadbalance first-match LB-NAT-VIP-TCP
class class-default
serverfarm SF-TCP
policy-map multi-match POLICY-RSERVER-VIP
class NAT-VIP-TCP
loadbalance vip inservice
loadbalance policy LB-NAT-VIP-TCP
loadbalance vip icmp-reply active
nat dynamic 1 vlan 200
class NAT-VIP-HTTP
loadbalance vip inservice
loadbalance policy LB-VIP-HTTP
loadbalance vip icmp-reply active
nat dynamic 1 vlan 200
interface vlan 200
description SERVER-SIDE
ip address 10.10.14.2 255.255.255.0
alias 10.10.14.1 255.255.255.0
peer ip address 10.10.14.3 255.255.255.0
access-group input EVERYONE
nat-pool 1 10.10.4.6 10.10.4.6 netmask 255.255.255.255 pat
service-policy input AllowICMP
service-policy input POLICY-RSERVER-VIP
no shutdown
The probes are OK, but nothing seems to get to the VIP:
ACE/CTX# show probe PROBE-TCP
probe : PROBE-TCP
type : TCP
state : ACTIVE
port : 4444 address : 0.0.0.0 addr type : -
interval : 5 pass intvl : 10 pass count : 3
fail count: 3 recv timeout: 10
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
serverfarm : SF-TCP
real : PRD1[4444]
10.10.10.1 8853 1 8852 SUCCESS
real : PRD2[4444]
10.10.10.2 8853 1 8852 SUCCESS
ACE/CTX# show serverfarm SF-TCP detail
serverfarm : SF-TCP, type: HOST
total rservers : 2
active rservers: 2
description : -
state : ACTIVE
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 1
total conn-dropcount : 0
Probe(s) :
PROBE-TCP, type = TCP
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: PRD1
10.10.10.1:4444 8 OPERATIONAL 0 0 0
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: PRD2
10.10.10.2:4444 8 OPERATIONAL 0 0 0
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
ACE/CTX# show service-policy POLICY-RSERVER-VIP
Status : ACTIVE
Interface: vlan 1 200
service-policy: POLICY-RSERVER-VIP
class: NAT-VIP-TCP
nat:
nat dynamic 1 vlan 200
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
loadbalance:
L7 loadbalance policy: LB-NAT-VIP-TCP
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
I see a lot of this messages in the logging of the ACE:
show logging | i 4444
22:02:52 : %ACE-6-302023: Teardown TCP connection 0x18b6 for vlan200:10.10.14.2/26768 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1051 TCP FINs
22:02:55 : %ACE-6-302022: Built TCP connection 0x14dc for vlan200:10.10.14.2/30318 (10.10.10.1/30318) to vlan200:10.10.10.1/4444 (10.10.14.2/4444)
22:02:55 : %ACE-6-302023: Teardown TCP connection 0x14dc for vlan200:10.10.14.2/30318 to vlan200:10.10.10.1/4444 duration 0:00:00 bytes 1103 TCP FINs
22:02:57 : %ACE-6-302022: Built TCP connection 0xc6c for vlan200:10.10.14.2/26784 (10.10.10.2/26784) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
22:02:57 : %ACE-6-302023: Teardown TCP connection 0xc6c for vlan200:10.10.14.2/26784 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1103 TCP FINs
22:03:02 : %ACE-6-302022: Built TCP connection 0x151a for vlan200:10.10.14.2/26800 (10.10.10.2/26800) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
The client request is going through an ASA; on the ASA side I see that the TCP connection is half-open with SAaB flags. It seems that the VIP never replies with SYN+ACK to the ASA...
Thank you.
Best regards
Hi Norberto,
The log messages you are getting are most probably the probe connections and not a failure; looking at them you will see your ACE is establishing a TCP connection on 4444 and then tearing the connection down with a FIN, which is expected since you are using TCP keepalives.
I would recommend going back and defining the problem exactly: what are you experiencing when you try to telnet on port 4444 toward the VIP from the client?
Running sniffing software on the client and the server and enabling capture on the ACE and ASA will give you an exact idea of what you are experiencing.
Note: The ASA and the ACE have a great capture feature which will show you exactly the packet flows.
Note: Since you are applying NAT on the client requests, you should see the NATed IP address on the server capture.
Note: With L4 load balancing the ACE is not spoofing the clients' request, it just forwards the SYN, SYN+ACK and ACK between the server and the client.
Let me know if you have any other questions.
Best regards,
Ahmad
Intercepting all http traffic and forwarding to VIP on CSM?
We would like to intercept all http traffic from clients from all vlans and redirect them to a VIP on the CSM for loadbalancing to 2 proxy servers. Is this possible? I can't seem to find a solution similar to our issue? Please help thanks!
Thx Giles! Do you mean a policy that uses route-maps with next-hop? So would I point the next-hop address to the CSM client vlan IP? Do you have a support link that covers this in detail? Thx!
CSS 11501 Disable plain HTTP to VIP
Hi,
How does one disable plaintext http access to the VIP of the 11501? In other words, is it possible to have the device listen _only_ on 443 and not on port 80 for incoming requests? We do not want to provide plain http access to the VIP which is handling SSL encryption/decryption for our backend servers.
thanks,
Matt
Matt,
take a look at the config in my post 'Sticky Situation with CSS-11503'
We are set to only take https traffic inbound, which gets routed through the ssl module for decryption; http traffic gets an error msg if it hits the css.
Hope this helps
Mark
Hi All
I am having problems with HTTPS load balanced connections in one-arm mode. When we test direct to the servers in the serverfarm, it is 4 times faster than connections through the VIP to the same servers. I have configured ICMP probes direct to the servers, and an HTTPS probe in the serverfarm itself. I'm using predictor 'least bandwidth'. Attached below is the config. I have compared this config to another client site utilising the same design and it looks fine. Also, when we perform the same test at the other client site, we have no problems: connections direct to the servers and through the LB are the same speed.
Does anybody have any ideas?
Hi,
First thing to be checked would be whether the ACE is the device responsible for the delay or not. With this in mind, I would recommend you do a traffic capture on the ACE VLAN while doing a test connection. With this capture, you should be able to see where the delay is coming from.
If you need help analyzing this, you can always open a TAC service request.
Regards
Daniel
Https front end and http backend
Hi there. I am having a small issue. I have a web app that is https based. I have installed the cert on the CSS, and DNS for this app points to the VIP. The client is wanting to have an https front end, and then load balance in http to the backend servers. The issue I am running into is that this only works if I have an active port 80 rule on that same VIP; if I suspend the port 80 rule and only leave the port 443 rule active on that VIP, it doesn't work. Please see the appropriate config portions below. Thanks in advance!
Sandeep
Any suggestions? I have been trying this for a couple of days now. It works fine if the backend sessions are also https, but the client has changed their requirement.
ssl-proxy-list SSL1
ssl-server 1
ssl-server 1 rsakey app1-test
ssl-server 1 rsacert app1-test
ssl-server 1 vip address 10.19.55.10
ssl-server 1 cipher rsa-with-rc4-128-md5 10.19.55.10 81
backend-server 1
backend-server 1 port 81
backend-server 1 server-ip 10.19.55.132
backend-server 1 ip address 10.19.55.132
backend-server 2
backend-server 2 port 81
backend-server 2 server-ip 10.19.55.133
backend-server 2 ip address 10.19.55.133
backend-server 3
backend-server 3 port 83
backend-server 3 server-ip 10.19.55.132
backend-server 3 ip address 10.19.55.132
backend-server 4
backend-server 4 port 83
backend-server 4 server-ip 10.19.55.133
backend-server 4 ip address 10.19.55.133
backend-server 5
backend-server 5 port 85
backend-server 5 server-ip 10.19.55.132
backend-server 5 ip address 10.19.55.132
backend-server 6
backend-server 6 port 85
backend-server 6 server-ip 10.19.55.133
backend-server 6 ip address 10.19.55.133
active
service webserver002:81
ip address 10.19.55.132
port 81
keepalive port 2199
keepalive type tcp
protocol tcp
active
service webserver003:81
ip address 10.19.55.133
port 81
keepalive port 2199
keepalive type tcp
protocol tcp
add ssl-proxy-list SSL1
active
service webserver002:83
ip address 10.19.55.132
port 83
add ssl-proxy-list SSL1
keepalive port 2399
keepalive type tcp
protocol tcp
active
service webserver003:83
ip address 10.19.55.133
port 83
keepalive port 2399
keepalive type tcp
protocol tcp
add ssl-proxy-list SSL1
active
service webserver002:85
ip address 10.19.55.132
port 85
add ssl-proxy-list SSL1
keepalive port 2599
keepalive type tcp
protocol tcp
active
service webserver003:85
ip address 10.19.55.133
port 85
keepalive port 2599
keepalive type tcp
protocol tcp
add ssl-proxy-list SSL1
active
service SSL_Front
slot 2
type ssl-accel
keepalive type none
add ssl-proxy-list SSL1
active
owner app1-test
content app-test_back
vip address 10.19.55.10
add service webserver002:81
add service webserver003:81
add service webserver002:83
add service webserver003:83
add service webserver002:85
add service webserver003:85
balance aca
protocol tcp
port 81
active
content app1-test_front
vip address 10.19.55.10
application ssl
add service SSL_Front
protocol tcp
port 443
advanced-balance ssl
balance aca
active
Thanks for the quick reply. There is another port 80 rule set up for that VIP. I was using that to test with the app until I got the front end https rules working.
My port 80 rule just says listen to 10.19.55.10 on port 80 and load balance between the webservers on port 8x in the back end.
I am trying to do https front end and http backend.
Nowhere in my SSL config have I configured port 80, but when I suspend that rule it all fails.
I am wondering if the backend server sessions are happening properly?
I don't fully get what you mean by "You need to have the rule in port 443 to match traffic coming from the client and the clear text rule (port 81) to match traffic already decrypted coming from the SSL module".
Haven't I done that?
Thanks again!
Sandeep
Load Balance https based on url
I am trying to configure an ACE 4710 to load balance based on the URL. If it matches the specific URL ( /456/ ), the traffic will be sent to server farm 456, else the traffic will be sent to server farm 123.
I attached an image of the topology.
Ace Config:
rserver host SRV01_123
ip address 192.168.1.101
inservice
rserver host SRV02_123
ip address 192.168.1.102
inservice
rserver host SRV01_456
ip address 192.168.1.111
inservice
serverfarm host farm_123
rserver SRV01_123
inservice
rserver SRV02_123
inservice
serverfarm host farm_456
rserver SRV01_456
inservice
class-map match-all VIP_Application
2 match virtual-address 192.168.1.10 tcp eq https
class-map type http loadbalance match-all L7_server_456
2 match http url /456/
policy-map type loadbalance http first-match LB_Application
class L7_server_456
serverfarm farm_456
class class-default
serverfarm farm_123
policy-map multi-match ServerGroup1_PM
class VIP_Application
loadbalance vip inservice
loadbalance policy LB_Application
loadbalance vip icmp-reply
interface vlan 70
bridge-group 1
no shutdown
interface vlan 700
bridge-group 1
service-policy input ServerGroup1_PM
no shutdown
Thanks
Hi John,
If you want to do the offload in the ACE, also called SSL termination, it is a two-step process:
1- You need to upload your certificate and key to the ACE using FTP or one of the other available methods.
2- Create the SSL proxy service where you add these two files, and finally add this service under the policy-map multi-match for the VIP in question.
You also need to decide whether you want to keep your server listening on the encrypted port (that would be a two-way encryption process called end-to-end SSL) or change the port to 80 and leave all the decryption process to the ACE (this would be transparent to the client; the site will show up as HTTPS all the time).
Here you can take a look at the SSL termination process (using a clear text port on the backend servers).
Official Configuration Example
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/terminat.html
Cisco Wiki Example
http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_Routed_Mode_Configuration_Example
HTH
Pablo
Policy agent using https redirect to AM for authentication
We are using Access Manager 6 2005Q1.
Access Manager is running on box A & box B using the Sun Web Server as its front end web server. Box A & B both have a complete install of Sun Web Server, Access Manager, and Directory Server. The Directory servers are set up to replicate changes between each other. Our Policy Agents are running on box C & box D under the Apache web servers.
Users will access applications on box C/D via https. The policy agents on box C/D should redirect the user to box A/B (via a load balancer VIP)for authentication. The redirect will be https. Once authenticated the user should be redirected back to box C/D.
All subsequent communications between the Agents on box C/D to AM on box A/B (via load balancer VIP) are http.
Our load balancer is currently setup as active/failover because it does not support ssl with cookies.
In our AMAgent.properties file if I set 'com.sun.am.policy.am.loginURL = http://<lb-vip>:80/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am redirected to AM on box A/B for authentication. Once authenticated I am redirected back to box C/D and allowed access to <url>.
However, if I set 'com.sun.am.policy.am.loginURL = https://<lb-vip>:443/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am NOT redirected to AM and receive 'Forbidden: You don't have permission to access /<url> on this server.' Also in the agent log file I see:
2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: in_not_enforced_list():enforcing access control for https://<webserver>:443/<url>
2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: am_web_is_access_allowed https://<webserver>:443/<url>S, GET) no sso token, setting status to invalid session.
2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: Policy Agent: am_web_is_access_allowed returned status=invalid session
2006-01-30 12:42:32.800 Warning 28126:203470 PolicyAgent: am_web_get_redirect_url() unable to find active Identity Server Auth server.
2006-01-30 12:42:32.800 Info 28126:203470 PolicyAgent: do_redirect(): Status Code= invalid session.
Interestingly if I set 'com.sun.am.policy.am.loginURL = https://<am-server>:443/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am redirected to AM on box A/B for authentication. Once authenticated I am redirected back to box C/D and allowed access to <url>. In this scenario the only difference is I am bypassing the load balancer.
Our networking people have monitored the load balancer in front of our AM boxes A/B and see the traffic going to AM in all cases.
From my standpoint it appears the agent is not able to successfully connect to AM via https when going through the load balancer.
Any help with this configuration issue is appreciated.
Bernhard,
From our AMAgent.properties... com.sun.am.policy.agents.version=2.1. Is there a way for me to tell if this is truly only 2.1 or 2.1-xx?
Because our LB does not support SSL with cookies we are currently configured as active/failover so all requests are going to the same AM server until it goes down, at which time I know users have to re-authenticate. Also we have set "com.sun.am.loadBalancer_enable = true" in AMAgent.properties.
We understand your point about loginURL. In fact there are two properties dealing with loginURL, com.sun.am.policy.am.loginURL and com.sun.am.policy.am.library.loginURL. Based on the comments in AMAgent.properties my understanding is that com.sun.am.policy.am.loginURL is where the user is redirected for login when no valid SSO token is found and com.sun.am.policy.am.library.loginURL is what the agent uses to authenticate itself "If the previously specified login URL must be exclusively used for redirecting users..." The interesting part is that if we set com.sun.am.policy.am.loginURL to use http everything works just fine, however if we set it to use https the user never gets redirected. It's almost like the agent is trying to connect there first before doing the redirect and cannot.
Craig
CSS stickiness based on the HTTP header
There is a CSS 11503 that should load balance the traffic between 2 servers running IIS (HTTP port 80). In front of the load balancer there is a reverse proxy that hides the real IP addresses of the users that send requests to the web servers.
The customer would like to have stickiness per user. The reverse proxy can add the user's real IP address to the HTTP header.
What kind of load balancing mechanism is better to use to fulfill the customer's requirements? HTTP load balancing? If "yes", are there standard field types that it is possible to use?
You can't do sticky on an HTTP header in CSS; the best solution is to insert a cookie for stickiness. Individual clients will get a cookie and will stick based on the cookie presented.
see:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.20/configuration/content_lb/guide/Sticky.html#wp1109390
content testing
  vip address 192.168.128.131
  add service s1
  advanced-balance arrowpoint-cookie
  active
-
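To show why the answer above steers away from source-address stickiness when a reverse proxy sits in front of the CSS, here is a small added simulation (my code, not Cisco's and not the poster's): every user arrives from the proxy's address, so an IP-keyed sticky table pins all of them to one real, while a balancer-minted cookie (modelled on arrowpoint-cookie) keeps each user on their own real. The proxy address, server names, user sequence and cookie format are constructed for the example.

```python
from itertools import cycle

PROXY_IP = "10.0.0.9"                 # constructed: the reverse proxy's address
SERVERS = ["iis-1", "iis-2"]          # constructed: the two IIS reals
# Constructed visit order of three real users, all arriving through the proxy.
USER_SEQUENCE = ["alice", "bob", "alice", "carol", "bob"]


class StickyBalancer:
    """Round-robin balancer with a sticky table keyed by one request attribute."""

    def __init__(self, servers, mode):
        self.rr = cycle(servers)
        self.mode = mode              # "source-ip" or "cookie"
        self.table = {}               # sticky key -> server
        self.issued = 0

    def route(self, src_ip, cookie):
        """Pick a server; return (server, new_cookie), new_cookie is None unless minted."""
        new_cookie = None
        if self.mode == "source-ip":
            key = src_ip              # behind the proxy this is identical for every user
        else:
            key = cookie
            if key is None:           # first visit: mint a cookie, as arrowpoint-cookie does
                self.issued += 1
                key = new_cookie = f"ARPT{self.issued}"   # constructed cookie format
        if key not in self.table:
            self.table[key] = next(self.rr)
        return self.table[key], new_cookie


def simulate(mode, users=USER_SEQUENCE):
    """Replay the visits; each user's browser stores and replays the cookie it was given."""
    lb = StickyBalancer(SERVERS, mode)
    jars = {}                         # user -> cookie held by that user's browser
    placements = []
    for user in users:
        server, new_cookie = lb.route(PROXY_IP, jars.get(user))
        if new_cookie:
            jars[user] = new_cookie
        placements.append((user, server))
    return placements


def servers_per_user(placements):
    """Map each user to the set of servers they reached; true stickiness means one each."""
    out = {}
    for user, server in placements:
        out.setdefault(user, set()).add(server)
    return out
```

Running `simulate("source-ip")` places every user on iis-1, whereas `simulate("cookie")` spreads users over both reals and still returns each user to the same one.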
I'm using an ACE 4710 appliance deployed in one-armed mode, using source NAT to load balance HTTP requests to a couple of proxy servers.
Everything is working fine, but the thing is that I can't see the clients' IP addresses in the proxies' logs, so I can't keep track of them.
The interface and NAT configs are:
interface vlan 200
  description Server-Side-VLAN
  bridge-group 5
  nat-pool 5 10.1.1.5 10.1.1.5 netmask 255.255.255.0 pat
  service-policy input VIPS
interface vlan 300
  description Client-Side-VLAN
  bridge-group 5
interface bvi 5
  ip address 10.1.1.3 255.255.248.0
  description Client-Server-Virtual-Interface
ip route 0.0.0.0 0.0.0.0 10.1.1.1
and the policy map looks like this:
policy-map multi-match VIPS
  class Port80
    loadbalance vip inservice
    loadbalance policy Port80
    nat dynamic 5 vlan 200
Resource assignment:
sticky ip-netmask 255.255.255.255 address both RESOURCE-CLASS
timeout 5
serverfarm Service80
Any suggestions will be appreciated,
Thanks
Hi Kanwal,
Thanks for your quick reply,
I've already tried this but it didn't work. The problem is that I don't manage the proxy servers, so I rely on their skills to see the logs.
The Proxies are Squid. Do you know if they need to do something else on the servers to see that field of the HTTP header?
But I'll try again tomorrow and let you know how it goes.
Thank you again. -
HTTP probe on non-standard TCP port 8021
I've configured an HTTP probe on standard port 80 with no issue. I'm now trying an HTTP probe on non-standard TCP port 8021; a packet capture confirms that the CSM is indeed probing and status code 403 is returned, but the reals are showing "probe failed". Am I missing something? Thank you in advance.
CSM v2.3(3)2
probe 8021 http
  request method head
  interval 2
  retries 2
  failed 4
  port 8021
serverfarm TEST
  nat server
  no nat client
  real 10.1.2.101
    inservice
  real 10.1.2.102
    inservice
  probe 8021
vserver TEST
  virtual 10.1.2.100 tcp 8021
  serverfarm TEST
  replicate csrp connection
  persistent rebalance
  inservice
VIP and real status:
vserver type prot virtual vlan state conns
Q_MAS_8021 SLB TCP 10.1.2.100/32:8021 ALL OUTOFSERVICE 0
real server farm weight state conns/hits
10.1.2.101 TEST 8 PROBE_FAILED 0
10.1.2.102 TEST 8 PROBE_FAILED 0
You need to specify what HTTP response code you expect.
The command is:
gdufour-cat6k-2(config-slb-probe-http)#expect status ?
<0-999> expected status - minimum value in a range
The default is to expect only 200.
This is why your 403 is not accepted.
Gilles.
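As an added illustration of Gilles' point (my code, not the CSM's logic and not from the thread), the model below replays the status lines a capture would show through a probe with the thread's `retries 2` and an `expect status` range: with the default of 200 only, the real's 403 replies drive it to PROBE_FAILED, while `expect status 403` (or a range covering 403) keeps it up. The state names and the "consecutive misses reach retries" rule are my assumptions about the CSM, and the reply lines are constructed.

```python
from dataclasses import dataclass


def parse_status_line(raw):
    """Extract the numeric status from an HTTP status line, e.g. b'HTTP/1.1 403 Forbidden'."""
    parts = raw.decode("ascii").strip().split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {raw!r}")
    return int(parts[1])


@dataclass
class HttpProbe:
    """Model of the CSM HTTP probe: HEAD request, expected status range, retries before failure.

    expect_min/expect_max mirror 'expect status <min> [<max>]'; the CSM default is 200 only.
    """
    retries: int = 2
    expect_min: int = 200
    expect_max: int = 200
    misses: int = 0
    state: str = "OPERATIONAL"        # assumed up-state name; PROBE_FAILED is from the thread

    def accepts(self, status):
        return self.expect_min <= status <= self.expect_max

    def observe(self, status_line):
        """Feed one probe reply; `retries` consecutive misses mark the real PROBE_FAILED."""
        if self.accepts(parse_status_line(status_line)):
            self.misses = 0
            self.state = "OPERATIONAL"
        else:
            self.misses += 1
            if self.misses >= self.retries:
                self.state = "PROBE_FAILED"
        return self.state


def run_probe(replies, expect=(200, 200), retries=2):
    """Replay captured status lines through a probe and return the final real state."""
    probe = HttpProbe(retries=retries, expect_min=expect[0], expect_max=expect[1])
    for reply in replies:
        probe.observe(reply)
    return probe.state


# Constructed: what the thread's capture would show, the real answering every HEAD with 403.
FORBIDDEN_REPLIES = [b"HTTP/1.1 403 Forbidden\r\n"] * 4
```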