Two circuit vlan in one-armed config mode

Similar Messages

• One Armed Config for multiple C classes

  Hi,
  I am trying to implement one armed config in the existing network for several c classes.  Do I need to configure multiple Circuit vlan IP addresses corresponding to different C classes or one Circuit VLAN IP is sufficient.
  Can I configure VIP in a different C class than Circuit VLan IP.
  I intend to use Source groups to get the traffic from servers back to CSS.
  Many thanks in advance.
  SS

  Two options are all ok.
  1. The CSS will allow you to create a secondary address on the circuit.
  for example,
  circuit VLAN2
  ip address 148.1.2.1 255.255.255.0
  ip address 148.1.3.1 255.255.255.0
  2. You could also create another interface "circuit" on the CSS and assign it with  the new subnet IP. Then trunk the vlan to core network.
  If you uses one arm mode, then you can use either source "groups" to get the traffic from servers back to CSS or PBR from switch.
  You can configure VIP in a different C class than Circuit VLan IP. However, you need to control the routing tables of all other devices. Generally speaking, I would not recommend this setup to the customer.

• Please verify the CSS and SCA configuration for one-armed transparent mode

  I have a problem to configure one-armed transparent mode. I cannot access the server with "https://9.9.9.1" even "http://9.9.9.1:80" and "http://9.9.9.1:81" operational. looks CSS cannot communicate properly with SCA.
  I couldn't figure out from CCO sample configuration. please correct the attached configuraiton.
  Thanks,
  ** connectivity ********
  <client>----<router>----<CSS>---<SCA>,<Server>
  - client=7.7.7.100
  - router's e0/0=7.7.7.1, e0/1=8.8.8.3(connect to VLAN2 of CSS)
  - SCA=11.11.11.100, connect to VLAN3 of CSS
  - server=10.147.153.12 and 10.147.153.15 on the same box, connect to VLAN4 of CSS
  ** configuration *********
  CSS11050# sh run
  !Generated on 01/01/2079 00:00:47
  !Active version: ap0500105
  configure
  !*************************** GLOBAL ***************************
  acl enable
  ip route 0.0.0.0 0.0.0.0 11.11.11.100 1
  ip route 7.7.7.100 255.255.255.255 8.8.8.3 1
  ip route 7.7.7.200 255.255.255.255 8.8.8.3 1
  !************************* INTERFACE *************************
  interface e2
  bridge vlan 2
  interface e3
  bridge vlan 3
  interface e4
  bridge vlan 4
  interface e5
  bridge vlan 4
  !************************** CIRCUIT **************************
  circuit VLAN1
  ip address 9.9.9.2 255.255.255.0
  circuit VLAN2
  ip address 8.8.8.2 255.255.255.0
  circuit VLAN3
  ip address 11.11.11.1 255.255.255.0
  circuit VLAN4
  ip address 10.147.153.1 255.255.255.0
  !************************** SERVICE **************************
  service ING_SVC_12
  protocol tcp
  ip address 10.147.153.12
  active
  service ING_SVC_15
  protocol tcp
  ip address 10.147.153.15
  active
  service ING_SVC_SCA
  port 443
  protocol tcp
  ip address 11.11.11.100
  type transparent-cache
  no cache-bypass
  active
  service upstream
  ip address 8.8.8.3
  type transparent-cache
  active
  !*************************** OWNER ***************************
  owner ING_OWNER
  content cnt_443
  add service ING_SVC_SCA
  protocol tcp
  port 443
  vip address 9.9.9.1
  active
  content cnt_80
  add service ING_SVC_12
  add service ING_SVC_15
  protocol tcp
  port 80
  url "/*"
  vip address 9.9.9.1
  active
  content cnt_81
  add service ING_SVC_12
  add service ING_SVC_15
  vip address 9.9.9.1
  protocol tcp
  port 81
  url "/*" <-- If I configure url "/secure/*", not working "http://9.9.9.1:81" from client.
  active
  !**************************** ACL ****************************
  acl 1
  clause 10 permit any any destination any
  apply circuit-(VLAN1)
  acl 2
  clause 10 permit any any destination any
  apply circuit-(VLAN2)
  acl 3
  clause 10 permit any any destination any
  apply circuit-(VLAN3)
  acl 4
  clause 10 permit any any destination any
  apply circuit-(VLAN4)
  ING_SCA# sh run
  # Cisco SCA Device Configuration File
  # Written: Sun Feb 6 01:12:54 2106 MST
  # Inxcfg: version 4.1 build 200211151311
  # Device Type: CSS-SCA
  # Device Id: S/N 11aca8
  # Device OS: MaxOS version 4.1.0 build 200211151311 by reading
  ### Mode ###
  mode one-port
  ### Interfaces ###
  interface network
  auto
  end
  interface server
  auto
  end
  ### Device ###
  ip address 11.11.11.100 netmask 255.255.255.0
  hostname ING_SCA
  timezone "MST7MDT"
  ### Password ###
  password idle-timeout 15
  ### SNTP ###
  sntp interval 86400
  ### Static Routes ###
  ip route 0.0.0.0 0.0.0.0 11.11.11.1 metric 1
  ### RIP ###
  no rip
  ### DNS ###
  no ip name-server
  no ip domain-name
  ### Telnet ###
  telnet enable
  ### Web Management ###
  web-mgmt port 80
  no web-mgmt enable
  ### SNMP Subsystem ###
  no snmp
  ### SSL Subsystem ###
  ssl
  server ING create
  ip address 9.9.9.1
  localport 443
  remoteport 81
  key default
  cert default
  secpolicy default
  sslv2 enable
  sslv3 enable
  tlsv1 enable
  session-cache size 20480
  session-cache timeout 300
  session-cache enable
  no clientauth enable
  clientauth verifydepth 1
  clientauth error cert-other-error fail
  clientauth error cert-not-provided fail
  clientauth error cert-has-expired fail
  clientauth error cert-not-yet-valid fail
  clientauth error cert-has-invalid-ca fail
  clientauth error cert-has-signature-failure fail
  clientauth error cert-revoked fail
  sharedcipher error failhtml
  ephemeral error failhtml
  no httpheader client-cert
  no httpheader server-cert
  no httpheader session
  no httpheader pre-filter
  httpheader prefix "SSL"
  ephrsa
  keepalive frequency 5
  keepalive maxfailure 3
  no keepalive enable
  end
  end

  the problem is the routing.
  You need a route for the client pointing to the SCA like this
  ip route 7.7.7.100 255.255.255.255 11.11.11.100 1
  This is so the reply from the server to the client goes back to the SCA first
  for encryption.
  Gilles.

• CSS 11503 One armed config

  All,
  I got a question on the one armed config.
  Cisco says use "destination service" under the source group to change the default NAT behaviour of the CSS, because the servers' default gateways are set to the router IP address and the source IP address of the load balanced request is not on the local subnet. I understand this way you avoid the packets reaching the router directly when they head back to the client, bypassing the CSS.
  Now the question I got here is that, what if I set the Servers' default gateway to the CSS rather than the Router. This way you are actually forcing the packets destined for remote networks to go through the CSS DG.. Should I need the source group anyway here. I think I don?t. Someone please clarify. Much appreciated?
  thanks

  if you set the default gateway to be the CSS, then there is no need for the source group.
  However, if you have traffic going directly to the servers, they will go client-->router-->server-->CSS [breaks - because asymetric flow].
  If you never access the server directly, you're ok. OR you can set a route on the router forcing the traffic through the CSS.
  Gilles.

• CSS one arm config

  CSS 11506
  Is it possible to pass Client's IP address
  to the Backend servers in One arm config.
  It is so that we can get stats on Web Server
  Thanks in advance

  Unfortunately CSS does not support HTTP header insertion.
  You can either perforn PBR at the Real Server's Default gateway or use CSS as default gateway of Real Servers.
  Thanks
  Syed Iftekhar Ahmed

• One Arm config Domain Name Content rule

  Hi Guys
  How does domain name content rule works in one arm config.
  What do we put in source groups as VIP address.
  Does it need host headers in WebServer as a requirement.
  How does the client request gets completed.
  Any help much appriciated..

  Thanks for your reply Jim,
  This is what I am trying to do in a One arm config topology
  ( As the CSS guide ( cntntgd.pdf ) says under Configuring a Domain Name content rule)
  The CSS allows you to use a domain name in place of, or in conjunction with, a
  VIP address in a content rule. Using a domain name in a content rule enables you
  to:
  Enable service provisioning to be independent of IP-to-domain namemappings
  Provision cache bandwidth as needed based on domain names
  So I am trying to create a content rule with a domain name instead of VIP address. For ex.
  content domainRule3
  protocol tcp
  port 80
  url "//domain.com/*"
  add service Serv1
  active
  group servers
  add destination service Serv1
  VIP address  ???????? ( what shd we put in here )
  In this case what do we put as VIP address in source groups and how does the traffic flows from Client to actual Server in One arm topology. I am trying this topology where we have multiple sites configured with the same IP address with host headers
  My assumption is that I shd configure DNS servers with VIP address for domain.com and use that as VIP address in source group. But how does the actual traffic flows from client to servers
  Many thanks.

• One-armed config

  We've done a one-armed setup in our production env using CSS11506(s) and have no issues. We're bring up a smaller setup using CSS 11150(s) and was wondering if they work just as well, performance wise, with a one-armed config?
  Thanks
  chad

  I think it should work just fine. The same configuration would work for CSS 11000 series switches.
  Check the config document:
  http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml

• CSS one-armed-config and SMTP reverse lookup problems?

  I was wondering if there would be potential reverse lookup problems from other company's when we try to send mail to their mail Domains.
  If I configure failover for our mail server, I am thinking if we are sending mail, there could be a reverse-lookup issue, because our mail server would be configured with public IP Addresses other than what the MX record points to in DNS.
  If we originate mail from our inside users, it will originate from the service IP address and not the VIP address.
  Is this a valid concern?

  The main advantage of this configuration is that the web servers will receive the IP address of the client that made the request. This is often required by web servers' administrators for accounting purposes.
  In a one-armed configuration only, the network port ( Enet0) is used on the SCA. Only this specific port can be used for this setup. Encrypted and decrypted traffic will go through the same link
  http://www.cisco.com/en/US/products/hw/contnetw/ps2083/products_configuration_example09186a00801bbf4e.shtml

• How can I run two instances of Firefox: one in Safe Mode and another in Normal Mode?

  I think my question says it all.

  You can't simultaneously run a normal instance and a Safe Mode instance using the same profile. So step one is to create a new profile.
  * [[Use the Profile Manager to create and remove Firefox profiles]]
  Right-click the desktop and choose New, then Shortcut. As the location of the item, use the following, substituting the placeholder profile name with the actual profile name you chose earlier.
  "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -no-remote -p NameOfTheProfile
  * https://developer.mozilla.org/docs/Mozilla/Command_Line_Options

• "VLAN Database Mode" to "Config Mode" conversion

  How can we convert an existing VLANs created in "VLAN Database Mode" to "Config mode? what is the right procedure?

  Hello,
  I would just add the VLAN's using the config mode.
  As with regard to your FWSM, keep in mind that, prior to IOS 12.2(14)SY, only one SVI is supported on the FWSM. If you have a later version, use the command 'firewall multiple-vlan-interfaces' to enable support for multiple VLAN's.
  Not sure if you already know this link, but you might want to check the FWSM FAQ:
  Firewall Services Module Frequently Asked Questions
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_qanda_item09186a00801e9e26.shtml
  Regards,
  GP

• CSM-S mode -One-Arm-vs- routed

  We currently have an environment with CSS running in routed mode. We are building a new data center with 6509s and CSM-S. My question is what is the best mode to run the CSM-S in routed or one-arm and why?

  Gilles,
  What do you recommend when the traffic flows from the load balanced server are significant?
  ie: you are using Oracle application and database servers, load balancing http and https to the app servers. There is significant traffic flow from the app server to the database servers, such that the load balancer in a 2-armed configuration(particularly a CSS11501 w/ 8 10/100 interfaces and a single 1000Base-T interface) would be a significant bandwidth bottleneck.
  Also, if Cisco usually does not recommend one-armed config.... why does the latest Server Farm Security Solution Reference Network Design v2.0 (http://www.cisco.com/warp/public/732/systems/docs/dcsrndbk.pdf) recommend a one-armed configuration for the CSS?

• ACE 4700 one-arm design with SSL termination

  Hi,
  We are evaluating the one-arm design for the ACE 4700 and need some clarifications:
  1. Are there any limitations in the one-arm design and the SSL offloading
  2. Can the ACE be configured with an IN and an OUT vlan to the router
  CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
  so that the SSL and the clear text traffic is in a separate Vlan?
  3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
  I would appreciate if you can share some sample configs
  Regards,
  George Georgiou

  There are two ways to implement One Arm topology.
  1. One Arm with PBR & 2.One Arm with SRC NAT
  PBR/Source Nat is needed to ensure that the return traffic from Real Servers should not bypass ACE.
  1. Are there any limitations in the one-arm design and the SSL offloading
  The limitations/config issues I can think of are following
  One ARM with PBR:
  Direct access to Servers require the enabling of Assymtric routing (by turning off Normalization). If direct server access is not required then you dont need to enable assymtric routing. Now for these assymetric connection (Direct Server Access return traffic) its required to purge idle connections more frequently (default being one hour).
  One ARM with SRC NAT:
  You will loose the client information. Server logs will show the connections initiated from NAT IP Pool configured on ACE.
  2. Can the ACE be configured with an IN and an OUT vlan to the router
  CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
  so that the SSL and the clear text traffic is in a separate Vlan?
  Yes you can do that but wouldnt it make it routed mode topology?
  3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
  As I said earlier you loose the Source IP address with SRC NAT. But with ACE you have an option to use header-insert and insert this source ip as an HTTP Header.
  Details at
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
  HTH
  Syed Iftekhar Ahmed

• ACE inline VS one-armed based

  Hello Forum, ;-)
  I have 2 basic questions I am having doubts about it and would love to have some clarifications:
  1) I configure in one ACE4710 (running 4.2.2) context a bridged interface and in another context the same interface, like here below :
  ---- Context Microsoft ----
  ACE1/Microsoft# sh run
  interface vlan 503
     bridge-group 3
     access-group input NONIP
     access-group input ALL
     access-group output ALL
     service-policy input POLICY
     no shutdown
  interface vlan 1503
     bridge-group 3
     access-group input ALL
     access-group output ALL
     no shutdown
  interface bvi 3
     ip address 120.223.22.30 255.255.255.0
     no shutdown
  Then I move to the Juniper context and I try to create an interface (either L-2 or L-3) but it doesn’t work:
  ---- Context Juniper----
  ACE1/Juniper(config)# int vlan 503
  Error: VLAN creation is not allowed, shared bridged VLAN exists in another context
  ACE1/Juniper(config)#
  It gives  ERROR!!
  So if I configure an interface as bridged in one Context, I cannot configure it in another context??
  2) If I want to migrate in context Microsoft from One-armed to inline (L-2 bridged), can I migrate one service at the time ( I.e. the config i showed above for context Microsoft, would it work also for one-armed based???)
  Thanks so much for your explanations!!
  Giulio.

  Hello Giulio-
  You can only share vlans in one-armed or routed modes.  Think of it this way:
    Interface vlan 10 and 11 are bridged on context C1. (bridged mode)
    Interface vlan 12 and 13 are configured on context C2. (routed mode)
    When you have routed mode, your server's gateway is configured to point to the ACE interface IP (or alias if you are have FT.) If a packet comes into the physical interface on the ACE, the processor has to decide which context it belongs to.  Since the mac address is the interface on context X, it knows instantly where it goes. It will either hit a VIP, or be routed via the routing table.
    If a packet arrived on vlan 12 or 13 and the MAC address did not belong to the ACE, it would drop the packet by basic routing rules. (think a client connected to a hub sees a packet destine to a MAC that is not its own, it drops/ignores the packet.) 
    In bridged mode, the gateway for your server is the router on the other side of the bridged vlan.  I.e., you server is on vlan 10, the gateway is on vlan 11 and ace is bridging them together.  When packets arrive to the physical interface, ACE knows the traffic arrived on vlan 10 or 11 which belongs to context C2. If the MAC address is not a VIP, ACE simply hucks the packet out of the other vlan.  If you send traffic to the interface MAC that does not belong to a VIP, ACE drops it because it would not make sense to send a packet out the other vlan that has a MAC address that belongs to the interface of the ACE itself.
    One-armed mode is simply routed mode with a single vlan and source NAT. Nothing special applies to how ACE handles the traffic versus routed mode with only a single vlan.
  Now imagine this:
    Interface vlan 10 and 11 are bridged on context C1.
    Interface vlan 11 and 12 are configured on context C2.
  Remember 3 things:
  a.) ACE conserves MAC addresses - so the VIPs share MAC addresses with the interface.
  b.) ACE will never communicate between 2 contexts directly.
  c.) If you are in a routed mode and share vlans between 2 contexts, ACE will make each vlan have a unique MAC address. If you create unique vlans on each context, ACE uses the same single MAC across all vlans for all contexts.
  With traffic that is destine to ACE's MAC address and the IP is a VIP,  its not a problem - ACE could figure out which context the traffic  belongs to (especially since vlan 11 would have unique mac addresses on each context.  However, what if ACE recieved a packet to the interface 10 and 12 MAC  address? How would it know if it belonged to the bridged or routed context if it was not a VIP IP? What about traffic that arrives that doesn't have the MAC of any of the interfaces?  2 different entirely behaviors would occur, ACE should drop the packet on the bridged context, and route the packet on the routed context.
    So the bottom line is - you can't determine which context a packet would need to apply to in all circumstances if you tried to share vlans in a bridge mode across multiple contexts.
  Regards,
  Chris Higgins

• One armed bandit and one port to another

  I was trying to setup a CSS in one-armed bandit mode for the first time per the URL below. But I want to be able to have arbitrary ports on the "real" servers. E.g. use https://hooty.com as the VIP but on the backend take you to hoot1.hooty.com port 8443 say while http://hooty.com would direct you to hoot1.hoot.com port 8080. Must the port number on the VIP equal the port number on the real server in one-armed-bandit mode?
  http://www.cisco.com/warp/public/117/one_armed_bandit.html
  group Servers1
  vip address 26.19.98.45
  add destination service oldwww:80
  active
  group Servers2
  vip address 26.19.98.45
  add destination service oldwww:443
  css-n1-1(config)# group Servers2
  css-n1-1(config-group[Servers2])# active
  %% An active source group with that address already exists

  The port number of the vip does not have to to be the same as the real server.
  You can set the port you want for the real server with the 'port' command under the service definition.
  This is true for one-armed or any other type of setup.
  The problem in your config is that you can't create 2 groups using the same vip ip address.
  So, simply configure all your servers under one group.
  ie:
  group Servers1
  vip address 26.19.98.45
  add destination service oldwww:80
  add destination service oldwww:443
  active
  Gilles.

• Is't Single-VLAN One-Armed Mode let the pop-ups error?

  Dear all
    In my network I deployed Single-VLAN One-Armed Mode In this mode,the real server’s default gateway is the upstream router. To ensure the return
  flow traverses back through the load balancer, the IP address of the client isrewritten to that of the load balancer.
    Direct access web was fine ,however when open Pop-ups website will appear error Example, the figure-1 ：
    figure-1
    When I used real Server IP address not through ACE anything will be fine. Example, the figure-2 :
  figure-2
  The Web's Code
  <%@ page language="java" pageEncoding="UTF-8"%>
  <%@ taglib uri="/WEB-INF/hnisi.tld" prefix="hnisi"%>
  <%@ include file="/jsp/framework/head.jsp"%>
  <%@ page import="cn.sinobest.framework.util.DTOUtil,cn.sinobest.framework.util.Util,cn.sinobest.framework.util.ConfUtil" %>
  <%
      //当前登录用户 所属系统机构
      String orgCode = DTOUtil.getUserInfo().getBAE001();
      //操作员ID
      String operId = DTOUtil.getValue("OPERID");
      //角色类型
      String roleType = DTOUtil.getValue("ROLETYPE");
          String fromFuncDesc = DTOUtil.getValue("fromFuncDesc");
      //所选操作员的姓名
      String sOperatorName = DTOUtil.getValue("SOPERATORNAME");
      //权限树 where 条件
      String whereClsTree = " rightid in (  select distinct B.RIGHTID "+
                  " from FW_RIGHT B"+
                  " left join FW_OPERATOR2RIGHT A on LOCATE(B.RIGHTID,A.RIGHTID) = 1"+
                   " where A.AAE100 ='1'"+
                   " and B.AAE100 ='1' and A.operid = '"+operId+"' ";
      //条件：有效角色，当前登录用户只能操作用户所属系统机构及下级机构的角色，以及上级机构的共享角色
      String whereCls =" AAE100 ='1' and (BAE001 like '"+orgCode+"%' or ( IFSHARED = '1' and LOCATE(BAE001,'"+orgCode+"') = 1))";
      if(!Util.isEmpty(roleType)){//角色类型
               whereClsTree +=" and AUTHTYPE='"+roleType+"' ";
               String roleType_zdfpzj = ConfUtil.getDict("ROLETYPE", "13");//最大分配角色
          if("2".equals(roleType)){//分配角色包括：分配角色、最大分配角色
                   whereCls += " and ROLETYPE in('"+roleType+"','"+roleType_zdfpzj+"') ";             
          }else{
                         whereCls += " and ROLETYPE='"+roleType+"' ";
      whereClsTree +=" )";
  %>
  <%-- 导航栏标签 --%>
  <hnisi:gNavStr />
      <legend style="cursor:hand;" >
          <span>
              <img id="img_fw_authmngr_geneauth_list_grid" src="${ctx}/themes/default/images/query_icon_right.gif">
          </span>
          <span title="单击展开或收缩">
              <b><%=sOperatorName%></b>已拥有的权限树
              <hnisi:tree id="menus" type="1" whereCls="<%=whereClsTree %>"/>
          </span>
      </legend>
      <form name="roleListForm" method="post">
          <%-- 角色列表--%>
          <hnisi:glt id="fw_authmngr_geneauth_role" whereCls="<%=whereCls %>" />
          <p align="center">
              <%-- 确定按钮 --%>
              <hnisi:btn name="btnQuery" onclick="roleAutoOk()" value="保存" href="javascript:void(0)"/>
              <%-- 清除按钮 --%>
              <hnisi:btn name="btnCls" onclick="cls()" value="清除" href="javascript:void(0)"/>
              <%-- 关闭按钮 --%>
              <hnisi:btn name="btnClose" onclick="winClose()" value="关闭" href="javascript:void(0)"/>
          </p>
      </form>
      <form name="roleForm">
          <input type="hidden" name="OPERID" value="<%=operId %>"/>
          <input type="hidden" name="ROLEIDS">
      </form>
      <script type="text/javascript">
      <!--
      var orgCode ="<%=orgCode%>";
      var operId ="<%=operId%>";
      var roleType ="<%=roleType%>";
       * 权限列表窗口
       * @param roleId:角色ID
      function winRight(roleId){
          var eventId="1";//授权事件(1 查询、2 授权)
               //弹出模态对话框，并加上时间戳以防止缓存
               window.showModalDialog("right!left.do?EVENTID=" + eventId+"&ROLETYPE="+roleType+"&ROLEID=" + roleId+"&_t="+new Date().getTime());
       * 确定-保存授权信息
           function roleAutoOk(){
                     $(function(){
                         var roleIds = "";
                         $.each($("input[name='checkbox']:checked"),function(i,o){
                             roleIds += (i==0 ? "" : ",")+o.value;                 
                         if (roleIds == ""){
                                  FWalert("请选择要操作的角色!");                          
                                  return;
                         roleForm.ROLEIDS.value  = roleIds;
                         var params = FWGetForm(roleForm);
                         if(params.ROLEIDS ==""){
                             FWalert("请选择要操作的角色!");
                         }else {
                                  var fromFuncDesc = "<%=fromFuncDesc%>";
                                  //先进入本次权限变更列表页面，确认后再保存
                                  var title = encodeURIComponent('授权确认');//对话框的标题
                             var url = "right!list.do?OPERID="+operId+"&fromFuncDesc="+fromFuncDesc+"&ROLETYPE="+roleType+"&ROLEIDS="+roleIds+"&title="+title+"&_t="+new Date().getTime();
                                  var position="resizable:1;status:0;help:0;scroll:1;center:1;dialogWidth:800px;dialogHeight:500px";
                                  window.showModalDialog(url,window,position);
       * 直接授权:弹出权限树窗口
      function directAuto(){
          var eventId="2";//授权事件(1 查询、2 授权)
                     //弹出模态对话框，并加上时间戳以防止缓存
               window.showModalDialog("right!left.do?EVENTID=" + eventId+"&ROLETYPE="+roleType+"&OPERID=" + operId+"&_t="+new Date().getTime());
       * 清除：清除已选择的角色 checkbox
      function cls(){
          var c_checkbox=document.getElementsByName('checkbox');
                     for (i=0;i<c_checkbox.length;i++){
              c_checkbox[i].checked=false;
       * 关闭窗口
      function winClose(){
               window.close();
      //-->
      </script>
  </body>
  </html>
  The ACE's config
  `show running-config`
  Generating configuration....
  boot system image:c4710ace-mz.A4_2_0.bin
  interface gigabitEthernet 1/1
    switchport access vlan 100
    no shutdown
  interface gigabitEthernet 1/2
    shutdown
  interface gigabitEthernet 1/3
    shutdown
  interface gigabitEthernet 1/4
    switchport access vlan 3
    no shutdown
  access-list ALL line 8 extended permit ip any any
  access-list allowany line 8 extended permit ip any any
  access-list allowany line 16 extended permit icmp any any
  probe icmp Ping
    interval 2
    faildetect 2
    passdetect interval 2
    passdetect count 1
    receive 2
  probe tcp TCP6666
    description RPC Client Access
    port 6666
    interval 30
    passdetect interval 60
    connection term forced
    open 10
  probe tcp TCP8888
    description RPC Client Access
    port 8888
    interval 30
    passdetect interval 60
    connection term forced
    open 1
  rserver host YB1
    ip address 110.43.102.241
    inservice
  rserver host YB2
    ip address 110.43.102.245
    inservice
  rserver host YB3
    ip address 110.43.102.246
    inservice
  rserver host YB4
    ip address 110.43.102.247
    inservice
  rserver host YB5
    ip address 110.43.102.248
    inservice
  rserver host YB6
    ip address 110.43.102.242
    inservice
  serverfarm host YB01farm
    predictor leastconns
    probe TCP6666
    rserver YB2
      inservice
    rserver YB3
      inservice
    rserver YB4
      inservice
    rserver YB5
      inservice
  serverfarm host YB02farm
    predictor leastconns
    probe TCP8888
    rserver YB2
      inservice
    rserver YB3
      inservice
    rserver YB4
      inservice
    rserver YB5
      inservice
  parameter-map type http PRESIST-REBALANCE
    persistence-rebalance
  sticky ip-netmask 255.255.255.255 address source YB01-GRP
    timeout 60
    replicate sticky
    serverfarm YB01farm
  sticky ip-netmask 255.255.255.255 address source YB02-GRP
    timeout 60
    replicate sticky
    serverfarm YB02farm
  sticky http-cookie COOKIE1 STICKYYB01
    cookie insert browser-expire
    timeout 3600
    replicate sticky
    serverfarm YB01farm
  action-list type modify http IP-header
    header insert request X-Forwarded-For header-value "%is"
  class-map match-all YB01-slb-vip
    2 match virtual-address 110.43.102.251 any
  class-map match-all YB02-slb-vip
    2 match virtual-address 110.43.102.252 any
  class-map type management match-any remote_access
    description remote-access-traffic-match
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  policy-map type loadbalance http first-match YB01-slb
    class class-default
      sticky-serverfarm STICKYYB01
      action IP-header
  policy-map type loadbalance http first-match YB02-slb
    class class-default
      sticky-serverfarm YB02-GRP
      action IP-header
  policy-map type loadbalance first-match YB6666
    class class-default
      sticky-serverfarm STICKYYB01
      action IP-header
      insert-http https header-value "on"
  policy-map multi-match client-vips
    class YB01-slb-vip
      loadbalance vip inservice
      loadbalance policy YB6666
      loadbalance vip icmp-reply active
      nat dynamic 100 vlan 100
      appl-parameter http advanced-options PRESIST-REBALANCE
    class YB02-slb-vip
      loadbalance vip inservice
      loadbalance policy YB02-slb
      loadbalance vip icmp-reply active
      nat dynamic 100 vlan 100
  interface vlan 3
    ip address 192.168.50.2 255.255.255.240
    access-group input ALL
    service-policy input remote_mgmt_allow_policy
    no shutdown
  interface vlan 100
    ip address 110.43.102.238 255.255.255.0
    access-group input allowany
    nat-pool 100 110.43.102.239 110.43.102.239 netmask 255.255.255.255 pat
    service-policy input remote_mgmt_allow_policy
    service-policy input client-vips
    no shutdown
  ip route 0.0.0.0 0.0.0.0 110.43.102.112

  Hi,
  The error comes when accessing the website through LB. The error is thrown by the server. Do  we know what does that error indicate and will be thrown by server under what circumstances?
  Can you just try with one server in the serverfarm and check if it works fine?
  Does it load initial page at all or throws error right away.
  What do you see in show conn output? Which VIP is in question here?
  Regards,
  Kanwal