URL LOADBALANCING IN ACE 20

Hello Guys,
I have 2 rservers 10.30.1.73, 10.30.1.76,
I have 3 URLs in both
http://10.30.1.73:8000/hcs9prd/signon.html -> Production
http://10.30.1.73:8085/hcs9fgtpwd/signon.html -> Forgot password
http://10.30.1.73:8020/hcs9gst/signon.html -> Guest login
The following are the URLs in 10.30.1.76
http://10.30.1.76:8000/hcs9prd/signon.html -> Production
http://10.30.1.76:8085/hcs9fgtpwd/signon.html -> Forgot password
http://10.30.1.76:8020/hcs9gst/signon.html -> Guest login
I want to have only one link for the two same links on both servers, with this IP address 10.30.1.172,
so I will have 3 links and will load balance to 6 links
http://10.30.1.172:8000/hcs9prd/signon.html
http://10.30.1.172:8085/hcs9fgtpwd/signon.html
http://10.30.1.172:8020/hcs9gst/signon.html
Please help me in configuration.

Hi Danial
I have configured the below but it is still not working!
access-list any line 8 extended permit icmp any any
access-list any line 16 extended permit ip any any
probe http HTTP_PROBE
  interval 20
  passdetect interval 60
  expect status 200 300
rserver host Server01
  ip address 10.30.1.73
  inservice
rserver host Server02
  ip address 10.30.1.76
  inservice
serverfarm host SIS
  probe HTTP_PROBE
  rserver Server01
    weight 5
    rate-limit bandwidth 268435456
    inservice
  rserver Server02
    weight 5
    rate-limit bandwidth 268435456
    inservice
class-map match-any L4VIPCLASS
  2 match virtual-address 10.30.1.172 tcp eq www
  3 match virtual-address 10.30.1.172 tcp eq 8000
  4 match virtual-address 10.30.1.172 tcp eq 8085
  5 match virtual-address 10.30.1.172 tcp eq 8020
  6 match virtual-address 10.30.1.172 tcp eq 8050
  7 match virtual-address 10.30.1.172 tcp eq 8065
  8 match virtual-address 10.30.1.172 tcp eq 8035
class-map type management match-any REMOTE-ACCESS
  description REMOTE ACCESS TRAFFIC MATCH
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
class-map type http loadbalance match-any SIS_VIP_URL
  2 match http url http://10.30.1.172:8000/hcs9prd/signon.html
  3 match http url http://10.30.1.172:8085/hcs9fgtpwd/signon.html
  4 match http url http://10.30.1.172:8020/hcs9gst_u/signon.html
  5 match http url http://10.30.1.172:8035/hcs9gst_p/signon.html
  6 match http url http://10.30.1.172:8050/hcs9gst_t/signon.html
  7 match http url http://10.30.1.172:8065/hcs9gst_v/signon.html
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE-ACCESS
    permit
policy-map type loadbalance first-match POLICYMAP_L7
  class SIS_VIP_URL
    serverfarm SIS
policy-map multi-match VIPs
  class L4VIPCLASS
    loadbalance vip inservice
    loadbalance policy POLICYMAP_L7
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
interface vlan 301
  ip address 10.30.1.203 255.255.255.0
  access-group input any
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
Regards,
Salah
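
A small lint check for two things that stand out in the configuration above when compared with the path-only `match http url /images/.*` form quoted further down this page: URL matches written as full `http://host:port/...` strings, and an L7 policy with no `class class-default`. This is an added example, not part of the original post and not Cisco tooling; it assumes the ACE compares the expression against the request path only, and the sample config (including the `/hcs9gst/.*` line) is constructed from the posted lines.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a trimmed copy of the class-map / policy-map lines posted
# above, plus one path-only match line added for contrast.
SAMPLE_CONFIG = """\
class-map match-any L4VIPCLASS
  3 match virtual-address 10.30.1.172 tcp eq 8000
  4 match virtual-address 10.30.1.172 tcp eq 8085
class-map type http loadbalance match-any SIS_VIP_URL
  2 match http url http://10.30.1.172:8000/hcs9prd/signon.html
  3 match http url http://10.30.1.172:8085/hcs9fgtpwd/signon.html
  4 match http url /hcs9gst/.*
policy-map type loadbalance first-match POLICYMAP_L7
  class SIS_VIP_URL
    serverfarm SIS
"""

URL_MATCH = re.compile(r"^(?:\d+\s+)?match http url (\S+)$")


def parse_blocks(config):
    """Group a config into (top-level line, [indented child lines])."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint(config):
    """Return findings as (object name, rule, offending expression, suggestion)."""
    findings = []
    for header, children in parse_blocks(config):
        words = header.split()
        if words[:4] == ["class-map", "type", "http", "loadbalance"]:
            for child in children:
                m = URL_MATCH.match(child)
                if m and re.match(r"(?i)https?://", m.group(1)):
                    # Assumption: only the path is compared, so suggest the path part.
                    path = urlsplit(m.group(1)).path or "/"
                    findings.append((words[-1], "absolute-url", m.group(1), path))
        elif words[:3] == ["policy-map", "type", "loadbalance"]:
            classes = [c.split()[1] for c in children if c.startswith("class ")]
            if "class-default" not in classes:
                # Requests matching no listed class have no serverfarm assigned.
                findings.append((words[-1], "no-class-default", "", ""))
    return findings


if __name__ == "__main__":
    for name, rule, expr, hint in lint(SAMPLE_CONFIG):
        print(f"{name}: {rule} {expr} {('-> ' + hint) if hint else ''}".rstrip())
```
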

Similar Messages

  • URL Filtering on ACE 4710 -Deny access

    Hi,
    I have a requirement to filter (deny access) to certain URLs. The URLs are listed below. Any guidance/assistance in achieving this would be greatly appreciated.
    https://<Domainname>/corp/BANKAWAY?Action.Admin.Init=Y&AppSignonBankID=NG
    https://<Domainname>/corp/BANKAWAY?Action.RMUser.Init.001=Y&AppSignonBankId=NG&AppType=corporate&CorporateSignonLangId=001
    Also, to achieve this, would we need to do SSL off-loading? I believe so. Then would have to initiate back to server.
    Thanks in advance.
    Paul.

    Yes SSL offload is mandatory.
    You can achieve this in at least two ways :
    Use L7 inspection and a reset action : http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/security/guide/appinsp.html#wp1283413
    or use two L7 class-maps and direct the requests to a dummy / redirect server farm.
    The best way to achieve this would be to generate a 403 forbidden but the ACE seems to not be able to send such a code by itself.

  • QoS Cisco SCE8000, Caching Cisco IronPort WSA, Loadbalancing Cisco ACE solution

    Hi all,
    Our customer is a mobile operator. They need an integrated solution for caching, QoS and Loadbalancing in a combination. From my understanding of their goals, they need to provide stable and speedy broadband access as well as good user experience by the differentiation service offering. They need to classify IP traffic and prioritize and control of content-based services for a given subscriber while transparently and dynamically redirect and load balance the application level classified of IP traffic to a proxy caching server regardless of protocols such as http, https, ssl, ftp, flv, mms and rstp, sip, p2p....
    Attached pls find the RFP and technical specification for Caching and QoS.
    I appreciate your expertise to consult me whether I can propose for them the Cisco ACE standalone appliance or ACE engine module for 7600/6500 for loadbalancing, Cisco IronPort WSA for caching and dual Cisco SCE8000 for QoS as an integrated solution. Is this solution feasible/workable and where could I find the same reference or solution design or technical guidance on this?
    Thanks a lot and would like to hear from you at the soonest!
    Best regards,

  • L3 OOB NAC Server loadbalanced by ACE

    Hi is there any documentation or information on NAC server loadbalance by cisco ACE? I want to know typically how is the setup like and what is the traffic flow? is there a way to configure NAC clients to talk to the NAC directly after being loadbalanced by the ACE? meaning traffic flow going
    users>ACE>NAC Server Untrusted interface>user <---- during authentication
    instead of
    user>ACE>NAC Server Untrusted interface>ACE>user.

    Adrian,
    I've seen some internal documents on this. Please ping your account team and they can possibly help you out with the design for this.
    HTH,
    Faisal

  • ACE filter by url

    Hi,
    I want to redirect some url on a specific server of mywebfarm. The loadbalancing works but the specific rules I created based on http url do not. (The loadbalancing dont keep the same server during the same user session by the way)
    Here is my config :
    access-list ANY line 8 extended permit icmp any any
    access-list ANY line 16 extended permit ip any any
    probe tcp PROBE_TCP
      interval 30
      passdetect interval 60
    rserver host web1
      ip address 172.16.0.101
      conn-limit max 50000 min 40000
      inservice
    rserver host web2
      ip address 172.16.0.102
      conn-limit max 50000 min 40000
      inservice
    serverfarm host FARM_WEB
      predictor leastconns
      probe PROBE_TCP
      rserver web1
        inservice
      rserver web2
        inservice
    serverfarm host SINGLE_WEB1
      rserver web1
        inservice
    parameter-map type http HTTP_PARAMETER_MAP
      persistence-rebalance
    class-map match-all L4-WEB-IP
      2 match virtual-address x.x.x.x tcp eq www
    class-map match-all L4-WEBHTTPS-IP
      2 match virtual-address x.x.x.x tcp eq https
    class-map type http loadbalance match-all L7CLASSWEB1
      2 match http url http://www.mycompany*
    class-map type http loadbalance match-all L7CLASSWEB1-Mycompany.com
      2 match http url http://www.mycompany.com/*
    class-map type management match-all REMOTE_ACCESS
      2 match protocol ssh any
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance http first-match WEB_L7_POLICY
      class L7CLASSWEB1
        serverfarm SINGLE_WEB1
      class L7CLASSWEB1-Mycompany.com
        serverfarm SINGLE_WEB1
      class class-default
        serverfarm FARM_WEB
        insert-http x-forward header-value "%is"
        insert-http X-FORWARDED-FOR header-value "%is"
    policy-map multi-match WEB-to-vIPs
      class L4-WEB-IP
        loadbalance vip inservice
        loadbalance policy WEB_L7_POLICY
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 2129
        appl-parameter http advanced-options HTTP_PARAMETER_MAP
      class L4-WEBHTTPS-IP
        loadbalance vip inservice
        loadbalance policy WEB_L7_POLICY
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 2129
        appl-parameter http advanced-options HTTP_PARAMETER_MAP

    Hello Jean
    The first thing which comes to my mind when you say: "The loadbalancing dont keep the same server during the same user session by the way" is you need to configure some stickiness configuration, here you have a link about it:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/slb/guide/sticky.html#wp1007300
    For the redirection question, what exactly do you want to accomplish?
    Here you have an example which might help you out: http://docwiki.cisco.com/wiki/URL_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example
    ACE-1/onearm(config)# class-map slb-vip
    ACE-1/onearm(config-cmap)# match virtual-address 172.16.5.101 any
    ACE-1/onearm(config)# class-map type http loadbalance match-all images
    ACE-1/onearm(config-cmap-http-lb)# match http url /images/.*
    ACE-1/onearm(config)# policy-map type loadbalance http first-match slb-logic
    ACE-1/onearm(config-pmap-lb)# class images
    ACE-1/onearm(config-pmap-lb-c)# serverfarm imagefarm
    ACE-1/onearm(config-pmap-lb-c)# class class-default
    ACE-1/onearm(config-pmap-lb-c)# serverfarm webfarm
    As you can see above in this partial configuration, you have the VIP:172.16.5.101, that is
    our website: www.example.com, now we want to match www.example.com/images/, this is where we
    are using the other class-map and based on that we finally execute the action of sending the
    request to the serverfarm imagefarm.
    Hope this helps!!!
    Jorge

  • ACE url tampering and other security capabilities

    Hi,
    I was wondering if anyone knows whether it's possible with the ACE to secure administrative/backend urls from the internet? ie. https://x.company.com/IGGS/Admin I would like to block access to this url from the internet for example. I have read the documentation but it only mentions HTTP deep packet inspection and a lot of RFC stuff
    Regards
    Tyrone

    I can answer myself because I finally found a link to another post.
    The following will restrict certain source addresses from accessing certain URL via the ACE, I have tried this in one armed-mode, but should work even with routed-mode.
    ### Also important to notice is that doing Layer-7 loadbalancing with ssl the ACE will need to terminate the tunnel otherwise all traffic passes the ACE encrypted###
    class-map type http loadbalance match-all ten
      2 match source-address 10.0.0.0 255.0.0.0
      4 match http url .*
    class-map type http loadbalance match-all seventeen
      2 match source-address 17.16.0.0 255.255.0.0
      4 match http url .*
    class-map type http loadbalance match-any restrict
      2 match http url /public.*
      4 match http url /downloads.*
    then use in load balance policy as follows:
    policy-map type loadbalance first-match WEBSERVER_L7
      class ten
        sticky-serverfarm WEBSERVER_StickyGroup
      class seventeen
        sticky-serverfarm WEBSERVER_StickyGroup
      class restrict
        sticky-serverfarm WEBSERVER_StickyGroup
    If you want to send outside users with other urls to a sorry page you would have a server in a serverfarm that would do that and use it in a class class-default on the bottom of the load balance policy. The matches on load balance policy are top down so order is important.
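
The first-match evaluation described in the answer above, modelled in Python as an added example (not code from the original post or from the ACE). `SORRY_FARM` is a hypothetical name for the class-default sorry-page farm, the request list is constructed, and URL expressions are assumed to be matched against the whole request path.

```python
import ipaddress
import re

# Class-maps from the post above: "all" = match-all, "any" = match-any.
CLASS_MAPS = {
    "ten": ("all", [("source", "10.0.0.0/255.0.0.0"), ("url", ".*")]),
    "seventeen": ("all", [("source", "17.16.0.0/255.255.0.0"), ("url", ".*")]),
    "restrict": ("any", [("url", "/public.*"), ("url", "/downloads.*")]),
}

# Policy order from the post. SORRY_FARM is a hypothetical serverfarm name.
POLICY = [
    ("ten", "WEBSERVER_StickyGroup"),
    ("seventeen", "WEBSERVER_StickyGroup"),
    ("restrict", "WEBSERVER_StickyGroup"),
    ("class-default", "SORRY_FARM"),
]

# Constructed requests: (client source address, request path).
SAMPLE_REQUESTS = [
    ("10.20.30.40", "/IGGS/Admin"),
    ("17.16.5.9", "/IGGS/Admin"),
    ("198.51.100.7", "/public/index.html"),
    ("198.51.100.7", "/IGGS/Admin"),
    # "/public.*" is a prefix pattern, so it covers more than the /public/ directory.
    ("198.51.100.7", "/publicity/admin"),
]


def condition_matches(kind, value, src_ip, url):
    """Evaluate one match statement against a request."""
    if kind == "source":
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(value)
    # Assumption: the expression has to cover the whole path.
    return re.fullmatch(value, url) is not None


def class_matches(name, src_ip, url):
    """match-all needs every statement to hit, match-any needs one."""
    if name == "class-default":
        return True
    mode, conditions = CLASS_MAPS[name]
    hits = [condition_matches(k, v, src_ip, url) for k, v in conditions]
    return all(hits) if mode == "all" else any(hits)


def select_serverfarm(policy, src_ip, url):
    """Walk the policy top down and stop at the first matching class."""
    for class_name, farm in policy:
        if class_matches(class_name, src_ip, url):
            return class_name, farm
    return None, None


def evaluate_all(policy, requests):
    return [(src, url) + select_serverfarm(policy, src, url) for src, url in requests]


if __name__ == "__main__":
    for src, url, cls, farm in evaluate_all(POLICY, SAMPLE_REQUESTS):
        print(f"{src:15} {url:22} -> class {cls:13} farm {farm}")
```

Moving `class-default` to the top of `POLICY` sends every request, internal ones included, to the sorry farm, which is the ordering point the answer makes.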

  • Can ACE rewrite the URL sent back to the browser?

    Hi,
    I want to know that if there is a link on a webpage, for example: www.test.com/folder1/folder2/index.html
    Would be it be possible to rewrite this so that when the webserver provides you with that page, that the ACE rewrites the given URL so that the browser only says in the URL bar: www.test.com
    Or is this impossible and would the webserver itself need to do this rewrite?
    Thanks!

    Hi Robin,
    As per my understanding, when you click on that link the URL would say www.test.com/folder1/folder2/index.html in URL bar. ACE can rewrite URL and forward to server or can modify server response but I am not sure if there's any way you can get the URL change in the bar after you click on hyperlink and webpage loads. Maybe you can have redirection but not rewrite here.
    Regards,
    Kanwal

  • Cisco ACE 4710 - Health Monitoring for Real Servers

    Hi,
    I have setup the following health probe to check for the existence of a specific web page.  My intention is that when the web page is removed, the health check fails and the rserver status changes to 'out of service'.  Unfortunately, when I remove the web page, I see the health check fail, and the rserver state change to 'PROBE-FAILED', however the rserver does not go 'out of service' and continues to respond to requests.
    Can anyone see where I'm going wrong?
    Health check probe config
    probe http live_http_int
      interval 15
      passdetect interval 60
      request method get url /loadbalancer/internal.html
      expect status 199 201
      open 10
    RSERVER config
    rserver host Server1
      description Server1
      ip address 10.10.10.1
      conn-limit max 4000000 min 4000000
      probe live_http_int
      inservice
    rserver host Server2
      ip address 10.10.10.2
      conn-limit max 4000000 min 4000000
      probe live_http_int
      inservice

    Hi syannetwork,
    I think you have to "force" the failed server to close the connection when it has failed. Otherwise it will still serve the available HTML pages.
    Have a look at the "Configuring the ACE Action when a Server Fails" in the "Cisco Application Control Engine Module Server Load-Balancing Configuration Guide" and let me know if the following command helped:
    conf t
    serverfarm host ServerFarm
    failaction purge
    Have a good WE.
    Cheers
    LPL

  • FTPS with ACE 4710

    Hi,
    I need to configure ACE for load-balancing FTPS. And simply deploying L4 policies are not helping either. Configured the FTPS servers and both of them are working fine when accessed via physical IP, but do not work when accessed via the VIP.
    if it is possible, a reference URL would really be a great help.

    Hi Rajiv,
    Do you want to loadbalance SFTP ?
    Or just have it pass through ??
    Loadbalancing SFTP is difficult because it starts as regular FTP and switches over to SSL which ACE can't do and fails to understand.
    you don't need anything to have it passthrough.
    As long as you don't ask ACE to inspect the traffic, and assuming this traffic is permitted in your access-group, then there is nothing to do to have it go through.
    I think your goal is to distribute inbound file deposits evenly across SFTP servers.
    High-level Overview
    Clients -> Internet -> Tier-1 Firewall -> ACE Load-balancer -> SFTP Servers
    I would like to tell you that SFTP is nothing but SSH. It uses a single connection. There are no issues loadbalancing it using traditional Layer 4 load balancing.
    So you are good.
    On the other hand FTP over SSL (FTPS) can neither be offloaded nor loadbalanced using ACE.
    FTPS uses multiple channels and since the control channel is encrypted, ACE is not able to get the port numbers for the data connections.
    Kindly find these examples for FTP load balance method in cisco ACE:
    1. FTP serverfarm on Cisco ACE
    http://snippets101.blogspot.com/2007/06/ftp-serverfarm-on-cisco-ace.html
    2. FTP Load Balancing on ACE in Routed Mode Configuration Example
    http://docwiki.cisco.com/wiki/FTP_Load_Balancing_on_ACE_in_Routed_Mode_Configuration_Example
    3. FTP Load Balancing on ACE in One-Arm Mode Configuration Example
    http://docwiki.cisco.com/wiki/FTP_Load_Balancing_on_ACE_in_One-Arm_Mode_Configuration_Example
    Kindly refer to the following URLs for Layer4 policies:
    http://cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3048.shtml
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Module_Troubleshooting_Guide,_Release_A2(x)_--_Troubleshooting_Layer_4_Load_Balancing
    http://snippets101.blogspot.com/2008/08/cisco-ace-and-private-vlans-in-switch.html
    http://snippets101.blogspot.com/2008/08/asymmetric-server-normalization-on.html
    http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide,_Release_A3(1.0)_--_Configuring_Server_Load_Balancing
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/security/guide/tcpipnrm.html#wpmkr1116809
    Hope it will help you further in configuring the ACE load balancing L4 policies.
    Kindly rate
    Sachin Garg

  • ACE http health probes - best practice for interval and passdetect interval?

    Hi,
    Is there a recommended standard for http health probes in terms of interval and passdetect interval timings, i.e. should the passdetect interval always be less than the interval or vice versa? Can a http probe be 'mis-configured', i.e. return a 'false positive' by configuring an interval timeout that's 'incompatible' with the device it's polling?
    I have a http probe for a serverfarm consisting of two Apache http servers and get intermittent 'server reply timeout' probe failures. I'm keen to ensure that the configuration of the probe isn't at fault so I can be confident that a failed probe indicates a problem with the server and not my configuration.
    The probe is currently configured as below:-
    probe http http-apache
      interval 30
      passdetect interval 15
      passdetect count 6
      request method get url /cs/images/ACE.html
      expect status 200 304
    Any advice on the subject would be gratefully received.
    thanks
    Matthew

    Hi Gilles,
    Thanks for the advice. In another discussion (found here https://supportforums.cisco.com/message/462397#462397) a poster has stated that:-
    "(The) "Probe interval" should always be less than (open+receive) timeout value. Default open & receive timeouts are 10 seconds."
    Are you able to advise on whether the above is correct and if so, why? I currently have an interval value of 30 that obviously goes against the advice above (which I've interpreted to mean that if you leave the open & receive timeouts at their default settings your probe interval should be less than 20 seconds?).
    thanks
    Matthew

  • Ace Redirect and re-write

    Can anybody point me in the right direction for changing the URL when the ACE is performing the redirection?
    I have the standard ace redirection to HTTPS set up and it is working fine.
    I have a wildcard certificate *.abc.com but when the application was being tested the URL abc.com kicks up a certificate error in the browser.
    Not sure if I should have set the CN as *acb.com when ordering it but it's done now.
    I am wanting to redirect when http://abc.com is put in the client browser to https://www.abc.com
    I have tried reading these forums and using header rewrite to change the location on response but it just doesn't seem to work.
    I have tried deleting/renaming/replacing the host header on request and rewrite/delete on response. Tried all sorts of regex nothing works.
    I can insert a header so I know the action is being hit, just can't seem to change the host on request or location on response.
    Any ideas?
    I am guessing the inner workings only allow for modification of these headers when the redirects are being done by the server and the headers are passing through the load balancer.
    on latest 5(2.1) version
    example of one I tried
    action-list type modify http ABC_MODIFY
      header rewrite response location header-value "https://abc(.*)" replace "https://www.abc%1"
    then applied to policy redirect map

    I tried another approach which seemed to work.
    rserver redirect RED2A
      webhost-redirection https://www.%h 302
      inservice
    rserver redirect RED2
      webhost-redirection https://%h 302
      inservice
    serverfarm redirect RED2-VIP-IN
      rserver RED2
        inservice
    serverfarm redirect RED2A-VIP-IN
      rserver RED2A
        inservice
    class-map type http loadbalance match-any RED2A-VIP-IN
      2 match http header Host header-value "abc.com"
    class-map match-any RED2-VIP-IN
      2 match virtual-address x.x.x.x tcp eq www
    ..etc
    policy-map type loadbalance first-match RED2-VIP-IN-LB-POLICY
      class RED2A-VIP-IN
        serverfarm RED2A-VIP-IN
      class class-default
        serverfarm RED2-VIP-IN
    this seemed to redirect the abc.com to https://www.abc.com and the other requests like other.abc.com to https://other.abc.com
    I tried regex for the header value match like [^\.]abc.com and ^abc.com but these didn't seem to match.

  • Traceroute not happening to ACE from Oracle Server

    Hi,
    Our ACE is configured in One-ARM Mode. I have an Oracle Serverfarm being loadbalanced by ACE from where traceroute to ACE is not happening.
    Oracle Server in VLAN 10 with Gateway configured at Core Switch: 10.10.10.21
    VLAN 60: 10.10.60.21 in Core switch & ACE ip: 10.10.60.1
    If from ACE I do a traceroute at one of the Oracle DB servers (10.10.10.5 & 10.10.10.6) it's going nicely. But sitting at Oracle DB servers if I do trace to ACE IP: 10.10.60.1 it gets dropped at Core switch: 10.10.10.21
    This problem is not happening from any other Windows machines....
    Can someone highlight....
    Attached the ACE config...

    Some machines use icmp to do traceroute and others use udp.
    Your oracle machine might be using udp and your core switch has a security acl to block this udp traffic.
    G.

  • Loadbalancing DHCP ?

    Hi all
    Has anyone ever successfully loadbalanced dhcp with an ACE module?
    We use an ACE20-MOD-K9 with version A2(3.5). After I configured a policy which loadbalances everything to one rserver and one standby rserver it seems that it does not work as expected.
    config:
    probe udp PROBE_7_101_DHCP
      port 67
      interval 10
      passdetect interval 60
      passdetect count 2
    rserver host REAL_SERVER_IDDHCP03
      ip address <ip1>
      inservice
    rserver host REAL_SERVER_IDDHCP04
      ip address <ip2>
      inservice
    serverfarm host SERVERFARM_7_101
      probe PROBE_7_101_DHCP
      rserver REAL_SERVER_IDDHCP03
        backup-rserver REAL_SERVER_IDDHCP04
        inservice
      rserver REAL_SERVER_IDDHCP04
        inservice standby
    class-map match-all CLASS_MAP_VIP_7_101
      2 match virtual-address <vip> any
    policy-map type loadbalance first-match POLICY_MAP_L7_7_101
      class class-default
        serverfarm SERVERFARM_7_101
    policy-map multi-match POLICY_MAP_L3L4_7_101
      class CLASS_MAP_VIP_7_101
        loadbalance vip inservice
        loadbalance policy POLICY_MAP_L7_7_101
        loadbalance vip icmp-reply active
    interface vlan 1207
      bridge-group 7
      no normalization
      mac-sticky enable
      no icmp-guard
      service-policy input POLICY_MAP_L3L4_7_101
      no shutdown
    interface vlan 1257
      bridge-group 7
      no normalization
      no icmp-guard
      no shutdown
    interface bvi 7
      ip address ...
      alias ...
      peer ip address ...
      no shutdown
    After some tcpdumping we saw that the dhcp request gets its way to the IDDHCP03 which correctly answers with a dhcp offer. But the offer never comes back to the client (which sends its request over an ASA with a dhcp relay agent configured).
    Any ideas?
    Should dhcp loadbalancing work with the ACE module? (it just has to loadbalance udp/67 like it does it with every other protocol)
    Thanks
    Patrik

    Hi Patrik,
    This link should answer your question
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/rtg_brdg/guide/dhcp.html
    We don't support DHCP loadbalancing. ACE can act like a DHCP relay. The above link should answer your question.
    If not let me know
    Thanks
    VK

  • "exception" code in ACE logs

    Hello,
    We are having an issue with http based application loadbalanced by ACE - sometimes one of the pages in the browser is partially blank (some of the code referenced in main html document seems to be missing). We've discovered the following syslog message from ACE in regard to such http session:
    Jul  8 2010 09:24:03 : %ACE-6-302023:  Teardown TCP connection 0xd7f1 for vlan10:10.1.1.1/1783 to  vlan20:10.1.2.1/443 duration 0:00:00 bytes 45497 Exception
    What can be told about this "exception" code? Documentation isn't especially helpful in this case...
    thanks
    WM

    The error code states connection setup error which could be a number of things.
    https://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/system/message/guide/messags.html#wp1147957
    Can you post the ACE config you are using first and any details of the webserver. Would be a good place to start.
    Dave

  • Load-balancing inbound sftp connections with ACE

    Hi,
    Can anyone share experiences or any info relating to issues that might be encountered when load-balancing sftp protocol?
    The goal is to distribute inbound file deposits evenly across SFTP servers.
    High-level Overview
    Clients -> Internet -> Tier-1 Firewall -> ACE Load-balancer -> SFTP Servers
    Many Thanks

    SFTP is nothing but SSH. It uses a single connection. There are no issues loadbalancing it using traditional Layer 4 load balancing.
    So you are good.
    On the other hand FTP over SSL (FTPS) can neither be offloaded nor loadbalanced using ACE.
    FTPS uses multiple channels and since the control channel is encrypted, ACE is not able to get the port numbers for the data connections.
    HTH
    Syed Iftekhar Ahmed
