02-14-2008 10:12 AM
Does the ACE allow HTTPS passthrough?
Here's what I've tried to do without success.
rserver host nuxi
  description TEST SERVER
  ip address 10.10.2.100
  probe ping-probe
  inservice
serverfarm host https-test
  description TEST SERVER FARM
  failaction purge
  predictor leastconns
  probe imap-probe
  rserver nuxi 443
    inservice
class-map match-all VIP-HTTPS
  2 match virtual-address 10.10.1.1 tcp eq 443
policy-map type loadbalance first-match HTTPS-POLICY
  class class-default
    serverfarm https-test
policy-map multi-match CLIENT-VIPS
  class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy HTTPS-POLICY
    loadbalance vip icmp-reply active
02-14-2008 12:34 PM
Yes, ACE allows HTTPS to be load balanced without being terminated.
Get a sniffer trace to see what is going on.
Does HTTP work?
Gilles.
02-14-2008 02:05 PM
Hi Gilles,
Yes, HTTP works. I had a trace but didn't save it. I thought perhaps it was a bug with the version we are running - 3.0(0)A1(5a).
We reverted everything back to an old LDA and are planning to try with the ACE again soon; this time with SSL termination though.
Since you say it should work, I'll schedule some time to try and make SSL pass through work on our next attempt. And save the trace.
Thanks,
Milo
02-15-2008 03:20 PM
02-17-2008 04:55 AM
The trace does not match the config you sent.
Can't find the same IP addresses.
In the trace, it is also clear the module is spoofing the HTTPS connection.
Not sure why.
So I would need a 'show tech' to confirm what is happening.
Also get 'show service-policy'.
Gilles.
02-18-2008 07:44 AM
Gilles,
Sorry about that. It's a production context and complex. Here is the relevant portion of the current config. The show tech is attached.
probe http sys-stat
  description WEB SERVER PROBE
  faildetect 2
  passdetect count 1
  receive 60
  request method get url /manager/html
  expect status 401 401
rserver host systemsStatus1-test
  description TEST SYSTEMS STATUS WEB SERVER
  ip address 134.114.6.149
  probe ping-probe
  inservice
rserver host systemsStatus2-test
  description TEST SYSTEMS STATUS WEB SERVER
  ip address 134.114.6.150
  probe ping-probe
  inservice
serverfarm host systemsStatus-test
  description TEST SYSTEMS STATUS WEB SERVER FARM
  failaction purge
  predictor leastconns
  probe sys-stat
  retcode 100 500 check count
  rserver systemsStatus1-test
    inservice
  rserver systemsStatus2-test
    inservice
sticky ip-netmask 255.255.255.255 address source GROUP_2_TEST
  timeout 480
  replicate sticky
  serverfarm systemsStatus-test
policy-map multi-match CLIENT-VIPS
class-map match-all VIP-SYSTAT-HTTP-TEST
  description system status test web server
  2 match virtual-address 134.114.6.148 any
!==========================
ace-its-a/PSOFT# sh service-policy CLIENT-VIPS detail | be VIP-SYSTAT-HTTP-TEST
  class: VIP-SYSTAT-HTTP-TEST
    VIP Address:    Port:
    134.114.6.148   any
    loadbalance:
      L7 loadbalance policy: SYSTAT-HTTP-POLICY-TEST
      VIP Route Metric     : 77
      VIP Route Advertise  : DISABLED
      VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
      VIP State: INSERVICE
      curr conns       : 0         , hit count        : 395
      dropped conns    : 379
      client pkt count : 1325      , client byte count: 109445
      server pkt count : 1357      , server byte count: 781489
      L7 Loadbalance policy : SYSTAT-HTTP-POLICY-TEST
        class/match : class-default
          LB action : -
          hit count        : 392
          dropped conns    : 376
02-18-2008 08:38 AM
The problem is this line:
retcode 100 500 check count
Because of that, you need to use the serverfarm only for HTTP, as the ACE module will interpret all traffic as HTTP in order to detect the retcode.
Create another serverfarm and rule for https or remove the retcode line.
Gilles.
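A check for the mistake Gilles identifies, as an added example that is not part of the thread and not Cisco's code: a small Python lint that parses an ACE-style config, follows each VIP class-map through the multi-match policy to its load-balance policy's serverfarms, and flags any serverfarm carrying a retcode line that is reachable from a VIP matching any protocol, UDP, or TCP 443. The embedded config text, the class-map names VIP-HTTP/VIP-HTTPS and the policy names HTTP-POLICY/HTTPS-POLICY are constructed; it also shows the two-serverfarm layout the answer recommends (retcode only on the HTTP farm). The parser recognises only the block shapes seen in this thread and ignores indentation, since forum-posted configs usually lose it.

```python
"""Lint an ACE-style config for serverfarms with an HTTP 'retcode' check that
are reachable through a VIP which can also carry non-HTTP traffic.
Added example; config text and most names below are constructed."""
import re

# Constructed config: the broken VIP (any -> retcode farm) beside the fix
# (separate HTTP and HTTPS serverfarms, retcode only on the HTTP one).
SAMPLE_CONFIG = """\
serverfarm host systemsStatus-test
  probe sys-stat
  retcode 100 500 check count
  rserver systemsStatus1-test
    inservice
serverfarm host https-test
  predictor leastconns
  rserver nuxi 443
    inservice
class-map match-all VIP-SYSTAT-HTTP-TEST
  2 match virtual-address 134.114.6.148 any
class-map match-all VIP-HTTP
  2 match virtual-address 10.10.1.1 tcp eq 80
class-map match-all VIP-HTTPS
  2 match virtual-address 10.10.1.1 tcp eq 443
policy-map type loadbalance first-match SYSTAT-HTTP-POLICY-TEST
  class class-default
    serverfarm systemsStatus-test
policy-map type loadbalance first-match HTTP-POLICY
  class class-default
    serverfarm systemsStatus-test
policy-map type loadbalance first-match HTTPS-POLICY
  class class-default
    serverfarm https-test
policy-map multi-match CLIENT-VIPS
  class VIP-SYSTAT-HTTP-TEST
    loadbalance policy SYSTAT-HTTP-POLICY-TEST
  class VIP-HTTP
    loadbalance policy HTTP-POLICY
  class VIP-HTTPS
    loadbalance policy HTTPS-POLICY
"""

# Top-level block openers, recognised by shape so that 'probe ping-probe'
# (inside an rserver) is not confused with 'probe http sys-stat' (top level).
TOP_LEVEL = [
    ("serverfarm", re.compile(r"^serverfarm host (\S+)$")),
    ("class-map", re.compile(r"^class-map \S+ (\S+)$")),
    ("lb-policy", re.compile(r"^policy-map type loadbalance \S+ (\S+)$")),
    ("multi-match", re.compile(r"^policy-map multi-match (\S+)$")),
    ("rserver", re.compile(r"^rserver host (\S+)$")),
    ("probe", re.compile(r"^probe \S+ (\S+)$")),
    ("sticky", re.compile(r"^sticky (.+)$")),
]
MATCH_VIP = re.compile(r"^(?:\d+ )?match virtual-address (\S+)(?: (.*))?$")


def parse_ace_config(text):
    """Collect retcode farms, VIP port specs, policy->farms and class->policy."""
    retcode_farms, vip_ports, policy_farms, class_policy = set(), {}, {}, {}
    kind = name = current_class = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        for k, pat in TOP_LEVEL:
            m = pat.match(line)
            if m:
                kind, name, current_class = k, m.group(1), None
                break
        else:
            if kind == "serverfarm" and line.startswith("retcode "):
                retcode_farms.add(name)
            elif kind == "class-map":
                m = MATCH_VIP.match(line)
                if m:
                    vip_ports[name] = (m.group(2) or "any").strip()
            elif kind == "lb-policy" and line.startswith("serverfarm "):
                policy_farms.setdefault(name, set()).add(line.split()[1])
            elif kind == "multi-match":
                if line.startswith("class "):
                    current_class = line.split()[1]
                elif line.startswith("loadbalance policy ") and current_class:
                    class_policy[current_class] = line.split()[2]
    return retcode_farms, vip_ports, policy_farms, class_policy


def accepts_non_http(port_spec):
    """True when the VIP match can carry traffic that is not plain HTTP:
    'any', UDP, TCP port 443/https, or a TCP range that includes 443."""
    tokens = port_spec.split()
    if "any" in tokens or tokens[0] == "udp":
        return True
    if tokens[0] == "tcp" and len(tokens) >= 3:
        if tokens[1] == "eq":
            return tokens[2] in ("443", "https")
        if tokens[1] == "range" and len(tokens) == 4:
            return int(tokens[2]) <= 443 <= int(tokens[3])
    return False


def find_retcode_conflicts(text):
    """Return sorted (class_map, port_spec, serverfarm) triples where a VIP that
    can carry non-HTTP traffic is balanced onto a serverfarm with a retcode check."""
    retcode_farms, vip_ports, policy_farms, class_policy = parse_ace_config(text)
    findings = []
    for cls, policy in class_policy.items():
        spec = vip_ports.get(cls)
        if spec is None or not accepts_non_http(spec):
            continue
        for farm in sorted(policy_farms.get(policy, ())):
            if farm in retcode_farms:
                findings.append((cls, spec, farm))
    return sorted(findings)


if __name__ == "__main__":
    for cls, spec, farm in find_retcode_conflicts(SAMPLE_CONFIG):
        print(f"{cls} ({spec}) -> {farm}: retcode forces L7 HTTP; move non-HTTP "
              f"traffic to a separate serverfarm or drop the retcode line")
```

Only the VIP-SYSTAT-HTTP-TEST class is reported: it matches any protocol and lands on the farm with the retcode line, exactly the combination from the thread. VIP-HTTP shares that farm but only accepts TCP 80, and VIP-HTTPS goes to https-test, which has no retcode, so both pass.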
02-18-2008 08:59 AM
Gilles,
No Sh--!! Yup, removing that line from the serverfarm fixed it. That's a nice way to start a Monday!!
Thank you,
Milo