ACE module and nb of visits to a Web site

sboukef · ‎10-08-2009

Hello,

We have two redundant ACE modules (inside 6500 switches), deployed in routed mode in front of a portal solution. They load balance traffic between two web servers. The customer needs statistics about the portal (nb of visitors) but the web servers only see two IP addresses (that of the two ACE modules), not giving the right number of visitors. I could not retrieve that information from ACE statistics.

Any idea about this issue ?

Many thanks in advance.

huangedmc · ‎10-09-2009

Are the ACE modules the only layer between the web servers and the clients?

Are you NAT'ing client IP's?

Servers should be able to see source IP's unless you have a proxy of some sort in between, such as an AXG, or are NAT'ing clients' source IP's.

Our web servers are seeing client IP's just fine.

The only time when they'd see ACE module's IP's is when ACE probes the servers.

sboukef · ‎10-09-2009

Thank you for your feedback.

No NAT for client IPs.

ACE configuration is very classical and they are load-balancing at layer 4.

In the architecture, there is a first layer of ACE XML Gateway (Web Application Firewall).

Do you mean I should be able to see the client source IPs ?

huangedmc · ‎10-09-2009

W/o any proxy or NAT, you should be able to see client source IPs.

The AXG WAF is a reverse proxy, and therefore you're probably seeing the WAF's source IP on the web servers.

If this is the case, you'll need to do two things:

1.Configure the AXG WAF to pass the client source IP's in the X-Forwarded-For (XFF) http header

2.Configure the web servers so that they'll pipe the source IP's in XFF header to the logs.