08-02-2010 11:29 AM
I am trying to set up SSL stickiness using the session ID in a one-arm configuration mode and cannot access the website via the VIP. I can browse to both servers directly.
The ACE is connected to a Cat 6500 via a 4 Gigabit Ethernet port-channel, and only the management and one-arm context VLANs are trunked down the port-channel.
From the one-arm mode context I am able to ping the MSFC (VLAN 980) default gateway and both rservers. The rservers, server farm and service policy are all showing as in service. I am also able to ping the VIP from any device on the network.
The incoming connection is established and NAT appears to take place, although the return session is reported as INIT.
I have posted the configuration below and was hoping someone could make a few suggestions. One of the things I notice is that on the MSFC the NAT address isn't in the ARP table, although it is showing on the ACE.
logging enable
logging buffered 7

access-list everyone line 1 extended permit ip any any

script file name SSL_PROBE_SCRIPT

probe scripted ssl443
  port 443
  interval 60
  passdetect interval 60
  script SSL_PROBE_SCRIPT

parameter-map type generic sslidparam
  set max-parse-length 70

rserver host host1
  ip address 192.168.20.129
  inservice
rserver host host2
  ip address 192.168.20.130
  inservice

serverfarm host ssl-443
  rserver host1
    weight 10
    probe ssl443
    inservice
  rserver host2
    weight 10
    probe ssl443
    inservice

sticky layer4-payload sticky-443
  timeout 720
  serverfarm ssl-443
  response sticky
  layer4-payload offset 43 length 32 begin-pattern "\x20"

class-map type management match-any MANAGEMENT
  2 match protocol icmp any
  3 match protocol http any
  4 match protocol https any
  5 match protocol ssh any
  6 match protocol telnet any

class-map match-any slb-vip
  3 match virtual-address 192.168.198.50 tcp eq https

policy-map type management first-match MANAGEMENT-POLICY
  class MANAGEMENT
    permit

policy-map type loadbalance generic first-match slb-vip
  class class-default
    sticky-serverfarm sticky-443

policy-map multi-match SSL-STICKY
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb-vip
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 980
    appl-parameter generic advanced-options sslidparam

interface vlan 980
  ip address 192.168.198.4 255.255.255.0
  peer ip address 192.168.198.5 255.255.255.0
  access-group input everyone
  nat-pool 1 192.168.198.6 192.168.198.6 netmask 255.255.255.255 pat
  service-policy input MANAGEMENT-POLICY
  service-policy input SSL-STICKY
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.198.1
sh conn
total current connections : 2
conn-id    np dir proto vlan source                 destination            state
----------+--+---+-----+----+----------------------+----------------------+------+
19828      1  in  TCP   98   192.168.18.139:2411    192.168.198.50:443     ESTAB
19829      1  out TCP   98   192.168.20.129:443     192.168.198.6:1059     INIT
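As an added example that is not part of the original thread or of any Cisco code, the following Python models what the sticky rule `layer4-payload offset 43 length 32 begin-pattern "\x20"` in the config above does to TLS handshake bytes, and why one rule serves both directions: in a ClientHello and a ServerHello the session_id length field sits at byte 43 (5-byte record header, 4-byte handshake header, 2-byte version, 32-byte random), so a 0x20 there means a full 32-byte session ID follows. The reading of the rule as "skip `offset` bytes, find `begin-pattern`, take the next `length` bytes" is an assumption about the ACE parser, the handshake records and rserver names (host1, host2) are constructed test data, and `max-parse-length` is not modelled. It also shows the failure mode a practitioner should expect: a server that issues an empty or shorter session ID never produces a sticky entry, so those clients keep being load-balanced.

```python
import os

# Parameters of the sticky rule from the posted config:
#   layer4-payload offset 43 length 32 begin-pattern "\x20"
STICKY_OFFSET = 43       # byte index of the session_id length field in a Hello record
STICKY_LENGTH = 32       # bytes taken as the sticky key once the pattern matches
BEGIN_PATTERN = b"\x20"  # a length field of 0x20 = 32, i.e. a full-size session ID


def _hello_record(handshake_type: int, session_id: bytes, version: bytes = b"\x03\x01") -> bytes:
    """Build one TLS record carrying a ClientHello (type 1) or ServerHello (type 2).

    Constructed test data: record header (5) + handshake header (4) + version (2)
    + random (32) put the session_id length field at byte 43 in both messages,
    which is what the ACE rule relies on. Everything after the session ID is
    minimal filler because the rule never looks past the key.
    """
    if len(session_id) > 32:
        raise ValueError("TLS session IDs are at most 32 bytes")
    if handshake_type == 1:    # ClientHello: cipher_suites vector + compression vector
        tail = b"\x00\x02\x00\x2f" + b"\x01\x00"
    elif handshake_type == 2:  # ServerHello: one cipher suite + one compression method
        tail = b"\x00\x2f" + b"\x00"
    else:
        raise ValueError("only ClientHello (1) and ServerHello (2) are modelled")
    body = version + os.urandom(32) + bytes([len(session_id)]) + session_id + tail
    handshake = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(handshake).to_bytes(2, "big") + handshake


def client_hello(session_id: bytes = b"") -> bytes:
    return _hello_record(1, session_id)


def server_hello(session_id: bytes) -> bytes:
    return _hello_record(2, session_id)


def sticky_key(payload: bytes, offset: int = STICKY_OFFSET, length: int = STICKY_LENGTH,
               begin_pattern: bytes = BEGIN_PATTERN):
    """Return the sticky key the rule derives from payload, or None if it does not match.

    Assumed reading of the ACE rule (not verified against the ACE parser): skip
    `offset` bytes, search for `begin_pattern`, and take the `length` bytes that
    follow the match as the key.
    """
    pos = payload.find(begin_pattern, offset)
    if pos < 0:
        return None
    start = pos + len(begin_pattern)
    if start + length > len(payload):
        return None
    return payload[start:start + length]


class StickyTable:
    """Models `response sticky`: keys are learned from the rserver's reply and
    later requests carrying the same key are sent to the same rserver."""

    def __init__(self):
        self.entries = {}

    def learn_from_response(self, payload: bytes, rserver: str):
        key = sticky_key(payload)
        if key is not None:
            self.entries[key] = rserver
        return key

    def lookup_request(self, payload: bytes):
        key = sticky_key(payload)
        return None if key is None else self.entries.get(key)


def simulate() -> dict:
    """Walk through a first handshake, a resumption, and a server that issues a short ID."""
    table = StickyTable()
    full_id = bytes(range(32))  # constructed 32-byte session ID issued by host1
    results = {}
    # First visit: the ClientHello carries no session ID, so there is nothing to
    # stick on; the load balancer picks an rserver (host1 here) and its ServerHello
    # is learned into the table.
    results["first_lookup"] = table.lookup_request(client_hello())
    results["learned"] = table.learn_from_response(server_hello(full_id), "host1") == full_id
    # Resumption: the client echoes the ID at the same offset, so it sticks to host1.
    results["resumed_to"] = table.lookup_request(client_hello(full_id))
    # A server handing out a 16-byte ID never places 0x20 at offset 43, so no entry
    # is learned and such clients keep being load-balanced.
    results["short_id_key"] = table.learn_from_response(server_hello(b"\x01" * 16), "host2")
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value!r}")
```

The random field is deliberately left random to show that the rule is indifferent to everything before the offset; only the length byte at 43 and the 32 bytes after it matter. Because the same byte layout holds for ClientHello and ServerHello, the single `response sticky` rule both learns the key from the server and matches it on the client's resumption attempt.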
08-03-2010 11:22 AM
The problem was caused by an incorrect NAT pool. The correct mask was 255.255.255.0.