cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
597
Views
4
Helpful
1
Replies

ACE LB SSL Session ID in onearm mode

robertsj2609
Level 1
Level 1

I am trying to set-up SSL stickyness using the session ID in a onearm configuration mode and can not access the website via the vip.  I can browse to both servers directly.

The ACE is connected to a Cat 6500, via a 4 gigabit ethernet port-channel and only the management and onearm context vlan is trunked down the port-channel.

From the OneArm Mode context i am able to ping the MSFC (VLAN980) default gateway and both rservers.  The rservers, Server Farm and Service Policy are all showing as in service.   I am also able to ping the vip from any device on the network.

The incoming connection is establish and nat appears to take place, although the return session is report as init.

I have posted the configuration below and was hoping someone could make a few suggestions.   One of the things i notice is on the MSFC the nat address isn't in the arp table, although, it's showing on the ACE.

logging enable
logging buffered 7

access-list everyoneline 1 extended permit ip any any

script file name SSL_PROBE_SCRIPT

probe scripted ssl443
  port 443
  interval 60
  passdetect interval 60
  script SSL_PROBE_SCRIPT

parameter-map type generic sslidparam
  set max-parse-length 70

rserver host host1
  ip address 192.168.20.129
  inservice
rserver host host2
  ip address 192.168.20.130
  inservice


serverfarm host ssl-443
  rserver host1
    weight 10
    probe ssl443
    inservice
  rserver host2
    weight 10
    probe ssl443
    inservice

sticky layer4-payload sticky-443
  timeout 720
  serverfarm ssl-443
  response sticky
  layer4-payload offset 43 length 32 begin-pattern "\x20"


class-map type management match-any MANAGEMENT
  2 match protocol icmp any
  3 match protocol http any
  4 match protocol https any
  5 match protocol ssh any
  6 match protocol telnet any

class-map match-any slb-vip
  3 match virtual-address 192.168.198.50 tcp eq https

policy-map type management first-match MANAGEMENT-POLICY
  class MANAGEMENT
    permit

policy-map type loadbalance generic first-match slb-vip
  class class-default
    sticky-serverfarm sticky-443

policy-map multi-match SSL-STICKY
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb-vip
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 980
    appl-parameter generic advanced-options sslidparam

interface vlan 980
  ip address 192.168.198.4 255.255.255.0
  peer ip address 192.168.198.5 255.255.255.0
  access-group input everyone
  nat-pool 1 192.168.198.6 192.168.198.6 netmask 255.255.255.255 pat
  service-policy input MANAGEMENT-POLICY
  service-policy input SSL-STICKY
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.198.1

sh conn

total current connections : 2

conn-id    np dir proto vlan source                destination           state

----------+--+---+-----+----+---------------------+---------------------+------+

19828      1  in  TCP   98   192.168.18.139:2411    192.168.198.50:443      ESTAB

19829      1  out TCP   98   192.168.20.129 :443    192.168.198.6:1059     INIT

1 Reply 1

robertsj2609
Level 1
Level 1

The problem was caused by an incorrect nat pool.   Correct Mask was 255.255.255.0.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: