
ACE 4710 - SSL issues 2 ViPS

Answered Question

Well, I have struggled with our new ACE over the last few weeks, but I think I am on my last issue.

Currently I have all inbound SSL termination working for *.english.ca, which uses a VIP of 192.168.10.10.

But I also need to terminate all inbound SSL connections for *.french.ca, which needs to use VIP 192.168.10.20.

Right now all connections still appear to be going through the 192.168.10.10 VIP when I look at the service-policy hit counts.


Here is my config:

class-map match-all english
   2 match virtual-address 192.168.10.10 255.255.255.224 tcp eq https

class-map match-all french
   2 match virtual-address 192.168.10.20 255.255.255.224 tcp eq https

policy-map multi-match vip
  class english
    loadbalance vip inservice
    loadbalance policy english
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 500
    ssl-proxy server english
  class french
    loadbalance vip inservice
    loadbalance policy french
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 500
    ssl-proxy server french

interface vlan 500
  description xxxxxxx
  ip address 192.168.10.2 255.255.255.224
  access-group input 101
  nat-pool 2 192.168.10.20 192.168.10.20 netmask 255.255.255.255 pat
  nat-pool 1 192.168.10.10 192.168.10.20 netmask 255.255.255.255 pat
  service-policy input vip
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown


"sh service-policy summary" shows that, no matter what, all SSL connections are hitting the english VIP:

service-policy: vip
Class     VIP             Prot  Port    VLAN   State    Curr Conns  Hit Count  Conns Drop
english   204.101.28.164  tcp   eq 443  1,500  IN-SRVC  0           11         0
french    204.101.28.166  tcp   eq 443  1,500  IN-SRVC  0           0          0


Surely I must be able to run multiple VIPs?

Any help would be appreciated.

Cheers

Dave

Correct Answer by Cesar Roque, Tue, 06/26/2012 - 11:26

Hello Dave,

Try changing the match statements; it should look like this:

class-map match-all english
   2 match virtual-address 192.168.10.10 tcp eq https

class-map match-all french
   2 match virtual-address 192.168.10.20 tcp eq https

-------------------------------

Cesar R


ajayku2 Tue, 06/26/2012 - 11:43

Hi,

When you use a mask, you ideally end up taking the entire subnet; in this case you used the range:

191.166.10.1 - 191.166.10.30  <<< 192.168.10.10 255.255.255.224 >>>>

That's the reason for the trouble; never use a mask for the VIP.

Regards,

Ajay Kumar
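The two answers above come down to one classification rule: a multi-match policy-map is evaluated top to bottom, and a "match virtual-address" with a 255.255.255.224 mask covers the whole /27, so the english class swallows traffic for 192.168.10.20 before the french class is ever consulted. The script below is an added illustration written for this page, not Cisco code and not anything from the thread. It models the ACE behaviour as a first-match walk over an ordered list of classes, assumes (as the accepted answer implies) that omitting the mask means a host match, and runs constructed sample connections through both the original and the corrected class-maps. It also includes an overlap check, a pre-deployment sanity test that flags any two VIP classes whose match networks intersect, which is the condition that produced the one-sided hit counts in the question.

```python
import ipaddress
from collections import Counter

# Model of one ACE class-map (constructed for this example, not Cisco's data model).
# mask=None mirrors "match virtual-address <vip> tcp eq https" with no mask, i.e. a host match.
def build_class_map(name, vip, mask=None, port=443):
    network = ipaddress.ip_network(f"{vip}/{mask or '255.255.255.255'}", strict=False)
    return {"name": name, "network": network, "port": port}

def classify(policy, dst_ip, dst_port):
    """Return the first class, in policy-map order, whose virtual-address and port cover
    the connection, or None. This is the first-match walk the thread describes."""
    addr = ipaddress.ip_address(dst_ip)
    for cls in policy:
        if addr in cls["network"] and dst_port == cls["port"]:
            return cls["name"]
    return None

def hit_counts(policy, connections):
    """Per-class hit counts, comparable to the Hit Count column of 'show service-policy summary'."""
    counts = Counter({cls["name"]: 0 for cls in policy})
    for dst_ip, dst_port in connections:
        matched = classify(policy, dst_ip, dst_port)
        if matched is not None:
            counts[matched] += 1
    return dict(counts)

def overlapping_classes(policy):
    """Pairs of classes whose match networks intersect; with first-match evaluation the later
    class of any such pair can never be hit for the overlapping addresses."""
    pairs = []
    for i, a in enumerate(policy):
        for b in policy[i + 1:]:
            if a["network"].overlaps(b["network"]) and a["port"] == b["port"]:
                pairs.append((a["name"], b["name"]))
    return pairs

# Constructed sample traffic: two HTTPS connections to each VIP from the question.
CONNECTIONS = [
    ("192.168.10.10", 443),
    ("192.168.10.20", 443),
    ("192.168.10.10", 443),
    ("192.168.10.20", 443),
]

# The question's configuration: both VIPs matched with a /27 mask.
ORIGINAL = [
    build_class_map("english", "192.168.10.10", "255.255.255.224"),
    build_class_map("french", "192.168.10.20", "255.255.255.224"),
]

# The accepted answer's configuration: host matches, no mask.
FIXED = [
    build_class_map("english", "192.168.10.10"),
    build_class_map("french", "192.168.10.20"),
]

if __name__ == "__main__":
    print("original:", hit_counts(ORIGINAL, CONNECTIONS), "overlaps:", overlapping_classes(ORIGINAL))
    print("fixed:   ", hit_counts(FIXED, CONNECTIONS), "overlaps:", overlapping_classes(FIXED))
```

With the /27 masks every connection lands in the english class and the overlap check reports the english/french pair; with host matches the hits split evenly and no overlap is reported. The same overlap check is worth running whenever several VIPs share a subnet on one interface, since a masked match that is wider than intended silently routes traffic for one service to another's back-end.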
