Error: sticky resource not available

Answered Question
Oct 30th, 2013

Hi,


I get the following error when I try to add sticky config to a context.


Error: sticky resource not available



I have added the following to the admin context but no joy:


resource-class **********

  limit-resource all minimum 0.00 maximum unlimited

  limit-resource sticky minimum 10.00 maximum equal-to-min



One thing I noticed is it is only on the admin context of one ACE module. It isn't on the admin module of the other ACE context. Do I need to add it manually to both? Afraid of putting them out of sync.


Can anyone please advise?

netternewbie Wed, 10/30/2013 - 10:28

I just added it on the other ACE admin context manually and still no joy.


resource-class **********

  limit-resource all minimum 0.00 maximum unlimited

  limit-resource sticky minimum 10.00 maximum equal-to-min


Can anyone tell me what I need to do to get stickiness working?

Fnu Kanwaljeet Singh (Cisco Employee) Wed, 10/30/2013 - 11:08

Hi Netter,


You have defined the resource class and defined the limits but did you associate with the respective "Contexts"? Without association with any context it is just a resource class!


Please associate if you haven't already and let me know if you still face the same problem.


Regards,

Kanwal

netternewbie Wed, 10/30/2013 - 11:22

Hi Kanwal,


Thanks for your response. I am new to this and taking over from someone else. Can you tell me how you associate it with a particular context? Is it in the context itself? What's the command?


Many thanks

Fnu Kanwaljeet Singh (Cisco Employee) Wed, 10/30/2013 - 11:25

Hi Netter,


Here is the configuration that you need to do in the "Admin" context. So I created a class (like you did above) named "Test1". After that I went to context "Kan" and made it a member of resource class Test1.


switch/Admin(config)# context Kan
switch/Admin(config-context)# member Test
Test   Test1
switch/Admin(config-context)# member Test1
switch/Admin(config-context)# exit


Let me know how it works and if this resolves your problem.


Regards,

Kanwal

netternewbie Wed, 10/30/2013 - 11:33

Thanks Kanwal,


I will give this a go. There are other services live already in this context. Will this cause any issues? Presume I just do it in the active context?


Thanks.

Correct Answer
Fnu Kanwaljeet Singh (Cisco Employee) Wed, 10/30/2013 - 11:35

Hi Netter,


You should check what the current resource allocation for your context is and see what is changing. There should be no problem as long as you are increasing the resource.


Regards,

Kanwal

netternewbie Wed, 10/30/2013 - 11:44

Thanks Kanwal,


Another stupid question, but how do I check the current resource allocation? There was nothing in admin or its context until I created the class above. So presume it's default resources?


Thanks.

Correct Answer
Fnu Kanwaljeet Singh (Cisco Employee) Wed, 10/30/2013 - 12:06

Hi Netter,


You can use ,


show running-config resource-class


show resource-allocation


The above two commands shall show the details.


Regards,

Kanwal

netternewbie Wed, 10/30/2013 - 12:19

Thanks Kanwal,


I did this in the admin context and it has no resources assigned to it.

Correct Answer
Fnu Kanwaljeet Singh (Cisco Employee) Wed, 10/30/2013 - 13:00

Hi,


So you can create resource class and assign to the context you are having issues with. You can look through the user guide for better understanding of how resource allocation works.


Regards,

Kanwal

netternewbie Wed, 10/30/2013 - 15:10

Thanks, yes will do this and let you know how it goes tomorrow.

netternewbie Thu, 10/31/2013 - 04:37

Thanks Kanwal, this did the trick and I can apply stickiness now. Unfortunately it didn't fix my main problem. Load balancing 2 web servers with redirect on port 80 to 443. But I get the following error:


This webpage has a redirect loop



Can open a separate discussion on this if you like. Config is fairly basic. Not sure what is wrong, if it's me or the server guys. Any thoughts?

Fnu Kanwaljeet Singh (Cisco Employee) Thu, 10/31/2013 - 06:05

Hi Netter,


Send me the configuration and I will have a look. 80 to 443 should be a simple redirection. Who is doing the redirection here, ACE or webserver?


Regards,

Kanwal

netternewbie Thu, 10/31/2013 - 06:16

Hi Kanwal,


Should be ACE but I think the server guys have a redirect as well. Will get them to turn it off. Just heading to a meeting now. Will try and get a config to you in the next hr. Thanks again.

Fnu Kanwaljeet Singh (Cisco Employee) Thu, 10/31/2013 - 06:19

Hi Netter,


My pleasure in assisting you. Get me the configuration and we will see what is going on here.


Regards,

Kanwal

netternewbie Thu, 10/31/2013 - 07:35

Thanks Kanwal. Here is the current config. I think I am on the right track.



crypto chaingroup ****-CHAINGRP
  cert chain-ROOT

    cert ****CAcert


crypto csr-params CSR-PARAMS
  country
  state
  locality
  organization-name
  organization-unit
  common-name ****.co.uk
  serial-number 601
access-list BPDU ethertype permit bpdu





probe tcp ****-WEB-PROBE
  interval 3
  passdetect interval 5




parameter-map type ssl SSL-****-ADVANCED
  cipher RSA_WITH_RC4_128_MD5


rserver host ****TC1
  ip address *.*.*.*
  inservice
rserver host ****TC2
  ip address *.*.*.*
  inservice
rserver redirect HTTP-****
  webhost-redirection https://%h/%p 301
  inservice




ssl-proxy service SSL-****-PROXY
  key ****.pem
  cert ****CAcert
  chaingroup ****-CHAINGRP
  ssl advanced-options SSL-****-ADVANCED



serverfarm host ****-FARM
  predictor leastconns
  probe ****-WEB-PROBE
  rserver ****TC1 80
    inservice
  rserver ****TC2 80
    inservice
serverfarm redirect HTTP-****-FARM
  rserver HTTP-****
    inservice



sticky ip-netmask 255.255.255.255 address source STICKY-SSL-****-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm ****-FARM


class-map match-any ****-HTTPS-VIP
  2 match virtual-address *.*.*.* tcp eq https
class-map match-any REDIRECT-HTTP-****
  2 match virtual-address *.*.*.* tcp eq www


policy-map type loadbalance first-match ****-HTTPS-POLICY
  class class-default
    sticky-serverfarm STICKY-SSL-****-FARM
policy-map type loadbalance first-match ****-POLICY-REDIRECT
  class class-default
    serverfarm HTTP-****-FARM


policy-map multi-match ****-POLICY
  class ****-HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy ****-HTTPS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-****-PROXY
policy-map multi-match ****REDIRECTPOLICY
  class REDIRECT-HTTP-****
    loadbalance vip inservice
    loadbalance policy ****-POLICY-REDIRECT
    loadbalance vip icmp-reply active
    loadbalance vip advertise


service-policy input ****REDIRECTPOLICY
service-policy input ****-POLICY

Fnu Kanwaljeet Singh (Cisco Employee) Thu, 10/31/2013 - 07:56

Hi Netter,



The configuration looks absolutely fine to me.


So this configuration didn't work? You said there was a redirection loop, which I assume could happen because the client didn't come with the https URL to which it was redirected; otherwise it would have matched a different class and been load balanced to a different serverfarm.


Can you capture on the client itself and see what URL the client goes with after it has been redirected? That should tell us why the redirection is happening again and again.


You can also install iehttp for IE or the Live utility in Mozilla to see the HTTP-based communication between client and server (ACE).



And you don't need to define two policy multi-matches. You can simply call both class maps under the same policy multi-match. If it doesn't match the first class, it will look into the second and so on. Once a match is done it stops.


Regards,

Kanwal
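
The suggestion above is to watch, on the client, which URL each redirect hands back. The Python script below is an added example for this thread (not Cisco code and not from either poster): it walks a redirect chain one hop at a time without letting the HTTP library auto-follow, records every Location, and stops as soon as a URL repeats, so a loop is visible after two hops rather than after the browser's give-up limit. `fetch_location` is the real fetcher for use against a live VIP; `make_simulated_fetch` is a constructed stand-in that models the page's `webhost-redirection https://%h/%p 301` rule together with a backend that (as the server team here turned out to have) redirects https back to http. The hostname `www.example.invalid` is a placeholder.

```python
"""Walk an HTTP redirect chain one hop at a time and stop on the first loop.

Added example for this thread (not Cisco code, not the poster's config).
A browser follows redirects silently and only reports "redirect loop" after
many hops; walking the chain by hand shows the exact Location each hop
returns, which is what the reply above asks the poster to capture on the
client.  The ACE rule on this page, `webhost-redirection https://%h/%p 301`,
rewrites http://HOST/PATH to https://HOST/PATH; a loop appears as soon as the
backend answers that https URL with its own redirect back to http://.
"""
import http.client
import ssl
from urllib.parse import urljoin, urlsplit, urlunsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def fetch_location(url, timeout=5):
    """Real fetcher: one GET, redirects NOT followed.  Returns (status, Location)."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.hostname, parts.port, timeout=timeout,
                                            context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": parts.netloc})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def follow_redirects(start_url, fetch=fetch_location, max_hops=MAX_HOPS):
    """Return (chain, verdict).  chain is a list of (url, status); verdict is
    'ok' (final hop was not a redirect), 'loop' (a URL repeated) or
    'too-many-hops'."""
    chain, seen, url = [], set(), start_url
    for _ in range(max_hops):
        seen.add(url)
        status, location = fetch(url)
        chain.append((url, status))
        if status not in REDIRECT_STATUSES or not location:
            return chain, "ok"
        nxt = urljoin(url, location)      # Location may be relative
        if nxt in seen:
            chain.append((nxt, None))     # record where the loop closes
            return chain, "loop"
        url = nxt
    return chain, "too-many-hops"


# --- simulated ACE + backend for an offline demonstration (constructed) ---

def ace_http_redirect(url):
    """Model of `rserver redirect` with `webhost-redirection https://%h/%p 301`:
    %h is the Host header and %p the request path, so everything arriving on
    the tcp/80 VIP is answered with 301 to the same host and path over https."""
    p = urlsplit(url)
    return 301, urlunsplit(("https", p.netloc, p.path, p.query, ""))


def make_simulated_fetch(backend_redirects_to_http):
    """Fetcher standing in for the network: http goes to the ACE redirect farm;
    https reaches the web server, which either serves the page or (the fault
    the thread describes) has its own redirect that sends the client to http."""
    def fetch(url):
        p = urlsplit(url)
        if p.scheme == "http":
            return ace_http_redirect(url)
        if backend_redirects_to_http:
            return 302, urlunsplit(("http", p.netloc, p.path, p.query, ""))
        return 200, None
    return fetch


def describe(chain, verdict):
    """Render the chain the way you would read it off a client capture."""
    lines = [f"{i}: {status or 'loop ->'} {url}" for i, (url, status) in enumerate(chain)]
    return "\n".join(lines + [f"verdict: {verdict}"])


if __name__ == "__main__":
    start = "http://www.example.invalid/login"          # constructed hostname
    for fault in (True, False):
        print(f"backend redirects https->http: {fault}")
        print(describe(*follow_redirects(start, make_simulated_fetch(fault))))
```

Run it as a script to see both the looping and the healthy chain; against a real VIP, keep the default `fetch_location` and pass the http:// URL a user would type. One `GET` with `Host` set to the site name is enough, because the redirect rserver builds its answer from the Host header and path without contacting the backend.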

netternewbie Thu, 10/31/2013 - 08:20

Hi Kanwal,


Just got word from the server guys: the server runs on 8443. Do I just change



serverfarm host ****-FARM
  predictor leastconns
  probe ****-WEB-PROBE
  rserver ****TC1 80
    inservice
  rserver ****TC2 80

to

serverfarm host ****-FARM
  predictor leastconns
  probe ****-WEB-PROBE
  rserver ****TC1 8443
    inservice
  rserver ****TC2 8443

Fnu Kanwaljeet Singh (Cisco Employee) Thu, 10/31/2013 - 08:25

Hi Netter,


If the server is listening on 8443 then the backend connection would be SSL too, which means you need to do end-to-end SSL load balancing, or you can simply load balance based on TCP port, and if you do so you need to remove the SSL proxy configuration.


For end-to-end SSL you have to configure ACE both as SSL server and client, and the configuration will need a slight change. Please go through the below link for the same.


http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/endtoend.html


Let me know if you have any questions.


Regards,

Kanwal

netternewbie Thu, 10/31/2013 - 08:48

Thanks Kanwal,


To be honest I am new to all this so haven't a clue which is the best way to proceed. What way would you think is best? Would it be hard to change my current config to do end-to-end load balancing? Not sure where to start.

Fnu Kanwaljeet Singh (Cisco Employee) Thu, 10/31/2013 - 09:01

Hi Netter,


To configure end-to-end SSL you need to make a couple of changes and they are not big. Please go through the link and it will give you an idea of what you are missing.


Regarding what you should do, it is absolutely your decision. Normally SSL offloading is done on ACE to relieve servers of the CPU-intensive SSL handshake, which may impact their performance, and also to take decisions on the basis of data which ACE otherwise cannot see if it is not doing SSL offloading.


In end-to-end SSL even the backend connection is encrypted, which means that you don't care about the performance impact but you may still need ACE to look into data for LB decisions. If you don't need that you can simply tell ACE to LB on the basis of TCP port, and the connection would be encrypted from client to server and ACE would just do LB.


Honestly, it is your decision based on your requirement. If you don't want ACE to do anything by looking into the decrypted packet then I would suggest going for TCP port based load balancing, but still your decision.


You can also go through the link for more details regarding end-to-end SSL, which explains it in detail.


If you have any questions please let me know.


Regards,

Kanwal

netternewbie Thu, 10/31/2013 - 09:08

Thanks Kanwal,


The service has to run on 8443 if they disable redirects so I guess I have to do end-to-end SSL. I will give it a go and let you know how I get on.


I don't think I can do it on TCP port as the client may connect on 80 or 443 from a web browser.

Fnu Kanwaljeet Singh (Cisco Employee) Thu, 10/31/2013 - 09:20

Hi Netter,


You are welcome. It is your choice as I said. But you can use redirection for port 80 and normal LB for 443 or end-to-end SSL. For end-to-end SSL you just need to make a minor change which you can see in the link I pasted. You have to add the ssl-proxy client statement under the policy-map type loadbalance first-match.


Let me know if you have any questions.


Regards,

Kanwal

netternewbie Thu, 10/31/2013 - 09:43

Thanks Kanwal,


Doing that now. I am worried: do I need to do this part?


interface vlan 210
  ip address 10.10.2.1 255.255.255.0
  service-policy input L7_1
  access-group input ACL
  no shutdown


Do I need to add service-policy input L7_1? There are servers already live in this context and I am afraid this will break them.




Fnu Kanwaljeet Singh (Cisco Employee) Thu, 10/31/2013 - 09:47

Hi Netter,


I am not sure what this policy is. If the connections already working don't match what this service policy (class map conditions) has, then there should be no problems.


You can do this without breaking any existing connections. If you are not sure you can try this in off time.


Regards,

Kanwal

netternewbie Thu, 10/31/2013 - 09:51

Sorry, that's just from the config in the link you sent me. I will send what I have done now. I think I am totally lost to be honest.

netternewbie Thu, 10/31/2013 - 10:22

Hi Kanwal,


Here is my current config. Is it totally wrong? Policy map L7_1 appears as offline.


crypto chaingroup ****-CHAINGRP
  cert chain-ROOT
  cert ****CAcert

access-list BPDU ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any

probe tcp ****-WEB-PROBE
  port 8443
  interval 3
  passdetect interval 5

parameter-map type ssl PM1
  session-cache timeout 300
  queue-delay timeout 1
parameter-map type ssl SSL-****-ADVANCED
  cipher RSA_WITH_RC4_128_MD5

rserver host ****TC1
  ip address *.*.*.*
  inservice
rserver host ****TC2
  ip address *.*.*.78
  inservice
rserver redirect HTTP-****
  webhost-redirection https://%h/%p 301
  inservice

ssl-proxy service SSL-****-PROXY
  key ****.pem
  cert ****CAcert
  chaingroup ****-CHAINGRP
  ssl advanced-options SSL-****-ADVANCED
ssl-proxy service SSL_CLIENT
  ssl advanced-options PM1
ssl-proxy service SSL_SERVER
  key ****.pem
  cert ****CAcert
  ssl advanced-options PM1

serverfarm host ****-FARM
  predictor leastconns
  probe ****-WEB-PROBE
  rserver ****TC1 8443
    inservice
  rserver ****TC2 8443
    inservice
serverfarm redirect HTTP-****-FARM
  rserver HTTP-****
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-SSL-****-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm ****-FARM

class-map match-any ****-HTTPS-VIP
  2 match virtual-address *.*.*.* tcp eq https
class-map match-any REDIRECT-HTTP-****
  2 match virtual-address *.*.*.* tcp eq www
class-map type http loadbalance match-any SSL
  2 match http url .*
class-map match-any SSL_C1
  2 match virtual-address *.*.*.* tcp eq https
  3 match virtual-address *.*.*.* tcp any

policy-map type loadbalance first-match ****-HTTPS-POLICY
  class class-default
    sticky-serverfarm STICKY-SSL-****-FARM
policy-map type loadbalance first-match ****-POLICY-REDIRECT
  class class-default
    serverfarm HTTP-****-FARM
policy-map type loadbalance first-match SSL_BACK
  class SSL
    serverfarm ****-FARM
    ssl-proxy client SSL_CLIENT

policy-map multi-match ****-POLICY
  class ****-HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy ****-HTTPS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-****-PROXY
policy-map multi-match ****REDIRECTPOLICY
  class REDIRECT-HTTP-****
    loadbalance vip inservice
    loadbalance policy ****-POLICY-REDIRECT
    loadbalance vip icmp-reply active
    loadbalance vip advertise
policy-map multi-match L7_1
  class SSL_C1
    loadbalance vip inservice
    loadbalance policy SSL_BACK
    loadbalance vip icmp-reply
    ssl-proxy server SSL_SERVER

service-policy input ****REDIRECTPOLICY
service-policy input ****-POLICY

interface vlan 303
  bridge-group 303
  no normalization
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  no shutdown
interface vlan 603
  bridge-group 303
  no normalization
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  no shutdown
interface bvi 303
  ip address *.*.*.* 255.255.254.0
  peer ip address *.*.*.* 255.255.254.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 *.*.*.1

Fnu Kanwaljeet Singh (Cisco Employee) Thu, 10/31/2013 - 10:55

Hi Netter,


As per your requirement, which I have understood after our discussion, you don't need to do anything major. Please see the bold lines that you need to add and you should have an end-to-end SSL configuration.


crypto chaingroup ****-CHAINGRP
  cert chain-ROOT
  cert ****CAcert

crypto csr-params CSR-PARAMS
  country
  state
  locality
  organization-name
  organization-unit
  common-name ****.co.uk
  serial-number 601
access-list BPDU ethertype permit bpdu

probe tcp ****-WEB-PROBE
  interval 3
  passdetect interval 5

parameter-map type ssl SSL-****-ADVANCED
  cipher RSA_WITH_RC4_128_MD5

rserver host ****TC1
  ip address *.*.*.*
  inservice
rserver host ****TC2
  ip address *.*.*.*
  inservice
rserver redirect HTTP-****
  webhost-redirection https://%h/%p 301
  inservice

ssl-proxy service SSL-****-PROXY
  key ****.pem
  cert ****CAcert
  chaingroup ****-CHAINGRP
  ssl advanced-options SSL-****-ADVANCED

ssl-proxy service SSL_CLIENT
  ssl advanced-options SSL-****-ADVANCED

serverfarm host ****-FARM
  predictor leastconns
  probe ****-WEB-PROBE
  rserver ****TC1 8443
    inservice
  rserver ****TC2 8443
    inservice
serverfarm redirect HTTP-****-FARM
  rserver HTTP-****
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-SSL-****-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm ****-FARM

class-map match-any ****-HTTPS-VIP
  2 match virtual-address *.*.*.* tcp eq https
class-map match-any REDIRECT-HTTP-****
  2 match virtual-address *.*.*.* tcp eq www

policy-map type loadbalance first-match ****-HTTPS-POLICY
  class class-default
    sticky-serverfarm STICKY-SSL-****-FARM

    ssl-proxy client SSL_CLIENT

policy-map type loadbalance first-match ****-POLICY-REDIRECT
  class class-default
    serverfarm HTTP-****-FARM

policy-map multi-match ****-POLICY

  class ****-HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy ****-HTTPS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-****-PROXY

  class REDIRECT-HTTP-****
    loadbalance vip inservice
    loadbalance policy ****-POLICY-REDIRECT
    loadbalance vip icmp-reply active
    loadbalance vip advertise

service-policy input ****-POLICY


Let me know how it goes.


Regards,

Kanwal

netternewbie Thu, 10/31/2013 - 10:57

Thanks a million for all your help. I'll give this a go tomorrow and let you know how it goes.

netternewbie Thu, 10/31/2013 - 16:26

Thanks Kanwal,


Looks like it's getting closer but still not there. If I type the service name it redirects to https:// but gives a "no data received" error on the web page.


If I go directly to each server on https://*.*.*.*:8443 it works. Am I missing something simple? Here are a few show commands:


sh probe ****-WEB-PROBE

probe       : ****-WEB-PROBE
type        : TCP
state       : ACTIVE
----------------------------------------------
   port      : 8443    address     : 0.0.0.0         addr type  : -
   interval  : 3       pass intvl  : 5               pass count : 3
   fail count: 3       recv timeout: 10
                       --------------------- probe results --------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   serverfarm  : ****-FARM
     real      : ****TC1[8443]
                       *.*.*.*    7834       127        7707       SUCCESS
     real      : ****TC2[8443]
                       *.*.*.*    7836       128        7708       SUCCESS

sh serverfarm ****-FARM

serverfarm     : ****-FARM, type: HOST
total rservers : 2
---------------------------------
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver:****TC1
       *.*.*.*:8443     8      OPERATIONAL  0          0          44
   rserver: *TC2
       *.*.*.*:8443     8      OPERATIONAL  0          0          0

sh service-policy

Policy-map : ****-POLICY
Status     : ACTIVE
-----------------------------------------
Context Global Policy:
  service-policy: ****-POLICY
    class: ****-HTTPS-VIP
      ssl-proxy server: SSL-****-PROXY
      loadbalance:
        L7 loadbalance policy: ****-HTTPS-POLICY
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 363
        dropped conns    : 184
        client pkt count : 4051      , client byte count: 1056853
        server pkt count : 1765      , server byte count: 258936
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
    class: REDIRECT-HTTP-****
      loadbalance:
        L7 loadbalance policy: ****-POLICY-REDIRECT
        VIP Route Metric     : 77
        VIP Route Advertise  : ENABLED
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 2
        dropped conns    : 0
        client pkt count : 8         , client byte count: 344
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0

netternewbie Thu, 10/31/2013 - 16:36

Also here is the current config. Maybe I am missing something, or there is something extra still in the config.


crypto chaingroup ****-CHAINGRP
  cert chain-ROOT
  cert ****CAcert

probe tcp ****-WEB-PROBE
  port 8443
  interval 3
  passdetect interval 5

parameter-map type ssl SSL-****-ADVANCED
  cipher RSA_WITH_RC4_128_MD5

rserver host ****TC1
  ip address *.*.*.*
  inservice
rserver host ****TC2
  ip address *.*.*.*
  inservice
rserver redirect HTTP-****
  webhost-redirection https://%h/%p 301
  inservice

ssl-proxy service SSL-****-PROXY
  key ****.pem
  cert ****CAcert
  chaingroup ****-CHAINGRP
  ssl advanced-options SSL-****-ADVANCED
ssl-proxy service SSL_CLIENT
  ssl advanced-options SSL-****-ADVANCED

serverfarm host ****-FARM
  predictor leastconns
  probe ****-WEB-PROBE
  rserver ****TC1 8443
    inservice
  rserver ****TC2 8443
    inservice
serverfarm redirect HTTP-****-FARM
  rserver HTTP-****
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-SSL-****-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm ****-FARM

class-map match-any ****-HTTPS-VIP
  2 match virtual-address *.*.*.* tcp eq https
class-map match-any REDIRECT-HTTP-****
  2 match virtual-address *.*.*.* tcp eq www

policy-map type loadbalance first-match ****-HTTPS-POLICY
  class class-default
    sticky-serverfarm STICKY-SSL-****-FARM
    ssl-proxy client SSL_CLIENT
policy-map type loadbalance first-match ****-POLICY-REDIRECT
  class class-default
    serverfarm HTTP-****-FARM

policy-map multi-match ****-POLICY
  class ****-HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy ****-HTTPS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-****-PROXY
  class REDIRECT-HTTP-****
    loadbalance vip inservice
    loadbalance policy ****-POLICY-REDIRECT
    loadbalance vip icmp-reply active
    loadbalance vip advertise

service-policy input ****-POLICY

Fnu Kanwaljeet Singh (Cisco Employee) Thu, 10/31/2013 - 18:46

Hi Netter,


My apologies but I was not entirely right. For end-to-end SSL it is a requirement that you create a layer 7 class map. So you would need to make changes to the configuration. Let me paste one example for you:


class-map type http loadbalance match-all SSLCLASS
  2 match http url .*


Then you need to call this class under the policy map.


policy-map type loadbalance first-match ****-HTTPS-POLICY
  class SSLCLASS
    sticky-serverfarm STICKY-SSL-****-FARM
    ssl-proxy client SSL_CLIENT
  class class-default
    sticky-serverfarm STICKY-SSL-****-FARM
    ssl-proxy client SSL_CLIENT


Other than that it is looking fine.


Please try and let me know how it goes.


I tested with a 443 backend and it worked. Couldn't test with backend 8443. But I think it should work fine.


Regards,

Kanwal
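
Three things this thread turns on can be checked mechanically from the running config: whether a context is a member of a resource class that actually allocates sticky entries (the cause of the original `Error: sticky resource not available`, fixed earlier with the `member` command), whether a `parameter-map type ssl` selects a cipher suite that should no longer be used (the posted `RSA_WITH_RC4_128_MD5` pairs RC4, which RFC 7465 prohibits for TLS, with MD5), and whether a loadbalance policy that calls `ssl-proxy client` contains the L7 class-map the reply above says end-to-end SSL requires. The Python below is an added example for this thread, not Cisco code and not either poster's configuration. It assumes, from ACE's resource-allocation documentation and consistent with the thread's own fix, that `limit-resource all` does not cover sticky and that the default resource class gives a context no sticky entries; the names `STICKY-CLASS`, `WEB`, `LEGACY`, `SSL-ADVANCED`, `STICKY-SSL-FARM` and `HTTPS-POLICY` are constructed stand-ins for the masked names on the page, and the embedded configs are shaped after the snippets posted above.

```python
"""Audit a Cisco ACE config for the three points this thread turns on.
Added example for the thread: not Cisco code and not the poster's config.
It parses the indented ACE CLI into blocks and checks (1) in the Admin
context, that each context belongs to a resource class that allocates sticky
entries (otherwise 'Error: sticky resource not available'); (2) in the user
context, `parameter-map type ssl` blocks selecting RC4/MD5/DES/export ciphers,
like the posted RSA_WITH_RC4_128_MD5 (RC4 is prohibited for TLS by RFC 7465);
(3) that a loadbalance policy using `ssl-proxy client` contains an L7 class-map,
the end-to-end SSL requirement in the reply above.  Names are constructed."""


def parse_blocks(text):
    """Turn indented config into nested (command, children) tuples."""
    root, stack = [], []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        node = (raw.strip(), [])
        while stack and indent <= stack[-1][0]:
            stack.pop()
        (stack[-1][1] if stack else root).append(node)
        stack.append((indent, node[1]))
    return root


def sticky_allocation(admin_cfg):
    """Map each context to 'ok' or the reason it has no sticky entries.
    Assumed from the ACE docs: `limit-resource all` excludes sticky, and the
    default class (no `member` line) allocates 0 sticky entries."""
    classes, contexts = {}, {}
    for cmd, kids in parse_blocks(admin_cfg):
        w = cmd.split()
        if w[0] == "resource-class":  # limit-resource sticky minimum <pct> maximum <...>
            mins = [float(s.split()[3]) for s, _ in kids if s.startswith("limit-resource sticky ")]
            classes[w[1]] = mins[0] if mins else 0.0
        elif w[0] == "context":
            member = [s.split()[1] for s, _ in kids if s.startswith("member ")]
            contexts[w[1]] = member[0] if member else None
    findings = {}
    for ctx, member in contexts.items():
        if member is None:
            findings[ctx] = "no member line: default class allocates 0 sticky entries"
        elif classes.get(member, 0.0) == 0.0:
            findings[ctx] = f"resource-class {member} allocates no sticky entries"
        else:
            findings[ctx] = "ok"
    return findings


def weak_ssl_ciphers(ctx_cfg):
    """Map ssl parameter-map name -> weak cipher suites it selects."""
    markers = ("RC4", "MD5", "DES", "EXPORT", "NULL")  # "DES" also catches 3DES
    out = {}
    for cmd, kids in parse_blocks(ctx_cfg):
        w = cmd.split()
        if w[:3] == ["parameter-map", "type", "ssl"]:
            bad = [s.split()[1] for s, _ in kids
                   if s.startswith("cipher ") and any(m in s for m in markers)]
            if bad:
                out[w[3]] = bad
    return out


def e2e_ssl_policies_missing_l7(ctx_cfg):
    """First-match policies that call `ssl-proxy client` without any L7 class."""
    blocks = parse_blocks(ctx_cfg)
    l7 = {c.split()[5] for c, _ in blocks if c.startswith("class-map type http loadbalance ")}
    missing = []
    for cmd, classes in blocks:
        if not cmd.startswith("policy-map type loadbalance "):
            continue
        uses_client = any(a.startswith("ssl-proxy client ") for _, acts in classes for a, _ in acts)
        if uses_client and not any(c.split()[1] in l7 for c, _ in classes):
            missing.append(cmd.split()[-1])
    return missing


# Constructed samples shaped after the snippets posted in the thread.
ADMIN_CFG = """
resource-class STICKY-CLASS
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum equal-to-min
context WEB
  member STICKY-CLASS
context LEGACY
"""
CTX_BEFORE = """
parameter-map type ssl SSL-ADVANCED
  cipher RSA_WITH_RC4_128_MD5
policy-map type loadbalance first-match HTTPS-POLICY
  class class-default
    sticky-serverfarm STICKY-SSL-FARM
    ssl-proxy client SSL_CLIENT
"""
CTX_AFTER = """
parameter-map type ssl SSL-ADVANCED
  cipher RSA_WITH_AES_256_CBC_SHA
class-map type http loadbalance match-all SSLCLASS
  2 match http url .*
policy-map type loadbalance first-match HTTPS-POLICY
  class SSLCLASS
    sticky-serverfarm STICKY-SSL-FARM
    ssl-proxy client SSL_CLIENT
"""
```

Feed `sticky_allocation` the Admin context's `show running-config` (resource classes and `context` blocks live there) and the other two checks the user context's; a context reported as running in the default class is the one that will refuse `sticky` configuration. Replacing the RC4/MD5 suite affects both handshakes here, because `SSL_CLIENT` reuses the same parameter-map as the server-side proxy, so confirm the backend on 8443 accepts the replacement cipher before changing it.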

netternewbie Fri, 11/01/2013 - 02:59

Hi Kanwal,


No joy unfortunately. This is what I have changed,


policy-map type loadbalance first-match ****-HTTPS-POLICY
  class SSLCLASS
    sticky-serverfarm STICKY-SSL-****-FARM
    ssl-proxy client SSL_CLIENT
  class class-default
    sticky-serverfarm STICKY-SSL-****-FARM
    ssl-proxy client SSL_CLIENT
policy-map type loadbalance first-match ****-POLICY-REDIRECT
  class class-default
    serverfarm HTTP-****-FARM

policy-map multi-match ****-POLICY
  class ****-HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy ****-HTTPS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-****-PROXY
  class REDIRECT-HTTP-****
    loadbalance vip inservice
    loadbalance policy ****-POLICY-REDIRECT
    loadbalance vip icmp-reply active
    loadbalance vip advertise

service-policy input ****-POLICY

sh serverfarm ****-FARM

serverfarm     : ****-FARM, type: HOST
total rservers : 2
---------------------------------
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: ****TC1
       *.*.*.*:8443     8      OPERATIONAL  0          0          88
   rserver: ****TC2
       *.*.*.*:8443     8      OPERATIONAL  0          0          5

Fnu Kanwaljeet Singh (Cisco Employee) Fri, 11/01/2013 - 05:50

Hi Netter,


You didn't configure the L7 class map. Can you configure the L7 class map as shown in the config I pasted in my last post and see how it goes.


Regards,

Kanwal

netternewbie Fri, 11/01/2013 - 06:24

Sorry Kanwal, I had it in. Here are the classes I have:




class-map match-any ****-HTTPS-VIP
  2 match virtual-address *.*.*.* tcp eq https
class-map match-any REDIRECT-HTTP-****
  2 match virtual-address *.*.*.* tcp eq www
class-map type http loadbalance match-all SSLCLASS
  2 match http url .*



Thanks again for your thorough help on this.

netternewbie Fri, 11/01/2013 - 07:31

Hi Kanwal, this is actually the full config I have now. Does it look OK to you?



crypto chaingroup ****-CHAINGRP
  cert chain-ROOT
  cert ****CAcert

probe tcp ****-WEB-PROBE
  port 8443
  interval 3
  passdetect interval 5

parameter-map type ssl SSL-****-ADVANCED
  cipher RSA_WITH_RC4_128_MD5

rserver host ****TC1
  ip address *.*.*.*
  inservice
rserver host ****TC2
  ip address *.*.*.*
  inservice
rserver redirect HTTP-****
  webhost-redirection https://%h/%p 301
  inservice

ssl-proxy service SSL-****-PROXY
  key ****.pem
  cert ****CAcert
  chaingroup ****-CHAINGRP
  ssl advanced-options SSL-****-ADVANCED
ssl-proxy service SSL_CLIENT
  ssl advanced-options SSL-****-ADVANCED

serverfarm host ****-FARM
  predictor leastconns
  probe ****-WEB-PROBE
  rserver ****TC1 8443
    inservice
  rserver ****TC2 8443
    inservice
serverfarm redirect HTTP-****-FARM
  rserver HTTP-****
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-SSL-****-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm ****-FARM

class-map match-any ****-HTTPS-VIP
  2 match virtual-address *.*.*.* tcp eq https
class-map match-any REDIRECT-HTTP-****
  2 match virtual-address *.*.*.* tcp eq www
class-map type http loadbalance match-all SSLCLASS
  2 match http url .*

policy-map type loadbalance first-match ****-HTTPS-POLICY
  class SSLCLASS
    sticky-serverfarm STICKY-SSL-****-FARM
    ssl-proxy client SSL_CLIENT
  class class-default
    sticky-serverfarm STICKY-SSL-****-FARM
    ssl-proxy client SSL_CLIENT
policy-map type loadbalance first-match ****-POLICY-REDIRECT
  class class-default
    serverfarm HTTP-****-FARM

policy-map multi-match ****-POLICY
  class ****-HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy ****-HTTPS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-****-PROXY
  class REDIRECT-HTTP-****
    loadbalance vip inservice
    loadbalance policy ****-POLICY-REDIRECT
    loadbalance vip icmp-reply active
    loadbalance vip advertise

service-policy input ****-POLICY

netternewbie Fri, 11/01/2013 - 07:52

Thanks Kanwal. I now get this error though:


The connection was reset


The connection to the server was reset while the page was loading.


   *   The site could be temporarily unavailable or too busy. Try again in a few
          moments.
   *   If you are unable to load any pages, check your computer's network
          connection.
   *   If your computer or network is protected by a firewall or proxy, make sure
          that Firefox is permitted to access the Web.



Is there anything else I can do? Do you think there is something still wrong with my config? I am really stuck now.


Thanks Again,

Fnu Kanwaljeet Singh (Cisco Employee) Fri, 11/01/2013 - 07:56

Hi Netter,


The config looks fine.


Send me the below output:


show service-policy detail.


Ensure that you don't need NAT. What is your server's default gateway?


Is routing proper?


Regards,

Kanwal

netternewbie Fri, 11/01/2013 - 08:04

Thanks Kanwal, here is the output. We use public addresses so I don't think I need NAT. We have another service running in this context and it is fine. The default gateway of the servers will be the gateway of the Van: *.*.*.1.


sh service-policy ****-POLICY detail

Status     : ACTIVE
Description: -----------------------------------------
Context Global Policy:
  service-policy: ****-POLICY
    class: ****-HTTPS-VIP
      ssl-proxy server: SSL-****-PROXY
     VIP Address:    Protocol:  Port:
     193.1.174.104   tcp        eq    443
      loadbalance:
        L7 loadbalance policy: ****-HTTPS-POLICY
        Regex dnld status    : SUCCESSFUL
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 467
        dropped conns    : 282
        client pkt count : 5054      , client byte count: 1206294
        server pkt count : 2068      , server byte count: 272134
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : ****-HTTPS-POLICY
          class/match : SSLCLASS
            ssl-proxy client : SSL_CLIENT
             LB action: :
               sticky group: STICKY-SSL-****-FARM
                  primary serverfarm: ****-FARM
                    state: UP
                  backup serverfarm : -
            hit count        : 82
            dropped conns    : 0
          class/match : class-default
            ssl-proxy client : SSL_CLIENT
             LB action: :
               sticky group: STICKY-SSL-****-FARM
                  primary serverfarm: ****-FARM
                    state: UP
                  backup serverfarm : -
            hit count        : 0
            dropped conns    : 0
    class: REDIRECT-HTTP-****
     VIP Address:    Protocol:  Port:
     *.*.*.*   tcp        eq    80
      loadbalance:
        L7 loadbalance policy: ****-POLICY-REDIRECT
        VIP Route Metric     : 77
        VIP Route Advertise  : ENABLED
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 24
        dropped conns    : 0
        client pkt count : 99        , client byte count: 7933
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : ****-POLICY-REDIRECT
          class/match : class-default
            LB action: :
               primary serverfarm: HTTP-****-FARM
                    state: UP
                  backup serverfarm : -
            hit count        : 6
            dropped conns    : 0
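
The counters in this output are the main evidence in the thread: the HTTPS VIP is hit but drops a large share of connections before any L7 class counts a drop, while the server-side packet counts show whether the servers answer back through the ACE. The following Python script is an added example, not code from the poster or from Cisco, that parses `show service-policy ... detail` output into per-VIP and per-L7-class counters and points at where traffic is being lost. The sample output embedded in it is constructed to mirror the one above with placeholder names and a documentation address.

```python
"""Summarise Cisco ACE 'show service-policy <name> detail' output per VIP.

SAMPLE_OUTPUT is a constructed sample modelled on the output pasted in the
thread (placeholder names, documentation address); it is not the poster's
verbatim output.
"""
import re

SAMPLE_OUTPUT = """\
Status     : ACTIVE
Context Global Policy:
  service-policy: APP-POLICY
    class: APP-HTTPS-VIP
      ssl-proxy server: SSL-APP-PROXY
     VIP Address:    Protocol:  Port:
     192.0.2.104     tcp        eq    443
      loadbalance:
        L7 loadbalance policy: APP-HTTPS-POLICY
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 467
        dropped conns    : 282
        client pkt count : 5054      , client byte count: 1206294
        server pkt count : 2068      , server byte count: 272134
        conn-rate-limit      : 0         , drop-count : 0
        L7 Loadbalance policy : APP-HTTPS-POLICY
          class/match : SSLCLASS
            ssl-proxy client : SSL_CLIENT
            hit count        : 82
            dropped conns    : 0
          class/match : class-default
            hit count        : 0
            dropped conns    : 0
    class: REDIRECT-HTTP-APP
     VIP Address:    Protocol:  Port:
     192.0.2.104     tcp        eq    80
      loadbalance:
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 24
        dropped conns    : 0
        client pkt count : 99        , client byte count: 7933
        server pkt count : 0         , server byte count: 0
        L7 Loadbalance policy : APP-POLICY-REDIRECT
          class/match : class-default
            hit count        : 6
            dropped conns    : 0
"""

VIP_RE = re.compile(r"^\s*class:\s+(\S+)")          # "class: NAME" opens a VIP section
L7_RE = re.compile(r"^\s*class/match\s*:\s*(\S+)")  # "class/match : NAME" opens an L7 class
ADDR_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\w+)\s+eq\s+(\d+)")
COUNTERS = {
    "hits": re.compile(r"hit count\s*:\s*(\d+)"),
    "drops": re.compile(r"dropped conns\s*:\s*(\d+)"),
    "client_pkts": re.compile(r"client pkt count\s*:\s*(\d+)"),
    "server_pkts": re.compile(r"server pkt count\s*:\s*(\d+)"),
}


def parse_service_policy(text):
    """Return a list of VIP dicts, each with its counters and L7 class counters."""
    vips, vip, l7 = [], None, None
    for line in text.splitlines():
        m = VIP_RE.match(line)
        if m:
            vip = {"name": m.group(1), "vip": None, "port": None, "hits": 0,
                   "drops": 0, "client_pkts": 0, "server_pkts": 0, "matches": []}
            vips.append(vip)
            l7 = None  # counters that follow belong to the VIP until an L7 class opens
            continue
        if vip is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            vip["vip"], vip["port"] = m.group(1), int(m.group(3))
            continue
        m = L7_RE.match(line)
        if m:
            l7 = {"name": m.group(1), "hits": 0, "drops": 0}
            vip["matches"].append(l7)
            continue
        target = l7 if l7 is not None else vip
        for key, rx in COUNTERS.items():
            m = rx.search(line)
            if m and key in target:
                target[key] = int(m.group(1))
    return vips


def diagnose(vips):
    """Map class name -> findings for VIPs whose counters show traffic loss."""
    findings = {}
    for v in vips:
        notes = []
        l7_drops = sum(m["drops"] for m in v["matches"])
        if v["drops"] > 0 and l7_drops == 0:
            notes.append(f"{v['drops']} of {v['hits']} connections dropped at VIP level "
                         "with no L7 drops: loss happens before load balancing "
                         "(L3/L4 match or SSL handshake)")
        if v["client_pkts"] > 0 and v["server_pkts"] == 0:
            notes.append("client packets seen but no server packets: servers are not "
                         "answering back through the ACE (expected only for a redirect VIP)")
        if notes:
            findings[v["name"]] = notes
    return findings


if __name__ == "__main__":
    for name, notes in diagnose(parse_service_policy(SAMPLE_OUTPUT)).items():
        print(name)
        for note in notes:
            print("  -", note)
```

Run it against a real `show service-policy` capture by replacing `SAMPLE_OUTPUT` with the file contents; a VIP whose drops are all counted above the L7 policy, as in the thread, is the signal that the SSL termination or the L3/L4 path, not the serverfarm, deserves the next look.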

netternewbie Fri, 11/01/2013 - 08:08
User Badges:

Hi Kanwal, the VIP is actually in a different subnet from the servers, so maybe this is the problem. I will change the IP of the VIP, change it in the context and see if it makes any difference.

Fnu Kanwaljeet Singh Fri, 11/01/2013 - 08:15
User Badges:
  • Cisco Employee,

Hi Netter,


We are getting hits on the policy as well as on sslclass, but there are drops on the L3 policy map. Can you also remove the SSL parameter map from both the SSL client proxy and the server proxy and give it a try?


The VIP can be different as long as there is a route to it from the uplink. Once traffic matches, it will be load balanced to the servers in the serverfarm. Now the servers should be able to send the traffic back (if the ACE is their GW, or the servers have a route towards the ACE, or you do NAT so that the traffic comes back to the ACE).


When you establish a connection what do you see in "show conn"? You can filter using your testing client IP address or VIP. So you can use show conn . Send me that output as well.


Also, ensure that the policy is applied to the correct interface VLAN. It should be applied to the client-facing VLAN.


Regards,

Kanwal

netternewbie Fri, 11/01/2013 - 08:26
User Badges:

Sorry Kanwal, how or what do I remove? Is it like the line bolded below:


ssl-proxy service SSL-FILR-PROXY
  key filr.pem
  cert filrCAcert
  chaingroup FILR-CHAINGRP
NO  ssl advanced-options SSL-FILR-ADVANCED

ssl-proxy service SSL_CLIENT
NO ssl advanced-options SSL-FILR-ADVANCED

netternewbie Fri, 11/01/2013 - 08:38
User Badges:

Hi Kanwal,


I seem to have lost the connection since making those changes. See the output below:


sh service-policy ****-POLICY DE

Status     : ACTIVE
Description: -----------------------------------------
Context Global Policy:
  service-policy: ****-POLICY
    class: ****-HTTPS-VIP
      ssl-proxy server: SSL-****-PROXY
     VIP Address:    Protocol:  Port:
     *.*.175.110   tcp        eq    443
      loadbalance:
        L7 loadbalance policy: ****-HTTPS-POLICY
        Regex dnld status    : SUCCESSFUL
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : ****-HTTPS-POLICY
          class/match : SSLCLASS
            ssl-proxy client : SSL_CLIENT
             LB action: :
               sticky group: STICKY-SSL-****-FARM
                  primary serverfarm: ****-FARM
                    state: UP
                  backup serverfarm : -
            hit count        : 0
            dropped conns    : 0
          class/match : class-default
            ssl-proxy client : SSL_CLIENT
             LB action: :
               sticky group: STICKY-SSL-****-FARM
                  primary serverfarm: ****-FARM
                    state: UP
                  backup serverfarm : -
            hit count        : 0
            dropped conns    : 0
    class: REDIRECT-HTTP-****
     VIP Address:    Protocol:  Port:
     *.*.175.110   tcp        eq    80
      loadbalance:
        L7 loadbalance policy: ****-POLICY-REDIRECT
        VIP Route Metric     : 77
        VIP Route Advertise  : ENABLED
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : ****-POLICY-REDIRECT
          class/match : class-default
            LB action: :
               primary serverfarm: HTTP-****-FARM
                    state: UP
                  backup serverfarm : -
            hit count        : 0
            dropped conns    : 0

netternewbie Fri, 11/01/2013 - 08:48
User Badges:

Actually I have changed VIP address so need to double check firewall now. Sorry.

netternewbie Fri, 11/01/2013 - 10:08
User Badges:

Sorry for delayed response Kanwal. We had some problems here with other things. I will try what you suggested Monday morning and get the server guys to check their things.


I will let you know how I get on. Thanks for all your help and patience. Hopefully we get it sorted Monday.

netternewbie Tue, 11/05/2013 - 08:53
User Badges:

Hi Kanwal,



Unfortunately I am still having problems. Below is the current config. Do you see anything obvious that is wrong? At the moment the application is listening on 8443, there are certs on the two servers and there was a reverse proxy configured but this is turned off now.


crypto chaingroup ****-CHAINGRP
  cert chain-ROOT
  cert ****CAcert

probe tcp ****-WEB-PROBE
  port 8443
  interval 3
  passdetect interval 5

parameter-map type ssl SSL-****-ADVANCED
  cipher RSA_WITH_RC4_128_MD5

rserver host ****TC1
  ip address *.*.*.*
  inservice
rserver host ****TC2
  ip address *.*.*.*
  inservice
rserver redirect HTTP-****
  webhost-redirection https://%h/%p 301
  inservice

ssl-proxy service SSL-****-PROXY
  key ****.pem
  cert ****CAcert
  chaingroup ****-CHAINGRP
  ssl advanced-options SSL-****-ADVANCED

ssl-proxy service SSL_CLIENT
  ssl advanced-options SSL-****-ADVANCED

serverfarm host ****-FARM
  predictor leastconns
  probe ****-WEB-PROBE
  rserver ****TC1 8443
    inservice
  rserver ****TC2 8443
    inservice
serverfarm redirect HTTP-****-FARM
  rserver HTTP-****
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-SSL-****-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm ****-FARM

class-map match-any ****-HTTPS-VIP
  3 match virtual-address *.*.*.* tcp eq https
class-map match-any REDIRECT-HTTP-****
  3 match virtual-address *.*.*.* tcp eq www
class-map type http loadbalance match-all SSLCLASS
  2 match http url .*

policy-map type loadbalance first-match ****-HTTPS-POLICY
  class SSLCLASS
    sticky-serverfarm STICKY-SSL-****-FARM
    ssl-proxy client SSL_CLIENT
  class class-default
    sticky-serverfarm STICKY-SSL-****-FARM
    ssl-proxy client SSL_CLIENT
policy-map type loadbalance first-match ****-POLICY-REDIRECT
  class class-default
    serverfarm HTTP-****-FARM

policy-map multi-match ****-POLICY
  class ****-HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy ****-HTTPS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-****-PROXY
  class REDIRECT-HTTP-****
    loadbalance vip inservice
    loadbalance policy ****-POLICY-REDIRECT
    loadbalance vip icmp-reply active
    loadbalance vip advertise

service-policy input ****-POLICY
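
An ACE context configuration like the one above is a chain of references (sticky group to serverfarm, serverfarm to rservers, policy-map to sticky group and SSL proxy, SSL proxy to parameter-map), and a dangling name in any link produces a VIP that looks INSERVICE but never forwards. The script below is an added example, not the poster's or Cisco's code, that parses the config into blocks and checks those references; it also flags the `cipher RSA_WITH_RC4_128_MD5` line, since RC4 and MD5-based suites are deprecated and modern clients refuse them, which on its own can produce the handshake-stage drops seen earlier in the thread. The embedded configuration is a constructed, shortened copy of the poster's with placeholder names and addresses.

```python
"""Cross-reference and cipher checks for a Cisco ACE context configuration.

SAMPLE_CONFIG is constructed for this example (placeholder names and
documentation addresses); it is not the poster's configuration.
"""
import re

SAMPLE_CONFIG = """\
parameter-map type ssl SSL-APP-ADVANCED
  cipher RSA_WITH_RC4_128_MD5
rserver host APPTC1
  ip address 192.0.2.11
  inservice
rserver host APPTC2
  ip address 192.0.2.12
  inservice
ssl-proxy service SSL-APP-PROXY
  key app.pem
  cert appCAcert
  ssl advanced-options SSL-APP-ADVANCED
ssl-proxy service SSL_CLIENT
  ssl advanced-options SSL-APP-ADVANCED
serverfarm host APP-FARM
  predictor leastconns
  rserver APPTC1 8443
    inservice
  rserver APPTC2 8443
    inservice
sticky ip-netmask 255.255.255.255 address source STICKY-SSL-APP-FARM
  timeout 720
  replicate sticky
  serverfarm APP-FARM
policy-map type loadbalance first-match APP-HTTPS-POLICY
  class class-default
    sticky-serverfarm STICKY-SSL-APP-FARM
    ssl-proxy client SSL_CLIENT
policy-map multi-match APP-POLICY
  class APP-HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy APP-HTTPS-POLICY
    ssl-proxy server SSL-APP-PROXY
"""

# Cipher suite name fragments that no current client should be offered.
WEAK_CIPHER = re.compile(r"RC4|MD5|NULL|EXPORT")


def parse_blocks(text):
    """Group the config into (header, [child lines]) pairs: an unindented line
    starts a block, indented lines belong to the most recent block."""
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def _names(blocks, prefix):
    """Object names (last token of the header) of blocks with the given prefix."""
    return {header.split()[-1] for header, _ in blocks if header.startswith(prefix)}


def lint(text):
    """Return a list of human-readable problems found in the configuration."""
    blocks = parse_blocks(text)
    rservers = _names(blocks, "rserver host ")
    farms = _names(blocks, "serverfarm host ")
    sticky_groups = _names(blocks, "sticky ")
    ssl_maps = _names(blocks, "parameter-map type ssl ")
    ssl_services = _names(blocks, "ssl-proxy service ")
    lb_policies = _names(blocks, "policy-map type loadbalance ")
    problems = []

    def require(header, child, index, known, what):
        name = child.split()[index]
        if name not in known:
            problems.append(f"{header}: {what} {name} is not defined")

    for header, body in blocks:
        for child in body:
            if header.startswith("serverfarm host ") and child.startswith("rserver "):
                require(header, child, 1, rservers, "rserver")
            elif header.startswith("sticky ") and child.startswith("serverfarm "):
                require(header, child, 1, farms, "serverfarm")
            elif header.startswith("policy-map type loadbalance ") and child.startswith("sticky-serverfarm "):
                require(header, child, 1, sticky_groups, "sticky group")
            elif header.startswith("policy-map type loadbalance ") and child.startswith("ssl-proxy client "):
                require(header, child, 2, ssl_services, "ssl-proxy service")
            elif header.startswith("policy-map multi-match ") and child.startswith("loadbalance policy "):
                require(header, child, 2, lb_policies, "loadbalance policy")
            elif header.startswith("policy-map multi-match ") and child.startswith("ssl-proxy server "):
                require(header, child, 2, ssl_services, "ssl-proxy service")
            elif header.startswith("ssl-proxy service ") and child.startswith("ssl advanced-options "):
                require(header, child, 2, ssl_maps, "ssl parameter-map")
            elif header.startswith("parameter-map type ssl ") and child.startswith("cipher ") \
                    and WEAK_CIPHER.search(child):
                problems.append(f"{header}: {child} uses a weak or deprecated cipher suite")
    return problems


if __name__ == "__main__":
    for problem in lint(SAMPLE_CONFIG):
        print(problem)
```

Paste the output of `show running-config` for the context into `SAMPLE_CONFIG` (or read it from a file) to run the same checks against a live configuration; the parser relies only on the ACE convention that sub-commands are indented under their parent, which is how the device prints them.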

Fnu Kanwaljeet Singh Tue, 11/05/2013 - 08:57
User Badges:
  • Cisco Employee,

Hi Netter,


Hmm.. Let us do it this way. If you configure simple TCP port 8443 load balancing (nothing to do with SSL offloading), does it work?


So you will configure a VIP listening on port 8443, and if a client comes to that VIP with destination port 8443, the request will be sent to your server listening on 8443. If that works, then we are sure that routing is fine and it is the SSL configuration which is the problem.


Can you test that?


Regards,

Kanwal
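
What this isolation test looks like in ACE configuration, as an added example built only from constructs already used in the thread and not taken from Kanwal's reply or from Cisco documentation: a second class in the existing multi-match policy matches the same VIP on TCP 8443 and hands the connection straight to the existing serverfarm, so no SSL proxy and no sticky group sit in the path. Names such as APP-POLICY and APP-FARM stand in for the masked ones above, and 192.0.2.104 is a placeholder for the VIP.

```text
class-map match-any APP-TCP8443-VIP
  2 match virtual-address 192.0.2.104 tcp eq 8443

policy-map type loadbalance first-match APP-TCP8443-POLICY
  class class-default
    serverfarm APP-FARM

policy-map multi-match APP-POLICY
  class APP-TCP8443-VIP
    loadbalance vip inservice
    loadbalance policy APP-TCP8443-POLICY
    loadbalance vip icmp-reply active
```

If a browser reaching https://192.0.2.104:8443 gets the application's own certificate from one of the 8443 rservers, then routing, the return path and the serverfarm are fine and the fault is in the ssl-proxy or parameter-map configuration; if it times out, the packet path itself is broken. Remove the test class once the comparison is done so the plain 8443 port is not left exposed on the VIP.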

Fnu Kanwaljeet Singh Tue, 11/05/2013 - 08:59
User Badges:
  • Cisco Employee,

Hi Netter,


And yes, your config looks fine. Can you also get a pcap from the client while testing the existing configuration?


Can you also send me the output of show conn?


Regards,

Kanwal
