On the ACE load balancer we are facing a Kerberos authentication issue. When we access a server directly (10.1.8.62) it works fine, but when we access it through the LB VIP address (10.1.4.33) it asks for authentication.
How can we resolve this issue?
The configuration is as below:
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

probe http HTTP_PROBE
  port 80
  interval 10
  faildetect 5
  expect status 200 200

rserver host iis1
  ip address 10.1.8.61
  inservice
rserver host iis1a
  ip address 10.1.8.62
  inservice

serverfarm host web
  rserver iis1
    inservice
  rserver iis1a
    inservice

parameter-map type http Kerberos
  server-conn reuse
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 65535
  length-exceed continue

sticky ip-netmask 255.255.255.255 address both stickyRule
  serverfarm web

class-map type management match-any IIS-mgmt
  201 match protocol snmp any
  202 match protocol http any
  203 match protocol https any
  204 match protocol icmp any
  205 match protocol ssh any
  206 match protocol kalap-udp any
  207 match protocol telnet any
  208 match protocol xml-https any

class-map match-all slb-vip
  2 match virtual-address 10.1.4.33 any

policy-map type management first-match IIS-mgmt
  class IIS-mgmt
    permit

policy-map type management first-match remote-access
  class class-default
    permit

policy-map type loadbalance http first-match slb
  class class-default
    sticky-serverfarm stickyRule
I looked at your configuration again and realized that ACE is not learning or doing anything at the HTTP level, and hence there are no statistics. Your sticky is based on L3.
You have mentioned it works directly but through ACE it doesn't. The only difference I see is that the client is getting NATed here. If you test with only one server in the serverfarm, does it work fine? Can you do a capture on ACE itself so that we can see the communication between client, ACE and server to see what is going on here?
Do you see anything when you do "show conn"? You can filter it with the source/VIP address. Is there any specific requirement from these servers which needs to be configured on ACE?
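The reply above makes its observations by reading the posted configuration: the load-balancing policy only has `class-default`, so nothing is matched at Layer 7, and stickiness is IP-based. The following script is an added example (not code from the thread or from Cisco) that parses the load-balancing part of the posted ACE configuration and reports exactly those properties, plus two things that are visible in the snippet but easy to miss: the probe `HTTP_PROBE` is never attached to a serverfarm, and the `parameter-map type http Kerberos` is never referenced by a policy. The block-splitting rule (unindented line = block header, indented lines = sub-commands) and the choice of what to flag are assumptions of this example; a finding of "unreferenced" only means "not referenced in the snippet", since the poster may have trimmed the configuration.

```python
import re

# Constructed sample: the load-balancing portion of the configuration posted
# in the thread, written in ACE's block form (sub-commands indented under
# their block header). Management class-maps/policy-maps are omitted.
ACE_CONFIG = """\
probe http HTTP_PROBE
  port 80
  interval 10
  faildetect 5
  expect status 200 200

rserver host iis1
  ip address 10.1.8.61
  inservice
rserver host iis1a
  ip address 10.1.8.62
  inservice

serverfarm host web
  rserver iis1
    inservice
  rserver iis1a
    inservice

parameter-map type http Kerberos
  server-conn reuse
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 65535
  length-exceed continue

sticky ip-netmask 255.255.255.255 address both stickyRule
  serverfarm web

class-map match-all slb-vip
  2 match virtual-address 10.1.4.33 any

policy-map type loadbalance http first-match slb
  class class-default
    sticky-serverfarm stickyRule
"""


def parse_blocks(text):
    """Split config text into (header, [sub-command lines]) pairs.

    Assumption of this example: an unindented line starts a block and every
    following indented line belongs to it; nesting depth is flattened.
    """
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint_ace_config(text):
    """Summarise the load-balancing objects and flag unused definitions."""
    rservers, serverfarms, sticky = {}, {}, {}
    probes, param_maps = [], []
    vip, l7_matching = None, False
    referenced = set()  # every token used inside some block body

    for header, body in parse_blocks(text):
        words = header.split()
        if words[:2] == ["rserver", "host"]:
            rservers[words[2]] = next(
                (l.split()[2] for l in body if l.startswith("ip address ")), None)
        elif words[:2] == ["serverfarm", "host"]:
            serverfarms[words[2]] = [l.split()[1] for l in body if l.startswith("rserver ")]
        elif words[0] == "probe":
            probes.append(words[2])
        elif words[:3] == ["parameter-map", "type", "http"]:
            param_maps.append(words[3])
        elif words[0] == "sticky":
            # "sticky <type> ... <name>": the last word is the group name
            sticky[words[-1]] = words[1]
        elif words[0] == "class-map":
            for l in body:
                m = re.search(r"match virtual-address (\S+)", l)
                if m:
                    vip = m.group(1)
        elif words[:3] == ["policy-map", "type", "loadbalance"]:
            classes = [l.split()[1] for l in body if l.startswith("class ")]
            # Any class other than class-default implies an L7 match rule
            l7_matching = any(c != "class-default" for c in classes)
        for l in body:
            referenced.update(l.split())

    return {
        "vip": vip,
        "serverfarm_members": {sf: {m: rservers.get(m) for m in mem}
                               for sf, mem in serverfarms.items()},
        "unknown_rservers": [m for mem in serverfarms.values()
                             for m in mem if m not in rservers],
        "sticky": sticky,
        "l7_matching": l7_matching,
        "unattached_probes": [p for p in probes if p not in referenced],
        "unreferenced_parameter_maps": [p for p in param_maps if p not in referenced],
    }


if __name__ == "__main__":
    for key, value in lint_ace_config(ACE_CONFIG).items():
        print(f"{key}: {value}")
```

Run on the posted snippet the report shows `sticky: {'stickyRule': 'ip-netmask'}` and `l7_matching: False` (the two points the reply raises) and lists `HTTP_PROBE` and `Kerberos` as defined but unused, which is worth confirming on the device before investigating the NAT or taking the capture the reply asks for.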