Cisco Support Community
Community Member

ACE 4710 with Kerberos

ACE model:ACE-4710-K9

In ACE load balance we are facing kerberos authentication issue.
When we are accessing a server directly ( its working fine, But when we are accessing with LB vip address ( its asking authentication.

How we can resolve this issue.

The configuration as below:

access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

probe http HTTP_PROBE
  port 80
  interval 10
  faildetect 5
  expect status 200 200

rserver host iis1
  ip address
rserver host iis1a
  ip address

serverfarm host web
  rserver iis1
  rserver iis1a

parameter-map type http Kerberos
  server-conn reuse
  set header-maxparse-length 65535
  length-exceed continue

sticky ip-netmask address both stickyRule
  serverfarm web

class-map type management match-any IIS-mgmt
  201 match protocol snmp any
  202 match protocol http any
  203 match protocol https any
  204 match protocol icmp any
  205 match protocol ssh any
  206 match protocol kalap-udp any
  207 match protocol telnet any
  208 match protocol xml-https any

class-map match-all slb-vip
  2 match virtual-address any

policy-map type management first-match IIS-mgmt
  class IIS-mgmt

policy-map type management first-match remote-access
  class class-default

policy-map type loadbalance http first-match slb
  class class-default
    sticky-serverfarm stickyRule

policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
    nat dynamic 5 vlan 4
    appl-parameter http advanced-options Kerberos

interface vlan 4
  description "Client-Server VLAN"
  ip address
  peer ip address
  access-group input everyone
  nat-pool 5 netmask pat
  service-policy input client-vips
  service-policy input remote-access

  no shutdown
interface vlan 5
  no shutdown

ip route

Everyone's tags (1)
Cisco Employee

ACE 4710 with Kerberos

Hi Ketan,

The configuration looks fine. I search for this problem and see that lot of people have faced a similar issue. Now on the basis of configuration i canot say what exactly is the problem.

From other cases:

The kerberos ticket is too big to fit in the HTTP header. Thats, it's to big for ACE, which caps the header size at 4K by default.

Try adding the  two more options in http pmap and see if that resolves the issue.

set content-maxparse-length 65535

http parsing non-strict

If not then clear statistics and take couple of outputs of "show stats http". A capture showing client<--->ace<--->server communication would be very helpful as well.



Community Member

ACE 4710 with Kerberos

Hi Kanwaljeet,

I already added the  below two command but its same.

set content-maxparse-length 65535

http parsing non-strict

After that I run the show stats http but in that output its shows nothing. check the below output.

switch/IIS#  [12D [J
switch/IIS# show stats http

+-------------- HTTP statistics -----------+
LB parse result msgs sent : 0          , TCP data msgs sent       : 0        
Inspect parse result msgs : 0          , SSL data msgs sent       : 0        
TCP fin msgs sent         : 0          , TCP rst msgs sent:       : 0        
Bounced fin msgs sent     : 0          , Bounced rst msgs sent:   : 0        
SSL fin msgs sent         : 0          , SSL rst msgs sent:       : 0        
Drain msgs sent           : 0          , Particles read           : 0        
Reuse msgs sent           : 0          , HTTP requests            : 0        
Reproxied requests        : 0          , Headers removed          : 0        
Headers inserted          : 0          , HTTP redirects           : 0        
HTTP chunks               : 0          , Pipelined requests       : 0        
HTTP unproxy conns        : 0          , Pipeline flushes         : 0        
Whitespace appends        : 0          , Second pass parsing      : 0        
Response entries recycled : 0          , Analysis errors          : 0        
Header insert errors      : 0          , Max parselen errors      : 0        
Static parse errors       : 0          , Resource errors          : 0        
Invalid path errors       : 0          , Bad HTTP version errors  : 0        
Headers rewritten         : 0          , Header rewrite errors    : 0        
SSL headers inserted      : 0          , SSL header insert errors : 0        
SSL spoof headers deleted : 0         , Unproxy msgs sent         : 0        
HTTP passthrough stat     : 0        
URLs rewritten            : 0          ,URL rewrite errors       : 0        

Cisco Employee

ACE 4710 with Kerberos

Hi Ketan,

I looked at your configuration again and realized that ACE is not learning or doing anything at the HTTP level and hence no statistics. You have sticky based on the L3.

You have mentioned it works directly but through ACE it doesn't. The only difference i see is that client is getting natted here. If you test with only one server in serverfarm, does it work fine? Can you do capture on  ACE itself so that we can see the communication between client and ace and server to see what is going on here?

Do you see anything when you do "show conn"? You can filter it with source/vip address. Is there any specific requirement from these servers which needs to be configured on ACE?



CreatePlease to create content