ACE 4710 with Kerberos

ketanpatani
Level 1

ACE model:ACE-4710-K9

In ACE load balancing we are facing a Kerberos authentication issue.
When we access a server directly (10.1.8.62) it works fine, but when we access it via the LB VIP address (10.1.4.33) it asks for authentication.

How can we resolve this issue?

The configuration is as below:

access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any


probe http HTTP_PROBE
  port 80
  interval 10
  faildetect 5
  expect status 200 200

rserver host iis1
  ip address 10.1.8.61
  inservice
rserver host iis1a
  ip address 10.1.8.62
  inservice

serverfarm host web
  rserver iis1
    inservice
  rserver iis1a
    inservice

parameter-map type http Kerberos
  server-conn reuse
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 65535
  length-exceed continue

sticky ip-netmask 255.255.255.255 address both stickyRule
  serverfarm web


class-map type management match-any IIS-mgmt
  201 match protocol snmp any
  202 match protocol http any
  203 match protocol https any
  204 match protocol icmp any
  205 match protocol ssh any
  206 match protocol kalap-udp any
  207 match protocol telnet any
  208 match protocol xml-https any

class-map match-all slb-vip
  2 match virtual-address 10.1.4.33 any

policy-map type management first-match IIS-mgmt
  class IIS-mgmt
    permit

policy-map type management first-match remote-access
  class class-default
    permit

policy-map type loadbalance http first-match slb
  class class-default
    sticky-serverfarm stickyRule


policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
    nat dynamic 5 vlan 4
    appl-parameter http advanced-options Kerberos


interface vlan 4
  description "Client-Server VLAN"
  ip address 10.1.4.63 255.255.255.0
  peer ip address 10.1.4.64 255.255.255.0
  access-group input everyone
  nat-pool 5 10.1.4.232 10.1.4.232 netmask 255.255.255.0 pat
  service-policy input client-vips
  service-policy input remote-access

  no shutdown
interface vlan 5
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.1.4.1

3 Replies

Kanwaljeet Singh
Cisco Employee

Hi Ketan,

The configuration looks fine. I searched for this problem and see that a lot of people have faced a similar issue. On the basis of the configuration alone I cannot say what exactly the problem is.

From other cases:

The Kerberos ticket is too big to fit in the HTTP header. That is, it's too big for ACE, which caps the header size at 4K by default.

Try adding the following two options in the HTTP parameter map and see if that resolves the issue.

set content-maxparse-length 65535

http parsing non-strict

If not, then clear the statistics and take a couple of outputs of "show stats http". A capture showing client<--->ace<--->server communication would be very helpful as well.

Regards,

Kanwal

Hi Kanwaljeet,

I already added the two commands below, but it's the same.

set content-maxparse-length 65535

http parsing non-strict

After that I ran "show stats http", but the output shows nothing. Check the output below.


switch/IIS# show stats http


+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 0          , TCP data msgs sent       : 0        
Inspect parse result msgs : 0          , SSL data msgs sent       : 0        
                      sent
TCP fin msgs sent         : 0          , TCP rst msgs sent:       : 0        
Bounced fin msgs sent     : 0          , Bounced rst msgs sent:   : 0        
SSL fin msgs sent         : 0          , SSL rst msgs sent:       : 0        
Drain msgs sent           : 0          , Particles read           : 0        
Reuse msgs sent           : 0          , HTTP requests            : 0        
Reproxied requests        : 0          , Headers removed          : 0        
Headers inserted          : 0          , HTTP redirects           : 0        
HTTP chunks               : 0          , Pipelined requests       : 0        
HTTP unproxy conns        : 0          , Pipeline flushes         : 0        
Whitespace appends        : 0          , Second pass parsing      : 0        
Response entries recycled : 0          , Analysis errors          : 0        
Header insert errors      : 0          , Max parselen errors      : 0        
Static parse errors       : 0          , Resource errors          : 0        
Invalid path errors       : 0          , Bad HTTP version errors  : 0        
Headers rewritten         : 0          , Header rewrite errors    : 0        
SSL headers inserted      : 0          , SSL header insert errors : 0        
SSL spoof headers deleted : 0         , Unproxy msgs sent         : 0        
HTTP passthrough stat     : 0        
URLs rewritten            : 0          ,URL rewrite errors       : 0        

Hi Ketan,

I looked at your configuration again and realized that ACE is not learning or doing anything at the HTTP level, and hence there are no statistics. You have sticky based on L3.

You have mentioned that it works directly but through ACE it doesn't. The only difference I see is that the client is getting NATted here. If you test with only one server in the serverfarm, does it work fine? Can you do a capture on ACE itself so that we can see the communication between client, ACE and server and see what is going on here?

Do you see anything when you do "show conn"? You can filter it by source/VIP address. Is there any specific requirement from these servers which needs to be configured on ACE?

Regards,

Kanwal
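As an added diagnostic (my own script, not from the thread or from Cisco), the following applies the two observations in the replies: it parses a constructed "show stats http" sample in the layout shown above, flags an all-zero "HTTP requests" counter (ACE not parsing at L7) or a non-zero "Max parselen errors" counter (header cap hit), and measures the header block of a constructed request carrying an oversized Negotiate token against the 4K default and the 65535 value set in the configuration. The 4096-byte default and the sample counter values are assumptions for illustration.

```python
import re

# Default ACE HTTP header parse limit referred to in the thread (4K, assumed
# to be 4096 bytes); the thread raises it with "set header-maxparse-length 65535".
ACE_DEFAULT_HEADER_MAXPARSE = 4096

# Constructed sample in the layout of the thread's "show stats http" output
# (counter values invented to show a parse-length failure).
SAMPLE_STATS = """\
+-------------- HTTP statistics -----------+
LB parse result msgs sent : 12         , TCP data msgs sent       : 40
TCP fin msgs sent         : 0          , TCP rst msgs sent:       : 0
Header insert errors      : 0          , Max parselen errors      : 12
Reuse msgs sent           : 3          , HTTP requests            : 12
"""

# Constructed HTTP request with an oversized Authorization: Negotiate token
# (a dummy run of "A"s standing in for base64, not a real Kerberos ticket).
SAMPLE_REQUEST = (b"GET / HTTP/1.1\r\nHost: 10.1.4.33\r\n"
                  b"Authorization: Negotiate " + b"A" * 5000 +
                  b"\r\n\r\n")

# "<name> : <value>", tolerating the doubled colon seen in some rows.
_PAIR = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*:?\s*(\d+)")

def parse_stats(text):
    """Map each counter name in the two-column ACE output to its value."""
    counters = {}
    for line in text.splitlines():
        if not line.startswith("+"):
            for name, value in _PAIR.findall(line):
                counters[name.strip()] = int(value)
    return counters

def diagnose(counters):
    """Apply the two observations from the replies to parsed counters."""
    findings = []
    if counters.get("HTTP requests", 0) == 0:
        findings.append("no HTTP requests counted: ACE is not parsing at L7")
    if counters.get("Max parselen errors", 0) > 0:
        findings.append("max parselen errors: headers exceed header-maxparse-length")
    return findings

def header_block_size(raw_request):
    """Byte length of the request line plus headers, as ACE must parse it."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    return len(head) + 4

def exceeds_cap(raw_request, cap=ACE_DEFAULT_HEADER_MAXPARSE):
    """True when the header block is larger than the configured parse cap."""
    return header_block_size(raw_request) > cap
```

With the thread's own all-zero output, diagnose() reports only the "not parsing at L7" finding, which matches the conclusion in the final reply.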
