12-15-2013 01:09 AM
ACE model:ACE-4710-K9
In ACE load balancing we are facing a Kerberos authentication issue.
When we access a server directly (10.1.8.62) it works fine, but when we access it via the LB VIP address (10.1.4.33) it asks for authentication.
How can we resolve this issue?
The configuration as below:
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe http HTTP_PROBE
port 80
interval 10
faildetect 5
expect status 200 200
rserver host iis1
ip address 10.1.8.61
inservice
rserver host iis1a
ip address 10.1.8.62
inservice
serverfarm host web
rserver iis1
inservice
rserver iis1a
inservice
parameter-map type http Kerberos
server-conn reuse
case-insensitive
persistence-rebalance
set header-maxparse-length 65535
length-exceed continue
sticky ip-netmask 255.255.255.255 address both stickyRule
serverfarm web
class-map type management match-any IIS-mgmt
201 match protocol snmp any
202 match protocol http any
203 match protocol https any
204 match protocol icmp any
205 match protocol ssh any
206 match protocol kalap-udp any
207 match protocol telnet any
208 match protocol xml-https any
class-map match-all slb-vip
2 match virtual-address 10.1.4.33 any
policy-map type management first-match IIS-mgmt
class IIS-mgmt
permit
policy-map type management first-match remote-access
class class-default
permit
policy-map type loadbalance http first-match slb
class class-default
sticky-serverfarm stickyRule
policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb
nat dynamic 5 vlan 4
appl-parameter http advanced-options Kerberos
interface vlan 4
description "Client-Server VLAN"
ip address 10.1.4.63 255.255.255.0
peer ip address 10.1.4.64 255.255.255.0
access-group input everyone
nat-pool 5 10.1.4.232 10.1.4.232 netmask 255.255.255.0 pat
service-policy input client-vips
service-policy input remote-access
no shutdown
interface vlan 5
no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.4.1
12-15-2013 05:20 AM
Hi Ketan,
The configuration looks fine. I searched for this problem and see that a lot of people have faced a similar issue. On the basis of the configuration alone I cannot say what exactly the problem is.
From other cases:
The Kerberos ticket is too big to fit in the HTTP header. That is, it's too big for ACE, which caps the header size at 4K by default.
Try adding the two more options below in the http parameter-map and see if that resolves the issue.
set content-maxparse-length 65535
http parsing non-strict
If not, then clear the statistics and take a couple of outputs of "show stats http". A capture showing client<--->ace<--->server communication would be very helpful as well.
Regards,
Kanwal
12-15-2013 10:29 PM
Hi Kanwaljeet,
I already added the two commands below, but it's the same.
set content-maxparse-length 65535
http parsing non-strict
After that I ran "show stats http", but its output shows nothing. Check the output below.
switch/IIS# show stats http
+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 0 , TCP data msgs sent : 0
Inspect parse result msgs sent : 0 , SSL data msgs sent : 0
TCP fin msgs sent : 0 , TCP rst msgs sent: : 0
Bounced fin msgs sent : 0 , Bounced rst msgs sent: : 0
SSL fin msgs sent : 0 , SSL rst msgs sent: : 0
Drain msgs sent : 0 , Particles read : 0
Reuse msgs sent : 0 , HTTP requests : 0
Reproxied requests : 0 , Headers removed : 0
Headers inserted : 0 , HTTP redirects : 0
HTTP chunks : 0 , Pipelined requests : 0
HTTP unproxy conns : 0 , Pipeline flushes : 0
Whitespace appends : 0 , Second pass parsing : 0
Response entries recycled : 0 , Analysis errors : 0
Header insert errors : 0 , Max parselen errors : 0
Static parse errors : 0 , Resource errors : 0
Invalid path errors : 0 , Bad HTTP version errors : 0
Headers rewritten : 0 , Header rewrite errors : 0
SSL headers inserted : 0 , SSL header insert errors : 0
SSL spoof headers deleted : 0 , Unproxy msgs sent : 0
HTTP passthrough stat : 0
URLs rewritten : 0 ,URL rewrite errors : 0
12-16-2013 03:32 AM
Hi Ketan,
I looked at your configuration again and realized that ACE is not learning or doing anything at the HTTP level, hence no statistics. You have sticky based on L3.
You have mentioned it works directly but through ACE it doesn't. The only difference I see is that the client is getting NATed here. If you test with only one server in the serverfarm, does it work fine? Can you do a capture on ACE itself so that we can see the communication between client, ACE and server and see what is going on here?
Do you see anything when you do "show conn"? You can filter it by source/VIP address. Is there any specific requirement from these servers which needs to be configured on ACE?
Regards,
Kanwal
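As an added diagnostic helper (not code from this thread or from Cisco), the following Python parses "show stats http" counter output and flags the two conditions discussed above: zero "HTTP requests" (ACE is not parsing HTTP on the VIP at all, as with an L3-only sticky policy) and non-zero "Max parselen errors" (a header larger than the parse length, which the 4K default can hit with a large Kerberos ticket). The counter values in the sample are constructed.

```python
import re

# Constructed sample of "show stats http" output (values invented for the demo);
# the "sent: : 0" double-colon form mirrors how ACE prints some counters.
SAMPLE_STATS = """\
+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 120 , TCP data msgs sent : 340
TCP fin msgs sent : 40 , TCP rst msgs sent: : 3
Reuse msgs sent : 15 , HTTP requests : 118
Header insert errors : 0 , Max parselen errors : 7
HTTP passthrough stat : 0
URLs rewritten : 0 ,URL rewrite errors : 0
"""

# name, optional stray colon, then the integer counter
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z /]*?)\s*:\s*:?\s*(\d+)")


def parse_http_stats(text):
    """Return {counter name: int} from ACE 'show stats http' output."""
    counters = {}
    for line in text.splitlines():
        if line.startswith("+") or not line.strip():
            continue  # banner box / blank lines carry no counters
        for field in line.split(","):  # two counters per row, comma separated
            m = COUNTER_RE.search(field)
            if m:
                counters[m.group(1).strip()] = int(m.group(2))
    return counters


def diagnose(counters, header_maxparse=4096):
    """List findings relevant to Kerberos-through-VIP troubleshooting."""
    findings = []
    if counters.get("HTTP requests", 0) == 0:
        findings.append("no L7 processing: ACE is not parsing HTTP on this VIP "
                        "(expected when the policy only uses L3/L4 sticky)")
    if counters.get("Max parselen errors", 0) > 0:
        findings.append(f"{counters['Max parselen errors']} requests exceeded the "
                        f"header parse length ({header_maxparse} bytes); a large "
                        "Kerberos ticket in Authorization: Negotiate is a common cause")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_http_stats(SAMPLE_STATS)):
        print("-", finding)
```

Feeding it the all-zero output posted above yields only the "no L7 processing" finding, which matches the reply's conclusion.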