Technically this should not be difficult, and below is a sample of our configuration. We have a similar configuration working on our non-secured web site (HTTP). However, for the secure web site, the https request https://abc.com/ABC/xxx continues being routed to serverfarm#2 instead of serverfarm#1, which is very frustrating.
We can easily get this working on my F5 LTM within 5 minutes, but this Cisco ACE continues to frustrate me... Appreciate if any expert on Cisco ACE can help to advise on our configuration. Thanks.
I see you are using ACE for SSL initiation, i.e. front end is clear text and back-end should be https. So if you are not using ACE for SSL offloading, then ACE by no means can have a look at the HTTP header at the front end, and hence everything is being sent to the default serverfarm. You are not coming in on http but HTTPS. For ACE to take a decision based on HTTP-HEADER VALUE, ACE should be able to look into it.
Please paste the complete configuration if that is not the case.
Yes, we are using ACE for SSL termination i.e. front end is https and back-end is also https.
We are doing end-to-end encryption as our IT security and audit wanted end-to-end encryption between the client and servers. ACE should be able to look at the HTTP header at the front end since the client SSL session is terminated on the ACE.
Below is an extract of the configuration; I've left out the remaining configuration, which is not required.
Normally when you add a new cert (in case your existing cert has expired), then in that case you need to bounce the SSL-proxy or the loadbalance policy itself for the new changes to take place. In your case, what exact changes did you make to the existing configuration? I suppose you added ssl-proxy client to the LB policy map. I am not sure if that should require taking the VIP out-of-service and bringing it back in-service. Maybe we need to test this out.
The only change made to the existing virtual server is to add the http class map to route any https requests for /ABC/* to serverfarm#1. Taking the virtual server out of service is not a major issue, except that I will need downtime to effect the change. It took me a while to realize this, as I was certain that there was nothing wrong with my config.
Yes, you are right. There was nothing wrong with the configuration, although I did suspect that the regex configured may not be matching what the client was coming with. If you configured a new class map, then you called this class-map under the policy map, and the same policy map is associated with the multi-match policy already. I think this needs to be tested, but generally adding new certs to the ssl-proxy does require removing and re-adding the ssl-proxy service, or taking the VIP out of service and putting it back "inservice", because you already have the old cert loaded in memory. I will try and test this in a day or two to confirm.
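As an added illustration (not the poster's configuration, which was not included in the thread), this is the shape of ACE configuration the discussion describes: client SSL terminated on the ACE so the URL class-map can be evaluated, /ABC/* sent to one serverfarm and everything else to the other, backend SSL re-initiated for end-to-end encryption, and the VIP bounce needed after changing the policy. All object names, the VIP address and the file names are assumed.

```cisco
! --- Backend server farms (names assumed; stand in for serverfarm#1 / serverfarm#2)
serverfarm host SF-ABC
  rserver WEB1 443
    inservice
serverfarm host SF-DEFAULT
  rserver WEB2 443
    inservice

! --- Front-end SSL termination: ACE holds the key/cert the client sees
ssl-proxy service SSL-FRONTEND
  key abc-key.pem
  cert abc-cert.pem

! --- Back-end SSL initiation: ACE re-encrypts toward the servers
ssl-proxy service SSL-BACKEND

! --- Layer 7 match: URL regex evaluated only after client SSL is decrypted
class-map type http loadbalance match-any ABC-URL
  2 match http url /ABC/.*

! --- First-match policy: /ABC/* goes to SF-ABC, everything else to SF-DEFAULT
policy-map type loadbalance first-match HTTPS-LB-POLICY
  class ABC-URL
    serverfarm SF-ABC
    ssl-proxy client SSL-BACKEND
  class class-default
    serverfarm SF-DEFAULT
    ssl-proxy client SSL-BACKEND

! --- VIP on 443 with the front-end SSL proxy attached (VIP address assumed)
class-map match-all VIP-HTTPS
  2 match virtual-address 10.0.0.10 tcp eq https
policy-map multi-match VIPS
  class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy HTTPS-LB-POLICY
    ssl-proxy server SSL-FRONTEND

! --- Bounce the VIP after adding the class to the policy map (brief downtime)
policy-map multi-match VIPS
  class VIP-HTTPS
    no loadbalance vip inservice
    loadbalance vip inservice

! --- Verify that hits land on the intended serverfarm
show service-policy VIPS detail
show serverfarm SF-ABC
```

Without the `ssl-proxy server` line on the VIP the ACE never sees the decrypted request, so the URL class never matches and all traffic falls through to the default serverfarm.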