ACE: insert-http X-Forwarded-For header-value "%is"

Kanes Ramasamy
Level 1

Hi All,

I have configured this command on the policy map (insert-http X-Forwarded-For header-value "%is"), however the server is still not seeing the originator's IP address. It still shows the natted IP that we have configured on the ACE (vlan). I need to know if I am missing something. Apart from that, we have the SSL termination done on the ACE. Configs are as below:

policy-map type loadbalance first-match TEST_TEST_LB_PMAP
  class class-default
    sticky-serverfarm TEST_PORTAL_COOKIE
    action TEST_URL_REWRITE
    insert-http X-Forwarded-For header-value "%is"

class-map match-all TEST_PMAP_CLASS
  2 match virtual-address X.X.X.X tcp eq https

sticky http-cookie JSESSIONID TEST_PORTAL_COOKIE
  replicate sticky
  serverfarm TEST_WEBFARM

It is still getting this IP when checked on the server:

nat-pool 1 172.16.X.X 172.16.X.X netmask 255.255.255.128 pat

Your assistance is most appreciated.

Thanks and Regards.

Accepted Solutions

pablo.nxh
Level 3

Hi Kaneswaran,

The source IP will still be seen as coming from your NAT IP, otherwise you'll end up in an asymmetric routing situation. The X-Forwarded-For that you configured is just inserting a new header into the layer 5 portion of the packet that will hold the original client's IP address. If you set up a capture in your server you'll see it like this (http://goo.gl/yMjFFz).

If you need the original client IP address for reporting or metrics, most of the server vendors just need to have some sort of API enabled in order to catch the IP included in the X-Forwarded-For header.

I hope this helps.

Pablo

Hi Pablo,

Thanks for the assistance. I have managed to get the issue sorted now as it turned out to be a fault on the server site and not the ACE. So I am sure that this configuration definitely works.

Thanks again and appreciate your assistance.


Regards,

Kanes.R

Hello Pablo, what API can open and review the source IP?
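
As an added example (not code from any poster in this thread or from Cisco), this is one way a server behind the load balancer can recover the client address from X-Forwarded-For without trusting a value the client supplied itself. It assumes the load balancer's value is the last one the server receives; `TRUSTED_PROXIES`, `client_ip` and the 192.0.2.0/25 range are hypothetical placeholders standing in for the masked NAT pool, and all addresses are constructed.

```python
import ipaddress

# Placeholder for the load balancer's NAT pool (masked as 172.16.X.X on this page).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/25")]


def _is_trusted(ip):
    """True when the address belongs to one of our own proxy/NAT ranges."""
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_values):
    """Return the address to use for logging, metrics or rate limiting.

    peer_addr  -- TCP source address the server sees (the NAT address
                  when the request came through the load balancer)
    xff_values -- every X-Forwarded-For header line, in received order
    """
    peer = ipaddress.ip_address(peer_addr)

    # A connection that did not come from the load balancer can carry any
    # header value it likes, so the header is ignored entirely.
    if not _is_trusted(peer):
        return str(peer)

    # Flatten repeated header lines and comma-separated lists into one hop list.
    hops = [h.strip() for line in xff_values for h in line.split(",") if h.strip()]

    # Walk from the nearest hop outwards and stop at the first address that
    # is not one of our proxies. Entries further left were supplied by the
    # client and are never returned.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: fall back to the peer address
        if not _is_trusted(ip):
            return str(ip)

    # No usable entry (header missing or only proxy addresses).
    return str(peer)
```
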
