10-02-2013 08:38 AM
Hi All,
I have configured this command on the policy map (insert-http X-Forwarded-For header-value "%is"), however the server is still not seeing the originator's IP address. It still shows the natted IP that we have configured on the ACE (vlan). I need to know if I am missing something. Apart from that, we have the SSL termination done on the ACE. Configs are as below:
policy-map type loadbalance first-match TEST_TEST_LB_PMAP
  class class-default
    sticky-serverfarm TEST_PORTAL_COOKIE
    action TEST_URL_REWRITE
    insert-http X-Forwarded-For header-value "%is"
class-map match-all TEST_PMAP_CLASS
  2 match virtual-address X.X.X.X tcp eq https
sticky http-cookie JSESSIONID TEST_PORTAL_COOKIE
  replicate sticky
  serverfarm TEST_WEBFARM
It is still getting this IP when checked on the server:
nat-pool 1 172.16.X.X 172.16.X.X netmask 255.255.255.128 pat
Your assistance is most appreciated.
Thanks and Regards.
10-02-2013 04:57 PM
Hi Kaneswaran,
The source IP will still be seen as coming from your NAT IP, otherwise you'll end up in an asymmetric routing situation. The X-Forwarded-For that you configured is just inserting a new header into the layer 5 portion of the packet that will hold the original client's IP address. If you set up a capture in your server you'll see it like this (http://goo.gl/yMjFFz).
If you need the original client IP address for reporting or metrics, most of the server vendors just need to have some sort of API enabled in order to catch the IP included in the X-Forwarded-For header.
I hope this helps.
Pablo
10-03-2013 08:26 AM
Hi Pablo,
Thanks for the assistance. I have managed to get the issue sorted now as it turned out to be a fault on the server site and not the ACE. So I am sure that this configuration definitely works.
Thanks again and appreciate your assistance.
Regards,
Kanes.R
05-04-2015 05:47 PM
Hello Pablo, what API can open and review the source IP?
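Added example, not part of any post in this thread: one way a backend application can recover the client address from the X-Forwarded-For header the ACE inserts, accepting the header only when the TCP peer is inside the ACE NAT pool. The function name, the 172.16.10.0/25 pool (a stand-in for the masked 172.16.X.X range) and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed stand-in for the ACE NAT pool (the thread masks the real
# 172.16.X.X range); /25 matches the 255.255.255.128 netmask shown.
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.10.0/25")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(peer, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to log as the client.

    peer       -- TCP source address the server sees (the NAT address)
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer_addr = ipaddress.ip_address(peer)
    # Only honour the header when the connection came from the load
    # balancer; any other sender controls the header content entirely.
    if not xff_header or not _is_trusted(peer_addr, trusted):
        return str(peer_addr)

    # Walk right to left: the right-most entry was added by the hop
    # closest to the server. Entries to its left may be client-supplied.
    for token in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            # Malformed entry: stop and fall back to the peer address.
            return str(peer_addr)
        if not _is_trusted(hop, trusted):
            return str(hop)
    return str(peer_addr)


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For value)
    samples = [
        ("172.16.10.5", "203.0.113.7"),
        ("172.16.10.5", "10.9.9.9, 203.0.113.7"),
        ("198.51.100.20", "203.0.113.7"),
        ("172.16.10.5", None),
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", client_ip(peer, xff))
```

Logging both the peer address and the derived client address keeps the NAT hop visible in access logs while still recording the originator.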