Cisco Support Community
New Member

ACE: insert-http X-Forwarded-For header-value "%is"

Hi All,

I have configured this command on the policy map (insert-http X-Forwarded-For header-value "%is"), however the server is still not seeing the originator's IP address. It still shows the NATted IP that we have configured on the ACE (VLAN). I need to know if I am missing something. Apart from that, we have the SSL termination done on the ACE. Configs are as below:

policy-map type loadbalance first-match TEST_TEST_LB_PMAP

  class class-default

    sticky-serverfarm TEST_PORTAL_COOKIE

    action TEST_URL_REWRITE

    insert-http X-Forwarded-For header-value "%is"

class-map match-all TEST_PMAP_CLASS

  2 match virtual-address X.X.X.X tcp eq https

sticky http-cookie JSESSIONID TEST_PORTAL_COOKIE

  replicate sticky

  serverfarm TEST_WEBFARM

It is still getting this IP when checked on the server:

nat-pool 1 172.16.X.X 172.16.X.X netmask 255.255.255.128 pat

Your assistance is most appreciated.

Thanks and Regards.

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: ACE: insert-http X-Forwarded-For header-value "%is"

Hi Kaneswaran,

The source IP will still be seen as coming from your NAT IP; otherwise you'll end up in an asymmetric routing situation. The X-Forwarded-For that you configured is just inserting a new header into the layer 5 portion of the packet that will hold the original client's IP address. If you set up a capture on your server you'll see it like this (http://goo.gl/yMjFFz).

If you need the original client IP address for reporting or metrics, most of the server vendors just need to have some sort of API enabled in order to catch the IP included in the X-Forwarded-For header.

I hope this helps.

Pablo
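
Added example, not part of any post in this thread: a server-side sketch in Python of reading the header the ACE inserts, accepting it only when the TCP peer is inside the ACE NAT pool so that a client-written X-Forwarded-For is never logged as the real source. The pool range, the function name `client_ip`, and the policy of rejecting requests that carry more than one value are assumptions of this example.

```python
import ipaddress

# Constructed placeholder for the ACE nat-pool range (the post masks the real one).
ACE_NAT_POOL = ipaddress.ip_network("172.16.10.0/25")


def client_ip(peer, xff_headers):
    """Pick the address to log for one request (hypothetical helper).

    peer        -- TCP source address the server sees
    xff_headers -- list of every X-Forwarded-For header value on the request
    Returns (address, source) with source one of "peer", "xff", "rejected".
    """
    peer_addr = ipaddress.ip_address(peer)

    # Connection did not come from the ACE NAT pool: any header it carries
    # was written by the client, so only the TCP peer is usable.
    if peer_addr not in ACE_NAT_POOL:
        return str(peer_addr), "peer"

    # Flatten repeated headers and comma-separated lists into single values.
    values = [v.strip() for h in xff_headers for v in h.split(",") if v.strip()]

    # No value: the insert is not reaching the server, fall back to the NAT IP.
    if not values:
        return str(peer_addr), "peer"

    # "%is" yields a single source IP. Several values mean the client sent
    # its own header as well, and we cannot tell which one the ACE wrote.
    if len(values) != 1:
        return str(peer_addr), "rejected"

    try:
        addr = ipaddress.ip_address(values[0])
    except ValueError:
        return str(peer_addr), "rejected"  # not an IP address at all
    return str(addr), "xff"


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, X-Forwarded-For header values)
    samples = [
        ("172.16.10.5", ["203.0.113.7"]),              # via ACE, header inserted
        ("172.16.10.5", ["10.1.1.1", "203.0.113.7"]),  # via ACE, extra client header
        ("198.51.100.9", ["10.0.0.1"]),                # bypassed the ACE
    ]
    for peer, headers in samples:
        print(peer, headers, "->", client_ip(peer, headers))
```
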

3 REPLIES

New Member

Re: ACE: insert-http X-Forwarded-For header-value "%is"

Hi Pablo,

Thanks for the assistance. I have managed to get the issue sorted now as it turned out to be a fault on the server site and not the ACE. So I am sure that this configuration definitely works.

Thanks again and appreciate your assistance.


Regards,

Kanes.R

New Member

Hello Pablo, what API can open and review the source IP?
