Cisco Support Community

ACE LB SSL Session ID in onearm mode

I am trying to set up SSL stickiness using the session ID in a onearm configuration mode and cannot access the website via the VIP. I can browse to both servers directly.

The ACE is connected to a Cat 6500 via a 4-gigabit Ethernet port-channel, and only the management and onearm context VLANs are trunked down the port-channel.

From the OneArm Mode context I am able to ping the MSFC (VLAN980) default gateway and both rservers. The rservers, server farm and service policy are all showing as in service. I am also able to ping the VIP from any device on the network.

The incoming connection is established and NAT appears to take place, although the return session is reported as INIT.

I have posted the configuration below and was hoping someone could make a few suggestions. One of the things I notice is that on the MSFC the NAT address isn't in the ARP table, although it's showing on the ACE.

logging enable
logging buffered 7

access-list everyone line 1 extended permit ip any any

script file name SSL_PROBE_SCRIPT

probe scripted ssl443
  port 443
  interval 60
  passdetect interval 60

parameter-map type generic sslidparam
  set max-parse-length 70

rserver host host1
  ip address
rserver host host2
  ip address

serverfarm host ssl-443
  rserver host1
    weight 10
    probe ssl443
  rserver host2
    weight 10
    probe ssl443

sticky layer4-payload sticky-443
  timeout 720
  serverfarm ssl-443
  response sticky
  layer4-payload offset 43 length 32 begin-pattern "\x20"

class-map type management match-any MANAGEMENT
  2 match protocol icmp any
  3 match protocol http any
  4 match protocol https any
  5 match protocol ssh any
  6 match protocol telnet any

class-map match-any slb-vip
  3 match virtual-address tcp eq https

policy-map type management first-match MANAGEMENT-POLICY

policy-map type loadbalance generic first-match slb-vip
  class class-default
    sticky-serverfarm sticky-443

policy-map multi-match SSL-STICKY
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb-vip
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 980
    appl-parameter generic advanced-options sslidparam

interface vlan 980
  ip address
  peer ip address
  access-group input everyone
  nat-pool 1 netmask pat
  service-policy input MANAGEMENT-POLICY
  service-policy input SSL-STICKY
  no shutdown

ip route

sh conn

total current connections : 2

conn-id    np dir proto vlan source                destination           state
19828      1  in  TCP   98      ESTAB
19829      1  out TCP   98 :443     INIT
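As an added illustration (not from the original post or Cisco's own code), this Python snippet shows which bytes the sticky rule `layer4-payload offset 43 length 32 begin-pattern "\x20"` keys on: in an SSLv3/TLS handshake record, byte 43 is the session_id length (0x20 when a 32-byte ID is present) and the session ID itself follows it. The ServerHello bytes are constructed here, not captured traffic, and the helper names are my own.

```python
import struct
from typing import Optional, Tuple

# 5-byte record header + 4-byte handshake header + 2-byte version + 32-byte random
SESSION_ID_LEN_OFFSET = 43

def parse_hello(record: bytes) -> Tuple[int, bytes]:
    """Return (handshake_type, session_id) from a ClientHello/ServerHello record.
    Raises ValueError when the bytes are not a well-formed Hello."""
    if len(record) < SESSION_ID_LEN_OFFSET + 1:
        raise ValueError("record too short")
    content_type, _version, _rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:                     # 22 = Handshake
        raise ValueError("not a handshake record")
    hs_type = record[5]                        # 1 = ClientHello, 2 = ServerHello
    if hs_type not in (1, 2):
        raise ValueError("not a ClientHello/ServerHello")
    sid_len = record[SESSION_ID_LEN_OFFSET]
    sid = record[SESSION_ID_LEN_OFFSET + 1:SESSION_ID_LEN_OFFSET + 1 + sid_len]
    if len(sid) != sid_len:
        raise ValueError("truncated session id")
    return hs_type, sid

def sticky_key(record: bytes) -> Optional[bytes]:
    """The 32-byte key the ACE rule above would hash on, or None when byte 43 is
    not 0x20 (no session ID, or a non-32-byte one): no key means no stickiness,
    so such connections fall back to plain load balancing."""
    try:
        _hs_type, sid = parse_hello(record)
    except ValueError:
        return None
    if record[SESSION_ID_LEN_OFFSET] != 0x20:
        return None
    return sid

def build_server_hello(session_id: bytes, version: int = 0x0301) -> bytes:
    """Constructed sample ServerHello (fixed random, one cipher suite)."""
    random_bytes = bytes(range(32))
    body = struct.pack("!H", version) + random_bytes
    body += bytes([len(session_id)]) + session_id
    body += b"\x00\x2f" + b"\x00"            # TLS_RSA_WITH_AES_128_CBC_SHA, null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake

if __name__ == "__main__":
    rec = build_server_hello(bytes([0xAA]) * 32)
    print("byte 43 = 0x%02x, key = %s" % (rec[43], sticky_key(rec).hex()))
```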

Re: ACE LB SSL Session ID in onearm mode

The problem was caused by an incorrect NAT pool. Correct mask was