Cisco Support Community
New Member

Load Balance HTTPS servers with redirection

Hello,

I have been tasked with ACE configuration at work as the prior go-to guy for load balancing is no longer available. Trouble is, I have little idea what I’m doing when it comes to the ACE. So, forgive me if the question I have is super basic. After doing some research I put together a LB config, but it's not working.

I was trying to load balance 10 servers, split into groups of 2 using 5 VIPS (1 VIP for each group of 2 servers). The servers serve an ssl web app.

Below is my configuration. What am I doing wrong? Does the config have any glaring errors? I've been staring at this thing on and off for a week and searching these forums trying to figure it out.

Any help provided will be greatly appreciated.

probe tcp probe_443

  port 443

  interval 30

  passdetect interval 5

probe https probe_https_test

  interval 30

  passdetect interval 5

  ssl version all

  request method get url /test.html

  expect status 200 200

rserver host QA-1.1

ip address 10.200.162.126

inservice

rserver host QA-1.2

ip address 10.200.162.127

inservice

rserver redirect QA-group_1_redirect_rserver

webhost-redirection https://10.37.5.73/ 302

  inservice

rserver host QA-2.1

ip address 10.200.162.22

inservice

rserver host QA-2.2

ip address 10.200.162.240

inservice

rserver redirect QA-group_2_redirect_rserver

webhost-redirection https://10.37.5.74/ 302

  inservice

rserver host QA-3.1

ip address 10.200.162.181

inservice

rserver host QA-3.2

ip address 10.200.162.50

inservice

rserver redirect QA-group_3_redirect_rserver

webhost-redirection https://10.37.5.75/ 302

  inservice

rserver host QA-4.1

ip address 10.200.162.23

inservice

rserver host QA-4.2

ip address 10.200.162.241

inservice

rserver redirect QA-group_4_redirect_rserver

webhost-redirection https://10.37.5.76/ 302

  inservice

rserver host QA-5.1

ip address 10.200.162.182

inservice

rserver host QA-5.2

ip address 10.200.162.51

inservice

rserver redirect QA-group_5_redirect_rserver

webhost-redirection https://10.37.5.77/ 302

  inservice

serverfarm host SF_QA-group_1_HTTPS

failaction reassign

predictor leastconns

probe probe_443

probe probe_https_test

rserver QA-1.1 443

inservice

rserver QA-1. 2 443

inservice

serverfarm host SF_QA-group_2_HTTPS

failaction reassign

predictor leastconns

probe probe_443

probe probe_https_test

rserver QA-2.1 443

inservice

rserver QA-2. 2 443

inservice

serverfarm host SF_QA-group_3_HTTPS

failaction reassign

predictor leastconns

probe probe_443

probe probe_https_test

rserver QA-3.1 443

inservice

rserver QA-3. 2 443

inservice

serverfarm host SF_QA-group_4_HTTPS

failaction reassign

predictor leastconns

probe probe_443

probe probe_https_test

rserver QA-4.1 443

inservice

rserver QA-4. 2 443

inservice

serverfarm host SF_QA-group_5_HTTPS

failaction reassign

predictor leastconns

probe probe_443

probe probe_https_test

rserver QA-5.1 443

inservice

rserver QA-5. 2 443

inservice

serverfarm redirect SF_ QA-group_1_REDIRECT

rserver QA-group_1_redirect_rserver

inservice

serverfarm redirect SF_ QA-group_2_REDIRECT

rserver QA-group_2_redirect_rserver

inservice

serverfarm redirect SF_ QA-group_3_REDIRECT

rserver QA-group_3_redirect_rserver

inservice

serverfarm redirect SF_ QA-group_4_REDIRECT

rserver QA-group_4_redirect_rserver

inservice

serverfarm redirect SF_ QA-group_5_REDIRECT

rserver QA-group_5_redirect_rserver

inservice

sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_1_STICKY

serverfarm SF_ QA-group_1_HTTPS

timeout 30

replicate sticky

sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_2_STICKY

serverfarm SF_ QA-group_2_HTTPS

timeout 30

replicate sticky

sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_3_STICKY

serverfarm SF_ QA-group_3_HTTPS

timeout 30

replicate sticky

sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_4_STICKY

serverfarm SF_ QA-group_4_HTTPS

timeout 30

replicate sticky

sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_5_STICKY

serverfarm SF_ QA-group_5_HTTPS

timeout 30

replicate sticky

class-map match-all QA-group_1_HTTP

3 match virtual-address 10.37.5.73 tcp eq www

class-map match-all QA-group_1_HTTPS

3 match virtual-address 10.37.5.73 tcp eq https

class-map match-all QA-group_2_HTTP

3 match virtual-address 10.37.5.74 tcp eq www

class-map match-all QA-group_2_HTTPS

3 match virtual-address 10.37.5.74 tcp eq https

class-map match-all QA-group_3_HTTP

3 match virtual-address 10.37.5.75 tcp eq www

class-map match-all QA-group_3_HTTPS

3 match virtual-address 10.37.5.75 tcp eq https

class-map match-all QA-group_4_HTTP

3 match virtual-address 10.37.5.76 tcp eq www

class-map match-all QA-group_4_HTTPS

3 match virtual-address 10.37.5.76 tcp eq https

class-map match-all QA-group_5_HTTPS

3 match virtual-address 10.37.5.77 tcp eq www

class-map match-all QA-group_5_HTTPS

3 match virtual-address 10.37.5.77 tcp eq https

class-map type management match-any remote-management

2 match protocol http any

3 match protocol https any

4 match protocol icmp any

5 match protocol snmp any

6 match protocol ssh any

policy-map type management first-match remote-access

class remote-management

permit

policy-map type loadbalance first-match QA-group_1_REDIRECT

class class-default

serverfarm SF_ QA-group_1_REDIRECT

policy-map type loadbalance first-match QA-group_2_REDIRECT

class class-default

serverfarm SF_ QA-group_2_REDIRECT

policy-map type loadbalance first-match QA-group_3_REDIRECT

class class-default

serverfarm SF_ QA-group_3_REDIRECT

policy-map type loadbalance first-match QA-group_4_REDIRECT

class class-default

serverfarm SF_ QA-group_4_REDIRECT

policy-map type loadbalance first-match QA-group_5_REDIRECT

class class-default

serverfarm SF_ QA-group_5_REDIRECT

policy-map multi-match SERVICE_VIPS

class QA-group_1_HTTPS

    loadbalance vip inservice

    loadbalance policy HTTPS_ QA-group_1_HTTPS _L7_BALANCED

    loadbalance vip icmp-reply

    nat dynamic 1 vlan 25

  class QA-group_1_HTTP

    loadbalance vip inservice

    loadbalance policy QA-group_1_REDIRECT

class QA-group_2_HTTPS

    loadbalance vip inservice

    loadbalance policy HTTPS_ QA-group_2_HTTPS _L7_BALANCED

    loadbalance vip icmp-reply

    nat dynamic 1 vlan 25

  class QA-group_2_HTTP

    loadbalance vip inservice

    loadbalance policy QA-group_2_REDIRECT

class QA-group_3_HTTPS

    loadbalance vip inservice

    loadbalance policy HTTPS_ QA-group_3_HTTPS _L7_BALANCED

    loadbalance vip icmp-reply

    nat dynamic 1 vlan 25

  class QA-group_3_HTTP

    loadbalance vip inservice

    loadbalance policy QA-group_3_REDIRECT

class QA-group_4_HTTPS

    loadbalance vip inservice

    loadbalance policy HTTPS_ QA-group_4_HTTPS _L7_BALANCED

    loadbalance vip icmp-reply

    nat dynamic 1 vlan 25

  class QA-group_4_HTTP

    loadbalance vip inservice

    loadbalance policy QA-group_4_REDIRECT

class QA-group_5_HTTPS

    loadbalance vip inservice

    loadbalance policy HTTPS_ QA-group_4_HTTPS _L7_BALANCED

    loadbalance vip icmp-reply

    nat dynamic 1 vlan 25

  class QA-group_5_HTTP

    loadbalance vip inservice

    loadbalance policy QA-group_4_REDIRECT

interface vlan 25

  ip address 10.37.5.72 255.255.255.0

    access-group input everyone

  service-policy input remote-access

  service-policy input SERVICE_VIPS

  no shutdown

ip route 0.0.0.0 0.0.0.0 10.37.5.1

3 ACCEPTED SOLUTIONS

Cisco Employee

Hi John,

Forget this configuration. I will give you the configuration; please try that. I will give it to you for one rserver, one serverfarm, one class map. Please do the same for the rest of them. Test one first and replicate to the others.

rserver redirect QA-group_1_redirect_rserver

  webhost-redirection https://10.37.5.93/ 302

  inservice

This is the redirect server.

rserver host QA-1.1

  ip address 10.37.5.111

  inservice

rserver host QA-1.2

  ip address 10.37.5.88

  inservice

Normal servers to which the traffic would be loadbalanced.

serverfarm redirect SF_QA-group_1_REDIRECT

  rserver QA-group_1_redirect_rserver

    inservice

This is the redirect serverfarm.

serverfarm host SF_QA-group_1_HTTPS

  failaction reassign

  predictor leastconns

  rserver QA-1.1 443

    inservice

  rserver QA-1.2 443

    inservice

Normal serverfarm with two rservers in it to which we will loadbalance the traffic.

class-map match-all QA-group_1_HTTP

  3 match virtual-address 10.37.5.93 tcp eq www

The class-map is the condition for redirection: if the user comes in on 10.37.5.93 on port 80.

class-map match-all QA-group_1_HTTPS

  3 match virtual-address 10.37.5.93 tcp eq https

Condition for a user coming in on port 443.

policy-map type loadbalance first-match QA-group_1_REDIRECT

  class class-default

    serverfarm SF_QA-group_1_REDIRECT

This is a policy or action which ACE will take after the condition matches which is to redirect.

policy-map type loadbalance first-match QA_GROUP1_HTPPS

  class class-default

    serverfarm SF_QA-group_1_HTTPS

This is for HTTPS

policy-map multi-match SERVICE_VIPS
  class QA-group_1_HTTP
    loadbalance vip inservice
    loadbalance policy QA-group_1_REDIRECT
    loadbalance vip icmp-reply
  class QA-group_1_HTTPS
    loadbalance vip inservice
    loadbalance policy QA_GROUP1_HTPPS
    loadbalance vip icmp-reply

Same action is applied to the policy. If it matches class QA-group_1_HTTP, redirect it, since the redirect policy is applied, and if it matches class QA-group_1_HTTPS, loadbalance the traffic, since the LB policy is applied.

Hope this clears everything. My bad for not being clear. Also, note that I have not used sticky here. I have done this just as an example. This is how your configuration should look for all the groups.

Again let me know if you have any questions.

Regards,

Kanwal

Cisco Employee


Hi John,

So that's a problem then. Return traffic from the server should also pass through the ACE. ACE is not seeing the return traffic. This is asymmetric routing. You will either have to do src nat or change the default gateway of the servers to the ACE. Try changing it for one serverfarm (two servers in a serverfarm) and test again. If that works you know this is the issue, or you can add a route on the server as well.

Regards,

Kanwal

Cisco Employee


Hi John,

Remove the class map from policy map and then remove it. That should do the trick.

Regards,

Kanwal

19 REPLIES
Cisco Employee


Hi John,

If the idea is to redirect user requests from http to https and once user comes on https, just loadbalance the requests to servers who are also listening on 443, then the above configuration looks fine. What is not working, redirection or loadbalancing to real servers? What is the status of servers in serverfarm? They should be operational.

I don't see LB policy configuration like "HTTPS_ QA-group_1_HTTPS _L7_BALANCED" in the configuration you have pasted. Maybe you have omitted it on purpose.

Regards,

Kanwal

New Member


Fnu,


Thank you so much for your reply.

At this point I can get to the real server IPs via ping and https in a browser from my PC. I can also ping the gateway and all the real server IPs from the ACE context I'm working on. However, the VIPs are not working. When I attempt to use one of the VIPs in the browser, the request times out. When I issue the command "show service-policy" I see a hit count (which increments every time I try and reach the VIP via the browser) but the dropped counter is equal to the hit counter. I will paste the running config from the context I’m working in along with the output from the show service-policy command.

Any suggestions on how I can get this working would be greatly appreciated.

csc#  show run

Generating configuration....

access-list Servers line 3 extended permit tcp any any eq https

access-list Servers line 5 extended permit tcp any any eq www

access-list everyone line 1 extended permit ip any any

access-list everyone line 2 extended permit icmp any any

probe tcp probe_443

  port 443

  interval 30

  passdetect interval 5

rserver host QA-1.1

  ip address 10.37.5.111

  inservice

rserver host QA-1.2

  ip address 10.37.5.88

  inservice

rserver host QA-2.1

  ip address 10.37.5.84

  inservice

rserver host QA-2.2

  ip address 10.37.5.89

  inservice

rserver host QA-3.1

  ip address 10.37.5.85

  inservice

rserver host QA-3.2

  ip address 10.37.5.90

  inservice

rserver host QA-4.1

  ip address 10.37.5.86

  inservice

rserver host QA-4.2

  ip address 10.37.5.81

  inservice

rserver host QA-5.1

  ip address 10.37.5.87

  inservice

rserver host QA-5.2

  ip address 10.37.5.92

  inservice

rserver redirect QA-group_1_redirect_rserver

  webhost-redirection https://10.37.5.93/ 302

  inservice

rserver redirect QA-group_2_redirect_rserver

  webhost-redirection https://10.37.5.94/ 302

  inservice

rserver redirect QA-group_3_redirect_rserver

  webhost-redirection https://10.37.5.95/ 302

  inservice

rserver redirect QA-group_4_redirect_rserver

  webhost-redirection https://10.37.5.96/ 302

  inservice

rserver redirect QA-group_5_redirect_rserver

  webhost-redirection https://10.37.5.97/ 302

  inservice

serverfarm host SF_QA-group_1_HTTPS

  failaction reassign

  predictor leastconns

  probe probe_443

  rserver QA-1.1 443

    inservice

  rserver QA-1.2 443

    inservice

serverfarm redirect SF_QA-group_1_REDIRECT

  rserver QA-group_1_redirect_rserver

    inservice

serverfarm host SF_QA-group_2_HTTPS

  failaction reassign

  predictor leastconns

  probe probe_443

  rserver QA-2.1 443

    inservice

  rserver QA-2.2 443

    inservice

serverfarm redirect SF_QA-group_2_REDIRECT

  rserver QA-group_2_redirect_rserver

    inservice

serverfarm host SF_QA-group_3_HTTPS

  failaction reassign

  predictor leastconns

  probe probe_443

  rserver QA-3.1 443

    inservice

  rserver QA-3.2 443

    inservice

serverfarm redirect SF_QA-group_3_REDIRECT

  rserver QA-group_3_redirect_rserver

    inservice

serverfarm host SF_QA-group_4_HTTPS

  failaction reassign

  predictor leastconns

  probe probe_443

  rserver QA-4.1 443

    inservice

  rserver QA-4.2 443

    inservice

serverfarm redirect SF_QA-group_4_REDIRECT

  rserver QA-group_4_redirect_rserver

    inservice

serverfarm host SF_QA-group_5_HTTPS

  failaction reassign

  predictor leastconns

  probe probe_443

  rserver QA-5.1 443

    inservice

  rserver QA-5.2 443

    inservice

serverfarm redirect SF_QA-group_5_REDIRECT

  rserver QA-group_5_redirect_rserver

    inservice

serverfarm host SF_QA-group_HTTPS

serverfarm host SF_QA-group__HTTPS

sticky ip-netmask 255.255.255.255 address source SRC_QA-group_1_STICKY

  serverfarm SF_QA-group_1_HTTPS

  timeout 30

  replicate sticky

sticky ip-netmask 255.255.255.255 address source SRC_QA-group_2_STICKY

  serverfarm SF_QA-group_2_HTTPS

  timeout 30

  replicate sticky

sticky ip-netmask 255.255.255.255 address source SRC_QA-group_3_STICKY

  serverfarm SF_QA-group_3_HTTPS

  timeout 30

  replicate sticky

sticky ip-netmask 255.255.255.255 address source SRC_QA-group_4_STICKY

  serverfarm SF_QA-group_4_HTTPS

  timeout 30

  replicate sticky

sticky ip-netmask 255.255.255.255 address source SRC_QA-group_5_STICKY

  serverfarm SF_QA-group_5_HTTPS

  timeout 30

  replicate sticky

class-map match-all QA-group_1_HTTP

  3 match virtual-address 10.37.5.93 tcp eq www

class-map match-all QA-group_1_HTTPS

  3 match virtual-address 10.37.5.93 tcp eq https

class-map match-all QA-group_2_HTTP

  3 match virtual-address 10.37.5.94 tcp eq www

class-map match-all QA-group_2_HTTPS

  3 match virtual-address 10.37.5.94 tcp eq https

class-map match-all QA-group_3_HTTP

  3 match virtual-address 10.37.5.95 tcp eq www

class-map match-all QA-group_3_HTTPS

  3 match virtual-address 10.37.5.95 tcp eq https

class-map match-all QA-group_4_HTTP

  3 match virtual-address 10.37.5.96 tcp eq www

class-map match-all QA-group_4_HTTPS

  3 match virtual-address 10.37.5.76 tcp eq https

class-map match-all QA-group_5_HTTP

  3 match virtual-address 10.37.5.97 tcp eq www

class-map match-all QA-group_5_HTTPS

  3 match virtual-address 10.37.5.97 tcp eq https

class-map type management match-any remote-management

  2 match protocol http any

  3 match protocol https any

  4 match protocol icmp any

  5 match protocol snmp any

  6 match protocol ssh any

policy-map type management first-match remote-access

  class remote-management

    permit

policy-map type loadbalance first-match QA-group_1_REDIRECT

  class class-default

policy-map type loadbalance first-match QA-group_2_REDIRECT

  class class-default

    serverfarm SF_QA-group_2_REDIRECT

policy-map type loadbalance first-match QA-group_3_REDIRECT

  class class-default

    serverfarm SF_QA-group_3_REDIRECT

policy-map type loadbalance first-match QA-group_4_REDIRECT

  class class-default

    serverfarm SF_QA-group_4_REDIRECT

policy-map type loadbalance first-match QA-group_5_REDIRECT

  class class-default

    serverfarm SF_QA-group_5_REDIRECT

policy-map multi-match SERVICE_VIPS

  class QA-group_1_HTTPS

    loadbalance vip inservice

    loadbalance policy QA-group_1_REDIRECT

    loadbalance vip icmp-reply

  class QA-group_1_HTTP

    loadbalance vip inservice

    loadbalance policy QA-group_1_REDIRECT

  class QA-group_2_HTTPS

    loadbalance vip inservice

    loadbalance policy QA-group_2_REDIRECT

    loadbalance vip icmp-reply

  class QA-group_2_HTTP

    loadbalance vip inservice

    loadbalance policy QA-group_2_REDIRECT

  class QA-group_3_HTTPS

    loadbalance vip inservice

    loadbalance policy QA-group_3_REDIRECT

    loadbalance vip icmp-reply

  class QA-group_3_HTTP

    loadbalance vip inservice

    loadbalance policy QA-group_3_REDIRECT

  class QA-group_4_HTTPS

    loadbalance vip inservice

    loadbalance policy QA-group_4_REDIRECT

    loadbalance vip icmp-reply

  class QA-group_4_HTTP

    loadbalance vip inservice

    loadbalance policy QA-group_4_REDIRECT

  class QA-group_5_HTTPS

    loadbalance vip inservice

    loadbalance policy QA-group_5_REDIRECT

    loadbalance vip icmp-reply

  class QA-group_5_HTTP

    loadbalance vip inservice

    loadbalance policy QA-group_5_REDIRECT

interface vlan 25

  ip address 10.37.5.98 255.255.255.0

  access-group input everyone

  service-policy input remote-access

  service-policy input SERVICE_VIPS

  no shutdown

ip route 0.0.0.0 0.0.0.0 10.37.5.1

csc# show service-policy SERVICE_VIPS

Status     : ACTIVE

-----------------------------------------

Interface: vlan 25

  service-policy: SERVICE_VIPS

    class: QA-group_1_HTTPS

      loadbalance:

        L7 loadbalance policy: QA-group_1_REDIRECT

        VIP Route Metric     : 77

        VIP Route Advertise  : DISABLED

        VIP ICMP Reply       : ENABLED

        VIP state: OUTOFSERVICE

        VIP DWS state: DWS_DISABLED

        Persistence Rebalance: DISABLED

        curr conns       : 0         , hit count        : 122      

        dropped conns    : 122      

        conns per second    : 0        

        client pkt count : 122       , client byte count: 6164               

        server pkt count : 0         , server byte count: 0                  

        conn-rate-limit      : 0         , drop-count : 0        

        bandwidth-rate-limit : 0         , drop-count : 0        

      compression:

        bytes_in  : 0                          bytes_out : 0                  

        Compression ratio : 0.00%

                Gzip: 0               Deflate: 0        

      compression errors:

        User-Agent  : 0               Accept-Encoding    : 0        

        Content size: 0               Content type       : 0        

        Not HTTP 1.1: 0               HTTP response error: 0        

        Others      : 0        

    class: QA-group_1_HTTP

      loadbalance:

        L7 loadbalance policy: QA-group_1_REDIRECT

        VIP Route Metric     : 77

        VIP Route Advertise  : DISABLED

        VIP ICMP Reply       : DISABLED

        VIP state: OUTOFSERVICE

        VIP DWS state: DWS_DISABLED

        Persistence Rebalance: DISABLED

        curr conns       : 0         , hit count        : 58       

        dropped conns    : 58       

        conns per second    : 0        

        client pkt count : 58        , client byte count: 3628               

        server pkt count : 0         , server byte count: 0                  

        conn-rate-limit      : 0         , drop-count : 0        

        bandwidth-rate-limit : 0         , drop-count : 0        

      compression:

        bytes_in  : 0                          bytes_out : 0                  

        Compression ratio : 0.00%

                Gzip: 0               Deflate: 0        

      compression errors:

        User-Agent  : 0               Accept-Encoding    : 0        

        Content size: 0               Content type       : 0        

        Not HTTP 1.1: 0               HTTP response error: 0        

        Others      : 0        

    class: QA-group_2_HTTPS

      loadbalance:

        L7 loadbalance policy: QA-group_2_REDIRECT

        VIP Route Metric     : 77

        VIP Route Advertise  : DISABLED

        VIP ICMP Reply       : ENABLED

        VIP State: INSERVICE

        VIP DWS state: DWS_DISABLED

        Persistence Rebalance: ENABLED

        curr conns       : 0         , hit count        : 13       

        dropped conns    : 0        

        conns per second    : 0        

        client pkt count : 74        , client byte count: 7648               

        server pkt count : 0         , server byte count: 0                  

        conn-rate-limit      : 0         , drop-count : 0        

        bandwidth-rate-limit : 0         , drop-count : 0        

      compression:

        bytes_in  : 0                          bytes_out : 0                  

        Compression ratio : 0.00%

                Gzip: 0               Deflate: 0        

      compression errors:

        User-Agent  : 0               Accept-Encoding    : 0        

        Content size: 0               Content type       : 0        

        Not HTTP 1.1: 0               HTTP response error: 0        

        Others      : 0        

    class: QA-group_2_HTTP

      loadbalance:

        L7 loadbalance policy: QA-group_2_REDIRECT

        VIP Route Metric     : 77

        VIP Route Advertise  : DISABLED

        VIP ICMP Reply       : DISABLED

        VIP State: INSERVICE

        VIP DWS state: DWS_DISABLED

        Persistence Rebalance: ENABLED

        curr conns       : 0         , hit count        : 3        

        dropped conns    : 0        

        conns per second    : 0        

        client pkt count : 12        , client byte count: 1398               

        server pkt count : 0         , server byte count: 0                  

        conn-rate-limit      : 0         , drop-count : 0        

        bandwidth-rate-limit : 0         , drop-count : 0        

      compression:

        bytes_in  : 0                          bytes_out : 0                  

        Compression ratio : 0.00%

                Gzip: 0               Deflate: 0        

      compression errors:

        User-Agent  : 0               Accept-Encoding    : 0        

        Content size: 0               Content type       : 0        

        Not HTTP 1.1: 0               HTTP response error: 0        

        Others      : 0        

    class: QA-group_3_HTTPS

      loadbalance:

        L7 loadbalance policy: QA-group_3_REDIRECT

        VIP Route Metric     : 77

        VIP Route Advertise  : DISABLED

        VIP ICMP Reply       : ENABLED

        VIP State: INSERVICE

        VIP DWS state: DWS_DISABLED

        Persistence Rebalance: ENABLED

        curr conns       : 0         , hit count        : 34       

        dropped conns    : 0        

        conns per second    : 0        

        client pkt count : 201       , client byte count: 23495              

        server pkt count : 0         , server byte count: 0                  

        conn-rate-limit      : 0         , drop-count : 0        

        bandwidth-rate-limit : 0         , drop-count : 0        

      compression:

        bytes_in  : 0                          bytes_out : 0                  

        Compression ratio : 0.00%

                Gzip: 0               Deflate: 0        

      compression errors:

        User-Agent  : 0               Accept-Encoding    : 0        

        Content size: 0               Content type       : 0        

        Not HTTP 1.1: 0               HTTP response error: 0        

        Others      : 0        

    class: QA-group_3_HTTP

      loadbalance:

        L7 loadbalance policy: QA-group_3_REDIRECT

        VIP Route Metric     : 77

        VIP Route Advertise  : DISABLED

        VIP ICMP Reply       : DISABLED

        VIP State: INSERVICE

        VIP DWS state: DWS_DISABLED

        Persistence Rebalance: ENABLED

        curr conns       : 0         , hit count        : 5        

        dropped conns    : 0        

        conns per second    : 0        

        client pkt count : 20        , client byte count: 1907               

        server pkt count : 0         , server byte count: 0                  

        conn-rate-limit      : 0         , drop-count : 0        

        bandwidth-rate-limit : 0         , drop-count : 0        

      compression:

        bytes_in  : 0                          bytes_out : 0                  

        Compression ratio : 0.00%

                Gzip: 0               Deflate: 0        

      compression errors:

        User-Agent  : 0               Accept-Encoding    : 0        

        Content size: 0               Content type       : 0        

        Not HTTP 1.1: 0               HTTP response error: 0        

        Others      : 0        

    class: QA-group_4_HTTPS

      loadbalance:

        L7 loadbalance policy: QA-group_4_REDIRECT

        VIP Route Metric     : 77

        VIP Route Advertise  : DISABLED

        VIP ICMP Reply       : ENABLED

        VIP State: INSERVICE

        VIP DWS state: DWS_DISABLED

        Persistence Rebalance: ENABLED

        curr conns       : 0         , hit count        : 0        

        dropped conns    : 0        

        conns per second    : 0        

        client pkt count : 0         , client byte count: 0                  

        server pkt count : 0         , server byte count: 0                  

        conn-rate-limit      : 0         , drop-count : 0        

        bandwidth-rate-limit : 0         , drop-count : 0        

      compression:

        bytes_in  : 0                          bytes_out : 0                  

        Compression ratio : 0.00%

                Gzip: 0               Deflate: 0        

      compression errors:

        User-Agent  : 0               Accept-Encoding    : 0        

        Content size: 0               Content type       : 0        

        Not HTTP 1.1: 0               HTTP response error: 0        

        Others      : 0        

    class: QA-group_4_HTTP

      loadbalance:

        L7 loadbalance policy: QA-group_4_REDIRECT

        VIP Route Metric     : 77

        VIP Route Advertise  : DISABLED

        VIP ICMP Reply       : DISABLED

        VIP State: INSERVICE

        VIP DWS state: DWS_DISABLED

        Persistence Rebalance: ENABLED

        curr conns       : 0         , hit count        : 2        

        dropped conns    : 0        

        conns per second    : 0        

        client pkt count : 8         , client byte count: 697                

        server pkt count : 0         , server byte count: 0                  

        conn-rate-limit      : 0         , drop-count : 0        

        bandwidth-rate-limit : 0         , drop-count : 0        

      compression:

        bytes_in  : 0                          bytes_out : 0                  

        Compression ratio : 0.00%

                Gzip: 0               Deflate: 0        

      compression errors:

        User-Agent  : 0               Accept-Encoding    : 0        

        Content size: 0               Content type       : 0        

        Not HTTP 1.1: 0               HTTP response error: 0        

        Others      : 0        

    class: QA-group_5_HTTPS

      loadbalance:

        L7 loadbalance policy: QA-group_5_REDIRECT

        VIP Route Metric     : 77

        VIP Route Advertise  : DISABLED

        VIP ICMP Reply       : ENABLED

        VIP State: INSERVICE

        VIP DWS state: DWS_DISABLED

        Persistence Rebalance: ENABLED

        curr conns       : 0         , hit count        : 0        

        dropped conns    : 0        

        conns per second    : 0        

        client pkt count : 0         , client byte count: 0                  

        server pkt count : 0         , server byte count: 0                  

        conn-rate-limit      : 0         , drop-count : 0        

        bandwidth-rate-limit : 0         , drop-count : 0        

      compression:

        bytes_in  : 0                          bytes_out : 0                  

        Compression ratio : 0.00%

                Gzip: 0               Deflate: 0        

      compression errors:

        User-Agent  : 0               Accept-Encoding    : 0        

        Content size: 0               Content type       : 0        

        Not HTTP 1.1: 0               HTTP response error: 0        

        Others      : 0        

    class: QA-group_5_HTTP

      loadbalance:

        L7 loadbalance policy: QA-group_5_REDIRECT

        VIP Route Metric     : 77

        VIP Route Advertise  : DISABLED

        VIP ICMP Reply       : DISABLED

        VIP State: INSERVICE

        VIP DWS state: DWS_DISABLED

        Persistence Rebalance: ENABLED

        curr conns       : 0         , hit count        : 0        

        dropped conns    : 0        

        conns per second    : 0        

        client pkt count : 0         , client byte count: 0                  

        server pkt count : 0         , server byte count: 0                  

        conn-rate-limit      : 0         , drop-count : 0        

        bandwidth-rate-limit : 0         , drop-count : 0        

      compression:

        bytes_in  : 0                          bytes_out : 0                  

        Compression ratio : 0.00%

                Gzip: 0               Deflate: 0        

      compression errors:

        User-Agent  : 0               Accept-Encoding    : 0        

        Content size: 0               Content type       : 0        

        Not HTTP 1.1: 0               HTTP response error: 0        

        Others      : 0        
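To read the counters in the output above class by class, the following Python script (an added example, not part of the original post and not Cisco tooling) parses `show service-policy` text and labels each class from its VIP state and hit, drop and packet counters. The sample text is constructed in the same layout, and the labels are this example's own names.

```python
import re

# Constructed sample in the layout of the `show service-policy` output above,
# trimmed to the fields this script reads. Note the ACE prints both
# "VIP state" and "VIP State", so field names are compared case-insensitively.
SAMPLE_OUTPUT = """\
    class: QA-group_1_HTTPS
        VIP state: OUTOFSERVICE
        curr conns       : 0         , hit count        : 122
        dropped conns    : 122
        client pkt count : 122       , client byte count: 6164
        server pkt count : 0         , server byte count: 0
    class: QA-group_2_HTTPS
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 13
        dropped conns    : 0
        client pkt count : 74        , client byte count: 7648
        server pkt count : 0         , server byte count: 0
    class: QA-group_4_HTTPS
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
"""

# One or more "name : value" pairs per line, separated by commas or spaces.
FIELD = re.compile(r"([A-Za-z][A-Za-z -]*?)\s*:\s*(\S+)")


def parse_service_policy(output):
    """Return {class name: {field: value}} with lower-cased field names."""
    classes, current = {}, None
    for line in output.splitlines():
        for key, value in FIELD.findall(line):
            key = key.strip().lower()
            if key == "class":
                current = classes.setdefault(value, {})
            elif current is not None:
                current[key] = value
    return classes


def triage(output):
    """Label each class from its VIP state and counters."""
    report = {}
    for name, f in parse_service_policy(output).items():
        hits = int(f.get("hit count", 0))
        dropped = int(f.get("dropped conns", 0))
        client = int(f.get("client pkt count", 0))
        server = int(f.get("server pkt count", 0))
        state = f.get("vip state", "UNKNOWN").upper()
        if state != "INSERVICE":
            # Every hit on an out-of-service VIP is counted as a drop.
            label = "VIP_DOWN_ALL_DROPPED" if hits and dropped == hits else "VIP_DOWN"
        elif client and not server:
            # Client packets were counted, but nothing from the server side.
            label = "NO_SERVER_PACKETS"
        elif not hits:
            label = "IDLE"
        else:
            label = "PASSING"
        report[name] = label
    return report


if __name__ == "__main__":
    for cls, label in triage(SAMPLE_OUTPUT).items():
        print(f"{cls:20} {label}")
```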

Cisco Employee


Hi John,

Let us take one VIP and concentrate on that. Where are you testing from? Is the client in the same subnet as the servers? If yes, you would NAT for return traffic to go through the loadbalancer. Can you take a quick capture using Wireshark on the client and see where the connection fails and why?

Also, you have not associated serverfarm in below:

policy-map type loadbalance first-match QA-group_1_REDIRECT

class class-default

Regards,

Kanwal

New Member

Load Balance HTTPS servers with redirection

The client is not on the same network. There were NAT statements in my first attempt, but I took them out. Wasn't sure if they should be there.

The ACE configuration is like a whole new language to me. I can configure a router or switch no problem, but with the ACE, I’m kind of lost. The configuration I pasted here is one I made by editing a config file written by the previous engineer that was made to accomplish a similar task.

What is the minimum required to perform load balancing between 2 HTTPS web servers? I’ve read a lot of Cisco documentation regarding the ACE, but it's not clicking for me. For instance, when you say the policy map is not associated with a server farm, I don’t know what the relationship is between the two, nor am I clear on what a policy map’s function is.

I apologize profusely for my ignorance.

Cisco Employee

Load Balance HTTPS servers with redirection

Hi John,

Please see my latest reply. Make this change to every policy map you have configured. My bad, I overlooked it.

You are missing configuration here. It should be like this:

policy-map type loadbalance first-match QA-group_1_REDIRECT
  class QA-group_1_HTTP
    serverfarm SF_QA-group_1_REDIRECT
  class class-default
    serverfarm SF_QA-group_1_HTTPS

This is how it should look for all the policy maps. You have an LB policy which only redirects. No action for loadbalancing and hence the problem. Please change and try again. Sorry I overlooked it.

Regards,

Kanwal

Cisco Employee

Load Balance HTTPS servers with redirection

Hi John,

You are missing configuration here. It should be like this:

policy-map type loadbalance first-match QA-group_1_REDIRECT
  class QA-group_1_HTTP
    serverfarm SF_QA-group_1_REDIRECT
  class class-default
    serverfarm SF_QA-group_1_HTTPS

This is how it should look for all the policy maps. You have an LB policy which only redirects. No action for loadbalancing and hence the problem. Please change and try again. Sorry I overlooked it.

Regards,

Kanwal

New Member

Load Balance HTTPS servers with redirection

Fnu,

Thanks again for your help. I really appreciate it.

When I tried to change the config as you suggested, I received the following error:

CSC#(config-pmap-lb)# policy-map type loadbalance first-match QA-group_2_REDIRECT

CSC#(config-pmap-lb)# class SF_QA-group_2_HTTPS

Error: class-map 'SF_QA-group_2_HTTPS' not configured

As before, the hit counters are incrementing, but the ACE is not forwarding the traffic it seems. I would be grateful for any suggestions you might have.

Below is the configuration as well as the output from the show service-policy summary command.

CSC# show service-policy summary 

service-policy: SERVICE_VIPS

Class                            VIP                                      Prot  Port        VLAN          State    Curr Conns   Hit Count  Conns Drop

QA-group_1_HTTPS                 10.37.5.93                                tcp   eq 443      25            IN-SRVC           0          16         16

QA-group_1_HTTP                  10.37.5.93                                tcp   eq 80       25            IN-SRVC           0           2          2

QA-group_2_HTTPS                 10.37.5.94                                tcp   eq 443      25            IN-SRVC           0          20         20

QA-group_2_HTTP                  10.37.5.94                                tcp   eq 80       25            IN-SRVC           0           4          4

QA-group_3_HTTPS                 10.37.5.95                                tcp   eq 443      25            IN-SRVC           0          19         19

QA-group_3_HTTP                  10.37.5.95                                tcp   eq 80       25            IN-SRVC           0          12         12

QA-group_4_HTTPS                 10.37.5.76                                tcp   eq 443      25            IN-SRVC           0           0          0

QA-group_4_HTTP                  10.37.5.96                                tcp   eq 80       25            IN-SRVC           0          12         12

QA-group_5_HTTPS                 10.37.5.97                                tcp   eq 443      25            IN-SRVC           0           8          8

QA-group_5_HTTP                  10.37.5.97                                tcp   eq 80       25            IN-SRVC           0           6          6

CSC# term length 0

CSC# show run

Generating configuration....

access-list Servers line 3 extended permit tcp any any eq https

access-list Servers line 5 extended permit tcp any any eq www

access-list everyone line 1 extended permit ip any any

access-list everyone line 2 extended permit icmp any any

probe tcp probe_443

  port 443

  interval 30

  passdetect interval 5

rserver host QA-1.1

  ip address 10.37.5.111

  inservice

rserver host QA-1.2

  ip address 10.37.5.88

  inservice

rserver host QA-2.1

  ip address 10.37.5.84

  inservice

rserver host QA-2.2

  ip address 10.37.5.89

  inservice

rserver host QA-3.1

  ip address 10.37.5.85

  inservice

rserver host QA-3.2

  ip address 10.37.5.90

  inservice

rserver host QA-4.1

  ip address 10.37.5.86

  inservice

rserver host QA-4.2

  ip address 10.37.5.81

  inservice

rserver host QA-5.1

  ip address 10.37.5.87

  inservice

rserver host QA-5.2

  ip address 10.37.5.92

  inservice

rserver redirect QA-group_1_redirect_rserver

  webhost-redirection https://10.37.5.93/ 302

  inservice

rserver redirect QA-group_2_redirect_rserver

  webhost-redirection https://10.37.5.94/ 302

  inservice

rserver redirect QA-group_3_redirect_rserver

  webhost-redirection https://10.37.5.95/ 302

  inservice

rserver redirect QA-group_4_redirect_rserver

  webhost-redirection https://10.37.5.96/ 302

  inservice

rserver redirect QA-group_5_redirect_rserver

  webhost-redirection https://10.37.5.97/ 302

  inservice

serverfarm host SF_QA-group_1_HTTPS

  failaction reassign

  predictor leastconns

  probe probe_443

  rserver QA-1.1 443

    inservice

  rserver QA-1.2 443

    inservice

serverfarm redirect SF_QA-group_1_REDIRECT

  rserver QA-group_1_redirect_rserver

    inservice

serverfarm host SF_QA-group_2_HTTPS

  failaction reassign

  predictor leastconns

  probe probe_443

  rserver QA-2.1 443

    inservice

  rserver QA-2.2 443

    inservice

serverfarm redirect SF_QA-group_2_REDIRECT

  rserver QA-group_2_redirect_rserver

    inservice

serverfarm host SF_QA-group_3_HTTPS

  failaction reassign

  predictor leastconns

  probe probe_443

  rserver QA-3.1 443

    inservice

  rserver QA-3.2 443

    inservice

serverfarm redirect SF_QA-group_3_REDIRECT

  rserver QA-group_3_redirect_rserver

    inservice

serverfarm host SF_QA-group_4_HTTPS

  failaction reassign

  predictor leastconns

  probe probe_443

  rserver QA-4.1 443

    inservice

  rserver QA-4.2 443

    inservice

serverfarm redirect SF_QA-group_4_REDIRECT

  rserver QA-group_4_redirect_rserver

    inservice

serverfarm host SF_QA-group_5_HTTPS

  failaction reassign

  predictor leastconns

  probe probe_443

  rserver QA-5.1 443

    inservice

  rserver QA-5.2 443

    inservice

serverfarm redirect SF_QA-group_5_REDIRECT

  rserver QA-group_5_redirect_rserver

    inservice

serverfarm host SF_QA-group_HTTPS

serverfarm host SF_QA-group__HTTPS

sticky ip-netmask 255.255.255.255 address source SRC_QA-group_1_STICKY

  serverfarm SF_QA-group_1_HTTPS

  timeout 30

  replicate sticky

sticky ip-netmask 255.255.255.255 address source SRC_QA-group_2_STICKY

  serverfarm SF_QA-group_2_HTTPS

  timeout 30

  replicate sticky

sticky ip-netmask 255.255.255.255 address source SRC_QA-group_3_STICKY

  serverfarm SF_QA-group_3_HTTPS

  timeout 30

  replicate sticky

sticky ip-netmask 255.255.255.255 address source SRC_QA-group_4_STICKY

  serverfarm SF_QA-group_4_HTTPS

  timeout 30

  replicate sticky

sticky ip-netmask 255.255.255.255 address source SRC_QA-group_5_STICKY

  serverfarm SF_QA-group_5_HTTPS

  timeout 30

  replicate sticky

class-map match-all QA-group_1_HTTP

  3 match virtual-address 10.37.5.93 tcp eq www

class-map match-all QA-group_1_HTTPS

  3 match virtual-address 10.37.5.93 tcp eq https

class-map match-all QA-group_2_HTTP

  3 match virtual-address 10.37.5.94 tcp eq www

class-map match-all QA-group_2_HTTPS

  3 match virtual-address 10.37.5.94 tcp eq https

class-map match-all QA-group_3_HTTP

  3 match virtual-address 10.37.5.95 tcp eq www

class-map match-all QA-group_3_HTTPS

  3 match virtual-address 10.37.5.95 tcp eq https

class-map match-all QA-group_4_HTTP

  3 match virtual-address 10.37.5.96 tcp eq www

class-map match-all QA-group_4_HTTPS

  3 match virtual-address 10.37.5.76 tcp eq https

class-map match-all QA-group_5_HTTP

  3 match virtual-address 10.37.5.97 tcp eq www

class-map match-all QA-group_5_HTTPS

  3 match virtual-address 10.37.5.97 tcp eq https

class-map type management match-any remote-management

  2 match protocol http any

  3 match protocol https any

  4 match protocol icmp any

  5 match protocol snmp any

  6 match protocol ssh any

policy-map type management first-match remote-access

  class remote-management

    permit

policy-map type loadbalance first-match QA-group_1_REDIRECT

  class class-default

    serverfarm SF_QA-group_1_HTTPS

policy-map type loadbalance first-match QA-group_2_REDIRECT

  class class-default

    serverfarm SF_QA-group_2_HTTPS

policy-map type loadbalance first-match QA-group_3_REDIRECT

  class class-default

    serverfarm SF_QA-group_3_HTTPS

policy-map type loadbalance first-match QA-group_4_REDIRECT

  class class-default

    serverfarm SF_QA-group_4_HTTPS

policy-map type loadbalance first-match QA-group_5_REDIRECT

  class class-default

    serverfarm SF_QA-group_5_HTTPS

policy-map multi-match SERVICE_VIPS

  class QA-group_1_HTTPS

    loadbalance vip inservice

    loadbalance policy QA-group_1_REDIRECT

    loadbalance vip icmp-reply

  class QA-group_1_HTTP

    loadbalance vip inservice

    loadbalance policy QA-group_1_REDIRECT

  class QA-group_2_HTTPS

    loadbalance vip inservice

    loadbalance policy QA-group_2_REDIRECT

    loadbalance vip icmp-reply

  class QA-group_2_HTTP

    loadbalance vip inservice

    loadbalance policy QA-group_2_REDIRECT

  class QA-group_3_HTTPS

    loadbalance vip inservice

    loadbalance policy QA-group_3_REDIRECT

    loadbalance vip icmp-reply

  class QA-group_3_HTTP

    loadbalance vip inservice

    loadbalance policy QA-group_3_REDIRECT

  class QA-group_4_HTTPS

    loadbalance vip inservice

    loadbalance policy QA-group_4_REDIRECT

    loadbalance vip icmp-reply

  class QA-group_4_HTTP

    loadbalance vip inservice

    loadbalance policy QA-group_4_REDIRECT

  class QA-group_5_HTTPS

    loadbalance vip inservice

    loadbalance policy QA-group_5_REDIRECT

    loadbalance vip icmp-reply

  class QA-group_5_HTTP

    loadbalance vip inservice

    loadbalance policy QA-group_5_REDIRECT

interface vlan 25

  ip address 10.37.5.98 255.255.255.0

  access-group input everyone

  service-policy input remote-access

  service-policy input SERVICE_VIPS

  no shutdown

ip route 0.0.0.0 0.0.0.0 10.37.5.1

CSC#

Cisco Employee

Load Balance HTTPS servers with redirection

Hi John,

The configuration is still missing. You will have an issue without the correct configuration. You are putting in the wrong class-map name. Please look at the example I have given.

Regards,

Kanwal

New Member

Load Balance HTTPS servers with redirection

Hello,

When I attempt to use the configuration you provided I get the error "Error: class-map 'SF_QA-group_2_HTTPS' not configured"

Do I need to create a new class?

Cisco Employee

Load Balance HTTPS servers with redirection

Hi John,

Have a careful look below. You will see there is no class 'SF_QA-group_2_HTTPS'; that is the serverfarm. The class map will be QA-group_1_HTTP or class class-default.

policy-map type loadbalance first-match QA-group_1_REDIRECT
  class QA-group_1_HTTP
    serverfarm SF_QA-group_1_REDIRECT
  class class-default
    serverfarm SF_QA-group_1_HTTPS

Look at bold portion. Those are class-map names that you need to associate with corresponding policy-map type loadbalance first-match x x x x x x

class-map match-all QA-group_1_HTTP
  3 match virtual-address 10.37.5.93 tcp eq www
class-map match-all QA-group_1_HTTPS
  3 match virtual-address 10.37.5.93 tcp eq https
class-map match-all QA-group_2_HTTP
  3 match virtual-address 10.37.5.94 tcp eq www
class-map match-all QA-group_2_HTTPS
  3 match virtual-address 10.37.5.94 tcp eq https
class-map match-all QA-group_3_HTTP
  3 match virtual-address 10.37.5.95 tcp eq www
class-map match-all QA-group_3_HTTPS
  3 match virtual-address 10.37.5.95 tcp eq https
class-map match-all QA-group_4_HTTP
  3 match virtual-address 10.37.5.96 tcp eq www
class-map match-all QA-group_4_HTTPS
  3 match virtual-address 10.37.5.76 tcp eq https
class-map match-all QA-group_5_HTTP
  3 match virtual-address 10.37.5.97 tcp eq www
class-map match-all QA-group_5_HTTPS
  3 match virtual-address 10.37.5.97 tcp eq https

The HTTPS class-maps would come under policy-map multi match which are already there.

Let me know if that helps or you have any questions.

First time is tricky:)

Regards,

Kanwal

New Member

Load Balance HTTPS servers with redirection

Fnu,

I must have pasted the wrong error in my last reply. Below is the correct error generated when I attempt to add the class.

CSC(config)# policy-map type loadbalance first-match QA-group_1_REDIRECT

CSC(config-pmap-lb)# class QA-group_1_HTTP

Error: Specified class-map is not consistent with the policy-map type

CSC(config-pmap-lb)# class QA-group_1_HTTPS

Error: Specified class-map is not consistent with the policy-map type

CSC5(config-pmap-lb)#

Cisco Employee

Load Balance HTTPS servers with redirection

Hi John,

Forget this configuration. I will give you the configuration; please try that. I will give it to you for one rserver, one serverfarm, one class map. Please do the same for the rest of them. Test one first and replicate to the others.

rserver redirect QA-group_1_redirect_rserver
  webhost-redirection https://10.37.5.93/ 302
  inservice

This is the redirect server.

rserver host QA-1.1
  ip address 10.37.5.111
  inservice
rserver host QA-1.2
  ip address 10.37.5.88
  inservice

Normal servers to which the traffic would be loadbalanced.

serverfarm redirect SF_QA-group_1_REDIRECT
  rserver QA-group_1_redirect_rserver
    inservice

This is the redirect serverfarm.

serverfarm host SF_QA-group_1_HTTPS
  failaction reassign
  predictor leastconns
  rserver QA-1.1 443
    inservice
  rserver QA-1.2 443
    inservice

Normal serverfarm with two rservers in it to which we will loadbalance the traffic.

class-map match-all QA-group_1_HTTP
  3 match virtual-address 10.37.5.93 tcp eq www

This class-map is the condition for redirection: the user comes to 10.37.5.93 on port 80.

class-map match-all QA-group_1_HTTPS
  3 match virtual-address 10.37.5.93 tcp eq https

Condition for a user coming in on port 443.

policy-map type loadbalance first-match QA-group_1_REDIRECT
  class class-default
    serverfarm SF_QA-group_1_REDIRECT

This is a policy, or action, which the ACE will take after the condition matches, which is to redirect.

policy-map type loadbalance first-match QA_GROUP1_HTPPS
  class class-default
    serverfarm SF_QA-group_1_HTTPS

This is for HTTPS.

policy-map multi-match SERVICE_VIPS
  class QA-group_1_HTTP
    loadbalance vip inservice
    loadbalance policy QA-group_1_REDIRECT
    loadbalance vip icmp-reply
  class QA-group_1_HTTPS
    loadbalance vip inservice
    loadbalance policy QA_GROUP1_HTPPS
    loadbalance vip icmp-reply

Same action is applied to the policy. If it matches class QA-group_1_HTTP, redirect it, since the redirect policy is applied, and if it matches class QA-group_1_HTTPS, loadbalance the traffic, since the LB policy is applied.

Hope this clears everything. My bad for not being clear. Also, note that I have not used sticky here. I have done this just as an example. This is how your configuration should look for all the groups.

Again let me know if you have any questions.

Regards,

Kanwal
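The reply above chains class-map (VIP and port), multi-match policy, loadbalance policy, serverfarm and rserver. The Python below is an added example, not part of the thread and not a Cisco tool: it reads ACE running-config text and reports breaks in that chain, using the group 4 lines from the earlier "show run" as sample input. The function names and the three checks are this example's own choices.

```python
from urllib.parse import urlsplit

# Sample input: group 4 from the thread's second "show run", trimmed.
SAMPLE_CONFIG = """\
rserver redirect QA-group_4_redirect_rserver
  webhost-redirection https://10.37.5.96/ 302
serverfarm host SF_QA-group_4_HTTPS
  rserver QA-4.1 443
serverfarm redirect SF_QA-group_4_REDIRECT
  rserver QA-group_4_redirect_rserver
class-map match-all QA-group_4_HTTP
  3 match virtual-address 10.37.5.96 tcp eq www
class-map match-all QA-group_4_HTTPS
  3 match virtual-address 10.37.5.76 tcp eq https
policy-map type loadbalance first-match QA-group_4_REDIRECT
  class class-default
    serverfarm SF_QA-group_4_HTTPS
policy-map multi-match SERVICE_VIPS
  class QA-group_4_HTTPS
    loadbalance policy QA-group_4_REDIRECT
  class QA-group_4_HTTP
    loadbalance policy QA-group_4_REDIRECT
"""
PORTS = {"www": 80, "https": 443}  # port keywords that appear in the thread
LB = ["policy-map", "type", "loadbalance"]


def parse(config):
    """Collect the objects the checks need from ACE running-config text."""
    cfg = {"urls": {}, "farms": {}, "vips": {}, "policies": {}, "bindings": []}
    top, cls = [""], None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():  # an unindented line starts a new object
            top, cls = words, None
            if top[0] == "serverfarm":  # running-config prints "host" or "redirect"
                cfg["farms"][top[-1]] = {"type": top[1], "rservers": []}
            elif top[:3] == LB:
                cfg["policies"][top[-1]] = []
        elif top[:2] == ["rserver", "redirect"] and words[0] == "webhost-redirection":
            cfg["urls"][top[-1]] = words[1]
        elif top[0] == "serverfarm" and words[0] == "rserver":
            port = int(words[2]) if len(words) > 2 else None
            cfg["farms"][top[-1]]["rservers"].append((words[1], port))
        elif top[0] == "class-map" and "virtual-address" in words:
            vip = words[words.index("virtual-address") + 1]
            port = PORTS.get(words[-1]) or (int(words[-1]) if words[-1].isdigit() else None)
            cfg["vips"].setdefault(top[-1], []).append((vip, port))
        elif top[0] == "policy-map" and words[0] == "class":
            cls = words[1]
        elif top[:3] == LB and words[0] in ("serverfarm", "sticky-serverfarm"):
            # sticky-serverfarm names a sticky group, so lint() does not resolve it
            cfg["policies"][top[-1]].append((words[0], words[1]))
        elif top[:2] == ["policy-map", "multi-match"] and words[:2] == ["loadbalance", "policy"]:
            cfg["bindings"].append((cls, words[2]))
    return cfg


def lint(config):
    """Return findings about the VIP -> policy -> serverfarm chain."""
    cfg, findings, used = parse(config), [], set()
    for cls, policy in cfg["bindings"]:
        actions = cfg["policies"].get(policy)
        if not actions:
            findings.append(f"{cls}: policy {policy} is undefined or has no serverfarm")
            continue
        ports = {port for _, port in cfg["vips"].get(cls, [])}
        for name in (n for keyword, n in actions if keyword == "serverfarm"):
            used.add(name)
            farm = cfg["farms"].get(name)
            if farm is None:
                findings.append(f"{policy}: serverfarm {name} is not defined")
            elif (farm["type"] == "host" and 80 in ports
                  and any(p == 443 for _, p in farm["rservers"])):
                findings.append(f"{cls}: port 80 VIP goes to {name} (rservers on 443), "
                                "not to a redirect serverfarm")
    bound = [v for c, _ in cfg["bindings"] for v in cfg["vips"].get(c, [])]
    own_vips = {ip for vips in cfg["vips"].values() for ip, _ in vips}
    redirects = {n: f for n, f in cfg["farms"].items() if f["type"] == "redirect"}
    for name, farm in redirects.items():
        if name not in used:
            findings.append(f"{name}: redirect serverfarm is not used by any bound policy")
        for rserver, _ in farm["rservers"]:
            url = urlsplit(cfg["urls"].get(rserver, ""))
            want = url.port or {"https": 443, "http": 80}.get(url.scheme)
            # A VIP matched with "any" (port None) covers every port.
            hit = any(ip == url.hostname and p in (want, None) for ip, p in bound)
            if url.hostname in own_vips and not hit:
                findings.append(f"{rserver}: redirects to {url.hostname}:{want}, "
                                "which no bound class-map matches")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)))
```

On the sample it reports three findings: the port 80 VIP is load balanced instead of redirected, the redirect serverfarm is unused, and the redirect points at 10.37.5.96:443 while the HTTPS class-map matches 10.37.5.76.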

New Member

Load Balance HTTPS servers with redirection

Fnu,

Thanks for getting me started in the right direction. I used the configuration you provided and added the access lists and interface info.

I can see that it is redirecting traffic from http to https, however the page fails after redirection to https. I have verified that both real server addresses are accessible directly.

In Wireshark (I don't see an option to attach a file here) I can see the 3 way handshake for http, but when it redirects to https the connection is reset.

It appears something is missing that would forward the traffic after redirection.

Below is the current config.

CSC# show run

Generating configuration....

access-list everyone line 1 extended permit ip any any

access-list everyone line 2 extended permit icmp any any

rserver host QA-1.1

  ip address 10.37.5.111

  inservice

rserver host QA-1.2

  ip address 10.37.5.88

  inservice

rserver redirect QA-group_1_redirect_rserver

  webhost-redirection https://10.37.5.93/ 302

  inservice

serverfarm host SF_QA-group_1_HTTPS

  failaction reassign

  predictor leastconns

  rserver QA-1.1 443

    inservice

  rserver QA-1.2 443

    inservice

serverfarm redirect SF_QA-group_1_REDIRECT

  rserver QA-group_1_redirect_rserver

    inservice

class-map match-all QA-group_1_HTTP

  3 match virtual-address 10.37.5.93 tcp eq www

class-map match-all QA-group_1_HTTPS

  3 match virtual-address 10.37.5.93 tcp eq https

policy-map type loadbalance first-match QA-group_1_REDIRECT

  class class-default

    serverfarm SF_QA-group_1_REDIRECT

policy-map type loadbalance first-match QA_GROUP1_HTPPS

  class class-default

    serverfarm SF_QA-group_1_HTTPS

policy-map multi-match SERVICE_VIPS

  class QA-group_1_HTTP

    loadbalance vip inservice

    loadbalance policy QA-group_1_REDIRECT

    loadbalance vip icmp-reply

  class QA-group_1_HTTPS

    loadbalance vip inservice

    loadbalance policy QA_GROUP1_HTPPS

    loadbalance vip icmp-reply

interface vlan 25

  ip address 10.37.5.72 255.255.255.0

  access-group input everyone

  service-policy input SERVICE_VIPS

  no shutdown

ip route 0.0.0.0 0.0.0.0 10.37.5.1

CSC#

Cisco Employee

Load Balance HTTPS servers with redirection

Hi John,

This configuration looks fine. What is the default gateway of servers here? If the default GW of servers is not ACE then you might need NAT or route. Do you see any traffic coming from ACE to the server? If you take client capture do you see SSL handshake happening?

What do you see in show conn address .

Filter with client IP to see what happens.

Regards,

Kanwal

New Member

Load Balance HTTPS servers with redirection

Fnu,

The default gateway of the servers is not the ACE. The ACE shares the same default gateway as the servers.

Below is the output from show conn address:

conn-id    np dir proto vlan source                destination           state

----------+--+---+-----+----+---------------------+---------------------+------+

623415     2  in  TCP   25   172.20.45.194:62665   10.37.5.93:443        SYNSEEN

1526026    2  out TCP   25   10.37.5.111:443       172.20.45.194:62665   INIT

1899590    3  in  TCP   25   172.20.45.194:62664   10.37.5.93:443        SYNSEEN

1117936    3  out TCP   25   10.37.5.111:443       172.20.45.194:62664   INIT

340226     4  in  TCP   25   172.20.45.194:62666   10.37.5.93:443        SYNSEEN

1785542    4  out TCP   25   10.37.5.111:443       172.20.45.194:62666   INIT

Cisco Employee

Load Balance HTTPS servers with redirection

Hi John,

So that's a problem then. Return traffic from server should also pass through ACE. ACE is not seeing the return traffic. This is Asymmetric routing. You will either have to do src nat or change the default gateway of servers to ACE. Try changing for one serverfarm (two servers in a serverfarm) and test again. If that works you know this is the issue or you can add a route on the server as well.

Regards,

Kanwal
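The diagnosis in the reply above can be read straight off the connection table. The Python below is an added example, not part of the thread: it parses the "show conn address" output quoted earlier, pairs each client-side flow with the server-side flow listed after it, and flags connections stuck at SYNSEEN/INIT. It assumes the in/out rows of one connection are adjacent, as in that output, and reads the two states the way the reply does.

```python
import re
from collections import Counter

# Sample input: the "show conn address" output quoted in the thread.
SAMPLE_CONN = """\
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
623415     2  in  TCP   25   172.20.45.194:62665   10.37.5.93:443        SYNSEEN
1526026    2  out TCP   25   10.37.5.111:443       172.20.45.194:62665   INIT
1899590    3  in  TCP   25   172.20.45.194:62664   10.37.5.93:443        SYNSEEN
1117936    3  out TCP   25   10.37.5.111:443       172.20.45.194:62664   INIT
340226     4  in  TCP   25   172.20.45.194:62666   10.37.5.93:443        SYNSEEN
1785542    4  out TCP   25   10.37.5.111:443       172.20.45.194:62666   INIT
"""

FIELDS = ("conn_id", "np", "dir", "proto", "vlan", "source", "destination", "state")
ROW = re.compile(r"^(\d+)\s+(\d+)\s+(in|out)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_conn_table(text):
    """Turn data rows into dicts; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            rows.append(dict(zip(FIELDS, match.groups())))
    return rows


def pair_flows(rows):
    """Pair each client-side ("in") row with the "out" row that follows it.

    Assumption of this example: the two flows of a connection are listed
    one after the other and share the same np value.
    """
    pairs, pending = [], None
    for row in rows:
        if row["dir"] == "in":
            pending = row
        elif pending is not None and row["np"] == pending["np"]:
            pairs.append((pending, row))
            pending = None
    return pairs


def stalled_handshakes(rows):
    """Connections where the client SYN was seen but the rserver side is still INIT."""
    stalled = []
    for inbound, outbound in pair_flows(rows):
        if inbound["state"] == "SYNSEEN" and outbound["state"] == "INIT":
            stalled.append({
                "client": inbound["source"],
                "vip": inbound["destination"],
                "rserver": outbound["source"],
                # Without source NAT the expected reply is addressed to the
                # client itself, so it follows the server's own default route.
                "source_nat": outbound["destination"] != inbound["source"],
            })
    return stalled


def summarize(text):
    """Count stalled handshakes per (VIP, rserver) pair."""
    found = stalled_handshakes(parse_conn_table(text))
    return Counter((s["vip"], s["rserver"]) for s in found)


if __name__ == "__main__":
    for (vip, rserver), count in summarize(SAMPLE_CONN).items():
        print(f"{count} stalled handshake(s) on {vip}: nothing seen back from {rserver}")
```

Every connection in the sample is stalled toward 10.37.5.111:443 with no source NAT on the server-side flow, which matches the two remedies named in the reply: source NAT, or a server return path through the ACE.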

New Member

Load Balance HTTPS servers with redirection

I added source nat and the redirection is working now. However, I have made an error in the configuration which is preventing one of the server farms from being used. I tried to delete the config line in question, but the ACE said it was in use. Is there a way to free it, so I can delete it and re-enter it with the correct info?

I tried "no class-map match-all QA-group_4_HTTPS"

Error: class-map 'QA-group_4_HTTPS' is in use. Deletion not allowed

class-map match-all QA-group_4_HTTP

3 match virtual-address 10.37.5.96 tcp eq www

class-map match-all QA-group_4_HTTPS

3 match virtual-address 10.37.5.76 tcp eq https

Cisco Employee

Load Balance HTTPS servers with redirection

Hi John,

Remove the class map from policy map and then remove it. That should do the trick.

Regards,

Kanwal

New Member

Load Balance HTTPS servers with redirection

Hi Fnu,

I've been following this post to figure out the problem with my configuration. I have a VIP redirecting to 2 real servers, 172.x.x.114 and 115 respectively. The url to be accessed is http://ofrv.a.b/portal/page. This has to be redirected to the 2 servers on ofr1.a.b and ofr2.a.b on port 8090. This is where I have a problem. I'm a newbie to ACE, so I'm lost with the configuration. The current configuration was configured by someone else and since the guy is on vacation I'm having to fix this port redirection. Oracle support said it needs a NAT bounce back rule on the Cisco LBR. Is this the same as the one in this post? I'm not exactly sure how this is to be done. Kindly help me figure out the problem with the configuration.


Generating configuration....


resource-class COM
  limit-resource all minimum 10.00 maximum unlimited

boot system image:c4710ace-mz.A3_2_0.bin

hostname ACE
interface gigabitEthernet 1/1
  no shutdown
interface gigabitEthernet 1/2
  description Server-Side
  switchport access vlan 2
  no shutdown
interface gigabitEthernet 1/3
  qos trust cos
  no shutdown
interface gigabitEthernet 1/4
  shutdown

context Admin
  member COM

access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any

probe icmp ICMP_PROBE1
  description *** Probe for icmp health monitoring ***
  interval 5
  faildetect 2
  passdetect interval 10
  passdetect count 2


probe http OFR-HTTP3
  interval 15
  passdetect interval 60
  request method get url http://ofr1.a.b:8090
  expect status 200 201
  open 1
probe http OFR-HTTP4
  interval 15
  passdetect interval 60
  request method get url http://ofr2.a.b:8090
  expect status 200 201
  open 1

optimize
  appscope-log
  debug-level 5

rserver redirect OFR-Server-redirect
  webhost-redirection http://ofrv.a.b/portal/page 302
  inservice
rserver host OFR1-Server
  description Form& Reports Server
  ip address 172.x.x.114
  inservice
rserver host OFR2-Server
  description Form& Reports Server
  ip address 172.x.x.115
  inservice


serverfarm redirect OFR-Server_REDIRECT
  rserver OFR-Server-redirect
    inservice

serverfarm host Reports-SF2
  description Forms&Reports Services Farm
  rserver OFR1-Server 7001
    probe ICMP_PROBE1
    inservice
  rserver OFR2-Server 7001
    probe ICMP_PROBE1
    inservice
serverfarm host Reports-SF2-3
  rserver OFR1-Server 9002
    probe ICMP_PROBE1
    inservice
  rserver OFR2-Server 9002
    probe ICMP_PROBE1
    inservice
serverfarm host Reports-SF2-4
  rserver OFR1-Server 9003
    probe ICMP_PROBE1
    inservice
  rserver OFR2-Server 9003
    probe ICMP_PROBE1
    inservice
serverfarm host Reports-SF2-5
  probe OFR-HTTP3
  probe OFR-HTTP4
  rserver OFR1-Server 8090
    probe ICMP_PROBE1
    inservice
  rserver OFR2-Server 8090
    probe ICMP_PROBE1
    inservice
serverfarm host Reports-SF2-two
  rserver OFR1-Server 7002
    probe ICMP_PROBE1
    inservice
  rserver OFR2-Server 7002
    probe ICMP_PROBE1
    inservice

sticky http-cookie Reports HTTP-Cookie-Sticky
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm Reports-SF2
sticky http-cookie Reports HTTP-Cookie-Foram-two
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm Reports-SF2-two
sticky http-cookie Portal HTTP-Cookie-Portal
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm Portal-SF1
sticky http-cookie Portal HTTP-Cookie-Portal-two
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm Portal-SF1-two
sticky http-cookie Reports HTTP-Cookie-SF2-3
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm Reports-SF2-3
sticky http-cookie Reports HTTP-Cookie-SF2-4
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm Reports-SF2-4
sticky http-cookie INFR HTTP-Cooki-SF1
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm INFR-SF1
sticky http-cookie INFR HTTP-Cooki-SF2
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm INFR-SF2
sticky http-cookie INFR HTTP-Cooki-SF3
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm INFR-SF3
sticky http-cookie INFR HTTP-Cooki-SF4
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm INFR-SF4
sticky http-cookie Reports HTTP-Cookie-SF2-5
  cookie insert browser-expire
  timeout 720
  timeout activeconns
  serverfarm Reports-SF2-5

class-map match-any OFR-VIP
  4 match virtual-address 172.x.x.140 any
class-map match-any OFR-VIP-3
  2 match virtual-address 172.x.x.140 tcp eq 9002
class-map match-any OFR-VIP-4
  2 match virtual-address 172.x.x.140 tcp eq 9003
class-map match-any OFR-VIP-5
  2 match virtual-address 172.x.x.140 tcp eq 8090
  3 match virtual-address 172.x.x.140 tcp eq www
  4 match virtual-address 172.x.x.140 tcp eq https

class-map match-any OFR-VIP-two
  2 match virtual-address 172.x.x.140 tcp eq 7002
class-map type management match-any remote_access
  201 match protocol xml-https any
  202 match protocol icmp any
  203 match protocol telnet any
  204 match protocol ssh any
  205 match protocol http any
  206 match protocol https any
  207 match protocol snmp any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit


policy-map type loadbalance first-match OFR-Server_REDIRECT
  class class-default
    serverfarm OFR-Server_REDIRECT
policy-map type loadbalance first-match OFR-VIP-l7
  class class-default
    sticky-serverfarm HTTP-Cookie-SF2-3
policy-map type loadbalance first-match OFR-VIP-l7slb
  class class-default
    sticky-serverfarm HTTP-Cookie-Sticky
policy-map type loadbalance first-match OFR-VIP-l7slb-3
  class class-default
    sticky-serverfarm HTTP-Cookie-SF2-3
policy-map type loadbalance first-match OFR-VIP-l7slb-4
  class class-default
    sticky-serverfarm HTTP-Cookie-SF2-4
policy-map type loadbalance first-match OFR-VIP-l7slb-5
  class class-default
    sticky-serverfarm HTTP-Cookie-SF2-5
policy-map type loadbalance first-match OFR-VIP-l7slb-two
  class class-default
    sticky-serverfarm HTTP-Cookie-Foram-two

policy-map multi-match int2
  class OFR-VIP
    loadbalance vip inservice
    loadbalance policy OFR-VIP-l7slb
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 2
  class OFR-VIP-two
    loadbalance vip inservice
    loadbalance policy OFR-VIP-l7slb-two
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 2
  class OFR-VIP-3
    loadbalance vip inservice
    loadbalance policy OFR-VIP-l7slb-3
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 2
  class OFR-VIP-4
    loadbalance vip inservice
    loadbalance policy OFR-VIP-l7slb-4
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 2
 
  class OFR-VIP-5
    loadbalance vip inservice
    loadbalance policy OFR-Server_REDIRECT
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 2

interface vlan 2
  description MGT-Interface
  ip address 172.x.x.142 255.255.0.0
  access-group input ALL
  nat-pool 1 172.x.x.143 172.x.x.143 netmask 255.255.255.255 pat
  service-policy input remote_mgmt_allow_policy
  service-policy input int2
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.x.x.1

Any help would be greatly appreciated.

Thanks and regards

Sbegum
