11-27-2013 01:11 AM
Hi All,
I have configured an application on the Cisco ACE module, for which I have an additional requirement for URL redirection.
The application setup is as below.
VIP: 10.232.92.x/24, which points to 2 web servers in the 10.232.94.x/24 range. In addition, the app team wants the APP servers to be load balanced as well, hence a new VIP is configured in 10.232.92.x/24 which points to 2 different app servers in 10.232.94.x/24.
Both the web and app servers have different IPs but are in the same broadcast domain. SSL termination is done on the ACE.
Issue: 1) After initiating the connection I get the login page, but after login it again gives the login page. After 2 to 3 trials it gives me the application page, but with an invalid session error.
2) How to redirect an https connection to a different path.
Ex. https://apps.xyz.com to https://apps.xyz.com/abc
Configuration:
probe tcp rem_app_tcp
  port 2100
  interval 5
  passdetect interval 10
  passdetect count 2
  open 1
probe http rem_itsm_https
  port 80
  interval 5
  passdetect interval 10
  passdetect count 2
  request method get url /keepalive/https.html
  expect status 200 200
  open 1
serverfarm host app_tcp
  predictor leastconns
  probe rem_app_tcp
  rserver server1 2100
    inservice
  rserver server2 2100
    inservice
serverfarm host rem_https
  predictor leastconns
  probe rem_itsm_https
  rserver server3 80
    inservice
  rserver server4 80
    inservice
action-list type modify http remurlrewrite
  ssl url rewrite location "apps\.xyz\.com"
policy-map type loadbalance first-match rem_app_tcp
  class class-default
    serverfarm app_tcp
policy-map type loadbalance first-match rem_itsm_https
  class class-default
    serverfarm rem_https
    action remurlrewrite
class-map match-all VIP_rem_app_tcp
  2 match virtual-address 10.232.92.8 any
class-map match-all VIP_rem_itsm_https
  2 match virtual-address 10.232.92.9 tcp eq https
class-map match-all real_servers_vlan273
  2 match source-address 10.232.94.0 255.255.255.0
policy-map multi-match VIPS
  class real_servers_vlan273
    nat dynamic 1 vlan 273
  class VIP_rem_app_tcp
    loadbalance vip inservice
    loadbalance policy rem_app_tcp
    loadbalance vip icmp-reply
  class VIP_rem_itsm_https
    loadbalance vip inservice
    loadbalance policy rem_itsm_https
    loadbalance vip icmp-reply
    ssl-proxy server Remedy-SSL-PROXY
11-27-2013 05:07 AM
Hi Chirag,
Here's an example of SSL termination and URL redirection. Please look at the BOLD parts below. Any user coming in with HTTP would be redirected to HTTPS, and users coming in on HTTPS would be normally load balanced to the serverfarm.
Let me know if you have any questions.
Example Config
access-list ANYONE line 10 extended permit ip any any
probe http HTTP-KEEPALIVE
  interval 5
  faildetect 3
  passdetect interval 5
  passdetect count 2
  request method get url /keepalive.html
  expect status 200 200
rserver redirect REDIRECT-TO-HTTPS
  webhost-redirection https://%h%p 301
  inservice
rserver host SERVER_01
  ip address 10.10.10.20
  inservice
rserver host SERVER_02
  ip address 10.10.10.21
  inservice
serverfarm redirect REDIRECT-SERVERFARM
  rserver REDIRECT-TO-HTTPS
    inservice
serverfarm host REAL_SERVERS
  probe HTTP-KEEPALIVE
  rserver SERVER_01 80
    inservice
  rserver SERVER_02 80
    inservice
ssl-proxy service SSL_SERVICE
  key mykey.pem
  cert mycert.pem
class-map match-all HTTP-VIP
  2 match virtual-address 172.21.162.178 tcp eq http
class-map match-all HTTPS-VIP
  2 match virtual-address 172.21.162.178 tcp eq https
class-map type management match-any MANAGEMENT
  2 match protocol icmp any
  3 match protocol telnet any
policy-map type management first-match REMOTE_MGT
  class MANAGEMENT
    permit
policy-map type loadbalance first-match REDIRECT-PM
  class class-default
    serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match LOAD-BALANCE-PM
  class class-default
    serverfarm REAL_SERVERS
policy-map multi-match WEB-TRAFFIC
  class HTTP-VIP
    loadbalance vip inservice
    loadbalance policy REDIRECT-PM
  class HTTPS-VIP
    loadbalance vip inservice
    loadbalance policy LOAD-BALANCE-PM
    loadbalance vip icmp-reply active
    ssl-proxy server SSL_SERVICE
interface vlan 200
  ip address 172.21.162.10 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input WEB-TRAFFIC
  no shutdown
interface vlan 201
  ip address 10.10.10.1 255.255.0.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.21.162.1
Regards,
Kanwal
11-27-2013 05:36 AM
Hi Kanwaljeet
Thanks for your config. I will implement it and let you know.
Regards
Chirag
11-27-2013 05:10 AM
Hi Chirag,
Also, for HTTPS to HTTPS URL redirection, you will need to define the SSL proxy in the policy multi-match. Basically just replace HTTP with HTTPS in the class map, bind the SSL proxy with the class (http in the above example), and the class map should match on HTTPS as well. You can define the string in the redirect rserver instead of %h and %p.
Let me know if you have any questions.
Regards,
Kanwal
11-27-2013 05:41 AM
Hi Kanwaljeet,
I have already applied the SSL proxy in the policy multi-match, which is working fine, but the issue is that after 2 or 3 tries I am able to get into the application, but with a session error (Invalid session).
policy-map multi-match VIPS
  class real_servers_vlan273
    nat dynamic 1 vlan 273
  class VIP_rem_app_tcp
    loadbalance vip inservice
    loadbalance policy rem_app_tcp
    loadbalance vip icmp-reply
  class VIP_rem_itsm_https
    loadbalance vip inservice
    loadbalance policy rem_itsm_https
    loadbalance vip icmp-reply
    ssl-proxy server Remedy-SSL-PROXY
Regards
Chirag
11-27-2013 06:53 AM
Hi Chirag,
If you need HTTPS to HTTPS redirection, you will need to apply the SSL proxy on the redirect class map under the policy multi-match. If session persistence is a problem, then you can use sticky source-IP based or cookie based (if the server is setting the cookie) to ensure that sessions from a client stick to the same server.
If you have any questions regarding that let me know.
Regards,
Kanwal
11-27-2013 08:47 PM
Hi Kanwaljeet,
I have applied the below config for HTTPS URL redirection. It seems it didn't work for me. The redirect serverfarm and policy map were not hit.
access-list ANY line 8 extended permit ip any any
probe tcp rem_app_tcp
  port 2100
  interval 5
  passdetect interval 10
  passdetect count 2
  open 1
probe http rem_itsm_https
  port 80
  interval 5
  passdetect interval 10
  passdetect count 2
  request method get url /keepalive/https.html
  expect status 200 200
  open 1
ip domain-name nls.jlrint.com
ip name-server 10.226.0.10
ip name-server 10.226.128.10
rserver redirect REDIRECT-TO-HTTPS
  webhost-redirection https://%h/arsys 301
  inservice
rserver host serv1
  ip address 10.232.94.74
  inservice
rserver host serv2
  ip address 10.232.94.75
  inservice
rserver host serv3
  ip address 10.232.94.76
  inservice
rserver host serv4
  ip address 10.232.94.77
  inservice
serverfarm redirect REDIRECT-SERVERFARM
  predictor leastconns
  rserver REDIRECT-TO-HTTPS
    inservice
serverfarm host rem_app_tcp
  predictor leastconns
  probe rem_app_tcp
  rserver serv1 2100
    inservice
  rserver serv2 2100
    inservice
serverfarm host rem_itsm_https
  predictor leastconns
  probe rem_itsm_https
  rserver serv3 80
    inservice
  rserver serv4 80
    inservice
ssl-proxy service Remedy-SSL-PROXY
  key Remkey.pem
  cert Remcert.pem
class-map type management match-any MANAGEMENT_CLASS
  3 match protocol ssh any
  4 match protocol snmp any
  5 match protocol icmp any
  6 match protocol http any
  7 match protocol https any
class-map match-all VIP_rem_app_tcp
  2 match virtual-address 10.232.92.8 any
class-map match-all VIP_rem_itsm_http
  2 match virtual-address 10.232.92.9 tcp eq www
class-map match-all VIP_rem_itsm_https
  2 match virtual-address 10.232.92.9 tcp eq https
class-map match-all real_servers_vlan273
  2 match source-address 10.232.94.0 255.255.255.0
policy-map type management first-match MANAGEMENT_POLICY
  class MANAGEMENT_CLASS
    permit
policy-map type loadbalance first-match REDIRECT-PM
  class class-default
    serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match rem_app_tcp
  class class-default
    serverfarm rem_app_tcp
policy-map type loadbalance first-match rem_itsm_https
  class class-default
    serverfarm rem_itsm_https
policy-map multi-match VIPS
  class real_servers_vlan273
    nat dynamic 1 vlan 273
  class VIP_rem_itsm_http
    loadbalance vip inservice
    loadbalance policy REDIRECT-PM
  class VIP_rem_itsm_https
    loadbalance vip inservice
    loadbalance policy rem_itsm_https
    loadbalance vip icmp-reply
    ssl-proxy server Remedy-SSL-PROXY
  class VIP_rem_app_tcp
    loadbalance vip inservice
    loadbalance policy rem_app_tcp
    loadbalance vip icmp-reply
interface vlan 270
  description VIP
  ip address 10.232.92.4 255.255.255.0
  alias 10.232.92.6 255.255.255.0
  peer ip address 10.232.92.5 255.255.255.0
  access-group input ANY
  service-policy input MANAGEMENT_POLICY
  service-policy input VIPS
  no shutdown
interface vlan 273
  description Real server
  ip address 10.232.94.66 255.255.255.192
  alias 10.232.94.65 255.255.255.192
  peer ip address 10.232.94.67 255.255.255.192
  access-group input ANY
  nat-pool 1 10.232.92.253 10.232.92.253 netmask 255.255.255.0 pat
  service-policy input MANAGEMENT_POLICY
  service-policy input VIPS
  no shutdown
11-27-2013 09:24 PM
Hi Kanwaljeet,
As suggested, after applying the sticky configuration, the session error is solved.
Still, the https redirection to a specific path is not working.
Regards
Chirag
11-28-2013 05:31 AM
Hi Chirag,
Hope the below example helps.
rserver redirect kanwal
  webhost-redirection https://test.com
  inservice
serverfarm redirect kanwal
  rserver kanwal
    inservice
ssl-proxy service kanwal
  key cisco-sample-key
  cert cisco-sample-cert
class-map match-all kanwal
  2 match virtual-address 10.86.212.36 tcp eq https
policy-map type loadbalance first-match kumar
  class class-default
    serverfarm kanwal
policy-map multi-match POLICY
  class kanwal
    loadbalance vip inservice
    loadbalance policy kumar
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 5
    ssl-proxy server kanwal
interface vlan 5
  ip address 10.86.212.35 255.255.255.0
  no normalization
  access-group input allow_all
  nat-pool 1 10.86.212.37 10.86.212.37 netmask 255.255.255.255 pat
  nat-pool 1 10.86.212.22 10.86.212.24 netmask 255.255.255.255 pat
  service-policy input Management
  service-policy input POLICY
Regards,
Kanwal
11-28-2013 05:45 AM
Hi Kanwal,
Not sure whether you left the real server farm out of your provided configuration intentionally. If that is not the case, then how will the client request reach the real web server?
My client connection flow to the application is as below.
client https connection ---> Web server VIP ----> Real Web server ---> App server VIP -----> Real App server.
Hope I have given the required information. Let me know if you need more info to sort out the redirection issue.
Regards
Chirag
11-28-2013 06:08 AM
Hi Chirag,
Not sure what you mean by my leaving out the real server configuration.
When you are using the ACE for redirection there are no actual real servers to which the traffic gets load balanced. The traffic goes to the redirect rserver, which redirects the client to the URL specified in the webhost redirection, and when the client comes back with the NEW URL it is load balanced to the actual real servers once it matches their condition.
Now, if your real servers are redirecting the traffic and you want the ACE to intercept the traffic and rewrite HTTP to HTTPS, then you need to use the "rewrite" functionality.
It depends what you want.
Regards,
Kanwal
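The redirect flow Kanwal describes (client hits the redirect rserver, comes back with the new URL, and only then matches the class that load balances to real servers) has a failure mode worth checking before it is deployed: if every HTTPS request on the VIP lands on the redirect class, the request for /arsys is itself redirected to /arsys and the browser loops. The Python below is an added example, not ACE code or anything from the thread's authors. It expands the webhost-redirection tokens (%h is the Host header, %p the request path), walks one client request through a first-match rule table, and flags a loop. The rule tables, the host name apps.xyz.com and the farm name rem_itsm_https are constructed from values in the thread; the assumption that the HTTPS policy can be split by path (on the ACE that would be a layer-7 load-balance class for the target path) is mine.

```python
from urllib.parse import urlsplit

MAX_HOPS = 5  # loop guard: a sane redirect chain needs far fewer hops


def expand_redirect(template: str, host: str, path: str) -> str:
    """Expand an ACE webhost-redirection string: %h becomes the Host header,
    %p the request URL path (the two tokens mentioned in the thread)."""
    return template.replace("%h", host).replace("%p", path)


def classify(rules, scheme: str, path: str):
    """First-match over (scheme, path_prefix, action); None if nothing matches.
    action is ("redirect", template) for a redirect serverfarm or
    ("farm", name) for a host serverfarm."""
    for rule_scheme, prefix, action in rules:
        if rule_scheme == scheme and path.startswith(prefix):
            return action
    return None


def follow(rules, url: str, max_hops: int = MAX_HOPS):
    """Walk one client request through the policy.
    Returns (serverfarm, hops); raises RuntimeError on a redirect loop."""
    visited = {url}
    hops = 0
    while hops <= max_hops:
        parts = urlsplit(url)
        path = parts.path or "/"
        action = classify(rules, parts.scheme, path)
        if action is None:
            raise LookupError(f"no VIP class matches {url}")
        kind, value = action
        if kind == "farm":
            return value, hops
        location = expand_redirect(value, parts.hostname, path)
        if location in visited:
            raise RuntimeError(f"redirect loop: {url} -> {location}")
        visited.add(location)
        url = location
        hops += 1
    raise RuntimeError(f"more than {max_hops} redirects from {url}")


def loops(rules, url: str) -> bool:
    """True if the policy sends this URL into a redirect loop."""
    try:
        follow(rules, url)
        return False
    except RuntimeError:
        return True


# Constructed rule sets (host and farm names taken from the thread).
# A redirect class for *every* HTTPS request keeps bouncing /arsys to /arsys:
LOOPING = [
    ("http", "/", ("redirect", "https://%h%p")),
    ("https", "/", ("redirect", "https://%h/arsys")),
]
# Exempting the target path (a path-matching class listed first, an assumed
# layer-7 class on the ACE) lets the second request reach the real servers:
WORKING = [
    ("http", "/", ("redirect", "https://%h%p")),
    ("https", "/arsys", ("farm", "rem_itsm_https")),
    ("https", "/", ("redirect", "https://%h/arsys")),
]

if __name__ == "__main__":
    print(follow(WORKING, "http://apps.xyz.com/"))  # ('rem_itsm_https', 2)
    print(loops(LOOPING, "https://apps.xyz.com/"))  # True
```

Running it shows the two-hop chain (HTTP to HTTPS, then / to /arsys) ending on the real serverfarm, and the single-class variant looping on the first HTTPS request. The same walk is a cheap pre-check for any redirect template: anything whose expansion still matches the redirect class is a loop.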
12-26-2013 06:31 PM
Hi,
After configuring the sticky cookie setting, communication started working. Now we are facing the below issue.
type Status report
message
description The requested resource () is not available.
Below is the configuration.
sticky http-cookie remcookie sticky-cookie
  cookie insert browser-expire
  serverfarm rem_itsm_https
# sh sticky cookie-insert group sticky-cookie
Cookie | HashKey | rserver-instance
------------+----------------------+----------------------------------------+
R873262639 | 16960298075973544399 | rem_itsm_https/gal72780:80
R873298576 | 17566878952707561616 | rem_itsm_https/gal72781:80
Are you suspecting anything on the load balancer for the above issue? Access directly to the web server is working fine, which leaves me puzzled.
Regards
Chirag
12-27-2013 07:15 AM
Hi Chirag,
Sticky cookie is a method used for persistence, and based on the above I cannot say whether there is a problem with the LB. I see that you are using cookie insert; if the client comes back with the same cookie it should be sent to the same server, or else it would be load balanced, and hence that may be the issue. If you test with just one server in the serverfarm, does everything work fine? Do you see that the client is coming back with the same cookie which was inserted by the ACE in the server reply? What is the status of the servers in the serverfarm: are they showing operational, out of service, failed, etc.? I assume everything was working fine and this started happening suddenly; if that is the case, what has changed? We would need more information here to actually see what is going on.
Regards,
Kanwal
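Kanwal's key question is whether the client returns the cookie the ACE inserted, because a request without it gets a fresh load-balancing decision and may land on the other server. The Python below is an added example, not ACE code or anything from the thread's authors: it parses the "show sticky cookie-insert group" table posted above into a cookie-to-rserver map, then reads the Cookie header of successive requests from one client (constructed sample headers) and reports whether they all resolve to the same rserver. The cookie name remcookie and the cookie and rserver values come from the thread; the JSESSIONID value is constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the layout of "show sticky cookie-insert group <name>"
# quoted in the thread (cookie values and rserver names as posted there).
SHOW_STICKY = """\
Cookie | HashKey | rserver-instance
------------+----------------------+----------------------------------------+
R873262639 | 16960298075973544399 | rem_itsm_https/gal72780:80
R873298576 | 17566878952707561616 | rem_itsm_https/gal72781:80
"""

# A data row: cookie | numeric hash key | serverfarm/rserver:port
ROW = re.compile(r"^\s*(\S+)\s*\|\s*(\d+)\s*\|\s*(\S+)\s*$")


def parse_sticky_table(text: str) -> Dict[str, str]:
    """Map each inserted cookie value to the rserver instance it pins to.
    The header and separator lines do not match ROW and are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(1)] = m.group(3)
    return table


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a request Cookie header into name -> value."""
    jar: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar


def stuck_rserver(cookie_header: str, cookie_name: str,
                  table: Dict[str, str]) -> Optional[str]:
    """rserver the request sticks to, or None when the client did not send
    the inserted cookie (or sent a value not in the sticky database), which
    means the ACE makes a fresh load-balancing decision for that request."""
    value = parse_cookie_header(cookie_header).get(cookie_name)
    return table.get(value) if value is not None else None


def persistence_report(cookie_headers: List[str], cookie_name: str,
                       table: Dict[str, str]) -> dict:
    """Evaluate the Cookie headers of successive requests from one client.
    'consistent' is True only if every request carries a known cookie and
    all of them resolve to the same rserver."""
    targets = [stuck_rserver(h, cookie_name, table) for h in cookie_headers]
    consistent = len(set(targets)) == 1 and targets[0] is not None
    return {"targets": targets, "consistent": consistent}


if __name__ == "__main__":
    table = parse_sticky_table(SHOW_STICKY)
    # Constructed request headers: the second request lost the ACE cookie.
    report = persistence_report(
        ["JSESSIONID=abc123; remcookie=R873262639", "JSESSIONID=abc123"],
        "remcookie", table)
    print(report)  # {'targets': ['rem_itsm_https/gal72780:80', None], 'consistent': False}
```

Feed it the Cookie headers from a client-side capture of one login sequence: a None in the targets list is a request the browser sent without the inserted cookie, and two different rservers in the list is exactly the split session the thread describes.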
12-30-2013 07:17 AM
Hi,
As per the application team, they applied a new patch on the OS, which was the only change they made on the server end.
I have tried to clear the sticky database, but it again gives the same cookie ID after clearing it. I have tried removing one server, but it didn't work with the other server either.
One doubt is why it takes the same cookie ID after clearing the sticky database?
Are there any other checks you want me to test again?
Regards
Chirag
12-30-2013 07:26 AM
Hi Chirag,
The cookie is inserted by the ACE and depends upon server parameters, which are the same, so you see the same cookie. This should be normal. If it is not working with one server, then it is not a cookie issue. Something else is going on here.
What do you see in the "show conn" table? Filter the output with the VIP or client IP. Clear the statistics and use "show service-policy
What is the status of the servers in the serverfarm? Did you check whether the probes are passing and the server state is operational? show serverfarm
Regards,
Kanwal