Hi Kanwaljeet

Thanks for your config. I will implement it and let you know.

Regards

Chirag

Hi Kanwaljeet,

I have already applied SSL proxy in policy multimatch. Which is worrking fine but issue is after 2 or 3 try i am able to get in application but with session error (Invalid session)

policy-map multi-match VIPS

  class real_servers_vlan273

    nat dynamic 1 vlan 273

  class VIP_rem_app_tcp

    loadbalance vip inservice

    loadbalance policy rem_app_tcp

    loadbalance vip icmp-reply

  class VIP_rem_itsm_https

    loadbalance vip inservice

    loadbalance policy rem_itsm_https

    loadbalance vip icmp-reply

   ssl-proxy server Remedy-SSL-PROXY

Regards

Chirag

Hi Chirag,

if you need HTTPS TO HTTPS redirection you will need to apply ssl proxy on redirect class map under policy multi-match. If session persistence is a problem then you can use sticky source IP based or cookie based(if server is setting the cookie) to ensure that sessions from client stick to the same server.

If you have any questions regarding that let me know.

Regards,

Kanwal

Hi Kanwaljeet,

I have applied below config for HTTPS URL redirection. Seems it dint work for me. Redirect serverfarm and policy map was not hitted.

access-list ANY line 8 extended permit ip any any

probe tcp rem_app_tcp

  port 2100

  interval 5

  passdetect interval 10

  passdetect count 2

  open 1

probe http rem_itsm_https

  port 80

  interval 5

  passdetect interval 10

  passdetect count 2

  request method get url /keepalive/https.html

  expect status 200 200

  open 1

ip domain-name nls.jlrint.com

ip name-server 10.226.0.10

ip name-server 10.226.128.10

rserver redirect REDIRECT-TO-HTTPS

  webhost-redirection https://%h/arsys 301

  inservice

rserver host serv1

  ip address 10.232.94.74

  inservice

rserver host serv2

  ip address 10.232.94.75

  inservice

rserver host serv3

  ip address 10.232.94.76

  inservice

rserver host serv4

  ip address 10.232.94.77

  inservice

serverfarm redirect REDIRECT-SERVERFARM

  predictor leastconns

  rserver REDIRECT-TO-HTTPS

    inservice

serverfarm host rem_app_tcp

  predictor leastconns

  probe rem_app_tcp

  rserver serv1 2100

    inservice

  rserver serv2 2100

    inservice

serverfarm host rem_itsm_https

  predictor leastconns

  probe rem_itsm_https

  rserver serv3 80

    inservice

  rserver serv4 80

    inservice

ssl-proxy service Remedy-SSL-PROXY

  key Remkey.pem

  cert Remcert.pem

class-map type management match-any MANAGEMENT_CLASS

  3 match protocol ssh any

  4 match protocol snmp any

  5 match protocol icmp any

  6 match protocol http any

  7 match protocol https any

class-map match-all VIP_rem_app_tcp

  2 match virtual-address 10.232.92.8 any

class-map match-all VIP_rem_itsm_http

  2 match virtual-address 10.232.92.9 tcp eq www

class-map match-all VIP_rem_itsm_https

  2 match virtual-address 10.232.92.9 tcp eq https

class-map match-all real_servers_vlan273

  2 match source-address 10.232.94.0 255.255.255.0

policy-map type management first-match MANAGEMENT_POLICY

  class MANAGEMENT_CLASS

    permit

policy-map type loadbalance first-match REDIRECT-PM

  class class-default

    serverfarm REDIRECT-SERVERFARM

policy-map type loadbalance first-match rem_app_tcp

  class class-default

    serverfarm rem_app_tcp

policy-map type loadbalance first-match rem_itsm_https

  class class-default

    serverfarm rem_itsm_https

policy-map multi-match VIPS

  class real_servers_vlan273

    nat dynamic 1 vlan 273

  class VIP_rem_itsm_http

    loadbalance vip inservice

    loadbalance policy REDIRECT-PM

  class VIP_rem_itsm_https

    loadbalance vip inservice

    loadbalance policy rem_itsm_https

    loadbalance vip icmp-reply

    ssl-proxy server Remedy-SSL-PROXY

  class VIP_rem_app_tcp

    loadbalance vip inservice

    loadbalance policy rem_app_tcp

    loadbalance vip icmp-reply

interface vlan 270

  description VIP

  ip address 10.232.92.4 255.255.255.0

  alias 10.232.92.6 255.255.255.0

  peer ip address 10.232.92.5 255.255.255.0

  access-group input ANY

  service-policy input MANAGEMENT_POLICY

  service-policy input VIPS

  no shutdown

interface vlan 273

  description Real server

  ip address 10.232.94.66 255.255.255.192

  alias 10.232.94.65 255.255.255.192

  peer ip address 10.232.94.67 255.255.255.192

  access-group input ANY

  nat-pool 1 10.232.92.253 10.232.92.253 netmask 255.255.255.0 pat

  service-policy input MANAGEMENT_POLICY

  service-policy input VIPS

  no shutdown

Hi Kanwaljeet,

As suggested, after applying sticky configuration, Session error is solved.

Still https redirection to specific path is not working.

Regards

Chirag

Hi Chirag,

Hope the below example helps.

rserver redirect kanwal

webhost-redirection https://test.com

  inservice

serverfarm redirect kanwal

  rserver kanwal

   inservice

ssl-proxy service kanwal

  key cisco-sample-key

  cert cisco-sample-cert

class-map match-all kanwal

  2 match virtual-address 10.86.212.36 tcp eq https

policy-map type loadbalance first-match kumar

class class-default

serverfarm kanwal

policy-map multi-match POLICY

class kanwal

loadbalance vip inservice

  loadbalance policy kumar

loadbalance vip icmp-reply

nat dynamic 1 vlan 5

ssl-proxy server kanwal

interface vlan 5

  ip address 10.86.212.35 255.255.255.0

  no normalization

  access-group input allow_all

  nat-pool 1 10.86.212.37 10.86.212.37 netmask 255.255.255.255 pat

  nat-pool 1 10.86.212.22 10.86.212.24 netmask 255.255.255.255 pat

  service-policy input Management

  service-policy input POLICY

Regards,

Kanwal

Hi Kanwal,

Not sure you missed the real server farm in your provided configuration intensionally. If not a case then how client request will point to the real web server?

My Client connection flow to application is as below.

client https connection ---> Web server VIP ----> Real Web server ---> App server VIP -----> Real App server.

Hope i have given required information. Let me know if you need more info to sort out redirection issue.

Regards

Chirag

Hi,

After configuring sticky cookie setting communication started working. Now we are facing below issue.

HTTP Status 404 -

type Status report

message

description The requested resource () is not available.

Below is the configuration.

sticky http-cookie remcookie sticky-cookie

  cookie insert browser-expire

  serverfarm rem_itsm_https

# sh sticky cookie-insert group sticky-cookie

     Cookie   |        HashKey       |           rserver-instance  

  ------------+----------------------+----------------------------------------+

  R873262639 | 16960298075973544399 | rem_itsm_https/gal72780:80

  R873298576 | 17566878952707561616 | rem_itsm_https/gal72781:80

are you suspecting anything on loadbalancer for above issue?. Access directly to webserver is working fine which makes me thinking out of blue.

Regards

Chirag

Hi Chriag,

Sticky Cookie is method used for persistence and based on above i cannot say if there is a problem with LB. I see that you are using cookie insert and if the client comes back with same cookie it should be sent to the same server or else it would be loadbalanced and hence may be an issue. If you test with just one server in serverfarm, does everything work fine? Do you see that client is coming with the same cookie which was inserted by ACE in server reply? What is the status of servers in serverfarm, are they showing operational or out of service or failed etc? I assume everything was working fine and this started happening suddenly, if that is the case what has changed?  We would need more information here to actually see what is going on.

Regards,

Kanwal

Hi,

As per the application team they have applied new patch on OS which was the only changes they made it on server end.

I have tried to clear the sticky database but its again giving the same cookie id after clearing it. i have tried to remove one server but dint work with other server.

One doubt is that why its taking the same cookie id after clearing sticky database?

Any other checks do you want me to test again?

Regards

Chirag

Hi Chirag,

The cookie insert is inserted by ACE and depends upon server parameters which are same so you see the same cookie. This should be normal. If it is not working with one server then it is not a cookie issue. Something else is going on here.

What do you see in "show conn" table? Filter  the output with VIP or client IP. Clear statistics and use "show service-policy detail and see if you are getting hits. Can you capture on the client itself and see why the connection closes? Can you take pcap on ACE itself or server?

What is the status of servers in serverfarm? Did you check if probes are passing and server state is operational? show serverfarm detail would be helpful.

Regards,

Kanwal