Kerberos authentication failing in ProxySG when connected with Cisco ACE load balancer


Article ID: 168997


Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

The customer uses Kerberos authentication on the ProxySG, with a Cisco ACE load balancer distributing client traffic across the ProxySG appliances. For HTTP sites that the ProxySG challenges for authentication, clients get a "page cannot be displayed" error or see the proxy reset the connection. HTTPS sites work fine in the same setup.

Cause

The cause is the default maximum HTTP header parse length on the Cisco ACE, which is 4096 bytes. After the ProxySG answers with a 407 challenge, the client re-sends the request with the Kerberos ticket in the Proxy-Authorization: Negotiate header. When the combined size of the HTTP headers and that ticket exceeds 4096 bytes, ACE resets the connection, and the request never reaches the ProxySG. Kerberos tickets that carry a large PAC (users who are members of many groups) are the usual reason the limit is crossed.

Resolution

The fix is to create an HTTP parameter map on the ACE with a larger maximum header parse length and assign it to the relevant class in the service-policy. This information can be found in the discussion here.

A typical configuration contains the following lines. "set header-maxparse-length" raises the number of header bytes ACE will parse from the 4096-byte default to 65535, "set content-maxparse-length" does the same for the request body, and "length-exceed continue" tells ACE to keep forwarding a request whose headers exceed the parse length instead of dropping it:

parameter-map type http HTTP
  set header-maxparse-length 65535
  set content-maxparse-length 65535
  length-exceed continue

More details on this setting are available here.
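To confirm that a failing request really crosses the 4096-byte limit, and to see why each of the three parameter-map settings above changes the outcome, the following Python script is added here as an illustration; it is not code from the original article, from Broadcom or from Cisco. It builds a constructed proxy request carrying a filler Negotiate token (only its length matters, it is not a real Kerberos ticket), measures the header block the way the ACE parse limit applies to it, and models the ACE decision under the default limit and under the corrected parameter map. The assumption that ACE's default "drop" behaviour is what the client experiences as a reset is taken from the article; the hostname and header values are made up.

```python
import base64

# Default HTTP header parse limit on the Cisco ACE, per the article.
ACE_DEFAULT_HEADER_MAXPARSE = 4096


def build_request(token, host="intranet.example.com"):
    """Constructed request (not a capture): what a browser sends after the
    ProxySG replies 407 with 'Proxy-Authenticate: Negotiate'. 'token' is
    filler bytes standing in for the SPNEGO/Kerberos blob; only its length
    matters for this check."""
    b64 = base64.b64encode(token).decode("ascii")
    lines = [
        "GET http://%s/ HTTP/1.1" % host,
        "Host: %s" % host,
        "User-Agent: Mozilla/5.0 (constructed)",
        "Accept: */*",
        "Proxy-Connection: Keep-Alive",
        "Proxy-Authorization: Negotiate %s" % b64,
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def header_length(request):
    """Bytes from the request line through the blank line that ends the
    headers: the span the ACE header parse limit applies to."""
    end = request.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("request has no end-of-headers marker")
    return end + 4


def largest_header(request):
    """Return (header name, line length) of the biggest header line, so the
    culprit (normally Proxy-Authorization) is obvious in a capture."""
    head = request[:header_length(request)].decode("ascii")
    best = ("", 0)
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name = line.partition(":")[0]
        if len(line) > best[1]:
            best = (name, len(line))
    return best


def ace_decision(request, header_maxparse_length=ACE_DEFAULT_HEADER_MAXPARSE,
                 length_exceed="drop"):
    """Model of the ACE parse limit. Within the limit the request is parsed
    and load-balanced normally. Beyond it, 'length-exceed continue' forwards
    the request without further parsing; the default 'drop' is what the
    article describes as the client seeing a reset (assumption: drop == reset
    from the client's point of view)."""
    if header_length(request) <= header_maxparse_length:
        return "forward"
    return "forward-unparsed" if length_exceed == "continue" else "reset"


if __name__ == "__main__":
    # A small token (few group memberships) fits; a ~4 KB ticket does not.
    small = build_request(b"\x00" * 200)
    big = build_request(b"\x00" * 4000)
    for name, req in (("small ticket", small), ("large ticket", big)):
        print("%s: %d header bytes, largest header %s" %
              (name, header_length(req), largest_header(req)))
        print("  ACE default      :", ace_decision(req))
        print("  maxparse 65535   :", ace_decision(req, 65535))
        print("  length-exceed cont:", ace_decision(req, 4096, "continue"))
```

Feed header_length() the bytes of a real client request exported from a packet capture taken on the client side of the ACE: if the number is above 4096 on the requests that fail, the parameter map above is the fix; if it is below, the reset has another cause.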