Kerberos authentication failing in ProxySG when connected with Cisco ACE load balancer


Article ID: 168997




ProxySG Software - SGOS


The customer is using Kerberos authentication in their setup, with a Cisco ACE load balancer distributing traffic to one or more ProxySG appliances. For HTTP sites that the ProxySG challenges for authentication, the client gets "Page cannot be displayed" or sees the proxy resetting the connection. HTTPS sites work fine in this setup.


The issue is caused by the default maximum header size supported by Cisco ACE, which is 4096 bytes. If the combined size of the HTTP headers and the Kerberos ticket exceeds 4096 bytes, the ACE resets the connection and the request never reaches the ProxySG.


The solution is to create an HTTP parameter map that supports a higher value and then assign it to the class in the service policy. This information can be found at the discussion here

A typical configuration looks like this:

parameter-map type http HTTP
  set header-maxparse-length 65535
  set content-maxparse-length 65535
  length-exceed continue

More details on this setting are available here
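
To confirm that a failing request really is over the limit, the header block of a request taken from a client-side capture can be measured against the 4096-byte default. The following is an added example, not code from this article or from either vendor. It assumes the limit counts the request line plus all headers through the terminating blank line; the function names, the host intranet.example and the filler ticket are constructed for illustration.

```python
import base64

ACE_DEFAULT_MAXPARSE = 4096  # default ACE header limit stated in this article

def header_report(raw_request: bytes, limit: int = ACE_DEFAULT_MAXPARSE) -> dict:
    """Measure the header block of one raw HTTP request against the limit."""
    end = raw_request.find(b"\r\n\r\n")
    if end == -1:
        raise ValueError("no end of headers (CRLF CRLF) found")
    block = raw_request[: end + 4]        # request line + headers + blank line
    lines = block[:-4].split(b"\r\n")
    token_b64 = token_raw = 0
    largest = (b"", 0)
    for line in lines[1:]:                # skip the request line
        name, _, value = line.partition(b":")
        name = name.strip()
        if len(line) > largest[1]:
            largest = (name, len(line))
        # Explicit proxy uses Proxy-Authorization, transparent uses Authorization
        if name.lower() in (b"authorization", b"proxy-authorization"):
            scheme, _, cred = value.strip().partition(b" ")
            if scheme.lower() == b"negotiate":
                token_b64 = len(cred.strip())
                token_raw = len(base64.b64decode(cred.strip()))
    return {
        "header_bytes": len(block),
        "negotiate_b64_bytes": token_b64,   # size on the wire
        "negotiate_raw_bytes": token_raw,   # size of the decoded token
        "largest_header": largest[0].decode("ascii", "replace"),
        "exceeds_limit": len(block) > limit,
    }

def build_sample(ticket_len: int) -> bytes:
    """Constructed request: zero-byte filler stands in for a real ticket."""
    token = base64.b64encode(b"\x60" + b"\x00" * (ticket_len - 1))
    return (b"GET http://intranet.example/ HTTP/1.1\r\n"
            b"Host: intranet.example\r\n"
            b"Proxy-Authorization: Negotiate " + token + b"\r\n"
            b"\r\n")

if __name__ == "__main__":
    for size in (1500, 3030, 3600):
        print(size, header_report(build_sample(size)))
```

Base64 encoding inflates the token by about a third, so a ticket well under 4096 bytes can still push the header block over the limit once the other headers are added.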