Need help to Configure Cisco ACE 4710 Cluster Deployment

Similar Messages

• Need help in configuring Cisco AP to support EAP authentication

  Hello all,
  in desperation after trying for more than 3 weeks, I am trying in this way to get a solution to my following problem.
  I am trying to build up as 802.1x scenario using 802.11b infrastructure (RADIUS server, Cisco 1100 Aironet AP, Cisco PCMCIA WLAN card with Xsupplicant software, the complete OS is Linux). I am trying to use EAP-MD5 authentication. It seems that the things are funtioning in standalone mode.
  The client wants to authenticate to access WLAN. It sends EAPoL start packet and gets a request from AP for user identity. Good. Then the user sends his identity with EAP packet. The Cisco AP is forwarding the request to RDAIUS server as specified in many documents. It is also Good. RADIUS server is sending a request for challenge (Password). Upto this point things are gooing fine.
  Now the Cisco AP is not sending this challenge to the
  Xsupplicant, it is just ignoring it. Can any one help me in this point. If needed I can also send the configuration file of the AP.
  I would be very thankful, if I could solve this Problem with your support.
  Thanking you in advance,
  Felix

  As per the RFC for RADIUS, a RADIUS Server receiving an Access-Request with a Message- Authenticator Attribute present MUST calculate the correct value of the Message-Authenticator and silently discard the packet if it does not match the value sent. A RADIUS Client receiving an Access-Accept, Access-Reject or Access-Challenge with a Message-Authenticator Attribute present MUST calculate the correct value of the Message-Authenticator and silently discard the packet if it does not match the value sent.

• Need Help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect

  Hi All,
  I need help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect
  2811 having C2800NM-ADVIPSERVICESK9-M
  2811 router connects to the Internet SW then connects to the Internet router.
  Note- For Authentication am using the Device ID & Pre share key. I am worried as all user traffic goes with PAT and not firing up my tunnel for port 80 traffic. Can you please suggest what can be the issue ?
  Below is router config for VPN & NAT
  crypto keyring ISR_Keyring
    pre-shared-key hostname vpn.websense.net key 2c22524d554556442d222d565f545246
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp keepalive 10
  crypto isakmp profile isa-profile
     keyring ISR_Keyring
     self-identity user-fqdn [email protected]
     match identity user vpn-proxy.websense.net
  crypto ipsec transform-set ESP-NULL-SHA esp-null esp-sha-hmac
  crypto map GUEST_WEB_FILTER 10 ipsec-isakmp
  set peer vpn.websense.net dynamic
  set transform-set ESP-NULL-SHA
  set isakmp-profile isa-profile
  match address 101
  interface FastEthernet0/1
  description connected to Internet
  ip address 216.222.208.101 255.255.255.128
  ip access-group HVAC_Public in
  ip nat outside
  ip virtual-reassembly
  duplex full
  speed 100
  no cdp enable
  crypto map GUEST_WEB_FILTER
  access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
  access-list 103 permit ip 192.168.8.0 0.0.3.255 any
  ip nat pool mypool 216.222.208.101 216.222.208.101 netmask 255.255.255.128
  ip nat inside source list 103 interface FastEthernet0/1 overload
  ip nat inside source route-map nonat pool mypool overload

  How does Websense expect your source IPs in the tunnel? 192.168.8.0 0.0.3.255 or PAT'ed 216.222.208.101 ?
  Check
  show crypto isakmp sa
  show crypto ipsec sa
  show crypto session
  You'd better remove the preshared key from your post.

• TCP SYNSEEN with load balancing Cisco ACE 4710

  I have a Cisco ACE 4710 load balancing the traffic to two proxy servers, the configuration is the same since December 2012,  but yesterday it stated to show SYNSEEN in the show conn command, and the hosts cannot browse. I think that means that the three-way-handshake is not complete.
  If I bypass the ACE the hosts can browse without problems. 
  I have tested with another ACE appliance and the same configuration but the behaviour is the same.
  I need help as soon as possible,
  thanks,
  I've attached the Show conn, show conn detail and show run.

  Hi Cesar,
  Thank you for your answer,
  The issue was solved,
  We were running an A3 software version, it seems to have a Bug so it doesn't show the NAT commands in the "show run", so when we made the configuration backup we didn't noticed it.
  The ACE reloaded because an electrical failure so it losted the NAT config.
  We just upgraded to an A4 version and also added a NAT/PAT to enable the communication between the Clients and the Proxy.
  Regards,

• I have a PC and a need help to configure my external hard disk on my network. Thanks

  I have a PC and a need help to configure my external hard disk on my network. Thanks

  If you mean you wish to plug a USB drive into the Airport Extreme router (or TC not express) that is easy..
  The disk must be formatted FAT32.. as if.. stay away from FAT .. or HFS+ ie Mac OS extended Journaled.
  Format the disk on a Mac is best.. and even use GUID partition scheme not MBR.
  The PC has no issue writing and reading files because this is a network drive.. The PC does not write to the drive.. it writes files to the Airport OS which writes and reads the disk and passes the info using standard windows SMB.. To the windows computer it will be a Windows NT server.. FAT32 setup.
  If your setup is different.. to my hugely guessed assumptions.. give details.. always helps to have.. make and model.
  Make and model of disk.. make and model of router.. how the setup will be done.. what windows OS you run.. etc etc.
  As it stands your question could have nothing to do with apple at all.. other than you posted in a forum so I guess there is something apple in there somewhere.

• Need help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 8.2(1)

  Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
  The following is the Layout:
  There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
  I have been able to configure  Client to Site IPSec VPN
  1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
  2) With Split tunnel with simultaneous assess to internal LAN and Outside Internet.
  But I have not been able to make tradiotional Hairpinng model work in this scenario.
  I followed every possible sugestions made in this regard in many Discussion Topics but still no luck. Can someone please help me out here???
  Following is the Running-Conf with Normal Client to Site IPSec VPN configured with No internat Access:
  LIMITATION: Can't Boot into any other ios image for some unavoidable reason, must use 8.2(1)
  running-conf  --- Working  normal Client to Site VPN without internet access/split tunnel
  ASA Version 8.2(1)
  hostname ciscoasa
  domain-name cisco.campus.com
  enable password xxxxxxxxxxxxxx encrypted
  passwd xxxxxxxxxxxxxx encrypted
  names
  interface GigabitEthernet0/0
  nameif internet1-outside
  security-level 0
  ip address 1.1.1.1 255.255.255.240
  interface GigabitEthernet0/1
  nameif internet2-outside
  security-level 0
  ip address 2.2.2.2 255.255.255.224
  interface GigabitEthernet0/2
  nameif dmz-interface
  security-level 0
  ip address 10.0.1.1 255.255.255.0
  interface GigabitEthernet0/3
  nameif campus-lan
  security-level 0
  ip address 172.16.0.1 255.255.0.0
  interface Management0/0
  nameif CSC-MGMT
  security-level 100
  ip address 10.0.0.4 255.255.255.0
  boot system disk0:/asa821-k8.bin
  boot system disk0:/asa843-k8.bin
  ftp mode passive
  dns server-group DefaultDNS
  domain-name cisco.campus.com
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group network cmps-lan
  object-group network csc-ip
  object-group network www-inside
  object-group network www-outside
  object-group service tcp-80
  object-group service udp-53
  object-group service https
  object-group service pop3
  object-group service smtp
  object-group service tcp80
  object-group service http-s
  object-group service pop3-110
  object-group service smtp25
  object-group service udp53
  object-group service ssh
  object-group service tcp-port
  object-group service udp-port
  object-group service ftp
  object-group service ftp-data
  object-group network csc1-ip
  object-group service all-tcp-udp
  access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
  access-list CSC-OUT extended permit ip host 10.0.0.5 any
  access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
  access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
  access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
  access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
  access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
  access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
  access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
  access-list CAMPUS-LAN extended permit ip any any
  access-list csc-acl remark scan web and mail traffic
  access-list csc-acl extended permit tcp any any eq smtp
  access-list csc-acl extended permit tcp any any eq pop3
  access-list csc-acl remark scan web and mail traffic
  access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
  access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
  access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
  access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
  access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
  access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
  access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
  access-list INTERNET2-IN extended permit ip any host 1.1.1.2
  access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
  access-list DNS-inspect extended permit tcp any any eq domain
  access-list DNS-inspect extended permit udp any any eq domain
  access-list capin extended permit ip host 172.16.1.234 any
  access-list capin extended permit ip host 172.16.1.52 any
  access-list capin extended permit ip any host 172.16.1.52
  access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
  access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
  access-list capout extended permit ip host 2.2.2.2 any
  access-list capout extended permit ip any host 2.2.2.2
  access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
  pager lines 24
  logging enable
  logging buffered debugging
  logging asdm informational
  mtu internet1-outside 1500
  mtu internet2-outside 1500
  mtu dmz-interface 1500
  mtu campus-lan 1500
  mtu CSC-MGMT 1500
  ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
  ip verify reverse-path interface internet2-outside
  ip verify reverse-path interface dmz-interface
  ip verify reverse-path interface campus-lan
  ip verify reverse-path interface CSC-MGMT
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-621.bin
  no asdm history enable
  arp timeout 14400
  global (internet1-outside) 1 interface
  global (internet2-outside) 1 interface
  nat (campus-lan) 0 access-list campus-lan_nat0_outbound
  nat (campus-lan) 1 0.0.0.0 0.0.0.0
  nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
  static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
  access-group INTERNET2-IN in interface internet1-outside
  access-group INTERNET1-IN in interface internet2-outside
  access-group CAMPUS-LAN in interface campus-lan
  access-group CSC-OUT in interface CSC-MGMT
  route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
  route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  aaa authentication enable console LOCAL
  http server enable
  http 10.0.0.2 255.255.255.255 CSC-MGMT
  http 10.0.0.8 255.255.255.255 CSC-MGMT
  http 1.2.2.2 255.255.255.255 internet2-outside
  http 1.2.2.2 255.255.255.255 internet1-outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map internet2-outside_map interface internet2-outside
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
          a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as a67a897as
      a67a897as a67a897as a67a897as a67a897as a67a897as
    quit
  crypto isakmp enable internet2-outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes
  hash md5
  group 2
  lifetime 86400
  telnet 10.0.0.2 255.255.255.255 CSC-MGMT
  telnet 10.0.0.8 255.255.255.255 CSC-MGMT
  telnet timeout 5
  ssh 1.2.3.3 255.255.255.240 internet1-outside
  ssh 1.2.2.2 255.255.255.255 internet1-outside
  ssh 1.2.2.2 255.255.255.255 internet2-outside
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy VPN_TG_1 internal
  group-policy VPN_TG_1 attributes
  vpn-tunnel-protocol IPSec
  username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
  username administrator password xxxxxxxxxxxxxx encrypted privilege 15
  username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
  username vpnuser1 attributes
  vpn-group-policy VPN_TG_1
  tunnel-group VPN_TG_1 type remote-access
  tunnel-group VPN_TG_1 general-attributes
  address-pool vpnpool1
  default-group-policy VPN_TG_1
  tunnel-group VPN_TG_1 ipsec-attributes
  pre-shared-key *
  class-map cmap-DNS
  match access-list DNS-inspect
  class-map csc-class
  match access-list csc-acl
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class csc-class
    csc fail-open
  class cmap-DNS
    inspect dns preset_dns_map
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
  : end
  Neither Adding dynamic NAT for 192.168.150.0/24 on outside interface works, nor does the sysopt connection permit-vpn works
  Please tell what needs to be done here, to hairpin all the traffic to internet comming from VPN Clients.
  That is I need clients conected via VPN tunnel, when connected to internet, should have their IP's NAT'ted  against the internet2-outside interface address 2.2.2.2, as it happens for the Campus Clients (172.16.0.0/16)
  I'm not much conversant with everything involved in here, therefore please be elaborative in your replies. Please let me know if you need any more information regarding this setup to answer my query.
  Thanks & Regards
  maxs

  Hi Jouni,
  Thanks again for your help, got it working. Actually the problem was ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period, during the day and was not working initially, GUI packet tracer was showing some problems (IPSEC Spoof detected) and also there was this left out dns. Its working fine now.
  But my problem is not solved fully here.
  Does hairpinning model allow access to the campus LAN behind ASA also?. Coz the setup is working now as i needed, and I can access Internet with the NAT'ed ip address (outside-interface). So far so good. But now I cannot access the Campus LAN behind the asa.
  Here the packet tracer output for the traffic:
  packet-tracer output
  asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
  Phase: 1
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  MAC Access list
  Phase: 2
  Type: FLOW-LOOKUP
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Found no matching flow, creating a new flow
  Phase: 3
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   172.16.0.0      255.255.0.0     campus-lan
  Phase: 4
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   192.168.150.1   255.255.255.255 internet2-outside
  Phase: 5
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group internnet1-in in interface internet2-outside
  access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
  Additional Information:
  Phase: 6
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 7
  Type: CP-PUNT
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 8
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 9
  Type: NAT-EXEMPT
  Subtype: rpf-check
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 10
  Type: NAT
  Subtype:     
  Result: DROP
  Config:
  nat (internet2-outside) 1 192.168.150.0 255.255.255.0
    match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
      dynamic translation to pool 1 (No matching global)
      translate_hits = 14, untranslate_hits = 0
  Additional Information:
  Result:
  input-interface: internet2-outside
  input-status: up
  input-line-status: up
  output-interface: internet2-outside
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  The problem here as you can see is the Rule for dynamic nat that I added to make hairpin work at first place
  dynamic nat
  asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
  Is it possible to access both
  1)LAN behind ASA
  2)INTERNET via HAIRPINNING  
  simultaneously via a single tunnel-group?
  If it can be done, how do I do it. What changes do I need to make here to get simultaneous access to my LAN also?
  Thanks & Regards
  Abhijit

• Cisco ACE 4710 - Health Monitoring for Real Servers

  Hi,
  I have setup the following health probe to check for the existence of a specific web page.  My intention is that when the web page is removed, the health check fails and the rserver status changes to 'out of service'.  Unfortunately, when I remove the web page, I see the health check fail, and the rserver state change to 'PROBE-FAILED', however the rserver does not go 'out of service' and continues to respond to requests.
  Can anyone see where I'am going wrong?
  Health check probe config
  probe http live_http_int
    interval 15
    passdetect interval 60
    request method get url /loadbalancer/internal.html
    expect status 199 201
    open 10
  RSERVER config
  rserver host Server1
    description Server1
    ip address 10.10.10.1
    conn-limit max 4000000 min 4000000
    probe live_http_int
    inservice
  rserver host Server2
    ip address 10.10.10.2
    conn-limit max 4000000 min 4000000
    probe live_http_int
    inservice

  Hi syannetwork,
  I think you have to "force" the failed server to close the connection when it has failed. Otherwise it will still serve the available HTML pages.
  Have a look at the "Configuring the ACE Action when a Server Fails" in the "Cisco Application Control Engine Module Server Load-Balancing Configuration Guide" and let me know if the following command helped:
  conf t
  serverfarm host ServerFarm
  failaction purge
  Have a good WE.
  Cheers
  LPL

• Need Help:Reading Data from RU payroll cluster for table GRREC

  Hi...
  I need help on how to read data from RU cluster table for table GRREC for the employee & run date and get the value from structure PC292 .
  Please let me know about the includes and the import and export statements to be used.
  Thanks in advance,
  RAVI.

  Hi,
  Here goes pseudocode
  Includes:
  include: rpppxd00    ,
              rpppxd10     ,
              rpc2cd09     , 
              rpc2rx02_ce , "if ldb pnp_ce is used else use the same include with out _ce
              rpc2rx29      ,  
              rpc2rx39      ,
              rpppxm00    ,
              rpc2ruu0_ce ,
  Declare:
  DATA : i_rgdir   LIKE pc261        OCCURS 0 WITH HEADER LINE     ,
             i_result  TYPE pay99_result OCCURS 0 WITH HEADER LINE ,
             i_grrec   LIKE  pc292           OCCURS 0 WITH HEADER LINE .
  start-of-selection:
  GET pernr.
  Get the RGDIR VALUE for the current PERNR & selected Molga
  get rgdir data TABLES i_rgdir
                        USING pernr-pernr
                                   p_molga " parameter
  CD-KEY-PERNR = PERNR-PERNR.
  RP-IMP-C2-CU.
  i_rgdir [] = rgdir[].
    LOOP AT i_rgdir WHERE fpbeg  LE  pn-endda
                      AND fpend  GE  pn-begda
                      AND srtza  EQ 'A'
                      AND void   NE   'V'.
    get_result_tabs   TABLES i_result
                                 USING 'RU'    "  US cluster
                                       pernr-pernr
                                       i_rgdir-seqnr
        RX-KEY-PERNR = PERNR-PERNR.
        UNPACK i_RGDIR-SEQNR TO RX-KEY-SEQNO.
        RP-IMP-C2-RU.
    i_grrec[] = i_result-inter-grrec[].
    LOOP AT i_grrec.
    case i_grrec.
    use wage types required here and pass the data to output table.
    endcase.
    endloop.
    endloop
  end-of-selction.

• Configuring Cisco ACE

  I have been given the task of configuring a Cisco ACE20 initially for SLB. I have configured IOS SLB sucesfully but the ACE appears far more complex. Does anyone have any confgiuration guides with diagrams. The Cisco documentation only gives command guides which I am finding difficult to follow. I have set up a test scenario as follows:
  Client side vlan 10 - 172.22.152.0 / 21
  Server side vlan 17 - 172.22.244.0 /24
  Vlan 10 is set up on Sup720 as L2/3
  Vlan 17 is set up on Sup720 as L2 only
  PC with IIS running with IP address 172.22.244.101
  VIP address 172.22.152.6
  Rserver address 172.22.244.101
  Route on ACE 0.0.0.0 0.0.0.0 172.22.152.2
  I can ping the rserver from ACE OK as I have captured the ICMP traffic with analyser, when I attempt to HTTP to the vserver address I see the traffic hit the ACE but it sends TCP resets.
  I can provide the full config of the ACE etc if needed.
  With IOS SLB (without NAT) I used loopback addresses on the real servers from the ACE documentation it appears the VIP address has to be completely unique, does this mean there is no need for loopback interfaces. Also does the VIP address have to be in a different subnet than the clients as mine is not but it is in the same subnet as my client side vlan as was stated in the ACE getting started guide.
  I am very new to content swithing especially classifying traffic etc, can anyone please help ?

  Giles
  Capture attached (etherreal).
  I am the client on 172.21.17.20, the VIP address 172.22.152.6 replies with a RST/ACK. I can see the connection attempt on the ACE:
  switch/Admin# sh conn
  total current connections : 6
  conn-id np dir proto vlan source destination state
  ----------+--+---+-----+----+---------------------+---------------------+------+
  4 1 in TCP 10 172.21.17.20:1291 172.22.152.6:80 SYNSEEN
  1 1 out TCP 17 172.22.152.6:80 172.21.17.20:1291 INIT
  3 1 in TCP 10 172.21.17.20:1285 172.22.152.5:23 ESTAB
  5 1 out TCP 10 172.22.152.5:23 172.21.17.20:1285 ESTAB
  4 2 in UDP 17 172.22.244.101:1042 172.28.7.25:161 --
  2 2 out UDP 10 172.28.7.25:161 172.22.244.101:1042 --
  switch/Admin#
  Do I need a loopback address on the real server. Also I only have one real server set-up at the moment - I didn't think this would matter.
  Hope this helps....
  Paul

• Need help with configuring a Printer Driver in Oracle apps

  Hi,
  We have set of interfaces/concurrent jobs which are programed to send the output file to file location1. Now we need to direct the output for all these jobs to file location2. The idea is to not modify the existing code, but have configuration in place which will re-direct the output files to the new “file location2”, once the concurrent job run is complete.
  We have come across “Using Dummy Printer driver” option wherein we created a dummy printer driver with arguments as below and attached this printer to all these concurrent jobs.
  mv <file location1>/$PROFILES$.TITLE <file location2>
  This option is working fine if both the file locations are hard coded. But both these locations are configured in 2 separate profile options and the filepath would change from once Oracle instance to another.
  We are looking for solutions where we can pass the profile option value to this printer driver instead of hardcoding it in the argument.
  Also, please suggest any other solution to move the output files to a different location.
  Please note that our client is on Oracle On-Demand environment (apps – 11.5.10) and hence a shell script cannot be used for this.
  Thanks,
  Kiranmayi.

  Hello Mark,
  I can't support the netopia router/modem, but I would think there should be an admin guide for the configuration. If it is a modem/router and you said there is rules for allowing or blocking services, which sounds like access list you should be able to create a rule for the client you want to block on the modem/router to prevent it from talking to the internet.
  If you want to insure no outside security threats can make it to the computer staticly assign an IP address but don't give it a default gateway address. The client will not be able to talk to any other network but its own. It sounds like you only have one vlan or a flat network so this should work, but if you need to be able to have this computer in the future talk to other networks internally then it isn't a viable solution. Blocking at the modem/router would be the only solution.
  The SG300-08 Switch you could setup an ACL to block that client from talking to the modem/router, but the potential for causing valid traffic from being blocked in your own network grows.
  To create this rule you would first
  go to Access Control
  Create a MAC Base ACL (give it a meaning full name)
  Create 2 a MAC BASE ACE
  Rule 1
  Priority 10
  Action Deny
  Destination Any
  Source User Defined
  MAC address of client wanting to be blocked
  Apply
  Rule 2
  Priority 20
  Action Permit
  Destination Any
  Source Any
  Apply
  Bind the ACL to a port
  Make sure to only bind the ACL to the port that connects to the router/modem.
  Cisco Small Business Support Center
  Randy Manthey
  CCNA, CCNA - Security

• Need help with configuring a particular setting on SF300-08

  I work for a small business and we have a couple computers that we want to share a ethernet enabled copier/printer with, but for security reasons want to block those computers from internet access.  How would one go about allowing that?
  Thanks in advance,
  Mark Davis

  Hello Mark,
  I can't support the netopia router/modem, but I would think there should be an admin guide for the configuration. If it is a modem/router and you said there is rules for allowing or blocking services, which sounds like access list you should be able to create a rule for the client you want to block on the modem/router to prevent it from talking to the internet.
  If you want to insure no outside security threats can make it to the computer staticly assign an IP address but don't give it a default gateway address. The client will not be able to talk to any other network but its own. It sounds like you only have one vlan or a flat network so this should work, but if you need to be able to have this computer in the future talk to other networks internally then it isn't a viable solution. Blocking at the modem/router would be the only solution.
  The SG300-08 Switch you could setup an ACL to block that client from talking to the modem/router, but the potential for causing valid traffic from being blocked in your own network grows.
  To create this rule you would first
  go to Access Control
  Create a MAC Base ACL (give it a meaning full name)
  Create 2 a MAC BASE ACE
  Rule 1
  Priority 10
  Action Deny
  Destination Any
  Source User Defined
  MAC address of client wanting to be blocked
  Apply
  Rule 2
  Priority 20
  Action Permit
  Destination Any
  Source Any
  Apply
  Bind the ACL to a port
  Make sure to only bind the ACL to the port that connects to the router/modem.
  Cisco Small Business Support Center
  Randy Manthey
  CCNA, CCNA - Security

• Need help to Configure FTPS connection for File Sender Adapter

  Hi,
  I want to Configure, FTPS connection (Secured Connection) for File Sender Adapter. Could anyone please guide me, what Information I require to configure. I just want to know what Information should I request the team inorder the configure FTPS so that it can be deployed properly.
  I have checked with [SAP Help Link|http://help.sap.com/saphelp_nw04/helpdata/EN/e3/94007075cae04f930cc4c034e411e1/content.htm] and while configuring the communication channel found that I need Keystore and the X.509 Certificate and Private Key.  which needs to be deployed on the J2EE server by using the Visual Administrator.
  Is there anything else, I need to configure.
  Any help would be appreciated in this regard.
  Thanks & Regards,
  Varun.K

  The basic things are Certificate/Keys which you already know. Usually it is enough for running a sceanrio.
  However, if you have additional requirements, like FTPS for "Connection Security" for encryption, then you may need additional details like commands. Rest all settings are same as FTP.
  Regards,
  Prateek

• Need Help on Configurations of Data Services on IBM AIX Platform

  Hi All,
  We are in the process of installing Data Services XI 3.2 on IBM AIX platform.We are having some showstoppers which we are not able to resolve.
  It would be of great help to us if anyone can give some inputs.
  Lanscape:
  Data services server: Server A
  OS - AIBM AIX
  DB2 Database: Server B
  OS - AIBM AIX
  Activities Performed till now on DB2 Side:
  Multi user development:
  1.       Created 2 DBu2019s on Server B
  ·          REPO_CR (Central Repository u2013 Which is used for multi-user environment).
  ·          REPO_LR (Local Repository u2013 Which is used for actual development like login and build   jobs).
  2.       Created multiple schemas under REPO_LR(One Schema for each user).
  ·          User1, User2, User3, etcu2026 (These schemas can hold metadata of Data Services XI which can be used for reference).
  Each and every schema should have itu2019s their own user name and password
  Activities Performed till now on Data Services Side:
  1.Installed Dataservices
  Activities Yet to be done on Data Services Side:
  1.Configure Repository manager (Create central repository REPO_CR of type sucure using repository manager)
  2.Configure Job Server(Create a Job server and assign the local repository REPO_LR to the same)
  Issues:
  While creating the central repository usning the below command:
  ./repoman -UCRREP -Ppassword -SServer B -NDB2 -QREPO_CR -tcentral -c -a -d
  an error ocurred as :"Error while creating the Local Repository"
  I think we are getting this error because of some connectivity issue between DB2 server and Data services Server.
  Please share all of your valuable thoughts.
  Note:Our DB2 admin said we cannot create any ODBC connections on AIX platform
  Thanks,
  Muni

  the arguments that you are passing to repoman are not correct, if your server name has space then you should enclose that in quotes, else it will be treated as 2 arguments, you are passing -SServer B it should be -S"Server B"
  -SServer B
  I don't think you need to pass -Q option for DB2, its required only for Sybase Repo
  for DB2 you will have to install the DB2 Client, and create a Node and Catalog the database on that node
  if you are able to open DB2 command prompt form the unix and use that database, then try using the following args to create DB2 Repo
  -Uusername -Ppassword -NDB2 -SDBName -tcentral -c -a -d
  or better use Repository Manager from Windows to create repos

• New to sap - need help in configure backup strategy for SAP XI server.

  hi gurus
  being a netweaver guy, recently i have been given  the responsibility of few basis activities.like database backup.
  can any one tell me clear procedure to take both daily online and weekend full offline backup of oracle in to disk first and then to tape.   i have seen in the internet  material few discussing about brbackup and few about sap DB13. i am totally confused which one to use, and which is good. please help
  akhil

  Hi,
  welcome on board as SAP Netweaver guy,
  don't be confused both DB13 and BRtools are the same both of them will call brbackup.
  to configure the brtools you have to change in your brtools profiles located at  %ORACLE_HOME%/dbs
  please before changing any thing take backup from that folder.
  - to take the backup to disk then to tape you will need extra backup software, because using the SAP slandered tools you have to select either Disk or Tape.
  Thanks
  Sherif

• Need Help for configuring Floating static route in My ASA.

  Hi All,
  I need your support for doing a floating static route in My ASA.
  I have tried this last time but i was not able to make it. But this time i have to Finish it.
  Please find our network Diagram and configuration of ASA
  route outside 0.0.0.0 0.0.0.0 6.6.6.6 1 track 1
  route outside 0.0.0.0 0.0.0.0 6.6.6.6 1
  route rOutside 0.0.0.0 0.0.0.0 3.3.3.3 10
  route inside 10.10.4.0 255.255.255.0 10.10.3.1 1
  route inside 10.10.8.0 255.255.255.0 10.10.3.1 1
  route inside 10.10.9.0 255.255.255.0 10.10.3.1 1
  route inside 10.10.15.0 255.255.255.0 10.10.3.1 1
  route rOutside x.x.x.x 255.255.255.255 5.5.5.5 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 10.10.3.77 255.255.255.255 inside
  http 10.10.8.157 255.255.255.255 inside
  http 10.10.3.59 255.255.255.255 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sla monitor 123
  type echo protocol ipIcmpEcho 8.8.8.8 interface outside
  num-packets 3
  frequency 10
  sla monitor schedule 123 life forever start-time now
  crypto ipsec transform-set cpa esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map vpn_cpa 1 match address acl_cpavpn
  crypto map vpn_cpa 1 set peer a.a.a.a
  crypto map vpn_cpa 1 set transform-set abc
  crypto map vpn_cpa 1 set security-association lifetime seconds 3600
  crypto map vpn_cpa interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  track 1 rtr 123 reachability
  telnet 10.10.3.77 255.255.255.255 inside
  telnet 10.10.8.157 255.255.255.255 inside
  telnet 10.10.3.61 255.255.255.255 inside
  telnet timeout 500
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics port
  threat-detection statistics protocol
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 10.10.3.14
  webvpn
  tunnel-group .a.a.a.a ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
  inspect sip 
    inspect xdmcp
  service-policy global_policy global
  smtp-server 10.10.5.11
  prompt hostname context
  Cryptochecksum:eea6e7b6efe5d1a180439658c3912942
  : end
  i think half of the configuration stil there in the ASA.
  Diagram.
  Thanks
  Roopesh

  You have missed the last command in your configuration, Please check it again
  route ISP1  0.0.0.0 0.0.0.0 6.6.6.6 track 1
  route ISP2   0.0.0.0 0.0.0.0 3.3.3.3
  sla monitor 10
  type echo protocol ipIcmpEcho 8.8.8.8 interface ISP1
  num-packets 3
  frequency 10
  sla monitor schedule 123 life forever start-time now
  track 1 rtr 123 reachability
  You can do NAT in same way, here the logical name of the interface will be different.
  Share the result
  Please rate any helpful posts.