Ace 4710 3.2.4 and script
Hi all,
I've got a problem with a script...
From the debug command I receive the message
'(ctx:1) TCLPROBE(hm_tcl_exit_proc): File open failed'
The same script works on the ACE module... why can't the ACE 4710 read the script?
Thanks
Dan
Hi Gilles,
AceFemaster/FE# show probe script_ver_pippo_CS01_80 detail
probe : script_ver
type : SCRIPTED
state : ACTIVE
description :
port : 0 address : 0.0.0.0 addr type : -
interval : 15 pass intvl : 30 pass count : 2
fail count: 5 recv timeout: 10
script filename : script_ver.tcl
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
real : pippo_CS01[80]
serverfarm: S_pippo_80
1.1.1.1 80 REAL 2 2 0 FAILED
Socket state : RESET
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 30006
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Internal error: Script error
Last probe time : Tue Nov 17 15:07:35 2009
Last fail time : Tue Nov 17 15:07:20 2009
Last active time : Never
In debug I can see an empty string as the exit message...
2009 Nov 17 15:09:05.761594 scripted_hm: (ctx:1) TCLWT (scripted_hm_run_probe_msg): Received MTS_RUN_MSG
2009 Nov 17 15:09:05.761656 scripted_hm: (ctx:1)tcl_wt_create_qnode: temp_qnode 0x81137b8 em_msg 0xb689e054
2009 Nov 17 15:09:05.761695 scripted_hm: (ctx:1) TCL_UTIL(hm_tcl_associate_script_buf) - ENTER em_msg = 0xb689e054
2009 Nov 17 15:09:05.761725 scripted_hm: (ctx:1) TCL_UTIL (hm_tcl_associate_script_buf) : Associating script-buf with script_ver.tcl em_msg = 0xb689e054
2009 Nov 17 15:09:05.761755 scripted_hm: (ctx:1) TCL_UTIL(hm_tcl_find_script_buf) - ENTER
2009 Nov 17 15:09:05.761785 scripted_hm: (ctx:1) TCL_UTIL(hm_tcl_find_script_buf) - Found script buf
2009 Nov 17 15:09:05.761814 scripted_hm: (ctx:1)TCL_UTIL(hm_tcl_associate_script_buf) - EXIT
2009 Nov 17 15:09:05.761844 scripted_hm: (ctx:1) TCLWT(tcl_wt_create_qnode): Created qnode 81137b8
2009 Nov 17 15:09:05.761454 scripted_hm: (ctx:1)hm_tcl_run: pid 24428 return_fd 13 ZÃô·h^U÷(Jî·
2009 Nov 17 15:09:05.762007 scripted_hm: (ctx:1) TCL_UTIL(hm_tcl_set_env_vars): arg list = "GET /pls/portal30/ecare.monitoring HTTP/1.0" html 0 172.18.255.172 80 OK
2009 Nov 17 15:09:05.762041 scripted_hm: (ctx:1) TCL_UTIL(hm_tcl_get_argcount) - ENTER, argv("GET /pls/portal30/ecare.monitoring HTTP/1.0" html 0 172.18.255.172 80 OK)
2009 Nov 17 15:09:05.762090 scripted_hm: (ctx:1)hm_tcl_run: About to run the TCL interpreter
2009 Nov 17 15:09:05.762387 scripted_hm: (ctx:1)Tcl_Itasca_SocketObjCmd: g_num_socket 1
2009 Nov 17 15:09:05.763381 scripted_hm: (ctx:1)tclret 1
2009 Nov 17 15:09:05.763524 scripted_hm: (ctx:1) TCLPROBE(hm_tcl_exit_proc): File open failed
2009 Nov 17 15:09:05.765827 scripted_hm: (ctx:1)TCL-WT(tcl_wt_process_interp_return) - ENTER
2009 Nov 17 15:09:05.765870 scripted_hm: (ctx:1) TCLWT(tcl_wt_process_interp_return): received error from scripted probe!
2009 Nov 17 15:09:05.765903 scripted_hm: (ctx:1) TCLWT(tclwt_send_em_msg): ENTER
2009 Nov 17 15:09:05.765932 scripted_hm: (ctx:1) TCL-WT(tclwt_send_em_msg): exit msg = empty string
2009 Nov 17 15:09:05.764984 scripted_hm: (ctx:1) TCLWT(tclwt_send_em_msg): EXIT without Error
2009 Nov 17 15:09:05.765015 scripted_hm: (ctx:1)TCL-WT(tcl_wt_process_interp_return) - EXIT
For the network trace, I'm trying to obtain it.
Thanks a lot
Dan
Similar Messages
ACE 4710 A3(2.0) and ACS - TACACS+
Hi.
I am having trouble getting my ACE 4710 (A3(2.0) Build 3.0) to cooperate with my Cisco Secure ACS server. In the same environment I have it working on my ACE module, with the same configuration.
ACE 4710:
tacacs-server host 10.7.50.20 key 7 "fewhg"
aaa group server tacacs+ tacacs_server_group
server 10.7.50.20
deadtime 15
aaa authentication login default group tacacs_server_group local none
aaa accounting default group tacacs_server_group local
aaa authentication login error-enable
ACS is configured correctly too. I have tried with several users, both in groups, with and without attributes and so forth. The ACS installation works with other devices and with my ACE modules running A2(3.1). I have tried this on both ACS 4.2(0).124 and 4.2(1).15.
The strange part is what I see when I set up Wireshark on my ACS server to look at the traffic. From what I can see, the ACE only sends a request to the AAA server if the user exists locally. But I do not get authenticated, and Failed Attempts shows a line with Message-Type: "Unknown NAS".
It seems like others have the same problem. The problem is that the link attached in the topic beneath only leads me back to the forum and not to a topic with a solution.
https://supportforums.cisco.com/thread/132445?decorator=print&displayFullThread=true#132445
Any help is appreciated and thanks in advance!
Are you using telnet or ssh?
If ssh, can you try telnet? Allow telnet on your management policy to do this. Then if it works via telnet, try ssh again; if it now works then you have hit CSCsu36078
http://tools.cisco.com/squish/03240
Ace 4710 - same context routed and load-sharing
Hi All
Can an ACE 4710 have, in the same context, servers which are
a. just being routed to
b. a set of load-shared servers
I have been told you may not be able to do this on this version.
Does anyone know if this is correct?
Thanks
Steve
Hi Boris
I have been on the ACE course and before we install the 4700 box I have been asked to set up a test setup.
This would involve having a context which would have one IP address range and a few PCs (pretending to be servers) and one which would be just routed.
A colleague of mine seemed to think that something had been said on the course to the effect that if the ACE was deployed inline then you couldn't have some of your servers in load-sharing and some just routed on the same subnet and in the same context.
Steve
ACE 4710 A3.2.5 and unknown script error (30009)
Hi all,
I've got a problem with scripted probes. In two contexts I have configured the same scripted probe:
probe scripted PRO-SSL636
port 636
interval 5
faildetect 2
passdetect interval 10
passdetect count 2
receive 3
script SSL_PROBE_SCRIPT
In one context it works fine; in the other one I get the following error:
serverfarm : SRF-LDAPS
real : SRV123-DOMAIN-COM[0]
192.168.0.200 636 PROBE 0 0 0 INIT
Socket state : RESET
No. Passed states : 0 No. Failed states : 0
No. Probes skipped : 0 Last status code : 30009
No. Out of Sockets : 0 No. Internal error: 16833
Last disconnect err : Internal error: Unknown script error
Last probe time : Never
Last fail time : Never
Last active time : Never
The script SSL_PROBE_SCRIPT is located in probe: with other Cisco-Standard-Scripts.
Does anyone have an idea?
Thanks for your help.
swiss_ewok
Hi Sven,
Quick question: did you load the script also in the context where it fails?
Just check if you have "script file name" in your config.
Thanks,
Alessandro
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
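Added example (not from this thread): the load-and-verify sequence that Alessandro's check implies. A script only becomes usable in a context once `script file name` has been run in that context; the file itself lives in the probe: directory. The FTP address and the context name are placeholders; the script and probe names are the ones from the post.

```text
! Admin context: stage the script file (source URL is a placeholder)
copy ftp://192.0.2.10/SSL_PROBE_SCRIPT probe:
dir probe:

! The context where the probe sits in INIT with status 30009: the script must be loaded here as well
changeto CONTEXT_B
configure terminal
script file name SSL_PROBE_SCRIPT
probe scripted PRO-SSL636
  script SSL_PROBE_SCRIPT
end

! Verify: the script is listed, the running config carries the "script file name" line,
! and the probe leaves INIT with a status code other than 30009
show script
show running-config | include script file
show probe PRO-SSL636 detail
```

The same check applies to the "File open failed" case in the opening thread: confirm with `dir probe:` that the .tcl file exists on the appliance where it fails, since a file staged on the ACE module is not automatically present on the 4710.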
Hi,
We have two ACE-4710-K9 (named LB01 and LB02) configured in HA mode. Besides Admin, on each of them there are three contexts configured, named ACADEMIC, COMMERCIAL, STREAMING. On LB01 the active context is ACADEMIC. On LB02 the active contexts are COMMERCIAL and STREAMING. Each context is configured with a FrontEnd and a BackEnd VLAN interface, and a "management" VLAN interface used for accessing and monitoring the device and for downloading the needed SSL certificates.
Recently we upgraded the devices to version A3(2.6) from a previous A3(2.4). After that upgrade we experienced some strange behaviour. From the context in STANDBY state we are not able to ping the host on the "management" VLAN interface, while there is no problem on the other VLANs. We see that the ICMP packets are sent to the VLAN and are replied to by the remote host, BUT are not received at all on LB01 or LB02. No messages in the log. Trying with 5 consecutive (failed) pings we can see that the unicast packet output counter on the LB01/LB02 VLAN is incremented by 5, BUT the unicast packet input counter is unchanged even though the remote host sent the replies.
In the STREAMING context this behaviour isn't constant, i.e. the ping *sometimes* starts working for a few seconds and then stops again. In the other standby context the ping never works. In the active context all works fine. This strange problem prevents us from loading the SSL certificates in the STANDBY context from the "management" VLAN.
We were not able to find any reference to a similar problem in the Cisco documentation or TAC collection, so we are curious to know whether someone else has experienced such a behaviour.
Thank you and best regards.
Alessandro Asson - CINECA
Thanks,
I see you are using a shared VLAN config on both ACEs.
Same VLAN 1000 is used for both Admin and streaming context.
In this config, you may need to use the shared-vlan-host-id command as explained here:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/routing_bridging/guide/vlansif.html#wp1025243
In fact as explained:
'By default, the bank of MAC addresses that the ACE uses is randomly selected at boot time. However, if you configure two ACE appliances in the same Layer 2 network and they are using shared VLANs, the ACEs may select the same address bank, which results in the use of the same MAC addresses. To avoid this conflict, you must configure the bank that the ACEs will use.'
This would also answer your question in the readme file:
SHOW ARP TABLE ON THE D01,D02,D07 ROUTERS SHOWS THE SAME MAC ADDRESS FOR
BOTH IP ADDRESSES OF LB01 AND LB02: is that normal ??
Hope this helps,
Dom.
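Added example of the command Dom refers to (not from the post): pin each appliance to a different MAC bank so that two ACEs on a shared VLAN stop answering ARP with the same MAC. The host IDs are assumed values; they only need to differ between the two appliances, and each side is told its peer's ID.

```text
! LB01, Admin context
shared-vlan-host-id 1
peer shared-vlan-host-id 2

! LB02, Admin context
shared-vlan-host-id 2
peer shared-vlan-host-id 1

! Verify: the MAC shown for the shared VLAN must now differ between LB01 and LB02,
! and the ARP tables on D01/D02/D07 must show two different MACs for the two IPs
show interface vlan 1000
```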
ACE 4710 and mangled HTTP requests
After replacing a Cisco CSS/SSL Accelerator and PIX firewall with an ACE 4710 to do load balancing and SSL encryption behind an ASA firewall, we started seeing mangled HTTP requests in the Apache access logs for the servers in the server farm. Here is one example:
XX.XX.XXX.XXX - - [21/Oct/2012:01:42:12 -0500] "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
Rather than appearing just after the timestamp, the "POST /register/LServlet" is tacked on to header information that shouldn't even appear in the log. Also the first letter in that header information is always missing (heckoutFlag instead of checkoutFlag in this example).
The mangled request always shows up as a 501 HTTP error and shows up late in the Apache access logs (the timestamp is out of chronological order) and always appears with several duplicate POSTs:
XX.XX.XXX.XXX - - [21/Oct/2012:01:42:23 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
XX.XX.XX.XXX - - [21/Oct/2012:01:42:12 -0500] "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
This is occurring for several different URLs and not just the one above and for multiple web browsers.
The ACE load balances to servers running Tomcat 7 with Apache HTTP server v. 2.2.14.
A recent ACE software upgrade to A5(2.1) has not fixed the problem.
Has anyone seen this before?
Thanks for any insight you can provide.
-Kari
Hi Kari,
Do you have a sample of the configuration which you got with the CSS?
What is the current configuration which you got on the ACE?
Can you show this output: # show stats http?
Jorge
ACE 4710 transparent LB with two Caches and two routers.
Hello,
I have an ACE 4710 that load balances two CacheFlows (Bluecoat). I am doing PBR on the routers to send the traffic destined to port 80 to the ACE, then to the cache farm. After that the CacheFlow will get the page from the internet via two routers. The return traffic will match another PBR on the routers with source port 80 that will send it to the ACE, then to the CacheFlow again... then to the users.
I am not using ip-spoofing on the CacheFlow for now. In the attached figure I created a VIP 0.0.0.0 0.0.0.0 port 80 on the ACE interface facing the routers, but the question is: do I have to create another VIP 0.0.0.0 0.0.0.0 port 80 on the ACE interface facing the CacheFlow, or just forward the traffic on the default route? What might be the default route, since I have to use two routers and I cannot use HSRP?
Kindly I need some assistance
Thank you and regards,
George
access-list PERMIT_ALL line 8 extended permit ip any any
access-list CFLOW line 8 extended permit ip any any
ip name-server 8.8.8.8
ip name-server 4.2.2.2
##################################Config for Cache Cache Servers###################
probe http CISCO_WWW_PROBE
ip address 72.163.4.161
interval 2
faildetect 2
passdetect interval 2
passdetect count 5
request method head url /index.html
expect status 200 200
exit
probe http YAHOO_WWW_PROBE
ip address 87.248.112.181
interval 2
faildetect 2
passdetect interval 2
passdetect count 5
request method head url /index.html
expect status 200 200
exit
serverfarm host TRANSPARENT_PROXY_SF
description Transparent Proxy Farm
transparent
predictor hash url
probe CISCO_WWW_PROBE
probe YAHOO_WWW_PROBE
rserver CFLOW01
inservice
rserver CFLOW02
inservice
exit
exit
############################################# Router Cache Farm ############################
probe icmp ICMP_PROBE
description *** Probe for icmp health monitoring ***
interval 5
faildetect 2
passdetect interval 60
passdetect count 2
exit
rserver host Router01
description Connection to Sodetel Router
ip address 192.168.14.4
probe ICMP_PROBE
inservice
rserver host Router02
description Connection to IDM Router
ip address 192.168.14.5
probe ICMP_PROBE
inservice
serverfarm host Routers
description Transparent Proxy Farm
transparent
predictor hash url
probe ICMP_PROBE
rserver Router01
inservice
rserver Router02
inservice
exit
exit
################################# Management################################
class-map type management match-any REMOTE_MGMT
description Allow Remote management for below protocols
8 match protocol icmp any
9 match protocol ssh source-address 172.31.13.31 255.255.255.255
10 match protocol ssh source-address 172.31.31.21 255.255.255.255
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_MGMT
permit
class-map match-all CFLO2Internet
2 match virtual-address 0.0.0.0 0.0.0.0 any
class-map match-all TRANSPARENT_VIP_CM
2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
policy-map type loadbalance first-match TRANSPARENT_LB_PM
class class-default
serverfarm TRANSPARENT_PROXY_SF backup Routers
policy-map type loadbalance first-match CFLO2Internet_LB
class class-default
serverfarm Routers
policy-map multi-match CFLO2Internet_PM
class CFLO2Internet
loadbalance vip inservice
loadbalance policy CFLO2Internet_LB
loadbalance vip icmp-reply active
connection advanced-options TCP
policy-map multi-match L3L4_PM
class TRANSPARENT_VIP_CM
loadbalance vip inservice
loadbalance policy TRANSPARENT_LB_PM
loadbalance vip icmp-reply active
connection advanced-options TCP
====Interfaces======
interface vlan 11
description Interface between Routers and ACE
ip address 192.168.14.2 255.255.255.224
alias 192.168.14.1 255.255.255.224
peer ip address 192.168.14.3 255.255.255.224
no icmp-guard
access-group input PERMIT_ALL
service-policy input REMOTE_MGMT_ALLOW_POLICY
service-policy input L3L4_PM
no shutdown
interface vlan 21
description Connection to CFlow ServerFarm
ip address 192.168.12.2 255.255.255.224
alias 192.168.12.1 255.255.255.224
peer ip address 192.168.12.3 255.255.255.224
no icmp-guard
access-group input CFLOW
service-policy input CFLO2Internet_PM ------>>>> Is this necessary???
no shutdown
Hi George,
In the topology you described, only the service-policy in the interface towards the routers is necessary. For the traffic from the caches, the ACE will just forward to the default gateway.
The only problem is, as you mentioned, that you cannot use HSRP. In that case, you can still configure two default gateways, but there is no way to predict which one the ACE will use at a given time (the way it does to select the one it will use is sending an ARP request to both gateways and using the one that replies first until the ARP entry expires)
If you need to load-balance the traffic between both routers, then yes, you would need to configure a new VIP on the cache side and load-balance to a transparent serverfarm composed of both routers.
Regards
Daniel
I'm trying to set DSCP flags in traffic from the ACE 4710 to clients. Unfortunately it doesn't seem to work this way:
class-map type http loadbalance match-any URL-AF21
2 match http url /aaa/.*
4 match http url /bbb/.*
policy-map type loadbalance http first-match LB-WITH-DSCP
class URL-AF21
set ip tos 72
serverfarm MyServerFram
class class-default
set ip tos 0
serverfarm MyServerFram
Traffic from ACE to Real Server is tagged but not traffic from ACE to clients.
Any idea which config might work?
Hi,
If you set the ToS bit in the policy map, as you are doing, the ToS bit will only get set on the ACE-to-server leg of the connection. ACE will not set the value for the traffic returning to clients.
The way around this is to set the ToS bit via the parameter map and then call it under the class in the multi-match policy. In this way you will have the ToS bit set for both directions of the traffic (from ACE to server and from ACE to client). The downside of this approach is that you won't be able to use it for a specific class of traffic.
If you are interested in applying the TOS bit for the whole flows hitting a VIP then please follow this configuration example.
parameter-map type connection SET_TOS
set ip tos 72
Regards,
Kanwal
Note: Please mark answers if they are helpful.
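Added example (not Kanwal's config): the two approaches side by side, so the difference in scope is visible. Per-class `set ip tos` in the load-balance policy marks only the server leg; attaching a connection parameter map under the VIP class marks every flow of that VIP in both directions. TOS 72 is DSCP 18 (AF21) shifted left two bits. The VIP address, interface VLAN, class and policy names are assumptions.

```text
! (a) Per-URL marking, as in the post: applies to ACE -> server only
policy-map type loadbalance http first-match LB-WITH-DSCP
  class URL-AF21
    set ip tos 72
    serverfarm MyServerFram
  class class-default
    serverfarm MyServerFram

! (b) Whole-VIP marking in both directions via a connection parameter map
parameter-map type connection SET_TOS
  set ip tos 72

policy-map type loadbalance http first-match LB-PLAIN
  class class-default
    serverfarm MyServerFram

class-map match-all AF21-VIP
  2 match virtual-address 192.0.2.10 tcp eq www

policy-map multi-match CLIENT-VIPS
  class AF21-VIP
    loadbalance vip inservice
    loadbalance policy LB-PLAIN
    connection advanced-options SET_TOS

interface vlan 100
  service-policy input CLIENT-VIPS
```

With (b) the trade-off Kanwal describes stands: every request to AF21-VIP is marked, including paths outside /aaa/ and /bbb/ that (a) would have left at TOS 0, so traffic that must stay unmarked belongs behind a separate VIP.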
ACE 4710 and load balancing with sticky cookie
Configuring load balancing with SSL termination and stickiness for a couple of citrix xenapp servers. I'm doing a source-NAT as the ACE resides in the DMZ and these particular servers reside on the inside arm of the firewall. The ACE is in bridged mode to load balance web servers that reside in the DMZ. Everything seems to work just fine, but the cookie stickiness does not seem to be working.
Hi David,
As you may know, using Wireshark to look at an HTTPS capture is only useful if you've installed the server SSL key. This is why I find it easier to use something like LiveHTTPHeaders or HTTPWatch.
When using cookie-insert, the ACE will not create any dynamic cookie entries. It will simply create one static entry for each rserver with a cookie value, such as R3911631338, and any client that gets load balanced to that rserver will receive a cookie with that value. So what you see there is what is expected.
You are correct in that when using location cookies that the server supplies, the ACE will create a dynamic entry when it sees the server response with the cookie. The cookie is included in the server's response, and the ACE will look for the value as configured. The cookie will also be sent to the client. If the cookie is not in the server's first response, you will need enable persistence-rebalance so that it will look in subsequent server responses. If the browser opens new connections with that cookie, then the ACE will stick to the same server.
My suggestion would be to get sticky working with cookie-insert first. Then if that meets your needs, go with that permanently. If you need to use server cookies, then once cookie insert is working, migrate your sticky to cookie location.
Sean
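Added example (not Sean's or David's config) of the two sticky modes Sean describes, so the migration path is concrete: start with an ACE-inserted cookie, then switch to learning the server's own session cookie. Cookie names, sticky group, farm, VIP and SSL-proxy names are assumptions.

```text
! Step 1: cookie insert -- one static entry per rserver, independent of what XenApp sends
sticky http-cookie ACE_STICKY XENAPP-INSERT
  cookie insert browser-expire
  serverfarm XENAPP-FARM

! Step 2: learn the server-supplied cookie -- ACE creates a dynamic entry when it sees
! the Set-Cookie in the server response. Cookie name is an assumption; use the one XenApp sets.
sticky http-cookie ASP.NET_SessionId XENAPP-LEARN
  timeout 30
  serverfarm XENAPP-FARM

! Needed for step 2 when the cookie is not in the server's first response
parameter-map type http XENAPP-HTTP
  persistence-rebalance

policy-map type loadbalance first-match XENAPP-LB
  class class-default
    sticky-serverfarm XENAPP-INSERT
    ! once step 1 sticks, change the line above to: sticky-serverfarm XENAPP-LEARN

policy-map multi-match CLIENT-VIPS
  class XENAPP-VIP
    loadbalance vip inservice
    loadbalance policy XENAPP-LB
    appl-parameter http advanced-options XENAPP-HTTP
    ssl-proxy server XENAPP-SSL

! Verify: static entries appear for insert mode, dynamic entries for learned cookies
show sticky database static
show sticky database
```

Because the VIP terminates SSL, a capture on the server-side VLAN shows the decrypted request and the cookie the ACE inserted, which is often quicker than loading the server key into Wireshark on the client side.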
Currently testing our new Exchange servers behind our ACE 4710 in QA.
I have 2 Exchange servers in 1 server farm behind the ACE. No SSL being used.
All seems to be working through the MAPI client, but the OWA web connection seems to be timing out quickly.
Any ideas on what could be causing this timeout ?
Do I have to configure a timeout period for these connections ?
Any help would be appreciated.
Cheers
Dave
Can you share your config?
Need help to Configure Cisco ACE 4710 Cluster Deployment
Dear Experts,
I'm a newbie to the Cisco ACE 4710, and I'm still in the learning stage. Meanwhile I got a chance at my work place to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two application servers based on HTTP and HTTPS traffic. So I was looking for a good deployment guide in the Cisco SBA knowledge base and finally found this guide.
http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
This guide is totally fine for my required deployment model. I have the same deployment environment as this guide describes, with the ACE cluster connected to two Cisco 3750X (Stack) switches. But I have some points of confusion in this guide.
This guide follows "One-armed mode" as the deployment method. But when I go through it further I have noticed that they have configured the server VLAN as 10.4.49.0/24 (all servers reside in it) and the client-side VIP also in the same VLAN, which is 10.4.49.100/24 (even the NAT pool too).
My confusion is, as I have learned about the Cisco ACE 4710 one-armed mode deployment method, it should have two VLAN segments, one for the client side where client requests come in and hit the VIP, and a second one for the server side, which means basically two VLANs. So please be kind enough to go through the above document and tell me where I am wrong and what I should do for the best. Please, this is urgent, so I need your help quickly.
Thanks....!
-Amal-
Dear Kanwal,
I need quick help from you. Following are the application LB requirements which I received from my client side.
Following detail required for configuring Oracle EBS Apps tier on HA:
LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
Suggested IP and Name for LBR:
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm detail for LBR Setup
Following detail will be use for configuring the LBR:
LBR IP and Name :
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm Detail for LBR setup:
Server 1 (EBS App1 Node, ap1ebs):
IP : 172.25.45.19
Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, the actual hostname will be used]
Protocol: http
Port: 8000
Server 2 (EBS App2 Node, ap2ebs):
IP : 172.25.45.20
Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, the actual hostname will be used]
Protocol: http
Port: 8000
Since my client needs to access the URL ebiz.xxxx.lk, which should be resolved to IP 172.25.45.21 (virtual IP) via http (80), before they deployed the app on the two servers I just ran a web service on both servers (Linux) and tried to access http://172.25.45.21; it was working fine and gave me the index.html page. Now after my client has deployed the application, when he tries to access the page http://172.25.45.21 he cannot see his main login page. But my testing web servers are still there on both servers: when I type http://172.25.45.21 I get the index.html page, but not my client's web login page. What can I do about this?
Following are my latest config :
probe http Get-Method
description Check to url access /OA_HTML/OAInfo.jsp
interval 10
faildetect 2
passdetect interval 30
request method get url /OA_HTML/OAInfo.jsp
expect status 200 200
probe udp http-8000-iRDMI
description IRDMI (HTTP - 8000)
port 8000
probe http http-probe
description HTTP Probes
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
request method get url /index.html
expect status 200 200
probe https https-probe
description HTTPS traffic
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
ssl version all
request method get url /index.html
probe icmp icmp-probe
description ICMP PROBE FOR TO CHECK ICMP SERVICE
rserver host ebsapp1
description ebsapp1.xxxx.lk
ip address 172.25.45.19
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
rserver host ebsapp2
description ebsapp2.xxxx.lk
ip address 172.25.45.20
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
serverfarm host ebsppsvrfarm
description ebsapp server farm
failaction purge
predictor response app-req-to-resp samples 4
probe http-probe
probe icmp-probe
inband-health check log 5 reset 500
retcode 404 404 check log 1 reset 3
rserver ebsapp1 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
rserver ebsapp2 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
sticky http-cookie jsessionid HTTP-COOKIE
cookie insert browser-expire
replicate sticky
serverfarm ebsppsvrfarm
class-map type http loadbalance match-any default-compression-exclusion-mime-type
description DM generated classmap for default LB compression exclusion mime types.
2 match http url .*gif
3 match http url .*css
4 match http url .*js
5 match http url .*class
6 match http url .*jar
7 match http url .*cab
8 match http url .*txt
9 match http url .*ps
10 match http url .*vbs
11 match http url .*xsl
12 match http url .*xml
13 match http url .*pdf
14 match http url .*swf
15 match http url .*jpg
16 match http url .*jpeg
17 match http url .*jpe
18 match http url .*png
class-map match-all ebsapp-vip
2 match virtual-address 172.25.45.21 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match ebsapp-vip-l7slb
class default-compression-exclusion-mime-type
serverfarm ebsppsvrfarm
class class-default
compress default-method deflate
sticky-serverfarm HTTP-COOKIE
policy-map multi-match int455
class ebsapp-vip
loadbalance vip inservice
loadbalance policy ebsapp-vip-l7slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 455
interface vlan 455
ip address 172.25.45.36 255.255.255.0
peer ip address 172.25.45.35 255.255.255.0
access-group input ALL
nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input int455
no shutdown
ft interface vlan 999
ip address 10.1.1.1 255.255.255.0
peer ip address 10.1.1.2 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 999
ft group 1
peer 1
no preempt
priority 110
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 172.25.45.1
Hope you will reply to me soon
Thanks....!
-Amal-
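Added example, not Amal's posted config. The requirement list says the EBS application tier listens on port 8000, but the posted serverfarm sends traffic to port 80, where the temporary test web servers still answer with index.html; and the only HTTP probe in use checks /index.html, which those test servers satisfy. The fragment below sends the VIP's port-80 traffic to port 8000 and probes the application URL there. Everything not shown stays as in the posted config; the expected status 200 for /OA_HTML/OAInfo.jsp is an assumption to verify against the application.

```text
! Probe the application, on the application port
probe http Get-Method
  description Check to url access /OA_HTML/OAInfo.jsp
  port 8000
  interval 10
  faildetect 2
  passdetect interval 30
  passdetect count 2
  request method get url /OA_HTML/OAInfo.jsp
  expect status 200 200

! Serverfarm: rserver port 8000 so the ACE translates VIP :80 -> server :8000
serverfarm host ebsppsvrfarm
  description ebsapp server farm
  failaction purge
  probe Get-Method
  probe icmp-probe
  rserver ebsapp1 8000
    inservice
  rserver ebsapp2 8000
    inservice

! Verify: the probe must pass against the EBS page, and both rservers must show OPERATIONAL
show probe Get-Method detail
show serverfarm ebsppsvrfarm detail
```

The unused `probe udp http-8000-iRDMI` can be removed: a UDP probe says nothing about an HTTP listener on TCP 8000.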
Cannot Telnet to ACE 4710 after upgrade to A4(2.3)
I have a pair of ACE 4710s with 12 contexts sharing the load, running A4(2.1). Yesterday I upgraded one of them to A4(2.3)
Now I cannot telnet to the Admin context. Pings OK. I can telnet to other contexts on the box and everything seems to be working OK.
When I do a "sh telnet"
it comes back with
No Session Information is available
sh telnet maxsessions
telnet maxsessions 16
Can anybody help?
Further to this post, it was not a resource problem as I had allocated 5% for the Admin context.
I upgraded the IOS Saturday evening, could not telnet in, tried again on Sunday, same result,
though this morning (Monday) I can now telnet in OK, very strange.
I was connecting via the AUX line of a 2851 router to the console port.
When I disconnected this morning I saw the following message
INIT: id "T0" respawning too fast : disabled for 5 minutes
Not sure if this is a 2851 message or an ACE message, but after getting that message is when I was able to telnet in.
Was it a coincidence?
Anybody any ideas?
ACE 4710: Possible to allow a user to clear counters but nothing else?
Hello all,
Using an ACE 4710 we have a user setup with the Network-Monitor role which allows the user to view config, interface status, etc. We would also like to allow this user to clear the interface error counters as well, but nothing else. Is this possible?
Thanks!
Hello Brandon-
Network-Monitor only lets you browse outputs; it is not a role that allows a user to make any changes, including clearing stats. You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.
i.e.
ACE# conf t
ACE(config)# role MyRole
ACE(config-role)# rule 1 permit modify feature ?
AAA AAA related commands
access-list ACL related commands
connection TCP/UDP related commands
fault-tolerant Fault tolerance related commands
inspect Appln inspection related commands
interface Interface related commands
loadbalance Loadbalancing policy and class commands
pki PKI related commands
probe Health probe related commands
rserver Real server related commands
serverfarm Serverfarm related commands
ssl SSL related commands
sticky Sticky related commands
vip Virtual server related commands
You can create a permit or deny rule, and within that, create/debug/modify/monitor each feature separately.
Domains allow you to create containers for objects. You can place specific rservers, serverfarms, etc. into it - then apply it to a role so that the user assigned to it can only touch those objects.
Regards,
Chris Higgins
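Added example, not Chris's, of the closest least-privilege shape the role and domain model allows: monitor everything, modify only the interface feature, and only for objects in one domain. As Chris says, this still cannot be narrowed to a single command; `modify feature interface` also lets the user shut the interface or change its addressing, so treat it as a conscious trade-off. Role, domain, VLAN and user names, and the password, are assumptions.

```text
! Custom role: read-only plus modify rights on the interface feature only
role IFACE_OPS
  rule 1 permit monitor
  rule 2 permit modify feature interface

! Domain: restrict the role's reach to one VLAN interface
domain DMZ_IFACES
  add-object interface vlan 11

! Bind user to role and domain (password is a placeholder)
username brandon password 0 ChangeMe-Now role IFACE_OPS domain DMZ_IFACES

! Verify what the user can reach before handing over the account
show role IFACE_OPS
show domain DMZ_IFACES
show users
```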
ACE 4710 in bridge mode not working
I am trying to configure ACE 4710 bridge mode and I am stuck in the physical interface configuration. I have configured gig1/2 of the ACE as a trunk port and on the layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried a trunk port also but it got disabled due to a BPDU error.
I am not able to ping servers as well as gateway. Below are the topology and context configuration:
Router (vlan 13: IP 172.16.11.254)
|
ACE (int gig1/2)
|
L2 Switch
|
Servers (vlan 11: IP 172.16.11.1 and 172.16.11.2)
Admin Context
===========
resource-class rc1
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 0.20 maximum unlimited
boot system image:c4710ace-mz.A3_2_4.bin
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
switchport trunk allowed vlan 11,13
no shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
shutdown
access-list ALL line 8 extended permit ip any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 1000
ip address 172.16.16.16 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.16.254
context test
allocate-interface vlan 11
allocate-interface vlan 13
member rc1
test Context
=========
access-list bpdu-fixup ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
rserver host srv1
  ip address 172.16.11.1
  inservice
rserver host srv2
  ip address 172.16.11.2
  inservice
serverfarm host srv
  rserver srv1
    inservice
  rserver srv2
    inservice
sticky ip-netmask 255.255.255.255 address both SG1
  timeout 120
  serverfarm srv
class-map type management match-any remote-mgmt
  201 match protocol snmp any
  202 match protocol ssh any
  203 match protocol icmp any
  204 match protocol http any
  205 match protocol https any
  206 match protocol xml-https any
class-map match-all slb-vip
  2 match virtual-address 172.16.11.10 any
policy-map type management first-match remote-mgmt
  class remote-mgmt
    permit
policy-map type loadbalance first-match slb
  class class-default
    sticky-serverfarm SG1
policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply
interface vlan 11
  bridge-group 1
  access-group input bpdu-fixup
  access-group input ALL
  access-group output ALL
  no shutdown
interface vlan 13
  bridge-group 1
  access-group input bpdu-fixup
  access-group input ALL
  access-group output ALL
  service-policy input remote-mgmt
  service-policy input client-vips
  no shutdown
interface bvi 1
  ip address 172.16.11.9 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.11.254
Could you please suggest where I am going wrong?
Thanks,
Pawan
"I tried trunk port also but it got disabled" <----- if your L2 config is not correct, nothing will work.
What is the setup on the switch? Trunk or access VLAN?
What is the status of the interface? Up? Down?
Do you see something in your ARP table?
Gilles.
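A sanity check for the bridged context posted above, added here as an example (not Cisco's or the poster's code): it parses the ACE context config text and reports the invariants a bridge-mode context must satisfy on the ACE side, namely both VLAN interfaces in one bridge-group, a BVI with an address for that group, the BPDU ethertype ACL applied inbound on each bridged VLAN, and rservers, VIP and default gateway inside the BVI subnet. The CONFIG string is constructed from the posted "test" context; the check cannot see the switch-side trunk/access settings Gilles asks about, which have to be verified on the switch.

```python
import ipaddress
import re

# Constructed input: the lines of the "test" context posted above that the checks need.
CONFIG = """access-list bpdu-fixup ethertype permit bpdu
rserver host srv1
  ip address 172.16.11.1
class-map match-all slb-vip
  2 match virtual-address 172.16.11.10 any
interface vlan 11
  bridge-group 1
  access-group input bpdu-fixup
interface vlan 13
  bridge-group 1
  access-group input bpdu-fixup
interface bvi 1
  ip address 172.16.11.9 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.16.11.254
"""

def check_bridge_config(text):
    """Lint an ACE bridge-mode context; returns a list of problems (empty means OK)."""
    vlans, bvis, addrs, bpdu_acls, section = {}, {}, {}, set(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"access-list (\S+) ethertype permit bpdu", line):
            bpdu_acls.add(m.group(1))                      # ACL that lets BPDUs through
        elif m := re.match(r"interface vlan (\d+)", line):
            section = vlans.setdefault(m.group(1), {"bridge": None, "acls": set()})
        elif m := re.match(r"interface bvi (\d+)", line):
            section = bvis.setdefault(m.group(1), {})
        elif m := re.match(r"rserver host (\S+)", line):
            section = addrs.setdefault("rserver " + m.group(1), {})
        elif m := re.match(r"ip address (\S+) (\S+)", line):   # BVI: address + mask
            section["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"ip address (\S+)$", line):        # rserver: address only
            section["ip"] = ipaddress.ip_address(m.group(1))
        elif m := re.match(r"bridge-group (\d+)", line):
            section["bridge"] = m.group(1)
        elif m := re.match(r"access-group input (\S+)", line):
            section["acls"].add(m.group(1))
        elif m := re.match(r"\d+ match virtual-address (\S+)", line):
            addrs["vip"] = {"ip": ipaddress.ip_address(m.group(1))}
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            addrs["default gateway"] = {"ip": ipaddress.ip_address(m.group(1))}
    problems = [f"vlan {v}: no ethertype ACL permitting BPDUs applied inbound"
                for v, d in vlans.items() if d["bridge"] and not d["acls"] & bpdu_acls]
    for g in {d["bridge"] for d in vlans.values() if d["bridge"]}:
        bvi_ip = bvis.get(g, {}).get("ip")
        if bvi_ip is None:
            problems.append(f"bridge-group {g}: no 'interface bvi {g}' with an ip address")
        else:   # rservers, VIP and gateway must share the BVI's subnet in bridge mode
            problems += [f"{n} {d['ip']} is outside the BVI subnet {bvi_ip.network}"
                         for n, d in addrs.items() if d["ip"] not in bvi_ip.network]
    return problems
```

Running it on the posted context returns no problems, so the ACE-side layout is consistent and the remaining suspect is the switch port facing gig1/2.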
ACE 4710. Unable to clear ssh sessions
Hi.
Once in the CLI of an ACE 4710, using the command "clear ssh session id", I am unable to clear/kill any of the established remote SSH sessions.
According to the administration guide, the "clear ssh ..." command should clear the sessions, but it does not. Or maybe I am missing something?
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/administration/guide/access.html#wp1050335
ACE/CONTEXTO_A# show ssh session-info
Session ID Remote Host Active Time
13728 222.98.54.158:50556 67:43:38
13732 200.44.158.70:46172 67:43:36
13735 200.44.158.70:46174 67:43:36
13737 200.44.158.70:46177 67:43:36
ACE/CONTEXTO_A#
ACE/CONTEXTO_A# clear ssh 13728
ACE/CONTEXTO_A# clear ssh 13732
ACE/CONTEXTO_A# clear ssh 13735
ACE/CONTEXTO_A# clear ssh 13737
ACE/CONTEXTO_A# show ssh session-info
Session ID Remote Host Active Time
13728 222.98.54.158:50556 67:43:54
13732 200.44.158.70:46172 67:43:52
13735 200.44.158.70:46174 67:43:52
13737 200.44.158.70:46177 67:43:52
Hello,
Seems to be working for me in my tests. Works in the Admin context and a user context, and when clearing connections from console connection or one of the SSH sessions.
ace-appliance-15/CTX1# sho ssh sess
Session ID Remote Host Active Time
24705 161.44.77.245:1586 0: 1:42
25100 161.44.77.245:1589 0: 0:27
25116 161.44.77.245:1590 0: 0:16
ace-appliance-15/CTX1# clear ssh 25116
ace-appliance-15/CTX1#
ace-appliance-15/CTX1# sho ssh sess
Session ID Remote Host Active Time
24705 161.44.77.245:1586 0: 2: 5
25100 161.44.77.245:1589 0: 0:50
What version of software are you running on your 4710? I am running the latest A3(2.4). Can you try this version?
Thanks,
Sean