Ace 4710 3.2.4 and script

Hi all,
I've got a problem with a script...
From the debug command I receive the message
'(ctx:1) TCLPROBE(hm_tcl_exit_proc): File open failed'
The same script works on the ACE module... Why can't the ACE 4710 read the script?
Thanks
Dan

Hi Gilles,
AceFemaster/FE# show probe script_ver_pippo_CS01_80 detail
probe : script_ver
type : SCRIPTED
state : ACTIVE
description :
port : 0 address : 0.0.0.0 addr type : -
interval : 15 pass intvl : 30 pass count : 2
fail count: 5 recv timeout: 10
script filename : script_ver.tcl
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
real : pippo_CS01[80]
serverfarm: S_pippo_80
1.1.1.1 80 REAL 2 2 0 FAILED
Socket state : RESET
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 30006
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Internal error: Script error
Last probe time : Tue Nov 17 15:07:35 2009
Last fail time : Tue Nov 17 15:07:20 2009
Last active time : Never
In debug I can see an empty string as the exit message...
2009 Nov 17 15:09:05.761594 scripted_hm: (ctx:1) TCLWT (scripted_hm_run_probe_msg): Received MTS_RUN_MSG
2009 Nov 17 15:09:05.761656 scripted_hm: (ctx:1)tcl_wt_create_qnode: temp_qnode 0x81137b8 em_msg 0xb689e054
2009 Nov 17 15:09:05.761695 scripted_hm: (ctx:1) TCL_UTIL(hm_tcl_associate_script_buf) - ENTER em_msg = 0xb689e054
2009 Nov 17 15:09:05.761725 scripted_hm: (ctx:1) TCL_UTIL (hm_tcl_associate_script_buf) : Associating script-buf with script_ver.tcl em_msg = 0xb689e054
2009 Nov 17 15:09:05.761755 scripted_hm: (ctx:1) TCL_UTIL(hm_tcl_find_script_buf) - ENTER
2009 Nov 17 15:09:05.761785 scripted_hm: (ctx:1) TCL_UTIL(hm_tcl_find_script_buf) - Found script buf
2009 Nov 17 15:09:05.761814 scripted_hm: (ctx:1)TCL_UTIL(hm_tcl_associate_script_buf) - EXIT
2009 Nov 17 15:09:05.761844 scripted_hm: (ctx:1) TCLWT(tcl_wt_create_qnode): Created qnode 81137b8
2009 Nov 17 15:09:05.761454 scripted_hm: (ctx:1)hm_tcl_run: pid 24428 return_fd 13 ZÕô·h^UØ·(Jî·
2009 Nov 17 15:09:05.762007 scripted_hm: (ctx:1) TCL_UTIL(hm_tcl_set_env_vars): arg list = "GET /pls/portal30/ecare.monitoring HTTP/1.0" html 0 172.18.255.172 80 OK
2009 Nov 17 15:09:05.762041 scripted_hm: (ctx:1) TCL_UTIL(hm_tcl_get_argcount) - ENTER, argv("GET /pls/portal30/ecare.monitoring HTTP/1.0" html 0 172.18.255.172 80 OK)
2009 Nov 17 15:09:05.762090 scripted_hm: (ctx:1)hm_tcl_run: About to run the TCL interpreter
2009 Nov 17 15:09:05.762387 scripted_hm: (ctx:1)Tcl_Itasca_SocketObjCmd: g_num_socket 1
2009 Nov 17 15:09:05.763381 scripted_hm: (ctx:1)tclret 1
2009 Nov 17 15:09:05.763524 scripted_hm: (ctx:1) TCLPROBE(hm_tcl_exit_proc): File open failed
2009 Nov 17 15:09:05.765827 scripted_hm: (ctx:1)TCL-WT(tcl_wt_process_interp_return) - ENTER
2009 Nov 17 15:09:05.765870 scripted_hm: (ctx:1) TCLWT(tcl_wt_process_interp_return): received error from scripted probe!
2009 Nov 17 15:09:05.765903 scripted_hm: (ctx:1) TCLWT(tclwt_send_em_msg): ENTER
2009 Nov 17 15:09:05.765932 scripted_hm: (ctx:1) TCL-WT(tclwt_send_em_msg): exit msg = empty string
2009 Nov 17 15:09:05.764984 scripted_hm: (ctx:1) TCLWT(tclwt_send_em_msg): EXIT without Error
2009 Nov 17 15:09:05.765015 scripted_hm: (ctx:1)TCL-WT(tcl_wt_process_interp_return) - EXIT
As for the network trace, I'm trying to obtain it.
Thanks a lot
Dan

Similar Messages

  • ACE 4710 A3(2.0) and ACS - TACACS+

    Hi.
    I am having trouble getting my ACE 4710 (A3(2.0) Build 3.0) to cooperate with my Cisco Secure ACS-server. In the same environment I have it working on my ACE Module, with the same configuration.
    ACE 4710:
    tacacs-server host 10.7.50.20 key 7 "fewhg"
    aaa group server tacacs+ tacacs_server_group
        server 10.7.50.20
        deadtime 15
    aaa authentication login default group tacacs_server_group local none
    aaa accounting default group tacacs_server_group local
    aaa authentication login error-enable
    ACS is configured correctly too. I have tried with several users, both in groups, with and without attributes and so forth. The ACS installation works with other devices and with my ACE modules running A2(3.1). I have tried this on both ACS 4.2(0).124 and 4.2(1).15.
    The strange part is what I see when I set up Wireshark on my ACS-server to look at the traffic. From what I can see, the ACE only sends a request to the AAA-server if the user exists locally. But I do not get authenticated and Failed Attempts show a line with Message-Type: "Unknown NAS".
    It seems like others have the same problem. The problem is that the link attached in the topic beneath only leads me back to the forum and not to a topic with a solution.
    https://supportforums.cisco.com/thread/132445?decorator=print&displayFullThread=true#132445
    Any help is appreciated and thanks in advance!

    Are you using telnet or ssh?
    If ssh, can you try telnet? Allow telnet on your management policy to do this. Then, if it works via telnet, try ssh again; if it now works, then you have hit CSCsu36078
    http://tools.cisco.com/squish/03240

  • Ace 4710 - same context routed and load-sharing

    Hi All
    Can an ACE 4710 have, in the same context, servers which are
    a. just being routed to
    b. a set of load-shared servers
    I have been told you may not be able to do this on this version
    Does anyone know if this is correct
    Thanks
    Steve

    Hi Boris
    I have been on the ACE course and before we install the 4700 box I have been
    asked to set up a test setup.
    This would involve having a context which would have one IP address range and
    a few PCs (pretending to be servers) and one which would be just routed.
    A colleague of mine seemed to think that something had been said on the course
    to the effect that if the ACE was deployed in line then you couldn't have some
    of your servers in load-sharing and some just routed on the same subnet and
    in the same context.
    Steve

  • ACE 4710 A3.2.5 and unknown script error (30009)

    Hi all,
    I've got a problem with scripted probes. In two contexts I have configured the same scripted probe:
    probe scripted PRO-SSL636
      port 636
      interval 5
      faildetect 2
      passdetect interval 10
      passdetect count 2
      receive 3
      script SSL_PROBE_SCRIPT
    In one context it works fine, in the other one I get the following error:
    serverfarm  : SRF-LDAPS
         real      : SRV123-DOMAIN-COM[0]
                    192.168.0.200 636   PROBE    0        0        0        INIT
       Socket state        : RESET
       No. Passed states   : 0         No. Failed states : 0
       No. Probes skipped  : 0         Last status code  : 30009
       No. Out of Sockets  : 0         No. Internal error: 16833
       Last disconnect err : Internal error: Unknown script error
       Last probe time     : Never
       Last fail time      : Never
       Last active time    : Never
    The script SSL_PROBE_SCRIPT is located in probe: with other Cisco-Standard-Scripts.
    Does anyone have an idea?
    Thanks for your help.
    swiss_ewok

    Hi Sven,
    quick question: did you load the script also in the context where it fails?
    Just check if you have "script file name " in your config.
    Thanks,
    Alessandro

  • Ace 4710 strange behaviour

    Hi, We have two ACE-4710-K9 (named LB01 and LB02) configured in HA mode. Besides Admin, on each of them there are three contexts configured, named ACADEMIC, COMMERCIAL, STREAMING. On LB01 the active context is ACADEMIC. On LB02 the active contexts are COMMERCIAL and STREAMING. Each context is configured with a FrontEnd and a BackEnd Vlan interface, and a "management" Vlan interface used for accessing and monitoring the device and for downloading the needed ssl certificates.
    Recently we upgraded the devices to Version A3(2.6) from a previous A3(2.4). After that upgrade we experienced some strange behaviour. From the context in STANDBY state we are not able to ping the host on the "management" Vlan interface, while there is no problem on the other Vlans. We see that the ICMP packets are sent to the Vlan and are replied to by the remote host BUT are not received at all on LB01 or LB02. No messages in the log. Trying 5 consecutive (failed) pings, we can see that the unicast packet output counter on the LB01/LB02 Vlan is incremented by 5 BUT the unicast packet input counter is unchanged even though the remote host sent the replies.
    In the STREAMING context this behaviour isn't constant, i.e. the ping *sometimes* starts working for a few seconds and then stops again. In the other standby context the ping never works. In the active context all works fine.
    This strange problem prevents us from loading the ssl certificates in the STANDBY context from the "management" Vlan. We were not able to find any reference to a similar problem in the Cisco documentation or TAC collection, so we are curious to know whether someone else has experienced such behaviour.
    Thank you and best regards.
    Alessandro Asson - CINECA

    Thanks,
    I see you are using shared VLAN config in both ACE.
    Same VLAN 1000 is used for both Admin and streaming context.
    In this config, you may need to use the shared-vlan-host-id command as explained here:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/routing_bridging/guide/vlansif.html#wp1025243
    In fact as explained:
    'By default, the bank of MAC addresses that the ACE uses is randomly selected at boot time. However, if you configure two ACE appliances in the same Layer 2 network and they are using shared VLANs, the ACEs may select the same address bank, which results in the use of the same MAC addresses. To avoid this conflict, you must configure the bank that the ACEs will use.'
    This would also reply to your question in the readme file:
    SHOW ARP TABLE ON THE D01,D02,D07 ROUTERS SHOWS THE SAME MAC ADDRESS FOR
    BOTH IP ADDRESSES OF LB01 AND LB02: is that normal ??
    Hope this helps,
    Dom.

  • ACE 4710 and mangled HTTP requests

    After replacing a Cisco CSS/SSL Accelerator and PIX firewall with an ACE 4710 to do load balancing and SSL encryption behind an ASA firewall we started seeing mangled HTTP requests in the Apache access logs for the servers in the server farm. Here is one example:
    XX.XX.XXX.XXX  - - [21/Oct/2012:01:42:12 -0500]  "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
    Rather than appearing just after the timestamp, the "POST /register/LServlet" is tacked on to header information that shouldn't even appear in the log. Also the first letter in that header information is always missing (heckoutFlag instead of checkoutFlag in this example).
    The mangled request always shows up as a 501 HTTP error and shows up late in the Apache access logs (timestamp is out of chronological order) and always appears with several duplicate POSTs:
    XX.XX.XXX.XXX - - [21/Oct/2012:01:42:23 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
    XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
    XX.XX.XX.XXX  - - [21/Oct/2012:01:42:12 -0500]   "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet"  "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
    XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
    This is occurring for several different URLs and not just the one above and for multiple web browsers.
    The ACE load balances to servers running Tomcat 7 with Apache HTTP server v. 2.2.14.
    A recent ACE software upgrade to A5(2.1) has not fixed the problem.
    Has anyone seen this before?
    Thanks for any insight you can provide.
    -Kari

    Hi Kari,
    Do you have a sample of the configuration which you got with the CSS?
    What is the current configuration which you got on the ACE?
    Can you show this output: # show stats http?
    Jorge
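
The symptom described in this thread (a request line glued onto stray bytes, logged with a 501, out of time order and next to duplicate POSTs) can be searched for across an access log. The following is an added example, not part of the original thread: the log lines are constructed (documentation addresses and example.com), and the function names and the 300-second window are assumptions.

```python
import re
from datetime import datetime

# Apache "combined" log format; \s+ tolerates doubled spaces in pasted logs.
LOG_RE = re.compile(
    r'^(?P<host>\S+)\s+\S+\s+\S+\s+\[(?P<time>[^\]]+)\]\s+"(?P<request>.*?)"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\S+)\s+"(?P<referer>[^"]*)"\s+"(?P<agent>[^"]*)"\s*$'
)
METHODS = r'(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|TRACE|CONNECT)'
REQUEST_LINE = rf'{METHODS} \S+ HTTP/\d\.\d'
WELL_FORMED_RE = re.compile(rf'^{REQUEST_LINE}$')
# A valid request line preceded by bytes that do not belong to it.
EMBEDDED_RE = re.compile(rf'^(?P<prefix>.+?)(?P<line>{REQUEST_LINE})$')

# Constructed sample, modelled on the entries quoted in the post above.
SAMPLE_LOG = '''
198.51.100.7 - - [21/Oct/2012:01:41:50 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; MSIE 9.0)"
192.0.2.10 - - [21/Oct/2012:01:42:23 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.example.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0)"
192.0.2.10 - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.example.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0)"
192.0.2.10 - - [21/Oct/2012:01:42:12 -0500] "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.example.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0)"
192.0.2.10 - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.example.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0)"
'''


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def find_mangled_requests(lines, window_seconds=300):
    """Flag entries whose request field is not a clean 'METHOD target HTTP/x.y'."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    findings = []
    for i, e in enumerate(entries):
        req = e["request"]
        if req == "-" or WELL_FORMED_RE.match(req):
            continue  # "-" is Apache's placeholder for an empty request
        m = EMBEDDED_RE.match(req)
        embedded = m.group("line") if m else None
        prefix = m.group("prefix") if m else req
        # Well-formed copies of the same request from the same client nearby in time.
        duplicates = 0
        if embedded:
            duplicates = sum(
                1 for o in entries
                if o is not e and o["host"] == e["host"] and o["request"] == embedded
                and abs((o["time"] - e["time"]).total_seconds()) <= window_seconds
            )
        findings.append({
            "host": e["host"],
            "time": e["time"].isoformat(),
            "status": e["status"],
            "leaked_prefix": prefix,        # bytes that preceded the request line
            "embedded_request": embedded,   # None if no request line was found at all
            "duplicates": duplicates,
            # Logged after an entry that carries a later timestamp.
            "out_of_order": i > 0 and e["time"] < entries[i - 1]["time"],
        })
    return findings


if __name__ == "__main__":
    for f in find_mangled_requests(SAMPLE_LOG.strip().splitlines()):
        print(f)
```

The leaked prefix is form body data (the quoted entries show field names such as pass1 and pass2), so flagged log lines should be handled as sensitive.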

  • ACE 4710 transparent LB with two Caches and two routers.

    Hello,
    I have an ACE 4710 that load balances two CacheFlows (Blue Coat). I am doing PBR on the routers to send the traffic destined to port 80 to the ACE and then the cache farm. After that the CacheFlow will get the page from the internet via two routers. The return traffic will match another PBR on the routers with source port 80 that will send it to the ACE, then the CacheFlow again ... then to the users.
    I am not using ip-spoofing on the CacheFlow for now. In the figure attached I created a VIP 0.0.0.0 0.0.0.0 port 80 on the interface on the ACE facing the routers, but the question is: do I have to create another VIP 0.0.0.0 0.0.0.0 port 80 on the interface on the ACE facing the CacheFlow, or just forward the traffic on the default route? What might be the default route, since I have to use two routers and I cannot use HSRP?
    Kindly I need some assistance
    Thank you and regards,
    George
    access-list PERMIT_ALL line 8 extended permit ip any any
    access-list CFLOW line 8 extended permit ip any any
    ip name-server 8.8.8.8
    ip name-server 4.2.2.2
    ##################################Config for Cache Cache Servers###################
    probe http CISCO_WWW_PROBE
      ip address 72.163.4.161
      interval 2
      faildetect 2
      passdetect interval 2
      passdetect count 5
      request method head url /index.html
      expect status 200 200
      exit
    probe http YAHOO_WWW_PROBE
      ip address 87.248.112.181
      interval 2
      faildetect 2
      passdetect interval 2
      passdetect count 5
      request method head url /index.html
      expect status 200 200
      exit
    serverfarm host TRANSPARENT_PROXY_SF
      description Transparent Proxy Farm
      transparent
      predictor hash url
      probe CISCO_WWW_PROBE
      probe YAHOO_WWW_PROBE
      rserver CFLOW01
        inservice
      rserver CFLOW02
        inservice
      exit
      exit
    ############################################# Router Cache Farm ############################
    probe icmp ICMP_PROBE
      description *** Probe for icmp health monitoring ***
      interval 5
      faildetect 2
      passdetect interval 60
      passdetect count 2
      exit
    rserver host Router01
      description Connection to Sodetel Router
      ip address 192.168.14.4
      probe ICMP_PROBE
      inservice
    rserver host Router02
      description Connection to IDM Router
      ip address 192.168.14.5
      probe ICMP_PROBE
      inservice
    serverfarm host Routers
      description Transparent Proxy Farm
      transparent
      predictor hash url
      probe ICMP_PROBE
      rserver Router01
        inservice
      rserver Router02
        inservice
      exit
      exit
    ################################# Management################################
    class-map type management match-any REMOTE_MGMT
      description Allow Remote management for below protocols
      8 match protocol icmp any
      9 match protocol ssh source-address 172.31.13.31 255.255.255.255
      10 match protocol ssh source-address 172.31.31.21 255.255.255.255
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
      class REMOTE_MGMT
        permit
    class-map match-all CFLO2Internet
      2 match virtual-address 0.0.0.0 0.0.0.0 any
    class-map match-all TRANSPARENT_VIP_CM
      2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
    policy-map type loadbalance first-match TRANSPARENT_LB_PM
      class class-default
        serverfarm TRANSPARENT_PROXY_SF backup Routers
    policy-map type loadbalance first-match CFLO2Internet_LB
      class class-default
        serverfarm Routers
    policy-map multi-match CFLO2Internet_PM
      class CFLO2Internet
        loadbalance vip inservice
        loadbalance policy CFLO2Internet_LB
        loadbalance vip icmp-reply active
        connection advanced-options TCP
    policy-map multi-match L3L4_PM
      class TRANSPARENT_VIP_CM
        loadbalance vip inservice
        loadbalance policy TRANSPARENT_LB_PM
        loadbalance vip icmp-reply active
        connection advanced-options TCP
    ====Interfaces======
    interface vlan 11
      description Interface between Routers and ACE
      ip address 192.168.14.2 255.255.255.224
      alias 192.168.14.1 255.255.255.224
      peer ip address 192.168.14.3 255.255.255.224
      no icmp-guard
      access-group input PERMIT_ALL
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      service-policy input L3L4_PM
      no shutdown
    interface vlan 21
      description Connection to CFlow ServerFarm
      ip address 192.168.12.2 255.255.255.224
      alias 192.168.12.1 255.255.255.224
      peer ip address 192.168.12.3 255.255.255.224
      no icmp-guard
      access-group input CFLOW
      service-policy input CFLO2Internet_PM ------>>>> Is this necessary???
      no shutdown

    Hi George,
    In the topology you described, only the service-policy in the interface towards the routers is necessary. For the traffic from the caches, the ACE will just forward to the default gateway.
    The only problem is, as you mentioned, that you cannot use HSRP. In that case, you can still configure two default gateways, but there is no way to predict which one the ACE will use at a given time (the way it does to select the one it will use is sending an ARP request to both gateways and using the one that replies first until the ARP entry expires)
    If you need to load-balance the traffic between both routers, then yes, you would need to configure a new VIP on the cache side and load-balanced to a transparent serverfarm composed of both routers.
    Regards
    Daniel

  • ACE 4710 and DSCP marking

    I'm trying to set DSCP flags in traffic from ACE 4710 to clients. Unfortunately it doesn't seem to work this way:
    class-map type http loadbalance match-any URL-AF21
      2 match http url /aaa/.*
      4 match http url /bbb/.*
    policy-map type loadbalance http first-match LB-WITH-DSCP
      class URL-AF21
        set ip tos 72
        serverfarm MyServerFram
      class default
        set ip tos 0
        serverfarm MyServerFram
    Traffic from ACE to Real Server is tagged but not traffic from ACE to clients.
    Any idea which config might work?

    Hi,
    If we are setting the TOS bit in the policy map, as you are doing, the TOS bit will only get set in the ACE-to-server leg of the connection. The ACE will not set the value for the traffic returning to clients.
    The way around this situation is to set the TOS bit via the parameter map and then call it under the class in the multi-match policy. In this way you will have the TOS bit set for both directions of the traffic (from ACE to server and from ACE to client). The downside of this approach will be that you won't be able to use it for a specific class of traffic.
    If you are interested in applying the TOS bit for the whole flows hitting a VIP then please follow this configuration example.
    parameter-map type connection SET_TOS
    set ip tos 72
    Regards,
    Kanwal

  • ACE 4710 and load balancing with sticky cookie

    Configuring load balancing with SSL termination and stickiness for a couple of citrix xenapp servers.  I'm doing a source-NAT as the ACE resides in the DMZ and these particular servers reside on the inside arm of the firewall.  The ACE is in bridged mode to load balance web servers that reside in the DMZ.  Everything seems to work just fine, but the cookie stickiness does not seem to be working.

    Hi David,
    As you may know, using Wireshark to look at an HTTPS capture is only useful if you've installed the server SSL key. This is why I find it easier to use something like LiveHTTPHeaders or HTTPWatch.
    When using cookie-insert, the ACE will not create any dynamic cookie entries.  It will simply create one static entry for each rserver with a cookie value, such as R3911631338, and any client that gets load balanced to that rserver will receive a cookie with that value.  So what you see there is what is expected.
    You are correct in that when using location cookies that the server supplies, the ACE will create a dynamic entry when it sees the server response with the cookie. The cookie is included in the server's response, and the ACE will look for the value as configured. The cookie will also be sent to the client. If the cookie is not in the server's first response, you will need to enable persistence-rebalance so that it will look in subsequent server responses. If the browser opens new connections with that cookie, then the ACE will stick to the same server.
    My suggestion would be to get sticky working with cookie-insert first.  Then if that meets your needs, go with that permanently.  If you need to use server cookies, then once cookie insert is working, migrate your sticky to cookie location.
    Sean

  • Xchange 2010 and ACE 4710

    Currently testing our new Exchange servers behind our ACE 4710 in QA.
    I have 2 Exchange servers in 1 server farm behind the ACE. No SSL being used.
    All seems to be working through the MAPI client, but the OWA web connection seems to be timing out quickly.
    Any ideas on what could be causing this timeout?
    Do I have to configure a timeout period for these connections?
    Any help would be appreciated.
    Cheers
    Dave

    Can you share your config?

  • Need help to Configure Cisco ACE 4710 Cluster Deployment

    Dear Experts,
    I'm a newbie to the Cisco ACE 4710, and I'm still in the learning stage. Meanwhile I got the chance at my workplace to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two Application Servers based on HTTP and HTTPS traffic. So I was looking for a good deployment guide in the Cisco SBA knowledge base and finally found this guide.
    http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
    This guide is totally fine for my required deployment model. I have the same deployment environment as this guide contains, with an ACE cluster that connects to two Cisco 3750X (Stack) switches. But some places in this guide confuse me.
    This guide follows the "One-armed mode" as a deployment method. But when I went through it further I noticed that they have configured the server VLAN as 10.4.49.0/24 (all servers reside in it) and the client-side VIP is also in the same VLAN, which is 10.4.49.100/24 (even the NAT pool also).
    My confusion is that, as I have learned about the Cisco ACE 4710 one-armed mode deployment method, it should have two VLAN segments: one for the client side, where client requests come in and hit the VIP, and a second one for the server side, which means basically two VLANs. So please be kind enough to go through the above document, then tell me what is wrong and what I should do for the best. Please, this is urgent, so I need your help quickly.
    Thanks....!
    -Amal-

    Dear Kanwal,
    I need quick help from you. Following are the Application LB requirements which I received from my client side.
    Following detail required for configuring Oracle EBS Apps tier on HA:
    LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
    Suggested IP and Name for LBR:
    IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
    ebiz.xxxx.lk [on port 80 for http protocol accessibility]
    This LBR IP & name must be resolve and respond on DNS network
    Server Farm detail for LBR Setup
    Following detail will be use for configuring the LBR:
    LBR IP and Name :
    IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
    ebiz.xxxx.lk [on port 80 for http protocol accessibility]
    This LBR IP & name must be resolve and respond on DNS network
    Server Farm Detail for LBR setup:
    Server 1 (EBS App1 Node, ap1ebs):
    IP : 172.25.45.19
    Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
    Protocol: http
    Port: 8000
    Server 2 (EBS App2 Node, ap2ebs):
    IP : 172.25.45.20
    Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
    Protocol: http
    Port: 8000
    Since my client needs to access URL ebiz.xxxx.lk which should be resolved by IP 172.25.45.21 (virtual IP) via http (80) before they deploy the app on the two servers I just ran web service on both servers (Linux) and was trying to access http://172.25.45.21 it was working fine and gave me index.html page. Now after my client has deployed the application then when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers when I type http://172.25.45.21 it will get index.html page, but not my client web login page. What can I do for this ?
    Following are my latest config :
    probe http Get-Method
      description Check to url access /OA_HTML/OAInfo.jsp
      interval 10
      faildetect 2
      passdetect interval 30
      request method get url /OA_HTML/OAInfo.jsp
      expect status 200 200
    probe udp http-8000-iRDMI
      description IRDMI (HTTP - 8000)
      port 8000
    probe http http-probe
      description HTTP Probes
      interval 10
      faildetect 2
      passdetect interval 30
      passdetect count 2
      request method get url /index.html
      expect status 200 200
    probe https https-probe
      description HTTPS traffic
      interval 10
      faildetect 2
      passdetect interval 30
      passdetect count 2
      ssl version all
      request method get url /index.html
    probe icmp icmp-probe
      description ICMP PROBE FOR TO CHECK ICMP SERVICE
    rserver host ebsapp1
      description ebsapp1.xxxx.lk
      ip address 172.25.45.19
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      probe http-probe
      inservice
    rserver host ebsapp2
      description ebsapp2.xxxx.lk
      ip address 172.25.45.20
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      probe http-probe
      inservice
    serverfarm host ebsppsvrfarm
      description ebsapp server farm
      failaction purge
      predictor response app-req-to-resp samples 4
      probe http-probe
      probe icmp-probe
      inband-health check log 5 reset 500
      retcode 404 404 check log 1 reset 3
      rserver ebsapp1 80
        conn-limit max 4000000 min 4000000
        probe icmp-probe
        inservice
      rserver ebsapp2 80
        conn-limit max 4000000 min 4000000
        probe icmp-probe
        inservice
    sticky http-cookie jsessionid HTTP-COOKIE
      cookie insert browser-expire
      replicate sticky
      serverfarm ebsppsvrfarm
    class-map type http loadbalance match-any default-compression-exclusion-mime-type
      description DM generated classmap for default LB compression exclusion mime types.
      2 match http url .*gif
      3 match http url .*css
      4 match http url .*js
      5 match http url .*class
      6 match http url .*jar
      7 match http url .*cab
      8 match http url .*txt
      9 match http url .*ps
      10 match http url .*vbs
      11 match http url .*xsl
      12 match http url .*xml
      13 match http url .*pdf
      14 match http url .*swf
      15 match http url .*jpg
      16 match http url .*jpeg
      17 match http url .*jpe
      18 match http url .*png
    class-map match-all ebsapp-vip
      2 match virtual-address 172.25.45.21 tcp eq www
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    policy-map type loadbalance first-match ebsapp-vip-l7slb
      class default-compression-exclusion-mime-type
        serverfarm ebsppsvrfarm
      class class-default
        compress default-method deflate
        sticky-serverfarm HTTP-COOKIE
    policy-map multi-match int455
      class ebsapp-vip
        loadbalance vip inservice
        loadbalance policy ebsapp-vip-l7slb
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 455
    interface vlan 455
      ip address 172.25.45.36 255.255.255.0
      peer ip address 172.25.45.35 255.255.255.0
      access-group input ALL
      nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
      service-policy input remote_mgmt_allow_policy
      service-policy input int455
      no shutdown
    ft interface vlan 999
      ip address 10.1.1.1 255.255.255.0
      peer ip address 10.1.1.2 255.255.255.0
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 999
    ft group 1
      peer 1
      no preempt
      priority 110
      associate-context Admin
      inservice
    ip route 0.0.0.0 0.0.0.0 172.25.45.1
    Hope you will reply me soon
    Thanks....!
    -Amal-

  • Cannot Telnet to ACE 4710 after upgrade to A4(2.3)

    I have a pair of ACE 4710s with 12 contexts sharing the load, running A4(2.1). Yesterday I upgraded one of them to A4(2.3).
    Now I cannot telnet to the Admin context. Pings OK. I can telnet to other contexts on the box and everything seems to be working OK.
    When I do a "sh telnet"
    it comes back with
    No Session Information is available
    sh telnet maxsessions
    telnet maxsessions 16
    Can anybody help?

    Further to this post, it was not a resource problem, as I had allocated 5% for the Admin context.
    I upgraded IOS Saturday evening and could not telnet in; tried again on Sunday, same result,
    though this morning (Monday) I can now telnet in OK. Very strange.
    I was connecting via the AUX line of a 2851 router to the console port.
    When I disconnected this morning I saw the following message:
    INIT: id "T0" respawning too fast : disabled for  5 minutes
    Not sure if this is a 2851 message or an ACE message, but after getting that message is when I was able to telnet in.
    Was it a coincidence?
    Anybody any ideas?

  • ACE 4710: Possible to allow a user to clear counters but nothing else?

    Hello all,
    Using an ACE 4710 we have a user setup with the Network-Monitor role which allows the user to view config, interface status, etc.  We would also like to allow this user to clear the interface error counters as well, but nothing else.  Is this possible?
    Thanks!

    Hello Brandon-
    Network-Monitor only lets you browse outputs; it is not a role that allows a user to make any changes, including clearing stats.  You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.
    i.e.
    ACE# conf t
    ACE(config)# role MyRole
    ACE(config-role)# rule 1 permit modify feature ?
      AAA             AAA related commands
      access-list     ACL related commands
      connection      TCP/UDP related commands
      fault-tolerant  Fault tolerance related commands
      inspect         Appln inspection related commands
      interface       Interface related commands
      loadbalance     Loadbalancing policy and class commands
      pki             PKI related commands
      probe           Health probe related commands
      rserver         Real server related commands
      serverfarm      Serverfarm related commands
      ssl             SSL related commands
      sticky          Sticky related commands
      vip             Virtual server related commands
    You can create a permit or deny rule and, within that, create/debug/modify/monitor each feature separately.
    Domains allow you to create containers for objects.  You can place specific rservers, serverfarms, etc. into it - then apply it to a role so that the user assigned to it can only touch those objects.
    Regards,
    Chris Higgins
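
    An added example, not part of the reply above and not Cisco code: a short Python audit that reads `role` blocks from an ACE configuration and lists every feature a role may create, modify or debug, so a custom role built on the advice above can be checked for grants beyond the intended feature. The sample configuration and the role name `Operators` are constructed; the script reports permit rules only and does not model how the ACE resolves overlapping permit and deny rules.

```python
import re

# Constructed sample: custom roles in the shape shown in the reply above.
SAMPLE_CONFIG = """\
role MyRole
  rule 1 permit monitor
  rule 2 permit modify feature interface
role Operators
  rule 1 permit create feature rserver
  rule 2 permit modify feature serverfarm
  rule 3 deny debug feature probe
"""

ROLE_RE = re.compile(r"^role\s+(\S+)\s*$")
RULE_RE = re.compile(
    r"^\s+rule\s+(\d+)\s+(permit|deny)\s+(create|debug|modify|monitor)"
    r"(?:\s+feature\s+(\S+))?\s*$"
)

def parse_roles(config):
    """Return {role: [(number, action, operation, feature or 'all'), ...]}."""
    roles, current = {}, None
    for line in config.splitlines():
        role = ROLE_RE.match(line)
        rule = RULE_RE.match(line)
        if role:
            current = role.group(1)
            roles[current] = []
        elif rule and current:
            num, action, op, feature = rule.groups()
            # A rule with no "feature" keyword is treated here as covering all features.
            roles[current].append((int(num), action, op, feature or "all"))
        elif line.strip() and not line[0].isspace():
            current = None  # any other top-level line ends the role block
    return roles

def write_grants(rules):
    """Permit rules for create/debug/modify: what the role can change."""
    return sorted({(op, feat) for _, action, op, feat in rules
                   if action == "permit" and op != "monitor"})

def exceeds(rules, allowed_features):
    """Write-type grants on features outside the intended set."""
    return [g for g in write_grants(rules) if g[1] not in allowed_features]

if __name__ == "__main__":
    for name, rules in parse_roles(SAMPLE_CONFIG).items():
        print(name, write_grants(rules), exceeds(rules, {"interface"}))
```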

  • ACE 4710 in bridge mode not working

    I am trying to configure ACE 4710 bridge mode and I am stuck on the physical interface configuration. I have configured gig1/2 of ACE as trunk port and on layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried trunk port also but it got disabled due to BPDU error.
    I am not able to ping servers as well as gateway. Below are the topology and context configuration:
    Router   (vlan 13: IP 172.16.11.254)
         |
    ACE     (int gig1/2)
         |
    L2 Switch
         |
    Servers (vlan 11: IP 172.16.11.1 and 11.2)
    Admin Context
    ===========
    resource-class rc1
      limit-resource all minimum 0.00 maximum unlimited
      limit-resource sticky minimum 0.20 maximum unlimited
    boot system image:c4710ace-mz.A3_2_4.bin
    interface gigabitEthernet 1/1
      switchport access vlan 1000
      no shutdown
    interface gigabitEthernet 1/2
      switchport trunk allowed vlan 11,13
      no shutdown
    interface gigabitEthernet 1/3
      shutdown
    interface gigabitEthernet 1/4
      shutdown
    access-list ALL line 8 extended permit ip any any
    access-list everyone line 8 extended permit ip any any
    access-list everyone line 16 extended permit icmp any any
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    interface vlan 1000
      ip address 172.16.16.16 255.255.255.0
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.16.16.254
    context test
      allocate-interface vlan 11
      allocate-interface vlan 13
      member rc1
    test Context
    =========
    access-list bpdu-fixup ethertype permit bpdu
    access-list ALL line 8 extended permit ip any any
    access-list ALL line 16 extended permit icmp any any
    rserver host srv1
      ip address 172.16.11.1
      inservice
    rserver host srv2
      ip address 172.16.11.2
      inservice
    serverfarm host srv
      rserver srv1
        inservice
      rserver srv2
        inservice
    sticky ip-netmask 255.255.255.255 address both SG1
      timeout 120
      serverfarm srv
    class-map type management match-any remote-mgmt
      201 match protocol snmp any
      202 match protocol ssh any
      203 match protocol icmp any
      204 match protocol http any
      205 match protocol https any
      206 match protocol xml-https any
    class-map match-all slb-vip
      2 match virtual-address 172.16.11.10 any
    policy-map type management first-match remote-mgmt
      class remote-mgmt
        permit
    policy-map type loadbalance first-match slb
      class class-default
        sticky-serverfarm SG1
    policy-map multi-match client-vips
      class slb-vip
        loadbalance vip inservice
        loadbalance policy slb
        loadbalance vip icmp-reply
    interface vlan 11
      bridge-group 1
      access-group input bpdu-fixup
      access-group input ALL
      access-group output ALL
      no shutdown
    interface vlan 13
      bridge-group 1
      access-group input bpdu-fixup
      access-group input ALL
      access-group output ALL
      service-policy input remote-mgmt
      service-policy input client-vips
      no shutdown
    interface bvi 1
      ip address 172.16.11.9 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.16.11.254
    Could you pls. suggest where I am going wrong?
    Thanks,
    Pawan

    " I tried trunk port also but it got disabled"   <----- if your L2 config is not correct, nothing will work.
    What is the setup on the switch ? Trunk or access vlan ?
    What is the status of the interface ? up ? down ?
    Do you see something in your arp table ?
    Gilles.

  • ACE 4710. Unable to clear ssh sessions

    Hi.
    Once in the CLI of an ACE 4710, using the command "clear ssh session id" I am unable to clear/kill any of the remote ssh sessions established.
    According to the administration guide, the "clear ssh .." command must clear the sessions, but it does not, or maybe I am missing something?
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/administration/guide/access.html#wp1050335
    ACE/CONTEXTO_A# show ssh session-info
    Session ID     Remote Host         Active Time
    13728          222.98.54.158:50556   67:43:38
    13732          200.44.158.70:46172   67:43:36
    13735          200.44.158.70:46174   67:43:36
    13737          200.44.158.70:46177   67:43:36
    ACE/CONTEXTO_A#
    ACE/CONTEXTO_A# clear ssh 13728
    ACE/CONTEXTO_A# clear ssh 13732
    ACE/CONTEXTO_A# clear ssh 13735
    ACE/CONTEXTO_A# clear ssh 13737
    ACE/CONTEXTO_A# show ssh session-info
    Session ID     Remote Host         Active Time
    13728          222.98.54.158:50556   67:43:54
    13732          200.44.158.70:46172   67:43:52
    13735          200.44.158.70:46174   67:43:52
    13737          200.44.158.70:46177   67:43:52

    Hello,
    Seems to be working for me in my tests.  Works in the Admin context and a user context, and when clearing connections from console connection or one of the SSH sessions.
    ace-appliance-15/CTX1# sho ssh sess
    Session ID     Remote Host         Active Time
    24705          161.44.77.245:1586     0: 1:42
    25100          161.44.77.245:1589     0: 0:27
    25116          161.44.77.245:1590     0: 0:16
    ace-appliance-15/CTX1# clear ssh 25116
    ace-appliance-15/CTX1#
    ace-appliance-15/CTX1# sho ssh sess
    Session ID     Remote Host         Active Time
    24705          161.44.77.245:1586     0: 2: 5
    25100          161.44.77.245:1589     0: 0:50
    What version of software are you running on your 4710?  I am running the latest A3(2.4).  Can you try this version?
    Thanks,
    Sean
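
    An added example (not from either poster, and not Cisco tooling): a Python check that parses two `show ssh session-info` captures and reports which cleared session IDs are still listed for the same remote peer with a timer that kept counting. The captures embedded below are copied from the two posts above; the function names are this example's own.

```python
import re

# Captures from the question on this page: before and after four `clear ssh` commands.
Q_BEFORE = """\
Session ID     Remote Host         Active Time
13728          222.98.54.158:50556   67:43:38
13732          200.44.158.70:46172   67:43:36
13735          200.44.158.70:46174   67:43:36
13737          200.44.158.70:46177   67:43:36
"""
Q_AFTER = """\
Session ID     Remote Host         Active Time
13728          222.98.54.158:50556   67:43:54
13732          200.44.158.70:46172   67:43:52
13735          200.44.158.70:46174   67:43:52
13737          200.44.158.70:46177   67:43:52
"""
# Captures from the reply: before and after `clear ssh 25116`.
R_BEFORE = """\
24705          161.44.77.245:1586     0: 1:42
25100          161.44.77.245:1589     0: 0:27
25116          161.44.77.245:1590     0: 0:16
"""
R_AFTER = """\
24705          161.44.77.245:1586     0: 2: 5
25100          161.44.77.245:1589     0: 0:50
"""

# id, host:port, then h:m:s where the device pads single digits with spaces
ROW_RE = re.compile(r"^\s*(\d+)\s+([\d.]+):(\d+)\s+(\d+)\s*:\s*(\d+)\s*:\s*(\d+)\s*$")

def parse_sessions(output):
    """Map session ID -> (remote host, remote port, active seconds)."""
    sessions = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:  # headers, prompts and blank lines do not match
            sid, host, port, h, mi, s = m.groups()
            sessions[int(sid)] = (host, int(port), int(h) * 3600 + int(mi) * 60 + int(s))
    return sessions

def not_cleared(before, after, cleared_ids):
    """Cleared IDs still listed for the same peer with a timer that kept running."""
    b, a = parse_sessions(before), parse_sessions(after)
    return [sid for sid in cleared_ids
            if sid in b and sid in a
            and a[sid][:2] == b[sid][:2] and a[sid][2] >= b[sid][2]]
```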
