ACE 4710 IPS Signature
Hi,
Will ACE 4710 support for IPS features?
Regards,
Lingaraj R N
+91-9920944501
Hi Lingaraj,
Are you looking for any specific features?
Please go through the below link which is security configuration guide for security features available in ACE.
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/appinsp.html
Let me know if you have any doubts.
Regards,
Kanwal
Similar Messages
-
I'm using an ACE 4710 in a new datacenter, with the following setup:
2/4 physical ethernet interfaces port channeled into port-channel 1
2/4 physical ethernet interfaces port channeled into port-channel 2
I have the following vlans defined:
1001 - admin - interface ip: 10.53.136.70
400 - client side - interface ip: 10.53.136.100
500 - server side - interface ip: 192.168.128.1
999 - fault tolerance - interface ip: 192.168.11.2
My problem is I am trying to nat ssh and web server traffic from the client side, to the server side, but it's never getting to the server. For example, if I ssh to 10.53.136.102, it times out. (10.53.136.102 should get nat'd to 192.168.128.2)
Also, I can connect to the ACE 4710 via telnet using 10.53.136.70, but cannot connect to 10.53.136.100.
I'm thinking there is either something wrong with the port-channels, or the access lists. On the other hand there could be something wrong with the nat'ing, but I had it working before switching over to the port-channels.
Any thoughts?
Thanks,
BrentI've attached the two contexts which we are using. The admin context is new_lb_config.txt and the second context where the loadbalancing occurs is in the new_lb_config_VC_WBPX.txt file.
From the load balancer, I am able to ping the real server ips in the 192.168. ip range. The 4710 recognizes that they are in service.
I believe the ACL for the VLAN 400 is set to permit all traffic, but I don't know if the service policies are preventing something from happening.
Right now, I have disconnected the two 4710s and I am only working on one of them to see if I can get the basic connectivity going. Once I accomplish that, I will work on high availability. I'll have to check whether it thinks it is in passive mode...not entirely sure how to do that, but I will check it out.
Thanks,
Brent -
I am using an ACE 4710 and am converting incoming WSS username tokens to SAML Tokens - authenicating against Tivoli directory.
The receiving web service is attempting to validate the SAML token but fails on digest verification. i.e. calculates the digest value over the SAML token and compares to the digest in the Xml Signature block.
Is anybody else using SAML tokens?
Has anyone else seen a similar problem?By adding SAML assertions to outgoing requests, the ACE XML Gateway can act as an asserting party for systems that rely on SAML credentials. The SAML assertions generated by the ACE XML Gateway can be in the form of a SAML 1.0, SAML 1.1, or SAML 2.0 credential.
The following url may help you;
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_xml_gateway/v52/user/guide/axg_ug_backendauth.html#wp1049962 -
reposted from another forum:
Am using an ACE 4710 and am converting incoming WSS username tokens to SAML Tokens - authenicating against Tivoli directory.
The receiving web service is attempting to validate the SAML token but fails on digest verification. i.e. calculates the digest value over the SAML token and fails when comparing to the digest in the Xml Signature block.
Is anybody else using SAML tokens?
Has anyone else seen a similar problem?You are right we are using transport encryption (SSL) to protect the WSS Password.
We then use LDAP to authenticate the username/password and create a SAML token using attributes from LDAP. The ACE Xml Gateway creates this SAML token, signs it and inserts into the SOAP header that is forwarded to our service.
At our service we are trying to verify the signed SAML token. The error we are seeing is the Xml signature digest created by the ACE XML Gateway is wrong.
With XML signature some Xml referenced by an ID is canonicalised, hashed (digest created) and then this digest is encrypted using the private key of some certificate.
On receipt we repeat the process, canonicalise and hash the Xml referenced and compare our computed digest to the one created by the ACE device. This is where we get the error. We are using the standard canonicalisation and hashing algorithms (c14n and SHA1 respectively). Our code can successfully verify SAML tokens from other sources. -
Need help to Configure Cisco ACE 4710 Cluster Deployment
Dear Experts,
I'm newbie for Cisco ACE 4710, and still I'm in learning stage. Meanwhile I got chance at my work place to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two Application Servers based on HTTP and HTTPS traffic. So I was looking for good deployment guide in Cisco SBA knowledge base then finall found this guide.
http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
This guide totally fine with my required deployment model. I have same deployment environment as this guide contains with ACE cluster that connects to two Cisco 3750X (Stack) switches. But I have some confusion places in this guide
This guide follow the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured server VLAN as a 10.4.49.0/24 (all servers reside in it) and Client side VIP also in same VLAN which is 10.4.49.100/24 (even NAT pool also).
My confusion is, as I have learned about Cisco ACE 4710 one-armed mode deployment method, it should has two VLAN segments, one for Client side which client request come and hit the VIP and then second one for Server side. which means besically two VLANs. So please be kind enough to go through above document then tell me where is wrong, what shoud I need to do for the best. Please this is an urgent, so need your help quickly.
Thanks....!
-Amal-Dear Kanwal,
I need quick help for you. Following are the Application LB requirements which I received from my clinet side.
Following detail required for configuring Oracle EBS Apps tier on HA:
LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
Suggested IP and Name for LBR:
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm detail for LBR Setup
Following detail will be use for configuring the LBR:
LBR IP and Name :
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm Detail for LBR setup:
Server 1 (EBS App1 Node, ap1ebs):
IP : 172.25.45.19
Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Server 2 (EBS App2 Node, ap2ebs):
IP : 172.25.45.20
Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Since my client needs to access URL ebiz.xxxx.lk which should be resolved by IP 172.25.45.21 (virtual IP) via http (80) before they deploy the app on the two servers I just ran web service on both servers (Linux) and was trying to access http://172.25.45.21 it was working fine and gave me index.html page. Now after my client has deployed the application then when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers when I type http://172.25.45.21 it will get index.html page, but not my client web login page. What can I do for this ?
Following are my latest config :
probe http Get-Method
description Check to url access /OA_HTML/OAInfo.jsp
interval 10
faildetect 2
passdetect interval 30
request method get url /OA_HTML/OAInfo.jsp
expect status 200 200
probe udp http-8000-iRDMI
description IRDMI (HTTP - 8000)
port 8000
probe http http-probe
description HTTP Probes
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
request method get url /index.html
expect status 200 200
probe https https-probe
description HTTPS traffic
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
ssl version all
request method get url /index.html
probe icmp icmp-probe
description ICMP PROBE FOR TO CHECK ICMP SERVICE
rserver host ebsapp1
description ebsapp1.xxxx.lk
ip address 172.25.45.19
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
rserver host ebsapp2
description ebsapp2.xxxx.lk
ip address 172.25.45.20
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
serverfarm host ebsppsvrfarm
description ebsapp server farm
failaction purge
predictor response app-req-to-resp samples 4
probe http-probe
probe icmp-probe
inband-health check log 5 reset 500
retcode 404 404 check log 1 reset 3
rserver ebsapp1 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
rserver ebsapp2 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
sticky http-cookie jsessionid HTTP-COOKIE
cookie insert browser-expire
replicate sticky
serverfarm ebsppsvrfarm
class-map type http loadbalance match-any default-compression-exclusion-mime-type
description DM generated classmap for default LB compression exclusion mime types.
2 match http url .*gif
3 match http url .*css
4 match http url .*js
5 match http url .*class
6 match http url .*jar
7 match http url .*cab
8 match http url .*txt
9 match http url .*ps
10 match http url .*vbs
11 match http url .*xsl
12 match http url .*xml
13 match http url .*pdf
14 match http url .*swf
15 match http url .*jpg
16 match http url .*jpeg
17 match http url .*jpe
18 match http url .*png
class-map match-all ebsapp-vip
2 match virtual-address 172.25.45.21 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match ebsapp-vip-l7slb
class default-compression-exclusion-mime-type
serverfarm ebsppsvrfarm
class class-default
compress default-method deflate
sticky-serverfarm HTTP-COOKIE
policy-map multi-match int455
class ebsapp-vip
loadbalance vip inservice
loadbalance policy ebsapp-vip-l7slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 455
interface vlan 455
ip address 172.25.45.36 255.255.255.0
peer ip address 172.25.45.35 255.255.255.0
access-group input ALL
nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input int455
no shutdown
ft interface vlan 999
ip address 10.1.1.1 255.255.255.0
peer ip address 10.1.1.2 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 999
ft group 1
peer 1
no preempt
priority 110
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 172.25.45.1
Hope you will reply me soon
Thanks....!
-Amal- -
Cannot Telnet to ACE 4710 after upgrade to A4(2.3)
I have a pair of ACE 4710s with 12 contexts sharing the load, running A4(2.1). Yesterday I upgraded one of them to A4(2.3)
now I cannot telnet to the Admin context.Pings ok. I can telnet to other contexts on the box and everything seems to be working ok
when i do a " sh telnet"
comes back with
No Session Information is available
sh telnet maxsessions
telnet maxsessions 16
Can anybody help?further this post, it was not a resource problem as had allocated 5% for the Admin context.
I up graded IOS Saturday evening, could not Telnet in, tried again on Sunday same result,
though this morning (Monday) Can now telnet in ok very strange
I was connecting via the AUX line of a 2851 router to the console port.
whe I disconnected this morning I saw the following message
INIT: id "T0" respawning too fast : disabled for 5 minutes
not sure if this is a 2851 message or an ACE message, but after getting that message is when I was able to Telnet in
was it a coincidence
anybody any ideas -
Is it really possible to revert IPS signatures from CSM
Hi folks,
I've been trying to revert IPS signatures that I deployed through CSM Signature policies to the older release but it doesn't seem to be working. Contrary to it Cisco's CSM guide says:
If you later decide that you did not want to apply a signature update, you can revert to the
previous update level by selecting the Signatures policy on the device, clicking the View
Update Level button, and clicking Revert
I can't imagine it is possible as the signatures are normally compiled into xml files. How would the sensor do it ?
EugeneDuring installation a copy of files that will be replaced or updated during the installation will be copied into a backup directory.
The CLI has a "downgrade" command that can uninstall the last update, and the backup copies will be used to replace the files being removed.
A few things to be aware of:
1) Old configuration will be copied back. So changes made since the update may be lost.
2) This works only for Engine Updates and Signature Updates. Major Updates, Minor Updates, and Service Packs replace the complete operating system so there is too much data to try and make backup copies for.
3) This works only for the last update installed. Once you've downgraded the latest one, you can't downgrade the previous one.
4) This can be done through CLI, and now also available in CSM.
Here are some things to check in your situation where it appears to not be working.
Login to the sensor and execute "show ver".
Does the history in the "show ver" output show a Signature Update package as the last update installed?
If not then either another downgrade was previously done, or a Major Update, Minor Update, or Service Pack was the last package installed and can't be downgraded.
If it can't be done through CSM you might try the CLI' "downgrade" command and see if it works through the CLI or if the CLI gives you an error and explanation. -
ACE 4710: Possible to allow a user to clear counters but nothing else?
Hello all,
Using an ACE 4710 we have a user setup with the Network-Monitor role which allows the user to view config, interface status, etc. We would also like to allow this user to clear the interface error counters as well, but nothing else. Is this possible?
Thanks!Hello Brandon-
Network-Monitor only lets you browse outputs, it is a not a role that allows a user to make any changes including clearing stats. You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.
i.e.
ACE# conif t
ACE(config)# role MyRole
ACE(config-role)# rule 1 permit modify feature ?
AAA AAA related commands
access-list ACL related commands
connection TCP/UDP related commands
fault-tolerant Fault tolerance related commands
inspect Appln inspection related commands
interface Interface related commands
loadbalance Loadbalancing policy and class commands
pki PKI related commands
probe Health probe related commands
rserver Real server related commands
serverfarm Serverfarm related commands
ssl SSL related commands
sticky Sticky related commands
vip Virtual server related commands
You can create a permit or deny rule, within that, create/debug/modify/monitor each feature seperately.
Domains allow you to create containers for objects. You can place specific rservers, serverfarms, etc. into it - then apply it to a role so that the user assigned to it can only touch those objects.
Regards,
Chris Higgins -
ACE 4710 in bridge mode not working
I am trying to configure ACE 4710 bridge mode and I am stuck up in physical interface configuration. I have configured gig1/2 of ACE as trunk port and on layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried trunk port also but it got disabled due to BPDU error.
I am not able to ping servers as well as gateway. Below are the topology and context configuration:
Router (vlan 13: IP 172.16.11.254)
|
ACE (int gig1/2)
|
L2 Switch
|
Servers (vlan 11: IP 172.16.11.1 and 11.2)
Admin Context
===========
resource-class rc1
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 0.20 maximum unlimited
boot system image:c4710ace-mz.A3_2_4.bin
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
switchport trunk allowed vlan 11,13
no shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
shutdown
access-list ALL line 8 extended permit ip any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 1000
ip address 172.16.16.16 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.16.254
context test
allocate-interface vlan 11
allocate-interface vlan 13
member rc1
test Context
=========
access-list bpdu-fixup ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
rserver host srv1
ip address 172.16.11.1
inservice
rserver host srv2
ip address 172.16.11.2
inservice
serverfarm host srv
rserver srv1
inservice
rserver srv2
inservice
sticky ip-netmask 255.255.255.255 address both SG1
timeout 120
serverfarm srv
class-map type management match-any remote-mgmt
201 match protocol snmp any
202 match protocol ssh any
203 match protocol icmp any
204 match protocol http any
205 match protocol https any
206 match protocol xml-https any
class-map match-all slb-vip
2 match virtual-address 172.16.11.10 any
policy-map type management first-match remote-mgmt
class remote-mgmt
permit
policy-map type loadbalance first-match slb
class class-default
sticky-serverfarm SG1
policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply
interface vlan 11
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
no shutdown
interface vlan 13
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
service-policy input remote-mgmt
service-policy input client-vips
no shutdown
interface bvi 1
ip address 172.16.11.9 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.11.254
Could you pls. suggest where I am doing wrong?
Thanks,
Pawan" I tried trunk port also but it got disabled" <----- if your L2 config is not correct, nothing will work.
What is the setup on the switch ? Trunk or access vlan ?
What is the status of the interface ? up ? down ?
Do you see something in your arp table ?
Gilles. -
ACE 4710 - show stats connection questions
Hi,
I have three questions regarding the "show stats connection" command in the ACE 4710:
1. What is the criteria for a connection to be added to the "Total Connections Failed" counter?
2. What is the criteria for a connection to be added to the "Total Connections Timed-out" counter?
3. Is there a command to get more information why the connection was failed or timed-out (e.g. to/from which IP, url accessed etc.)?
Thanks in advance for your help!
Best regards,
HarryHarry,
a connection failed if the server did not respond or resonded with a RST.
As long as the connection gets establised, it is counted as a success.
The connection timeout counter is incremented when the connection is idle for the configured timeout value or for L7 connections if it does not complete the 3-way handshale within the embryonic timeout interval.
Since this is clear why those counters are incrementing, the only way to get more information is to capture a sniffer trace to verify if the conditions above are met.
Gilles. -
ACE 4710. Unable to clear ssh sessions
Hi.
Once in the CLI of an ACE 4710, using the command "clear ssh session id" I am unable to clear/kill any of the remote ssh sessions established.
According to the administration guide, the "clear ssh .." command must clear the sessions, but it does not, or maybe I am missing something?
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/administration/guide/access.html#wp1050335
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Tabla normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
ACE/CONTEXTO_A# show ssh session-info
Session ID Remote Host Active Time
13728 222.98.54.158:50556 67:43:38
13732 200.44.158.70:46172 67:43:36
13735 200.44.158.70:46174 67:43:36
13737 200.44.158.70:46177 67:43:36
ACE/CONTEXTO_A#
ACE/CONTEXTO_A# clear ssh 13728
ACE/CONTEXTO_A# clear ssh 13732
ACE/CONTEXTO_A# clear ssh 13735
ACE/CONTEXTO_A# clear ssh 13737
ACE/CONTEXTO_A# show ssh session-info
Session ID Remote Host Active Time
13728 222.98.54.158:50556 67:43:54
13732 200.44.158.70:46172 67:43:52
13735 200.44.158.70:46174 67:43:52
13737 200.44.158.70:46177 67:43:52Hello,
Seems to be working for me in my tests. Works in the Admin context and a user context, and when clearing connections from console connection or one of the SSH sessions.
ace-appliance-15/CTX1# sho ssh sess
Session ID Remote Host Active Time
24705 161.44.77.245:1586 0: 1:42
25100 161.44.77.245:1589 0: 0:27
25116 161.44.77.245:1590 0: 0:16
ace-appliance-15/CTX1# clear ssh 25116
ace-appliance-15/CTX1#
ace-appliance-15/CTX1# sho ssh sess
Session ID Remote Host Active Time
24705 161.44.77.245:1586 0: 2: 5
25100 161.44.77.245:1589 0: 0:50
What version of software are you running on your 4710? I am running the latest A3(2.4). Can you try this version?
Thanks,
Sean -
ACE 4710 and mangled HTTP requests
After replacing a Cisco CSS/SSL Accelorator and PIX firewall with an ACE 4710 to do load balancing and SSL encryption behind an ASA firewall we started seeing mangled HTTP requests in the Apache access logs for the servers in the server farm. Here is one example:
XX.XX.XXX.XXX - - [21/Oct/2012:01:42:12 -0500] "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
Rather than appearing just after the timestamp, the "POST /register/LServlet" is tacked on to header information that shouldn't even appear in the log. Also the first letter in that header information is always missing (heckoutFlag instead of checkoutFlag in this example).
The mangled request always shows up as a 501 HTTP error and shows up late in the Apache access logs (timestamp is out of chronogical order) and always appears with several duplicate POSTs:
XX.XX.XXX.XXX - - [21/Oct/2012:01:42:23 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
XX.XX.XX.XXX - - [21/Oct/2012:01:42:12 -0500] "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
This is occurring for several different URLs and not just the one above and for multiple web browsers.
The ACE load balances to servers running Tomcat 7 with Apache HTTP server v. 2.2.14.
A recent ACE software upgrade to A5(2.1) has not fixed the problem.
Has anyone seen this before?
Thanks for any insight you can provide.
-KariHi Kari,
Do you have a sample of the configuration which you got with the CSS?
What is the current configuration which you got on the ACE?
Can you shows this output: # show stats http?
Jorge -
Facing Issue in ACE 4710 ..Secondary ACE showing as FSM_FT_STATE_STANDBY_COLD ...
Hi All ,
I am facing problem with my ACE 4710 in active-standby environment . When I check Show ft group detail on my Active ACE , it shows peer state as
FSM_FT_STATE_STANDBY_COLD for Admin context . Below is the output :
Primary_ACE/Admin#sh ft group detail
FT Group : 1
No. of Contexts : 1
Context Name : Admin
Context Id : 0
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
My Config Priority : 120
My Net Priority : 120
My Preempt : Enabled
Peer State : FSM_FT_STATE_STANDBY_COLD
Peer Config Priority : 100
Peer Net Priority : 100
Peer Preempt : Enabled
Peer Id : 1
Last State Change time : Tue Jan 1 05:32:55 2002
Running cfg sync enabled : Enabled
Running cfg sync status : Peer in Cold State. Error on Standby device when
applying configuration file replicated from active
Startup cfg sync enabled : Enabled
Startup cfg sync status : Peer in Cold State. Startup configuration sync ha
[7m--More--[m
s completed
Bulk sync done for ARP: 0
Bulk sync done for LB: 0
Bulk sync done for ICM: 0
FT Group : 2
No. of Contexts : 1
Context Name : APP_Context
Context Id : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
My Config Priority : 120
My Net Priority : 120
My Preempt : Enabled
Peer State : FSM_FT_STATE_STANDBY_HOT
Peer Config Priority : 100
Peer Net Priority : 100
Peer Preempt : Enabled
Peer Id : 1
Last State Change time : Tue Jan 1 05:32:56 2002
Running cfg sync enabled : Enabled
[7m--More--[m
Running cfg sync status : Running configuration sync has completed
Startup cfg sync enabled : Enabled
Startup cfg sync status : Startup configuration sync has completed
Bulk sync done for ARP: 0
Bulk sync done for LB: 0
Bulk sync done for ICM: 0
Also when I give show ft config-errors on my secondary ACE it gives the following result .
Secondary_ACE/Admin#sh ft config-error
Mon Jun 10 00:04:11 IST 2002
`no 3 match virtual-address 10.40.3.15 tcp eq https`
Error: LB action requires match vip command
`no 3 match virtual-address 10.40.3.15 tcp eq 8082`
Error: LB action requires match vip command
`no 3 match virtual-address 10.40.3.21 tcp eq www`
Error: LB action requires match vip command
`no 3 match virtual-address 10.40.3.21 tcp eq https`
Error: LB action requires match vip command
`2 match virtual-address 10.40.3.21 tcp eq https`
Error: This configuration already exists
`2 match virtual-address 10.40.3.21 tcp eq www`
Error: This configuration already exists
`2 match virtual-address 10.40.3.15 tcp eq 8082`
Error: This configuration already exists
`2 match virtual-address 10.40.3.15 tcp eq https`
Error: This configuration already exists
Error(s) while applying config.
I am attaching the running configuration of both the ACE's . Kindly help me in resolving the issue .
Also I noticed one thing . There is configuration difference in Primary and Secondary ACE . I guess this is causing the issue .
Need help to fix this asap .
Following configuration is missing on the secondary ACE .
======================================================================
class-map match-all WEB_FARM_VIP-80
3 match virtual-address 10.40.3.15 tcp eq www
policy-map type loadbalance first-match WEB_FARM_VIP-80-l7slb
class class-default
serverfarm HTTP-2-HTTPS
class WEB_FARM_VIP-80
loadbalance vip inservice
loadbalance policy WEB_FARM_VIP-80-l7slb
Thanks ,
TusharDear all,
Pls help me out in this regard, I dont have much idea about ACE.
Regards,
Sashi -
Correct procedure to update IOS IPS signatures on 2911 router
What is the correct procedure to update the IOS IPS signatures on an 2911 router?
I know how to download the signatures file (eg. IOS-S556-CLI.pkg) but what is the correct way to install the update?
Thank you in advance!The IPS signature package comes with a list of pre-enabled signatures, hence Cisco does not recommend enabling a lot more other signatures, especially not every single signature as documented.
The reason why is because the package might include retired/old signatures only for references, and not every single signature is required to protect your environment because you might not have the traffic for some signatures, you might not have some end hosts that are written with specific signatures, therefore, it becomes irrelevant if you enable it.
Typically here is how customer would enable/disable signatures:
- Use the default signature that is enabled by Cisco (the default should fit majority of the customers).
- Monitor it for a couple of months
- Disable those that you don't need, and enable others if you think you require it for specific. -
ACE 4710 Web Optimization Licnesing
I currently have a 4710 running the 1Gbps package. We are utilizing Application Acceleration and are comg very close to hitting our 10,000 Web Optimization connection limit. I am trying to find out how to upgrade that.
I see in our license usage an option of ACE-AP-OPT-UP1-K9 but can find no information on this part number. Does anyone know if this is even available and what it brings you connection limit to?
ACE01/Admin# show license usage
License Ins Lic Status Expiry Date Comments
Count
ACE-AP-C-UP1 No - Unused -
ACE-AP-C-UP2 No - Unused -
ACE-AP-C-UP3 No - Unused -
ACE-AP-01-LIC No - Unused -
ACE-AP-01-UP1 No - Unused -
ACE-AP-02-LIC No - Unused -
ACE-AP-02-UP1 No - Unused -
ACE-AP-04-LIC No - Unused -
ACE-AP-04-UP1 No - Unused -
ACE-AP-04-UP2 No - Unused -
ACE-AP-VIRT-5 No - Unused -
ACE-AP-500M-LIC No - Unused -
ACE-AP-VIRT-020 No - Unused -
ACE-AP-C-100-LIC No - Unused -
ACE-AP-C-500-LIC Yes 1 In use never -
ACE-AP-C-500-UP1 No - Unused -
ACE-AP-OPT-50-K9 No - Unused -
ACE-AP-C-1000-LIC No - Unused -
ACE-AP-C-2000-LIC No - Unused -
ACE-AP-OPT-LIC-K9 Yes 1 In use never -
ACE-AP-OPT-UP1-K9 No - Unused -
ACE-AP-SSL-05K-K9 Yes 1 In use never -
ACE-AP-SSL-07K-K9 No - Unused -
ACE-AP-SSL-100-K9 No - Unused -
ACE-AP-SSL-UP1-K9 No - Unused -
ACE-AP-SSLUP-5K-K9 No - Unused -
ACE-AP-VIRT-020-UP No - Unused -Unfortunately, ACE-AP-OPT-LIC-K9 is not available on ACE4710 and
ACE 4710 cannot handle more than 10,000 concurrent connections..
When you use the ACE to perform a specific set of application
acceleration and optimization functions, and the ACE reaches the
maximum of 10,000 concurrent connections, the appliance stops
accepting any additional concurrent connections until the count
drops below 10,000.
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/command/reference/optimize.html#wp1048813
Regards,
Yuji
Maybe you are looking for
-
Potential Args, Computer shutting down while playing a game
I've only had this mac for 5 months, but it keeps shutting down while I'm playing StarCraft II. It should be able to handle the game, but it keeps telling me to restart and I have no idea what the error says or means. I'm not sure what (4 potential a
-
CF8 Multiserver IIS6-Jrun Broken Images
Hello All We have run into a problem with the multiserver install of CF8 Enterprise Edition. I would appreciate any insight into it. Server details: Web Servers IIS 6.0 on Windows 2003 Server Use the JRun connector to communicate with CF servers (.cf
-
Changes not reflected in iWeb 08 program
I have been making changes to my site, publishing them to the web and all is fine. When I close out iWeb (and SAVE) not all of my changes are reflected when I reopen iWeb. The published site is very fine, bu a lot of the changes I have made to the si
-
Hi guys, I am opening a PDF document in a child browser window and calling PrintWithDialog() in order to display the print dialog to encourage our users to print a document. What I then want to do is to close that dialog, or close the browser, while
-
Changes to rpt file not recognised
Post Author: annedonnelly CA Forum: General Hi,I've been asked to help a company whose software supplier is being a bit awkward. The software is a stock control package and some of the reports are created using Crystal.They want to make some minor ch