ACE 4710 LDAP probe

Folks,
We'll be adding a farm this weekend to do some kind of balance for LDAP and LDAPs servers.
I've been thinking about what would be the best way to probe that servers.
I assume an generic TCP probe has to be created testing 389 and 636, but i honestly don't know what should i expect coming from the real servers.
Does anyone have a LDAP farm in place or something like that.. ? I've found an script on the internet, but it seems a little bit further that what i can understand.. therefore i'm not really confident to use this.
Thanks for any advices.
Andre

Hi Andre,
You can use scripted ldap probe (LDAP_PROBE) available with ACE. It sends an anonymous bind request and check for bind success.
probe tcp LDAPS_Probe
port 636
probe tcp LDAP_Probe
port 389
This is how you can apply the script for LDAP port 389.
script file 1 LDAP_PROBE
probe scripted LDAP_PROBE_389
interval 5
passdetect interval 30
receive 5
script LDAP_PROBE
serverfarm host SF-LDAP-389
description SF LDAP Port 389
predictor leastconns
probe LDAP_PROBE_389
rserver LDAP-RS1-389
inservice
The only supported LDAP probe on the ACE module is the unsecure scripted probe,
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/script.html#wp1111558
The pre-made TCL script probes available from the Software download page also contains an LDAP probe that you can use to verify the health of the LDAP servers.
The ace_scripts.tgz zip file contains these scripts and is located at this URL:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6500-ace
To unzip this file, use the gunzip command in Exec mode,
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/slb/guide/script.html#wp1107470
For your convenience, the following sample scripts for the ACE are available to support the TCL feature and are supported by Cisco TAC:
•CHECKPORT_STD_SCRIPT
•ECHO_PROBE_SCRIPT
•FINGER_PROBE_SCRIPT
•FTP_PROBE_SCRIPT
•HTTP_PROBE_SCRIPT
•HTTPCONTENT_PROBE
•HTTPHEADER_PROBE
•HTTPPROXY_PROBE
•IMAP_PROBE
•LDAP_PROBE -----------------> "The LDAP probe you are looking for"
•MAIL_PROBE
•POP3_PROBE
•PROBENOTICE_PROBE
•RTSP_PROBE
•SSL_PROBE_SCRIPT
•TFTP_PROBE
Also remember that the binding request should be send as a binary and not via ASCII. To get a packet capture of a succeessful credential binding request with username and password and then convert this to HEX value and insert it in the script.
The easiest way is to capture a packet with the authentication credentials and then replace the hex bind string in the example.
The alternative is to handcode the BER coded ASN.1 data string - which while more fun is time consuming. The remainder of the script can stay the same.
You can do this on an ACE module. You have to be aware that 300c02010160 in the example script string is a sort of "header" that holds the request id (1). This will be different in your packet capture.
If you look at the decomposition of the example you'll be able to see how it is put together and what you need to change.
0x30 The start of a universal constructed sequence
0x0c The length of the sequence minus the tag and length bytes = 12 bytes
0x02 Next field is an integer
0x01 The length of the next field (1 byte)
0x01 Value (this is the message ID)
0x60 Application, number 0, use RFC2251 to decode. This is a Bind Request
0x07 Length of data to follow.
0x02 Integer
0x01 Length 1
0x03 3 - this is the LDAP version.
0x04 String
0x00 Length 0
0x80 Simple Authentication
0x00 Length 0
Just keep the id the same in the unbind.
The string I use is:
302d02010160280201030418636e3d41636550726f78792c6f3d556e69766572736974798009ffffffffffffffffff
where I've replaced the 9 character password with 9*x'ff'.
The username for binding is AceProxy. If you want to use the same script then create that username and set the password in the string above (in hex). If for example you set the password to Example12 then you need to set the 9*x'ff' to '4578616d706c653132' - which is the hex representation of the ASCII.
Note that if you use fewer or more than 9 characters then you'll need to change other values in the string because they refer to lengths.
You need to create a copy of the standard LDAP probe into your own file and then replace the hex string in the "puts" line which you identified above with the new string.
Then copy the file to the ACE:
ace1/ldap# copy ftp: disk0:
Enter source filename[]? My-LDAP_PROBE
Enter the destination filename[]? [My-LDAP_PROBE]
Enter hostname for the ftp server[]?
1.2.3.4
Enter username[]? anonymous
Enter the file transfer mode[bin/ascii]: [bin]
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
In the context create a scripted probe definition:
probe scripted PROBE-LDAP-389
interval 60
receive 20
script My-LDAP_PROBE
Load the script into the context:
script file 10 My-LDAP_PROBE
And then add it to the serverfarm:
serverfarm host FARM-LDAP
probe PROBE-LDAP-389
The manual implies that you can pass arguments to a scripted probe, but you would then have to build the hex string dynamically - taking care that all the length values were correct.
This should be enough to enable you to implement the script.
Find another example on this
URL:http://scuq.abyle.org/?page_id=201
#!name = ADV_LDAP_PROBE
#### > user for linux tclsh !/usr/bin/tclsh8.4
# Stefan Nistelberger
# changes to cisco's original probe
# * username and password with ldap simple bind (dynamically generated packets)
# * unable to connect exception handling
# * debug message for invalidCredentials
# debug procedure
# set the EXIT_MSG environment variable to help debug
# also print the debug message when debug flag is on
proc ace_debug { msg } {
    global debug ip port EXIT_MSG
    set EXIT_MSG $msg
    if { [ info exists ip ] && [ info exists port ] } {
        set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
    if { [ info exists debug ] && $debug } {
        puts $EXIT_MSG
# main
# parse cmd line args and initialize variables
## set debug value
set debug 1
if { [ regsub -nocase "DEBUG" $argv "" argv] } {
    set debug 1
ace_debug "initializing variable"
set EXIT_MSG "Error config: script ADV_LDAP_PROBE \[DEBUG\]"
set ip $scriptprobe_env(realIP)
set port "0"
set ldap_start "30"
set ldap_bindheader "02010160"
set ldap_bind "0201"
set ldap_version "02"
set ldap_gap1 "04"
set ldap_gap2 "80"
set ldap_bindheader_len 5
set base_len 0c
set ldap_simple_auth "8007"
proc toASCII { char } {
   scan $char %c value
   return [format %-x $value]
set username [ lindex $argv 0 ]
set hexusername ""
set password [ lindex $argv 1 ]
set hexpassword ""
foreach char [split $username ""] {
     set hexchar [toASCII $char]
     append hexusername $hexchar
foreach char [split $password ""] {
     set hexchar [toASCII $char]
     append hexpassword $hexchar
set username_len [string length $username]
ace_debug $username_len
set password_len [string length $password]
ace_debug $password_len
set base_len [expr 0x$base_len]
set seq_len [expr $username_len + $password_len + $base_len]
set sub_seq_len [expr $seq_len - $ldap_bindheader_len]
set seq_len [format %02x $seq_len]
set sub_seq_len [format %02x $sub_seq_len]
set hexldapbindpckt ""
append hexldapbindpckt $ldap_start
append hexldapbindpckt "$seq_len"
append hexldapbindpckt $ldap_bindheader
append hexldapbindpckt $sub_seq_len
append hexldapbindpckt $ldap_bind
append hexldapbindpckt $ldap_version
append hexldapbindpckt $ldap_gap1
append hexldapbindpckt [format %02x $username_len]
append hexldapbindpckt $hexusername
append hexldapbindpckt $ldap_gap2
append hexldapbindpckt [format %02x $password_len]
append hexldapbindpckt $hexpassword
# if port is zero the use well known ldap port 389
if { $port == 0 } {
    set port 389
#ace_debug $hexldapbindpckt
# PROBE START
set errorcode [catch {
        set sock [ socket $ip $port ]
} msg ]
if {$errorcode != 0} {
        ace_debug $msg
        exit 30002
fconfigure $sock -buffering line -translation binary
# anonymous bind request
#puts -nonewline $sock [ binary format "H*" 300c020101600702010304008000 ]
puts -nonewline $sock [ binary format "H*" $hexldapbindpckt ]
set code "ffffff"
flush $sock
ace_debug "bef"
set line [read $sock 22]
ace_debug "aft"
binary scan $line H* res
binary scan $line @15H6 code
close $sock
# make probe fail by exit with 30002 if ldap reply code != success code 0x0a0100
if { $code != "0a0100" } {
    if { $code == "0a0131" } {
        ace_debug " probe failed : expect response code \'0a0100\' but received
\'$code\' = invalidCredentials"
    } else {
        ace_debug " probe failed : expect response code \'0a0100\' but received
\'$code\'"
    exit 30002
## make probe success by exit with 30001
ace_debug "probe success"
exit 30001
URL for reference:
https://cisco-support.hosted.jivesoftware.com/thread/132800?decorator=print&displayFullThread=true
HTH
Sachin Garg

Similar Messages

ACE 4710 HTTP Probes

Using the ACE 4710 for loadbalancing a Sharepoint site.
We currently have a HTTP probe setup to check the port 80 status of the rserver.
Is there anyway to get the HTTP probe to check a DNS entry for each of the application sites? For instance http://info vs http://site are two different web sites running on the same IP. One site could have a problem but the actual port 80 for the IP may be still alive.
Thanks for any information.

Has anyone figure this out? I am tring to get healthchecks/probes setup in this same fashion. I have 2 servers with 1 IP but have many sites. I want to probe each side and ensure I get a 200 code. I also have to provide credentials to the site. It seems that if i open IE I can log in just fine to the site with the credentials. However there is an active x control box that is wanting to be installed. When I set this up on my ACE it seems I am getting a http 401 unauthorized error. I have done a wireshark capture while I was browsing and I see the 401 however it also reports a 200 code after that. Do you think this is a problem because of the active x control wanting to be downloaded? Or is this an issue with the first http code that is recieved by the probe, that being the 401 and then the 200? Below is my config (cleaned of course).
probe http HTTP-80-OUR.DOMAIN.COM
interval 15
passdetect interval 60
credentials
request method get url http://our.domain.com/default.aspx
expect status 200 200
header Host header-value "our.domain.com"
open 1
rserver host SERVER-A
ip address X.X.X.47
inservice
rserver host SERVER-B
ip address X.X.X.48
inservice
serverfarm host FARM-AB
predictor leastconns
probe HTTP-80-OUR.DOMAIN.COM
rserver SERVER-A
    inservice
rserver SERVER-B
    inservice
ACE4710# show probe HTTP-80-OUR.DOMAIN.COM detail
probe       : HTTP-80-OUR.DOMAIN.COM
type        : HTTP
state       : ACTIVE
description :
   port      : 80      address     : 0.0.0.0         addr type : -
   interval : 15      pass intvl : 60              pass count : 3
   fail count: 3       recv timeout: 10
   http method      : GET
   http url         : http://our.domain.com
   conn termination : GRACEFUL
   expect offset    : 0         , open timeout     : 1
   expect regex     : -
   send data        : -
                ------------------ probe results ------------------
   associations ip-address      port porttype probes   failed   passed   health
   ------------ ---------------+-----+--------+--------+--------+--------+------
   serverfarm : OUR.DOMAIN.COM-10.25.4.12-L3-FARM
     real      : SERVER-A[0]
                X.X.X.47      80    DEFAULT 414      406      8        FAILED
   Socket state        : CLOSED
   No. Passed states   : 1         No. Failed states : 2
   No. Probes skipped : 0         Last status code : 401
   No. Out of Sockets : 0         No. Internal error: 0
   Last disconnect err : Received invalid status code
   Last probe time     : Wed Jun 2 17:44:18 2010
   Last fail time      : Wed Jun 2 13:37:04 2010
   Last active time    : Wed Jun 2 13:34:19 2010
     real      : SERVER-B[0]
                X.X.X.48      80    DEFAULT 414      406      8        FAILED
   Socket state        : CLOSED
   No. Passed states   : 1         No. Failed states : 2
   No. Probes skipped : 0         Last status code : 401
   No. Out of Sockets : 0         No. Internal error: 0
   Last disconnect err : Received invalid status code
   Last probe time     : Wed Jun 2 17:44:20 2010
   Last fail time      : Wed Jun 2 13:37:06 2010
   Last active time    : Wed Jun 2 13:34:21 2010

ACE 4710 http probe get url question

I am trying to create a http probe using the request method get url command. My url contains a question mark and the ACE will not accept the url as is and it strips out the question mark character. Is there a way to make the ace accept a url containg a question mark?
probe http HTTP_PROBE
port 9040
interval 10
faildetect 5
passdetect interval 60
expect status 200 200
open 1
The url I am trying to enter is /psp/epprod/?cmd=login
When I enter it the ACE does as shown below
(config-probe-http)# request method get url /psp/epprod/?
<LINE>
ACE-APP-02/vc_peoplesoft(config-probe-http)# request method get url /psp/epprod/cmd=login
It strips out the ? character.

Hi Nicholas,
To enter a question mark you need to type ctrl+v prior to entering the ?
You enter the control key then lowercase v, then your question mark.
HTH
Pablo

Need help to Configure Cisco ACE 4710 Cluster Deployment

Dear Experts,
I'm newbie for Cisco ACE 4710, and still I'm in learning stage. Meanwhile I got chance at my work place to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two Application Servers based on HTTP and HTTPS traffic. So I was looking for good deployment guide in Cisco SBA knowledge base then finall found this guide.
http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
This guide totally fine with my required deployment model. I have same deployment environment as this guide contains with ACE cluster that connects to two Cisco 3750X (Stack) switches. But I have some confusion places in this guide
This guide follow the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured server VLAN as a 10.4.49.0/24 (all servers reside in it) and Client side VIP also in same VLAN which is 10.4.49.100/24 (even NAT pool also).
My confusion is, as I have learned about Cisco ACE 4710 one-armed mode deployment method, it should has two VLAN segments, one for Client side which client request come and hit the VIP and then second one for Server side. which means besically two VLANs. So please be kind enough to go through above document then tell me where is wrong, what shoud I need to do for the best. Please this is an urgent, so need your help quickly.
Thanks....!
-Amal-

Dear Kanwal,
I need quick help for you. Following are the Application LB requirements which I received from my clinet side.
Following detail required for configuring Oracle EBS Apps tier on HA:
LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
Suggested IP and Name for LBR:
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm detail for LBR Setup
Following detail will be use for configuring the LBR:
LBR IP and Name :
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm Detail for LBR setup:
Server 1 (EBS App1 Node, ap1ebs):
IP : 172.25.45.19
Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Server 2 (EBS App2 Node, ap2ebs):
IP : 172.25.45.20
Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Since my client needs to access URL ebiz.xxxx.lk which should be resolved by IP 172.25.45.21 (virtual IP) via http (80) before they deploy the app on the two servers I just ran web service on both servers (Linux) and was trying to access http://172.25.45.21 it was working fine and gave me index.html page. Now after my client has deployed the application then when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers when I type http://172.25.45.21 it will get index.html page, but not my client web login page. What can I do for this ?
Following are my latest config :
probe http Get-Method
description Check to url access /OA_HTML/OAInfo.jsp
interval 10
faildetect 2
passdetect interval 30
request method get url /OA_HTML/OAInfo.jsp
expect status 200 200
probe udp http-8000-iRDMI
description IRDMI (HTTP - 8000)
port 8000
probe http http-probe
description HTTP Probes
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
request method get url /index.html
expect status 200 200
probe https https-probe
description HTTPS traffic
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
ssl version all
request method get url /index.html
probe icmp icmp-probe
description ICMP PROBE FOR TO CHECK ICMP SERVICE
rserver host ebsapp1
description ebsapp1.xxxx.lk
ip address 172.25.45.19
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
rserver host ebsapp2
description ebsapp2.xxxx.lk
ip address 172.25.45.20
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
serverfarm host ebsppsvrfarm
description ebsapp server farm
failaction purge
predictor response app-req-to-resp samples 4
probe http-probe
probe icmp-probe
inband-health check log 5 reset 500
retcode 404 404 check log 1 reset 3
rserver ebsapp1 80
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
rserver ebsapp2 80
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
sticky http-cookie jsessionid HTTP-COOKIE
cookie insert browser-expire
replicate sticky
serverfarm ebsppsvrfarm
class-map type http loadbalance match-any default-compression-exclusion-mime-type
description DM generated classmap for default LB compression exclusion mime types.
2 match http url .*gif
3 match http url .*css
4 match http url .*js
5 match http url .*class
6 match http url .*jar
7 match http url .*cab
8 match http url .*txt
9 match http url .*ps
10 match http url .*vbs
11 match http url .*xsl
12 match http url .*xml
13 match http url .*pdf
14 match http url .*swf
15 match http url .*jpg
16 match http url .*jpeg
17 match http url .*jpe
18 match http url .*png
class-map match-all ebsapp-vip
2 match virtual-address 172.25.45.21 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
    permit
policy-map type loadbalance first-match ebsapp-vip-l7slb
class default-compression-exclusion-mime-type
    serverfarm ebsppsvrfarm
class class-default
    compress default-method deflate
    sticky-serverfarm HTTP-COOKIE
policy-map multi-match int455
class ebsapp-vip
    loadbalance vip inservice
    loadbalance policy ebsapp-vip-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 455
interface vlan 455
ip address 172.25.45.36 255.255.255.0
peer ip address 172.25.45.35 255.255.255.0
access-group input ALL
nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input int455
no shutdown
ft interface vlan 999
ip address 10.1.1.1 255.255.255.0
peer ip address 10.1.1.2 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 999
ft group 1
peer 1
no preempt
priority 110
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 172.25.45.1
Hope you will reply me soon
Thanks....!
-Amal-

ACE 4710: Possible to allow a user to clear counters but nothing else?

Hello all,
Using an ACE 4710 we have a user setup with the Network-Monitor role which allows the user to view config, interface status, etc. We would also like to allow this user to clear the interface error counters as well, but nothing else. Is this possible?
Thanks!

Hello Brandon-
Network-Monitor only lets you browse outputs, it is a not a role that allows a user to make any changes including clearing stats. You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.
i.e.
ACE# conif t
ACE(config)# role MyRole
ACE(config-role)# rule 1 permit modify feature ?
AAA             AAA related commands
access-list     ACL related commands
connection      TCP/UDP related commands
fault-tolerant Fault tolerance related commands
inspect         Appln inspection related commands
interface       Interface related commands
loadbalance     Loadbalancing policy and class commands
pki             PKI related commands
probe           Health probe related commands
rserver         Real server related commands
serverfarm      Serverfarm related commands
ssl             SSL related commands
sticky          Sticky related commands
vip             Virtual server related commands
You can create a permit or deny rule, within that, create/debug/modify/monitor each feature seperately.
Domains allow you to create containers for objects. You can place specific rservers, serverfarms, etc. into it - then apply it to a role so that the user assigned to it can only touch those objects.
Regards,
Chris Higgins

ACE 4710 - Internet Explorer cannot display the webpage randomly

We have a ACE 4710 with a basic config, (see below).
When clicking on a tab from a window within Interent explorer we occasionally get an issue with it returning: "Internet Explorer cannot display the webpage" The details show "Access is denied" accessing a particular line of a javascript file.
We have put one web server out of service in the farm to make sure that this isn't a result of stickyness not quite working.
We have tested extensively by going directly to the web server directly without the load balancer and cannot reproduce the problem but we can produce the issue within a few minutes when going to the load balanced address.
Thanks in advance for any advice.
HOST-1/Admin# show run
Generating configuration....
logging enable
logging fastpath
logging standby
logging timestamp
logging trap 6
logging history 6
resource-class SLB_ResourceClass_T_R
limit-resource all minimum 10.00 maximum unlimited
resource-class sticky
limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-t1k9-mz.A5_1_2.bin
peer hostname HOST-2
hostname HOST-1
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
shutdown
interface gigabitEthernet 1/3
description LB003
switchport access vlan 1
shutdown
interface gigabitEthernet 1/4
description LB004
switchport access vlan 2
shutdown
interface port-channel 1
port-channel load-balance src-dst-port
no shutdown
clock timezone standard GMT
switch-mode
context Admin
description SUTLB01
member SLB_ResourceClass_T_R
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe tcp probe_tcp_80
port 80
rserver host Server_S_W301
description Server_S_W301
ip address x.x.32.152
inservice
rserver host Server_S_W302
description Server_S_W302
ip address x.x.32.154
inservice
serverfarm host sfarm_T_R
description sfarm_T_R
predictor leastconns
probe probe_tcp_80
rserver Server_S_W301 80
rserver Server_S_W302 80
    inservice
sticky http-cookie Cookie1 T_R_sticky_cookie
cookie insert browser-expire
timeout 3600
serverfarm sfarm_T_R
class-map match-any T_R_L4Class
2 match virtual-address x.x.33.150 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
    permit
policy-map type loadbalance first-match T_R_L7policy
class class-default
    sticky-serverfarm T_R_sticky_cookie
policy-map multi-match T_R_L4Policy
class T_R_L4Class
    loadbalance vip inservice
    loadbalance policy T_R_L7policy
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 1000
interface vlan 1000
ip address x.x.33.148 255.255.254.0
access-group input ALL
nat-pool 2 x.x.33.151 x.x.33.151 netmask 255.255.254.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input T_R_L4Policy
no shutdown
ip route 0.0.0.0 0.0.0.0 x.x.32.1
ssh key rsa 1024 force

+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 421347     , TCP data msgs sent       : 2099597
Inspect parse result msgs : 0          , SSL data msgs sent       : 0
                      sent
TCP fin msgs sent         : 6169       , TCP rst msgs sent:       : 769
Bounced fin msgs sent     : 5          , Bounced rst msgs sent:   : 1
SSL fin msgs sent         : 0          , SSL rst msgs sent:       : 0
Drain msgs sent           : 337811     , Particles read           : 5040829
Reuse msgs sent           : 0          , HTTP requests            : 342499
Reproxied requests        : 183422     , Headers removed          : 37475
Headers inserted          : 342124     , HTTP redirects           : 0
HTTP chunks               : 224859     , Pipelined requests       : 71466
HTTP unproxy conns        : 267246     , Pipeline flushes         : 0
Whitespace appends        : 0          , Second pass parsing      : 0
Response entries recycled : 71302      , Analysis errors          : 0
Header insert errors      : 22         , Max parselen errors      : 215
Static parse errors       : 99         , Resource errors          : 0
Invalid path errors       : 0          , Bad HTTP version errors : 0
Headers rewritten         : 0          , Header rewrite errors    : 0
SSL headers inserted      : 0          , SSL header insert errors : 0
SSL spoof headers deleted : 0         , Unproxy msgs sent         : 267246
HTTP passthrough stat     : 0
NOTE - We did turn on caching at one point to try and resolve the issue but it has since been turned off

SIP load balancing issue with ACE 4710

SIP Load balancing Issue with ACE 4710
I have a Cisco ace 4710 with vesion Version A4(2.2). i configued simple SIP load balancing first without stickiness. without stikeiness we are having a problem because bye packet at the was not going to the same server all the time that left our port in used even though user hang up the phone. its happen randmly. i have a total 20 licenced ports and its fill out very quickly. so i dicided to use the stickiness with call-ID but still same issue. below is the config
rserver host CIN-VOX-31
ip address 172.20.130.31
inservice
rserver host CIN-VOX-32
ip address 172.20.130.32
inservice
serverfarm host CIN-VOX
probe SIP-5060
rserver CIN-VOX-31
    inservice
rserver CIN-VOX-32
    inservice
sticky sip-header Call-ID VOX_SIP_GROUP
timeout 1
timeout activeconns
replicate sticky
serverfarm CIN-VOX
class-map match-all CIN_VOX_L4_CLASS
2 match virtual-address 172.22.12.30 any
class-map match-all CIN_VOX_SIP_L4_CLASS
2 match virtual-address 172.22.12.30 udp eq sip
policy-map type loadbalance sip first-match CIN_VOX_LB_SIP_POLICY
class class-default
    sticky-serverfarm VOX_SIP_GROUP
policy-map multi-match GLOBAL_DMZ_POLICY
   class CIN_VOX_SIP_L4_CLASS
    loadbalance vip inservice
    loadbalance policy CIN_VOX_LB_SIP_POLICY
    loadbalance vip icmp-reply
class CIN_VOX_L4_CLASS
    loadbalance vip inservice
    loadbalance policy CIN_VOX_LB_SIP_POLICY
    loadbalance vip icmp-reply
interface vlan 20
description VIP_DMZ_VLAN
ip address 172.22.12.4 255.255.255.192
alias 172.22.12.3 255.255.255.192
peer ip address 172.22.12.5 255.255.255.192
access-group input PERMIT-ANY-LB
service-policy input GLOBAL_DMZ_POLICY
could you please help me on this...
thanks
Rakesh Patel

I mean there should be one more statement-
class-map type sip loadbalance match-any CIN_VOX_LB_SIP_POLICY
match sip header Call_ID header-value sip:
and that will be called under-
policy-map multi-match GLOBAL_DMZ_POLICY
   class CIN_VOX_SIP_L4_CLASS
    loadbalance vip inservice
    loadbalance policy CIN_VOX_LB_SIP_POLICY
    loadbalance vip icmp-reply
is that missing in your config ?

ACE 4710 transparent LB with two Caches and two routers.

Hello,
I have ACE 4710 that load balance two cach flows (bluecoat), i am doing pbr on the routers to send the traffic destined to port 80 to ACE then Cach farm. After that the Cach flow will get the page from the internet via two routers. The return traffic will match another pbr on the routers with source port 80 that will send it to the ACE then CachFlow again .....then to the users.
I am not using ip-spoofing on the CachFlow for now. In the figure attached i created a VIP 0.0.0.0 0.0.0.0 port 80 on the interface on the ACE facing the routers, but the question is do i have to create another VIP 0.0.0.0 0.0.0.0 port 80 on the interface on ACE facing the Cach Flow? or just forward the traffic on the default route? What might be the default route since i have to use two routers and i cannot use hsrp?
Kindly I need some assistance
Thank you and regards,
George
access-list PERMIT_ALL line 8 extended permit ip any any
access-list CFLOW line 8 extended permit ip any any
ip name-server 8.8.8.8
ip name-server 4.2.2.2
##################################Config for Cache Cache Servers###################
probe http CISCO_WWW_PROBE
ip address 72.163.4.161
interval 2
faildetect 2
passdetect interval 2
passdetect count 5
request method head url /index.html
expect status 200 200
exit
probe http YAHOO_WWW_PROBE
ip address 87.248.112.181
interval 2
faildetect 2
passdetect interval 2
passdetect count 5
request method head url /index.html
expect status 200 200
exit
serverfarm host TRANSPARENT_PROXY_SF
description Transparent Proxy Farm
transparent
predictor hash url
probe CISCO_WWW_PROBE
probe YAHOO_WWW_PROBE
rserver CFLOW01
    inservice
rserver CFLOW02
    inservice
exit
exit
############################################# Router Cache Farm ############################
probe icmp ICMP_PROBE
description *** Probe for icmp health monitoring ***
interval 5
faildetect 2
passdetect interval 60
passdetect count 2
exit
rserver host Router01
description Connection to Sodetel Router
ip address 192.168.14.4
probe ICMP_PROBE
inservice
rserver host Router02
description Connection to IDM Router
ip address 192.168.14.5
probe ICMP_PROBE
inservice
serverfarm host Routers
description Transparent Proxy Farm
transparent
predictor hash url
probe ICMP_PROBE
rserver Router01
    inservice
rserver Router02
    inservice
exit
exit
################################# Management################################
class-map type management match-any REMOTE_MGMT
description Allow Remote management for below protocols
8 match protocol icmp any
9 match protocol ssh source-address 172.31.13.31 255.255.255.255
10 match protocol ssh source-address 172.31.31.21 255.255.255.255
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_MGMT
    permit
class-map match-all CFLO2Internet
2 match virtual-address 0.0.0.0 0.0.0.0 any
class-map match-all TRANSPARENT_VIP_CM
2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
policy-map type loadbalance first-match TRANSPARENT_LB_PM
class class-default
    serverfarm TRANSPARENT_PROXY_SF backup Routers
policy-map type loadbalance first-match CFLO2Internet_LB
class class-default
    serverfarm Routers
policy-map multi-match CFLO2Internet_PM
class CFLO2Internet
    loadbalance vip inservice
    loadbalance policy CFLO2Internet_LB
    loadbalance vip icmp-reply active
    connection advanced-options TCP
policy-map multi-match L3L4_PM
class TRANSPARENT_VIP_CM
    loadbalance vip inservice
    loadbalance policy TRANSPARENT_LB_PM
    loadbalance vip icmp-reply active
    connection advanced-options TCP
====Interfaces======
interface vlan 11
description Interface between Routers and ACE
ip address 192.168.14.2 255.255.255.224
alias 192.168.14.1 255.255.255.224
peer ip address 192.168.14.3 255.255.255.224
no icmp-guard
access-group input PERMIT_ALL
service-policy input REMOTE_MGMT_ALLOW_POLICY
service-policy input L3L4_PM
no shutdown
interface vlan 21
description Connection to CFlow ServerFarm
ip address 192.168.12.2 255.255.255.224
alias 192.168.12.1 255.255.255.224
peer ip address 192.168.12.3 255.255.255.224
no icmp-guard
access-group input CFLOW
service-policy input CFLO2Internet_PM ------>>>> Is this necessary???
no shutdown

Hi George,
In the topology you described, only the service-policy in the interface towards the routers is necessary. For the traffic from the caches, the ACE will just forward to the default gateway.
The only problem is, as you mentioned, that you cannot use HSRP. In that case, you can still configure two default gateways, but there is no way to predict which one the ACE will use at a given time (the way it does to select the one it will use is sending an ARP request to both gateways and using the one that replies first until the ARP entry expires)
If you need to load-balance the traffic between both routers, then yes, you would need to configure a new VIP on the cache side and load-balanced to a transparent serverfarm composed of both routers.
Regards
Daniel

ACE 4710 Pls need help

Hi,
Pls can you help me find out where is my error in the below:
I have an ACE 4710. Also I have 2 Bluecoat Proxy SG working in proxy mode. I want the ACE to be the Load Balancer for these 2 Proxy SG. I configure the ACE as below and put the vip-address in the Internet Explorer LAN Settings but it did not work. Also I configure Policy-based Routing on the Core Switch (for any http or https traffic going through core apply set ip next-hop vip-address).
Core SW SVI:
interface Vlan56
description BC Proxy
ip address 10.0.1.33 255.255.255.224
interface Vlan57
description ACE-LB-Alias
ip address 10.0.1.65 255.255.255.224
ACE 4710:
hostname VSS-ACE-BC-01
interface gigabitEthernet 1/1
description Management
speed 1000M
duplex FULL
switchport access vlan 101
no shutdown
interface gigabitEthernet 1/2
description User Side
speed 1000M
duplex FULL
switchport access vlan 56
no shutdown
interface gigabitEthernet 1/3
description BC Proxy Side
speed 1000M
duplex FULL
switchport access vlan 57
no shutdown
interface gigabitEthernet 1/4
description Failover
speed 1000M
duplex FULL
ft-port vlan 900
no shutdown
context Admin
member sticky
access-list external line 10 extended permit ip any any
access-list external line 20 extended permit icmp any any
access-list external line 30 extended permit tcp any any
access-list external line 40 extended permit udp any any
access-list internal line 10 extended permit ip any any
access-list internal line 20 extended permit icmp any any
access-list internal line 30 extended permit tcp any any
access-list internal line 40 extended permit udp any any
probe tcp web443
port 443
interval 30
faildetect 1
passdetect interval 30
passdetect count 1
open 1
probe tcp web8080
port 8080
interval 30
faildetect 1
passdetect interval 30
passdetect count 1
open 1
rserver host BC01
ip address 10.0.1.41
inservice
rserver host BC02
ip address 10.0.1.42
inservice
serverfarm host web443
probe web443
rserver BC01
    inservice
rserver BC02
    inservice
serverfarm host web8080
probe web8080
rserver BC01
    inservice
rserver BC02
    inservice
sticky ip-netmask 255.255.255.255 address source group1
replicate sticky
serverfarm web8080
sticky ip-netmask 255.255.255.255 address source group2
replicate sticky
serverfarm web443
class-map type management match-any REMOTE_ACCESS
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
5 match protocol http any
6 match protocol snmp any
class-map match-all external-web
2 match virtual-address 10.0.1.70 any
class-map match-all external-web443
2 match virtual-address 10.0.1.70 any
class-map match-any nat-class
2 match access-list external
policy-map type management first-match REMOTE_MGMT
class REMOTE_ACCESS
    permit
policy-map type loadbalance http first-match slb
class class-default
    sticky-serverfarm group1
policy-map type loadbalance http first-match slb443
class class-default
    sticky-serverfarm group2
policy-map multi-match external-access
class nat-class
    nat dynamic 1 vlan 57
class external-web
    loadbalance vip inservice
    loadbalance policy slb
class external-web443
    loadbalance vip inservice
    loadbalance policy slb443
timeout xlate 120
interface vlan 56
description Server-Side
ip address 10.0.1.43 255.255.255.224
ip verify reverse-path
alias 10.0.1.40 255.255.255.224
peer ip address 10.0.1.44 255.255.255.224
mac-address autogenerate
access-group input internal
service-policy input REMOTE_MGMT
no shutdown
interface vlan 57
description VIP-Interface
ip address 10.0.1.67 255.255.255.224
alias 10.0.1.66 255.255.255.224
peer ip address 10.0.1.68 255.255.255.224
mac-address autogenerate
access-group input external
service-policy input external-access
service-policy input REMOTE_MGMT
no shutdown
interface vlan 101
description Management
ip address 10.220.1.131 255.255.255.0
alias 10.220.1.133 255.255.255.0
peer ip address 10.220.1.132 255.255.255.0
mac-address autogenerate
service-policy input REMOTE_MGMT
no shutdown
ft interface vlan 900
ip address 172.20.100.1 255.255.255.252
peer ip address 172.20.100.2 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 20
ft-interface vlan 900
ft group 1
peer 1
priority 200
peer priority 150
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 10.0.1.65

I see that you used:
nat dynamic 1 vlan 57
Where is the nat pool on Vlan 57 ?
May be you can try to assign that and that should help.
Something like below:
Interface vlan 57
nat-pool 1 10.0.1.93 10.0.1.93 netmask 255.255.255.224 pat
regards,
Ajay Kumar

ACE 4710 - serverfarm predictor

Hi, I have a pair of ACE 4710 running in failover bundle and I have a number of server farms configured on them. For one of the server farm I'd like to use a different predictor than round robin. I have two real servers members of the server farm. Usually I do select predictor round robin and put both real servers in service. In this situation I need to have only one server as active and the 2nd one to be in standby and take over when the first one is down. I have tried to put the 2nd server in standby and when I shut down the primary the 2nd one won't become active. I do have a health probe to check for the status of the server so I thought this would be enough to detect the status of the server. So my question is , how can I configure the ACE to have one server as active and the second as a backup and this second one to take traffic only when the primary is down. Thank you, Florin.

Hi,
There are a couple of ways of achieving your objective.
The first method works for the simple case of two servers:
serverfarm host FARM-Redacted
probe PROBE-Redacted
rserver am03
    backup-rserver am04
    inservice
rserver am04
    inservice standby
or you could use two serverfarms:
serverfarm host FARM-Redacted-Pri
description Redacted Serverfarm Primary
probe PROBE-Redacted
rserver am03
    inservice
serverfarm host FARM-Redacted-Sec
description Redacted Serverfarm Secondary
probe PROBE-Redacted
rserver am04
    inservice
policy-map type loadbalance first-match LB-POLICY-443
class class-default
    serverfarm FARM-Redacted-Pri backup FARM-Redacted-Sec
HTH
Cathy

ACE 4710 is not working

Hi. I'm working on the Cisco ACE 4710 to be able to load balance web Traffic between several web servers. but despite following the steps mentioned on the Cisco configuration guide (specially this link and related docs: http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide,_Release_A3(1.0)_--_Creating_a_Virtual_Context) we did not managed to make it. we tested both the "bridged scenario" and "routed scenario" but none of them is working. specifically "configuring Nat" in the above link is very confusing and is not clear; because it's not the same as Cisco IOS, which we used to implement it that way.
Routed Scenario:
==========================================
probe http Http_Probe
description Server Healty Check
port 80
request method head url /index.htm
probe icmp ICMP_Check
interval 10
passdetect interval 5
rserver host NetCad_Server_1
ip address 172.16.1.100
probe ICMP_Check
inservice
rserver host NetCad_Server_2
ip address 172.16.1.101
probe ICMP_Check
inservice
rserver host NetCad_Server_3
ip address 172.16.1.102
probe ICMP_Check
inservice
serverfarm host NetCad_Servers
probe Http_Probe
rserver NetCad_Server_1 80
inservice
rserver NetCad_Server_2 80
inservice
rserver NetCad_Server_3 80
inservice
sticky http-cookie Cookie1 1
serverfarm NetCad_Servers
class-map match-all VS_NetCad
2 match virtual-address 192.168.13.162 255.255.252.0 tcp any
policy-map type management first-match mgmt-pm
class class-default
permit
policy-map type loadbalance first-match VS_NetCad-l7slb
class class-default
serverfarm NetCad_Servers
policy-map multi-match int40
class VS_NetCad
loadbalance vip inservice
loadbalance policy VS_NetCad-l7slb
loadbalance vip icmp-reply
interface vlan 40
description Client Side
ip address 192.168.13.161 255.255.252.0
ip options allow
no normalization
no icmp-guard
access-group input Permit_ALL
service-policy input mgmt-pm
service-policy input int40
no shutdown
interface vlan 41
description Server Side
ip address 172.16.1.1 255.255.255.0
ip options allow
no normalization
no icmp-guard
access-group input Permit_ALL
nat-pool 1 172.16.1.110 172.16.1.110 netmask 255.255.255.255 pat
service-policy input mgmt-pm
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.12.1
==========================================

Hi,
Let me explain you.
Assuming client IP as 1.1.1.1, VIP as 2.2.2.2 and Real Server as 3.3.3.3
Consider the simple situation where client needs to access an application hosted on 3.3.3.3. Client sends a request which comes to VIP.
src 1.1.1.1----->dst------->2.2.2.2. ACE after matching conditions and taking LB decision decides to send it to 3.3.3.3 real server. Performs destination NAT and forwards the client request to 3.3.3.3. So the above packet L3 header will now look like:
src 1.1.1.1 dst 3.3.3.3. When reply comes from server, ACE will change src 3.3.3.3 back to 2.2.2.2 and forwards the request to client 1.1.1.1. SIMPLE LB.
Now comes a situation where let's say you want to hide the client IP from server or let's say server's default GW is not ACE or client and server are in same subnet but need to communicate through VIP on ACE etc.
Src 1.1.1.1 dst 2.2.2.2
After LB ace decides to send it to 3.3.3.3 but also policy multi match has nat rule (nat dynamic 1 vlan x). But packet would be forwarded from server vlan where you have NAT pool defined. So let's say pool IP is 3.3.3.4. So ACE will perform both destination as well as src NAT here before forwarding the packet to server and packet L3 header will look like:
src 3.3.3.4 ----->dst 3.3.3.3
Now when 3.3.3.3 has to send packet back, ACE will answer ARP for 3.3.3.3 and hence packet will come back to ACE which will again change the L3 header IP's and send it out the client VLAN towards client.
So NAT is always applied to server side vlan and that's why pool is chosen from server side subnet.
Let me know if you have any questions.
Regards,
Kanwal

ACE 4710: Find out the response time of a real server

Hi to everyone,
I have a couple of ACE 4710 and I need to find out what is the response time of a real server.
Is there a way for this?
Thank you for any answer!
giorgio romano

Hi,
Kindly add the following line in your serverfarm configuration:
predictor response syn-to-synack
Suppose your serverfarm looks like this:
serverfarm host AAA_FARM
predictor response syn-to-synack
probe HTTP_PROBE
probe TCP9001_PROBE
rserver SC106
inservice
rserver SC107
inservice
rserver SC108
inservice
rserver SC109
inservice
rserver SC110
inservice
rserver SC111
inservice
rserver SC112
inservice
rserver SC113
inservice
rserver SC114
inservice
rserver SC120
inservice
rserver SC131
inservice
And then use the following command to see the average response time from your rserver as follows:
ACE1/prod# show serverfarm AAA_FARM detail
serverfarm     : AAA_FARM, type: HOST
total rservers : 11
active rservers: 11
description    : ServerFarm AAA
state          : ACTIVE
predictor      : RESPONSE
method            : syn-to-synack
samples           : 8
failaction     : -
back-inservice    : 0
partial-threshold : 0
num times failover       : 0
num times back inservice : 0
total conn-dropcount : 0
Probe(s) :
HTTP_PROBE, type = HTTP
TCP9001_PROBE, type = TCP
----------connections-----------
real                  weight state        current    total      failures
---+---------------------+------+------------+----------+----------+---------
rserver: SC106
x.x.x.x.:0        8      OPERATIONAL 2          1125       0
max-conns            : 4000000   , out-of-rotation count : 0
min-conns            : 4000000
conn-rate-limit      : -         , out-of-rotation count : -
bandwidth-rate-limit : -         , out-of-rotation count : -
retcode out-of-rotation count : -
load value           : 0
average response time (usecs) : 81   ----> thats what you might be looking for
From other day :
rserver: SC114
x.x.x.x:0        8      OPERATIONAL 70         10903      2
max-conns            : 4000000   , out-of-rotation count : 0
min-conns            : 4000000
conn-rate-limit      : -         , out-of-rotation count : -
bandwidth-rate-limit : -         , out-of-rotation count : -
retcode out-of-rotation count : -
load value           : 0
         average response time (usecs) : 1334                       ----> thats what you might be looking for
For Serverfarm BBB_FARM
serverfarm     : BBB_FARM, type: HOST
total rservers : 1
active rservers: 1
description    : ServerFarm BBB
state          : ACTIVE
predictor      : RESPONSE
method            : syn-to-synack
samples           : 8
failaction     : -
back-inservice    : 0
partial-threshold : 0
num times failover       : 1
num times back inservice : 1
total conn-dropcount : 0
Probe(s) :
----------connections-----------
real                  weight state        current    total      failures
---+---------------------+------+------------+----------+----------+---------
rserver: SC208
x.x.x.x:0        8      OPERATIONAL 0          0          0
max-conns            : 4000000   , out-of-rotation count : 0
min-conns            : 4000000
conn-rate-limit      : -         , out-of-rotation count : -
bandwidth-rate-limit : -         , out-of-rotation count : -
retcode out-of-rotation count : -
load value           : 0
         average response time (usecs) : 0   ----> thats what you might be looking for
Use more detials for response predictor:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1068831
Configuring the Application Response Predictor
To instruct the ACE to select the server with the lowest average response time for the specified response-time measurement based on the current connection count and server weight (if configured), use the predictor response command in server farm host or redirect configuration mode. This predictor is considered adaptive because the ACE continuously provides feedback to the load-balancing algorithm based on the behavior of the real server.
To select the appropriate server, the ACE measures the absolute response time for each server in the server farm and averages the result over a specified number of samples (if configured). With the default weight connection option configured, the ACE also takes into account the server's average response time and current connection count. This calculation results in a connection distribution that is proportional to the average response time of the server.
The syntax of this command is as follows:
predictor response {app-req-to-resp | syn-to-close | syn-to-synack}[samples number]
The keywords and arguments are as follows:
•app-request-to-resp—Measures the response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request.
•syn-to-close—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server.
•syn-to-synack—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server.
•samples number—(Optional) Specifies the number of samples over which you want to average the results of the response time measurement. Enter an integer from 1 to 16 in powers of 2. Valid values are 1, 2, 4, 8, and 16. The default is 8.
For example, to configure the response predictor to load balance a request based on the response time from when the ACE sends an HTTP request to a server to when the ACE receives a response back from the server and average the results over four samples, enter:
host1/Admin(config)# serverfarm SFARM1
host1/Admin(config-sfarm-host)# predictor response app-req-to-resp
samples 4
To reset the predictor method to the default of round-robin, enter:
host1/Admin(config-sfarm-host)# no predictor
To configure an additional parameter to take into account the current connection count of the servers in a server farm, use the weight connection command in server farm host predictor configuration mode. By default, this command is enabled. The syntax of this command is as follows:
weight connection
For example, enter:
host1/Admin(config)# serverfarm SF1
host1/Admin(config-sfarm-host)# predictor response app-request-to-resp
samples 4
host1/Admin(config-sfarm-host-predictor)# weight connection
To remove the current connection count from the calculation of the average server response time, enter:
host1/Admin(config-sfarm-host-predictor)# no weight connection
You can use threshold milliseconds parameter which is optional Specifies the required minimum average response time for a server. If the server response time is greater than the specified threshold value, the ACE removes the server from the load-balancing decision process (takes the server out of service).
Enter an integer from 1 to 300000 milliseconds (5 minutes). The default is no threshold (servers are not taken out of service).
In case if you have measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server use syn-to-close      (already discussed previously)
If you have to measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server use syn-to-synack   (already discussed previously)
SAMPLES parameter is optional and specifies the number of samples that you want to average from the results of the response time measurement and response time is used to select the server with the lowest response time for the requested response-time measurement. If you do not specify a response-time measurement method, the ACE uses the HTTP app-req-to-response method.
Whenever a server's load reaches zero, by default, the ACE uses the autoadjust feature to assign a maximum load value of 16000 to that server to prevent it from being flooded with new incoming connections. The ACE periodically adjusts this load value based on feedback from the server's SNMP probe and other configured options.
Using the least-loaded predictor with the configured server weight and the current connection count option enabled, the ACE calculates the final load of a real server as follows:
final load = weighted load Ã— static weight Ã— current connection count
where:
â€¢weighted load is the load reported by the SNMP probe
â€¢static weight is the configured weight of the real server
â€¢current connection count is the total number of active connections to the real server
The ACE recalculates the final load whenever the connection count changes, provided that the (config-sfarm-host-predictor) weight connection command is configured. If the (config-sfarm-host-predictor) weight connection command is not configured, the ACE updates the final load when the next load update arrives from the SNMP probe.
If two servers have the same lowest load (either zero or nonzero), the ACE load balances the connections between the two servers in a round-robin manner.
HTH
Plz rate if u find it useful.
Sachin

Rservers initiated traffic not sourcing the traffic as VIP in Ace 4710

One of the feature of our application is that our Application Server initiate text message to our devices sourcing from UDP 1120 and device need to see the message come from a specific pubic IP (2.2.2.2) with UDP port 1120 and reply back with the same Public IP (2.2.2.2) with UDP port 1120.The problem is we can make that happen if we have only one server in our ACE Serverfarm when we do a SNAT the real servers with the VIP address (10.1.246.32) but it does not work when we have more than one server in the Serverfarm. Since we have 2 servers, i cannot nat the real servers with the VIP address, if I do a PAT, obviously it is changing the source port of the request.
Note: This setup is working fine with the Cisco Content Switch module running on chasis 6509. When I sniff the traffic initiated from the server coming the CSM load balancer, it is sourcing the traffic as the VIP and the source port remains the same by default but this is not the case with ACE 4710
Traffic flow as follows
===============
ACE 4710                                                       FWSM (Firewall static NAT)                    Device ( configured with 2.2.2.2:1120 (udp) to snd/rcv msg)
                                             VIP
Rserver 1   - 10.1.104.80       10.1.246.32           10.1.246.32 < - > 2.2.2.2                              1.1.1.1
Rserver 2   - 10.1.104.81c
---------------------------------------------------------->           ------------------------------->                      - traffic flow from server to the device when we send msg
Configs:
======
rserver host server1
ip address 10.1.104.80
inservice
rserver host server2
ip address 10.1.104.81
inservice
serverfarm host SFARM
failaction purge
probe ICMP
rserver server1
    inservice
rserver server2
    inservice
access-list TEST-1120 line 8 extended permit udp host 10.1.104.80 eq 1120 any
access-list TEST-1120 line 16 extended permit udp host 10.1.104.81 eq 1120 any
parameter-map type connection UDP_TIMEOUT
set timeout inactivity 3600
sticky ip-netmask 255.255.255.255 address source STKY-SFARM
serverfarm SFARM
timeout 180
replicate sticky
class-map match-all CLS-SFARM
2 match virtual-address 10.1.246.32 udp eq 1120
class-map match-all SERVERNAT
2 match access-list TEST-1120
policy-map type loadbalance first-match POL-SFARM
class class-default
    sticky-serverfarm STKY-SFARM
policy-map multi-match POL-LB
class CLS-SFARM
    loadbalance vip inservice
    loadbalance policy POL-SFARM
    loadbalance vip icmp-reply active
    connection advanced-options UDP_TIMEOUT
class SERVERNAT
   nat dynamic 1 vlan 244
int vlan 244
ip address 10.1.246.2 255.255.255.0
service-policy input POL-LB
nat-pool 1 10.1.246.32 10.1.246.32 netmask 255.255.255.255
mac-sticky enable
no icmp-guard
no shut
interface vlan 2506
ip address 10.1.104.2 255.255.255.0
service-policy input POL-LB
mac-sticky enable
no icmp-guard
no shut

I see in CSS, they are able to nat the source ip address with VIP and port-mapping diabled. How do I implement
portmap disable in ACE 4710
Disabling Port Mapping
By default, the CSS NATs source IP addresses and PATs source ports for a configured source group. If you configure the portmap disablecommand in a source group, the CSS performs NAT on the source IP addresses but does not perform PAT on the source ports of UDP traffic that matches on that source group.
For UDP applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups instead of using the portmap disable command. Destination services cause the CSS to NAT the client source ports, but not the destination ports. For information about configuring destination services,

Access Server through VIP (ACE 4710) but very slow

Re: Access Server through VIP (ACE 4710) but very slow
Hi Shiva
Kindly Help .....Accessing the server very slow.., Plz check my real configuration... this configuration is for application server and after this i have to configure more serverfarm for different server like webmail etc. in this ACE 4710. I have only one ACE 4710 .
ACE Version A4(2.0) = is there supports Probe with this version.??? without probe server will work but very slow. And plz guide Nat-pool is required
VIP :-- 172.16.15.8
LB/Admin# sh run
Generating configuration....
no ft auto-sync startup-config
logging enable
logging host 172.29.91.112 udp/514
resource-class RC1
limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-mz.A4_2_0.bin
hostname LB
interface gigabitEthernet 1/1
description Management
speed 1000M
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
description clientside
switchport access vlan 30
no shutdown
interface gigabitEthernet 1/3
description serverside
switchport access vlan 31
no shutdown
interface gigabitEthernet 1/4
no shutdown
context Admin
description Management
member RC1
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe http probe1
description health check
interval 5
passdetect interval 10
request method head
expect status 200 200
open 1
rserver redirect https_redirect
description redirect traffic to https
webhost-redirection / 302
inservice
rserver redirect maintenance_page
description maintenance page displayed
webhost-redirection /sry.html 301
inservice
rserver host web1
ip address 192.168.10.3
inservice
rserver host web2
ip address 192.168.10.4
inservice
rserver host web3
ip address 192.168.10.5
inservice
serverfarm host http
rserver web1
    inservice
rserver web2
    inservice
rserver web3
    inservice
serverfarm redirect https_redirect_farm
description Redirect traffic to https
serverfarm redirect maintenance_farm
description send user to maintenance page
parameter-map type connection paramap_http
description parameter connection tcp
exceed-mss allow
sticky ip-netmask 255.255.255.0 address source Sticky_http
timeout activeconns
serverfarm http
class-map match-all REMOTE-ACCESS
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
class-map match-all slb-vip
2 match virtual-address 172.16.15.8 tcp eq www
policy-map type management first-match remote_access
class class-default
    permit
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
    permit
policy-map type loadbalance first-match slb
class class-default
    serverfarm http
policy-map type inspect http all-match slb-vip-http
class class-default
    permit
policy-map multi-match client-vips
class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply active
    inspect http policy slb-vip-http
    connection advanced-options paramap_http
interface vlan 30
description "Client Side"
ip address 172.16.15.24 255.255.255.0
access-group input everyone
service-policy input client-vips
no shutdown
interface vlan 31
description "Server Side"
ip address 192.168.10.1 255.255.255.0
service-policy input remote_access
no shutdown
interface vlan 1000
description managment
ip address 172.29.91.110 255.255.255.0
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.15.1
snmp-server contact "PHQ"
snmp-server community phq group Network-Monitor
snmp-server trap-source vlan 1000
username admin password 5 $1$b2txbc5U$TA74D920oSdd2eOZ4hSFe/ role Admin domain
default-domain
username www password 5 $1$.GuWwQEK$r8Ub4OcE3l190d5GA4kvR. role Admin domain de
fault-domain
username prem password 5 $1$8C7eRKrI$it3UV4URZ26X4S/Bh6OEr0 role Admin domain d
efault-domain
ssh key rsa 1024 force
banner motd # "ro" #
Regards,
Prem

Hi Shiva,
plz guide i'm new with ACE LB, also find my n/w design for connected ace to server. but server accessing very very slow, but when i connect through my old server software LB (with two interface)then accessing very fast. I just replace my old serverLB(with two interface) to ACE4710 and connect the same scenario then why not server accessing smoothly with VIP .Reply soon only I connect ACE's two interface with switch.....
Regards,
Prem

ACE 4710 using SAML Tokens

reposted from another forum:
Am using an ACE 4710 and am converting incoming WSS username tokens to SAML Tokens - authenicating against Tivoli directory.
The receiving web service is attempting to validate the SAML token but fails on digest verification. i.e. calculates the digest value over the SAML token and fails when comparing to the digest in the Xml Signature block.
Is anybody else using SAML tokens?
Has anyone else seen a similar problem?

You are right we are using transport encryption (SSL) to protect the WSS Password.
We then use LDAP to authenticate the username/password and create a SAML token using attributes from LDAP. The ACE Xml Gateway creates this SAML token, signs it and inserts into the SOAP header that is forwarded to our service.
At our service we are trying to verify the signed SAML token. The error we are seeing is the Xml signature digest created by the ACE XML Gateway is wrong.
With XML signature some Xml referenced by an ID is canonicalised, hashed (digest created) and then this digest is encrypted using the private key of some certificate.
On receipt we repeat the process, canonicalise and hash the Xml referenced and compare our computed digest to the one created by the ACE device. This is where we get the error. We are using the standard canonicalisation and hashing algorithms (c14n and SHA1 respectively). Our code can successfully verify SAML tokens from other sources.

ACE 4710 LDAP probe

Similar Messages

Maybe you are looking for