Ace 4710 monitoring compression and SSL throughput in nagios
Hey guys, I have been given a task to create 2 checks using SNMP for Nagios. I am googling left, right and center to try and find the appropriate OIDs that I can pass to this Nagios check for both SSL throughput as well as compression throughput.
Any help would be greatly appreciated
Jonathan-
ciscoL4L7moduleResourceLimitMIB
DESCRIPTION
sslConnections (9) <-- Here
mgmtBandwidth (10)
throughput (11)
missedMac (12)
httpCompression (13) <-- Here
ftp://ftp.cisco.com/pub/mibs/v2/CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB.my
The numbers aren't throughput; they are a rate (CPS). We don't keep track of packet size in relation to speed for those counters specifically. "throughput (11)" relates to the entire context minus management bandwidth.
Regards,
Chris
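Added example, not from the thread: a minimal Nagios plugin in POSIX sh that polls one of the ciscoL4L7moduleResourceLimitMIB objects named above with snmpget and maps the value to Nagios exit codes. It assumes net-snmp's snmpget is installed; the numeric OID has to be looked up in the MIB file Chris links (left as a placeholder here), and the warning/critical thresholds are constructed. Since Chris notes these counters are a rate (connections per second) rather than a byte throughput, the plugin labels and thresholds the value as a rate.

```shell
#!/bin/sh
# Added example (not from the thread): Nagios plugin that reads one OID from
# the ACE with snmpget and applies warning/critical thresholds to the value.
# Assumes net-snmp's snmpget is installed. OID and thresholds are placeholders.

# Nagios plugin exit codes
OK=0; WARNING=1; CRITICAL=2; UNKNOWN=3

# Fetch only the value (-Oqv: quick print, value only); empty output on failure
fetch_value() {
    host=$1; community=$2; oid=$3
    snmpget -v2c -c "$community" -Oqv "$host" "$oid" 2>/dev/null
}

# True only for a plain non-negative integer (rejects "No Such Object" etc.)
is_integer() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one Nagios status line with perfdata; return the matching exit code.
# Usage: evaluate_rate LABEL VALUE WARN CRIT
evaluate_rate() {
    label=$1; value=$2; warn=$3; crit=$4
    if ! is_integer "$value"; then
        echo "UNKNOWN - $label: no numeric value from SNMP ('$value')"
        return $UNKNOWN
    fi
    perf="| ${label}=${value};${warn};${crit};0"
    if [ "$value" -ge "$crit" ]; then
        echo "CRITICAL - $label is $value (>= $crit) $perf"
        return $CRITICAL
    elif [ "$value" -ge "$warn" ]; then
        echo "WARNING - $label is $value (>= $warn) $perf"
        return $WARNING
    fi
    echo "OK - $label is $value $perf"
    return $OK
}

# Entry point: check_ace_rate HOST COMMUNITY OID LABEL WARN CRIT
check_ace_rate() {
    value=$(fetch_value "$1" "$2" "$3")
    evaluate_rate "$4" "$value" "$5" "$6"
}

# Runs only when called with all six arguments, for example:
#   ./check_ace_rate.sh ace.example.net public <OID-from-MIB> ssl_cps 4000 4800
if [ "$#" -ge 6 ]; then
    check_ace_rate "$@"
    exit $?
fi
```

The numeric OID is per-context in this MIB, so one service definition per context is the usual layout; the perfdata field lets Nagios graph the rate against the licensed SSL TPS or compression figure.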
Similar Messages
-
ACE issue with compression when SSL Initiation is turned on?
We are currently doing an evaluation of the Cisco ACE 4710 and have some sites where the backend is Tomcat and SSL is turned on. When we set the Default L7 Load-Balancing Action to Load Balance with Compression Method Deflate (I haven't tried gzip yet), requests to these sites return badly mangled stuff. A gif image of 7,700 bytes comes back as a 7-byte file, even though the default should only try compression on text/*.
Has anyone seen a similar issue?
It turned out the problem was a configuration issue and my understanding of how the ACE works with compression, policies, etc.
In conjunction with this I seem to have found a bug in the GUI, which is also still present in A3 (2.3). I now have a default L7 policy which just sets SSL Initiation to ssl client. I added another L7 policy, but when looking at the virtual server afterwards the GUI doesn't show that policy.
switch/Development# show running-config policy-map FORD-APP.PERF.AUTC.COM-l7slb
Generating configuration....
policy-map type loadbalance first-match F-APP.PERF.AUTC.COM-l7slb
class default-compression-exclusion-mime-type
serverfarm F-APP.PERF.AUTC.COM
compress default-method deflate
insert-http rl_client_ip header-value "%is"
ssl-proxy client Backend
class class-default
serverfarm F-APP.PERF.AUTC.COM
insert-http rl_client_ip header-value "%is"
ssl-proxy client Backend
See attachment with screen shot of GUI -
ACE 4710 - Monitoring Real Server Showing N/A
I recently installed a Cisco ACE 4710 version A4(2.0) into our test network. Load balancing across a number of web servers appears to be working ok and serving pages to users. However, when I tried to check the real time stats via device manager (Monitor > virtual contexts > context > Real servers) a number of fields, specifically "current connections", "total conns", "failed conns" etc., were showing N/A. Do I need to enable this somehow, i.e. polling, and if so how?
Hello Samson,
You may try to reboot the entire ACE 4710, probably during a maintenance window, some java process might have gotten stuck.
If the issue persists then open a TAC case since there are some software defects related to this behavior.
Jorge -
Hi,
Is it possible to configure 1024-bit crypto from client to ACE and 2048-bit from ACE to server, using a CA certificate? Does somebody have a config example?
Thanks
Here is a link to a configuration document regarding end to end SSL. The 2048 keys/certs would be configured on the SSL server; not sure what device that would be in your environment, maybe a webserver?
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml -
Dear All,
I have ACE-4710-1F-K9 (ACE 4710 Hardware-1Gbps-5K SSL-500MbpsComp-5VC-50 APPAccel)
and I need to buy ACE-4710-01-K9.
I want to ask: does ACE-4710-01-K9 have 50 AppAccel like the old part number (ACE-4710-1F-K9)?
As per my understanding,
both will give you the same functionality.
ACE-4710-BAS-SK-K9 is a basic kit/bundle
that Includes:
- ACE 4710 Hardware
- ACE Software
- 1 Gbps Throughput License
- 1,000 SSL TPS
- 100Mbps Compression
- 5 Virtual Devices
Whereas
"ACE-4710-K9 with ACE-AP-01-LIC" is kind of an à la carte option.
ACE-4710-K9 is the ACE appliance hardware and includes (1K SSL TPS, 5 contexts, 100Mbps comp).
With it you need to select two mandatory options
ACE Software :ACE-AP-SW-XX Software Version XX
Throughput License :("ACE-AP-01-LIC" 1 Gbps OR "ACE-AP-02-LIC" 2 Gbps )
Then you can select optional licences for
SSL TPS, Virtual Devices, compression & App acceleration (if you need to upgrade the defaults of 1K SSL TPS, 5 contexts, 100Mbps comp).
Syed iftekhar Ahmed -
Can't install ACE 4710 license
Hi,
I've tried to install the license, but it was not successful. Below are the steps which I've taken to install the license, with error messages. Please assist.
CBJ6-LBDMZ2/Admin# copy tftp://10.2.18.66/ACE20090909090659371.lic disk0:
Enter the destination filename[]? [ACE20090909090659371.lic]
Trying to connect to tftp server......
TFTP get operation was successful
685 bytes copied
CBJ6-LBDMZ2/Admin# license install disk0:ACE20090909090659371.lic
Installing license... failed: Can't install this license with the current count
CBJ6-LBDMZ2/Admin# show licen
ACE20090727112500202.lic:
SERVER this_host ANY
VENDOR cisco
INCREMENT ACE-AP-01-LIC cisco 1.0 permanent 1 \
VENDOR_STRING=1 HOSTID=ANY \
NOTICE="200907271125002021 \
1211J5CB363" SIGN=F2E3AFA69526
I think you have an HW appliance (code: ACE-4710-K9) with one à la carte license (ACE-AP-01-LIC).
You bought a bundle upgrade license, and this is not compatible with your current license (an à la carte license).
To use the ACE-4710-BUN-UP2= (1G Bundle to 2G Bundle Upgrade License) you need to have a bundle product like the ACE-4710-1F-K9.
Check this:
Table 1 ACE Licensing Bundles (columns: License Model, Description, Upgrade Path)
ACE-4710-0.5F-K9
This license bundle includes the following items:
• ACE 4710 appliance
• 0.5-Gbps throughput license (ACE-AP-500M-LIC)
• 100-Mbps compression license (ACE-AP-C-100-LIC)
• 100 SSL transactions per second (TPS) license (ACE-AP-SSL-100-K9)
• 5 virtual contexts license (ACE-AP-VIRT-5)
• Application acceleration license (50 connections) (ACE-AP-OPT-50-K9)
Upgrade path: You have the option to upgrade to the 1-Gbps, 2-Gbps, or 4-Gbps bundle. Start the upgrade with ACE-4710-BUN-UP1=.
ACE-4710-1F-K9
This license bundle includes the following items:
• ACE 4710 appliance
• 1-Gbps throughput license (ACE-AP-01-LIC)
• 500-Mbps compression license (ACE-AP-C-500-LIC)
• 5000 SSL TPS license (ACE-AP-SSL-05K-K9)
• 5 virtual contexts license (ACE-AP-VIRT-5)
• Application acceleration license (50 connections) (ACE-AP-OPT-50-K9)
Upgrade path: You have the option to upgrade to the 2-Gbps or 4-Gbps bundle. Start the upgrade with ACE-4710-BUN-UP2=.
ACE-4710-BAS-2PAK
This license bundle includes the following items:
• Two ACE 4710 appliances
• 1-Gbps throughput license (ACE-AP-01-LIC)
ACE-4710-BAS-2PAK also includes the following default options:
• 1000 SSL TPS
• 100-Mbps compression
• 5 virtual contexts
• Application acceleration (50 connections)
Upgrade path: You have the option to upgrade to the 2-Gbps or 4-Gbps bundle. Start the upgrade with ACE-4710-BUN-UP2=. Two upgrade licenses are required for upgrading two units of the ACE-4710-BAS-2PAK bundle.
ACE-4710-2F-K9
This license bundle includes the following items:
• ACE 4710 appliance
• 2-Gbps throughput license (ACE-AP-02-LIC)
• 1-Gbps compression license (ACE-AP-C-1000-LIC)
• 7500 SSL TPS license (ACE-AP-SSL-07K-K9)
• 5 virtual contexts license (ACE-AP-VIRT-5)
• Application acceleration license (50 connections) (ACE-AP-OPT-50-K9)
Upgrade path: You have the option to upgrade to the 4-Gbps bundle. Start the upgrade with ACE-4710-BUN-UP3=.
ACE-4710-4F-K9
This license bundle includes the following items:
• ACE 4710 appliance
• 4-Gbps throughput license (ACE-AP-04-LIC)
• 2-Gbps compression license (ACE-AP-C-2000-LIC)
• 7500 SSL TPS license (ACE-AP-SSL-07K-K9)
• 5 virtual contexts license (ACE-AP-VIRT-5)
• Application acceleration license (50 connections) (ACE-AP-OPT-50-K9)
Upgrade path: This is the highest value bundle.
ACE-4710-BUN-UP1
0.5 to 1-Gbps throughput bundle upgrade license. See the Upgrade Path outlined above.
ACE-4710-BUN-UP2
1 to 2-Gbps throughput bundle upgrade license. See the Upgrade Path outlined above.
ACE-4710-BUN-UP3
2 to 4-Gbps throughput bundle upgrade license. See the Upgrade Path outlined above.
Table 2 ACE Licensing Options
Feature                                      License Model        Description
Performance Throughput                       Default              1-Gbps throughput.
                                             ACE-AP-500M-LIC      0.5-Gbps throughput.
                                             ACE-AP-01-LIC        1-Gbps throughput.
                                             ACE-AP-02-LIC        2-Gbps throughput.
                                             ACE-AP-04-LIC        4-Gbps throughput.
                                             ACE-AP-02-UP1        Upgrade from 1-Gbps to 2-Gbps throughput.
                                             ACE-AP-04-UP1        Upgrade from 1-Gbps to 4-Gbps throughput.
                                             ACE-AP-04-UP2        Upgrade from 2-Gbps to 4-Gbps throughput.
Virtualization                               Default              1 admin/5 user contexts.
                                             ACE-AP-VIRT-020      1 admin/20 user contexts.
SSL                                          Default              100 TPS.
                                             ACE-AP-SSL-05K-K9    5000 TPS.
                                             ACE-AP-SSL-07K-K9    7500 TPS.
                                             ACE-AP-SSL-UP1-K9    Upgrade from 5000 TPS to 7500 TPS.
HTTP Compression                             Default              100-Mbps.
                                             ACE-AP-C-500-LIC     500-Mbps.
                                             ACE-AP-C-1000-LIC    1-Gbps.
                                             ACE-AP-C-2000-LIC    2-Gbps.
                                             ACE-AP-C-UP1         Upgrade from 500-Mbps to 1 Gbps.
                                             ACE-AP-C-UP2         Upgrade from 500-Mbps to 2 Gbps.
                                             ACE-AP-C-UP3         Upgrade from 1 Gbps to 2 Gbps.
Application Acceleration Feature Pack License  ACE-AP-OPT-LIC-K9  Application acceleration and optimization. By default, the ACE performs up to 50 concurrent connections. With the application acceleration and optimization software feature pack installed, the ACE can provide greater than 50 concurrent connections.
This license increases the operating capabilities of the following features:
• Delta optimization
• Adaptive dynamic caching
• FlashForward
• Dynamic Etag
ACE-AP-02-LIC=
Upgrade Performance License 2 Gbps Spare -
ACE 4710 bundle license backup
Hello,
Is it possible to backup ACE appliance licenses if product is bought as a bundle?
ACE-4710-BAS-SK-K9
Promo Bundle - ACE 4710 HW-1Gbps-1K SSL-100MbpsComp-5VC
Following is mentioned in the ACE documentation:
"If you need to replace the ACE, you can copy and install the license file for the license onto the replacement appliance."
But, when we try to backup licenses, we get following results:
ACE-1/Admin# sh license
ACE-1/Admin# copy licenses disk0:mylicenses.tar
Backing up license... failed: License file not found
ACE-1/Admin# sh license status
Licensed Feature Count
Compression Performance in Mbps 100
Web Optimization Concurrent Conns. 50
SSL transactions per second 1000
Virtualized contexts 5
Module bandwidth in Gbps 1.0
ACE-1/Admin# sh license usage
License                 Ins   Lic Count   Status   Expiry Date   Comments
ACE-AP-C-UP1 No - Unused -
ACE-AP-C-UP2 No - Unused -
ACE-AP-C-UP3 No - Unused -
ACE-AP-01-LIC No - Unused -
ACE-AP-01-UP1 No - Unused -
ACE-AP-02-LIC No - Unused -
ACE-AP-02-UP1 No - Unused -
ACE-AP-04-LIC No - Unused -
ACE-AP-04-UP1 No - Unused -
ACE-AP-04-UP2 No - Unused -
ACE-AP-VIRT-5 No - Unused -
ACE-AP-500M-LIC No - Unused -
ACE-AP-VIRT-020 No - Unused -
ACE-AP-C-100-LIC No - Unused -
ACE-AP-C-500-LIC No - Unused -
ACE-AP-C-500-UP1 No - Unused -
ACE-AP-OPT-50-K9 No - Unused -
ACE-AP-C-1000-LIC No - Unused -
ACE-AP-C-2000-LIC No - Unused -
ACE-AP-OPT-LIC-K9 No - Unused -
ACE-AP-OPT-UP1-K9 No - Unused -
ACE-AP-SSL-05K-K9 No - Unused -
ACE-AP-SSL-07K-K9 No - Unused -
ACE-AP-SSL-100-K9 No - Unused -
ACE-AP-SSL-UP1-K9 No - Unused -
ACE-AP-SSLUP-5K-K9 No - Unused -
ACE-AP-VIRT-020-UP No - Unused -
I suppose licenses cannot be backed up because they are bundled and delivered with the bundle by default, and not installed...
Does anyone know what the procedure would be for these bundled licenses in case an ACE HW replacement is needed?
Best regards,
Jasmina
Hi Jasmina,
License file management is quite simple for ACE. Two methods: save the original license email, or copy from disk0:.
If you purchased an upgrade license and followed the procedure to generate it, you would have received your license via email. We recommend per documentation (License ordering section) that you:
"Step 5 Save the license key e-mail in a safe place in case you need it in the future (for example, to transfer the license to another ACE). "
Also, to apply, you copy the license file to disk0: on the ACE. This *.lic file resides on disk0: thereafter.
So if you did not happen to save the original email when you obtained the license, and the license has been installed, then you can simply copy the *.lic file off the ACE from disk0: to a safe place. Example copying file from ACE to FTP server:
Switch/Admin# copy disk0: ftp:
Enter source filename]? 1ACE2009060306445454.lic
Enter Address for the ftp server]? 10.2.3.4
Enter the destination filename]? [1ACE2009060306445454.lic]
Enter username]? anonymous
Enter the file transfer mode[bin/ascii]: [bin]
Enable Passive mode[Yes/No]: [Yes]
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
Switch/Admin#
Administrator Guide - Licenses on ACE:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/administration/guide/license.html#wp1010344
Hope this helps.
-pefrench -
Question about ACE-4710-BAS-2PAK bundle
Hello,
I want to order ACE-4710-BAS-2PAK bundle (2 Units of ACE 4710 Hardware-1Gbps-1K SSL-100MbpsComp-5VC- 5) and then separate two units of this bundle.
I couldn't get any information about the separation possibility, therefore "somehow" I need to ensure that the 2 units of ACE-4710-BAS-2PAK will be able to work separately.
Could you please provide me with some suggestions about this issue?
Any advice is welcome.
Yes, these units can work alone.
The pak is just a sale operation.
The HW is still the same.
G. -
ACE 4710 in bridge mode not working
I am trying to configure ACE 4710 bridge mode and I am stuck in the physical interface configuration. I have configured gig1/2 of the ACE as a trunk port, and on the layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried a trunk port also, but it got disabled due to a BPDU error.
I am not able to ping the servers or the gateway. Below are the topology and context configuration:
Router (vlan 13: IP 172.16.11.254)
|
ACE (int gig1/2)
|
L2 Switch
|
Servers (vlan 11: IP 172.16.11.1 and 11.2)
Admin Context
===========
resource-class rc1
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 0.20 maximum unlimited
boot system image:c4710ace-mz.A3_2_4.bin
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
switchport trunk allowed vlan 11,13
no shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
shutdown
access-list ALL line 8 extended permit ip any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 1000
ip address 172.16.16.16 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.16.254
context test
allocate-interface vlan 11
allocate-interface vlan 13
member rc1
test Context
=========
access-list bpdu-fixup ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
rserver host srv1
ip address 172.16.11.1
inservice
rserver host srv2
ip address 172.16.11.2
inservice
serverfarm host srv
rserver srv1
inservice
rserver srv2
inservice
sticky ip-netmask 255.255.255.255 address both SG1
timeout 120
serverfarm srv
class-map type management match-any remote-mgmt
201 match protocol snmp any
202 match protocol ssh any
203 match protocol icmp any
204 match protocol http any
205 match protocol https any
206 match protocol xml-https any
class-map match-all slb-vip
2 match virtual-address 172.16.11.10 any
policy-map type management first-match remote-mgmt
class remote-mgmt
permit
policy-map type loadbalance first-match slb
class class-default
sticky-serverfarm SG1
policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply
interface vlan 11
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
no shutdown
interface vlan 13
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
service-policy input remote-mgmt
service-policy input client-vips
no shutdown
interface bvi 1
ip address 172.16.11.9 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.11.254
Could you pls. suggest where I am going wrong?
Thanks,
Pawan
"I tried trunk port also but it got disabled" <----- if your L2 config is not correct, nothing will work.
What is the setup on the switch ? Trunk or access vlan ?
What is the status of the interface ? up ? down ?
Do you see something in your arp table ?
Gilles. -
ACE 4710 and mangled HTTP requests
After replacing a Cisco CSS/SSL Accelerator and PIX firewall with an ACE 4710 to do load balancing and SSL encryption behind an ASA firewall, we started seeing mangled HTTP requests in the Apache access logs for the servers in the server farm. Here is one example:
XX.XX.XXX.XXX - - [21/Oct/2012:01:42:12 -0500] "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
Rather than appearing just after the timestamp, the "POST /register/LServlet" is tacked on to header information that shouldn't even appear in the log. Also the first letter in that header information is always missing (heckoutFlag instead of checkoutFlag in this example).
The mangled request always shows up as a 501 HTTP error and shows up late in the Apache access logs (the timestamp is out of chronological order), and it always appears with several duplicate POSTs:
XX.XX.XXX.XXX - - [21/Oct/2012:01:42:23 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
XX.XX.XX.XXX - - [21/Oct/2012:01:42:12 -0500] "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
This is occurring for several different URLs and not just the one above and for multiple web browsers.
The ACE load balances to servers running Tomcat 7 with Apache HTTP server v. 2.2.14.
A recent ACE software upgrade to A5(2.1) has not fixed the problem.
Has anyone seen this before?
Thanks for any insight you can provide.
-Kari
Hi Kari,
Do you have a sample of the configuration which you got with the CSS?
What is the current configuration which you got on the ACE?
Can you show this output: # show stats http?
Jorge -
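As an added example, not part of Kari's post or Jorge's reply: a shell/awk filter that pulls the malformed entries out of Apache combined-format access logs, so the frequency of the problem can be tracked across the server farm while the cause is chased. The request field of a healthy entry begins with an HTTP method; the mangled ones described above begin with leftover form data instead. The log lines are constructed to mirror the ones in the post (addresses and hostname are placeholders).

```shell
#!/bin/sh
# Added example (not from the thread): find Apache combined-log entries whose
# request line does not start with an HTTP method, the signature of the
# mangled POSTs described in the post. Sample lines below are constructed.

SAMPLE_LOG='203.0.113.10 - - [21/Oct/2012:01:42:12 -0500] "heckoutFlag=true&verifyPassword=false&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.example.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
203.0.113.10 - - [21/Oct/2012:01:42:23 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.example.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
198.51.100.7 - - [21/Oct/2012:01:44:12 -0500] "GET /register/CServlet HTTP/1.1" 200 1201 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
198.51.100.7 - - [21/Oct/2012:01:42:12 -0500] "heckoutFlag=true&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.example.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"'

# Read combined-format lines on stdin; print "<client> <status> <request>" for
# every entry whose request field does not begin with a known HTTP method.
find_mangled_requests() {
    awk -F'"' '
        {
            request = $2                 # text between the first pair of quotes
            split($1, pre, " ")          # client address is the first token
            split($3, post, " ")         # status code and size follow the request
            if (request !~ /^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) /)
                printf "%s %s %s\n", pre[1], post[1], request
        }'
}

# Number of mangled entries on stdin, for a simple alerting threshold
count_mangled_requests() {
    find_mangled_requests | wc -l | tr -d ' '
}

# Example usage:
#   printf '%s\n' "$SAMPLE_LOG" | find_mangled_requests
#   cat /var/log/apache2/access.log | count_mangled_requests
```

Run per backend server, the count separates a server-specific fault from one introduced upstream at the load balancer: the post's symptom is that every farm member logs the same pattern.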
ACE 4710 transparent LB with two Caches and two routers.
Hello,
I have an ACE 4710 that load balances two CacheFlows (Blue Coat). I am doing PBR on the routers to send the traffic destined to port 80 to the ACE, then to the cache farm. After that the CacheFlow will get the page from the internet via two routers. The return traffic will match another PBR on the routers with source port 80 that will send it to the ACE, then to the CacheFlow again, then to the users.
I am not using IP spoofing on the CacheFlow for now. In the figure attached I created a VIP 0.0.0.0 0.0.0.0 port 80 on the interface of the ACE facing the routers, but the question is: do I have to create another VIP 0.0.0.0 0.0.0.0 port 80 on the interface of the ACE facing the CacheFlow, or just forward the traffic on the default route? What might be the default route, since I have to use two routers and I cannot use HSRP?
Kindly I need some assistance
Thank you and regards,
George
access-list PERMIT_ALL line 8 extended permit ip any any
access-list CFLOW line 8 extended permit ip any any
ip name-server 8.8.8.8
ip name-server 4.2.2.2
################################## Config for Cache Servers ###################
probe http CISCO_WWW_PROBE
ip address 72.163.4.161
interval 2
faildetect 2
passdetect interval 2
passdetect count 5
request method head url /index.html
expect status 200 200
exit
probe http YAHOO_WWW_PROBE
ip address 87.248.112.181
interval 2
faildetect 2
passdetect interval 2
passdetect count 5
request method head url /index.html
expect status 200 200
exit
serverfarm host TRANSPARENT_PROXY_SF
description Transparent Proxy Farm
transparent
predictor hash url
probe CISCO_WWW_PROBE
probe YAHOO_WWW_PROBE
rserver CFLOW01
inservice
rserver CFLOW02
inservice
exit
exit
############################################# Router Cache Farm ############################
probe icmp ICMP_PROBE
description *** Probe for icmp health monitoring ***
interval 5
faildetect 2
passdetect interval 60
passdetect count 2
exit
rserver host Router01
description Connection to Sodetel Router
ip address 192.168.14.4
probe ICMP_PROBE
inservice
rserver host Router02
description Connection to IDM Router
ip address 192.168.14.5
probe ICMP_PROBE
inservice
serverfarm host Routers
description Transparent Proxy Farm
transparent
predictor hash url
probe ICMP_PROBE
rserver Router01
inservice
rserver Router02
inservice
exit
exit
################################# Management################################
class-map type management match-any REMOTE_MGMT
description Allow Remote management for below protocols
8 match protocol icmp any
9 match protocol ssh source-address 172.31.13.31 255.255.255.255
10 match protocol ssh source-address 172.31.31.21 255.255.255.255
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_MGMT
permit
class-map match-all CFLO2Internet
2 match virtual-address 0.0.0.0 0.0.0.0 any
class-map match-all TRANSPARENT_VIP_CM
2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
policy-map type loadbalance first-match TRANSPARENT_LB_PM
class class-default
serverfarm TRANSPARENT_PROXY_SF backup Routers
policy-map type loadbalance first-match CFLO2Internet_LB
class class-default
serverfarm Routers
policy-map multi-match CFLO2Internet_PM
class CFLO2Internet
loadbalance vip inservice
loadbalance policy CFLO2Internet_LB
loadbalance vip icmp-reply active
connection advanced-options TCP
policy-map multi-match L3L4_PM
class TRANSPARENT_VIP_CM
loadbalance vip inservice
loadbalance policy TRANSPARENT_LB_PM
loadbalance vip icmp-reply active
connection advanced-options TCP
====Interfaces======
interface vlan 11
description Interface between Routers and ACE
ip address 192.168.14.2 255.255.255.224
alias 192.168.14.1 255.255.255.224
peer ip address 192.168.14.3 255.255.255.224
no icmp-guard
access-group input PERMIT_ALL
service-policy input REMOTE_MGMT_ALLOW_POLICY
service-policy input L3L4_PM
no shutdown
interface vlan 21
description Connection to CFlow ServerFarm
ip address 192.168.12.2 255.255.255.224
alias 192.168.12.1 255.255.255.224
peer ip address 192.168.12.3 255.255.255.224
no icmp-guard
access-group input CFLOW
service-policy input CFLO2Internet_PM ------>>>> Is this necessary???
no shutdown
Hi George,
In the topology you described, only the service-policy in the interface towards the routers is necessary. For the traffic from the caches, the ACE will just forward to the default gateway.
The only problem is, as you mentioned, that you cannot use HSRP. In that case, you can still configure two default gateways, but there is no way to predict which one the ACE will use at a given time (the way it selects the one it will use is by sending an ARP request to both gateways and using the one that replies first, until the ARP entry expires).
If you need to load-balance the traffic between both routers, then yes, you would need to configure a new VIP on the cache side and load-balance to a transparent serverfarm composed of both routers.
Regards
Daniel -
SSL Certificates Update Error in ACE 4710
Hi,
I am facing a problem while updating the SSL certificates in ACE 4710. Our certificate has expired and we have purchased a new certificate from the CA. Moreover, the common name of the certificate has also changed.
I tried importing the certificate to the repository and changing the SSL proxy likewise to use the new certificate, but still the new certificate with the new CN is not recognised by the clients; they can see the old certificate only. I even tried deleting and creating a new ssl proxy service with the new cert and attaching it to the policy map,
but still the new certificate is not used, even after a reboot.
Attaching screenshots and running config. Any help will be appreciated.
BR//Rajiv
Ravi,
Here are the procedures for updating your certificate on the ACE.
1) Create New RSA Key
2) Create CSR
3) Send CSR to CA authority for a new certificate
4) Import Certificate into the ACE
5) Change the ssl-proxy to use the new Certificate and Key
6) Remove the SSL-Proxy from the policy map and reapply
Now if you created the CSR on a different box, you will need to import both the RSA key and the certificate. Another thing you should be aware of is a possible change in the root and intermediate certificates that are used by the CA. In your configuration, you have
crypto chaingroup iotms-chain-gr-1
cert inter-root-new
Is this the correct certificate for your cert? If so, it seems odd that there is only one certificate in the chaingroup. Most CAs use an intermediate and a root certificate.
Verify that you have the correct chaingroup (with the correct root and intermediate certificates). -
SSL Termination in ACE 4710 not working
Hi,
I have configured a new ACE 4710 with only a single context to redirect https traffic to http real servers using SSL Termination. When I do a telnet on port 443 or 80 to the VIP it works fine, but when I try to open the URL it prompts me to accept the certificate, then it tries to find and establish a connection to the URL but eventually dies out giving a "Page cannot be displayed" error. I have done some troubleshooting and found that the connection to the VIP on port 443 is Established but the out connection from the real server to the client remains in the INIT state. I am attaching the configs and all the troubleshooting data I have collected. Pls someone help.
Yes, the "server pkt count" for the "class: VIP_HTTPD_Redirect" is not incrementing, and yes, the servers do not have the default gateway towards the ACE.
So as suggested I have configured a default route in the servers towards the ACE interface VLAN IP address. Still the server packet count is not incrementing. I am posting the updated configuration of the ACE as an attachment. Pls help.
-
ACE 4710 in failover - ssl offload, cert for second ACE
Hi,
I'm testing two ACE 4710 appliances that should work in active/standby mode and do ssl offload in bridged mode.
At the moment I have configured one of the devices to do basic load balancing (without ssl offload).
Now I would like to move further and configure ssl offload and configure High availability.
I read that the certificate for SSL can be locally generated on the ACE device, but I couldn't find any information regarding the cert that should be used on the second ACE.
Should I generate a new cert on the standby unit or somehow use the one on the first ACE?
Is it better to first set up high availability and then configure ssl offload or vice versa?
Does anyone have a config example of ssl offload and active/standby configuration?
Thank you in advance.
You simply need to generate keys & CSR on the primary ACE. Export the keys from the primary ACE, import these keys to the standby ACE, and once you receive the certs from the CA then simply import the cert to both ACEs.
Following are the steps to achieve that.
On primary ACE
1. create RSA Keys
crypto generate key 2048 app1.key
2. Create CSR & send it to CA
ace/Admin(config)# crypto csr-params app1-csr
ace/Admin(config-csr-params)# common-name www.app1.com
ace/Admin(config-csr-params)# country US
ace/Admin(config-csr-params)# email [email protected]
ace/Admin(config-csr-params)# locality xyz
ace/Admin(config-csr-params)# organization-name xyz
ace/Admin(config-csr-params)# organization-unit xyz
ace/Admin(config-csr-params)# state CA
ace/Admin(config-csr-params)# serial-number 1234
ace/Admin(config-csr-params)# end
ace/Admin(config)# crypto generate csr app1-csr app1.key
(copy the result to a file)
4. Import certificate received from CA
crypto import terminal app1.cert
(paste the content of the cert)
5. verify the cert & keys match
crypto verify app1.key app1.cert
6. Export the keys from Active
crypto export app1.key
(copy the result to a file)
ON Standby ACE:
1. Import the keys
crypto import terminal app1.key
2. Import the cert
crypto import terminal app1.cert
3. Verify the cert & keys match
crypto verify app1.key app1.cert
Hope this helps
Syed -
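Added example, not from either thread and not the ACE's own code: an openssl equivalent of the "crypto verify" step above, usable off-box to confirm that the key exported from the active ACE and the CA-issued certificate are a pair before they are imported onto the standby, and to print the certificate's issuer so the chaingroup question in the certificate-update thread above can be checked against the CA's current intermediate. It assumes openssl is installed; the key, CSR and certificate are generated locally (the certificate is self-signed as a stand-in for the one the CA returns) and the file names mirror Syed's procedure.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the ACE "crypto verify KEY CERT"
# check with openssl, so a key/cert pair can be validated before import onto the
# standby unit. Assumes openssl is installed. Files and subject are constructed.

WORK="${TMPDIR:-/tmp}/ace-ssl-demo.$$"

# Steps 1-2 of the procedure: RSA key plus a CSR carrying the same subject fields
make_key_and_csr() {
    mkdir -p "$WORK"
    openssl genrsa -out "$WORK/app1.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/app1.key" -out "$WORK/app1.csr" \
        -subj "/C=US/ST=CA/L=xyz/O=xyz/OU=xyz/CN=www.app1.com" 2>/dev/null
}

# Stand-in for the CA: sign the CSR with its own key (constructed 30-day cert)
issue_cert() {
    openssl x509 -req -in "$WORK/app1.csr" -signkey "$WORK/app1.key" \
        -days 30 -out "$WORK/app1.cert" 2>/dev/null
}

# SHA-256 of the DER-encoded public key derived from a private key file;
# fails (non-zero) if the file is not a parseable key
key_pubkey_fp() {
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key embedded in a certificate
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Equivalent of "crypto verify app1.key app1.cert": succeeds only when both
# files parse and the public keys are identical
verify_key_cert() {
    k=$(key_pubkey_fp "$1") || return 1
    c=$(cert_pubkey_fp "$2") || return 1
    [ "$k" = "$c" ]
}

# Subject and issuer of a certificate: the issuer must equal the subject of
# the intermediate placed in the ACE chaingroup, otherwise clients see an
# incomplete chain even though the leaf certificate itself is correct
show_subject_issuer() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# Example usage:
#   make_key_and_csr && issue_cert
#   verify_key_cert "$WORK/app1.key" "$WORK/app1.cert" && echo "key and cert match"
#   show_subject_issuer "$WORK/app1.cert"
```

On a real rollover the CSR goes to the CA and the returned certificate replaces the self-signed stand-in; the same two fingerprint functions then apply to the exported key and the CA certificate before the standby import, and to each member of the chaingroup when a CA has changed its intermediate.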
ACE 4710 - need help configuring backend server monitoring
Currently running an ACE 4710, which is handling all of our inbound SSL connections and then forwarding requests through to backend web servers. This all works fine.
My question is this. Right now we are not load balancing any of the backend web servers. But I now have a requirement that should a web server crash or become unavailable, I need to redirect that backend connection to another web server.
The scenario is more like: I have 2 web servers both serving the same content, but I want one server to take all the connections unless it fails, at which point all the connections are forwarded to the 2nd server.
Is there a way to set up the load balancing where the 1st server gets all the connections until a failure happens?
Any help would be appreciated.
Cheers
Dave
Hi Dave,
You can use the sorry-server or backup server feature. Details can be found at
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1000264