ACE 4710 not responding

Hi,
We have two ACE 4710 devices in our network and we are facing a device hang issue on our primary ACE. We are not able to get management access or direct console access to the device when the issue happens, and we are also not able to reach the VLAN interface IP or the VIP. Please find below the output we got through the monitor that we connected to the ACE.
Booting localboot(c4710ace-t1k9-mz.A5_1_2.bin)
kernel=(hd0,1)/c4710ace-t1k9-mz.A5_1_2.bin ro root=LABEL=/ auto console=ttyS0,9600n8 quiet bigphysarea=32768
[Linux-bzImage,setup=0x1400,size=0xe75a16c]
Uncompressing linux Ok, booting the kernal.
Issue is resolved after we manually rebooted the ACE. We have collected the sh tech after the reboot.
Software version : A5 1.2
Kindly suggest what may cause this issue.
Thanks in advance.
Regards,
Ranjith

Hi,
We collected the console logs while we did the reboot. Please find the output below.
------------------------------------------------ Boot log -----------------------------------------------------------------------------
AMIBIOS(C)2005 American Megatrends, Inc.
BIOS Date: 08/25/09 09:37:25 Ver: 08.00.11
CPU : Intel(R) Pentium(R) 4 CPU 3.40GHz
 Speed : 3.40 GHz
Broadcom NetXtreme Ethernet Boot Agent v8.1.53
Copyright (C) 2000-2005 Broadcom Corporation
All rights reserved.
Press Ctrl-S to Enter Configuration Menu ...
Broadcom NetXtreme Ethernet Boot Agent v8.1.53
AMIBIOS(C)2005 American Megatrends, Inc.
BIOS Date: 08/25/09 09:37:25 Ver: 08.00.11
CPU : Intel(R) Pentium(R) 4 CPU 3.40GHz
 Speed : 3.40 GHz
Press F2 to run Setup
Press F12 for BBS POPUP
DDR2 Frequency:667 MHz, ECC Support in Dual-Channel Interleaved Mode
Initializing USB Controllers .. Done.
6144MB OK
USB Device(s): 1 Keyboard
Auto-Detecting Pri Slave...IDE Hard Disk
Pri Slave : 1GB CompactFlash Card  CF B612J
GRUB Loading stage2........
GNU GRUB  version 0.95.1  (639K lower / 3144640K upper memory)
***************************************************************************
* localboot(ACE_APPLIANCE_RECOVERY_IMAGE.bin)                             *
* localboot(c4710ace-t1k9-mz.A5_1_2.bin)                                  *
* localboot(c4710ace-t1k9-mz.A4_2_0.bin)                                  *
***************************************************************************
Use the * and * keys to select which entry is highlighted.
Press enter to boot the selected OS, 'e' to edit the
commands before booting, or 'c' for a command-line.
The highlighted entry will be booted automatically in 1 seconds.
kernel=(hd0,1)/c4710ace-t1k9-mz.A5_1_2.bin ro root=LABEL=/ auto console=ttyS0,9600n8 quiet bigphysarea=32768
[Linux-bzImage, setup=0x1400, size=0xe75a16c]
INIT: version 2.85 booting
b4 lspci
1 Cavium device(s) found.
Bringing up NP 0
Downloading U-Boot to NP card 0
Downloading DP image to NP card 0
Starting DP image on NP card on all cores
DP image started on NP card
Setting up dynamic memory size
Initializing Shared Memory
INIT: Entering runlevel: 3
Testing PCI path for Octeon(0)....
This may take some time, Please wait ....
PCI test loop , count 0
PCI path is ready
Starting services...
Waiting for 3 seconds to enter setup mode...
Certificate & key are up to date
Installing MySQL
groupadd: group nobody exists
useradd: user nobody exists
MySQL Installed
Installing JRE
JRE Installed
Starting sysmgr processes.. Please wait...Done!!!
IDC4-INTR-ACE-01 login: admin
Password:
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2012 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
We have not found any error related to flash while booting ACE.
Regards,
Ranjith

Similar Messages

  • SSL Termination in ACE 4710 not working

    Hi,
    I have configured a new ACE 4710 with only a single context to redirect https traffic to http real servers using SSL Termination. When I do a telnet on port 443 or 80 to the VIP it works fine, but when I try to open the URL it prompts me to accept the certificate, then it tries to find and establish a connection to the URL but eventually dies out giving a "Page cannot be displayed" error. I have done some troubleshooting and found that the connection to the VIP on port 443 is Established but the out connection from the real server to the client remains in the INIT state. I am attaching the configs and all the troubleshooting data I have collected. Pls someone help.

    Yes, the "server pkt count" for the "class: VIP_HTTPD_Redirect" is not incrementing, and yes, the servers do not have the default gateway towards the ACE. So as suggested I have configured a default route in the servers towards the ACE interface vlan IP address. Still the server packet count is not incrementing. I am posting the updated configuration of the ACE as an attachment. Pls help.

  • ACE VIP not Responding to Ping and cant Connect

    Hello All,
    I recently deployed an ACE 4710 Appliance. Configs seem right but clients can't ping the VIP and also can't connect to the VIP. Also the VIP doesn't show in 'sh arp'.
    Pls HELP!!!
    See the configs!!
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.10.11 10:48:14 =~=~=~=~=~=~=~=~=~=~=~=
    sh run
    Generating configuration....
    boot system image:c4710ace-mz.A4_2_0.bin
    hostname STERLING-ACE
    interface gigabitEthernet 1/1
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/2
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/3
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/4
      channel-group 1
      no shutdown
    interface port-channel 1
      switchport trunk allowed vlan 10,200,205,210,215
      no shutdown
    access-list INBOUND line 10 extended permit ip any any
    access-list INBOUND line 16 extended permit icmp any any
    access-list INBOUND line 24 extended permit icmp any any echo
    probe http BANK-APP
      interval 2
      faildetect 2
      passdetect interval 2
      expect status 200 200
      open 1
    probe icmp PING
      description ***simple ping monitor***
      interval 10
      passdetect interval 60
      passdetect count 2
      receive 1
    probe tcp TCP80
      interval 10
      passdetect interval 10
      passdetect count 2
      receive 1
      open 5
    rserver host BANK-APP-SERVER1
      description ***GUI SERVER 1***
      ip address 172.20.1.50
      probe PING
      inservice
    rserver host BANK-APP-SERVER2
      description ***GUI SERVER 2***
      ip address 172.20.1.51
      probe PING
      inservice
    rserver host BANK-APP-SERVER3
      description ***GUI SERVER 3***
      ip address 172.20.1.52
      probe PING
      inservice
    rserver host BANK-APP-SERVER4
      description ***GUI SERVER 4***
      ip address 172.20.1.53
      probe PING
      inservice
    rserver host THIN-CLIENT1
      description ***CLI SERVER 1***
      ip address 172.20.1.34
      probe PING
      inservice
    rserver host THIN-CLIENT2
      description ***CLI SERVER 2***
      ip address 172.20.1.35
      probe PING
      inservice
    rserver host THIN-CLIENT3
      description ***CLI SERVER 3***
      ip address 172.20.1.36
      probe PING
      inservice
    rserver host THIN-CLIENT4
      description ***CLI SERVER 4***
      ip address 172.20.1.37
      probe PING
      inservice
    serverfarm host CLI-GROUP
      predictor leastconns
      probe TCP80
      rserver THIN-CLIENT1
        inservice
      rserver THIN-CLIENT2
        inservice
      rserver THIN-CLIENT3
        inservice
      rserver THIN-CLIENT4
        inservice
    serverfarm host GUI-GROUP
      predictor leastconns
      probe TCP80
      rserver BANK-APP-SERVER1
        inservice
      rserver BANK-APP-SERVER2
        inservice
      rserver BANK-APP-SERVER3
        inservice
      rserver BANK-APP-SERVER4
        inservice
    parameter-map type connection TCP-PARAM-MAP
      set timeout inactivity 360000
    class-map type management match-any REMOTEACCESS
      description remote access traffic match
      2 match protocol ssh any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol xml-https any
      6 match protocol http any
      7 match protocol https any
    class-map match-all TCP-CLASS
      description TCP CONNECTION TIMER
      2 match any
    class-map match-all VS_WEB1
      2 match virtual-address 10.0.0.115 any
    class-map match-all VS_WEB2
      2 match virtual-address 10.0.0.113 any
    policy-map type management first-match REMOTEPOLICY
      class REMOTEACCESS
        permit
    policy-map type loadbalance first-match HTTP_LB1
      class class-default
        serverfarm CLI-GROUP
    policy-map type loadbalance first-match HTTP_LB2
      class class-default
        serverfarm GUI-GROUP
    policy-map multi-match HTTP_MULTI_MATCH1
      class VS_WEB1
        loadbalance vip inservice
        loadbalance policy HTTP_LB1
        loadbalance vip icmp-reply
    policy-map multi-match HTTP_MULTI_MATCH2
      class VS_WEB2
        loadbalance vip inservice
        loadbalance policy HTTP_LB2
        loadbalance vip icmp-reply
    policy-map multi-match TCPIP-POLICY
      class TCP-CLASS
        connection advanced-options TCP-PARAM-MAP
    service-policy input REMOTEPOLICY
    service-policy input TCPIP-POLICY
    interface vlan 10
      description ***LAN LEG***
      ip address 10.0.0.66 255.255.255.0
      no icmp-guard
      access-group input INBOUND
      no shutdown
    interface vlan 200
      description ***THIN CLIENT VLAN****
      ip address 172.20.1.33 255.255.255.240
      no icmp-guard
      access-group input INBOUND
      service-policy input HTTP_MULTI_MATCH1
      no shutdown
    interface vlan 210
      description ***BANK APP SERVER VLAN****
      ip address 172.20.1.49 255.255.255.240
      no icmp-guard
      access-group input INBOUND
      service-policy input HTTP_MULTI_MATCH2
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.0.0.200
    username admin password 5 $1$ouG5.Okh$jwBoWkMiWstoTPwb9K9ku1  role Admin domain default-domain
    username www password 5 $1$M31zwdiF$iY8Y5e9nV2sMM2HxwrQI7/  role Admin domain default-domain
    STERLING-ACE/Admin#
    Thanks!!

    Hi Joshua,
    class-map match-all VS_WEB1
      2 match virtual-address 10.0.0.115 any
    class-map match-all VS_WEB2
      2 match virtual-address 10.0.0.113 any
    You have applied "service-policy input HTTP_MULTI_MATCH1" in VLAN 200 and 210, but as per the config I believe it should be applied to VLAN 10.
    interface vlan 10
      description ***LAN LEG***
      ip address 10.0.0.66 255.255.255.0
      no icmp-guard
      access-group input INBOUND
      no shutdown
    Can you apply the service policy in VLAN 10 and let me know the result?
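
The check suggested in the reply above, written out as an added example (not part of the original thread and not Cisco tooling): it parses an ACE running-config and reports every VIP whose multi-match policy is not attached to the VLAN interface whose subnet contains the VIP. The sample config is a constructed excerpt of the one posted above; the function names, and the assumptions that top-level commands start in column 0 and that the client-facing VLAN is the one whose subnet contains the VIP, are the example's own.

```python
import ipaddress
import re

# Constructed excerpt of the posted config: both VIPs sit in VLAN 10's subnet,
# but the multi-match policies are attached to VLAN 200 and VLAN 210.
SAMPLE_CONFIG = """\
class-map match-all VS_WEB1
  2 match virtual-address 10.0.0.115 any
class-map match-all VS_WEB2
  2 match virtual-address 10.0.0.113 any
policy-map multi-match HTTP_MULTI_MATCH1
  class VS_WEB1
    loadbalance vip inservice
    loadbalance policy HTTP_LB1
    loadbalance vip icmp-reply
policy-map multi-match HTTP_MULTI_MATCH2
  class VS_WEB2
    loadbalance vip inservice
    loadbalance policy HTTP_LB2
    loadbalance vip icmp-reply
interface vlan 10
  ip address 10.0.0.66 255.255.255.0
  access-group input INBOUND
  no shutdown
interface vlan 200
  ip address 172.20.1.33 255.255.255.240
  service-policy input HTTP_MULTI_MATCH1
  no shutdown
interface vlan 210
  ip address 172.20.1.49 255.255.255.240
  service-policy input HTTP_MULTI_MATCH2
  no shutdown
"""


def parse_ace_config(config):
    """Collect VIPs per class-map, classes per multi-match policy, and per-VLAN data."""
    vips, policies, vlans, global_policies = {}, {}, {}, set()
    kind = name = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "--More--":      # skip blanks and pager prompts
            continue
        words = line.split()
        if not raw[0].isspace():                # a top-level command opens a new section
            kind = name = None
            if words[0] == "class-map" and words[1:2] != ["type"]:
                kind, name = "class", words[-1]
                vips.setdefault(name, [])
            elif words[:2] == ["policy-map", "multi-match"]:
                kind, name = "policy", words[2]
                policies.setdefault(name, [])
            elif words[:2] == ["interface", "vlan"]:
                kind, name = "vlan", int(words[2])
                vlans.setdefault(name, {"net": None, "policies": set()})
            elif words[:2] == ["service-policy", "input"]:
                global_policies.add(words[2])   # applied outside any interface
            continue
        if kind == "class":
            m = re.match(r"(?:\d+ )?match virtual-address (\S+)", line)
            if m:
                vips[name].append(ipaddress.ip_address(m.group(1)))
        elif kind == "policy" and words[0] == "class":
            policies[name].append(words[1])
        elif kind == "vlan" and words[:2] == ["ip", "address"] and len(words) >= 4:
            iface = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
            vlans[name]["net"] = iface.network
        elif kind == "vlan" and words[:2] == ["service-policy", "input"]:
            vlans[name]["policies"].add(words[2])
    return vips, policies, vlans, global_policies


def audit_vip_placement(config):
    """Return (vip, policy, vlans_applied, vlans_containing_vip) for each mismatch."""
    vips, policies, vlans, global_policies = parse_ace_config(config)
    findings = []
    for policy, classes in policies.items():
        if policy in global_policies:           # a global policy covers every VLAN
            continue
        applied = sorted(v for v, d in vlans.items() if policy in d["policies"])
        for cls in classes:
            for vip in vips.get(cls, []):
                home = sorted(v for v, d in vlans.items()
                              if d["net"] is not None and vip in d["net"])
                # A VIP outside every connected subnet (routed VIP) is not judged.
                if any(v not in applied for v in home):
                    findings.append((str(vip), policy, applied, home))
    return findings


if __name__ == "__main__":
    for vip, policy, applied, home in audit_vip_placement(SAMPLE_CONFIG):
        print(f"VIP {vip}: {policy} is on VLAN {applied}, VIP subnet is VLAN {home}")
```
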

  • Cisco ACE VIP not responding to Pings

    I've searched.....  I cannot figure out why my VIPs do not ping.  I have two vlans that both reply to a ping on the interface IPs.  And I'm new at this, thanks in advance.
    GKEL2-ACE1/35568059-Axia# show run
    Generating configuration....
    no ft auto-sync startup-config
    logging enable
    logging timestamp
    logging trap 5
    logging host 10.85.242.100 udp/514
    login timeout 60
    crypto chaingroup walnut-wcrt100
      cert .dom.cer
      cert wcrt100.pem
    crypto chaingroup .dom-wcrt100
      cert .dom.cer
      cert wcrt100.pem
    crypto csr-params .dom
      country CA
      state AB
      organization-unit IT
      common-name .dom
      serial-number 1000
      email support
    crypto csr-params .dom
      country CA
      state AB
      organization-unit IT
      common-name .dom
      serial-number 1001
      email support
    access-list ANYONE line 10 extended permit ip any any
    access-list ANYONE line 20 extended permit icmp any any
    access-list All line 1 extended permit ip any any
    probe http HTTP1025
      port 1025
      interval 2
      faildetect 2
      passdetect interval 2
      request method get url /Login.css
      open 1
    probe icmp PING
      interval 2
      faildetect 2
      passdetect interval 60
    probe tcp PROBE-TCP
      interval 2
      faildetect 2
      passdetect interval 10
      passdetect count 2
      open 1
    rserver redirect REDIRECT-HTTPS
      webhost-redirection https://%h%p 302
      inservice
    rserver host WL1
      ip address 10.205.70.100
      inservice
    rserver host WL2
      ip address 10.205.70.101
      inservice
    rserver host WLDev1
      ip address 10.205.71.202
      inservice
    rserver host WLDev2
      ip address 10.205.71.203
      inservice
    rserver host WLTest1
      ip address 10.205.71.150
      inservice
    rserver host WLTest2
      ip address 10.205.71.151
      inservice
    serverfarm redirect REDIRECT-SERVERFARM
      rserver REDIRECT-HTTPS
        inservice
    serverfarm host WEBLOGIC-7433
      predictor leastconns
      probe PING
      rserver WL1 7433
        inservice
      rserver WL2 7433
        inservice
    serverfarm host WEBLOGIC-PROD
      predictor leastconns
      probe PING
      rserver WL1 1025
        inservice
      rserver WL2 1026
        inservice
    serverfarm host WEBLOGIC-TEST-SSH
      predictor leastconns
      rserver WLTest1 22
        inservice
      rserver WLTest2 22
        inservice
    sticky http-cookie acecookie STICKY-INSERT-COOKIE
      cookie insert
      serverfarm WEBLOGIC-PROD
    action-list type modify http REWRITE
      header insert response Via header-value "1.1 web:%ps (ace10-8/a2)value"
      header insert request Via header-value "1.1 web:%ps (ace10-8/a2)value"
      header insert request X-Forwarded-Proto header-value "%pd"
      ssl url rewrite location "*.*"
      ssl header-insert session Id
    ssl-proxy service ssl-client
    ssl-proxy service ssl-proxy
      key netcracker.cal.dom.key
      cert netcracker.cal.dom.cer
      chaingroup netcracker.cal.dom-wcrt100
    class-map match-any L4VIPCLASS
      2 match virtual-address 10.205.70.80 any
    class-map type http loadbalance match-any L7-URL
      2 match http url /*.*
    class-map type http loadbalance match-all L7SLBCLASS
      2 match http url /*
    class-map type management match-any REMOTE-MANAGEMENT
      2 match protocol telnet any
      3 match protocol icmp any
      4 match protocol ssh any
      5 match protocol snmp any
      6 match protocol http any
      7 match protocol https any
    class-map match-any SSH_Test
      2 match virtual-address 10.205.71.80 tcp eq 22
    class-map match-any weblogic-7433
      2 match virtual-address 10.205.70.80 tcp eq 7433
    class-map match-any weblogic-http
      2 match virtual-address 10.205.70.80 tcp eq www
    class-map match-any weblogic-https
      2 match virtual-address 10.205.70.80 tcp eq https
    policy-map type management first-match REMOTE-MANAGEMENT
      class REMOTE-MANAGEMENT
        permit
    policy-map type loadbalance first-match L7SLBPOLICY
      class L7SLBCLASS
        ssl-proxy client ssl-client
    policy-map type loadbalance first-match SSH_Test_Policy
      class class-default
        serverfarm WEBLOGIC-TEST-SSH
    policy-map type loadbalance first-match weblogic-7433-policy
      class class-default
        serverfarm WEBLOGIC-7433
        ssl-proxy client ssl-client
    policy-map type loadbalance first-match weblogic-http-policy
      class class-default
        serverfarm REDIRECT-SERVERFARM
    policy-map type loadbalance first-match weblogic-https-policy
      class L7-URL
        sticky-serverfarm STICKY-INSERT-COOKIE
      class class-default
        serverfarm WEBLOGIC-PROD
        action REWRITE
        ssl-proxy client ssl-proxy
    policy-map multi-match L4LSBPOLICY
      class L4VIPCLASS
        loadbalance policy L7SLBPOLICY
    policy-map multi-match LB-VIP
      class weblogic-http
        loadbalance vip inservice
        loadbalance policy weblogic-http-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3440
      class weblogic-https
        loadbalance vip inservice
        loadbalance policy weblogic-https-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3440
        ssl-proxy server ssl-proxy
      class weblogic-7433
        loadbalance vip inservice
        loadbalance policy weblogic-7433-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3440
        ssl-proxy server ssl-proxy
    policy-map multi-match LB-VIP-Test
      class SSH_Test
        loadbalance vip inservice
        loadbalance policy SSH_Test_Policy
        loadbalance vip icmp-reply
    interface vlan 3440
      description Internal Production
      ip address 10.205.70.250 255.255.255.0
      access-group input All
      access-group output All
      nat-pool 1 10.205.70.249 10.205.70.249 netmask 255.255.255.0 pat
      service-policy input REMOTE-MANAGEMENT
      service-policy input LB-VIP
      service-policy input L4LSBPOLICY
      no shutdown
    interface vlan 3516
      description Internal Test/Dev
      ip address 10.205.71.250 255.255.255.0
      access-group input All
      access-group output All
      nat-pool 2 10.205.71.249 10.205.71.249 netmask 255.255.255.0 pat
      service-policy input REMOTE-MANAGEMENT
      service-policy input LB-VIP-Test
      no shutdown
    interface vlan 3520
      description LB
      ip address 10.205.72.1 255.255.255.0
      access-group input All
      access-group output All
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.205.70.253
    username admin password 5 $1$r2r0NmEH$z8S0RxYdhwOE4RGXQ41  role Admin domain default-domain
    username cust_admin password 5 $1$/tOIIfUK$yigE519cqLq1IFgX.  role Admin domain default-domain

    I have removed that service policy completely.  It was from some knowledgebase article when I was trying to get http redirection working. 
    There is no more L4LSBPOLICY nor L4VIPCLASS, Thanks a lot for looking at this...
    GKEL2-ACE1/35568059-Axia# show service-policy summary
    service-policy: LB-VIP
    Class                            VIP             Prot  Port        VLAN          State    Curr Conns   Hit Count  Conns Drop
    weblogic-http                    10.205.70.80    tcp   eq 80       1,3440        IN-SRVC           0       50773         53
    weblogic-https                   10.205.70.80    tcp   eq 443      1,3440        IN-SRVC           0        7406        112
    weblogic-7433                    10.205.70.80    tcp   eq 7433     1,3440        IN-SRVC           0      145321         30
    service-policy: LB-VIP-Dev
    Class                            VIP             Prot  Port        VLAN          State    Curr Conns   Hit Count  Conns Drop
    weblogic-http-dev                10.205.71.90    tcp   eq 80       1,3516        IN-SRVC           0           0          0
    weblogic-https-dev               10.205.71.90    tcp   eq 443      1,3516        IN-SRVC           0           0          0
    weblogic-7433-dev                10.205.71.90    tcp   eq 7433     1,3516        IN-SRVC           0           0          0
    service-policy: LB-VIP-Test
    Class                            VIP             Prot  Port        VLAN          State    Curr Conns   Hit Count  Conns Drop
    SSH_Test                         10.205.71.80    tcp   eq 22       1,3516        IN-SRVC           0          29         24
    weblogic-http-test               10.205.71.80    tcp   eq 80       1,3516        IN-SRVC           0         117         40
    weblogic-https-test              10.205.71.80    tcp   eq 443      1,3516        IN-SRVC           0         161         61
    weblogic-7433-test               10.205.71.80    tcp   eq 7433     1,3516        IN-SRVC           0          27         11
    class-map type http loadbalance match-any L7-URL
      2 match http url /*.*
    class-map type http loadbalance match-all L7SLBCLASS
      2 match http url /*
    class-map type management match-any REMOTE-MANAGEMENT
      2 match protocol telnet any
      3 match protocol icmp any
      4 match protocol ssh any
      5 match protocol snmp any
      6 match protocol http any
      7 match protocol https any
    class-map match-any SSH_Test
      2 match virtual-address 10.205.71.80 tcp eq 22
    class-map match-any weblogic-7433
      2 match virtual-address 10.205.70.80 tcp eq 7433
    class-map match-any weblogic-7433-dev
      2 match virtual-address 10.205.71.90 tcp eq 7433
    class-map match-any weblogic-7433-test
      2 match virtual-address 10.205.71.80 tcp eq 7433
    class-map match-any weblogic-http
      2 match virtual-address 10.205.70.80 tcp eq www
    class-map match-any weblogic-http-dev
      2 match virtual-address 10.205.71.90 tcp eq www
    class-map match-any weblogic-http-test
      2 match virtual-address 10.205.71.80 tcp eq www
    class-map match-any weblogic-https
      2 match virtual-address 10.205.70.80 tcp eq https
    class-map match-any weblogic-https-dev
      2 match virtual-address 10.205.71.90 tcp eq https
    class-map match-any weblogic-https-test
      2 match virtual-address 10.205.71.80 tcp eq https
    policy-map type management first-match REMOTE-MANAGEMENT
      class REMOTE-MANAGEMENT
        permit
    policy-map type loadbalance first-match L7SLBPOLICY
      class L7SLBCLASS
        ssl-proxy client ssl-client
    policy-map type loadbalance first-match SSH_Test_Policy
      class class-default
        serverfarm WEBLOGIC-TEST-SSH
    policy-map type loadbalance first-match weblogic-7433-dev-policy
      class class-default
        serverfarm WEBLOGIC-7433-Dev
    policy-map type loadbalance first-match weblogic-7433-policy
      class class-default
        serverfarm WEBLOGIC-7433
        ssl-proxy client ssl-client
    policy-map type loadbalance first-match weblogic-7433-test-policy
      class class-default
        serverfarm WEBLOGIC-7433-Test
        ssl-proxy client ssl-client
    policy-map type loadbalance first-match weblogic-http-dev-policy
      class class-default
        serverfarm REDIRECT-SERVERFARM
    policy-map type loadbalance first-match weblogic-http-policy
      class class-default
        serverfarm REDIRECT-SERVERFARM
    policy-map type loadbalance first-match weblogic-http-test-policy
      class class-default
        serverfarm REDIRECT-SERVERFARM
    policy-map type loadbalance first-match weblogic-https-dev-policy
      class L7-URL
        sticky-serverfarm STICKY-INSERT-COOKIE-DEV
      class class-default
        serverfarm WEBLOGIC-DEV
        action REWRITE
    policy-map type loadbalance first-match weblogic-https-policy
      class L7-URL
        sticky-serverfarm STICKY-INSERT-COOKIE
      class class-default
        serverfarm WEBLOGIC-PROD
        action REWRITE
        ssl-proxy client ssl-proxy
    policy-map type loadbalance first-match weblogic-https-test-policy
      class L7-URL
        sticky-serverfarm STICKY-INSERT-COOKIE-TEST
      class class-default
        serverfarm WEBLOGIC-TEST
        action REWRITE
        ssl-proxy client ssl-proxy-nctest
    policy-map multi-match LB-VIP
      class weblogic-http
        loadbalance vip inservice
        loadbalance policy weblogic-http-policy
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 3440
      class weblogic-https
        loadbalance vip inservice
        loadbalance policy weblogic-https-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3440
        ssl-proxy server ssl-proxy
      class weblogic-7433
        loadbalance vip inservice
        loadbalance policy weblogic-7433-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3440
        ssl-proxy server ssl-proxy
    policy-map multi-match LB-VIP-Dev
      class weblogic-http-dev
        loadbalance vip inservice
        loadbalance policy weblogic-http-dev-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3516
      class weblogic-https-dev
        loadbalance vip inservice
        loadbalance policy weblogic-https-dev-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3516
      class weblogic-7433-dev
        loadbalance vip inservice
        loadbalance policy weblogic-7433-dev-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3516
    policy-map multi-match LB-VIP-Test
      class SSH_Test
        loadbalance vip inservice
        loadbalance policy SSH_Test_Policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3516
      class weblogic-http-test
        loadbalance vip inservice
        loadbalance policy weblogic-http-test-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3516
      class weblogic-https-test
        loadbalance vip inservice
        loadbalance policy weblogic-https-test-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3516
        ssl-proxy server ssl-proxy-nctest
      class weblogic-7433-test
        loadbalance vip inservice
        loadbalance policy weblogic-7433-test-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3516
        ssl-proxy server ssl-proxy-nctest
    interface vlan 3440
      description Internal Production
      ip address 10.205.70.250 255.255.255.0
      mac-sticky enable
      access-group input All
      access-group output All
      nat-pool 1 10.205.70.249 10.205.70.249 netmask 255.255.255.0 pat
      service-policy input REMOTE-MANAGEMENT
      service-policy input LB-VIP
      no shutdown
    interface vlan 3516
      description Internal Test/Dev
      ip address 10.205.71.250 255.255.255.0
      mac-sticky enable
      access-group input All
      access-group output All
      nat-pool 1 10.205.71.240 10.205.71.249 netmask 255.255.255.0 pat
      service-policy input REMOTE-MANAGEMENT
      service-policy input LB-VIP-Test
      service-policy input LB-VIP-Dev
      no shutdown
    interface vlan 3520
      description LB
      ip address 10.205.72.1 255.255.255.0
      access-group input All
      access-group output All
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.205.70.253

  • ACE 4710 in bridge mode not working

    I am trying to configure ACE 4710 bridge mode and I am stuck on the physical interface configuration. I have configured gig1/2 of the ACE as a trunk port, and on the layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I also tried a trunk port, but it got disabled due to a BPDU error.
    I am not able to ping the servers or the gateway. Below are the topology and context configuration:
    Router   (vlan 13: IP 172.16.11.254)
         |
    ACE     (int gig1/2)
         |
    L2 Switch
         |
    Servers (vlan 11: IP 172.16.11.1 and 11.2)
    Admin Context
    ===========
    resource-class rc1
      limit-resource all minimum 0.00 maximum unlimited
      limit-resource sticky minimum 0.20 maximum unlimited
    boot system image:c4710ace-mz.A3_2_4.bin
    interface gigabitEthernet 1/1
      switchport access vlan 1000
      no shutdown
    interface gigabitEthernet 1/2
      switchport trunk allowed vlan 11,13
      no shutdown
    interface gigabitEthernet 1/3
      shutdown
    interface gigabitEthernet 1/4
      shutdown
    access-list ALL line 8 extended permit ip any any
    access-list everyone line 8 extended permit ip any any
    access-list everyone line 16 extended permit icmp any any
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    interface vlan 1000
      ip address 172.16.16.16 255.255.255.0
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.16.16.254
    context test
      allocate-interface vlan 11
      allocate-interface vlan 13
      member rc1
    test Context
    =========
    access-list bpdu-fixup ethertype permit bpdu
    access-list ALL line 8 extended permit ip any any
    access-list ALL line 16 extended permit icmp any any
    rserver host srv1
      ip address 172.16.11.1
      inservice
    rserver host srv2
      ip address 172.16.11.2
      inservice
    serverfarm host srv
      rserver srv1
        inservice
      rserver srv2
        inservice
    sticky ip-netmask 255.255.255.255 address both SG1
      timeout 120
      serverfarm srv
    class-map type management match-any remote-mgmt
      201 match protocol snmp any
      202 match protocol ssh any
      203 match protocol icmp any
      204 match protocol http any
      205 match protocol https any
      206 match protocol xml-https any
    class-map match-all slb-vip
      2 match virtual-address 172.16.11.10 any
    policy-map type management first-match remote-mgmt
      class remote-mgmt
        permit
    policy-map type loadbalance first-match slb
      class class-default
        sticky-serverfarm SG1
    policy-map multi-match client-vips
      class slb-vip
        loadbalance vip inservice
        loadbalance policy slb
        loadbalance vip icmp-reply
    interface vlan 11
      bridge-group 1
      access-group input bpdu-fixup
      access-group input ALL
      access-group output ALL
      no shutdown
    interface vlan 13
      bridge-group 1
      access-group input bpdu-fixup
      access-group input ALL
      access-group output ALL
      service-policy input remote-mgmt
      service-policy input client-vips
      no shutdown
    interface bvi 1
      ip address 172.16.11.9 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.16.11.254
    Could you please suggest where I am going wrong?
    Thanks,
    Pawan

    " I tried trunk port also but it got disabled"   <----- if your L2 config is not correct, nothing will work.
    What is the setup on the switch? Trunk or access VLAN?
    What is the status of the interface? Up? Down?
    Do you see something in your ARP table?
    Gilles.

  • VIP not reachable on ACE 4710

    Hi All,
    I am not able to connect to a virtual IP address of the ACE 4710, nor am I able to ping it. Kindly let me know if anything is wrong here.
    Regards,
    Neha.

    Hi Yahb/Neha,
    Please try and confirm this:-
    1) See if you have permitted the traffic:-
    access-list ALL line 8 extended permit ip any any
    class-map match-all L4_VIP_ADDRESS_CLASS
      2 match virtual-address 1.1.1.1 any
    class-map type management match-any REMOTE_ACCESS
      201 match protocol ssh any
      202 match protocol icmp any
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
      class class-default
        serverfarm SFARM1
    policy-map multi-match L4_LB_VIP_POLICY
      class L4_VIP_ADDRESS_CLASS
        loadbalance vip inservice
        loadbalance policy L7_VIP_LB_ORDER_POLICY
        loadbalance vip icmp-reply
    2) Apply the ACL on to the correct vlan:-
    interface vlan 20
      description Server-side Interface
      ip address 2.2.2.2 255.255.255.0
      access-group input ALL --->make sure you have applied the ACL.
      service-policy input L4_LB_VIP_POLICY
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      no shutdown
    interface vlan 30
      description Client side connectivity
      ip address 3.3.3.3 255.255.255.0
      access-group input ALL
      service-policy input L4_LB_VIP_POLICY
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      no shutdown
    ip route 0.0.0.0 0.0.0.0 x.x.x.x
    Let us know if you have done this.
    Regards
    Shariff

  • ACE 4710 is not working

    Hi. I'm working on the Cisco ACE 4710 to be able to load balance web traffic between several web servers. But despite following the steps mentioned in the Cisco configuration guide (especially this link and related docs: http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide,_Release_A3(1.0)_--_Creating_a_Virtual_Context) we did not manage to make it. We tested both the "bridged scenario" and the "routed scenario" but neither of them is working. Specifically, "configuring NAT" in the above link is very confusing and is not clear, because it's not the same as Cisco IOS, which we used to implement it that way.
    Routed Scenario:
    ==========================================
    probe http Http_Probe
      description Server Healty Check
      port 80
      request method head url /index.htm
    probe icmp ICMP_Check
      interval 10
      passdetect interval 5
    rserver host NetCad_Server_1
      ip address 172.16.1.100
      probe ICMP_Check
      inservice
    rserver host NetCad_Server_2
      ip address 172.16.1.101
      probe ICMP_Check
      inservice
    rserver host NetCad_Server_3
      ip address 172.16.1.102
      probe ICMP_Check
      inservice
    serverfarm host NetCad_Servers
      probe Http_Probe
      rserver NetCad_Server_1 80
        inservice
      rserver NetCad_Server_2 80
        inservice
      rserver NetCad_Server_3 80
        inservice
    sticky http-cookie Cookie1 1
      serverfarm NetCad_Servers
    class-map match-all VS_NetCad
      2 match virtual-address 192.168.13.162 255.255.252.0 tcp any
    policy-map type management first-match mgmt-pm
      class class-default
        permit
    policy-map type loadbalance first-match VS_NetCad-l7slb
      class class-default
        serverfarm NetCad_Servers
    policy-map multi-match int40
      class VS_NetCad
        loadbalance vip inservice
        loadbalance policy VS_NetCad-l7slb
        loadbalance vip icmp-reply
    interface vlan 40
      description Client Side
      ip address 192.168.13.161 255.255.252.0
      ip options allow
      no normalization
      no icmp-guard
      access-group input Permit_ALL
      service-policy input mgmt-pm
      service-policy input int40
      no shutdown
    interface vlan 41
      description Server Side
      ip address 172.16.1.1 255.255.255.0
      ip options allow
      no normalization
      no icmp-guard
      access-group input Permit_ALL
      nat-pool 1 172.16.1.110 172.16.1.110 netmask 255.255.255.255 pat
      service-policy input mgmt-pm
      no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.12.1
    ==========================================

    Hi,
    Let me explain.
    Assume the client IP is 1.1.1.1, the VIP is 2.2.2.2 and the real server is 3.3.3.3.
    Consider the simple situation where the client needs to access an application hosted on 3.3.3.3. The client sends a request which comes to the VIP:
    src 1.1.1.1 -----> dst 2.2.2.2
    The ACE, after matching conditions and taking the LB decision, decides to send it to the 3.3.3.3 real server. It performs destination NAT and forwards the client request to 3.3.3.3. So the above packet's L3 header will now look like:
    src 1.1.1.1 -----> dst 3.3.3.3
    When the reply comes from the server, the ACE will change src 3.3.3.3 back to 2.2.2.2 and forward the request to client 1.1.1.1. SIMPLE LB.
    Now comes a situation where, let's say, you want to hide the client IP from the server, or the server's default GW is not the ACE, or the client and server are in the same subnet but need to communicate through the VIP on the ACE, etc.
    src 1.1.1.1 -----> dst 2.2.2.2
    After LB the ACE decides to send it to 3.3.3.3, but the policy multi-match also has a NAT rule (nat dynamic 1 vlan x). The packet would be forwarded from the server VLAN, where you have the NAT pool defined. So let's say the pool IP is 3.3.3.4. The ACE will perform both destination and source NAT here before forwarding the packet to the server, and the packet's L3 header will look like:
    src 3.3.3.4 -----> dst 3.3.3.3
    Now when 3.3.3.3 has to send the packet back, the ACE will answer ARP for 3.3.3.3 and hence the packet will come back to the ACE, which will again change the L3 header IPs and send it out the client VLAN towards the client.
    So NAT is always applied to the server-side VLAN, and that's why the pool is chosen from the server-side subnet.
    Let me know if you have any questions.
    Regards,
    Kanwal
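
The relationship described in the answer above (a `nat dynamic` rule in the multi-match policy has to point at a `nat-pool` defined on the server-side VLAN, with pool addresses taken from that subnet) can be checked mechanically. The Python check below is an added example, not part of the original thread and not a Cisco tool; the sample config is abridged from the routed scenario in the question, and the finding names are hypothetical labels chosen for this illustration.

```python
import ipaddress
import re

# Constructed sample: abridged from the routed-scenario config in the question,
# keeping only the lines that matter for source NAT.
SAMPLE_CONFIG = """\
policy-map multi-match int40
  class VS_NetCad
    loadbalance vip inservice
    loadbalance policy VS_NetCad-l7slb
    loadbalance vip icmp-reply
interface vlan 40
  description Client Side
  ip address 192.168.13.161 255.255.252.0
  service-policy input int40
  no shutdown
interface vlan 41
  description Server Side
  ip address 172.16.1.1 255.255.255.0
  nat-pool 1 172.16.1.110 172.16.1.110 netmask 255.255.255.255 pat
  no shutdown
"""

# Keywords that open a new block and so end the current interface/policy
# context. Pasted configs often lose indentation, so the parser keys on
# keywords instead of leading whitespace.
BLOCK_STARTS = ("interface ", "int ", "policy-map ", "class-map ",
                "rserver ", "ft ", "ip route ")


def parse(config):
    """Return (interfaces, nat_rules) extracted from ACE-style config text."""
    interfaces = {}  # vlan -> {"net": IPv4Network or None, "pools": {id: (first, last)}}
    nat_rules = []   # (policy, class, pool_id, vlan)
    vlan = policy = klass = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(BLOCK_STARTS):
            vlan = policy = klass = None
        if m := re.fullmatch(r"int(?:erface)? vlan (\d+)", line):
            vlan = int(m[1])
            interfaces.setdefault(vlan, {"net": None, "pools": {}})
        elif m := re.fullmatch(r"policy-map multi-match (\S+)", line):
            policy = m[1]
        elif policy and (m := re.fullmatch(r"class (\S+)", line)):
            klass = m[1]
        elif policy and (m := re.fullmatch(r"nat dynamic (\d+) vlan (\d+)", line)):
            nat_rules.append((policy, klass, int(m[1]), int(m[2])))
        elif vlan is not None and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            interfaces[vlan]["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif vlan is not None and (m := re.fullmatch(
                r"nat-pool (\d+) (\S+) (\S+) netmask (\S+)(?: pat)?", line)):
            interfaces[vlan]["pools"][int(m[1])] = (
                ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
    return interfaces, nat_rules


def audit(config):
    """Return a list of (finding, vlan, pool_id) tuples; empty means consistent."""
    interfaces, nat_rules = parse(config)
    findings, used = [], set()
    # Every 'nat dynamic P vlan V' needs 'nat-pool P' on 'interface vlan V'.
    for _policy, _klass, pool, vlan in nat_rules:
        if pool in interfaces.get(vlan, {}).get("pools", {}):
            used.add((vlan, pool))
        else:
            findings.append(("missing-pool", vlan, pool))
    for vlan, intf in sorted(interfaces.items()):
        for pool, (first, last) in sorted(intf["pools"].items()):
            # A pool that no 'nat dynamic' rule references translates nothing.
            if (vlan, pool) not in used:
                findings.append(("unused-pool", vlan, pool))
            # The answer's rule of thumb: pool addresses come from the VLAN's subnet.
            net = intf["net"]
            if net is None or first not in net or last not in net:
                findings.append(("pool-outside-subnet", vlan, pool))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the abridged sample it reports that pool 1 on VLAN 41 is defined but never referenced by a `nat dynamic` rule, so no source NAT would be applied to traffic matching the VIP class.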

  • Rservers initiated traffic not sourcing the traffic as VIP in Ace 4710

    One of the features of our application is that our application server initiates text messages to our devices, sourced from UDP 1120, and the device needs to see the message come from a specific public IP (2.2.2.2) with UDP port 1120 and reply back with the same public IP (2.2.2.2) with UDP port 1120. The problem is that we can make that happen if we have only one server in our ACE serverfarm, when we SNAT the real server with the VIP address (10.1.246.32), but it does not work when we have more than one server in the serverfarm. Since we have 2 servers, I cannot NAT the real servers with the VIP address; if I do a PAT, obviously it changes the source port of the request.
    Note: This setup is working fine with the Cisco Content Switch module running on a 6509 chassis. When I sniff the traffic initiated from the server coming through the CSM load balancer, it is sourcing the traffic as the VIP and the source port remains the same by default, but this is not the case with the ACE 4710.
    Traffic flow as follows
    ===============
    ACE 4710                                                       FWSM (Firewall static NAT)                    Device ( configured with 2.2.2.2:1120 (udp) to snd/rcv msg)
                                                 VIP
    Rserver 1   - 10.1.104.80       10.1.246.32           10.1.246.32  < - > 2.2.2.2                              1.1.1.1
    Rserver 2   - 10.1.104.81
    ---------------------------------------------------------->           ------------------------------->                      - traffic flow from server to the device when we send msg
    Configs:
    ======
    rserver host server1
      ip address 10.1.104.80
      inservice
    rserver host server2
      ip address 10.1.104.81
      inservice
    serverfarm host SFARM
      failaction purge
      probe ICMP
      rserver server1
        inservice
      rserver server2
        inservice
    access-list TEST-1120 line 8 extended permit udp host 10.1.104.80 eq 1120 any
    access-list TEST-1120 line 16 extended permit udp host 10.1.104.81 eq 1120 any
    parameter-map type connection UDP_TIMEOUT
      set timeout inactivity 3600
    sticky ip-netmask 255.255.255.255 address source STKY-SFARM
      serverfarm SFARM
      timeout 180
      replicate sticky
    class-map match-all CLS-SFARM
      2 match virtual-address 10.1.246.32 udp eq 1120
    class-map match-all SERVERNAT
      2 match access-list TEST-1120
    policy-map type loadbalance first-match POL-SFARM
      class class-default
        sticky-serverfarm STKY-SFARM
    policy-map multi-match POL-LB
      class CLS-SFARM
        loadbalance vip inservice
        loadbalance policy POL-SFARM
        loadbalance vip icmp-reply active
        connection advanced-options UDP_TIMEOUT
      class SERVERNAT
        nat dynamic 1 vlan 244
    int vlan 244
      ip address 10.1.246.2 255.255.255.0
      service-policy input POL-LB
      nat-pool 1 10.1.246.32 10.1.246.32 netmask 255.255.255.255
      mac-sticky enable
      no icmp-guard
      no shut
    interface vlan 2506
      ip address 10.1.104.2 255.255.255.0
      service-policy input POL-LB
      mac-sticky enable
      no icmp-guard
      no shut

    I see that in the CSS they are able to NAT the source IP address with the VIP with port mapping disabled. How do I implement portmap disable in the ACE 4710?
    Disabling Port Mapping
    By default, the CSS NATs source IP addresses and PATs source ports for a configured source group. If you configure the portmap disable command in a source group, the CSS performs NAT on the source IP addresses but does not perform PAT on the source ports of UDP traffic that matches on that source group.
    For UDP applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups instead of using the portmap disable command. Destination services cause the CSS to NAT the client source ports, but not the destination ports. For information about configuring destination services,

  • ACE 4710 responds very slow to CLI commands

    I am experiencing delayed responses to my CLI commands on the ACE 4710. The delays occur sporadically. I have checked the CPU and memory and neither one appeared to show any abnormal behaviour. Has anybody else experienced unusual delays with CLI commands? If so, were you able to isolate and correct the problem? If not, any suggestions on where and how to look for the problem?

    I am experiencing the exact same problem. CLI commands are very slow. Although I don't get any performance issues for my application, when I issue the "show run" or "wr mem" commands at the CLI I wait for over 1 minute to receive any output. Commands like "show serverfarm", "show rserver" and "show stats" are working fine. My resource usage is OK and the CPU has no problems. The problem exists in all contexts of the specific ACE. I did a test by forcing the standby ACE to become active: while the standby ACE had no problem executing the command, when it becomes the active one the problem shows up. Is there a way to troubleshoot this?
    Thank you in advance

  • ACE 4710 Can not confirm http cookie sticky connections

    We are using an ACE 4710 with the A3(2.6) software release.
    I had to change our sticky load balancing method for HTTPS to cookie based.
    However, while connections appear to work, if I look at the sho sticky database table I cannot see or confirm sticky entries for the cookie-based connections.
    Here are config snippets to show the config:
    sticky http-cookie ghh-www scook-ghh
      cookie insert browser-expire
      serverfarm ghh-www-443
    class-map match-all ghh-www-443_CLASS
      2 match virtual-address 172.16.1.21 tcp eq https
    class-map type http loadbalance match-any ghh-www-443_CLASSURL
      2 match http url [.]*
    policy-map type loadbalance first-match ghh-sticky-443_POLICY
      class class-default
        sticky-serverfarm scook-ghh
    policy-map multi-match POLICY
      class ghh-www-443_CLASS
        loadbalance vip inservice
        loadbalance policy ghh-sticky-443_POLICY
        loadbalance vip icmp-reply active
        appl-parameter http advanced-options CASE_PARAM

    Another point: please check whether your servers are listening only for HTTPS traffic or also for HTTP traffic:
    In the first case the ACE will have to decrypt the traffic from the client, inspect the HTTP header to take the load-balancing decision, and then re-encrypt it and send it to the server.
    In the second case the ACE would have to decrypt the traffic from the client, inspect the HTTP header to take the load-balancing decision, and send it out as it is, unencrypted, to the server.
    The second solution would have the benefit of being easier to configure and of requiring fewer resources both on the ACE (only decryption to be performed) and on the servers (no need for SSL operations at all there), but it might be that your company or business sector has requirements under which this traffic should never flow unencrypted, in which case you would have to go for the first solution.
    Here you have a config example for the first solution:
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
    I would not expect you to have to pay extra for importing the cert and keypair into the ACE; it would be just a copy. However, as Alex said, that may still depend on the license agreement with the CA.
    Cheers,
    Francesco

  • Need help to Configure Cisco ACE 4710 Cluster Deployment

    Dear Experts,
    I'm a newbie with the Cisco ACE 4710, and I'm still in the learning stage. Meanwhile I got the chance at my workplace to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two application servers based on HTTP and HTTPS traffic. So I was looking for a good deployment guide in the Cisco SBA knowledge base and finally found this guide.
    http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
    This guide fits my required deployment model. I have the same deployment environment as this guide describes, with an ACE cluster that connects to two Cisco 3750X (stack) switches. But some places in this guide confuse me.
    This guide follows "one-armed mode" as the deployment method. But when I went through it further I noticed that they have configured the server VLAN as 10.4.49.0/24 (all servers reside in it), and the client-side VIP is also in the same VLAN, at 10.4.49.100/24 (even the NAT pool also).
    My confusion is that, as I have learned about the Cisco ACE 4710 one-armed mode deployment method, it should have two VLAN segments: one for the client side, where client requests come in and hit the VIP, and a second one for the server side, which means basically two VLANs. So please be kind enough to go through the above document and tell me what is wrong and what I should do for the best. Please, this is urgent, so I need your help quickly.
    Thanks....!
    -Amal-

    Dear Kanwal,
    I need quick help from you. Following are the application LB requirements which I received from my client side.
    Following details are required for configuring the Oracle EBS Apps tier on HA:
    LBR IP and name required to configure the EBS APPS tier (i.e., ap1ebs & ap2ebs nodes)
    Suggested IP and name for LBR:
    IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
    ebiz.xxxx.lk [on port 80 for http protocol accessibility]
    This LBR IP & name must resolve and respond on the DNS network
    Server farm details for LBR setup
    Following details will be used for configuring the LBR:
    LBR IP and name:
    IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
    ebiz.xxxx.lk [on port 80 for http protocol accessibility]
    This LBR IP & name must resolve and respond on the DNS network
    Server farm details for LBR setup:
    Server 1 (EBS App1 Node, ap1ebs):
    IP : 172.25.45.19
    Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be used]
    Protocol: http
    Port: 8000
    Server 2 (EBS App2 Node, ap2ebs):
    IP : 172.25.45.20
    Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be used]
    Protocol: http
    Port: 8000
    Since my client needs to access the URL ebiz.xxxx.lk, which should be resolved to IP 172.25.45.21 (virtual IP) via http (80), before they deployed the app on the two servers I just ran a web service on both servers (Linux) and tried to access http://172.25.45.21; it was working fine and gave me the index.html page. Now that my client has deployed the application, when he tries to access the page http://172.25.45.21 he cannot see his main login page. My testing web servers are still there on both servers, and when I type http://172.25.45.21 it gets the index.html page, but not my client's web login page. What can I do about this?
    Following are my latest config :
    probe http Get-Method
      description Check to url access /OA_HTML/OAInfo.jsp
      interval 10
      faildetect 2
      passdetect interval 30
      request method get url /OA_HTML/OAInfo.jsp
      expect status 200 200
    probe udp http-8000-iRDMI
      description IRDMI (HTTP - 8000)
      port 8000
    probe http http-probe
      description HTTP Probes
      interval 10
      faildetect 2
      passdetect interval 30
      passdetect count 2
      request method get url /index.html
      expect status 200 200
    probe https https-probe
      description HTTPS traffic
      interval 10
      faildetect 2
      passdetect interval 30
      passdetect count 2
      ssl version all
      request method get url /index.html
    probe icmp icmp-probe
      description ICMP PROBE FOR TO CHECK ICMP SERVICE
    rserver host ebsapp1
      description ebsapp1.xxxx.lk
      ip address 172.25.45.19
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      probe http-probe
      inservice
    rserver host ebsapp2
      description ebsapp2.xxxx.lk
      ip address 172.25.45.20
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      probe http-probe
      inservice
    serverfarm host ebsppsvrfarm
      description ebsapp server farm
      failaction purge
      predictor response app-req-to-resp samples 4
      probe http-probe
      probe icmp-probe
      inband-health check log 5 reset 500
      retcode 404 404 check log 1 reset 3
      rserver ebsapp1 80
        conn-limit max 4000000 min 4000000
        probe icmp-probe
        inservice
      rserver ebsapp2 80
        conn-limit max 4000000 min 4000000
        probe icmp-probe
        inservice
    sticky http-cookie jsessionid HTTP-COOKIE
      cookie insert browser-expire
      replicate sticky
      serverfarm ebsppsvrfarm
    class-map type http loadbalance match-any default-compression-exclusion-mime-type
      description DM generated classmap for default LB compression exclusion mime types.
      2 match http url .*gif
      3 match http url .*css
      4 match http url .*js
      5 match http url .*class
      6 match http url .*jar
      7 match http url .*cab
      8 match http url .*txt
      9 match http url .*ps
      10 match http url .*vbs
      11 match http url .*xsl
      12 match http url .*xml
      13 match http url .*pdf
      14 match http url .*swf
      15 match http url .*jpg
      16 match http url .*jpeg
      17 match http url .*jpe
      18 match http url .*png
    class-map match-all ebsapp-vip
      2 match virtual-address 172.25.45.21 tcp eq www
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    policy-map type loadbalance first-match ebsapp-vip-l7slb
      class default-compression-exclusion-mime-type
        serverfarm ebsppsvrfarm
      class class-default
        compress default-method deflate
        sticky-serverfarm HTTP-COOKIE
    policy-map multi-match int455
      class ebsapp-vip
        loadbalance vip inservice
        loadbalance policy ebsapp-vip-l7slb
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 455
    interface vlan 455
      ip address 172.25.45.36 255.255.255.0
      peer ip address 172.25.45.35 255.255.255.0
      access-group input ALL
      nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
      service-policy input remote_mgmt_allow_policy
      service-policy input int455
      no shutdown
    ft interface vlan 999
      ip address 10.1.1.1 255.255.255.0
      peer ip address 10.1.1.2 255.255.255.0
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 999
    ft group 1
      peer 1
      no preempt
      priority 110
      associate-context Admin
      inservice
    ip route 0.0.0.0 0.0.0.0 172.25.45.1
    Hope you will reply to me soon
    Thanks....!
    -Amal-

  • ACE 4710 - show stats connection questions

    Hi,
    I have three questions regarding the "show stats connection" command in the ACE 4710:
    1. What is the criteria for a connection to be added to the "Total Connections Failed" counter?
    2. What is the criteria for a connection to be added to the "Total Connections Timed-out" counter?
    3. Is there a command to get more information why the connection was failed or timed-out (e.g. to/from which IP, url accessed etc.)?
    Thanks in advance for your help!
    Best regards,
    Harry

    Harry,
    A connection failed if the server did not respond or responded with a RST.
    As long as the connection gets established, it is counted as a success.
    The connection timeout counter is incremented when the connection is idle for the configured timeout value or, for L7 connections, if it does not complete the 3-way handshake within the embryonic timeout interval.
    Since it is clear why those counters are incrementing, the only way to get more information is to capture a sniffer trace to verify if the conditions above are met.
    Gilles.

  • ACE VIPs not advertising or visible

    Hi,
    The VIPs on my ACE configuration are not advertising themselves. They don't show up in the ARP table in the upstream router/firewall.
    The VIPs are configured to be "Inservice". I have probes that are successful. I can access the real servers behind the ACE successfully via pings, ssh, http, etc.
    Here's part of my config:
    policy-map multi-match int204-n2
      class SMTP_Inbound_LB
        loadbalance vip inservice
        loadbalance policy SMTP_Inbound_LB-l7slb
        loadbalance vip icmp-reply active
    Is there anything else I need to add? The VIPs aren't responding to pings. The VIPs aren't showing up in the arp table of the upstream router/firewall.
    I know there used to be a "loadbalance vip advertise" command, but that command is no longer valid or available.
    I am running code version A1.8(0) on the ACE 4710 appliance.
    I have this ACE also configured as a bridge. Is there something special I need to add to make the VIPs advertise themselves, respond to pings, etc.?
    Any help would be appreciated.
    Thank you.

    Hi Gilles,
    Yes, the policy is assigned to both VLAN interfaces of the bridge-group.
    Yes, all VIPs show INSERVICE when I run the command "show service-policy int204-n2"
    None of the VIPs are responding to pings or showing up in arp table of the upstream router/firewall.
    The VIPs are part of the local subnet. I can't ping the local interface (BVI interface) of the bridge-group from the upstream firewall/router.
    Yes, the ACE has an arp entry for the upstream router/firewall. The upstream firewall is also the ACE's default-gateway for this context.
    Thanks,
    Herman

  • Cannot Telnet to ACE 4710 after upgrade to A4(2.3)

    I have a pair of ACE 4710s with 12 contexts sharing the load, running A4(2.1). Yesterday I upgraded one of them to A4(2.3). Now I cannot telnet to the Admin context. Pings are OK. I can telnet to other contexts on the box and everything seems to be working OK.
    When I do a "sh telnet" it comes back with:
    No Session Information is available
    sh telnet maxsessions
    telnet maxsessions 16
    Can anybody help?

    Further to this post, it was not a resource problem, as I had allocated 5% for the Admin context.
    I upgraded IOS Saturday evening and could not telnet in; I tried again on Sunday with the same result, though this morning (Monday) I can now telnet in OK. Very strange.
    I was connecting via the AUX line of a 2851 router to the console port.
    When I disconnected this morning I saw the following message:
    INIT: id "T0" respawning too fast : disabled for  5 minutes
    I am not sure if this is a 2851 message or an ACE message, but after getting that message is when I was able to telnet in.
    Was it a coincidence?
    Does anybody have any ideas?

  • ACE 4710: Possible to allow a user to clear counters but nothing else?

    Hello all,
    Using an ACE 4710 we have a user setup with the Network-Monitor role which allows the user to view config, interface status, etc.  We would also like to allow this user to clear the interface error counters as well, but nothing else.  Is this possible?
    Thanks!

    Hello Brandon-
    Network-Monitor only lets you browse outputs; it is not a role that allows a user to make any changes, including clearing stats. You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.
    i.e.
    ACE# config t
    ACE(config)# role MyRole
    ACE(config-role)# rule 1 permit modify feature ?
      AAA             AAA related commands
      access-list     ACL related commands
      connection      TCP/UDP related commands
      fault-tolerant  Fault tolerance related commands
      inspect         Appln inspection related commands
      interface       Interface related commands
      loadbalance     Loadbalancing policy and class commands
      pki             PKI related commands
      probe           Health probe related commands
      rserver         Real server related commands
      serverfarm      Serverfarm related commands
      ssl             SSL related commands
      sticky          Sticky related commands
      vip             Virtual server related commands
    You can create a permit or deny rule and, within that, create/debug/modify/monitor each feature separately.
    Domains allow you to create containers for objects.  You can place specific rservers, serverfarms, etc. into it - then apply it to a role so that the user assigned to it can only touch those objects.
    Regards,
    Chris Higgins
