ACE 4710 not responding
Hi,
We have to ACE 4710 device in our network and we have facing device hung issue in our Primary ACE. We are not able to get management access or direct console access to the device when the issue is happened and also we are not able to reach the vlan interface IP or/VIP. Please find the below output we got through monitor that we are connected to the ACE.
Booting localboot(c4710ace-t1k9-mz.A5_1_2.bin)
kernel=(hd0,1)/c4710ace-t1k9-mz.A5_1_2.bin ro root=LABEL=/ auto console=ttyS0,9
600n8 quiet bigphysarea=32768
[Linux-bzImage,setup=0x1400,size=0xe75a16c]
Uncompressing linux Ok, booting the kernal.
Issue is resolved after we manually rebooted the ACE. We have collected the sh tech after the reboot.
Software version : A5 1.2
Kindly suggest what may cause this issue.
Thanks in Adavance.
Regards,
Ranjith
Hi,
We have collected the console logs while we done the reboot. Please find the below output.
------------------------------------------------ Boot log -----------------------------------------------------------------------------
ÐS ÀS AMIBIOS(C)2005 American Megatrends, Inc. BIOS Date: 08/25/09 09:37:25 Ver: 08.00.11 CPU : Intel(R) Pentium(R) 4 CPU 3.40GHz Speed : 3.40 GHz Broadcom NetXtreme Ethernet Boot Agent v8.1.53 Copyright (C) 2000-2005 Broadcom Corporation All rights reserved. Press Ctrl-S to Enter Configuration Menu ... Broadcom NetXtreme Ethernet Boot Agent v8.1.53 AMIBIOS(C)2005 American Megatrends, Inc. BIOS Date: 08/25/09 09:37:25 Ver: 08.00.11 CPU : Intel(R) Pentium(R) 4 CPU 3.40GHz Speed : 3.40 GHz Press F2 to run Setup Press F12 for BBS POPUP DDR2 Frequency:667 MHz, ECC Support in Dual-Channel Interleaved Mode Initializing USB Controllers .. Done. 6144MB OK USB Device(s): 1 Keyboard Auto-Detecting Pri Slave...IDE Hard Disk Pri Slave : 1GB CompactFlash Card CF B612J GRUB Loading stage2........ GNU GRUB version 0.95.1 (639K lower / 3144640K upper memory) *************************************************************************** * localboot(ACE_APPLIANCE_RECOVERY_IMAGE.bin) * * localboot(c4710ace-t1k9-mz.A5_1_2.bin) * * localboot(c4710ace-t1k9-mz.A4_2_0.bin) * * * * * * * * * * * * * * * * * * * *************************************************************************** Use the * and * keys to select which entry is highlighted. Press enter to boot the selected OS, 'e' to edit the commands before booting, or 'c' for a command-line. The highlighted entry will be booted automatically in 1 seconds. kernel=(hd0,1)/c4710ace-t1k9-mz.A5_1_2.bin ro root=LABEL=/ auto console=ttyS0,9 600n8 quiet bigphysarea=32768 [Linux-bzImage, setup=0x1400, size=0xe75a16c] INIT: version 2.85 booting
b4 lspci
1 Cavium device(s) found.
Bringing up NP 0
Downloading U-Boot to NP card 0
Downloading DP image to NP card 0
Starting DP image on NP card on all cores
DP image started on NP card
Setting up dynamic memory size
Initializing Shared Memory
INIT: Entering runlevel: 3
Testing PCI path for Octeon(0)....
This may take some time, Please wait ....
PCI test loop , count 0
PCI path is ready
Starting services...
Waiting for 3 seconds to enter setup mode...
Certificate & key are up to date
Installing MySQL
groupadd: group nobody exists
useradd: user nobody exists
MySQL Installed
Installing JRE
JRE Installed
Starting sysmgr processes.. Please wait...Done!!!
IDC4-INTR-ACE-01 login: admin
Password:
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2012 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
We have not found any error related to flash while booting ACE.
Regards,
Ranjith
Similar Messages
-
SSL Termination in ACE 4710 not working
Hi,
I have configured a new ACE 4710 with only a sinlge context to redirect https traffic to http real servers using SSL Termination. When I do a telnet on port 443 or 80 to the VIP it works fine but when I try to open the URL it prompts me for accepting the certificate then it tries to find and establish connection to the URL but eventually dies out giving a "Page cannot be displayed error". I have done some troubleshooting and found that the connection to the VIP on 443 port is Established but the out connection from the real server to the client remains in the INIT state. I am attaching the configs and all the troubleshooting data I have collected. Pls someone help.Yes the "server pkt count" for the "class: VIP_HTTPD_Redirect" is not incrementing and yes the servers do not have the default gateway towards the ACE.So as suggested I have configured default route in the servers towards the ACE interface vlan ip address. Still the server packet count is not incrementing. I am posting the updated configuration of the ACE as an attachment. Pls help.
-
ACE VIP not Responding to Ping and cant Connect
Hello All,
I recently deployed an ACE 4710 Appliance. Configs seems right but clients cant Ping the VIP and acnt also connect to the VIP. Also VIP Dosent show in 'sh arp'.
Pls HELP!!!
See the configs!!
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.10.11 10:48:14 =~=~=~=~=~=~=~=~=~=~=~=
sh runGenerating configuration....
boot system image:c4710ace-mz.A4_2_0.bin
hostname STERLING-ACE
interface gigabitEthernet 1/1
channel-group 1
no shutdown
interface gigabitEthernet 1/2
channel-group 1
no shutdown
interface gigabitEthernet 1/3
channel-group 1
no shutdown
interface gigabitEthernet 1/4
channel-group 1
no shutdown
interface port-channel 1
switchport trunk allowed vlan 10,200,205,210,215
no shutdown
--More--
access-list INBOUND line 10 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
access-list INBOUND line 24 extended permit icmp any any echo
probe http BANK-APP
interval 2
faildetect 2
passdetect interval 2
expect status 200 200
open 1
probe icmp PING
description ***simple ping monitor***
interval 10
passdetect interval 60
passdetect count 2
receive 1
probe tcp TCP80
interval 10
passdetect interval 10
passdetect count 2
--More--
receive 1
open 5
rserver host BANK-APP-SERVER1
description ***GUI SERVER 1***
ip address 172.20.1.50
probe PING
inservice
rserver host BANK-APP-SERVER2
description ***GUI SERVER 2***
ip address 172.20.1.51
probe PING
inservice
rserver host BANK-APP-SERVER3
description ***GUI SERVER 3***
ip address 172.20.1.52
probe PING
inservice
rserver host BANK-APP-SERVER4
description ***GUI SERVER 4***
ip address 172.20.1.53
probe PING
--More--
inservice
rserver host THIN-CLIENT1
description ***CLI SERVER 1***
ip address 172.20.1.34
probe PING
inservice
rserver host THIN-CLIENT2
description ***CLI SERVER 2***
ip address 172.20.1.35
probe PING
inservice
rserver host THIN-CLIENT3
description ***CLI SERVER 3***
ip address 172.20.1.36
probe PING
inservice
rserver host THIN-CLIENT4
description ***CLI SERVER 4***
ip address 172.20.1.37
probe PING
inservice
--More--
serverfarm host CLI-GROUP
predictor leastconns
probe TCP80
rserver THIN-CLIENT1
inservice
rserver THIN-CLIENT2
inservice
rserver THIN-CLIENT3
inservice
rserver THIN-CLIENT4
inservice
serverfarm host GUI-GROUP
predictor leastconns
probe TCP80
rserver BANK-APP-SERVER1
inservice
rserver BANK-APP-SERVER2
inservice
rserver BANK-APP-SERVER3
inservice
rserver BANK-APP-SERVER4
inservice
--More--
parameter-map type connection TCP-PARAM-MAP
set timeout inactivity 360000
class-map type management match-any REMOTEACCESS
description remote access traffic match
2 match protocol ssh any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol xml-https any
6 match protocol http any
7 match protocol https any
class-map match-all TCP-CLASS
description TCP CONNECTION TIMER
2 match any
class-map match-all VS_WEB1
2 match virtual-address 10.0.0.115 any
class-map match-all VS_WEB2
2 match virtual-address 10.0.0.113 any
policy-map type management first-match REMOTEPOLICY
--More--
class REMOTEACCESS
permit
policy-map type loadbalance first-match HTTP_LB1
class class-default
serverfarm CLI-GROUP
policy-map type loadbalance first-match HTTP_LB2
class class-default
serverfarm GUI-GROUP
policy-map multi-match HTTP_MULTI_MATCH1
class VS_WEB1
loadbalance vip inservice
loadbalance policy HTTP_LB1
loadbalance vip icmp-reply
policy-map multi-match HTTP_MULTI_MATCH2
class VS_WEB2
loadbalance vip inservice
loadbalance policy HTTP_LB2
loadbalance vip icmp-reply
policy-map multi-match TCPIP-POLICY
class TCP-CLASS
connection advanced-options TCP-PARAM-MAP
service-policy input REMOTEPOLICY
service-policy input TCPIP-POLICY
interface vlan 10
description ***LAN LEG***
ip address 10.0.0.66 255.255.255.0
no icmp-guard
access-group input INBOUND
no shutdown
interface vlan 200
description ***THIN CLIENT VLAN****
ip address 172.20.1.33 255.255.255.240
no icmp-guard
access-group input INBOUND
service-policy input HTTP_MULTI_MATCH1
no shutdown
interface vlan 210
description ***BANK APP SERVER VLAN****
ip address 172.20.1.49 255.255.255.240
no icmp-guard
--More--
access-group input INBOUND
service-policy input HTTP_MULTI_MATCH2
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.0.200
username admin password 5 $1$ouG5.Okh$jwBoWkMiWstoTPwb9K9ku1 role Admin domain
default-domain
username www password 5 $1$M31zwdiF$iY8Y5e9nV2sMM2HxwrQI7/ role Admin domain de
fault-domain
STERLING-ACE/Admin#
Thanks!!Hi Joshua,
class-map match-all VS_WEB1
2 match virtual-address 10.0.0.115 any
class-map match-all VS_WEB2
2 match virtual-address 10.0.0.113 any
You have applied
"service-policy input HTTP_MULTI_MATCH1" in VLAN 200 and 210 but as per the config I believe it should be applied to VLAN10.
interface vlan 10
description ***LAN LEG***
ip address 10.0.0.66 255.255.255.0
no icmp-guard
access-group input INBOUND
no shutdown
Can you apply the service policy in VLAN 10 and let me know the result. -
Cisco ACE VIP not responding to Pings
I've searched..... I cannot figure out why my VIPs do not ping. I have two vlans that both replay to a ping on the interface IPs. And I'm new at this, thanks in advace.
GKEL2-ACE1/35568059-Axia# show run
Generating configuration....
no ft auto-sync startup-config
logging enable
logging timestamp
logging trap 5
logging host 10.85.242.100 udp/514
login timeout 60
crypto chaingroup walnut-wcrt100
cert .dom.cer
cert wcrt100.pem
crypto chaingroup .dom-wcrt100
cert .dom.cer
cert wcrt100.pem
crypto csr-params .dom
country CA
state AB
organization-unit IT
common-name .dom
serial-number 1000
email support
crypto csr-params .dom
country CA
state AB
organization-unit IT
common-name .dom
serial-number 1001
email support
access-list ANYONE line 10 extended permit ip any any
access-list ANYONE line 20 extended permit icmp any any
access-list All line 1 extended permit ip any any
probe http HTTP1025
port 1025
interval 2
faildetect 2
passdetect interval 2
request method get url /Login.css
open 1
probe icmp PING
interval 2
faildetect 2
passdetect interval 60
probe tcp PROBE-TCP
interval 2
faildetect 2
passdetect interval 10
passdetect count 2
open 1
rserver redirect REDIRECT-HTTPS
webhost-redirection https://%h%p 302
inservice
rserver host WL1
ip address 10.205.70.100
inservice
rserver host WL2
ip address 10.205.70.101
inservice
rserver host WLDev1
ip address 10.205.71.202
inservice
rserver host WLDev2
ip address 10.205.71.203
inservice
rserver host WLTest1
ip address 10.205.71.150
inservice
rserver host WLTest2
ip address 10.205.71.151
inservice
serverfarm redirect REDIRECT-SERVERFARM
rserver REDIRECT-HTTPS
inservice
serverfarm host WEBLOGIC-7433
predictor leastconns
probe PING
rserver WL1 7433
inservice
rserver WL2 7433
inservice
serverfarm host WEBLOGIC-PROD
predictor leastconns
probe PING
rserver WL1 1025
inservice
rserver WL2 1026
inservice
serverfarm host WEBLOGIC-TEST-SSH
predictor leastconns
rserver WLTest1 22
inservice
rserver WLTest2 22
inservice
sticky http-cookie acecookie STICKY-INSERT-COOKIE
cookie insert
serverfarm WEBLOGIC-PROD
action-list type modify http REWRITE
header insert response Via header-value "1.1 web:%ps (ace10-8/a2)value"
header insert request Via header-value "1.1 web:%ps (ace10-8/a2)value"
header insert request X-Forwarded-Proto header-value "%pd"
ssl url rewrite location "*.*"
ssl header-insert session Id
ssl-proxy service ssl-client
ssl-proxy service ssl-proxy
key netcracker.cal.dom.key
cert netcracker.cal.dom.cer
chaingroup netcracker.cal.dom-wcrt100
class-map match-any L4VIPCLASS
2 match virtual-address 10.205.70.80 any
class-map type http loadbalance match-any L7-URL
2 match http url /*.*
class-map type http loadbalance match-all L7SLBCLASS
2 match http url /*
class-map type management match-any REMOTE-MANAGEMENT
2 match protocol telnet any
3 match protocol icmp any
4 match protocol ssh any
5 match protocol snmp any
6 match protocol http any
7 match protocol https any
class-map match-any SSH_Test
2 match virtual-address 10.205.71.80 tcp eq 22
class-map match-any weblogic-7433
2 match virtual-address 10.205.70.80 tcp eq 7433
class-map match-any weblogic-http
2 match virtual-address 10.205.70.80 tcp eq www
class-map match-any weblogic-https
2 match virtual-address 10.205.70.80 tcp eq https
policy-map type management first-match REMOTE-MANAGEMENT
class REMOTE-MANAGEMENT
permit
policy-map type loadbalance first-match L7SLBPOLICY
class L7SLBCLASS
ssl-proxy client ssl-client
policy-map type loadbalance first-match SSH_Test_Policy
class class-default
serverfarm WEBLOGIC-TEST-SSH
policy-map type loadbalance first-match weblogic-7433-policy
class class-default
serverfarm WEBLOGIC-7433
ssl-proxy client ssl-client
policy-map type loadbalance first-match weblogic-http-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-https-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE
class class-default
serverfarm WEBLOGIC-PROD
action REWRITE
ssl-proxy client ssl-proxy
policy-map multi-match L4LSBPOLICY
class L4VIPCLASS
loadbalance policy L7SLBPOLICY
policy-map multi-match LB-VIP
class weblogic-http
loadbalance vip inservice
loadbalance policy weblogic-http-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
class weblogic-https
loadbalance vip inservice
loadbalance policy weblogic-https-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
class weblogic-7433
loadbalance vip inservice
loadbalance policy weblogic-7433-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
policy-map multi-match LB-VIP-Test
class SSH_Test
loadbalance vip inservice
loadbalance policy SSH_Test_Policy
loadbalance vip icmp-reply
interface vlan 3440
description Internal Production
ip address 10.205.70.250 255.255.255.0
access-group input All
access-group output All
nat-pool 1 10.205.70.249 10.205.70.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP
service-policy input L4LSBPOLICY
no shutdown
interface vlan 3516
description Internal Test/Dev
ip address 10.205.71.250 255.255.255.0
access-group input All
access-group output All
nat-pool 2 10.205.71.249 10.205.71.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP-Test
no shutdown
interface vlan 3520
description LB
ip address 10.205.72.1 255.255.255.0
access-group input All
access-group output All
no shutdown
ip route 0.0.0.0 0.0.0.0 10.205.70.253
username admin password 5 $1$r2r0NmEH$z8S0RxYdhwOE4RGXQ41 role Admin domain default-domain
username cust_admin password 5 $1$/tOIIfUK$yigE519cqLq1IFgX. role Admin domain default-domainI have removed that service policy completely. It was from some knowledgebase article when I was trying to get http redirection working.
There is no more L4LSBPOLICY nor L4VIPCLASS, Thanks a lot for looking at this...
GKEL2-ACE1/35568059-Axia# show service-policy summary
service-policy: LB-VIP
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
weblogic-http 10.205.70.80 tcp eq 80 1,3440 IN-SRVC 0 50773 53
weblogic-https 10.205.70.80 tcp eq 443 1,3440 IN-SRVC 0 7406 112
weblogic-7433 10.205.70.80 tcp eq 7433 1,3440 IN-SRVC 0 145321 30
service-policy: LB-VIP-Dev
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
weblogic-http-dev 10.205.71.90 tcp eq 80 1,3516 IN-SRVC 0 0 0
weblogic-https-dev 10.205.71.90 tcp eq 443 1,3516 IN-SRVC 0 0 0
weblogic-7433-dev 10.205.71.90 tcp eq 7433 1,3516 IN-SRVC 0 0 0
service-policy: LB-VIP-Test
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
SSH_Test 10.205.71.80 tcp eq 22 1,3516 IN-SRVC 0 29 24
weblogic-http-test 10.205.71.80 tcp eq 80 1,3516 IN-SRVC 0 117 40
weblogic-https-test 10.205.71.80 tcp eq 443 1,3516 IN-SRVC 0 161 61
weblogic-7433-test 10.205.71.80 tcp eq 7433 1,3516 IN-SRVC 0 27 11
class-map type http loadbalance match-any L7-URL
2 match http url /*.*
class-map type http loadbalance match-all L7SLBCLASS
2 match http url /*
class-map type management match-any REMOTE-MANAGEMENT
2 match protocol telnet any
3 match protocol icmp any
4 match protocol ssh any
5 match protocol snmp any
6 match protocol http any
7 match protocol https any
class-map match-any SSH_Test
2 match virtual-address 10.205.71.80 tcp eq 22
class-map match-any weblogic-7433
2 match virtual-address 10.205.70.80 tcp eq 7433
class-map match-any weblogic-7433-dev
2 match virtual-address 10.205.71.90 tcp eq 7433
class-map match-any weblogic-7433-test
2 match virtual-address 10.205.71.80 tcp eq 7433
class-map match-any weblogic-http
2 match virtual-address 10.205.70.80 tcp eq www
class-map match-any weblogic-http-dev
2 match virtual-address 10.205.71.90 tcp eq www
class-map match-any weblogic-http-test
2 match virtual-address 10.205.71.80 tcp eq www
class-map match-any weblogic-https
2 match virtual-address 10.205.70.80 tcp eq https
class-map match-any weblogic-https-dev
2 match virtual-address 10.205.71.90 tcp eq https
class-map match-any weblogic-https-test
2 match virtual-address 10.205.71.80 tcp eq https
policy-map type management first-match REMOTE-MANAGEMENT
class REMOTE-MANAGEMENT
permit
policy-map type loadbalance first-match L7SLBPOLICY
class L7SLBCLASS
ssl-proxy client ssl-client
policy-map type loadbalance first-match SSH_Test_Policy
class class-default
serverfarm WEBLOGIC-TEST-SSH
policy-map type loadbalance first-match weblogic-7433-dev-policy
class class-default
serverfarm WEBLOGIC-7433-Dev
policy-map type loadbalance first-match weblogic-7433-policy
class class-default
serverfarm WEBLOGIC-7433
ssl-proxy client ssl-client
policy-map type loadbalance first-match weblogic-7433-test-policy
class class-default
serverfarm WEBLOGIC-7433-Test
ssl-proxy client ssl-client
policy-map type loadbalance first-match weblogic-http-dev-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-http-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-http-test-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-https-dev-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE-DEV
class class-default
serverfarm WEBLOGIC-DEV
action REWRITE
policy-map type loadbalance first-match weblogic-https-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE
class class-default
serverfarm WEBLOGIC-PROD
action REWRITE
ssl-proxy client ssl-proxy
policy-map type loadbalance first-match weblogic-https-test-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE-TEST
class class-default
serverfarm WEBLOGIC-TEST
action REWRITE
ssl-proxy client ssl-proxy-nctest
policy-map multi-match LB-VIP
class weblogic-http
loadbalance vip inservice
loadbalance policy weblogic-http-policy
loadbalance vip icmp-reply active
nat dynamic 1 vlan 3440
class weblogic-https
loadbalance vip inservice
loadbalance policy weblogic-https-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
class weblogic-7433
loadbalance vip inservice
loadbalance policy weblogic-7433-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
policy-map multi-match LB-VIP-Dev
class weblogic-http-dev
loadbalance vip inservice
loadbalance policy weblogic-http-dev-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-https-dev
loadbalance vip inservice
loadbalance policy weblogic-https-dev-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-7433-dev
loadbalance vip inservice
loadbalance policy weblogic-7433-dev-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
policy-map multi-match LB-VIP-Test
class SSH_Test
loadbalance vip inservice
loadbalance policy SSH_Test_Policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-http-test
loadbalance vip inservice
loadbalance policy weblogic-http-test-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-https-test
loadbalance vip inservice
loadbalance policy weblogic-https-test-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
ssl-proxy server ssl-proxy-nctest
class weblogic-7433-test
loadbalance vip inservice
loadbalance policy weblogic-7433-test-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
ssl-proxy server ssl-proxy-nctest
interface vlan 3440
description Internal Production
ip address 10.205.70.250 255.255.255.0
mac-sticky enable
access-group input All
access-group output All
nat-pool 1 10.205.70.249 10.205.70.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP
no shutdown
interface vlan 3516
description Internal Test/Dev
ip address 10.205.71.250 255.255.255.0
mac-sticky enable
access-group input All
access-group output All
nat-pool 1 10.205.71.240 10.205.71.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP-Test
service-policy input LB-VIP-Dev
no shutdown
interface vlan 3520
description LB
ip address 10.205.72.1 255.255.255.0
access-group input All
access-group output All
no shutdown
ip route 0.0.0.0 0.0.0.0 10.205.70.253 -
ACE 4710 in bridge mode not working
I am trying to configure ACE 4710 bridge mode and I am stuck up in physical interface configuration. I have configured gig1/2 of ACE as trunk port and on layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried trunk port also but it got disabled due to BPDU error.
I am not able to ping servers as well as gateway. Below are the topology and context configuration:
Router (vlan 13: IP 172.16.11.254)
|
ACE (int gig1/2)
|
L2 Switch
|
Servers (vlan 11: IP 172.16.11.1 and 11.2)
Admin Context
===========
resource-class rc1
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 0.20 maximum unlimited
boot system image:c4710ace-mz.A3_2_4.bin
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
switchport trunk allowed vlan 11,13
no shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
shutdown
access-list ALL line 8 extended permit ip any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 1000
ip address 172.16.16.16 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.16.254
context test
allocate-interface vlan 11
allocate-interface vlan 13
member rc1
test Context
=========
access-list bpdu-fixup ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
rserver host srv1
ip address 172.16.11.1
inservice
rserver host srv2
ip address 172.16.11.2
inservice
serverfarm host srv
rserver srv1
inservice
rserver srv2
inservice
sticky ip-netmask 255.255.255.255 address both SG1
timeout 120
serverfarm srv
class-map type management match-any remote-mgmt
201 match protocol snmp any
202 match protocol ssh any
203 match protocol icmp any
204 match protocol http any
205 match protocol https any
206 match protocol xml-https any
class-map match-all slb-vip
2 match virtual-address 172.16.11.10 any
policy-map type management first-match remote-mgmt
class remote-mgmt
permit
policy-map type loadbalance first-match slb
class class-default
sticky-serverfarm SG1
policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply
interface vlan 11
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
no shutdown
interface vlan 13
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
service-policy input remote-mgmt
service-policy input client-vips
no shutdown
interface bvi 1
ip address 172.16.11.9 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.11.254
Could you pls. suggest where I am doing wrong?
Thanks,
Pawan" I tried trunk port also but it got disabled" <----- if your L2 config is not correct, nothing will work.
What is the setup on the switch ? Trunk or access vlan ?
What is the status of the interface ? up ? down ?
Do you see something in your arp table ?
Gilles. -
Hi All,
I am not able to connect to a virtual IP address of ACE 4710 and either i am able to ping it. Kindly let me know if anything wrong here.
Regards,
Neha.Hi Yahb/Neha,
Please try and confirm this:-
1) See if you have permited the traffic:-
access-list ALL line 8 extended permit ip any any
class-map match-all L4_VIP_ADDRESS_CLASS
2 match virtual-address 1.1.1.1 any
class-map type management match-any REMOTE_ACCESS
201 match protocol ssh any
202 match protocol icmp any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
class class-default
serverfarm SFARM1
policy-map multi-match L4_LB_VIP_POLICY
class L4_VIP_ADDRESS_CLASS
loadbalance vip inservice
loadbalance policy L7_VIP_LB_ORDER_POLICY
loadbalance vip icmp-reply
2)
Apply the ACL on to the correct vlan:-
interface vlan 20
description Server-side Interface
ip address 2.2.2.2 255.255.255.0
access-group input ALL --->make sure you have applied the ACL.
service-policy input L4_LB_VIP_POLICY
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
interface vlan 30
description Client side connectivity
ip address 3.3.3.3. 255.255.255.0
access-group input ALL
service-policy input L4_LB_VIP_POLICY
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
ip route 0.0.0.0 0.0.0.0 x.x.x.x
Let us know if you have done this.
Regards
Shariff -
Hi. I'm working on the Cisco ACE 4710 to be able to load balance web Traffic between several web servers. but despite following the steps mentioned on the Cisco configuration guide (specially this link and related docs: http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide,_Release_A3(1.0)_--_Creating_a_Virtual_Context) we did not managed to make it. we tested both the "bridged scenario" and "routed scenario" but none of them is working. specifically "configuring Nat" in the above link is very confusing and is not clear; because it's not the same as Cisco IOS, which we used to implement it that way.
Routed Scenario:
==========================================
probe http Http_Probe
description Server Healty Check
port 80
request method head url /index.htm
probe icmp ICMP_Check
interval 10
passdetect interval 5
rserver host NetCad_Server_1
ip address 172.16.1.100
probe ICMP_Check
inservice
rserver host NetCad_Server_2
ip address 172.16.1.101
probe ICMP_Check
inservice
rserver host NetCad_Server_3
ip address 172.16.1.102
probe ICMP_Check
inservice
serverfarm host NetCad_Servers
probe Http_Probe
rserver NetCad_Server_1 80
inservice
rserver NetCad_Server_2 80
inservice
rserver NetCad_Server_3 80
inservice
sticky http-cookie Cookie1 1
serverfarm NetCad_Servers
class-map match-all VS_NetCad
2 match virtual-address 192.168.13.162 255.255.252.0 tcp any
policy-map type management first-match mgmt-pm
class class-default
permit
policy-map type loadbalance first-match VS_NetCad-l7slb
class class-default
serverfarm NetCad_Servers
policy-map multi-match int40
class VS_NetCad
loadbalance vip inservice
loadbalance policy VS_NetCad-l7slb
loadbalance vip icmp-reply
interface vlan 40
description Client Side
ip address 192.168.13.161 255.255.252.0
ip options allow
no normalization
no icmp-guard
access-group input Permit_ALL
service-policy input mgmt-pm
service-policy input int40
no shutdown
interface vlan 41
description Server Side
ip address 172.16.1.1 255.255.255.0
ip options allow
no normalization
no icmp-guard
access-group input Permit_ALL
nat-pool 1 172.16.1.110 172.16.1.110 netmask 255.255.255.255 pat
service-policy input mgmt-pm
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.12.1
==========================================Hi,
Let me explain you.
Assuming client IP as 1.1.1.1, VIP as 2.2.2.2 and Real Server as 3.3.3.3
Consider the simple situation where client needs to access an application hosted on 3.3.3.3. Client sends a request which comes to VIP.
src 1.1.1.1----->dst------->2.2.2.2. ACE after matching conditions and taking LB decision decides to send it to 3.3.3.3 real server. Performs destination NAT and forwards the client request to 3.3.3.3. So the above packet L3 header will now look like:
src 1.1.1.1 dst 3.3.3.3. When reply comes from server, ACE will change src 3.3.3.3 back to 2.2.2.2 and forwards the request to client 1.1.1.1. SIMPLE LB.
Now comes a situation where let's say you want to hide the client IP from server or let's say server's default GW is not ACE or client and server are in same subnet but need to communicate through VIP on ACE etc.
Src 1.1.1.1 dst 2.2.2.2
After LB ace decides to send it to 3.3.3.3 but also policy multi match has nat rule (nat dynamic 1 vlan x). But packet would be forwarded from server vlan where you have NAT pool defined. So let's say pool IP is 3.3.3.4. So ACE will perform both destination as well as src NAT here before forwarding the packet to server and packet L3 header will look like:
src 3.3.3.4 ----->dst 3.3.3.3
Now when 3.3.3.3 has to send packet back, ACE will answer ARP for 3.3.3.3 and hence packet will come back to ACE which will again change the L3 header IP's and send it out the client VLAN towards client.
So NAT is always applied to server side vlan and that's why pool is chosen from server side subnet.
Let me know if you have any questions.
Regards,
Kanwal -
Rservers initiated traffic not sourcing the traffic as VIP in Ace 4710
One of the feature of our application is that our Application Server initiate text message to our devices sourcing from UDP 1120 and device need to see the message come from a specific pubic IP (2.2.2.2) with UDP port 1120 and reply back with the same Public IP (2.2.2.2) with UDP port 1120.The problem is we can make that happen if we have only one server in our ACE Serverfarm when we do a SNAT the real servers with the VIP address (10.1.246.32) but it does not work when we have more than one server in the Serverfarm. Since we have 2 servers, i cannot nat the real servers with the VIP address, if I do a PAT, obviously it is changing the source port of the request.
Note: This setup is working fine with the Cisco Content Switch module running on chasis 6509. When I sniff the traffic initiated from the server coming the CSM load balancer, it is sourcing the traffic as the VIP and the source port remains the same by default but this is not the case with ACE 4710
Traffic flow as follows
===============
ACE 4710 FWSM (Firewall static NAT) Device ( configured with 2.2.2.2:1120 (udp) to snd/rcv msg)
VIP
Rserver 1 - 10.1.104.80 10.1.246.32 10.1.246.32 < - > 2.2.2.2 1.1.1.1
Rserver 2 - 10.1.104.81c
----------------------------------------------------------> -------------------------------> - traffic flow from server to the device when we send msg
Configs:
======
rserver host server1
ip address 10.1.104.80
inservice
rserver host server2
ip address 10.1.104.81
inservice
serverfarm host SFARM
failaction purge
probe ICMP
rserver server1
inservice
rserver server2
inservice
access-list TEST-1120 line 8 extended permit udp host 10.1.104.80 eq 1120 any
access-list TEST-1120 line 16 extended permit udp host 10.1.104.81 eq 1120 any
parameter-map type connection UDP_TIMEOUT
set timeout inactivity 3600
sticky ip-netmask 255.255.255.255 address source STKY-SFARM
serverfarm SFARM
timeout 180
replicate sticky
class-map match-all CLS-SFARM
2 match virtual-address 10.1.246.32 udp eq 1120
class-map match-all SERVERNAT
2 match access-list TEST-1120
policy-map type loadbalance first-match POL-SFARM
class class-default
sticky-serverfarm STKY-SFARM
policy-map multi-match POL-LB
class CLS-SFARM
loadbalance vip inservice
loadbalance policy POL-SFARM
loadbalance vip icmp-reply active
connection advanced-options UDP_TIMEOUT
class SERVERNAT
nat dynamic 1 vlan 244
int vlan 244
ip address 10.1.246.2 255.255.255.0
service-policy input POL-LB
nat-pool 1 10.1.246.32 10.1.246.32 netmask 255.255.255.255
mac-sticky enable
no icmp-guard
no shut
interface vlan 2506
ip address 10.1.104.2 255.255.255.0
service-policy input POL-LB
mac-sticky enable
no icmp-guard
no shutI see in CSS, they are able to nat the source ip address with VIP and port-mapping diabled. How do I implement
portmap disable in ACE 4710
Disabling Port Mapping
By default, the CSS NATs source IP addresses and PATs source ports for a configured source group. If you configure the portmap disablecommand in a source group, the CSS performs NAT on the source IP addresses but does not perform PAT on the source ports of UDP traffic that matches on that source group.
For UDP applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups instead of using the portmap disable command. Destination services cause the CSS to NAT the client source ports, but not the destination ports. For information about configuring destination services, -
ACE 4710 responds very slow to CLI commands
I am expericing delayed responses to my CLI commands on the ACE 4710. The delays occur sporadically. I have check the cpu and memory and neither one appeared to show any abnormal behaviour. Has anybody else experienced unsual delay with your CLI commands? If so, where you able to isolate and correct the problem? If not, any suggestions on where and how to look for the problem?
I am experiencing the same exact problem. CLI commands are very slow. Although, i dont get any performance issues for my application when i issue the "show run" or "wr mem" commands at CLI i wait for over 1 minute to receive any output, commands like "show serverfarm" ,"show rserver" "show stats" are working fine. my resource usage is ok and cpu has no problems. The problem exists in all contexts of the specific ACE. I did a test by forcing the standby ace to become active and while the standby ACE had no problem in executing the command when it becomes the active one the problem shows up. is there a way to troubleshoot this?
Thank you in advance -
ACE 4710 Can not confirm http cookie sticky connections
We are using a ACE 4710 with A3(2.6) software release.
I had to change our sticky load balancing method for HTTPS to cookie based.
However while connections appear to work if I look at the sho sticky database table I can not see or confirm sticky entries for the cookie based connections.
Here or config snippets to show the config
sticky http-cookie ghh-www scook-ghh
cookie insert browser-expire
serverfarm ghh-www-443
class-map match-all ghh-www-443_CLASS
2 match virtual-address 172.16.1.21 tcp eq https
class-map type http loadbalance match-any ghh-www-443_CLASSURL
2 match http url [.]*
policy-map type loadbalance first-match ghh-sticky-443_POLICY
class class-default
sticky-serverfarm scook-ghh
policy-map multi-match POLICY
class ghh-www-443_CLASS
loadbalance vip inservice
loadbalance policy ghh-sticky-443_POLICY
loadbalance vip icmp-reply active
appl-parameter http advanced-options CASE_PARAMAnother point: please check whether your servers are listening only for HTTPS traffic or also for HTTP traffic:
in the first case the ACE will have to: decrypt the traffic from the client, inspect the http header to take the loadbalance decision and then re-encrypt it and send it to the server
in the second case the ACE would have to: decrypt the traffic from the client, inspect the http header to take the loadbalance decision and send it out as it is unencrypted to the server
the second solution would have the benefit of being easier to configure and to require less resoucerces both on the ACE (only decryption to be performed) and on the servers (no need for SSL operations at all there) but it might be that your company or business sector have requirements for which this traffic should never flow unencrypted, in which case you would have to go for the first solution.
Here you have a config example for the first solution:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
I would not expect you to have to pay extra for importing the cert and kepair into the ace, it would be just a copy, however as Alex said that may still depend on the license agreement with the CA.
Cheers,
Francesco -
Need help to Configure Cisco ACE 4710 Cluster Deployment
Dear Experts,
I'm newbie for Cisco ACE 4710, and still I'm in learning stage. Meanwhile I got chance at my work place to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two Application Servers based on HTTP and HTTPS traffic. So I was looking for good deployment guide in Cisco SBA knowledge base then finall found this guide.
http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
This guide totally fine with my required deployment model. I have same deployment environment as this guide contains with ACE cluster that connects to two Cisco 3750X (Stack) switches. But I have some confusion places in this guide
This guide follow the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured server VLAN as a 10.4.49.0/24 (all servers reside in it) and Client side VIP also in same VLAN which is 10.4.49.100/24 (even NAT pool also).
My confusion is, as I have learned about Cisco ACE 4710 one-armed mode deployment method, it should has two VLAN segments, one for Client side which client request come and hit the VIP and then second one for Server side. which means besically two VLANs. So please be kind enough to go through above document then tell me where is wrong, what shoud I need to do for the best. Please this is an urgent, so need your help quickly.
Thanks....!
-Amal-Dear Kanwal,
I need quick help for you. Following are the Application LB requirements which I received from my clinet side.
Following detail required for configuring Oracle EBS Apps tier on HA:
LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
Suggested IP and Name for LBR:
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm detail for LBR Setup
Following detail will be use for configuring the LBR:
LBR IP and Name :
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm Detail for LBR setup:
Server 1 (EBS App1 Node, ap1ebs):
IP : 172.25.45.19
Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Server 2 (EBS App2 Node, ap2ebs):
IP : 172.25.45.20
Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Since my client needs to access URL ebiz.xxxx.lk which should be resolved by IP 172.25.45.21 (virtual IP) via http (80) before they deploy the app on the two servers I just ran web service on both servers (Linux) and was trying to access http://172.25.45.21 it was working fine and gave me index.html page. Now after my client has deployed the application then when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers when I type http://172.25.45.21 it will get index.html page, but not my client web login page. What can I do for this ?
Following are my latest config :
probe http Get-Method
description Check to url access /OA_HTML/OAInfo.jsp
interval 10
faildetect 2
passdetect interval 30
request method get url /OA_HTML/OAInfo.jsp
expect status 200 200
probe udp http-8000-iRDMI
description IRDMI (HTTP - 8000)
port 8000
probe http http-probe
description HTTP Probes
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
request method get url /index.html
expect status 200 200
probe https https-probe
description HTTPS traffic
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
ssl version all
request method get url /index.html
probe icmp icmp-probe
description ICMP PROBE FOR TO CHECK ICMP SERVICE
rserver host ebsapp1
description ebsapp1.xxxx.lk
ip address 172.25.45.19
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
rserver host ebsapp2
description ebsapp2.xxxx.lk
ip address 172.25.45.20
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
serverfarm host ebsppsvrfarm
description ebsapp server farm
failaction purge
predictor response app-req-to-resp samples 4
probe http-probe
probe icmp-probe
inband-health check log 5 reset 500
retcode 404 404 check log 1 reset 3
rserver ebsapp1 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
rserver ebsapp2 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
sticky http-cookie jsessionid HTTP-COOKIE
cookie insert browser-expire
replicate sticky
serverfarm ebsppsvrfarm
class-map type http loadbalance match-any default-compression-exclusion-mime-type
description DM generated classmap for default LB compression exclusion mime types.
2 match http url .*gif
3 match http url .*css
4 match http url .*js
5 match http url .*class
6 match http url .*jar
7 match http url .*cab
8 match http url .*txt
9 match http url .*ps
10 match http url .*vbs
11 match http url .*xsl
12 match http url .*xml
13 match http url .*pdf
14 match http url .*swf
15 match http url .*jpg
16 match http url .*jpeg
17 match http url .*jpe
18 match http url .*png
class-map match-all ebsapp-vip
2 match virtual-address 172.25.45.21 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match ebsapp-vip-l7slb
class default-compression-exclusion-mime-type
serverfarm ebsppsvrfarm
class class-default
compress default-method deflate
sticky-serverfarm HTTP-COOKIE
policy-map multi-match int455
class ebsapp-vip
loadbalance vip inservice
loadbalance policy ebsapp-vip-l7slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 455
interface vlan 455
ip address 172.25.45.36 255.255.255.0
peer ip address 172.25.45.35 255.255.255.0
access-group input ALL
nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input int455
no shutdown
ft interface vlan 999
ip address 10.1.1.1 255.255.255.0
peer ip address 10.1.1.2 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 999
ft group 1
peer 1
no preempt
priority 110
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 172.25.45.1
Hope you will reply me soon
Thanks....!
-Amal- -
ACE 4710 - show stats connection questions
Hi,
I have three questions regarding the "show stats connection" command in the ACE 4710:
1. What is the criteria for a connection to be added to the "Total Connections Failed" counter?
2. What is the criteria for a connection to be added to the "Total Connections Timed-out" counter?
3. Is there a command to get more information why the connection was failed or timed-out (e.g. to/from which IP, url accessed etc.)?
Thanks in advance for your help!
Best regards,
HarryHarry,
a connection failed if the server did not respond or resonded with a RST.
As long as the connection gets establised, it is counted as a success.
The connection timeout counter is incremented when the connection is idle for the configured timeout value or for L7 connections if it does not complete the 3-way handshale within the embryonic timeout interval.
Since this is clear why those counters are incrementing, the only way to get more information is to capture a sniffer trace to verify if the conditions above are met.
Gilles. -
ACE VIPs not advertising or visible
Hi,
The VIPs on my ACE configuration are not advertising themselves. They don't show up in the ARP table in the upstream router/firewall.
The VIPs are configured to be "Inservice". I have probes that are successful. I can access the real servers behind the ACE successfully via pings, ssh, http, etc.
Here's part of my config:
policy-map multi-match int204-n2
class SMTP_Inbound_LB
loadbalance vip inservice
loadbalance policy SMTP_Inbound_LB-l7slb
loadbalance vip icmp-reply active
Is there anything else I need to add? The VIPs aren't responding to pings. The VIPs aren't showing up in the arp table of the upstream router/firewall.
I know there used to be a "loadbalance vip advertise" command, but that command is no longer valid or available.
I am running code version A1.8(0) on the ACE 4710 appliance.
I have this ACE also configured as a bridge. Is there something special I need to add to make the VIPs advertise themselves, respond to pings, etc.?
Any help would be appreciated.
Thank you.Hi Gilles,
Yes, the policy is assigned to both VLAN interfaces of the bridge-group.
Yes, all VIPs show INSERVICE when I run the command "show service-policy int204-n2"
None of the VIPs are responding to pings or showing up in arp table of the upstream router/firewall.
The VIPs are part of the local subnet. I can't ping the local interface (BVI interface) of the bridge-group from the upstream firewall/router.
Yes, the ACE has an arp entry for the upstream router/firewall. The upstream firewall is also the ACE's default-gateway for this context.
Thanks,
Herman -
Cannot Telnet to ACE 4710 after upgrade to A4(2.3)
I have a pair of ACE 4710s with 12 contexts sharing the load, running A4(2.1). Yesterday I upgraded one of them to A4(2.3)
now I cannot telnet to the Admin context.Pings ok. I can telnet to other contexts on the box and everything seems to be working ok
when i do a " sh telnet"
comes back with
No Session Information is available
sh telnet maxsessions
telnet maxsessions 16
Can anybody help?further this post, it was not a resource problem as had allocated 5% for the Admin context.
I up graded IOS Saturday evening, could not Telnet in, tried again on Sunday same result,
though this morning (Monday) Can now telnet in ok very strange
I was connecting via the AUX line of a 2851 router to the console port.
whe I disconnected this morning I saw the following message
INIT: id "T0" respawning too fast : disabled for 5 minutes
not sure if this is a 2851 message or an ACE message, but after getting that message is when I was able to Telnet in
was it a coincidence
anybody any ideas -
ACE 4710: Possible to allow a user to clear counters but nothing else?
Hello all,
Using an ACE 4710 we have a user setup with the Network-Monitor role which allows the user to view config, interface status, etc. We would also like to allow this user to clear the interface error counters as well, but nothing else. Is this possible?
Thanks!Hello Brandon-
Network-Monitor only lets you browse outputs, it is a not a role that allows a user to make any changes including clearing stats. You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.
i.e.
ACE# conif t
ACE(config)# role MyRole
ACE(config-role)# rule 1 permit modify feature ?
AAA AAA related commands
access-list ACL related commands
connection TCP/UDP related commands
fault-tolerant Fault tolerance related commands
inspect Appln inspection related commands
interface Interface related commands
loadbalance Loadbalancing policy and class commands
pki PKI related commands
probe Health probe related commands
rserver Real server related commands
serverfarm Serverfarm related commands
ssl SSL related commands
sticky Sticky related commands
vip Virtual server related commands
You can create a permit or deny rule, within that, create/debug/modify/monitor each feature seperately.
Domains allow you to create containers for objects. You can place specific rservers, serverfarms, etc. into it - then apply it to a role so that the user assigned to it can only touch those objects.
Regards,
Chris Higgins
Maybe you are looking for
-
How do I use the VIs for the Fluke Hydra Series 2620a multimeter?
This message refers to the VIs found at this link: http://sine.ni.com/apps/we/niid_web_display.download_page?p_id_guid=E3B19B3E9468659CE034080020E74861 How do I use the VIs for the Fluke Hydra Series 2620a multimeter? I am conducting a Senior Design
-
I cant connect to creative cloud and download my apps
Yesterday I bought the teachers edition CC, I logged in and connected to Behance. Then i wanted to download some apps and it let me download CCdesktop first. I run it and logged in and synced to Behance. But when i wanted to click the apps tab for do
-
Indesign crashes exporting to pdf after upgrading to windows 7
I recently upgraded to windows 7. Indesign cs4 worked fine...until i tried to export my 16-page document to a pdf. I got the message: Adobe Indesign CS4 has stopped working. A problem caused the program to stop working correclty. Windows will close t
-
Hi all, please can anyone provide me with actual practical interview questions related to reporting. my email: <removed> thanks, sam
-
Problems with the Contacts app
Hi everyone, I seem to have a problem with my iPhone 4 16 gb, I can't see my contacts anymore! I didn't do anything (I sware xD) one day I just unlocked my phone and all the contacts were gone! I tried updating to iOs 7 but nothing.. I can't even add