ACE 4710 same real servers, different ports.

Hi! I have the following question based on a new site requirement. The following sites use the same back end servers. Names changed to protect the innocent and my finger fumbling with pretty names for my actual config.
I have two real servers being load balanced: 10.0.0.1 and 10.0.0.2
They have:
Site A URL= www.testsite.com:80
Site B URL= www.newstuff.com:81
I want Site B answering on port 81 for anything referencing the URL match for either port :80, and :81, then redirect to :81 anything that is on :80.
I want Site A answering on port 80 for anything not referencing the Site B URL.
How do I split the traffic coming in while also redirecting if only needed for the one site?
Also, one further question, how do I handle monitoring the ports up for each as validation for the VIP? If either port goes down is that going to take both of them offline?

Hi,
Since they are two different URLs, they would be resolving to two different VIPs. You can create two serverfarms with the same servers but listening on ports 81 and 80, and create a class-map for different IPs, or even the same IP, listening on port 81 and 80. Any client coming with port 80 as destination would be load balanced to serverfarm_80 and any client coming on port 81 as destination would be load balanced to serverfarm_81.
class-map match-all Test_80
  2 match virtual-address 10.1.1.1 tcp eq www
class-map match-all Test_81
  3 match virtual-address 10.1.1.2 tcp eq 81
rserver host r1
  ip address 10.0.0.1
  inservice
rserver host r2
  ip address 10.0.0.2
  inservice
serverfarm host serverfarm_80
  rserver r1 80
    inservice
  rserver r2 80
    inservice
serverfarm host serverfarm_81
  rserver r1 81
    inservice
  rserver r2 81
    inservice
policy-map type loadbalance http first-match http
  class class-default
    serverfarm serverfarm_80
policy-map type loadbalance http first-match http_81
  class class-default
    serverfarm serverfarm_81
policy-map multi-match Test
  class Test_80
    loadbalance vip inservice
    loadbalance policy http
    loadbalance vip icmp-reply active
  class Test_81
    loadbalance vip inservice
    loadbalance policy http_81
    loadbalance vip icmp-reply active
Let me know if you have any questions.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
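
The two parts of the question the reply does not cover (sending Site B requests that arrive on port 80 over to port 81, and monitoring each port separately) could be configured as in the following added example, which is not part of the original reply. The probe names, probe timers and redirect object names are assumptions; the serverfarm, rserver and policy names follow the reply. The probes are attached per serverfarm, so a failed port 81 takes real servers out of serverfarm_81 only and leaves serverfarm_80 in service.

```cisco
! Added example, not from the original reply. Lines starting with "!" are
! annotations, not ACE commands. Probe names, timers and the redirect
! object names are assumptions; rserver and farm names follow the reply.

! One TCP probe per listening port, so each farm is judged on its own port.
probe tcp PROBE_TCP_80
  port 80
  interval 10
  passdetect interval 30
probe tcp PROBE_TCP_81
  port 81
  interval 10
  passdetect interval 30

serverfarm host serverfarm_80
  probe PROBE_TCP_80
  rserver r1 80
    inservice
  rserver r2 80
    inservice
serverfarm host serverfarm_81
  probe PROBE_TCP_81
  rserver r1 81
    inservice
  rserver r2 81
    inservice

! Redirect target for Site B requests that arrive on port 80.
! %p is replaced with the path of the original request.
rserver redirect REDIRECT_SITE_B
  webhost-redirection http://www.newstuff.com:81%p 302
  inservice
serverfarm redirect SF_REDIRECT_SITE_B
  rserver REDIRECT_SITE_B
    inservice

! Layer 7 match on the Host header, evaluated inside the port-80 policy.
class-map type http loadbalance match-all SITE_B_HOST
  2 match http header Host header-value "www.newstuff.com"

! Port 80 VIP: Site B host names are redirected, everything else is Site A.
policy-map type loadbalance http first-match http
  class SITE_B_HOST
    serverfarm SF_REDIRECT_SITE_B
  class class-default
    serverfarm serverfarm_80
```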

Similar Messages

  • Multiple servers with same IP but different ports - problem listing in ARD

    Hi - I have no problem connecting to multiple Macs behind a single IP (router) using different ports, port forwarding, dyndns, etc., etc.
    The problem I'm having is that in the list of computers in ARD, it won't let you have more than one with the same IP address. When you create the second with the same IP, it clears the first one, giving it an IP of 0.0.0.0. They are on different ports, but that's not counted as part of the IP, so it still gets cleared. I use different dyndns domain names, but ARD instantly converts them to an IP when creating the entry, so that doesn't help either.
    Are there any workarounds?

    And it's still impossible if they all have the same external IP. The whole story? See http://discussions.apple.com/thread.jspa?threadID=1321008&tstart=0
    One option is to set up a VPN (Virtual Private Network) as described in the thread I mentioned.

  • ARD won't save multiple computers with same IP and different port!

    I'm trying to access multiple computers over the internet behind a firewall with port forwarding.
    I can access each computer, but ARD won't save the IP address and port (in IP Address column of ARD 3.1) of multiple computers with the same IP address. It will only save ONE. I've tried 'add by address', adding a list for each computer or adding a list for all those computers. Nothing has worked. ARD will actually change the first computer's IP address to 0.0.0.0
    Example: Static IP address
    Computer 1 xx.xxx.xxx.xxx:51 (public port 51 is forwarded to port 5900 on computer 1)
    Computer 2 xx.xxx.xxx.xxx:52 (public port 52 is forwarded to port 5900 on computer 2)
    Computer 3 xx.xxx.xxx.xxx:53 (public port 53 is forwarded to port 5900 on computer 3)
    Has Apple really overlooked this or am I missing something? Isn't this how most people would remotely manage multiple Macs offsite?
    Thanks

    ARD cannot do this as you're asking. If your workstations get their addresses from an NAT device rather than being "real", the ports also need to be forwarded in the router to the workstation's internal IP address. ARD uses port 3283 for the reporting and updating function, so if your Macs are getting their IP addresses through NAT, since you can only forward a port to a single workstation, you can only get reports, push package/files to etc. for a single workstation.
    ARD uses the VNC protocol for observation and control, though, and there are a range of IP addresses for that protocol, starting with 5900. ARD uses 5900 by default, so that port would be forwarded to the first workstation. You would, I believe, need to install VNC servers on the systems (since the ARD client cannot listen on any port other than 5900 while VNC servers can be set for other ports such as 5901, 5902, etc.). You would then forward 5901 to the second workstation (and on to 5902, 5903, etc.). You can then use the following information:
    Remote Desktop 2: How to specify a port number for a VNC client to connect.
    The only other options are: 1) to run the ARD administrator on a workstation on the network, and then take control of that system from outside, either via VNC or another copy of ARD, or 2) set up a virtual private network (VPN) so that when you connect from outside, your admin system is officially part of the local network.
    Hope this helps.

    That definitely helps. I have ARD installed on my MBP and on a workstation on the LAN. I have used ARD from the MBP to control ARD on a workstation on the local network, but it can get a little tricky. I already have VNC setup on all the workstations. I used to use COTVNC prior to purchasing ARD 3.1.
    I guess what I'm really asking is...
    How do I add a list of workstations and save the settings (same IP address for each workstation with different ports?) to control/VNC via ARD?
    I simply want a list that shows each workstation, so I can control/VNC them using ARD offsite.
    Name: Computer 1 IP Address: 123.123.123.123:5901
    Name: Computer 2 IP Address: 123.123.123.123:5902
    Name: Computer 3 IP Address: 123.123.123.123:5903
    I don't want to have to manually type in the IP address into ARD every time.
    Will ARD simply not add another computer to the list if it has the same IP address but different port number as a computer already on the list? I haven't been able to find a way to make ARD do this.

  • Real Servers not connected to ACE VLAN and Real Servers are clients accessing the VIP

    Hi,
    I have a very strange setup and need some help to get my config working.
    I have an ASA firewall with three VLANs:
    VLAN 1 = Internet
    VLAN 2 = DMZ
    VLAN 3 = Goes to ACE
    On the ACE I have four VLANs:
    VLAN 3 = Goes to ASA
    VLAN 4 = Web Server Tier
    VLAN 5 = DB Tier
    VLAN 6 = VIPs
    Our Application team have asked us to create a new VIP on the ACE with real servers in the DMZ (Server A and Server B).
    And they have told us that the clients accessing the VIP will be Server A and Server B.
    I have always created VIPs with real servers directly connected to the ACE but not connected elsewhere.
    I believe I have a big challenge of opening ports on the firewall etc. to get this setup working. Also, should I use some sort of NAT / SNAT?
    Could anyone guide me on this setup please?
    Raj

    Hi Raj,
    First of all, it is possible to add servers in ACE which are a hop away from ACE interfaces. Here the servers are a hop away but their VIP is part of the ACE interface subnet. The only requirement is that the servers' return traffic towards the client should pass through ACE (so that ACE can maintain state and change the source IP of the reply packet from the server IP to the VIP on which the client requested the connection).
    When the servers are a hop away and ACE does not come in the path between server and client, then we have to do SNAT for the initial client request. This configuration will force the return traffic from the server to ACE (as the server will see the NAT IP as the client IP).
    In your case the DMZ VIP, which is created for the two real servers A and B, will be accessed by these servers only. So it is a situation of servers accessing their own VIP. For this scenario to work we have to have SNAT (no matter whether the servers are directly connected or a hop away). So the best solution here is the VIP in VLAN 3, the rservers for this VIP in the DMZ, and SNAT of the client request, using a free IP in VLAN 3.
    Also you have to open ports on the firewall for both "real server probes" and the actual application ports, and modify the firewall policies to allow traffic from DMZ to the ACE VIP, DMZ to the NAT IP, and the return traffic the other way.

  • Ace 4710 - same context routed and load-sharing

    Hi All
    Can an ACE 4710 have, in the same context, servers which are
    a. just being routed to
    b. a set of load-shared servers
    I have been told you may not be able to do this on this version
    Does anyone know if this is correct
    Thanks
    Steve

    Hi Boris
    I have been on the ACE course and before we install the 4700 box I have been asked to set up a test setup.
    This would involve having a context which would have one IP address range and a few PCs (pretending to be servers) and one which would be just routed.
    A colleague of mine seemed to think that something had been said on the course to the effect that if the ACE was deployed in line then you couldn't have some of your servers in load-sharing and some just routed on the same subnet and in the same context.
    Steve

  • ACE keep probing real servers using "https get 302"

    Hi all,
    I have a problem with Cisco ACE in my company. Currently, two ACE appliances are working as HA redundancy. Previously I enabled some https and http probing using get 302 for some servers and services. But then I was told to remove all https or http probing, and instead use tcp port 443 and 80. After that, one of the serverfarms (server groups) is receiving https get 302, and I already checked in the monitoring to see whether there's any https probing for the respective real servers, but I could not find any. Even when I disable all probing to that serverfarm, all the server members are still receiving https get 302. Is this behavior a bug?
    The ACE version is A3(2.1). And the HA status is on standby cold. Can standby cold cause this kind of trouble?

    Hi Daniel,
    I just corrected the cert problem and made the state peer into standby hot. But it still keeps probing the get 302. And then I tried to restart both ACEs. The first step was to restart the second ACE (standby) and then switch over all contexts to the second one. The problem is that when I made the second one active, some services were not working, especially the ones with SSL terminated in ACE. I'm pretty sure that both ACEs were in sync.
    Any idea what is the problem?

  • Exposing same webservices through different ports

    I want to expose the same web services enclosed in EAR files through different port numbers.
    I have tried doing the same by configuring managed server as well as cluster but not able to invoke the services using different port numbers.
    I am using Weblogic server 8.1 sp4 and I have evaluation version of the server.
    Can I do this?
    If yes how?
    Thanks,
    Nitin

    With that combination of requirements, you might consider the following elements:
    Two managed servers, each having their own port (of course). The EAR would be deployed to each server, but you would only activate one of the web modules on each server. This could be controlled with a WLST script, or even a separate application whose only purpose is to prepare or unprepare each web module in the main application (there's an API for this).

  • ACE 4710 - Monitoring Real Server Showing N/A

    I recently installed a Cisco ACE 4710 version A4(2.0) into our test network. Load balancing across a number of web servers appears to be working OK and serving pages to users. However, when I tried to check the real time stats via device manager (Monitor > virtual contexts > context > Real servers), a number of fields, specifically "current connections", "total conns", "failed conns" etc., were showing N/A. Do I need to enable this somehow, i.e. polling, and if so how?

    Hello Samson,
    You may try to reboot the entire ACE 4710, probably during a maintenance window, some java process might have gotten stuck.
    If the issue persists then open a TAC case since there are some software defects related to this behavior.
    Jorge

  • Multiple entries in ARD with same ip, but different ports?

    I always learn so much from these forums...thanks to all of you who take the time to answer.
    I established 5900/3283 for my primary mac (mac 1) behind my router at home and then configured port forwarding to have a public port of 15900 mapped to the secondary machine (mac 2) at 5900. I have dyndns set up in my router and when connecting from the outside with ARD to the dns name without specifying the port, it connects to mac 1 without problem and reports mac 1 as the name in ARD. Great, no problem.
    When I add the 15900 port to the dns name, ARD still shows the mac 1 as the name, but connects to mac 2. Can I fix this to correctly reflect the name of Mac 2? Also, it does not seem possible to have two clients in the ARD list with the same ip address, but different ports. Can this be fixed? Lastly, how do I connect 15900 and 13283 ports in one listing for the port forwarded mac, i.e. how do I enter xxx.xxx.xxx.xxx:15900 and xxx.xxx.xxx.xxx:13283?
    Thanks,
    ed

    And it's still impossible if they all have the same external IP. The whole story? See http://discussions.apple.com/thread.jspa?threadID=1321008&tstart=0
    One option is to set up a VPN (Virtual Private Network) as described in the thread I mentioned.

  • Manage site with same IP but different port

    My computer was updated from Windows XP to Windows 7 and I'm still using CS6.  I can not manage two different sites with the same IP address but one has a different port number.
    I have it set on Document Root but apparently it doesn't matter because I'm having the same issue if I change it to site root.
    This is what I get to preview:
    file:///B:/Admin/facility-management-leasing/facility-management/forms.shtml  instead of
    http://168.40.15.60:81/Admin/facility-management-leasing/facility-management/forms.shtml
    I have the same IP address without a port to another location.
    I'm getting file:///W:/news/Announcements.html instead of http://168.40.15.60//news/Announcements.html
    Please help this is past frustrating!!!!!
    Debby

    Make two different site definitions.

  • CSS - 2 VIPs - one SNAT, one NOT - same real servers

    I have a group of 4 servers that service requests from servers in the same subnet, so they and their VIP are in a group configuration causing Source NAT.
    Now, I want Internet traffic to hit those same 4 servers, but not source NAT. I plan this with a new VIP that will not be in a 'group' configuration.
    Can I re-use the same 'service' definitions even though they are referenced with the other VIP in the 'group' section?

    You can use ACLs to restrict traffic that needs to use the source group. For example:
    Assumption: Your non-Internet traffic is coming from the 10.10.0.0/16 network
    acl 1
      clause 254 permit any any destination any
      clause 100 permit any 10.10.0.0 255.255.0.0 destination content/ sourcegroup
    The above ACL applied to the client VLAN will make CSS use the source group for only the 10.10.0.0/16 network.
    HTH
    Syed Iftekhar Ahmed

  • ACE 4710 Operations Virtual Servers showing Oper State as N/A

    Hi All,
    Just wondering if anyone has come across the following issue before:
    We currently have a pair of ACE4710 in HA running A3(2.7), and when we have added new virtual servers, any new ones show up under the Operations - Virtual Servers window with their Oper State as N/A, as follows:
    However, clicking on the N/A brings up a window showing that the virtual server is Active and inservice and handling traffic. This doesn't appear to be affect the services using the VIPs that have N/A against them as all appears to be fine.
    Just wonder if anyone had seen this before and if there is a reason for it.
    Thanks for your help in advance.
    Ryan

    Thanks for your reply bhartsfield. I mostly work from the CLI as the network engineer but we have server engineers who use the GUI to take things in and out of service if they are conducting maintenance on the servers. So along with the N/A status it also is missing the current connection count which is also used by the server guys.
    The last time I created a VIP I did it via the GUI to see if it was a GUI issue not syncing with the CLI. I have also forced the DM to sync with CLI, but it still has the same results.
    Thanks again for your reply, at least I know I am not alone in seeing this behaviour
    Regards
    Ryan

  • ACE 4710

    I need the best practice for ACE 4710 for load balancing web servers, application servers and database servers.

    Hi,
    Check out the links below for configuration of ACE 4710 for load balancing servers:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/device_manager/guide/UG_lb.html#wp1044682
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/device_manager/guide/UG_lb.html#wp1044806
    Hope to help !!
    If helpful do rate the post
    Ganesh.H

  • [ACE] Real servers and VIP in the same VLAN

    Hello.
    I'm facing an issue because the real servers and the VIP address are in the same VLAN. When a request comes from an external client to the VIP (crossing an ASA firewall), the ACK gets back using the IP of one of the real servers instead of the VIP, so this traffic is blocked by our WAN firewall, probably due to the inspection rules.
    My question is whether there is some way to make the VIP the address that ACKs those requests? Creating a new VLAN would be complicated because there are other services already running on those real servers.
    Thanks a lot,
    Miquel

    Hi Miquel,
    Please do source nat on ACE so that return traffic gets sent to ACE and not FW. Pasting an example for you.
         ==========================================================================
         One-Armed Load Balancing with VIP, Servers, & NAT Pool on the Same Subnet
         ==========================================================================
    login timeout 0
    access-list ANYONE line 10 extended permit ip any any
    rserver host SERVER_01
      ip address 192.168.1.11
      inservice
    rserver host SERVER_02
      ip address 192.168.1.12
      inservice
    rserver host SERVER_03
      ip address 192.168.1.13
      inservice
    serverfarm host REAL_SERVERS
      rserver SERVER_01
        inservice
      rserver SERVER_02
        inservice
      rserver SERVER_03
        inservice
    class-map match-all VIP-30
      2 match virtual-address 192.168.1.30 tcp eq www
    class-map type management match-any REMOTE_ACCESS
      description remote-access-traffic-match
      2 match protocol telnet any
      3 match protocol ssh any
      4 match protocol icmp any
    policy-map type management first-match REMOTE_MGT
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance first-match SLB_LOGIC
      class class-default
        serverfarm REAL_SERVERS
    policy-map multi-match CLIENT_VIPS
      class VIP-30
        loadbalance vip inservice
        loadbalance policy SLB_LOGIC
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 451
    interface vlan 451
      description Servers vlan
      ip address 192.168.1.2 255.255.255.0
      access-group input ANYONE
      service-policy input CLIENT_VIPS
      nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
      no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    Let me know if you have any question.
    Regards,
    Kanwal

  • ACE module client and real servers on same subnet

    I am working on an ACE load balancing implementation, which has the following requirement. Can someone let me know if this can be implemented and how?
    Configuration
    test context
    real server vlan 233
    real server subnet - 167.6.233.x
    VIP vlan - 539
    VIP subnet - 167.6.238.128/25
    production context
    real server vlan 232
    real server subnet - 167.6.232.x
    VIP vlan - 538
    VIP subnet - 167.6.238.0/25
    Load balancing is configured in routed mode with ACE as gateway for the test and prod real server subnets (233 and 232 subnets).
    Test and production servers are mixed in these subnets. So we need to configure source NAT to access the test servers in the production subnet (232) and vice versa.
    Here are the scenarios and questions
    1. clients need to access the real servers in prod subnet (232) through VIP configured in test context (vlan 539) - this is done by SNAT at vlan 539 and working.
    2. real servers in test subnet (233) needs to access real servers in same subnet (233) through VIP configured in test context (vlan 539) - this is done by SNAT at vlan 233 and working
    3. real servers in prod subnet (232) need to access the real servers in test subnet (233) through VIP configured in test context (vlan 539) - this appears to be working fine without any additional configuration
    4. real servers in test subnet (233) needs to access another real servers in prod subnet (232) through VIP configured in test context (539)  - this is not working
    5. real servers in test subnet (233) needs to access another real server which is not on one of the subnet (167.6.56.x) behind ace - this is not working.
    Can we implement the scenarios 4 and 5?

    Hi Suresh,
    I see it's a bit complex and we do not have the config at hand.
    However for the scenario 4 if you apply the policy already applied on vlan 539 on the interface vlan233 then the ACE should catch the packets and apply the policy (i.e. forward the packets to the serverfarm you want)
    Alessandro
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.
