ACE & ACE application Firewall
Hi,
What is the difference between the ACE appliance and the new ACE web-based application firewall appliance? Are they different appliances? Also, what is the best scenario for combining the two appliances in the same network?
Thanks
Cisco ACE Web Application Firewall is a new member of the Cisco Application Control Engine (ACE) family of products. The Cisco ACE Web Application Firewall is a reverse proxy that protects important backend resources from security threats or misuse.
For more information about ACE, refer to the URL below:
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/prod_bulletin0900aecd8045859e.html
For information related to the ACE Web Application Firewall, refer to the following URL:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_waf/v60/user/guide/waf_ug_intro.html
Similar Messages
-
Which Application Firewall ports are open?
I understand the Application Firewall in OS X (10.5.5) is no longer based on ipfw. Is there a firewall rules list somewhere in the system (similar to the old ipfw list) that reflects the Sharing and Application Firewall options selected, but which shows exactly which ports are open or closed? Is it accessible through Terminal or some other means?
The ipfw firewall is still there, but Leopard's application firewall isn't a port firewall.
-
I am confused by the new Application Firewall.
1. Why would I want to block only specific programs from accessing the web? What about the OS itself? Does this mean that someone can not gain access via a program, though the ports are still open?
2. I am not sure which programs I should and should not allow to access the web. Does this mean if a program is set to not access the web, it will not be able to detect updates, register, download updates, etc.?
I read that and I am still confused.
Without explicitly detailing what you're confused about, no one's going to be able to point the clarity spotlight on your issues. Since your profile's out of date, update it and include your configuration information. -
Guys,
If I have servers protected behind a firewall and I need to load balance some servers , where should I place the ACE?
Sent from Cisco Technical Support iPad App
Hi,
With one-arm, I believe the question is where you want to place the firewall. As long as the client is able to reach the VIP and the server replies back to the ACE, I don't see any problem with this design.
Firewall ---------Switch ---------------- Load Balancer ---
As you know, one-arm mode requires source NAT and might not be a good fit for applications that use the source IP address to track client usage patterns. PBR avoids this problem but adds other considerations, such as routing complexity, asymmetrical routing for non-load-balanced flows, and VRF support; PBR is not available on VRFs.
Regards,
Siva -
ACE: as firewall and NAT. inbound and outbound originals
Hi Team,
This time no load balancing is required.
Two servers inside (with private IPs) need to communicate with clients and servers on the internet, i.e., internet clients originate inbound traffic to our servers, and our servers also originate connections to some internet servers.
Both of our servers will work independently for this purpose.
I have a few ideas to mix and match configs in the ACE. (This was originally working with an FWSM setup.) I would like to hear some sound ideas to achieve this using the ACE only as firewall/router. No plan to load balance at present.
Regards to all
SS
Gilles,
Inbound traffic and the related reply traffic can be handled with normal class-map by defining a VIP with public IP.
The above real server with private IP is now going to make a different connection to the internet, i.e.,
outbound traffic and the related reply traffic need handling. (No load balancing planned.)
Destination NAT, Static NAT sounds interesting.
Source NAT, Static NAT sounds interesting. Mixing these sounds very interesting!! I'm looking for sample configs please.
SS -
ARDAgent - Application Firewall: allow incoming connections alert won't stop
Hello,
after having updated Remote Desktop Client from 3.8 to 3.8.2, users have to allow (or deny) incoming connections within the Firewall settings
WHENEVER starting the /System/Library/CoreServices/RemoteManagement/ARDAgent.app, especially when logging in or starting the /Applications/Remote\ Desktop.app (Admin)
ALTHOUGH
/System/Library/CoreServices/RemoteManagement/ARDAgent.app is locked in the Firewall Settings AND/or
"Automatically allow signed Software to receive incoming connections" is checked (enabled)
When switching to a standard user (not an admin), he also can/must allow or deny - and the Firewall Settings are modified correspondingly.
My questions are so far:
Why does the existing Firewall setting not apply when (re-)starting the ARDagent.app daemon?
Is the ARDagent.app (since version 3.8.2) not signed software?
This behaviour occurs for OS X 10.10.1 _and_ OS X 10.10.2.
Many thanks for any approach to overcome the problem and kind regards from Munich (GER).
I was fighting with this 'till now.
This is what I did:
Remove ARDagent.app from /System/Library/CoreServices/RemoteManagement
Remove it from the list in Firewall preferences.
Disable Firewall.
Reboot.
Install OSX 10.10.2 combo-update.
Reboot.
Manually add the ARDagent.app from /System/Library/CoreServices/RemoteManagement to the Allowed Rules in Firewall.
Enable Firewall.
Update to ARD Client v3.8.2 v1.1 from the App Store.
Reboot.
Here, the annoying firewall message has gone. I hope it will work for you too.
I know it's a bit raw and it can be done in a more sophisticated way... But I have no time to deal with this kind of sh*t!
Cheers. -
Application Firewall settings and OSX 10.5.2 Server
I recently upgraded our servers at work to 10.5 and then performed the upgrade to 10.5.2. Now I have a service that's having issues connecting to another computer and my thought is that it might be the new firewall that's causing the issue. However, when I went to change the settings, I couldn't find the control for it as described.
I'm looking for it at System Preferences -> Security. I'm only seeing two tabs on this page, General and FileVault. I do not see a tab for Firewall anywhere.
Help would be appreciated.
Thanks
Hi Ian,
Go to http://www.apple.com/server/documentation/ and download the NetworkServices_Adminv10.5.pdf manual. Information on the Firewall and its configuration are in there. Most everything you need to know about running Leopard OS X Server is on that page. The rest is in these forums and at http://www.afp548.com and http://osx.topicdesk.com for starters.
Good luck with your new server software.
Larry -
With Ajay Kumar and Telmo Pereira
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuring and troubleshooting the Cisco Application Control Engine (ACE) load balancer with Cisco experts Ajay Kumar and Telmo Pereira. The Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is a next-generation load-balancing and application-delivery solution. A member of the Cisco family of Data Center 3.0 solutions, the module:
• Helps ensure business continuity by increasing application availability
• Improves business productivity by accelerating application and server performance
• Reduces data center power, space, and cooling needs through a virtualized architecture
• Helps lower operational costs associated with application provisioning and scaling
Ajay Kumar is a customer support engineer in the Cisco Technical Assistance Center in Brussels, covering content delivery network technologies including Cisco Application Control Engine, Cisco Wide Area Application Services, Cisco Content Switching Module, Cisco Content Services Switches, and others. He has been with Cisco for more than four years, working with major customers to help resolve their issues related to content products. He holds DCASI and VCP certifications.
Telmo Pereira is a customer support engineer in the Cisco Technical Assistance Center in Brussels, where he covers all Cisco content delivery network technologies including Cisco Application Control Engine (ACE), Cisco Wide Area Application Services (WAAS), and Digital Media Suite. He has worked with multiple customers around the globe, helping them solve interesting and often highly complex issues. Pereira has worked in the networking field for more than 7 years. He holds a computer science degree as well as multiple certifications including CCNP, DCASI, DCUCI, and VCP.
Remember to use the rating system to let Ajay know if you have received an adequate response.
Ajay and Telmo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum Application Networking shortly after the event.
This event lasts through July 26, 2013. Visit this forum often to view responses to your questions and the questions of other community members.
Hello Krzysztof,
Another set of good/interesting questions posted. Thanks!
I will try to clarify your doubts.
In the output below both resources (proxy-connections and ssl-connections rate) are configured with a minimum percentage of resources (column Min), while Max is set equal to Min.
ACE/Context# show resource usage
                                          Allocation
  Resource                Current       Peak        Min        Max     Denied
  -- outputs omitted for brevity --
  proxy-connections             0      16358      16358      16358      17872
  ssl-connections rate          0        626        626        626      23204
Most columns are self explanatory, 'Current' is current usage, 'Peak' is the maximum value reached, and the most important counter to monitor 'Denied' represents the amount of packets denied/dropped due to exceeding the configured limits.
On the resources themselves, Proxy-connections is simply the amount of proxied connections, in other words all connections handled at layer 7 (SSL connections are proxied, as are any connections with layer 7 load balance policies, or inspection).
So in this particular case for the proxy-connections we see that Peak is equal to the Max allocated, and as we have denies we can conclude that you have surpassed the limits for this resource. We see there were 17872 connections dropped due to that.
ssl-connections rate should be read in the same manner, however all values for this resource are in bytes/s, except for Denied counter, that is simply the amount of packets that were dropped due to exceeding this resource.
For your particular tests you have allocated a min percentage and set max equal to min, this way you make sure that this context will not use any other additional resources.
If you had set the max to unlimited during resource allocation, ACE would be allowed to use additional resources on top of those guaranteed, if those resources were available.
This might sound like a great idea, but resource planning on ACE should be done carefully to avoid any sort of oversubscription, especially if you have business-critical contexts.
We have a good reference for ACE resource planning that contains also description of all resources (this will help to understand the output better):
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/virtualization/guide/config.html#wp1008224
1) When a resource is utilized to its maximum limit, the ACE denies additional requests made by any context for that resource. In other words, the action is to Drop. ACE should in theory silently drop (No RST is sent back to the client). So unless we changed something on the code, this is what you should see.
To give more context, seeing resets with SSL connections is not necessarily synonymous with drops, as it is usual to see them during normal transactions.
For instance, Microsoft servers usually terminate SSL connections ungracefully with a RESET. Also, when there is renegotiation during an SSL transaction you may see RESETs, but this will pass unnoticed by end users.
2) ACE will simply drop/ignore new connections when we reach the maximum amount of proxied connections for that context. Existing connections will continue.
As ACE doesn't respond back, client would simply retransmit, and if he is lucky maybe in the next attempt he will be able to establish the connection.
To overcome the denies, you will definitely have to increase the resource allocation. This of course, assuming you are not reaching any physical limit of the box.
As mentioned setting max as unlimited might work for you, assuming there are a lot of unused resources on the box.
3) If a new connection comes in with a sticky value that matches the sticky entry of a real server which is already in MAXCONNS state, then both the ACE module and the appliance should reject the connection, and that sticky entry would be removed.
The client would at that point reestablish a new connection and ACE would associate a new sticky entry with the flow for a new RSERVER after the loadbalancing decision.
I hope this makes things clearer! Uff...
Regards,
Telmo -
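A parser for the 'show resource usage' output Telmo reads above, added here as an example and not part of the thread: it applies his interpretation (Peak at Max together with a non-zero Denied counter means the context hit its allocation and silently dropped connections) and compares two polls so an operator can tell a historical counter from active dropping. The column layout of the sample is assumed, and every row except the two quoted in the thread is constructed.

```python
"""Check ACE 'show resource usage' output for exhausted resources.

Added example (not from the thread). Parses the resource table and flags
rows where Peak reached Max and the Denied counter is non-zero, i.e. the
context has been dropping connections because of its allocation.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of the command output (column layout assumed); only
# the proxy-connections and ssl-connections rate rows are from the thread.
SAMPLE_OUTPUT = """\
ACE/Context# show resource usage
                                                     Allocation
        Resource         Current       Peak        Min        Max       Denied
-------------------------------------------------------------------------------
Context: Context
  conc-connections            12       4100          0    8000000          0
  proxy-connections            0      16358      16358      16358      17872
  ssl-connections rate         0        626        626        626      23204
  sticky                     300       2048       2048      16384          0
"""


@dataclass
class ResourceRow:
    name: str
    current: int
    peak: int
    minimum: int
    maximum: int
    denied: int

    def exhausted(self) -> bool:
        """True when the allocation ceiling was hit and requests were denied."""
        return self.denied > 0 and self.peak >= self.maximum

    def can_borrow(self) -> bool:
        """True when Max exceeds Min, so the context may use unallocated
        resources on top of its guaranteed share (the 'unlimited' case)."""
        return self.maximum > self.minimum


# A data row: indented name (may contain a space, e.g. 'ssl-connections rate')
# followed by exactly five integer columns. Header and separator lines fail.
ROW_RE = re.compile(r"^\s+(?P<name>[A-Za-z][\w -]*?)\s+(?P<nums>\d+(?:\s+\d+){4})\s*$")


def parse_resource_usage(text: str) -> List[ResourceRow]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            nums = [int(n) for n in m.group("nums").split()]
            rows.append(ResourceRow(m.group("name").strip(), *nums))
    return rows


def exhausted_resources(text: str) -> List[str]:
    """Names of the resources that hit their limit and denied requests."""
    return [r.name for r in parse_resource_usage(text) if r.exhausted()]


def denied_delta(previous: str, current: str) -> Dict[str, int]:
    """Resources whose Denied counter grew between two polls: these are
    dropping traffic right now, not just at some point in the past."""
    before = {r.name: r.denied for r in parse_resource_usage(previous)}
    growth = {}
    for r in parse_resource_usage(current):
        delta = r.denied - before.get(r.name, 0)
        if delta > 0:
            growth[r.name] = delta
    return growth


if __name__ == "__main__":
    for row in parse_resource_usage(SAMPLE_OUTPUT):
        flag = "EXHAUSTED" if row.exhausted() else "ok"
        print(f"{row.name:<22} peak={row.peak:<8} max={row.maximum:<8} "
              f"denied={row.denied:<8} {flag}")
```

Polling this periodically and alerting on a growing Denied counter is the practical way to catch the silent drops Telmo describes, since the client sees no RST.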
ACE - Balance HTTP and sticky only SSL/TLS
Hi there,
I have a situation that I am trying to solve. We have a lot of services through ACE, but now I have to modify one of them, the PROXY servers.
I have six (6) servers working with Sticky, but with a MASK of 255.255.255.0, which sometimes produces an unbalanced situation and affects some servers depending on how many users are connected to that server. We have between 40K and 50K conns in that serverfarm, but in Sticky terms we have around 700 /24 subnets.
I want to modify the configuration, specifically the MASK to 255.255.255.255, which is going to increase Sticky resources a lot. But thinking about optimizing Sticky resources, I want to know if there is a way to select only e-commerce, Home Banking or other kinds of SSL/TLS traffic (always using port 80 through the proxy servers), so I could use Sticky only for connections that need it and leave other HTTP traffic without this feature.
I'm sorry, maybe I'm asking a silly question, but I don't have the experience to make this configuration, and I will appreciate your help.
Here is the actual configuration:
probe tcp HTTP
  description Keepalive web servers
  interval 20
  passdetect interval 30
rserver host Server1
  ip address 10.1.1.1
  inservice
rserver host Server2
  ip address 10.1.1.2
  inservice
rserver host Server3
  ip address 10.1.1.3
  inservice
rserver host Server4
  ip address 10.1.1.4
  inservice
rserver host Server5
  ip address 10.1.1.5
  inservice
rserver host Server6
  ip address 10.1.1.6
  inservice
serverfarm host PRX
  failaction purge
  predictor leastconns
  probe HTTP
  rserver Server1
    inservice
  rserver Server2
    inservice
  rserver Server3
    inservice
  rserver Server4
    inservice
  rserver Server5
    inservice
  rserver Server6
    inservice
sticky ip-netmask 255.255.255.0 address source sticky-PRX
  timeout 60
  serverfarm PRX
class-map match-any VIP-PRX
  2 match virtual-address 10.10.10.101 tcp eq www
policy-map type loadbalance first-match POLICY-L7-PRX
  class class-default
    sticky-serverfarm sticky-PRX
policy-map multi-match PRX-Balance
  class VIP-PRX
    loadbalance vip inservice
    loadbalance policy POLICY-L7-PRX
    loadbalance vip icmp-reply
interface vlan 100
  ip address 10.10.10.11 255.255.255.0
  alias 10.10.10.10 255.255.255.0
  peer ip address 10.10.10.12 255.255.255.0
  no normalization
  access-group output SOLO-SLB
  service-policy input PRX-Balance
Thanks
Alexis
You might want to check out this new product called ITD.
Simple and faster solution:
ITD provides :
ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
IP-stickiness
Resilient (like resilient ECMP)
VIP based L4 load-balancing
NAT (available for EFT/PoC). Allows non-DSR deployments.
Weighted load-balancing
Load-balances to large number of devices/servers
ACL along with redirection and load balancing simultaneously.
Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
The servers/appliances don’t have to be directly connected to N7k
Monitoring the health of servers/appliances.
N + M redundancy.
Automatic failure handling of servers/appliances.
VRF support, vPC support, VDC support
Supported on both Nexus 7000 and Nexus 7700 series.
Supports both IPv4 and IPv6
N5k / N6k support : coming soon
Blog
At a glance
ITD config guide
Email Query or feedback:[email protected] -
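Added example, not from either thread, modeling the sticky behaviour discussed in Alexis's question here and in Telmo's point 3 in the Ask the Expert thread above: how a /24 sticky mask under the leastconns predictor can pin a whole subnet to one rserver, what a /32 mask costs in sticky entries instead, and the rejection of a sticky hit onto an rserver in MAXCONNS state. The client addresses and the maxconns value are constructed; the rserver names come from the configuration above.

```python
"""Model of ACE source-IP stickiness with the leastconns predictor.

Added example (not the thread's own code). The sticky table is keyed by the
client address masked with the 'sticky ip-netmask' mask; a sticky hit onto
an rserver in MAXCONNS state is rejected and the entry removed, so the
client's retry gets a fresh load-balancing decision.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


class StickyServerfarm:
    def __init__(self, rservers: List[str], netmask: str,
                 maxconns: Optional[int] = None):
        self.rservers = list(rservers)
        self.mask = int(ipaddress.IPv4Address(netmask))
        self.maxconns = maxconns               # per-rserver limit; None = unlimited
        self.conns: Dict[str, int] = {r: 0 for r in rservers}
        self.sticky: Dict[int, str] = {}        # masked source -> rserver
        self.flows: List[Tuple[str, str]] = []  # (client, rserver) active flows

    def _key(self, client_ip: str) -> int:
        return int(ipaddress.IPv4Address(client_ip)) & self.mask

    def _in_maxconns(self, rserver: str) -> bool:
        return self.maxconns is not None and self.conns[rserver] >= self.maxconns

    def _leastconns(self) -> Optional[str]:
        # predictor leastconns: fewest active connections, ties go to the
        # first rserver listed; rservers in MAXCONNS state are skipped
        candidates = [r for r in self.rservers if not self._in_maxconns(r)]
        return min(candidates, key=lambda r: self.conns[r]) if candidates else None

    def connect(self, client_ip: str) -> Optional[str]:
        """Rserver chosen for a new connection, or None if it is rejected."""
        key = self._key(client_ip)
        rserver = self.sticky.get(key)
        if rserver is not None and self._in_maxconns(rserver):
            # Sticky hit on an rserver already at maxconns: reject and drop
            # the entry so the next attempt is load balanced again.
            del self.sticky[key]
            return None
        if rserver is None:
            rserver = self._leastconns()
            if rserver is None:
                return None                    # every rserver is at maxconns
            self.sticky[key] = rserver
        self.conns[rserver] += 1
        self.flows.append((client_ip, rserver))
        return rserver

    def disconnect(self, client_ip: str) -> None:
        for i, (client, rserver) in enumerate(self.flows):
            if client == client_ip:
                del self.flows[i]
                self.conns[rserver] -= 1
                return
        raise KeyError(client_ip)


RSERVERS = ["Server1", "Server2", "Server3", "Server4", "Server5", "Server6"]


def constructed_clients() -> List[str]:
    # Constructed: 200 clients inside one /24 (a large site behind one prefix)
    # plus 100 clients that each sit in a different /24.
    return ([f"10.1.1.{i}" for i in range(1, 201)]
            + [f"172.16.{i}.7" for i in range(100)])


def simulate(netmask: str) -> Tuple[Dict[str, int], int]:
    """Connections per rserver and sticky-table size once every client has
    opened one connection through a farm using the given sticky mask."""
    farm = StickyServerfarm(RSERVERS, netmask)
    for client in constructed_clients():
        farm.connect(client)
    return dict(farm.conns), len(farm.sticky)


def maxconns_scenario() -> Tuple[Optional[str], ...]:
    """Telmo's point 3 with a constructed maxconns of 1 per rserver."""
    farm = StickyServerfarm(["Server1", "Server2"], "255.255.255.255", maxconns=1)
    first = farm.connect("10.1.1.1")      # Server1 (all idle, first listed wins)
    other = farm.connect("10.1.1.2")      # Server2 (Server1 now in MAXCONNS)
    farm.disconnect("10.1.1.2")           # Server2 has a free slot again
    rejected = farm.connect("10.1.1.1")   # sticky hit on Server1 in MAXCONNS: rejected
    retry = farm.connect("10.1.1.1")      # fresh decision: Server2, new sticky entry
    return first, other, rejected, retry


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.255"):
        counts, entries = simulate(mask)
        print(f"mask {mask}: {counts} sticky entries={entries}")
    print("maxconns scenario:", maxconns_scenario())
```

With the /24 mask the whole 10.1.1.0/24 lands on Server1 while the other five rservers share the rest, which is the imbalance described in the question; the /32 mask balances the same clients but needs one sticky entry per client.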
ACE 4710, reverse proxy?
Hello All,
Please forgive my ignorance, but can the ACE appliance behave as a reverse proxy for HTTP and SSL traffic? I would assume it can given how it does SLB, but SLB is not a requirement at this time. Thanks for your input.
Hi Mate,
Reverse proxy servers can perform many tasks, like:
Note: this info is from Wikipedia: http://en.wikipedia.org/wiki/Reverse_proxy
Reverse proxies can hide the existence and characteristics of the origin server(s). The ACE will do that.
Application firewall features can protect against common web-based attacks. Without a reverse proxy, removing malware or initiating takedowns, for example, can become difficult. The ACE has some built-in security features; you can refer to this document for full details:
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/security/guide/securgd.html
In the case of secure websites, the SSL encryption is sometimes not performed by the web server itself, but is instead offloaded to a reverse proxy that may be equipped with SSL acceleration hardware. The ACE can do this:
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/ssl/guide/sslgd.html
A reverse proxy can distribute the load from incoming requests to several servers, with each server serving its own application area. In the case of reverse proxying in the neighborhood of web servers, the reverse proxy may have to rewrite the URL in each incoming request in order to match the relevant internal location of the requested resource. The ACE can do that perfectly.
A reverse proxy can reduce load on its origin servers by caching static content, as well as dynamic content. Proxy caches of this sort can often satisfy a considerable amount of website requests, greatly reducing the load on the origin server(s). Another term for this is web accelerator. A reverse proxy can optimize content by compressing it in order to speed up loading times. Please check this link for more detail about ACE Application Acceleration and Optimization:
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/app_acc_and_opt/guide/appaccoptgd.html
Best regards,
Ahmad -
Hi,
I'd like to solve the problem which occurs when our client communicates with http server through ACE SM. See picture attached.
The problem is, that http response from server (200 OK) is divided into two packets. Both packets are sent by backend http server in rapid succession.
ACE forwards the first packet, but then waits for ACK from client. Only then it sends the second one. It takes about 200ms until client sends ACK.
One transaction consists of hundreds of such HTTP requests. It means that the whole transaction takes approx. 25 seconds when it is balanced by ACE. When I connect directly to the backend server the transaction takes approx. 5 seconds.
I'm quite sure the problem is not related to the TCP window.
Is there any parameter on ACE which could affect this behaviour (waiting for the ACK before the second packet is sent)?
Petr
Hi Petr,
Since your issue is solved now, you might want to check out this new product called ITD.
-
Can ACE function as reverse proxy without the ACE Web application Firewall?
Hi,
If you configure source NAT on all of the client traffic, the ACE will act more or less like a reverse proxy requesting the data from the server using the configured NAT IP instead of the client original one.
Just keep in mind that the ACE won't ever do any caching whatsoever so you can forget about it if this is what you are looking for.
Regards,
Nicolas -
ACE Load balancing FTP connections.
I have my ACE blade (running A1(4d) ) currently set-up to static nat to an FTP server.
I have tried setting up a sticky SLB VIP for FTP across this server and an additional box but firewall in front of the ACE throws the connections.
It appears that the servers are responding directly to the clients when in SLB and so the control connection has the wrong IP (real vs. VIP)
How do I set this up so that it works?
Here's the relevant config, IPs changed to protect the innocent.
probe ftp FTP_DL
  description FTP Probe
  expect status 220 220
rserver host HTTPDL_01
  ip address 10.2.200.21
  inservice
rserver host HTTPDL_02
  ip address 10.2.200.22
  inservice
serverfarm host Download_FTP
  probe FTP_DL
  rserver HTTPDL_01
    inservice
  rserver HTTPDL_02
    inservice
sticky ip-netmask 255.255.255.255 address both FTP_DL
  timeout 10
  replicate sticky
  serverfarm Download_FTP
class-map match-any FTP_DL
  3 match virtual-address A.A.A.A any
policy-map type loadbalance first-match FTP_DL
  class class-default
    sticky-serverfarm FTP_DL
policy-map multi-match FTP_Download
  class FTP_DL
    loadbalance vip inservice
    loadbalance policy FTP_DL
interface vlan 200
  description Back End Connection
  ip address 10.2.200.2 255.255.255.0
  alias 10.2.200.1 255.255.255.0
  peer ip address 10.2.200.3 255.255.255.0
  no normalization
  service-policy input ICMP_ALLOW_POLICY
  no shutdown
interface vlan 300
  description ACE to Firewall
  ip address 10.3.100.252 255.255.255.0
  alias 10.3.100.254 255.255.255.0
  peer ip address 10.3.100.253 255.255.255.0
  no normalization
  service-policy input FTP_Download
  no shutdown
There is an active/passive cluster of firewalls in front of the ACE and all the VIPs are Public IPs from our class C range which are routed through from the firewalls.
The vlan300 interface on the ACE is in a transport VLAN with the back end FW interfaces. The vlan200 interface is on the same VLAN as the rservers.
If I change the Class map to
match virtual address A.A.A.A tcp eq ftp
I see the data connections being bounced on the inside interface on the firewall as they are not matched to the VIP. -
Hello, I need some assistance in upgrading a 4710. This is a brand new ACE out of the box and I have tried to upgrade a couple of times but get the same error... Here are the details:
switch/Admin# copy ftp://10.0.0.1/c4710ace-t1k9-mz.A5_2_2.bin image:
Enter the destination filename[]? [c4710ace-t1k9-mz.A5_2_2.bin]
File already exists, do you want to overwrite?[y/n]: [y] y
Enter username[]? ace
Enter the file transfer mode[bin/ascii]: [bin]
Enable Passive mode[Yes/No]: [Yes]
Password:
Passive mode on.EXT3-fs error (device hdb2): ext3_new_block:
Hash mark prinAllocating block in system zone - block = 163843ting on (1024 by
Aborting journal on device hdb2.
ext3_abort called.
EXT3-fs error (device hdb2): ext3_journal_start_sb: Detected aborted journal
Remoulocal: /mnt/cf/cn4710ace-t1k9-mz.tA5_2_2.bin: Readi-only file systenm
g filesystem read-only
switch/Admin# al has aborted in __ext3_journal_get_write_access<2>EXT3-fs error (device hdb2) in ext3_reserve_inode_write: Journal has aborted
ext3_abort called.
EXT3-fs error (device hdb2): ext3_journal_start_sb: Detected aborted journal
Remounting filesystem read-only
EXT3-fs error (device hdb2) in ext3_ordered_commit_write: Journal has aborted
Buffer I/O error on device loop3, logical block 1238
Buffer I/O error on device loop3, logical block 745
Aborting journal on device loop3.
journal commit I/O error
ext3_abort called.
EXT3-fs error (device loop3): ext3_journal_start_sb: Detected aborted journal
Remounting filesystem read-only
EXT3-fs error (device loop3) in start_transaction: Journal has aborted
And it keeps going on with this message.
I also tried tftp and I get the same thing:
switch/Admin#
switch/Admin# show ver
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2012 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader: Version 0.95.1
system: Version A5(1.2) [build 3.0(0)A5(1.2) adbuild_19:38:58-2012/01/17_/a
uto/adbure_nightly4/renumber/rel_a5_1_2_throttle/REL_3_0_0_A5_1_2]
system image file: (hd0,1)/c4710ace-t1k9-mz.A5_1_2.bin
Device Manager version 5.1 (0) 20111215:1009
installed license: no feature license is installed
Hardware
cpu info:
Motherboard:
number of cpu(s): 2
Daughtercard:
number of cpu(s): 16
memory info:
total: 6225528 kB, free: 4270140 kB
shared: 0 kB, buffers: 10864 kB, cached 0 kB
cf info:
filesystem: /dev/hdb2
total: 861668 kB, used: 621592 kB, available: 196304 kB
last boot reason: Unknown
configuration register: 0x1
switch kernel uptime is 0 days 15 hours 1 minute(s) 1 second(s)
switch/Admin#
switch/Admin#
switch/Admin# copy tftp: image:
Enter source filename[]? c4710ace-t1k9-mz.A5_2_2.bin
Enter the destination filename[]? [c4710ace-t1k9-mz.A5_2_2.bin]
File already exists, do you want to overwrite?[y/n]: [y] y
Address of remote host[]? 10.0.0.1
Trying to connecEXT3-fs error (device hdb2): ext3_free_blocks_sb: t to tftp serverbit already cleared for block 6144......
Aborting journal on device hdb2.
ext3_abort called.
EXT3-fs error (device hdb2): ext3_journal_start_sb: <2>EXT3-fs error
TFTP get oper(ation failed:Readd-only file systeem
vice hdb2): ext3_free_blocks_sb: bit already cleared for block 6145
switch/Admin# ready cleared for block 6146cks_sb: bit al
EXT3-fs error (device hdb2): ext3_free_blocks_sb: bit already cleared for block 6147
EXT3-fs error (device hdb2): ext3_free_blocks_sb: bit already cleared for block 6148
EXT3-fs error (device hdb2): ext3_free_blocks_sb: bit already cleared for block 6149
EXT3-fs error (device hdb2): ext3_free_blocks_sb: bit already cleared for block 6150
EXT3-fs error (device hdb2): ext3_free_blocks_sb: bit already cleared for block 6151
EXT3-fs error (device hdb2): ext3_free_blocks_sb: bit already cleared for block 6152
EXT3-fs error (device hdb2): ext3_free_blocks_sb: bit already cleared for block 6153
EXT3-fs error (device hdb2): ext3_free_blocks_sb: bit already cleared for block 6154
EXT3-fs error (device hdb2): ext3_free_blocks_sb: bit already cleared for block 6155
ext3_reserve_inode_write: aborting transaction: Journal has aborted in __ext3_journal_get_write_access<2>EXT3-fs error (device hdb2) in ext3_reserve_inode_write: Journal has aborted
EXT3-fs error (device hdb2) in ext3_truncate: Journal has aborted
ext3_reserve_inode_write: aborting transaction: Journal has aborted in __ext3_journal_get_write_access<2>EXT3-fs error (device hdb2) in ext3_reserve_inode_write: Journal has aborted
EXT3-fs error (device hdb2) in ext3_orphan_del: Journal has aborted
ext3_reserve_inode_write: aborting transaction: Journal has aborted in __ext3_journal_get_write_access<2>EXT3-fs error (device hdb2) in ext3_reserve_inode_write: Journal has aborted
EXT3-fs error (device hdb2) in ext3_delete_inode: Journal has aborted
ext3_abort called.
EXT3-fs error (device hdb2): ext3_journal_start_sb: Detected aborted journal
Remounting filesystem read-only
Buffer I/O error on device loop3, logical block 1238
Buffer I/O error on device loop3, logical block 749
Aborting journal on device loop3.
journal commit I/O error
ext3_abort called.
EXT3-fs error (device loop3): ext3_journal_start_sb: Detected aborted journal
Remounting filesystem read-only
EXT3-fs error (device loop3) in start_transaction: Journal has aborted
EXT3-fs error (device loop3) in start_transaction: Journal has aborted
EXT3-fs error (device loop3) in start_transaction: Journal has aborted
EXT3-fs error (device loop3) in start_transaction: Journal has aborted
EXT3-fs error (device loop3) in start_transaction: Journal has aborted
EXT3-fs error (device loop3) in start_transaction: Journal has aborted
What am I doing wrong... Any help is much appreciated.
Please rate useful posts and remember to mark any solved questions as answered. Thank you.
Hi Bilal,
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/administration/guide/managesw.pdf
read the section "Reformatting the ACE Appliance Flash Memory":
After you reformat the Flash memory, perform the following actions:
• Reinstall the ACE appliance software image by using the copy image: command (see the Release Note, Cisco ACE 4700 Series Application Control Engine Appliance).
• Reinstall the ACE appliance license by using the license install command (see Chapter 4, Managing ACE Software Licenses).
• Import the startup and running-configuration files into the associated context by using the copy command (see the “Copying Configuration Files from a Remote Server” section).
• Import SSL certificate files and key pair files into the associated context by using the crypto import command (see the SSL Guide, Cisco ACE Application Control Engine).
Hope that helps.
regards
Ajay Kumar -
Hi,
I have two questions about TCL scripts on ACE:
1. TCL source code
How can I browse the TCL source code of predefined probe scripts on the ACE (for instance HTTPCONTENT_PROBE)?
2. Script parameters
How do I retrieve in the TCL script the parameters passed to the script in the command < script script_name [script_arguments] > ?
Thank you,
Yves
Yves,
you can download all the scripts from the download software page.
http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=A2%283.2%29&mdfid=280557289&sftType=Application+Control+Software+Scripts&optPlat=&nodecount=2&edesignator=null&modelName=Cisco+ACE+Application+Control+Engine+Module&treeMdfId=268437639&treeName=Application+Networking+Services&modifmdfid=null&imname=&hybrid=Y&imst=N&lr=Y
# Copyright (c) 2005-2008 by Cisco Systems, Inc.
#
# debug procedure
# set the EXIT_MSG environment variable to help debug
# also print the debug message when debug flag is on
proc set_exit_msg { msg } {
    global debug ip port EXIT_MSG
    set EXIT_MSG $msg
    if { [ info exists ip ] && [ info exists port ] } {
        set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
    }
    if { [ info exists debug ] && $debug } {
        puts $EXIT_MSG
    }
}

# main
# Parse cmd line args and initialize variables
# (the script_arguments given on the "script" line arrive in argv/argc)
set_exit_msg "initializing variable"
if { $argc < 2 } {
    # usage text reconstructed from the argument names read below
    set_exit_msg "[ info script ] parameters : requestHeader expectFileType debug"
    exit 30002
}
# the real server address and port are supplied by the ACE in scriptprobe_env
set ip $scriptprobe_env(realIP)
set port $scriptprobe_env(realPort)
# If port is zero then use well known HTTP port 80
if { $port == 0 } {
    set port 80
}
set requestHeader [ lindex $argv 0 ]
set expectFileType [ lindex $argv 1 ]
set debug [ lindex $argv 2 ]
if { $debug == "" } {
    set debug 0
}

# Open connection
set_exit_msg "opening socket"
set sock [ socket $ip $port ]

# Send HTTP request to server
set_exit_msg "sending request : $requestHeader"
puts -nonewline $sock "$requestHeader\n\n"
flush $sock

# Read string back from server
set_exit_msg "receiving response"
set lines [ read $sock ]

# Close connection
set_exit_msg "closing socket"
close $sock

# Parse the HTTP response
# All the following conditions cause probe failure, returning exit code 30002

# Unable to recognize the HTTP response
if { ![ regexp -nocase "^HTTP/1\.\[0-9\] (\[0-9\]\[0-9\]\[0-9\])" $lines match statuscode ] } {
    set_exit_msg "probe fail : can't find status code"
    exit 30002
}

# HTTP response is not 200 OK
if { $statuscode != "200" } {
    set_exit_msg "probe fail : status code is $statuscode"
    exit 30002
}

# Unable to find Content-type header
if { ![ regexp -nocase "Content-Type *:(.*)\n" $lines match foundContentType ] } {
    set_exit_msg "probe fail : can't find \'Content-Type\' header"
    exit 30002
}

# Content-type value does not contain the requested string
if { ![ regexp "$expectFileType" $foundContentType ] } {
    set_exit_msg "probe fail : expect content-type \'$expectFileType\', but got \'$foundContentType\'"
    exit 30002
}

# Indicate probe success with exit code 30001
set_exit_msg "probe success"
exit 30001
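On the second question (retrieving the script_arguments), here is an added example, not one of the Cisco-supplied scripts and not from the reply above: it shows how the arguments arrive in argv/argc and the server address in scriptprobe_env, how to exercise the same file under a plain tclsh by emulating that environment, and a literal Content-Type check that does not treat the argument as a regexp. It assumes, as HTTPCONTENT_PROBE shows, that scriptprobe_env(realIP)/(realPort) are provided by the ACE and that exit 30001 means probe success and 30002 failure; the server reply is constructed inline in place of the socket read.

```tcl
# Off-box (plain tclsh) there is no scriptprobe_env, so emulate it with
# constructed values; on the ACE this branch is skipped. Try:
#   tclsh probe_args.tcl "GET /index.html HTTP/1.0" text/html 1
if { ![ info exists scriptprobe_env ] } {
    set scriptprobe_env(realIP) 192.0.2.10    ;# constructed test address
    set scriptprobe_env(realPort) 0           ;# 0 = use the well-known port
}

# Positional parameters, in the order typed after "script <name>" in the probe.
# lindex yields "" past the end of argv, so each optional argument needs a default.
proc parse_args { argc argv } {
    if { $argc < 2 } {
        error "usage: requestHeader expectFileType ?debug?"
    }
    set cfg(requestHeader) [ lindex $argv 0 ]
    set cfg(expectFileType) [ lindex $argv 1 ]
    set cfg(debug) [ expr { [ lindex $argv 2 ] eq "" ? 0 : 1 } ]
    return [ array get cfg ]
}

# Literal, case-insensitive substring test instead of "regexp $expectFileType",
# so the argument is compared as text and never interpreted as a pattern.
proc check_content_type { response expected } {
    if { ![ regexp -nocase -line {^Content-Type[ \t]*:[ \t]*([^\r\n]*)} $response -> ct ] } {
        return [ list 30002 "probe fail : can't find 'Content-Type' header" ]
    }
    set ct [ string trim $ct ]
    if { [ string first [ string tolower $expected ] [ string tolower $ct ] ] < 0 } {
        return [ list 30002 "probe fail : expect content-type '$expected', but got '$ct'" ]
    }
    return [ list 30001 "probe success : content-type is '$ct'" ]
}

if { [ catch { array set cfg [ parse_args $argc $argv ] } err ] } {
    puts stderr $err
    exit 30002
}
set ip $scriptprobe_env(realIP)
set port [ expr { $scriptprobe_env(realPort) == 0 ? 80 : $scriptprobe_env(realPort) } ]

# Constructed server reply standing in for the socket read; a real probe would
# send $cfg(requestHeader) to $ip:$port and read the answer into $response here.
set response "HTTP/1.1 200 OK\r\nServer: constructed\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n<html></html>"
foreach { code msg } [ check_content_type $response $cfg(expectFileType) ] break
if { $cfg(debug) } { puts "[ info script ]:$ip:$port: $msg" }
exit $code
```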