ACE & ACE application Firewall

Hi,
What is the difference between the ACE appliance and the new ACE web-based application firewall appliance? Are they different appliances? Also, what is the best scenario for combining the two appliances in the same network?
Thanks

Cisco ACE Web Application Firewall is a new member of the Cisco Application Control Engine (ACE) family of products. The Cisco ACE Web Application Firewall is a reverse proxy that protects important backend resources from security threats or misuse.
For more information about ACE, refer to the URL below:
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/prod_bulletin0900aecd8045859e.html
For information related to the ACE Web Application Firewall, refer to the following URL:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_waf/v60/user/guide/waf_ug_intro.html

Similar Messages

  • Which Application Firewall ports are open?

    I understand the Application Firewall in OS X (10.5.5) is no longer based on ipfw. Is there a firewall rules list somewhere in the system (similar to the old ipfw list) that reflects the Sharing and Application Firewall options selected, but which shows exactly which ports are open or closed? Is it accessible through Terminal or some other means?

    The ipfw firewall is still there, but Leopard's application firewall isn't a port firewall.

  • Application Firewall

    I am confused by the new Application Firewall.
    1. Why would I want to block only specific programs from accessing the web? What about the OS itself? Does this mean that someone can not gain access via a program, though the ports are still open?
    2. I am not sure which programs I should and should not allow to access the web. Does this mean if a program is set to not access the web, it will not be able to detect updates, register, download updates, etc.?

    I read that and I am still confused.
    Without explicitly detailing what you're confused about, no one's going to be able to point the clarity spotlight on your issues. Since your profile's out of date, update it and include your configuration information.

  • Cisco ACE and firewall design

    Guys,
    If I have servers protected behind a firewall and I need to load balance some servers , where should I place the ACE?
    Sent from Cisco Technical Support iPad App

    Hi,
    With one-arm, I believe the question is where you want to place the firewall. As long as the client is able to reach the VIP and the server replies back to the ACE, I don't see any problem with this design.
    Firewall --------- Switch ---------------- Load Balancer ---
    As you know, one-arm mode requires source NAT and might not be a good fit for applications that use the source IP address to track client usage patterns. PBR avoids this problem but adds other considerations, such as routing complexity, asymmetrical routing for non-load-balanced flows, and VRF support; PBR is not available on VRFs.
    Regards,
    Siva

  • ACE: as firewall and NAT. inbound and outbound originals

    Hi Team,
    This time no load balancing is required.
    Two servers inside (with private IPs) need to communicate with clients and servers on the internet, i.e. internet clients originate inbound traffic to our servers, and our servers also originate connections to some internet servers.
    Both of our servers will work independently for this purpose.
    I have a few ideas to mix and match configs in the ACE. (This was originally working with an FWSM setup.) I would like to hear some sound ideas to achieve this using the ACE only as firewall/router. No plan to load balance at present.
    Regards to all
    SS

    Gilles,
    Inbound traffic and the related reply traffic can be handled with a normal class-map by defining a VIP with a public IP.
    The above real server with a private IP is now going to make a different connection to the internet, i.e.
    outbound traffic and the related reply traffic need handling (no load balancing planned).
    Destination NAT, Static NAT sounds interesting.
    Source NAT, Static NAT sounds interesting. Mixing these sounds very interesting!! I'm looking for sample configs please.
    SS
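One way to build the split described in this thread (a public VIP per server for inbound connections, dynamic source NAT for the connections the servers open themselves, no load balancing). This is an added example, not a configuration from the thread or from Cisco; the addresses (203.0.113.0/24 outside, 10.1.1.0/24 server VLAN), VLAN numbers and object names are all assumed.

```cisco
! Added example, not from the thread. Addresses, VLAN numbers and names are
! assumed. Each inside server gets its own VIP, so there is no balancing
! between them; the single-member serverfarm is what performs the
! destination translation for inbound connections.

! ACE interfaces deny everything by default: only the two VIP ports are
! reachable from outside, and only the server subnet may leave.
access-list OUTSIDE-IN line 10 extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE-IN line 20 extended permit tcp any host 203.0.113.11 eq 443
access-list INSIDE-OUT line 10 extended permit ip 10.1.1.0 255.255.255.0 any

rserver host SRV1
  ip address 10.1.1.1
  inservice
rserver host SRV2
  ip address 10.1.1.2
  inservice

serverfarm host SF-SRV1
  rserver SRV1
    inservice
serverfarm host SF-SRV2
  rserver SRV2
    inservice

! Inbound: one public VIP per server
class-map match-all VIP-SRV1
  2 match virtual-address 203.0.113.10 tcp eq 443
class-map match-all VIP-SRV2
  2 match virtual-address 203.0.113.11 tcp eq 443

policy-map type loadbalance first-match LB-SRV1
  class class-default
    serverfarm SF-SRV1
policy-map type loadbalance first-match LB-SRV2
  class class-default
    serverfarm SF-SRV2

policy-map multi-match PM-OUTSIDE-IN
  class VIP-SRV1
    loadbalance vip inservice
    loadbalance policy LB-SRV1
  class VIP-SRV2
    loadbalance vip inservice
    loadbalance policy LB-SRV2

! Outbound: connections originated by the servers are PATed to one public
! address taken from the pool defined on the outside VLAN
class-map match-all SERVERS-OUT
  2 match source-address 10.1.1.0 255.255.255.0

policy-map multi-match PM-INSIDE-OUT
  class SERVERS-OUT
    nat dynamic 1 vlan 300

interface vlan 300
  description outside
  ip address 203.0.113.2 255.255.255.0
  nat-pool 1 203.0.113.20 203.0.113.20 netmask 255.255.255.255 pat
  access-group input OUTSIDE-IN
  service-policy input PM-OUTSIDE-IN
  no shutdown

interface vlan 200
  description inside; the ACE is the servers' default gateway
  ip address 10.1.1.254 255.255.255.0
  access-group input INSIDE-OUT
  service-policy input PM-INSIDE-OUT
  no shutdown

ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

The ACE is stateful, so replies to the outbound flows are matched against the NAT translation and do not need their own ACL entries. Keep the inbound ACL limited to the VIP ports: the access-group is the only thing standing between the internet and the real servers once the ACE replaces the FWSM.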

  • ARDAgent - Application Firewall: allow incoming connections alert won't stop

    Hello,
    after having updated the Remote Desktop Client from 3.8 to 3.8.2, users have to allow (or deny) incoming connections within the Firewall settings
    WHENEVER starting /System/Library/CoreServices/RemoteManagement/ARDAgent.app, especially when logging in or starting /Applications/Remote\ Desktop.app (Admin),
    ALTHOUGH
    /System/Library/CoreServices/RemoteManagement/ARDAgent.app is locked in the Firewall Settings AND/or
    "Automatically allow signed software to receive incoming connections" is checked (enabled).
    When switching to a standard user (not an admin), he also can/must allow or deny, and the Firewall Settings are modified correspondingly.
    My questions so far are:
    Why does the existing Firewall setting not apply when (re-)starting the ARDAgent.app daemon?
    Is ARDAgent.app (since version 3.8.2) not signed software?
    This behaviour occurs on OS X 10.10.1 _and_ OS X 10.10.2.
    Many thanks for any approach to overcome the problem, and kind regards from Munich (GER).

    I was fighting with this 'till now.
    This is what I did:
    Remove ARDagent.app from /System/Library/CoreServices/RemoteManagement
    Remove it from the list in Firewall preferences.
    Disable Firewall.
    Reboot.
    Install OSX 10.10.2 combo-update.
    Reboot.
    Manually add ARDAgent.app from /System/Library/CoreServices/RemoteManagement to the allowed rules in the Firewall settings.
    Enable Firewall.
    Update to ARD Client v3.8.2 v1.1 from the App Store.
    Reboot.
    Here, the annoying firewall message has gone. I hope it will work for you too.
    I know it's a bit raw and it can be done in a more sophisticated way... But I have no time to deal with this kind of sh*t!
    Cheers.

  • Application Firewall settings and OSX 10.5.2 Server

    I recently upgraded our servers at work to 10.5 and then performed the upgrade to 10.5.2. Now I have a service that's having issues connecting to another computer and my thought is that it might be the new firewall that's causing the issue. However, when I went to change the settings, I couldn't find the control for it as described.
    I'm looking for it at System Preferences -> Security. I'm only seeing two tabs on this page, General and FileVault. I do not see a tab for Firewall anywhere.
    Help would be appreciated.
    Thanks

    Hi Ian,
    Go to http://www.apple.com/server/documentation/ and download the NetworkServices_Adminv10.5.pdf manual. Information on the Firewall and its configuration are in there. Most everything you need to know about running Leopard OS X Server is on that page. The rest is in these forums and at http://www.afp548.com and http://osx.topicdesk.com for starters.
    Good luck with your new server software.
    Larry

  • Ask the Expert: Configuration and Troubleshooting the Cisco Application Control Engine (ACE) load balancer

    With Ajay Kumar and Telmo Pereira 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuration and troubleshooting the Cisco Application Control Engine (ACE) load balancer with Cisco experts Ajay Kumar and Telmo Pereira. The Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is a next-generation load-balancing and application-delivery solution. A member of the Cisco family of Data Center 3.0 solutions, the module:
    - Helps ensure business continuity by increasing application availability
    - Improves business productivity by accelerating application and server performance
    - Reduces data center power, space, and cooling needs through a virtualized architecture
    - Helps lower operational costs associated with application provisioning and scaling
    Ajay Kumar is a customer support engineer in the Cisco Technical Assistance Center in Brussels, covering content delivery network technologies including Cisco Application Control Engine, Cisco Wide Area Application Services, Cisco Content Switching Module, Cisco Content Services Switches, and others. He has been with Cisco for more than four years, working with major customers to help resolve their issues related to content products. He holds DCASI and VCP certifications.
    Telmo Pereira is a customer support engineer in the Cisco Technical Assistance Center in Brussels, where he covers all Cisco content delivery network technologies including Cisco Application Control Engine (ACE), Cisco Wide Area Application Services (WAAS), and Digital Media Suite. He has worked with multiple customers around the globe, helping them solve interesting and often highly complex issues. Pereira has worked in the networking field for more than 7 years. He holds a computer science degree as well as multiple certifications including CCNP, DCASI, DCUCI, and VCP.
    Remember to use the rating system to let Ajay know if you have received an adequate response.
    Ajay and Telmo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum Application Networking shortly after the event.
    This event lasts through July 26, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

    Hello Krzysztof,
    Another set of good/interesting questions posted. Thanks! 
    I will try to clarify your doubts.
    In the output below both resources (proxy-connections and ssl-connections rate) are configured with a min percentage of resources (column Min), while 'Max' is set to equal to the min.
    ACE/Context# show resource usage
                                                         Allocation
            Resource         Current       Peak        Min        Max       Denied
    -- outputs omitted for brevity --
      proxy-connections             0      16358      16358      16358      17872
      ssl-connections rate          0        626        626        626      23204
    Most columns are self explanatory, 'Current' is current usage, 'Peak' is the maximum value reached, and the most important counter to monitor 'Denied' represents the amount of packets denied/dropped due to exceeding the configured limits.
    On the resources themselves, Proxy-connections is simply the amount of proxied connections, in other words all connections handled at layer 7 (SSL connections are proxied, as are any connections with layer 7 load balance policies, or inspection).
    So in this particular case for the proxy-connections we see that Peak is equal to the Max allocated, and as we have denies we can conclude that you have surpassed the limits for this resource. We see there were 17872 connections dropped due to that.
    ssl-connections rate should be read in the same manner, however all values for this resource are in bytes/s, except for Denied counter, that is simply the amount of packets that were dropped due to exceeding this resource. 
    For your particular tests you have allocated a min percentage and set max equal to min, this way you make sure that this context will not use any other additional resources.
    If you had set the max to unlimited during resource allocation, ACE would be allowed to use additional resources on top of those guaranteed, if those resources were available.
    This might sound a great idea, but resource planning on ACE should be done carefully to avoid any sort of oversubscription, specially if you have business critical contexts.
    We have a good reference for ACE resource planning that contains also description of all resources (this will help to understand the output better):
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/virtualization/guide/config.html#wp1008224
    1) When a resource is utilized to its maximum limit, the ACE denies additional requests made by any context for that resource. In other words, the action is to Drop. ACE should in theory silently drop (no RST is sent back to the client). So unless we changed something in the code, this is what you should see.
    To give more context, seeing resets with SSL connections is not necessarily a sign of drops, as it is usual to see them during normal transactions.
    For instance, Microsoft servers usually terminate SSL connections ungracefully with a RESET. Also, when there is renegotiation during an SSL transaction you may see RESETs, but this will pass unnoticed by end users.
    2) ACE will simply drop/ignore new connections when we reach the maximum amount of proxied connections for that context. Existing connections will continue.
    As ACE doesn't respond back, the client would simply retransmit, and if he is lucky maybe on the next attempt he will be able to establish the connection.
    To overcome the denies, you will definitely have to increase the resource allocation. This of course, assuming you are not reaching any physical limit of the box.
    As mentioned setting max as unlimited might work for you, assuming there are a lot of unused resources on the box.
    3)  If a new connection comes in with a sticky value, that matches the sticky entry of a real server, which is already in MAXCONNS state, then both the ACE module/appliance should reject the connection and that sticky entry would be removed.
    The client would at that point reestablish a new connection and ACE would associate a new sticky entry with the flow for a new RSERVER after the loadbalancing decision.
    I hope this makes things clearer! Uff...
    Regards,
    Telmo
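The two allocation styles Telmo contrasts (max equal to min versus max unlimited) side by side, as an added example rather than configuration from the thread or from Cisco. Resource classes live in the Admin context and are attached to user contexts with `member`; the class names, percentages and context names here are assumed.

```cisco
! Added example, not from the thread. Names, percentages and contexts are
! assumed. Configured in the Admin context.

! Oversubscribable: the context is guaranteed 10% but may borrow whatever is
! idle on the box. Denied stays at zero while neighbours are quiet and then
! climbs under load when they reclaim their share, which is hard to plan for.
resource-class SILVER-BURST
  limit-resource all minimum 10.00 maximum unlimited
  limit-resource proxy-connections minimum 10.00 maximum unlimited
  limit-resource rate ssl-connections minimum 10.00 maximum unlimited

! Guaranteed and capped: what the context can use is exactly what it is
! promised (the Min and Max columns of "show resource usage" are equal, as in
! the output above), so a spike in one context cannot starve another.
resource-class GOLD-FIXED
  limit-resource all minimum 25.00 maximum equal-to-min
  limit-resource proxy-connections minimum 25.00 maximum equal-to-min
  limit-resource rate ssl-connections minimum 25.00 maximum equal-to-min

context ECOMMERCE
  allocate-interface vlan 100
  member GOLD-FIXED

context INTRANET
  allocate-interface vlan 200
  member SILVER-BURST
```

Check the sum of the minimums across every class with `show resource allocation` in the Admin context; it cannot exceed 100%. Inside a context, a non-zero Denied column for a capped resource is the signal to raise that context's minimum rather than to flip it to unlimited, because unlimited only moves the failure to whichever context loses the race for spare capacity.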

  • ACE - Balance HTTP and sticky only SSL/TLS

    Hi there,
    I have a situation that I am trying to solve. We have a lot of services going through the ACE, but now I have to modify one of them, the PROXY servers.
    I have six (6) servers working with Sticky, but with a MASK of 255.255.255.0, which sometimes produces an unbalanced situation and affects some servers depending on how many users are connected to that server. We have between 40K and 50K conns in that serverfarm, but in Sticky terms we have around 700 /24 subnets.
    I want to modify the configuration, specifically the MASK to 255.255.255.255, which is going to increase Sticky resources a lot. But thinking of optimizing Sticky resources, I want to know if there is a way to select only e-commerce, Home Banking or other kinds of SSL/TLS traffic (always using port 80 through the proxy servers), so I could use Sticky only for connections that need it, and leave other HTTP traffic without this feature.
    I'm sorry, maybe I'm asking a silly question, but I don't have the experience to make this configuration, and I will appreciate your help.
    Here is the current configuration:
    probe tcp HTTP
      description Keepalive web servers
      interval 20
      passdetect interval 30
    rserver host Server1
      ip address 10.1.1.1
      inservice
    rserver host Server2
      ip address 10.1.1.2
      inservice
    rserver host Server3
      ip address 10.1.1.3
      inservice
    rserver host Server4
      ip address 10.1.1.4
      inservice
    rserver host Server5
      ip address 10.1.1.5
      inservice
    rserver host Server6
      ip address 10.1.1.6
      inservice
    serverfarm host PRX
      failaction purge
      predictor leastconns
      probe HTTP
      rserver Server1
        inservice
      rserver Server2
        inservice
      rserver Server3
        inservice
      rserver Server4
        inservice
      rserver Server5
        inservice
      rserver Server6
        inservice
    sticky ip-netmask 255.255.255.0 address source sticky-PRX
      timeout 60
      serverfarm PRX
    class-map match-any VIP-PRX
      2 match virtual-address 10.10.10.101 tcp eq www
    policy-map type loadbalance first-match POLICY-L7-PRX
      class class-default
        sticky-serverfarm sticky-PRX
    policy-map multi-match PRX-Balance
      class VIP-PRX
        loadbalance vip inservice
        loadbalance policy POLICY-L7-PRX
        loadbalance vip icmp-reply
    interface vlan 100
      ip address 10.10.10.11 255.255.255.0
      alias 10.10.10.10 255.255.255.0
      peer ip address 10.10.10.12 255.255.255.0
      no normalization
      access-group output SOLO-SLB
      service-policy input PRX-Balance
    Thanks
    Alexis
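One way to apply /32 stickiness only to TLS sessions tunnelled through the proxies, as an added example built on the configuration posted above (it is not from the thread or from Cisco). A browser opens a TLS session through an HTTP proxy by sending a CONNECT request, so classifying on the method of the first request separates the traffic Alexis wants pinned from the rest. The new sticky group and class-map names are assumed, and the `method` keyword of `match http url` is taken from the ACE class-map documentation; verify it on your release before deploying.

```cisco
! Added example, not from the thread. Only the pieces that change relative to
! the configuration above are shown; VIP-PRX, PRX and PRX-Balance stay as is.
! Assumed: sticky group and class-map names, and the "method" keyword of
! "match http url" (per ACE class-map type http loadbalance syntax).

! Per-client (/32) sticky, used only where a session really must stay on one
! proxy: the client is tunnelling TLS (e-commerce, home banking) through it.
sticky ip-netmask 255.255.255.255 address source sticky-PRX-TLS
  timeout 60
  serverfarm PRX

! Layer 7 classification on the HTTP method of the first request
class-map type http loadbalance match-any L7-CONNECT
  2 match http url .* method CONNECT

! CONNECT -> sticky /32 entry; anything else -> plain leastconns, no entry
policy-map type loadbalance first-match POLICY-L7-PRX
  class L7-CONNECT
    sticky-serverfarm sticky-PRX-TLS
  class class-default
    serverfarm PRX
```

Two side effects to size for before switching this on. First, as soon as the loadbalance policy contains a Layer 7 class, every connection through VIP-PRX is proxied by the ACE and counts against the proxy-connections resource of the context; with 40K to 50K concurrent connections, check the Denied column of `show resource usage` after the change. Second, sticky entries are now created per client address rather than per /24, so the sticky resource grows with the number of distinct clients doing CONNECT, not with the number of subnets.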

    You might want to check out this new product called ITD.
    Simple and faster solution:
    ITD provides :
    ASIC based multi-terabit/s L3/L4 load-balancing at line-rate
    No service module or external L3/L4 load-balancer needed. Every N7k port can be used as load-balancer.
    Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
    Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
    IP-stickiness
    Resilient (like resilient ECMP)
    VIP based L4 load-balancing
    NAT (available for EFT/PoC). Allows non-DSR deployments.
    Weighted load-balancing
    Load-balances to large number of devices/servers
    ACL along with redirection and load balancing simultaneously.
    Bi-directional flow-coherency. Traffic from A-->B and B-->A goes to same node.
    Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
    Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
    The servers/appliances don’t have to be directly connected to N7k
    Monitoring the health of servers/appliances.
    N + M redundancy.
    Automatic failure handling of servers/appliances.
    VRF support, vPC support, VDC support
    Supported on both Nexus 7000 and Nexus 7700 series.
    Supports both IPv4 and IPv6
    N5k / N6k support : coming soon
    Blog
    At a glance
    ITD config guide
    Email Query or feedback:[email protected]

  • ACE 4710, reverse proxy?

    Hello All,
    Please forgive my ignorance, but can the ACE appliance behave as a reverse proxy for http and ssl traffic? I would assume it can given how it does SLB, but SLB is not a requirement at this time. Thanks for your input.

    Hi Mate,
    The reverse proxy servers can perform many tasks, like:
    Note: this info from Wikipedia: http://en.wikipedia.org/wiki/Reverse_proxy
    Reverse proxies can hide the existence and characteristics of the origin server(s). The ACE will do that.
    Application firewall features can protect against common web-based attacks. Without a reverse proxy, removing malware or initiating takedowns, for example, can become difficult. The ACE has some built-in security features; you can refer to this document for full detail:
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/security/guide/securgd.html
    In the case of secure websites, the SSL encryption is sometimes not performed by the web server itself, but is instead offloaded to a reverse proxy that may be equipped with SSL acceleration hardware. The ACE can do this:
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/ssl/guide/sslgd.html
    A reverse proxy can distribute the load from incoming requests to several servers, with each server serving its own application area. In the case of reverse proxying in the neighborhood of web servers, the reverse proxy may have to rewrite the URL in each incoming request in order to match the relevant internal location of the requested resource. The ACE can do that perfectly.
    A reverse proxy can reduce load on its origin servers by caching static content, as well as dynamic content. Proxy caches of this sort can often satisfy a considerable amount of website requests, greatly reducing the load on the origin server(s). Another term for this is web accelerator. A reverse proxy can optimize content by compressing it in order to speed up loading times. Please check this link for more detail about ACE Application Acceleration and Optimization:
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/app_acc_and_opt/guide/appaccoptgd.html
    Best regards,
    Ahmad

  • ACE 30 waits for TCP ACK

    Hi,
    I'd like to solve a problem which occurs when our client communicates with an http server through the ACE SM. See picture attached.
    The problem is that the http response from the server (200 OK) is divided into two packets. Both packets are sent by the backend http server in rapid succession.
    The ACE forwards the first packet, but then waits for the ACK from the client. Only then does it send the second one. It takes about 200ms until the client sends the ACK.
    One transaction consists of hundreds of such http requests. It means that the whole transaction takes approx. 25 seconds when it is balanced by the ACE. When I connect directly to the backend server the transaction takes approx. 5 seconds.
    I'm quite sure the problem is not related to the TCP window.
    Is there any parameter on the ACE which should affect this behaviour (waiting for the ACK before the second packet is sent)?
    Petr

    Hi Petr,
    Since your issue is solved now, You might want to check out this new product called ITD.

  • ACE as Reverse Proxy

    Can ACE function as reverse proxy without the ACE Web application Firewall?

    Hi,
    If you configure source NAT on all of the client traffic, the ACE will act more or less like a reverse proxy requesting the data from the server using the configured NAT IP instead of the client original one.
    Just keep in mind that the ACE won't ever do any caching whatsoever so you can forget about it if this is what you are looking for.
    Regards,
    Nicolas
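The source-NAT arrangement Nicolas describes, and the one-arm design Siva discusses in the "Cisco ACE and firewall design" thread above, in one configuration. This is an added example, not configuration from either thread or from Cisco; the addresses, VLAN number and object names are assumed, and it also adds the X-Forwarded-For insertion that addresses Siva's caveat about applications that need the client address.

```cisco
! Added example, not from the threads. Addresses, VLAN and names are assumed:
! the ACE hangs off one VLAN (one-arm), the firewall/router at 10.10.10.1 is
! its default gateway, and the real servers sit on another subnet behind that
! router, so their replies would bypass the ACE unless the source is NATed.

access-list ANY line 10 extended permit ip any any

rserver host WEB1
  ip address 10.20.0.11
  inservice
rserver host WEB2
  ip address 10.20.0.12
  inservice

serverfarm host SF-WEB
  rserver WEB1
    inservice
  rserver WEB2
    inservice

class-map match-all VIP-WEB
  2 match virtual-address 10.10.10.100 tcp eq www

policy-map type loadbalance first-match LB-WEB
  class class-default
    serverfarm SF-WEB
    ! Source NAT hides the client address from the servers; hand it to the
    ! application in a header instead. %is expands to the client source IP.
    insert-http X-Forwarded-For header-value "%is"

policy-map multi-match ONE-ARM
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy LB-WEB
    ! Rewrite the client source to the pool address on this VLAN so the
    ! server's reply is routed back to the ACE rather than to the client.
    nat dynamic 1 vlan 100

interface vlan 100
  ip address 10.10.10.11 255.255.255.0
  nat-pool 1 10.10.10.50 10.10.10.50 netmask 255.255.255.255 pat
  access-group input ANY
  service-policy input ONE-ARM
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.10.1
```

The header is only as trustworthy as the path to the servers: a client can send its own X-Forwarded-For, so the application must take the value the ACE adds (the one closest to it) and accept that header from the NAT pool address only. Adding `insert-http` also turns the policy into a Layer 7 one, which means every connection through VIP-WEB is proxied and counted against the context's proxy-connections resource.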

  • ACE Load balancing FTP connections.

    I have my ACE blade (running A1(4d) ) currently set-up to static nat to an FTP server.
    I have tried setting up a sticky SLB VIP for FTP across this server and an additional box but firewall in front of the ACE throws the connections.
    It appears that the servers are responding directly to the clients when in SLB and so the control connection has the wrong IP (real vs. VIP)
    How do I set this up so that it works?

    Here's the relevant config, IPs changed to protect the innocent.
    probe ftp FTP_DL
      description FTP Probe
      expect status 220 220
    rserver host HTTPDL_01
      ip address 10.2.200.21
      inservice
    rserver host HTTPDL_02
      ip address 10.2.200.22
      inservice
    serverfarm host Download_FTP
      probe FTP_DL
      rserver HTTPDL_01
        inservice
      rserver HTTPDL_02
        inservice
    sticky ip-netmask 255.255.255.255 address both FTP_DL
      timeout 10
      replicate sticky
      serverfarm Download_FTP
    class-map match-any FTP_DL
      3 match virtual-address A.A.A.A any
    policy-map type loadbalance first-match FTP_DL
      class class-default
        sticky-serverfarm FTP_DL
    policy-map multi-match FTP_Download
      class FTP_DL
        loadbalance vip inservice
        loadbalance policy FTP_DL
    interface vlan 200
      description Back End Connection
      ip address 10.2.200.2 255.255.255.0
      alias 10.2.200.1 255.255.255.0
      peer ip address 10.2.200.3 255.255.255.0
      no normalization
      service-policy input ICMP_ALLOW_POLICY
      no shutdown
    interface vlan 300
      description ACE to Firewall
      ip address 10.3.100.252 255.255.255.0
      alias 10.3.100.254 255.255.255.0
      peer ip address 10.3.100.253 255.255.255.0
      no normalization
      service-policy input FTP_Download
      no shutdown
    There is an active/passive cluster of firewalls in front of the ACE and all the VIPs are Public IPs from our class C range which are routed through from the firewalls.
    The vlan300 interface on the ACE is in a transport VLAN with the back end FW interfaces. The vlan200 interface is on the same VLAN as the rservers.
    If I change the class map to
      match virtual-address A.A.A.A tcp eq ftp
    I see the data connections being bounced on the inside interface of the firewall as they are not matched to the VIP.

  • Cant seem to upgrade ACE 4710

    Hello, I need some assistance upgrading a 4710. This is a brand new ACE out of the box and I have tried to upgrade a couple of times but get the same error. Here are the details:
    switch/Admin# copy ftp://10.0.0.1/c4710ace-t1k9-mz.A5_2_2.bin image:
    Enter the destination filename[]? [c4710ace-t1k9-mz.A5_2_2.bin]
    File already exists, do you want to overwrite?[y/n]: [y] y
    Enter username[]? ace
    Enter the file transfer mode[bin/ascii]: [bin]
    Enable Passive mode[Yes/No]: [Yes]
    Password:
    Passive mode on.
    Hash mark printing on (1024 bytes/hash mark).
    EXT3-fs error (device hdb2): ext3_new_block: Allocating block in system zone - block = 163843
    Aborting journal on device hdb2.
    ext3_abort called.
    EXT3-fs error (device hdb2): ext3_journal_start_sb: Detected aborted journal
    Remounting filesystem read-only
    local: /mnt/cf/c4710ace-t1k9-mz.A5_2_2.bin: Read-only file system
    switch/Admin#
    ext3_reserve_inode_write: aborting transaction: Journal has aborted in __ext3_journal_get_write_access
    EXT3-fs error (device hdb2) in ext3_reserve_inode_write: Journal has aborted
    ext3_abort called.
    EXT3-fs error (device hdb2): ext3_journal_start_sb: Detected aborted journal
    Remounting filesystem read-only
    EXT3-fs error (device hdb2) in ext3_ordered_commit_write: Journal has aborted
    Buffer I/O error on device loop3, logical block 1238
    Buffer I/O error on device loop3, logical block 745
    Aborting journal on device loop3.
    journal commit I/O error
    ext3_abort called.
    EXT3-fs error (device loop3): ext3_journal_start_sb: Detected aborted journal
    Remounting filesystem read-only
    EXT3-fs error (device loop3) in start_transaction: Journal has aborted
    EXT3-fs error (device loop3) in start_transaction: Journal has aborted
    EXT3-fs error (device loop3) in start_transaction: Journal has aborted
    And it keeps going on with this message.
    I also tried tftp and I get the same thing:
    switch/Admin#
    switch/Admin# show ver
    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright (c) 1985-2012 by Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    Software
      loader:    Version 0.95.1
      system:    Version A5(1.2) [build 3.0(0)A5(1.2) adbuild_19:38:58-2012/01/17_/auto/adbure_nightly4/renumber/rel_a5_1_2_throttle/REL_3_0_0_A5_1_2]
      system image file: (hd0,1)/c4710ace-t1k9-mz.A5_1_2.bin
      Device Manager version 5.1 (0) 20111215:1009
      installed license: no feature license is installed
    Hardware
      cpu info:
        Motherboard:
            number of cpu(s): 2
        Daughtercard:
            number of cpu(s): 16
      memory info:
        total: 6225528 kB, free: 4270140 kB
        shared: 0 kB, buffers: 10864 kB, cached 0 kB
      cf info:
        filesystem: /dev/hdb2
        total: 861668 kB, used: 621592 kB, available: 196304 kB
    last boot reason:  Unknown
    configuration register:  0x1
    switch kernel uptime is 0 days 15 hours 1 minute(s) 1 second(s)
    switch/Admin#
    switch/Admin#
    switch/Admin# copy tftp: image:
    Enter source filename[]? c4710ace-t1k9-mz.A5_2_2.bin
    Enter the destination filename[]? [c4710ace-t1k9-mz.A5_2_2.bin]
    File already exists, do you want to overwrite?[y/n]: [y] y
    Address of remote host[]? 10.0.0.1
    Trying to connecEXT3-fs error (device hdb2): ext3_free_blocks_sb: t to tftp serverbit already cleared for block 6144......
    Aborting journal on device hdb2.
    ext3_abort called.
    EXT3-fs error (device hdb2): ext3_journal_start_sb: <2>EXT3-fs error
    TFTP get oper(ation failed:Readd-only file systeem
    vice hdb2): ext3_free_blocks_sb: bit already cleared for block 6145
    switch/Admin# ready cleared for block 6146cks_sb: bit al
    EXT3-fs error (device hdb2): ext3_free_blocks_sb: bit already cleared for block 6147
    EXT3-fs error (device hdb2): ext3_free_blocks_sb: bit already cleared for block 6148
    EXT3-fs error (device hdb2): ext3_free_blocks_sb: bit already cleared for block 6149
    EXT3-fs error (device hdb2): ext3_free_blocks_sb: bit already cleared for block 6150
    EXT3-fs error (device hdb2): ext3_free_blocks_sb: bit already cleared for block 6151
    EXT3-fs error (device hdb2): ext3_free_blocks_sb: bit already cleared for block 6152
    EXT3-fs error (device hdb2): ext3_free_blocks_sb: bit already cleared for block 6153
    EXT3-fs error (device hdb2): ext3_free_blocks_sb: bit already cleared for block 6154
    EXT3-fs error (device hdb2): ext3_free_blocks_sb: bit already cleared for block 6155
    ext3_reserve_inode_write: aborting transaction: Journal has aborted in __ext3_journal_get_write_access<2>EXT3-fs error (device hdb2) in ext3_reserve_inode_write: Journal has aborted
    EXT3-fs error (device hdb2) in ext3_truncate: Journal has aborted
    ext3_reserve_inode_write: aborting transaction: Journal has aborted in __ext3_journal_get_write_access<2>EXT3-fs error (device hdb2) in ext3_reserve_inode_write: Journal has aborted
    EXT3-fs error (device hdb2) in ext3_orphan_del: Journal has aborted
    ext3_reserve_inode_write: aborting transaction: Journal has aborted in __ext3_journal_get_write_access<2>EXT3-fs error (device hdb2) in ext3_reserve_inode_write: Journal has aborted
    EXT3-fs error (device hdb2) in ext3_delete_inode: Journal has aborted
    ext3_abort called.
    EXT3-fs error (device hdb2): ext3_journal_start_sb: Detected aborted journal
    Remounting filesystem read-only
    Buffer I/O error on device loop3, logical block 1238
    Buffer I/O error on device loop3, logical block 749
    Aborting journal on device loop3.
    journal commit I/O error
    ext3_abort called.
    EXT3-fs error (device loop3): ext3_journal_start_sb: Detected aborted journal
    Remounting filesystem read-only
    EXT3-fs error (device loop3) in start_transaction: Journal has aborted
    EXT3-fs error (device loop3) in start_transaction: Journal has aborted
    EXT3-fs error (device loop3) in start_transaction: Journal has aborted
    EXT3-fs error (device loop3) in start_transaction: Journal has aborted
    EXT3-fs error (device loop3) in start_transaction: Journal has aborted
    EXT3-fs error (device loop3) in start_transaction: Journal has aborted
    What am I doing wrong... Any help is much appreciated.
    Please rate useful posts and remember to mark any solved questions as answered. Thank you.       

    Hi Bilal,
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/administration/guide/managesw.pdf
    read section
    Reformatting the ACE Appliance Flash Memory
    After you reformat the Flash memory, perform the following actions:
    • Reinstall the ACE appliance software image by using the copy image: command (see the Release Note, Cisco ACE 4700 Series Application Control Engine Appliance).
    • Reinstall the ACE appliance license by using the license install command (see Chapter 4, Managing ACE Software Licenses).
    • Import the startup and running-configuration files into the associated context by using the copy command (see the “Copying Configuration Files from a Remote Server” section).
    • Import SSL certificate files and key pair files into the associated context by using the crypto import command (see the SSL Guide, Cisco ACE Application Control Engine).
    Hope that helps.
    regards
    Ajay Kumar

  • TCL scripted probes on ACE

    Hi,
    I have two questions about TCL scripts on ACE:
    1. TCL source code
    How can I browse the TCL source code of predefined probe scripts on the ACE (for instance HTTPCONTENT_PROBE)?
    2. Script parameters
    How do I retrieve in the TCL script the parameters passed to the script in the command < script script_name [script_arguments] >  ?
    Thank you,
    Yves

    Yves,
    you can download all the scripts from the download software page.
    http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=A2%283.2%29&mdfid=280557289&sftType=Application+Control+Software+Scripts&optPlat=&nodecount=2&edesignator=null&modelName=Cisco+ACE+Application+Control+Engine+Module&treeMdfId=268437639&treeName=Application+Networking+Services&modifmdfid=null&imname=&hybrid=Y&imst=N&lr=Y
    # Copyright (c) 2005-2008 by Cisco Systems, Inc.
    # debug procedure
    # set the EXIT_MSG environment variable to help debug
    # also print the debug message when debug flag is on
    proc set_exit_msg { msg } {
        global debug ip port EXIT_MSG
        set EXIT_MSG $msg
        if { [ info exists ip ] && [ info exists port ] } {
            set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
        }
        if { [ info exists debug ] && $debug } {
            puts $EXIT_MSG
        }
    }
    # main
    # Parse cmd line args and initialize variables
    set_exit_msg "initializing variable"
    if { $argc <  2 } {
        # usage text reconstructed from the argument parsing below; the original line was cut off
        set_exit_msg "[ info script ] parameters : requestHeader expectFileType \[ debug \]"
        exit 30002
    }
    # realIP / realPort are supplied by the ACE probe framework for the server under test
    set ip $scriptprobe_env(realIP)
    set port $scriptprobe_env(realPort)
    # If port is zero then use well known HTTP port 80
    if { $port == 0 } {
        set port 80
    }
    # script arguments in the order given on the "script" probe command line
    set requestHeader [ lindex $argv 0 ]
    set expectFileType [ lindex $argv 1 ]
    set debug [ lindex $argv 2 ]
    if { $debug == "" } {
        set debug 0
    }
    # Open connection
    set_exit_msg "opening socket"
    set sock [ socket $ip $port ]
    # Send HTTP request to server
    set_exit_msg "sending request : $requestHeader"
    puts -nonewline $sock "$requestHeader\n\n"
    flush $sock
    # Read string back from server
    set_exit_msg "receiving response"
    set lines [ read $sock ]
    # Close connection
    set_exit_msg "closing socket"
    close $sock
    # Parse the HTTP response
    # All the following conditions cause probe failure, returning exit code 30002
    # Unable to recognize the HTTP response
    if { ![ regexp -nocase "^HTTP/1\.\[0-9\] (\[0-9\]\[0-9\]\[0-9\])" $lines match statuscode ] } {
        set_exit_msg "probe fail : can't find status code"
        exit 30002
    }
    # HTTP response is not 200 OK
    if { $statuscode != "200" } {
        set_exit_msg "probe fail : status code is $statuscode"
        exit 30002
    }
    # Unable to find Content-type header
    # \[^\n\]* keeps the capture on the header line; a bare (.*) would run on to the
    # last newline of the whole response, because "." also matches newline in Tcl
    if { ![ regexp -nocase "Content-Type *:(\[^\n\]*)\n" $lines match foundContentType ] } {
        set_exit_msg "probe fail : can't find \'Content-Type\' header"
        exit 30002
    }
    # Content-type value does not contain the requested string
    if { ![ regexp "$expectFileType" $foundContentType ] } {
        set_exit_msg "probe fail : expect content-type \'$expectFileType\', but got \'$foundContentType\'"
        exit 30002
    }
    # Indicate probe success with exit code 30001
    set_exit_msg "probe success"
    exit 30001
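    The decision logic of the HTTPCONTENT_PROBE script above, rewritten in Python as an added example (this is not Cisco's code and not part of the original reply). It keeps the same four checks and the same 30001/30002 outcome codes, but scores the response from the header block only, so a body that merely mentions the expected content type cannot pass the probe. The HTTP responses are constructed for the example, and the `run_probe` network wrapper, host, port and request string are assumptions for illustration.

```python
"""Stand-in for the ACE HTTPCONTENT_PROBE decision logic (added example)."""
import re
import socket
from typing import Optional, Tuple

PROBE_SUCCESS = 30001  # ACE scripted-probe outcome code: server passes
PROBE_FAIL = 30002     # ACE scripted-probe outcome code: server fails

# Status line "HTTP/1.x NNN ..." must open the response, as in the Tcl script.
STATUS_RE = re.compile(r"^HTTP/1\.[0-9] ([0-9]{3})", re.IGNORECASE)
# Header value capture stops at the end of its own line.
CONTENT_TYPE_RE = re.compile(r"^Content-Type *:(.*)$", re.IGNORECASE | re.MULTILINE)


def header_block(raw: str) -> str:
    """Return the status line and headers only (everything before the first blank line)."""
    for sep in ("\r\n\r\n", "\n\n"):
        if sep in raw:
            return raw.split(sep, 1)[0]
    return raw  # headers only, no body


def status_code(raw: str) -> Optional[str]:
    m = STATUS_RE.match(raw)
    return m.group(1) if m else None


def content_type(raw: str) -> Optional[str]:
    """Content-Type value taken from the header block, never from the body."""
    m = CONTENT_TYPE_RE.search(header_block(raw))
    return m.group(1).strip() if m else None


def evaluate_response(raw: str, expect_file_type: str) -> Tuple[int, str]:
    """Mirror the probe's checks; returns (outcome_code, EXIT_MSG-style text)."""
    code = status_code(raw)
    if code is None:
        return PROBE_FAIL, "probe fail : can't find status code"
    if code != "200":
        return PROBE_FAIL, f"probe fail : status code is {code}"
    found = content_type(raw)
    if found is None:
        return PROBE_FAIL, "probe fail : can't find 'Content-Type' header"
    # The Tcl script treats expectFileType as a regular expression; keep that behaviour.
    if not re.search(expect_file_type, found):
        return PROBE_FAIL, f"probe fail : expect content-type '{expect_file_type}', but got '{found}'"
    return PROBE_SUCCESS, "probe success"


def run_probe(ip: str, port: int, request_header: str, expect_file_type: str,
              timeout: float = 5.0) -> Tuple[int, str]:
    """Network wrapper (assumed, not run offline): send the request, read the reply, score it."""
    if port == 0:
        port = 80  # same default as the ACE script
    chunks = []
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.sendall((request_header + "\r\n\r\n").encode("ascii"))  # CRLF line endings
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError as exc:
        return PROBE_FAIL, f"probe fail : {exc}"
    return evaluate_response(b"".join(chunks).decode("latin-1"), expect_file_type)


# Constructed responses for the example (not captured from a real server).
SAMPLE_OK = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html></html>"
SAMPLE_404 = "HTTP/1.0 404 Not Found\r\nContent-Type: text/html\r\n\r\nmissing"
SAMPLE_NO_CT = "HTTP/1.1 200 OK\r\nServer: demo\r\n\r\n"
# Header says JSON, body happens to mention "text/html": a header-only check must still fail.
SAMPLE_BODY_LEAK = 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{"hint": "text/html"}'

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("404", SAMPLE_404),
                         ("no-ct", SAMPLE_NO_CT), ("body-leak", SAMPLE_BODY_LEAK)):
        print(name, evaluate_response(sample, "text/html"))
```

    The outcome code is returned rather than passed to `sys.exit`, because the 30001/30002 values are interpreted by the ACE probe framework; a normal shell would truncate them to eight bits.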
