ACE ACL issue

Hello
I am trying to allow access to one of the ACE contexts from an out-of-band (OOB) network. I'd like to secure it so that nothing from the ACE side is able to connect to the OOB network, while some particular hosts have access to the ACE context via SSH.
I have already configured the appropriate management class-map that secures SSH access to the ACE, but I have a problem securing the opposite direction. I've configured an ACL that denies all IP and ICMP traffic and applied it in the outbound direction of the management VLAN.
Unfortunately I can still ping and access some resources in the OOB network from the ACE context.
Do you know what else I should do to make it work?
Thanks in advance for any help.
Regards
Lucas

Hello
Thanks. I've checked it from a different VLAN and in fact the ACL does not allow the traffic to pass through the ACE. I also observed that modifications made to the ACL do not affect already established sessions.
Do you know of any recommendations regarding management access design in an ACE environment? I am wondering whether it is more recommended to implement one management VLAN for all the ACE contexts or one management VLAN per context.
Thank you for the answer.
Regards
Lucas

Similar Messages

  • ACE Configuration Issue.

    We would like to configure the ACE like below:
    the virtual IP address and port like this:
    10.10.10.10:8000; this IP address will be used by outside users to request the service,
    and we have to configure the server farm like below:
    real servers 10.10.10.1:8001, 10.10.10.1:8002, 10.10.10.1:8003 ...
    The IP address is the same in the 10.10.10.10:8000 serverfarm, but the real server service (port) is different, and these ports should be load balanced and health-checked.
    Is this a possible solution? On F5 BIG-IP and Nortel it is possible, but I don't know about the above issue on ACE.
    If you are OK with it, could you give me a sample configuration?

    page 2....
    Also I forgot to tell you to:
    8. create a resource-class
    9. create a context other than the Admin context if you need multiple contexts:
    (inside the context add the resource class)
    10. class-map type management (for remote access)
    as follows:
    Kindly find a config sample as follows:
    ACE/Admin# sh run
    Generating configuration....
    resource-class ABCD_Resource
      limit-resource all minimum 5.00 maximum unlimited
      limit-resource sticky minimum 5.00 maximum unlimited
    boot system image:c4710ace-mz.A3_2_1.bin
    hostname ACE
    context Admin
      member ABCD_Resource
    access-list everyone line 10 extended permit icmp any any
    access-list everyone line 20 extended permit ip any any
    access-list for-cap line 8 extended permit ip any any
    probe http HTTP-Probe
      port 8000
      interval 2
      faildetect 2
      passdetect interval 15
      request method head
    probe icmp ICMP-Probe
      interval 2
      faildetect 2
      passdetect interval 60
    probe tcp TCP-8000
      port 8000
      interval 2
      faildetect 2
      passdetect interval 15
      passdetect count 2
      open 1
    rserver host A
      ip address 10.10.10.1
      inservice
    rserver host B
      ip address 10.10.10.2
      inservice
    rserver host C
      ip address 10.10.10.3
      inservice
    rserver host D
      ip address 10.10.10.4
      inservice
    serverfarm host SF-8000-1
      probe ICMP-Probe
      probe TCP-8000
      rserver A 8000
        inservice
      rserver B 8000
        inservice
    serverfarm host SF-8000-2
      probe HTTP-Probe
      probe ICMP-Probe
      probe TCP-8000
      rserver C 8000
        inservice
      rserver D 8000
        inservice
    class-map match-all L4-CLASS-REDIRECT-1
      2 match virtual-address 10.10.60.10 tcp eq www
    class-map match-all VIP-PORT-8000-1
      2 match virtual-address 10.10.60.10 tcp eq https
    class-map match-all VIP-PORT-8000-2
      2 match virtual-address 10.10.60.12 tcp eq https
    class-map type management match-any remote-mgmt
      10 match protocol ssh any
      20 match protocol telnet any
      30 match protocol icmp any
      40 match protocol http any
      50 match protocol https any
    class-map match-any server-initiated
      3 match source-address 10.10.10.4 255.255.255.255
      4 match source-address 10.10.10.3 255.255.255.255
    policy-map type management first-match remote-access
      class remote-mgmt
        permit
    policy-map type loadbalance first-match VIP-POLICY-8000-1
      class class-default
    policy-map multi-match Service-Policy-8000-1
      class VIP-PORT-8000-1
        loadbalance vip inservice
        loadbalance policy VIP-POLICY-8000-1
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 60
      class L4-CLASS-REDIRECT-1
        loadbalance vip inservice
        loadbalance policy VIP-POLICY-8000-1
    policy-map multi-match Service-Policy-8000-2
      class VIP-PORT-8000-2
        loadbalance vip inservice
        loadbalance policy VIP-POLICY-8000-2
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 60
        ssl-proxy server SSL-Offload-Proxy-2
    policy-map multi-match server-side
      class server-initiated
        nat dynamic 1 vlan 60
    interface vlan 10
      description APPPROD-Client-Vlan
      bridge-group 10
      mtu 1500
      access-group input everyone
      access-group output everyone
      service-policy input remote-access
      no shutdown
    interface vlan 30
      description management-vlan-interface
      ip address 10.10.30.22 255.255.255.0
      access-group input everyone
      access-group output everyone
      service-policy input remote-access
      no shutdown
    continued page 3......

  • Standby cisco ACE loadbalancer issues (network connectivity)

    Hi ALL,
    We are having issues with the secondary (standby) ACE load balancer module on a 6500 switch. We see that the load balancer is not able to get onto the network, which leads to problems with fault tolerance as well. Following is the FT status found on the load balancer for one of the contexts (this is the same pattern seen on all the contexts).
    switch/Admin# sh ft group status
    FT Group                     : 1
    Configured Status            : in-service
    Maintenance mode             : MAINT_MODE_OFF
    My State                     : FSM_FT_STATE_ACTIVE
    Peer State                   : FSM_FT_STATE_UNKNOWN
    Peer Id                      : 1
    No. of Contexts              : 1
    Sh arp on all the contexts shows the gateway/rservers to be unreachable. Please find the output below for one of the contexts (the same pattern is seen on the LB for all other contexts).
    switch/1_Context# sh arp
    Context CSD_Context
    ================================================================================
    IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  NextArp(s) Status
    ================================================================================
    172.21.128.97   00.00.00.00.00.00  vlan942   GATEWAY    -                   dn
    172.21.128.103  00.0b.fc.fe.1b.09  vlan942   ALIAS      LOCAL     _         up
    172.21.128.105  00.12.43.dc.93.23  vlan942   INTERFACE  LOCAL     _         up
    7.0.0.4         00.0b.fc.fe.1b.09  vlan943   NAT        LOCAL     _         up
    - 7.0.0.6
    172.21.147.196  00.0b.fc.fe.1b.09  vlan943   ALIAS      LOCAL     _         up
    172.21.147.198  00.12.43.dc.93.24  vlan943   INTERFACE  LOCAL     _         up
    172.21.147.200  00.00.00.00.00.00  vlan943   RSERVER    -       * 3 req     dn
    172.21.147.202  00.00.00.00.00.00  vlan943   RSERVER    -       * 2 req     dn
    172.21.147.204  00.00.00.00.00.00  vlan943   RSERVER    -                   dn
    172.21.147.206  00.00.00.00.00.00  vlan943   RSERVER    -                   dn
    172.21.147.208  00.00.00.00.00.00  vlan943   RSERVER    -       * 3 req     dn
    172.21.147.210  00.00.00.00.00.00  vlan943   RSERVER    -       * 2 req     dn
    172.21.147.212  00.00.00.00.00.00  vlan943   RSERVER    -       * 1 req     dn
    172.21.147.214  00.00.00.00.00.00  vlan943   RSERVER    -       * 1 req     dn
    172.21.147.216  00.00.00.00.00.00  vlan943   RSERVER    -       * 3 req     dn
    7.0.0.1         00.0b.fc.fe.1b.09  vlan943   NAT        LOCAL     _         up
    - 7.0.0.3
    The problem is that we see this only on the secondary load balancer; the primary is running fine.
    Also I can see some traffic denial in the Admin context for resource usage:
    switch/Admin# sh resource usage
                                                         Allocation
            Resource         Current       Peak        Min        Max       Denied
    Context: Admin
      conc-connections              9          9     160000    6560000          0
      mgmt-connections              0         46       2000      82000          0
      proxy-connections             0          4      20972     859830          0
      xlates                        0          0      20972     859830          0
      bandwidth                     0   17715713   10000000  535000000    5799749
        throughput                  0   17710993   10000000  410000000    5799749
        mgmt-traffic rate           0       4720          0  125000000          0
      connection rate               0         43      20000     820000          0
      ssl-connections rate          0          0        100       4100          0
      mac-miss rate                 0          1         40       1640          0
      inspect-conn rate             0          0        120       4920          0
      acl-memory                56336      56336    1570072   64460552          6
      sticky                        0          0      83886          0          0
      regexp                        0          0      20972     859832          0
      syslog buffer             82944      82944      82944    3447808          0
      syslog rate                   0         44       2000      82000         25
    Context: INTEGRATION_Context
      conc-connections              0       3934     160000          0          0
      mgmt-connections              0         98       2000          0          0
      proxy-connections             0         33      20972          0          0
      xlates                        0          0      20972          0          0
      bandwidth                     0   10019910   10000000  125000000      40857
        throughput                  0   10000000   10000000          0      40857
        mgmt-traffic rate           0      19910          0  125000000          0
      connection rate               0         49      20000          0          0
      ssl-connections rate          0          0        100          0          0
      mac-miss rate                 0         32         40          0          0
      inspect-conn rate             0         58        120          0          0
      acl-memory                11920      11920    1570072          0          0
      sticky                        0          1      83886          0          0
      regexp                        0          0      20972          0          0
      syslog buffer                 0      82944      82944    3447808          0
      syslog rate                   0        312       2000          0          0
    These above 2 contexts are the only ones which have bandwidth resource usage exceeding the limit, but I somehow am not sure if this is the issue, as there is just no traffic on the secondary. Then how can the bandwidth reach the threshold? Can anyone throw some light on this issue?
    thanks and regards
    kiran

    vlan on Standby_ACE switch
    svclc multiple-vlan-interfaces
    svclc module 1 vlan-group 1,4,12,13,
    svclc vlan-group 1  968
    svclc vlan-group 12  132
    svclc vlan-group 13  367-372,374,375,379,380,538,805,807,808,818,913,915
    svclc vlan-group 13  917-920,922-924,933,934,937,938,942-949,972,976-979,983
    svclc vlan-group 13  984
    ip subnet-zero
    no ip source-route
    vlans on standby ACE
    switch/Admin# sh vlans
    Vlans configured on SUP for this module
    vlan132  vlan360  vlan367-375  vlan379-380  vlan538  vlan805  vlan807-808  vlan818  vlan913  vlan915  vlan917-920  vlan922-924  vlan930  vlan933-934  vlan937-938  vlan942-949  vlan968  vlan971-972  vlan976-979  vlan983-984
    switch/Admin#
    Active_LB_host_switch is the switch hosting the active ACE; it is connected on Ten7/4 and Ten8/4, which are bundled into port-channel Po72.
    CDP neighbor hosting the active ACE
    Active_LB_host_switch
                     Ten 7/4           148          R S I     WS-C6513  Ten 7/4
    Active_LB_host_switch
                     Ten 8/4           156          R S I     WS-C6513  Ten 8/4
    Po72 allows all the VLANs which are configured for the ACE modules.
    Port                Vlans allowed on trunk
    Po72                132,140,181,359-383,538,668,702,805-808,815-816,818-820,836,907,909-920,922-925,929-935,937-949,967-973,976-984,987,3212
    VLAN 968 is the FT VLAN and the same has been allowed on the trunk port.
    Everything looks good to me, but I am still not sure why the ACE module isn't coming onto the network. It was working fine a few months back, but all of a sudden it lost network connectivity. I am not even able to ping the physical IP of the ACE module.
    thanks and regards
    kiran

  • PLM Web UI ACM/ACL issue

    Hi All,
    I am configuring PLM Business package/ Web UI in portal. Version EHP4. (PLM Web UI)
    Every screen (Material, BOM) is giving me the error "Authorizations are missing". I know this is a trusted user issue.
    I provided the role "SAP_PLMWUI_TRUSTED_USER_ALL" in the ECC system.
    How can I fix the problem? Which roles do I need to assign to resolve the problem? FYI, Documents are working fine, because documents are not part of ACM.
    2. I am looking into SAP Help for authorizations, but there are no detailed steps to set up ACM/ACL.
    3. How can I generate the Root Context? There is a program we can run in SE38, but before that I need to assign the Context Admin role in IMG. Which role do I need to assign as Context Admin?
    I appreciate your help. Thanks in Advance.
    Regards
    Mark

    administrator can set up the whitelist in Customizing for SAP NetWeaver under SAP
    Web Application Server Web Dynpro ABAP Set-Up Active Controls Whitelist .
    o The whitelist has to be named DEFAULT.
    o File Extension
    All files of this type can be executed in an external program by using the
    Customizing option %auto%. For more information see Customizing for Logistics
    General under Product Lifecycle Management PLM Web User Interface
    Objects Document in PLM Web UI Define Workstation Application
    o Application
    Enter applications to be used for viewing or editing a file.
    o Download
    Enter at least one directory and one server. The system opens the directory and
    all subdirectories for the download.
    o Upload
    Enter at least one directory and one server. The system opens the directory and
    all subdirectories for the upload.
    Make an entry for each option (File Extension, Application, Download,
    Upload).
    o Find the correct server name for upload and download
    Working with a local whitelist in a SAP system requires a certificate for the system used.
    The administrator must download the certificate using transaction WDR_ACF_GEN_CERT.
    Alternatively, the administrator can create the new certificate in Customizing for SAP
    NetWeaver under Application Server Web Dynpro ABAP Generate Certificate for
    Whitelist
    3. Each user has to install the certificate using transaction ACF_WHITELIST_SETUP.
    Alternatively, the user can install the certificate via Customizing for SAP NetWeaver
    under Application Server Web Dynpro ABAP Activate Active Controls Whitelist .
    o The provided list of whitelists is only for display reasons. The certificate is always
    installed for the DEFAULT whitelist.
    o You have to install the certificate after each change of the DEFAULT whitelist

  • ACE FTP issues with "inspect ftp"

    Hello.
    My clients want to access an FTP server via ACE, and I am having some issues. They can log in and issue only one command; the second command is not accepted, and after a few seconds the prompt shows the message "connection closed by remote host".
    I have sniffed the traffic and I see that the connection between the client and the ACE has strange behaviour, because the ACE opens the data connection using a source port of 1039 (it should be 20, since we are using an active mode client); between the ACE and the real server it runs in active mode (I see normal ftp-data packets).
    Another strange thing is that I have FWSMs and they let traffic pass from the ACE to the client (they should expect traffic coming from port 20 and not 1039).
    I am doing source NAT and the ACE is doing all the necessary changes on source IP addresses.
    Has anyone seen similar behaviour?
    Any help would be appreciated.
    Attached I send my config and the traffic capture.
    Thanks in advance.
    Joao Ribau
    P.S. - client is 10.1.44.98; VIP is 10.1.9.150; real server 10.1.36.124

    Hello.
    I didn't mention this before, but the gateway of all my networks is an ACE that is load balancing traffic to two firewall clusters. I think this is not important because I have a "catch all" VIP on all my interfaces; I assume that the ACE forwards traffic with no restrictions or inspections, leaving the inspection job to the firewalls and to the ACE that I use to load balance services.
    I don't think this could be the problem, but just to make sure I decided to post it.
    Best regards,
    Joao Ribau.
    P.S. - my configs on the ACE that load balances traffic to the firewalls are very straightforward: serverfarms (interfaces of the firewalls), a class-map with a "catch-all" VIP, a policy-map for the serverfarm, a policy-map to tie the class to the serverfarm and finally a service-policy applied to each interface.

  • ACE Reconciliation issue

    Hi,
    The ACE Reconciliation Task scheduler is not creating events on OIM, and we can see that users are being pulled in from the ACE servers (through the RM logs); also the task status remains as Running forever.
    Can someone please suggest or recommend a way to debug this issue?
    Thanks

    Have you tried increasing the logging level to debug and checked the logs?

  • Acl issue in L3 Switch SVI

    HI
    I hope a number of issues like this have been reported already. I am getting confused about the direction of an ACL when it is on a router's physical interface versus when it is on a Layer 3 switch SVI interface. I think my understanding of ACLs needs to be cleared up; I need your kind input please.
    I have a L3 switch with 3 vlans
    Vlan 1 - Routing-Vlan (Connecting to another network directly) - 172.16.1.254 /24 (connect to another router some where in in another network on 172.16.1.1/24)
    Vlan 10 - Server-Vlan - 172.16.10.1/24
    Vlan 11 - User-Vlan - 172.16.11.1/24
    I want to allow only a specific network to come inside my network and access all the subnets; everything else must be blocked.
    I want everyone in my network to be able to access anything outside the network.
    I tried to configure the ACL as below:
    access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
    int vlan 1
    ip add 172.16.1.1 255.255.255.0
    ip access-group 101 in
    When I am trying from outside (172.16.100.1):
    Ping 172.16.10.1 - Good (expected)
    Ping 172.16.11.1 - NOT (expected)
    When I am trying to ping from inside the Server-Vlan (172.16.10.1):
    Ping 172.16.100.1 - Good
    The problem:
    When I am trying to ping from inside the User-Vlan (172.16.11.1) to go outside to 172.16.100.1, I am not getting a reply.
    What is going wrong in this scenario?
    regards
    Sunny

    Hi Jon,
    I was working on the ACL for the above issue. I have found the below things:
    int vlan 1
    description Routing vlan
    ip address 172.16.1.1 255.255.255.0
    ip access-group 110 in
    int vlan 10
    description server vlan
    ip address 172.16.10.1 255.255.255.0
    int vlan 11
    description Users
    ip address 172.16.11.1 255.255.255.0
    ip access-group 100 in
    The ACLs applied on vlan 10 and 11 are inbound in direction, so, as we mentioned before, the traffic coming from each vlan (172.16.10.x or 172.16.11.x) can be filtered at the SVI itself. In fact I needed to put the statement below in bold to be able to ping its own gateway.
    access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255
    access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.11.0 0.0.0.255
    access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.100.0 0.0.0.255
    access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.101.0 0.0.0.255
    And for filtering the traffic coming from outside, I had to put the ACL on interface vlan 1 and apply it in the INBOUND direction.
    access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
    access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.11.0 0.0.0.255
    access-list 110 permit ip 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255
    access-list 110 permit ip 172.16.101.0 0.0.0.255 172.16.11.0 0.0.0.255
    What I understood:
    For vlan 10 or 11, if I apply it outbound, it means the traffic coming from outside and destined to the inside of that vlan.
    For vlan 10 or 11, if I apply it inbound, it means the traffic coming from inside of that vlan and destined to the outside.
    But for vlan 1, which is the routing vlan connecting to the other network, the behaviour is just the reverse:
    If I apply it inbound, it means the traffic coming into that vlan interface from outside.
    If I apply it outbound, it means the traffic going out through that interface.
    So I didn't apply any ACL in the outbound direction as of now.
    Dear Jon, thanks for taking the time to describe the scenario in detail before.
    Please check this and let me know whether my conclusion is correct or whether there is anything left to be in the loop again...!!!
    Thanks and Regards
    Sunny
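
The direction confusion in the two posts above comes down to where an SVI ACL is evaluated: `in` on the SVI whose subnet the packet arrives from (the routing SVI for outside sources), `out` on the SVI the packet leaves through, and a ping only succeeds if both the echo request and the echo reply pass. The evaluator below is an added example, not something from the thread: it parses the posters' own numbered ACLs (wildcard masks, first match, implicit deny), models the three SVIs from the post, and replays the pings; the `.50` host addresses are constructed, and router-originated packets are treated as unfiltered, as IOS does for outbound ACLs.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
# SVI addresses from the post; each /24 is that SVI's directly connected subnet.
SVI_ADDRESSES = {
    "vlan1": ipaddress.ip_interface("172.16.1.1/24"),
    "vlan10": ipaddress.ip_interface("172.16.10.1/24"),
    "vlan11": ipaddress.ip_interface("172.16.11.1/24"),
}
ROUTING_SVI = "vlan1"  # anything not directly connected is reached via the routing VLAN
SVI_IPS = {iface.ip for iface in SVI_ADDRESSES.values()}

@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _endpoint(tokens: list[str]) -> ipaddress.IPv4Network:
    """Consume 'any' or 'A.B.C.D W.W.W.W' (IOS wildcard, assumed contiguous) into a prefix."""
    addr = tokens.pop(0)
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def parse_acls(config: str) -> dict[str, list[Ace]]:
    """Collect 'access-list <n> permit|deny ip <src> <dst>' lines into numbered ACLs."""
    acls: dict[str, list[Ace]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        rest = t[4:]
        acls.setdefault(t[1], []).append(Ace(t[2], _endpoint(rest), _endpoint(rest)))  # src, dst
    return acls

def acl_permits(acl: list[Ace], src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    """First match wins; an unmatched packet hits the implicit 'deny ip any any'."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False

def svi_for(ip: ipaddress.IPv4Address) -> str:
    for svi, iface in SVI_ADDRESSES.items():
        if ip in iface.network:
            return svi
    return ROUTING_SVI

@dataclass
class Switch:
    acls: dict[str, list[Ace]]
    bindings: dict[tuple[str, str], str] = field(default_factory=dict)  # (svi, "in"|"out") -> ACL

    def forward(self, src: str, dst: str) -> str | None:
        """Trace one packet: None if delivered, else the ACL binding that dropped it."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in SVI_IPS:  # router-originated packets (e.g. its own echo replies) are not filtered
            return None
        # 'in' is checked where the packet enters: the SVI owning the source subnet, or the
        # routing SVI for outside sources. 'out' is checked on the SVI it leaves through.
        checks = [(svi_for(s), "in")]
        if d not in SVI_IPS:  # packets addressed to the switch itself have no egress SVI
            checks.append((svi_for(d), "out"))
        for svi, direction in checks:
            number = self.bindings.get((svi, direction))
            if number is not None and not acl_permits(self.acls[number], s, d):
                return f"{number} {direction} on {svi}"
        return None

    def ping(self, src: str, dst: str) -> tuple[bool, str]:
        """A ping is an echo request src->dst plus an echo reply dst->src; both must pass."""
        for name, a, b in (("request", src, dst), ("reply", dst, src)):
            dropped = self.forward(a, b)
            if dropped:
                return False, f"echo {name} dropped by {dropped}"
        return True, "reply received"

# Sunny's first attempt: ACL 101 inbound on the routing SVI only.
FIRST_CONFIG = "access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255\n"
FIRST_BINDINGS = {("vlan1", "in"): "101"}
# The reworked design from the follow-up: 110 inbound on vlan 1, 100 inbound on vlan 11
# (the 172.16.101.0/24 lines of the post are omitted here; they follow the same pattern).
SECOND_CONFIG = """
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.11.0 0.0.0.255
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.11.0 0.0.0.255
"""
SECOND_BINDINGS = {("vlan1", "in"): "110", ("vlan11", "in"): "100"}

if __name__ == "__main__":  # replay the post's pings; the .50 host addresses are constructed
    first = Switch(parse_acls(FIRST_CONFIG), FIRST_BINDINGS)
    for src, dst in [("172.16.100.1", "172.16.10.50"), ("172.16.100.1", "172.16.11.50"),
                     ("172.16.10.50", "172.16.100.1"), ("172.16.11.50", "172.16.100.1")]:
        print(f"{src} -> {dst}: {first.ping(src, dst)[1]}")
```

The trace shows why the user VLAN lost its replies in the first design: the echo request leaves through vlan 1 unfiltered, but the echo reply from 172.16.100.1 re-enters on vlan 1 inbound, where ACL 101 only permits traffic towards 172.16.10.0/24.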

  • ACE MAXCONNS issue

    Hi,
    This is with regards to my customer who is facing the following problem with Maxconns – “we are using TCP probes and MaxConn and MinConn are used to determine when a server is busy or not.
    If the MaxConn is exceeded then busy server trips in and stops when the number of TCP sessions drop below MinConn.
    However, we have a situation where if MaxConn is exceeded counting of TCP connections stops and the connections never come down.”
    Customer has A2(1.4a) currently deployed in its network. On perusing the release notes I came across this bug CSCsy30440/CSCsy04371 - ACE: rservers may not accept conns even though they are out of maxconns. I am wondering if this is the issue that they might be facing currently.
    Will this issue be resolved for them if I recommend that they move to A2(1.6a) or A2(2.3) release ?
    Is there a workaround for this other than configuring a backup serverfarm which my customer already has configured? Would it make a difference if they used HTTP probes instead of TCP probes?
    Also is there a way to simulate the connection count behavior using HTTP probes?
    Would really appreciate some help with this issue.
    Thanks & Regards
    Vidhya Nair

    Vidhya,
    you have to open a tac service request so that we can collect the necessary information with the lbinspect tool.
    If you don't want to do any troubleshooting, simply upgrade to the latest version and see if that helps.
    Gilles.

  • ACE deploying issue

    Hi,
    I have a question regarding deploying configurations to the ACE with ANM. I presume it should deploy in a few seconds, but for me it takes 8 to 10 minutes. Can anyone suggest why this is taking so much time?
    Thanks in advance.

    Do you have a large config? How many contexts?
    Is there an issue with the connection between the ANM server and the ACE (low bandwidth, ...)?
    Did you install ANM on an approved server (one that meets the minimum requirements)?
    Is the ACE correctly discovered by ANM?
    Keep us posted.

  • ACE Sticky issue.

    Hi,
    The Sticky function of the ACE is not working. No changes have been made on the device; it was working fine before but not now.
    We have 2 ACEs: one is Active (ACE1) and the second one is Standby (ACE2).
    Testing done till now:
    ================
    1) Did the failover from Active (ACE1) to Standby (ACE2).
    When ACE2 was Active, Sticky started working fine without any issues.
    2) When I did the failover again back from ACE2 to ACE1, the problem arises: Sticky doesn't work any more.
    Any suggestion about this strange behaviour?
    Thanks in advance.
    Regards
    Alex.

    What version do you run ?
    What type of sticky method ?
    Could you get a
    - show np 1 me-stats "-slb"
    and a
    - show np 2 me-stats "-slb"
    Possibly get 2 occurrences, one before and one after a test.
    Thanks,
    Gilles.

  • ACE: buffer issue?

    Hi all,
    I implemented an ACE for "ACCOUNTCRM", and an event background job is triggered to update the trace table whenever an account is created. However, I notice that the results returned are incorrect, due to some buffer issue, I suspect.
    My scenario is that an agent in group A is only allowed to see accounts in group A (based on certain criteria). If the agent creates an account in the WebUI which does not meet the ACE rule, this new account should not appear in any account search result list. But in my implementation, the new account is shown in the result list, which is wrong.
    I tried to trace using the ACE simulator and I got the correct result list. And if I launch a WebUI to do the account creation, then log off or use another session to do the searching, the correct result list is displayed. However, if I create the account, followed by searching for the account in the same WebUI session, then the result list is wrong.
    Anyone encountered such problem?
    cheers,
    ginnie

    solved by adding ACE general parameter.
    cheers,
    ginnie

  • ACE/GSS issue

    I am having an odd issue with a client's GSS/ACE setup. They have two data centers. Each has two ACE appliances running in active/standby and one GSS. The GSS appliances are in an active/standby setup as well. When they run on the primary GSS and ACE in their one data center, all the sites respond and work properly. However, when we tell the GSS to use the other ACE appliances, everything works except their main website. The main website uses KAL-AP by VIP for the keepalive method. When I look at the GSS monitoring, it says 'offline (load: 255)'. I have looked through the configuration of the GSS for the Answers to both locations and there aren't any differences. Secure KAL-AP is configured on the ACE appliances at both locations and it looks like it is communicating with the GSS without any issues.
    Here is something else I noticed. I checked the GSS while writing this post and noticed the primary GSS is showing offline (load: 255) for the main site for this client. However, the standby GSS is showing online for this site.
    I am really not sure where to go with this issue, so any suggestions are appreciated.
    TIA,
    Dan


  • Robocopy ACL Issue

    Hello,
    I am trying to copy a folder from one server to another using Robocopy in Windows 2008.  The security permissions on the folder (ACLs) are not copying properly.
    Folder Details:
    Folder #1 on Server A has the following ACLs: Domain Admin -> Full Control, UserX -> Full Control
    When I use robocopy with the /copyall parameter and copy Folder #1 from Server A to Server B, it is missing the "UserX" permission under the security tab. The parent folder on Server B does not have inheritance turned on and its security is set to Domain Admin -> Full Control. Why aren't my security/ACLs (namely the permissions for UserX) copying properly?
    Thanks in advance,
    D

    I came across this thread because I have been researching the very same issue. Likewise I am running Windows Server 2008 X64 SP2 on both servers.
    Be wary of those who throw out suggestions to check your syntax, yet are not intimately familiar with this issue. Many people making such suggestions often do not know what the different versions of Robocopy are, what limitations each version has, how to get each version or what has changed syntax-wise from version to version. Yet they talk with authority. This has always been and will always be part of open public forums. Of course we should always look at our syntax. However this seems to be an issue with the new version of Robocopy.
    I haven't hammered the solution down yet, but here are some things to try:
    1) Note that many people on other forums are saying that if the source has inheritance turned on, then Robocopy will not copy the permissions over, especially those at the root of a drive. Others have suggested turning off inheritance on the source. I don't like that solution. I turn on inheritance for a reason.
    2) I have tried copying one level down from the root with some success. For example, instead of this:
    Robocopy.exe \\server1\e$  e:   /TEE /S /E /COPY:DATS /PURGE /R:1 /W:1 (or whatever your parameters are...)
    try going down one level...
    Robocopy.exe \\server1\e$\folder1  e:\folder1   /TEE /S /E /COPY:DATS /PURGE /R:1 /W:1
    I don't like this solution either. It is so much simpler to copy from the root of one drive to the root of another drive on another server. I don't want to have to do extra scripting to gather the names of the folders one level below the root and then add For Loops to my script.
    3) In some forums people are suggesting to use Robocopy to copy data and icacls.exe to handle the permissions, at least on the root. I plan to explore this option next. Once again, I don't like the solution. I expect Robocopy to be able to handle this.
    Of course I'll eat my shoe if it turns out that Robocopy works just fine and I simply don't have the right syntax.
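    The thread above never shows how to find out which ACEs actually went missing after a /COPYALL run. The following PowerShell function is an added example, not code from either poster: it walks the source tree and the destination tree in parallel, compares the explicit (non-inherited) ACEs of every folder and file, and separately reports inherited entries and the inheritance flag, because inherited ACEs are never copied as ACEs (they come from the destination parent, exactly the point raised in suggestion 1 above). /COPYALL is shorthand for /COPY:DATSOU. The paths in the usage line are placeholders.

```powershell
# Added example (not from the thread): report which ACEs differ between a
# Robocopy source tree and its destination tree.
# Paths used in the usage line at the bottom are placeholders.

function Get-AceKey {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    # Flatten one ACE into a comparable string.
    '{0}|{1}|{2}|{3}|{4}' -f $Rule.IdentityReference.Value,
        $Rule.FileSystemRights, $Rule.AccessControlType,
        $Rule.InheritanceFlags, $Rule.PropagationFlags
}

function Compare-FolderAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    $srcRoot = (Resolve-Path -LiteralPath $Source).ProviderPath.TrimEnd('\')
    $dstRoot = (Resolve-Path -LiteralPath $Destination).ProviderPath.TrimEnd('\')

    # The root itself plus everything below it (hidden items included).
    $items = @(Get-Item -LiteralPath $srcRoot) +
             @(Get-ChildItem -LiteralPath $srcRoot -Recurse -Force)

    foreach ($item in $items) {
        $rel     = $item.FullName.Substring($srcRoot.Length)
        $dstPath = $dstRoot + $rel
        if (-not (Test-Path -LiteralPath $dstPath)) {
            [pscustomobject]@{ Path = $rel; Finding = 'MissingOnDestination'; Ace = $null }
            continue
        }
        $srcAcl = Get-Acl -LiteralPath $item.FullName
        $dstAcl = Get-Acl -LiteralPath $dstPath

        # Explicit ACEs are the ones /COPYALL (/COPY:DATSOU) is expected to reproduce.
        $srcExplicit = @($srcAcl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { Get-AceKey $_ })
        $dstExplicit = @($dstAcl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { Get-AceKey $_ })
        foreach ($k in $srcExplicit) {
            if ($dstExplicit -notcontains $k) {
                [pscustomobject]@{ Path = $rel; Finding = 'ExplicitAceMissing'; Ace = $k }
            }
        }

        # Inherited ACEs are not copied; they are whatever the destination parent
        # grants, so a difference here points at the parent folder, not at Robocopy.
        $srcInherited = @($srcAcl.Access | Where-Object { $_.IsInherited } | ForEach-Object { Get-AceKey $_ })
        $dstInherited = @($dstAcl.Access | Where-Object { $_.IsInherited } | ForEach-Object { Get-AceKey $_ })
        foreach ($k in $srcInherited) {
            if ($dstInherited -notcontains $k) {
                [pscustomobject]@{ Path = $rel; Finding = 'InheritedAceMissing'; Ace = $k }
            }
        }

        # Inheritance switched on at one end and off at the other changes the
        # effective permissions even when every explicit ACE matches.
        if ($srcAcl.AreAccessRulesProtected -ne $dstAcl.AreAccessRulesProtected) {
            [pscustomobject]@{ Path = $rel; Finding = 'InheritanceFlagMismatch'
                               Ace  = "source protected=$($srcAcl.AreAccessRulesProtected) destination protected=$($dstAcl.AreAccessRulesProtected)" }
        }
    }
}

# Usage with placeholder paths (run from an account that can read both ACLs):
# Compare-FolderAcl -Source '\\server1\e$\folder1' -Destination 'E:\folder1' | Format-Table -AutoSize
```

    Run it once before and once after the copy with the same parameters: an entry tagged ExplicitAceMissing for UserX on the copied folder is the symptom described at the top of the thread, while InheritedAceMissing entries are expected whenever the destination parent (Domain Admin only, inheritance off) grants less than the source parent did.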

  • ACE slowness issue when one server goes down

    Hi,
    We have two application servers. Both are load balanced using ACE.
    When we bring down one server, we find that uploading files to the second application server is too slow.
    But when the primary server comes up again the performance increases. This issue happens only when we bring the primary server down.
    We are using cookie-based stickiness. Any ideas where we can look?
    Rgds.,
    Sachin

    Depending on the load-balancing algorithm or predictor that you configure, the ACE performs a series of checks and calculations to determine which server can best service each client request. The ACE bases server selection on several factors including the source or destination address, cookies, URLs, HTTP headers, or the server with the fewest connections with respect to load.
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/slb/guide/classlb.html

  • ACE redirection issue

    Hi, we have our main website https://abc.com and it provides links to users for various applications. If I go to https://abc.com and click the link xyz on it, I get back to the main page again and current connections drop to 0. Here my browser should be redirected to https://abc.com/xyz, which is not happening. Traffic is getting tunneled to https://abc.com as seen in the logs in http catcher.
    But if I type https://abc.com/xyz in the browser, I go to the correct page.
    Below is my configuration. Please let me know if any other configuration is needed. The config below is with 2 links, but actual production has many links.
    I have a similar issue for another application where links on the main page cannot be accessed. That application works on http instead of https.
    rserver redirect xyz
      inservice
      webhost-redirection "https://abc.com/xyz"
    rserver redirect uvw
      inservice
      webhost-redirection "https://abc.com/uvw"
    rserver host abc
      ip address 1.1.1.1
      inservice
    serverfarm redirect xyz
      rserver xyz
        inservice
    parameter-map type http case_param
      case-insensitive
      no persistence-rebalance
      ! (I also tried enabling it)
      set header-maxparse-length 65535
      set content-maxparse-length 65535
      length-exceed continue
    parameter-map type ssl abc
      cipher RSA_WITH_3DES_EDE_CBC_SHA
    ssl-proxy service abc
      key abc
      cert abc
      ssl advanced-options abc
    serverfarm redirect uvw
      rserver uvw
        inservice
    serverfarm host abc
      rserver abc
        inservice
    class-map type http loadbalance match-any map1
      match http url /xyz.*
    ! the post listed this second class-map as "map1" too; it is named map2 here
    ! because policy-map ssl-abc below refers to "class map2"
    class-map type http loadbalance match-any map2
      match http url /uvw.*
    policy-map type loadbalance first-match ssl-abc
      class map1
        serverfarm xyz
      class map2
        serverfarm uvw
      class class-default
        serverfarm abc
      class ssl-intranet
        loadbalance vip inservice
        loadbalance policy ssl-abc
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 368
        appl-parameter http advanced-options case_param
        ssl-proxy server abc
    The IP address mentioned for abc.com (1.1.1.1) is on a Cisco CSS (VIP for www.abc.com for internal users) which is serving my internal clients. The CSS then points to the actual server hosting abc.com. The ACE is serving clients coming from the Internet and the CSS is serving my internal clients, which connect with http. Is this problem because of a communication issue between ACE and CSS?
    Can anybody suggest?

    class-map match-all intranet
      2 match virtual-address 198.184.231.7 tcp eq www
    class-map match-all ssl-intranet
      2 match virtual-address 198.184.231.7 tcp eq https
    I have 2 different policy maps: the intranet map redirects to the ssl-intranet map, which then redirects to the individual applications.
    policy-map multi-match external-lb
      class extranet
        loadbalance vip inservice
        loadbalance policy extranet
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 368
        appl-parameter http advanced-options case_param
      class ssl-extranet
        loadbalance vip inservice
        loadbalance policy ssl-extranet
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 368
        appl-parameter http advanced-options case_param
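    The configuration in the two posts above defines the same class-map name twice while its policy-map refers to a name that is never defined, which is the kind of mistake that is easy to miss when a config is long. The following PowerShell function is an added example, not code from the poster or from Cisco: it reads an ACE-style config, records every class-map, policy-map, serverfarm and rserver definition and every place another section refers to one, and reports duplicate definitions and references to undefined objects. The sample config is constructed from the first post (with its duplicate map1 left in so the check has something to find); the multi-match policy-map name intranet-lb is an assumed name, since the post omits that header.

```powershell
# Added example (not from the thread): consistency check for an ACE-style config.
# Only four object kinds are tracked: class-map, policy-map, serverfarm, rserver.

function Test-AceConfig {
    param([Parameter(Mandatory)][string[]]$Lines)

    $defined = @{}                                      # "kind:name" -> number of definitions
    $refs    = New-Object System.Collections.Generic.List[object]
    $context = $null                                    # top-level keyword the indented lines belong to

    foreach ($raw in $Lines) {
        $line = $raw -replace '\s+$', ''
        if ($line -match '^\s*$' -or $line -match '^\s*!') { continue }   # blank or comment
        $indented = $line -match '^\s'
        $tok = @($line.Trim() -split '\s+')

        if (-not $indented) {
            # Top-level object: the object name is the last token of the header line,
            # e.g. "class-map type http loadbalance match-any map1" -> map1.
            $context = $tok[0]
            if ('class-map', 'policy-map', 'serverfarm', 'rserver' -contains $tok[0]) {
                $key = "$($tok[0]):$($tok[-1])"
                $defined[$key] = 1 + [int]$defined[$key]
            }
            continue
        }

        # Indented line: record references to objects that must exist elsewhere.
        $kind = $null; $name = $null
        switch ($tok[0]) {
            'class'       { if ($context -eq 'policy-map' -and $tok[1] -ne 'class-default') { $kind = 'class-map';  $name = $tok[1] } }
            'serverfarm'  { if ($context -eq 'policy-map') { $kind = 'serverfarm'; $name = $tok[-1] } }
            'rserver'     { if ($context -eq 'serverfarm') { $kind = 'rserver';    $name = $tok[1] } }
            'loadbalance' { if ($tok.Count -ge 3 -and $tok[1] -eq 'policy') { $kind = 'policy-map'; $name = $tok[2] } }
        }
        if ($kind) { $refs.Add([pscustomobject]@{ Kind = $kind; Name = $name; Line = $line.Trim() }) }
    }

    foreach ($key in $defined.Keys) {
        if ($defined[$key] -gt 1) {
            [pscustomobject]@{ Finding = 'DuplicateDefinition'; Object = $key; Detail = "$($defined[$key]) definitions" }
        }
    }
    foreach ($r in $refs) {
        if (-not $defined.ContainsKey("$($r.Kind):$($r.Name)")) {
            [pscustomobject]@{ Finding = 'UndefinedReference'; Object = "$($r.Kind):$($r.Name)"; Detail = $r.Line }
        }
    }
}

# Constructed sample, taken from the first post above with the duplicate "map1" kept.
# "intranet-lb" is an assumed policy-map name; the post does not show that header.
$sampleConfig = @'
rserver redirect xyz
  webhost-redirection "https://abc.com/xyz"
  inservice
rserver redirect uvw
  webhost-redirection "https://abc.com/uvw"
  inservice
rserver host abc
  ip address 1.1.1.1
  inservice
serverfarm redirect xyz
  rserver xyz
    inservice
serverfarm redirect uvw
  rserver uvw
    inservice
serverfarm host abc
  rserver abc
    inservice
class-map match-all ssl-intranet
  2 match virtual-address 198.184.231.7 tcp eq https
class-map type http loadbalance match-any map1
   match http url /xyz.*
class-map type http loadbalance match-any map1
   match http url /uvw.*
policy-map type loadbalance first-match ssl-abc
  class map1
    serverfarm xyz
  class map2
    serverfarm uvw
  class class-default
    serverfarm abc
policy-map multi-match intranet-lb
  class ssl-intranet
    loadbalance vip inservice
    loadbalance policy ssl-abc
'@ -split "`r?`n"

Test-AceConfig -Lines $sampleConfig | Format-Table -AutoSize
# For a real device: Test-AceConfig -Lines (Get-Content -LiteralPath '.\ace-context.cfg')
```

    The check relies on the convention that an object's name is the last token of its header line and that references appear on indented lines under a known parent, which holds for the sections shown in these posts; other object kinds (parameter-maps, ssl-proxy services) are deliberately not tracked and would need their own rules.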
