Ace appliance connectivity design

We have a 4710 appliance and want to use it for LB
following the current setup:
firewall, 2950 switch, servers
firewall inside interface is connected to the 2950 switch in vlan 100
all servers are connected to the same switch in vlan 100. The firewall is the default gateway.
We want to connect the ace appliance into this setup. We don't want to use the appliance in routing mode because of the default gateway change for the servers.
How do we get the ace appliance to work in this setup in bridge mode?
I am aware there will be 2 vlans created within ace. In this case one vlan will be 100 and say the second is 200.
vlan 100 will be facing the firewall and 200 will be facing the servers.
Does that mean all switch ports configured for the server vlan should be changed from 100 to 200,
then connect one interface of ace in vlan 100 and the other in 200?
How will the traffic from the servers then reach the default gateway?
There is no intervlan routing there.

The servers should be in vlan 200 and the FW in vlan 100.
These are your switch port settings.
On the appliance you bridge vlan 200 and vlan 100 using a BVI interface.
This way, for the FW and the servers, vlan 200 and vlan 100 are the same.
Here is a bridge config.
interface vlan 30
  bridge-group 30
  no normalization
  access-group input ANY
  nat-pool 1 172.16.1.1 172.16.1.1 netmask 255.255.255.255 pat
  nat-pool 2 10.51.0.77 10.51.0.77 netmask 255.255.255.255 pat
  service-policy input PERMIT-ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 330
  bridge-group 30
  no normalization
  access-group input ANY
  nat-pool 1 172.16.1.1 172.16.1.1 netmask 255.255.255.255 pat
  nat-pool 2 10.51.0.77 10.51.0.77 netmask 255.255.255.255 pat
  service-policy input PERMIT-ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface bvi 30
  ip address 192.168.30.10 255.255.255.0
  peer ip address 192.168.30.11 255.255.255.0
  no shutdown
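The structural rules behind that answer, as an added example (this is not code from the original thread): a small Python script that parses the text of one ACE context's running config and checks the bridge-mode invariants. Each bridge group must have exactly two member VLANs and a BVI of the same number carrying the IP address, every member VLAN and the BVI must be `no shutdown`, no bridged VLAN may carry its own IP address, and each member VLAN needs an input access-group (as the ACL post further down this page notes, without a `permit ip any any` applied as an input access-group nothing transits the ACE). The embedded config is constructed: the answer's config renumbered to the question's VLAN 100 and 200, with the nat-pool and service-policy lines left out; the access-list name ANY, the descriptions and the addresses are assumptions.

```python
"""Structural check of a Cisco ACE bridge-mode (transparent) configuration.

Added example, not code from the original thread. It parses the text of one
context's running configuration and reports violations of the invariants the
bridge-mode answer relies on.
"""
import re
from collections import defaultdict

# Constructed sample: the answer's bridge config renumbered to the question's
# VLANs (100 facing the firewall, 200 facing the servers), without the
# nat-pool and service-policy lines. ACL name and addresses are assumptions.
SAMPLE_CONFIG = """
access-list ANY line 10 extended permit ip any any
interface vlan 100
  description to-firewall
  bridge-group 100
  no normalization
  access-group input ANY
  no shutdown
interface vlan 200
  description to-servers
  bridge-group 100
  no normalization
  access-group input ANY
  no shutdown
interface bvi 100
  ip address 192.168.100.10 255.255.255.0
  peer ip address 192.168.100.11 255.255.255.0
  no shutdown
"""


def parse_config(config):
    """Return ({(kind, number): attrs}, {acl names}) from ACE config text.

    Sub-commands are recognised by their leading indent, as in 'show run'.
    """
    interfaces, acls, current = {}, set(), None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):  # top-level command
            current = None
            m = re.match(r"interface (vlan|bvi) (\d+)\s*$", raw)
            if m:
                current = (m.group(1), int(m.group(2)))
                interfaces[current] = {"bridge_group": None, "shutdown": True,
                                       "acl_in": None, "ip": None}
            else:
                m = re.match(r"access-list (\S+) ", raw)
                if m:
                    acls.add(m.group(1))
            continue
        if current is None:  # sub-command of something we do not model
            continue
        line = raw.strip()
        iface = interfaces[current]
        if line == "no shutdown":
            iface["shutdown"] = False
        elif line.startswith("bridge-group "):
            iface["bridge_group"] = int(line.split()[1])
        elif line.startswith("access-group input "):
            iface["acl_in"] = line.split()[2]
        elif line.startswith("ip address "):
            iface["ip"] = line.split()[2]
    return interfaces, acls


def check_bridge_mode(config):
    """Return a list of findings; an empty list means the invariants hold."""
    interfaces, acls = parse_config(config)
    findings = []
    members = defaultdict(list)  # bridge-group -> member VLAN numbers
    for (kind, num), iface in interfaces.items():
        name = f"{kind} {num}"
        if iface["shutdown"]:
            findings.append(f"{name}: missing 'no shutdown', interface stays down")
        if kind != "vlan" or iface["bridge_group"] is None:
            continue
        members[iface["bridge_group"]].append(num)
        if iface["acl_in"] is None:
            findings.append(f"{name}: no 'access-group input', transit traffic is dropped")
        elif iface["acl_in"] not in acls:
            findings.append(f"{name}: access-group {iface['acl_in']} is not a defined access-list")
        if iface["ip"] is not None:
            findings.append(f"{name}: a bridged VLAN must not carry its own IP address")
    for bg, vlans in members.items():
        if len(vlans) != 2:
            findings.append(f"bridge-group {bg}: expected 2 member VLANs, found {sorted(vlans)}")
        bvi = interfaces.get(("bvi", bg))  # the BVI number must equal the bridge-group number
        if bvi is None:
            findings.append(f"bridge-group {bg}: no 'interface bvi {bg}'")
        elif bvi["ip"] is None:
            findings.append(f"bvi {bg}: no ip address")
    for (kind, num) in interfaces:
        if kind == "bvi" and num not in members:
            findings.append(f"bvi {num}: no VLAN is in bridge-group {num}")
    return findings


if __name__ == "__main__":
    for finding in check_bridge_mode(SAMPLE_CONFIG) or ["bridge-mode config OK"]:
        print(finding)
```

Run it against `show running-config` output pasted into SAMPLE_CONFIG; the checks are purely structural and do not replace verifying that the switch ports were actually moved to vlan 200 and that the firewall still answers ARP for the servers through the bridge.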

Similar Messages

  • Cisco ACE Appliance showing error while boot

    Hello Everyone,
    I intend to Configure two ACE appliance in one arm mode, Post configuration I have tried to test the functionalities of the same.
    Below are the queries which I am having now.
    > Post reboot of the appliance it popped up with the error below, please clarify.
         Starting sysmgr processes.. Please wait...tg3: tg3_reset_hw timed out for eth1, firmware will not restart magic=4b657654
    tg3: tg3_reset_hw timed out for eth1, firmware will not restart magic=4b657654
    Done!!!
    > Please confirm whether SNAT is compulsory for a one-arm mode setup, as our requirement is to load balance only the requests from the clients.
         The reply from the server should go back to the client directly.
    > How can I achieve the HA config without a dedicated port, as I have configured a port channel for all 4 ports. I am not interested in providing a separate port for HA.
    Thanks in advance

    Hi,
    > Please confirm whether SNAT is compulsory for a one-arm mode setup, as our requirement is to load balance only the requests from the clients.
         The reply from the server should go back to the client directly.
    ** Most of the time SNAT is required but it is not a must. For example, you can have the servers connected to a L2 switch, using the ACE as DG, and you probably don't need SNAT.
    The important thing is to have the response of the server going back to the ACE, with or without NAT.
    > How can I achieve the HA config without a dedicated port, as I have configured a port channel for all 4 ports. I am not interested in providing a separate port for HA.
    *** Configure the ft-port vlan command in the port channel. Remember that the FT vlan should be L2, no L3 devices in between the ACEs.
    Cesar R
    ANS Team

  • ACE Module vs ACE Appliance

    Hello,
    What is the difference between the ACE Module and the ACE Appliance? Why is the ACE Module better, or the ACE Appliance? What is the advantage of the Module over the Appliance?
    Can anyone explain this to me?
    Best Regards

    In the past Cisco has been shipping two lines of load balancing products.
    The first line (modules dedicated to the 6500/7600 chassis) includes the CSM, CSM-S and SSLSM (for SSL offloading).
    The other line comprises the appliance-based CSS series products.
    The ACE module is a next-generation module replacing the CSM modules that fits into the 6500/7600 chassis.
    It gives you up to 16Gbps throughput (versus the CSM's 4Gbps throughput).
    The ACE appliance is a next-gen replacement of the CSS line of appliance-based products.
    CSS appliances used to come in different hardware models with varied
    performance capacities. The ACE appliance is a single hardware with various licenses
    used to scale the performance/features. The ACE appliance supports up to 4Gbps of throughput.
    Previously the CSS & CSM code terminologies & command sets were different. For example a real server
    was termed a "service" in CSS & was called a "real" in CSM. Similarly a "probe" in CSM was a "keepalive"
    in CSS.
    With the ACE line of products you get the same terminologies & command sets for both
    modules & appliances.
    The ACE appliance & ACE module are functionality-wise coming closer with every new release, but
    there are still some differences.
    For example the following ACE appliance features are not available in the ACE module:
    Application optimization (FlashForward, Delta Encoding)
    Embedded Device Manager
    HTTP compression
    Which one is better than the other really depends on your requirement.
    From a performance perspective the module gives you much higher performance than the appliance.
    So if performance is your criterion the ACE module is better than the ACE appliance (some performance metrics at the end of the post).
    If you are looking for application optimization & HTTP compression along with load balancing
    then it can only be achieved with the ACE appliance.
    If you are not using 6500/7600 series chassis in your environment then you can only use the ACE appliance
    (unless you are open to buying module+chassis due to performance requirements).
    Some performance metrics:
    ACE appliance supports 1 million concurrent connections whereas ACE module supports 4 million.
    ACE appliance supports 120K L4 conn/sec whereas ACE module supports 380K L4 conn/sec.
    ACE appliance supports 40K L7 conn/sec whereas ACE module supports 133K L7 conn/sec.
    ACE appliance supports up to 4Gbps throughput whereas ACE module supports 16Gbps throughput.
    HTH
    Syed Iftekhar Ahmed

  • CSS and ACE appliance SSL TPS

    Hi,
    Can someone explain how SSL Transactions per second are calculated on CSS and ACE?
    We need to select the appropriate SSL license needed for a future ACE appliance, which is defined in terms of TPS.
    We also currently have a CSS device with an SSL module. Is there any way to find the current SSL TPS info on a CSS device?
    Thank you and regards,
    Jasmina

    What is the method used to calculate SSL TPS requirement.
    example,
    Current: Peak SSL Transactions  6,000
    If I expect a peak concurrent connection of 200,000 what would be the methodology for calculating SSL TPS needs. (Some sample calculation steps would be appreciated.)
    Can I interpret the licensing as follows,
    SSL TPS: SSL Transactions per second: Number of NEW transactions that can be setup by ACE per second. (Does this mean established SSL transactions are not counted by the license, though each of the packets in established transactions require SSL termination!)
    Thanks
    Sri

  • Difference between ACE module and ACE appliance

    Hi All,
    Can someone help me understand the difference between the ACE module and the ACE appliance? I am observing that the ACE module is providing more throughput compared to the ACE appliance. Is the only advantage we are getting with contexts...?
    Thanks in advance,
    Narayana Mallidi

    Hi Narayan,
    Apart from providing throughput, the ACE module has more to offer:
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide_--_ACE_Resource_Limits
    The above link provides a comparison of the ACE module and ACE appliance in terms of scalability. Apart from that, legacy modules won't support compression, but the ACE 30 module can support compression.
    The major advantage of the ACE 30 module is with respect to SSL throughput, SSL TPS, L4 & L7 CPS, & concurrent connections per second, apart from the increased contexts.
    ACE 4710 Data Sheet :
    http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps7027/Data_Sheet_Cisco_ACE_4710.html
    ACE20 Data Sheet
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/product_data_sheet0900aecd8045861b.html
    ACE 30 Data Sheet
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/data_sheet_c78_632383.html
    Regards
    Abijith

  • Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

    Hi,
    I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
    ACS 4.2 has been configured to use both internal and external databases. It's been working fine for a couple of years.
    Recently we bought a Cisco 4710 ACE appliance. When I use an ACS 4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS 4.2. However, if I use an AD username and password, I can't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS 4.2; there was no log regarding the failed attempt. My AD username and password work fine on all other Cisco routers and switches.
    I've posted my AAA configuration of the 4710 ACE below. The ACE is running the latest version A4(1.1). Please help.
    tacacs-server key 7 "xxxxxxxxxxxxx"
    aaa group server tacacs+ tac_admin
      server xx.xx.xx.xx
    aaa authentication login default group tac_admin local
    aaa authentication login console group tac_admin local
    aaa accounting default group tac_admin

    Hi,
    Since the ACS is receiving the request:
    Could you please ensure that in the ACE, on every context (including Admin and the others), you have the following lines:
    tacacs-server host x.x.x.x key 7 "xxx"
    aaa group server tacacs+ tac_admin
       server x.x.x.x
    aaa authentication login default group tac_admin local
    aaa authentication login console group tac_admin local
    aaa accounting default group tac_admin
    On the ACS side, for the group named "Network Administrators" you should configure in the TACACS+ settings:
    1. Shell  (exec) enable
    2. Privilege level 15
    3. Custom attributes:
               shell:Admin*Admin default-domain
        if you have additional  context add next line
              shell:mycontext*Admin  default-domain
    After logging in to the ACE and issuing the sh users command you should see the following:
    User      Context   Line    Login Time    (Location)   Role    Domain(s)
    *adm-x    Admin     pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • ACE 4710 Connectivity ?

    Can the ACE be set up with only one interface configured and not having to place the servers on another interface?
    Some of the "lesser" load balancers have a "Direct Server Return" mode, where requests come in one interface and go out the same interface to the server. This way you don't have to place the servers inline with the LB.
    Any way to do this with the ACE?

    Yes.
    Both ACE module and ACE appliance can be configured in one arm mode.
    For One arm mode you will have to configure source NAT to ensure the server responses are routed via ACE.
    Direct server return is also possible with ACE.
    HTH
    Syed Iftekhar Ahmed

  • Logging user commands in Cisco ACE appliance

    Good afternoon gentlemen
    I need to configure the same as shown below in Cisco ACE Appliance. The requirement is logging all user access login (whether failed or succeeded) and also logging all commands that users issue.
    #IOS commands
    no logging console
    logging buffered 307200 informational
    service timestamps log datetime localtime show-timezone
    logging trap debugging
    login on-failure log
    login on-success log
    archive
       log config
          logging enable
          logging size 500
          hidekeys
          notify syslog contenttype plaintext
    If you guys have an idea please answer.
    Regards
    Christian

    Hello Arun,
    we saw before the message you report, it's probably a symptom of:
    CSCtx03563
    or
    CSCue38032
    I would suggest opening a TAC case to get this properly investigated.
    Kind Regards,
    Francesco

  • How to monitor memory on Cisco ACE Appliance 4710?

    I'm trying to monitor the memory usage on Cisco ACE Appliance 4710 load balancers with version A3(2.2), but the OIDs cpmCPUMemoryUsed (.1.3.6.1.4.1.9.9.109.1.1.1.1.12) and cpmCPUMemoryFree (.1.3.6.1.4.1.9.9.109.1.1.1.1.13) do not work.
    What is the right OID to monitor memory usage on Cisco ACE 4710 Appliance load balancers?

    Hi,
    You need to use CISCO-ENHANCED-SLB-MIB.
    cpmProcExtMemAllocatedRev .1.3.6.1.4.1.9.9.109.1.2.3.1.1 (this gives the memory allocated to each process)
    You can also read up on the mib
    Hope this helps
    Venky

  • ACL's on ACE Appliance

    Hi,
    In the ACE Appliance management remote access examples there is an ACL which has "permit ip any any", but in my test configurations it works fine without this. For example, ICMP is controlled by whether or not there is a matching class-map entry in the management class, and this works whether the ACL is present or not.
    What's the purpose of the "permit ip any any" ACL?
    thanks,
    Andrew.

    I think there is a difference between traffic to the interface and traffic over the interface.
    You can have a working management policy for ssh access and ICMP to the interface but to make sure traffic flows from the client side to the server side you need to allow it.
    So that is where the permit ip any any access-list is necessary, to make sure traffic flows through the ACE. IIRC there will be no traffic flowing through the appliance if you don't have the permit ip any any access-list on the corresponding interfaces.
    The closest thing to this might be on a PIX or ASA. You have the ICMP traffic through the interface controlled by the ACL statements and ICMP traffic towards the interface controlled by the ICMP statement itself.
    I hope that explains it, if I didn't get you wrong.
    If I am writing total BS I will probably get corrected soon. :)
    Roble

  • Cisco ACE Appliance Redundant configuration

    How does the Cisco ACE appliance change its IP address and MAC address after failover?

    Hi Birendra,
    Could you please elaborate more on your question?
    FT MACs depend upon the FT group that you have configured and they remain the same. They will not change after failover.
    Here's a document at the link which explains in details about different MAC addresses in ACE:
    https://supportforums.cisco.com/docs/DOC-8723
    Let me know if you have any questions.
    Regards,
    Kanwal

  • ACE appliance - XML

    Good Day,
    I have an ACE appliance, but I do not have a license for the ACE XML GATEWAY. I want to balance XML traffic, and I want to accelerate this traffic. Is it possible without the XML GATEWAY license? If the answer is no, can I balance XML traffic with a CSS 11501?

    Hi,
    The Cisco ACE XML Gateway is not a license for the ACE appliance but a different box; see this video: http://www.cisco.com/cdc_content_elements/flash/dataCenter/acexml/index.html
    And yes, you can load balance XML with the ACE appliance as you could with the CSS, and yes, the ACE appliance will accelerate traffic.
    But the ACE XML GATEWAY will be better in security & acceleration.
    Dimitri

  • Cisco ACE Issue accessing SAP applications through ACE appliance

    Hi,
    I have a website whose VIP resides on my ACE appliance. That site has many links on it which are SAP applications.
    For one link, when I click it the first time, the user is asked for authentication, which is not actually required, and gets a blank page.
    When I click back (go to the main site again) and click the same link again, it opens normally without any authentication prompt.
    All the other links on the site have no issues and open normally.
    I had same issue with acceptance for same application and below parameter map resolved the issue
    parameter-map type http case_param
      case-insensitive
      persistence-rebalance
      set header-maxparse-length 65535
      set content-maxparse-length 65535
      length-exceed continue
    I tried using the same parameter map with persistence-rebalance disabled but it still does not work.
    What could be the issue in this case?

    Hi,
    The SAP has a front end server to which the ACE is sending traffic destined to a particular VIP. The front end server then communicates with the backend server for all data related to all applications. When the client is using different applications, the URL in the browser remains the same. All applications are working fine except this single application.
    The same setup is working fine with Cisco CSS and even the acceptance is working fine for the same set of applications.
    I am getting bad TCP checksum messages in the capture output.
    10.38.199.196 is the client IP, 10.36.64.40 is the VIP, 10.36.64.86 is the NAT IP and 10.36.32.55 is the front end server which is the user interface to the various applications.

  • Design question: ACE module connected to 2 different L3 engine while in bridge mode

    fellow engineers,
    I have been working on a design model where the ACE module will provide SLB for both virtual and real servers. We have been deploying several UCS systems and the customer would like to use the ACE as our Enterprise SLB layer
    configured in bridge mode.
    The MSFC within the 6509 provides the L3 routing. However, we may extend multiple vlans (v160-v163) via the Nexus switch layer (7k, 5k, 2k) to a FW appliance which now is the SVI interface for the extended vlans. These vlans will be configured on a dedicated context.
    The extension is based on the bridge mode operation as follows:
    Need help with the following:
    1) If I have 4 BVIs configured, do I need to have a default route configured?
    2) My total count for vlans is: v160-v163 for server vlans, and v101 is the management vlan. The SVI for this vlan is on the MSFC card. The server GWs are pointing to each dedicated SVI on the FW+L3 appliance.
    3) If my default route on the context is pointing to the v160 SVI on the FW+L3 engine, will that prevent the return traffic for the other vlans (v161-v163) from the ACE toward the client?
    4) Is a default route necessary if you have the ACE in bridge mode?
    It was brought to my attention that if you have multiple vlans configured in bridge mode pointing to another L3 engine, then each vlan would have to be configured on a separate context since you can only have one default route per context.
    I appreciate any feedback on this inquiry. If you need additional information please let me know.
    thanks and best regards,
    raman azizian

    Hi Raman,
    You can have up to eight default routes in one context. What the ACE is doing with the entries is to create an ARP entry with the name GATEWAY. If you need more than eight entries, just declare the gateways as rservers. In that case the ARP entry is stored as RSERVER instead of GATEWAY. The trick is to tell the ACE to learn the MAC address for the IP address and store it in the ARP table. The ACE never learns a MAC address by itself. Don't forget mac-sticky enable on the VLANs facing the gateways.
    I'm running one context in bridge mode and have 18 BVIs with FW and Router 6509 as gateways.
    Example:
    Interface to ROUTER 6509
    interface vlan 300
      bridge-group 300
      no normalization
      mac-sticky enable
      access-group input BPDU
      access-group input alla
      access-group output alla
      service-policy input lb-int-vlan300
      no shutdown
    rserver host 300GATEWAY
      ip address 164.135.121.47
      inservice
    A#1/prod1# sho arp | i 164.135.121.47
    164.135.121.47  00.08.e3.ff.fc.14  vlan300   RSERVER    4775   239 sec      up
    A#1/prod1#
    Interface to FIREWALL
    interface vlan 802      
      bridge-group 802
      no normalization
      mac-sticky enable
      access-group input BPDU
      access-group input alla
      access-group output alla
      service-policy input lb-int-vlan802
      no shutdown
    rserver host 802GATEWAY
      ip address 192.168.137.1
      inservice
    192.168.137.1   00.23.33.6a.bf.80  vlan802   RSERVER    4785   5 sec        up
    Regards
    Mats
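The check that post implies, as an added example (this is not code from the original thread): a Python script that collects the next hops a context declares, both `ip route` next hops and rservers used as gateways, and looks each one up in `show arp` output, so a gateway whose MAC the ACE never learned is caught before traffic is bridged toward it. Gateway rservers are recognised by a name ending in GATEWAY, which is the naming convention in the post and an assumption of this script, not ACE syntax. The embedded config and ARP table are constructed from the two entries shown in the post; the `ip route` next hop 10.10.10.1, the rserver WEB1 and the unresolved last ARP line are invented, and the column layout follows the post's `sho arp` output.

```python
"""Cross-check the gateways an ACE context declares against its ARP table.

Added example, not code from the original thread. Gateways are taken from
'ip route' next hops and from rservers whose name ends in GATEWAY (the
naming convention used in the post; an assumption, not ACE syntax), then
each one is looked up in 'show arp' output.
"""
import re

# Constructed sample config: the post's two gateway rservers, one ordinary
# rserver that must be ignored, and an invented 'ip route' next hop.
SAMPLE_CONFIG = """
ip route 0.0.0.0 0.0.0.0 10.10.10.1
rserver host 300GATEWAY
  ip address 164.135.121.47
  inservice
rserver host 802GATEWAY
  ip address 192.168.137.1
  inservice
rserver host WEB1
  ip address 192.168.137.21
  inservice
"""

# Constructed 'show arp' output in the column layout the post shows. The last
# line is invented to show a next hop whose MAC was never learned.
SAMPLE_ARP = """
164.135.121.47  00.08.e3.ff.fc.14  vlan300   RSERVER    4775   239 sec      up
192.168.137.1   00.23.33.6a.bf.80  vlan802   RSERVER    4785   5 sec        up
192.168.137.21  00.50.56.aa.bb.cc  vlan802   RSERVER    4790   12 sec       up
10.10.10.1      00.00.00.00.00.00  vlan300   GATEWAY    4801   0 sec        down
"""

ARP_RE = re.compile(
    r"^(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}\.){5}[0-9a-f]{2})\s+"
    r"(?P<iface>\S+)\s+(?P<type>\S+)\s+\d+\s+\d+ sec\s+(?P<state>\S+)\s*$",
    re.IGNORECASE,
)


def declared_gateways(config):
    """Return {ip: origin} for every next hop the context declares."""
    gateways, rserver = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):  # top-level command
            rserver = None
            m = re.match(r"ip route \S+ \S+ (\S+)$", line)
            if m:
                gateways[m.group(1)] = "ip route"
                continue
            m = re.match(r"rserver host (\S+)$", line)
            if m and m.group(1).upper().endswith("GATEWAY"):
                rserver = m.group(1)
            continue
        m = re.match(r"ip address (\S+)$", line)
        if m and rserver is not None:
            gateways[m.group(1)] = f"rserver {rserver}"
    return gateways


def parse_arp(text):
    """Return {ip: fields} for each line that matches the ARP table layout."""
    entries = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            entries[m.group("ip")] = m.groupdict()
    return entries


def check_gateways(config, arp_text):
    """Map each declared gateway to 'ok' or the reason the ACE cannot use it."""
    arp = parse_arp(arp_text)
    report = {}
    for ip, origin in declared_gateways(config).items():
        entry = arp.get(ip)
        if entry is None:
            report[ip] = f"missing from ARP table ({origin})"
        elif entry["mac"] == "00.00.00.00.00.00":
            report[ip] = f"MAC not learned ({origin})"
        elif entry["state"].lower() != "up":
            report[ip] = f"ARP entry is {entry['state']} ({origin})"
        else:
            report[ip] = "ok"
    return report


if __name__ == "__main__":
    for ip, status in check_gateways(SAMPLE_CONFIG, SAMPLE_ARP).items():
        print(f"{ip:16} {status}")
```

Paste the context's `show running-config` and `show arp` output into the two constants, or read them from files; anything other than `ok` for a gateway means the ACE has no MAC to forward to, which in bridge mode shows up as traffic silently dropped toward that next hop.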

  • Need ACES attention - connection pooling in oracle 10g rel 1

    I am using the TOMCAT 5.0.19 web server and ORACLE 10g REL 1 as the database server. I have to restart the TOMCAT web server in order to establish a connection at least twice or thrice a week. Why am I unable to see connection pooling in Oracle 10g rel 1? How do I revive or establish the setup? My objective is to have a centralised Oracle 10g rel 1 database server, and the Java applications are run through the centralised web server Tomcat 5.0.19.
    Can anyone please help me out optimizing the design setup?
    Regards
    Vijay Kumar

    > by putting 'Need ACES' in your post title, you might have actually reduced the number of people reading your post, in other words someone who might have suggested
    Thanks John for your reply. I changed the subject of the thread after not getting any reply for the past 10 days. For the last two days I have been updating it with a plea for attention to my problem. Finally I thought of pulling the attention of ACEs, and only then did I edit the subject.
    Now, the problem I am facing is not in the Oracle database but in the application server. Actually we are running web applications through Tomcat accessing Oracle 10g rel 1. I am often losing the connection with the web server. The users are unable to log in to the web application. I was told to check the Oracle database server. I just checked the alert log and found no errors. I just asked them to shut down and restart the web server Tomcat 5.0. It then worked fine. This is temporary. I need to find out where the problem is. Could you please guide me in checking the various parameters or files to be checked to optimise connection pooling?
    Regards
    Vijay Kumar
