ACE Configuration

Hi,
I need some configuration to provide site stickiness with the help of ACE running in two different sites.
DNS functionality is handed over to the GSS.
For example:
Once a DNS A record is given back to the user for www.company.com and the request is made to the ACE, the ACE will send an HTTP redirect back to the user for a new domain name of www1.company.com or www2.company.com for the respective site the user was initially sent to via the DNS response. This ensures that the user will always return to the same site.

Gilles,
Thanks for your response.
I am after HTTP/HTTPS redirects in the ACE for site stickiness
Example
Two sites site1 and site 2
GSS configuration with 3 DNS Rules
RULE1 - WWW.MYCOMPANY.COM - 1.1.1.1,1.1.1.2
RULE2 - WWW1.MYCOMPANY.COM -1.1.1.1(SITE1)
RULE3 - WWW2.MYCOMPANY.COM - 1.1.1.2(SITE2)
Client to the GSS ---> www.mycompany.com hits Site A (1.1.1.1); the ACE shall redirect the client request to WWW1.MYCOMPANY.COM, and further requests from the client should stick to the same site until it completes the session, i.e. www1.mycompany.com.
Thanks in Advance

Similar Messages

  • ACE Configuration (urgent)

    I am facing a problem with ACE configuration. I want to redirect 443 traffic to my proxy server.
    But I am not able to do this. I want to redirect only subnet 192.168.80.0/24.
    I have the following configuration
    access-list BC line 8 extended permit tcp host 192.168.80.89 any eq https
    access-list BC line 16 extended permit tcp host 192.168.80.62 any eq https
    probe tcp PROBE_TCP_443
      port 443
      interval 15
      passdetect interval 60
      open 1
    serverfarm host SF_BCPR_https
      transparent
      probe PROBE_TCP_443
      rserver RS_BCPR01
        inservice
      rserver RS_BCPR02
        inservice
    sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE-HTTPS
      replicate sticky
      serverfarm SF_BCPR_https
    class-map match-all CM_SF_BCPR_HTTPS
      2 match access-list BC
    policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
      class class-default
        sticky-serverfarm STICKY-SOURCE-HTTPS
    ==================================================================================
    policy-map multi-match PM_MAIN_BCPROXY
        class CM_SF_BCPR_HTTPS
        loadbalance vip inservice
        loadbalance policy PM_LB_SF_BCPROXY_https
        loadbalance vip icmp-reply active
        appl-parameter http advanced-options PARAMAP_CASE
    ==================================================================================
    interface vlan 300
      description ACE-INSIDE CONTEXT RACK1
      ip address 192.168.0.65 255.255.255.224
      alias 192.168.0.73 255.255.255.224
      peer ip address 192.168.0.66 255.255.255.224
      no normalization
      mac-address autogenerate
      no icmp-guard
      access-group input acl-in
    access-list BC line 8 extended permit tcp host 192.168.80.89 any eq https
    access-list BC line 16 extended permit tcp host 192.168.80.62 any eq https
      service-policy input PM_MAIN_BCPROXY
      no shutdown
    I am getting error.
    DC-ACE01/Rack1(config-cmap)# 10 match access-list BC
    Error: Class-map is being used for virtual server definition
    =======================================================================
    Only if I am putting
    class-map match-all CM_SF_BCPR_HTTPS
      2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq https
    Only then does it work, but I don't want this policy applied to all users; I want only one subnet under the HTTPS policy.
    Please let me know how I can apply the policy only to a specific subnet so that port 443 traffic can be redirected and all the other subnets can go directly to the Internet.
    Waiting for reply.
    Thanks in Advance.

    Hi, if this is your current configuration in last message - it's wrong, should be :
    class-map match-all CM_SF_BCPR_HTTPS
      2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq https
    policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
      match IT source-address 192.168.80.0 255.255.255.0  <----- If you want to redirect 192.168.80.0/24
        sticky-serverfarm STICKY-SOURCE-HTTPS
    And then in Layer 4 (multi-match policy)
    policy-map multi-match PM_MAIN_BCPROXY
        class CM_SF_BCPR_HTTPS
        loadbalance vip inservice
        loadbalance policy PM_LB_SF_BCPROXY_https
        loadbalance vip icmp-reply active
        appl-parameter http advanced-options PARAMAP_CASE
    However, you need to be aware that with such a configuration all other traffic to port 443 will be dropped.
    One option is to add a forward action to class-default in the Layer 7 policy map, like this:
    policy-map type loadbalance http first-match PM_LB_SF_BCPROXY_https
      match IT source-address 192.168.80.0 255.255.255.0  <----- If you want to redirect 192.168.80.0/24
        sticky-serverfarm STICKY-SOURCE-HTTPS
      class class-default  <--- additional configuration
        forward
    In this case traffic to port 443 from sources other than 192.168.80.0/24 won't be dropped but will just be forwarded to the destination.

  • L7 ace configuration replace Apache AJP

    Hi team,
    I am trying to use the ACE to replace an Apache-based load balancer in a JBoss application cluster. I am using L7 load balancing to load balance between multiple components. The way these JBoss application servers work with Apache is this:
    1. When the JBoss application starts up on the application cluster, it issues a GET opencase/webservices/config-service?wsdl to the load balancer IP.
    2. The Apache-based LB in turn talks to the same box on port 8009 via AJP, retrieves the configuration file and provides it back to the application on port 80.
    3. After 2 has completed, the JBoss application comes up. Basically, to start the application, the Apache load balancer will accept requests from its target list and load balance the requests back to them itself.
    Not sure how I can use the ACE to accomplish this.
    Attached are my topology (logical) and the ACE configuration. From my topology file: net-cms-1 will issue a GET request to the VIP (on the ACE); the ACE accepts the connection but soon resets it.
    Can anyone please help?
    Thanks in advance

    I don't know if the problem I had will help; see the link below:
    https://supportforums.cisco.com/thread/2149204?tstart=90

  • ACE - configuring script probes (tclsh)

    Hey guys
    I'm looking for examples of writing script probes for the ACE module.
    In Cisco's ACE configuration guide I already found one, but I'd be happy to have a few more. Does anybody know where I can get some other examples?
    cheers
    patrick

    Hi there and hello!
    If you check the software section for the ACE Module you will find some ace scripts you can download.
    http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/crypto/3DES/lan/catalyst/6500/ace/ace_scripts.tgz&app=Tablebuild&status=showC2A
    Good luck
    Roble

  • ACE Configuration Issue.

    We would like to configure the ACE as below:
    the virtual IP address and port like this: 10.10.10.10:8000; this IP address will be used for outside users to request service,
    and we have to configure the server farm as below:
    real server 10.10.10.1:8001, 10.10.10.1:8002, 10.10.10.1:8003 ...
    The IP address is the same in 10.10.10.10:8000's serverfarm, but the real server service is different, and this port should be load-balanced and health-checked.
    Is it a possible solution? F5 BIG-IP, Nortel is possible, but I don't know about the above issue on ACE.
    If that is OK, could you give me a sample configuration?

    page 2....
    Also I forgot to tell you to
    8. create a resource-class
    9. create a context other than the Admin context if you need multiple contexts:
    (inside the context add the resource class)
    10. class map type management (for remote access)
    as follows:
    Kindly find some config sample as follows:
    ACE/Admin# sh run
    Generating configuration....
    resource-class ABCD_Resource
    limit-resource all minimum 5.00 maximum unlimited
    limit-resource sticky minimum 5.00 maximum unlimited
    boot system image:c4710ace-mz.A3_2_1.bin
    hostname ACE
    context Admin
    member ABCD_Resource
    access-list everyone line 10 extended permit icmp any any
    access-list everyone line 20 extended permit ip any any
    access-list for-cap line 8 extended permit ip any any
    probe http HTTP-Probe
    port 8000
    interval 2
    faildetect 2
    passdetect interval 15
    request method head
    probe icmp ICMP-Probe
    interval 2
    faildetect 2
    passdetect interval 60
    probe tcp TCP-8000
    port 8000
    interval 2
    faildetect 2
    passdetect interval 15
    passdetect count 2
    open 1
    rserver host A
    ip address 10.10.10.1
    inservice
    rserver host B
    ip address 10.10.10.2
    inservice
    rserver host C
    ip address 10.10.10.3
    inservice
    rserver host D
    ip address 10.10.10.4
    inservice
    serverfarm host SF-8000-1
    probe ICMP-Probe
    probe TCP-8000
    rserver A 8000
    inservice
    rserver B 8000
    inservice
    serverfarm host SF-8000-2
    probe HTTP-Probe
    probe ICMP-Probe
    probe TCP-8000
    rserver C 8000
    inservice
    rserver D 8000
    inservice
    class-map match-all L4-CLASS-REDIRECT-1
    2 match virtual-address 10.10.60.10 tcp eq www
    class-map match-all VIP-PORT-8000-1
    2 match virtual-address 10.10.60.10 tcp eq https
    class-map match-all VIP-PORT-8000-2
    2 match virtual-address 10.10.60.12 tcp eq https
    class-map type management match-any remote-mgmt
    10 match protocol ssh any
    20 match protocol telnet any
    30 match protocol icmp any
    40 match protocol http any
    50 match protocol https any
    class-map match-any server-initiated
    3 match source-address 10.10.10.4 255.255.255.255
    4 match source-address 10.10.10.3 255.255.255.255
    policy-map type management first-match remote-access
    class remote-mgmt
    permit
    policy-map type loadbalance first-match VIP-POLICY-8000-1
    class class-default
    policy-map multi-match Service-Policy-8000-1
    class VIP-PORT-8000-1
    loadbalance vip inservice
    loadbalance policy VIP-POLICY-8000-1
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 60
    class L4-CLASS-REDIRECT-1
    loadbalance vip inservice
    loadbalance policy VIP-POLICY-8000-1
    policy-map multi-match Service-Policy-8000-2
    class VIP-PORT-8000-2
    loadbalance vip inservice
    loadbalance policy VIP-POLICY-8000-2
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 60
    ssl-proxy server SSL-Offload-Proxy-2
    policy-map multi-match server-side
    class server-initiated
    nat dynamic 1 vlan 60
    interface vlan 10
    description APPPROD-Client-Vlan
    bridge-group 10
    mtu 1500
    access-group input everyone
    access-group output everyone
    service-policy input remote-access
    no shutdown
    interface vlan 30
    description management-vlan-interface
    ip address 10.10.30.22 255.255.255.0
    access-group input everyone
    access-group output everyone
    service-policy input remote-access
    no shutdown
    continued page 3......

  • ACE Configuration Guide

    I am new to ACE. In our company there are ACE modules installed on 6509 switches configured as VSS, and we are running ver A4(2.3) for ACE. Please guide me to some good HTTP link to start reading about ACE.
    -Atul

    I can not get rservers up or the VIPs active.... Help Me....
    logging enable
    logging timestamp
    logging trap 5
    logging history 5
    logging buffered 6
    logging persistent 5
    logging monitor 5
    logging queue 5000
    boot system image:c4710ace-t1k9-mz.A5_1_2.bin
    hostname x86ACE03
    interface gigabitEthernet 1/1
    switchport access vlan 700
    no shutdown
    interface gigabitEthernet 1/2
    switchport trunk allowed vlan 701,704
    no shutdown
    interface gigabitEthernet 1/3
    shutdown
    interface gigabitEthernet 1/4
    shutdown
    ntp server 157.127.103.139
    access-list ACL_10 line 8 extended permit ip any host 10.22.6.117
    access-list ACL_10 line 16 extended permit icmp any host 10.22.6.117
    access-list ACL_10 line 24 extended permit ip any host 10.22.6.116
    access-list ACL_10 line 32 extended permit icmp any host 10.22.6.116
    access-list ACL_10 line 34 extended permit icmp any host 10.22.6.118
    access-list ACL_10 line 38 extended permit ip any host 10.22.6.118
    access-list ACL_10 line 40 extended permit ip any host 10.22.6.119
    access-list ACL_10 line 48 extended permit icmp any host 10.22.6.119
    access-list ACL_20 line 8 extended permit ip any any
    access-list ACL_20 line 16 extended permit icmp any any
    access-list ACL_40 line 16 extended permit ip 10.22.7.2 255.255.255.224 any
    access-list ACL_50 line 16 extended permit ip 10.22.7.34 255.255.255.224 any
    access-list FILTER line 10 extended permit tcp any any eq https
    access-list FILTER line 20 extended permit tcp any any eq www
    probe icmp SERVICE_ICMP_PROBE
    interval 10
    passdetect interval 5
    rserver host vsuiteFrontEnd-A
    ip address 10.22.6.116 ! 10.22.7.2
    probe SERVICE_ICMP_PROBE
    inservice
    rserver host vsuiteFrontEnd-CoreA
    ip address 10.22.6.118  ! 10.22.7.34
    probe SERVICE_ICMP_PROBE
    inservice
    serverfarm host rule-vsuiteFrontEnd-A
    rserver vsuiteFrontEnd-A
       conn-limit max 4000000 min 1
       inservice
    serverfarm host rule-vsuiteFrontEnd-CoreA
    rserver vsuiteFrontEnd-CoreA
       conn-limit max 4000000 min 1
       inservice
    parameter-map type http CASE_PARAM
    case-insensitive
    persistence-rebalance
    parameter-map type connection rule-vsuiteFrontEnd-A_CONN_PARAM
    set timeout inactivity 6400
    parameter-map type connection rule-vsuiteFrontEnd-CoreA_CONN_PARAM
    set timeout inactivity 6400
    class-map type management match-any REMOTE_ACCESS_CLASS
    description Enable remote management
    2 match protocol xml-https any
    4 match protocol icmp any
    5 match protocol telnet any
    6 match protocol ssh any
    8 match protocol https any
    class-map match-any SERVERSOURCED
    2 match access-list ACL_40
    class-map match-any SERVERSOURCED-CoreA
    2 match access-list ACL_50
    class-map match-all rule-vsuiteFrontEnd-A_CLASS
    2 match virtual-address 10.22.6.117 tcp eq https
    class-map match-all rule-vsuiteFrontEnd-CoreA_CLASS
    2 match virtual-address 10.22.6.119 tcp eq https
    policy-map type management first-match REMOTE_ACCESS_POLICY
    class REMOTE_ACCESS_CLASS
       permit
    policy-map type loadbalance first-match rule-vsuiteFrontEnd-A_POLICY
    class class-default
       serverfarm rule-vsuiteFrontEnd-A
    policy-map type loadbalance first-match rule-vsuiteFrontEnd-CoreA_POLICY
    class class-default
       serverfarm rule-vsuiteFrontEnd-CoreA
    policy-map multi-match POLICY
    class rule-vsuiteFrontEnd-A_CLASS
       loadbalance vip inservice
       loadbalance policy rule-vsuiteFrontEnd-A_POLICY
       loadbalance vip icmp-reply active
       connection advanced-options rule-vsuiteFrontEnd-A_CONN_PARAM
    policy-map multi-match POLICY-CoreA
    class rule-vsuiteFrontEnd-CoreA_CLASS
       loadbalance vip inservice
       loadbalance policy rule-vsuiteFrontEnd-CoreA_POLICY
       loadbalance vip icmp-reply active
       connection advanced-options rule-vsuiteFrontEnd-CoreA_CONN_PARAM
    policy-map multi-match SERVERSOURCED
    class SERVERSOURCED
       nat dynamic 1 vlan 700
    policy-map multi-match SERVERSOURCED-CoreA
    class SERVERSOURCED-CoreA
       nat dynamic 2 vlan 700
    service-policy input POLICY
    service-policy input POLICY-CoreA
    interface vlan 700
    ip address 10.22.6.2 255.255.255.224
    no icmp-guard
    access-group input ACL_10
    nat-pool 1 10.22.6.117 10.22.6.117 netmask 255.255.255.255 pat
    nat-pool 2 10.22.6.119 10.22.6.119 netmask 255.255.255.255 pat
    service-policy input REMOTE_ACCESS_POLICY
    no shutdown
    interface vlan 701
    ip address 10.22.7.2 255.255.255.224
    no icmp-guard
    access-group input ACL_20
    service-policy input SERVERSOURCED
    no shutdown
    interface vlan 704
    ip address 10.22.7.34 255.255.255.224
    no icmp-guard
    access-group input ACL_20
    service-policy input SERVERSOURCED-CoreA
    no shutdown
    ip route 0.0.0.0 0.0.0.0 10.22.6.1
    x86ACE03/Admin#
    x86ACE03/Admin# sh probe
    probe       : SERVICE_ICMP_PROBE
    type       : ICMP
    state       : ACTIVE
       port     : 0          address   : 0.0.0.0
       addr type : -           interval : 10     pass intvl : 5
       pass count: 3           fail count: 3       recv timeout: 10
                   ------------------ probe results ------------------
       associations     ip-address         port porttype probes failed passed health
       ------------ ----------------------+----+--------+------+------+------+------
       rserver     : vsuiteFrontEnd-A
                               10.22.6.116   0 --     78   78     0     FAILED
       rserver     : vsuiteFrontEnd-CoreA
                               10.22.6.118   0 --     459   459   0     FAILED
    x86ACE03/Admin#
    x86ACE03/Admin# sh service-policy
    Policy-map : POLICY
    Status     : ACTIVE
    Context Global Policy:
    service-policy: POLICY
       class: rule-vsuiteFrontEnd-A_CLASS
         loadbalance:
           L7 loadbalance policy: rule-vsuiteFrontEnd-A_POLICY
           VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
           VIP state: OUTOFSERVICE
           VIP DWS state: DWS_DISABLED
           Persistence Rebalance: DISABLED
           curr conns       : 0         , hit count       : 0
           dropped conns   : 0
           conns per second   : 0
           client pkt count : 0         , client byte count: 0
           server pkt count : 0         , server byte count: 0
           conn-rate-limit     : -         , drop-count : -
           bandwidth-rate-limit : -         , drop-count : -
         compression:
           bytes_in : 0                         bytes_out : 0
           Compression ratio : 0.00%
                   Gzip: 0               Deflate: 0
         compression errors:
           User-Agent : 0               Accept-Encoding   : 0
           Content size: 0               Content type       : 0
           Not HTTP 1.1: 0              HTTP response error: 0
           Others     : 0
           Parameter-map(s):
             rule-vsuiteFrontEnd-A_CONN_PARAM
    Policy-map : POLICY-CoreA
    Status     : ACTIVE
    Context Global Policy:
    service-policy: POLICY-CoreA
       class: rule-vsuiteFrontEnd-CoreA_CLASS
         loadbalance:
           L7 loadbalance policy: rule-vsuiteFrontEnd-CoreA_POLICY
           VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
           VIP state: OUTOFSERVICE
           VIP DWS state: DWS_DISABLED
           Persistence Rebalance: DISABLED
           curr conns       : 0         , hit count       : 0
           dropped conns   : 0
           conns per second   : 0
           client pkt count : 0         , client byte count: 0
           server pkt count : 0         , server byte count: 0
           conn-rate-limit     : -         , drop-count : -
           bandwidth-rate-limit : -         , drop-count : -
         compression:
           bytes_in : 0                         bytes_out : 0
           Compression ratio : 0.00%
                   Gzip: 0               Deflate: 0
         compression errors:
           User-Agent : 0               Accept-Encoding   : 0
           Content size: 0               Content type       : 0
           Not HTTP 1.1: 0              HTTP response error: 0
           Others     : 0
           Parameter-map(s):
             rule-vsuiteFrontEnd-CoreA_CONN_PARAM
    Policy-map : SERVERSOURCED
    Status     : ACTIVE
    Interface: vlan 1 701
    service-policy: SERVERSOURCED
       class: SERVERSOURCED
         nat:
           nat dynamic 1 vlan 700
           curr conns       : 0         , hit count       : 0
           dropped conns   : 0
           client pkt count : 0         , client byte count: 0
           server pkt count : 0         , server byte count: 0
           conn-rate-limit     : 0         , drop-count : 0
           bandwidth-rate-limit : 0         , drop-count : 0
    Policy-map : SERVERSOURCED-CoreA
    Status     : ACTIVE
    Interface: vlan 1 704
    service-policy: SERVERSOURCED-CoreA
       class: SERVERSOURCED-CoreA
         nat:
           nat dynamic 2 vlan 700
           curr conns       : 0         , hit count       : 0
           dropped conns   : 0
           client pkt count : 0         , client byte count: 0
           server pkt count : 0         , server byte count: 0
           conn-rate-limit     : 0         , drop-count : 0
           bandwidth-rate-limit : 0         , drop-count : 0
    x86ACE03/Admin# sh serverfarm
       serverfarm           type     rservers predictor         current conns
    +--------------------+---------+--------+------------------+---------------
       rule-vsuiteFrontEnd-A
                           HOST     1       ROUNDROBIN         0
       rule-vsuiteFrontEnd-CoreA
                           HOST     1       ROUNDROBIN         0
    x86ACE03/Admin# sh serverfarm rule-vsuiteFrontEnd-A
    serverfarm     : rule-vsuiteFrontEnd-A, type: HOST
    total rservers : 1
    state         : INACTIVE
    DWS state     : DISABLED
                                                   ----------connections-----------
           real                 weight state       current   total     failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: vsuiteFrontEnd-A
           10.22.6.116:0         8   PROBE-FAILED   0         0         0
    x86ACE03/Admin#
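
An added check, not part of any post above: both the "sh run" sample in the "ACE Configuration Issue" thread and the x86ACE03 configuration permit telnet in the management class-map from source "any" and bind a "permit ip any any" ACL to an interface. The Python below reports both patterns per interface; audit_ace_config, SAMPLE_CONFIG and the finding strings are names made up for this example, and the sample is an excerpt of the x86ACE03 lines.

```python
import re

# Management protocols that are carried unencrypted.
CLEARTEXT_MGMT = {"telnet", "http"}

# Top-level keywords that end whatever block is currently being tracked.
BLOCK_START = re.compile(
    r"(access-list|class-map|policy-map|interface|rserver|serverfarm|"
    r"probe|parameter-map|sticky) ")

# Sample input: lines excerpted from the x86ACE03 configuration posted above.
SAMPLE_CONFIG = """\
access-list ACL_10 line 8 extended permit ip any host 10.22.6.117
access-list ACL_20 line 8 extended permit ip any any
class-map type management match-any REMOTE_ACCESS_CLASS
description Enable remote management
2 match protocol xml-https any
4 match protocol icmp any
5 match protocol telnet any
6 match protocol ssh any
8 match protocol https any
class-map match-any SERVERSOURCED
2 match access-list ACL_40
policy-map type management first-match REMOTE_ACCESS_POLICY
class REMOTE_ACCESS_CLASS
   permit
interface vlan 700
ip address 10.22.6.2 255.255.255.224
access-group input ACL_10
service-policy input REMOTE_ACCESS_POLICY
no shutdown
interface vlan 701
ip address 10.22.7.2 255.255.255.224
access-group input ACL_20
service-policy input SERVERSOURCED
no shutdown
"""


def audit_ace_config(text):
    """Return [(interface, finding), ...] for cleartext management and any-any ACLs."""
    open_acls = set()      # ACL names holding a 'permit ip any any' entry
    mgmt_classes = {}      # management class-map -> {(protocol, source)}
    mgmt_policies = {}     # management policy-map -> {permitted class-map}
    iface_acls = {}        # interface -> ACLs bound with 'access-group input'
    iface_policies = {}    # interface -> 'service-policy input' names
    section = name = pending_class = None

    for raw in text.splitlines():
        line = raw.strip()  # forum pastes lose indentation, so blocks are tracked by keyword
        if m := re.match(r"access-list (\S+) line \d+ extended permit ip any any$", line):
            open_acls.add(m.group(1))
            section = None
        elif m := re.match(r"class-map type management \S+ (\S+)$", line):
            section, name = "mgmt-class", m.group(1)
            mgmt_classes[name] = set()
        elif m := re.match(r"policy-map type management \S+ (\S+)$", line):
            section, name, pending_class = "mgmt-policy", m.group(1), None
            mgmt_policies[name] = set()
        elif m := re.match(r"interface (vlan \d+)$", line):
            section, name = "iface", m.group(1)
            iface_acls[name], iface_policies[name] = [], []
        elif BLOCK_START.match(line):
            section = None  # some other top-level block we do not inspect
        elif section == "mgmt-class" and (m := re.match(r"\d+ match protocol (\S+) (.+)$", line)):
            mgmt_classes[name].add((m.group(1), m.group(2)))
        elif section == "mgmt-policy" and (m := re.match(r"class (\S+)$", line)):
            pending_class = m.group(1)
        elif section == "mgmt-policy" and line == "permit" and pending_class:
            mgmt_policies[name].add(pending_class)
        elif section == "iface" and (m := re.match(r"access-group input (\S+)$", line)):
            iface_acls[name].append(m.group(1))
        elif section == "iface" and (m := re.match(r"service-policy input (\S+)$", line)):
            iface_policies[name].append(m.group(1))

    findings = []
    for iface in sorted(iface_acls):
        for acl in iface_acls[iface]:
            if acl in open_acls:
                findings.append((iface, f"ACL {acl} contains permit ip any any"))
        for policy in iface_policies[iface]:
            for cls in sorted(mgmt_policies.get(policy, ())):
                for proto, source in sorted(mgmt_classes.get(cls, ())):
                    if proto in CLEARTEXT_MGMT:
                        findings.append(
                            (iface, f"{policy} permits cleartext {proto} management from {source}"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_ace_config(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

Removing the telnet match line from the management class-map (leaving ssh and https) clears the vlan 700 finding.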

  • ACE Configuration Synchronization failure

    I have defined the FT group on ACE, but I don't see the configuration getting updated on the other module.
    The response for 'sh ft peer detail' is as follows
    Peer Id : 1
    State : FSM_PEER_STATE_DOWN
    Maintenance mode : MAINT_MODE_OFF
    FT Vlan : 200
    My IP Addr : 1.1.1.1
    Peer IP Addr : 1.1.1.2
    Query Vlan : Not Configured
    Peer Query IP Addr : 0.0.0.0
    Heartbeat Interval : 200
    Heartbeat Count : 20
    Tx Packets : 0
    Tx Bytes : 0
    Rx Packets : 0
    Rx Bytes : 0
    Rx Error Bytes : 0
    Tx Keepalive Packets : 0
    Rx Keepalive Packets : 0
    TL_CLOSE count : 0
    FT_VLAN_DOWN count : 0
    PEER_DOWN count : 1
    SRG Compatibility : INIT
    License Compatibility : INIT
    FT Groups : 1
    Please assist.

    Can you please paste your configuration?
    Did you configure both modules with the FT configuration?
    Is the FT vlan available on both chassis?
    Is the FT vlan trunked between the two chassis?

  • ACE Configuration Check

    VIP : 10.10.10.10:8000
    rserver server1
    ip address 10.10.10.1
    serverfarm SFARM1
    rserver server1 8001
    probe Probe_8001
    rserver server2 8002
    probe Probe_8002
    rserver server3 8003
    probe Probe_8003
    rserver server4 8004
    probe Probe_8004
    I would like to load balance on just one single IP address and multiple ports, like the
    above configuration on ACE. Is it a possible configuration? Please check.
    Thank you.

    OK, thank you for your response.
    I picked up your configuration as follows:
    rserver Server1
    ip address 10.10.10.1
    inservice
    serverfarm Farm1
    rserver Server1 8001
    inservice
    rserver Server1 8002
    inservice
    rserver Server1 8003
    inservice
    class-map MyVip
    match virtual 10.10.10.10 tcp eq 8000
    policy type loadbalance http first MyPolicy
    class class-default
    serverfarm Farm1
    policy multimatch SLB
    class MyVip
    load policy MyPolicy
    load vip inservice
    interface vlan X
    service in SLB
    I know that there is no problem configuring one real server with multiple service ports attached for SLB.
    But I must health-check each of the multiple ports even though there is one real server.
    for example:
    rserver Server1 8001
    probe probe_8001
    inservice
    Is it working well?

  • ACE configuration using GUI

    Hi all,
    I configured ACE in multi-context for failover. Then I configured the primary ACE using the GUI; after configuring the server farm I clicked DM sync and SYNC all. Then I checked the secondary ACE to see whether the configuration was synced, but it is not synced with the secondary. What might be the problem?

    Do a 'show ft group detail' and make sure you have config synch enabled:
    "Running cfg sync enabled : Enabled"
    If not, you need to turn it on.
    Also check the status.
    "Running cfg sync status "
    Sometimes it is enabled but not working because files can't be synched like ssl keys/certs or script probes.
    Gilles.

  • ACE-20 Module: automated backup of configuration

    Hi All,
    I am currently stuck to setup an automated configuration backup for my ACE Blades.
    I found a script to backup the ACE from the Cisco ANM box but unfortunately I am not very familiar with Linux.
    Has someone a hint or already an automated solution (script) in place, to "pull" the ACE config from a Microsoft system ?
    System State:
    ACE IOS A2.(1).5
    Thanks in advance for your reply
    Regards
    Alessandro

    Hello Alessandro,
    If you upgrade to the latest ACE software, which is A2(3.0), you can take advantage of the new backup and restore feature.  With this, the ACE will backup all of the following and add it to a .tgz file:
    Running-configuration files
    Startup-configuration files
    Checkpoints
    SSL certificates
    SSL keys
    Health-monitoring scripts
    Licenses
    You could use an Expect script to periodically log into the ACE, create the backup, and copy it off the ACE.  The backup and restore feature is documented here:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/administration/guide/managesw.html#wp1244360
    Another option for you would be to use the Application Networking Manager (ANM).  It is a graphical user interface for ACE configuration, management, and monitoring.  It also allows you to perform backups (and restores).
    ANM - Performing Device Backup and Restore Functions
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/3.0/user/guide/UG_virtual_contexts.html#wpxref82223
    Hope this helps,
    Sean

  • Configuring Sticky TCP Connections on ACE

    I have 6 ACE configuration guides/case study example configurations and all have a slightly different way of configuring sticky connections in the admin context. What is the right way to configure it?
    Thanks!
    Matt

    Here is the 7th config :)
    You didn't mention which persistence method you are interested in. Following is an example for source-IP-based stickiness:
    rserver host APP1-SERVER1
      ip address 10.10.10.101
      inservice
    rserver host APP1-SERVER2
      ip address 10.10.10.102
      inservice
    serverfarm host APP1-SFARM
      probe http80
      predictor leastconn
      failaction purge
      rserver APP1-SERVER1
        inservice
      rserver APP1-SERVER2
        inservice
    sticky ip-netmask 255.255.255.255 address source APP1-STICKY-GP
      timeout 60
      replicate sticky
      serverfarm APP1-SFARM
    class-map match-any APP1-VIP-CLASS
      description class-map for APP1
      match virtual-address 192.168.0.100 tcp eq 80
    policy-map type loadbalance first-match APP1-POLICY
      class class-default
        sticky-serverfarm APP1-STICKY-GP
    policy-map multi-match VIPS
      class APP1-VIP-CLASS
        loadbalance vip inservice
        loadbalance policy APP1-POLICY
        loadbalance vip icmp-reply
    interface vlan 20
      ip address 192.168.0.1 255.255.255.0
      access-group input anyone
      access-group output anyone
      service-policy input VIPS
      no shutdown
    HTH
    Syed Iftekhar Ahmed

  • Configuration help - ACE redirection

    Please see the below ACE configuration.  It is currently in place for both load balancing and redirection.  Here are the 4 current scenarios...
    1. https://www.URL1.com is the desired URL and will be load balanced.  Certificate is for this URL.
    2. http://www.URL1.com will redirect the client to https://www.URL1.com for appropriate load balancing.
    3. URL1.com resolves to the same vip ip address as www.URL1.com, so http://URL1.com will redirect the client to https://URL1.com
    4. https://URL1.com will be load balanced, but client gets a certificate error since the cert is not associated with this address.
    How can I redirect http://URL1.com and https://URL1.com to https://www.URL1.com?  Can I create a L7 policy map in addition to the existing L4 policy map?
    Thanks for any help you can give.
    rserver host URL1-ws07
      ip address 1.1.1.1
      inservice
    rserver host URL1-ws08
      ip address 1.1.2.1
      inservice
    rserver host URL1-ws09
      ip address 1.1.3.1
      inservice
    rserver host URL1-ws10
      ip address 1.1.4.1
      inservice 
    rserver host URL1-ws06
      ip address 1.1.5.1
      inservice
    !************** Generic redirect rserver used by many policy maps to redirect clear text addresses to secure addresses *************
    rserver redirect server-rd
      webhost-redirection https://%h%p 301
      inservice
    ssl-proxy service URL1
      key URL10911-key
      cert URL10911-cert
      chaingroup verisign-ev-cg
    serverfarm host URL1
      description www.URL1.com
      probe port_80
      rserver URL1-ws07 80
        inservice
      rserver URL1-ws08 80
        inservice
      rserver URL1-ws09 80
        inservice
      rserver URL1-ws10 80
        inservice
      rserver URL1-ws06 80
        inservice
    sticky http-cookie acecookie sticky-URL1
      cookie insert browser-expire
      replicate sticky
      serverfarm URL1
    !***************** Redirect to https *****************
    class-map match-all URL1-vip
      2 match virtual-address 2.2.2.2 tcp eq https
    class-map match-all URL1-vip-rd
      2 match virtual-address 2.2.2.2 tcp eq www 
    policy-map type loadbalance first-match URL1-lb
      class class-default
        sticky-serverfarm sticky-URL1
        action https-rewrite
        insert-http X-Forwarded-For header-value "%is"
    policy-map type loadbalance first-match URL1-rd
      class class-default
        serverfarm server-rd
    policy-map multi-match yellow-policy 
      class URL1-vip-rd
        loadbalance vip inservice
        loadbalance policy URL1-rd
        loadbalance vip icmp-reply active
      class URL1-vip
        loadbalance vip inservice
        loadbalance policy URL1-lb
        loadbalance vip icmp-reply active
        appl-parameter http advanced-options generic-http-parameter-map
        ssl-proxy server URL1

    Hi there,
    If all the URLs respond to the same VIP then you need to modify your server-rd as follows:
    rserver redirect server-rd
      webhost-redirection https://www.URL1.com/%p 301
      inservice
    That would take care of the HTTP part.
    For HTTPS we can't do much as decryption happens before URL matching, you'll get the certificate
    error before being sent to the correct domain. The only way you can get HTTPS working is either with:
    - Wildcard Certificate: *.URL1.com
    - SAN certificate: You can include multiple domains into the same SSL certificate.
    HTH
    Pablo
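
The certificate point in the reply above can be checked before deployment. This is an added example, not part of the original posts: it tests which hostnames answered by one VIP are covered by a certificate's SAN entries, using left-most-label wildcard matching. All hostnames and SAN lists are constructed for illustration.

```python
# Added example: hostnames and SAN lists are constructed, not taken from the thread.

def _labels(name):
    return name.lower().rstrip(".").split(".")

def san_matches(pattern, host):
    """RFC 6125-style match: '*' is honoured only as the entire left-most
    label and stands for exactly one label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False                  # '*.example.com' never covers 'example.com'
    if p[0] == "*":
        if len(p) < 3:
            return False              # refuse overly broad entries such as '*.com'
        return p[1:] == h[1:]
    if "*" in pattern:
        return False                  # partial or inner wildcards are rejected
    return p == h

def coverage(san_list, vip_hosts):
    """Map each hostname served on the VIP to the SAN entry covering it, or None."""
    return {
        host: next((s for s in san_list if san_matches(s, host)), None)
        for host in vip_hosts
    }

def uncovered(san_list, vip_hosts):
    """Hostnames that would hit a certificate error before any redirect can run."""
    return sorted(h for h, s in coverage(san_list, vip_hosts).items() if s is None)

# Constructed inventory of names pointing at the same VIP.
VIP_HOSTS = ["www.example.com", "example.com", "shop.example.com",
             "a.b.example.com", "www.example.net"]
WILDCARD_CERT = ["*.example.com"]
SAN_CERT = ["www.example.com", "example.com", "www.example.net"]

if __name__ == "__main__":
    for label, sans in (("wildcard", WILDCARD_CERT), ("SAN", SAN_CERT)):
        print(label, "certificate leaves uncovered:", uncovered(sans, VIP_HOSTS))
```

Any name reported as uncovered fails the TLS handshake check in the browser, so the HTTP-level redirect is never reached for it.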

  • Cisco ACE - dynamic header rewrite

    Can the ACE do dynamic http host and URL rewrites using an action list and variables?
    I need to rewrite a URL like this...
    http://*.domain.com rewritten to http://www.domain.com/user1/*
    For example...
    http://mikeyd.domain.com would be rewritten to http://www.domain.com/user1/mikeyd
    ... and so on for a large number of user names at the beginning of the URL string.
    I am trying to find the action-list syntax for header rewrite and having trouble figuring this out. Would a redirection be a better option?
    Thanks, in advance, for any help with this.

    It's more related to disaster recovery planning than ACE configuration.
    The cleanest way is to use L2 extension.
    Otherwise you can use VMware SRM to change the IP addresses of your VMs, or run an OSPF process and replicate all the subnets and put it in the "shutdown state" (or announcing it with a very high cost, proximity routing will do the rest - ACE module can do this for the VIPs with OSPF route health injection, ACE4710 doesn't support RHI but on the upstream router you can define an IP SLA probe and perform conditional redistribution), or use a dummy VRF with all your subnets and when enabling DRP, perform route leaking... use NAT with DNS-based failover etc...
    There is no generic answer to your problem.

  • ACE FTP inspect with port range

    Hi everyone,
    I have a problem with passive FTP with fixed port range.
    I configured an FTP server with a fixed port range of 60000 - 60500 for the data channel.
    And the ACE is configured with "inspect ftp" on the policy of the ftp-serverfarm.
    In a tcpdump on the server I can see that the server uses the port range in the response packet.
    (x,x,x,x,34,195) = 60099
    But on the client I can see that the port in the packet is changed to another port. The ACE is between server and client.
    On CCO I found a document "http://www.ciscosystems.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/command/reference/policy.html#wp1006925" ->> Enables FTP inspection. The ACE inspects FTP packets, translates the address and the port that are embedded in the payload, and opens up a secondary channel for data.
    I don't understand why the ACE changes the port in the FTP payload.
    Is it possible to create the same port range in the ACE configuration for the connection to the client?
    Thanks
    René

    You don't need inspect ftp with one server because you can avoid it.
    You can for example configure a loopback on the server with the vip address and configure the serverfarm as transparent on ACE.
    Then for the data channel, since your range of ports is quite small, you can catch it with a class-map and simply forward to the server.
    Like this, the server will use the vip address in all packets exchanged with the client (no need to nat the payload) and when the client opens a data connection, the traffic is matched with the class-map and the connection can be forwarded to the server using the same transparent serverfarm.
    Less chance to run into compatibility issue.
    Better performance since we can switch traffic with inspecting its content.
    Gilles.
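
To confirm what the thread describes, the 227 reply captured on the server side can be compared with the one the client receives. This is an added example, not part of the original posts: it decodes both replies, reports whether the embedded address or port was rewritten in transit, and checks each port against the 60000 - 60500 range. The two reply lines are constructed samples.

```python
import re

# Added example: both 227 replies below are constructed, not captured traffic.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

def parse_pasv(line):
    """Return (ip, port) from an FTP 227 reply; port = p1 * 256 + p2."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % line)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in: %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def compare_pasv(server_line, client_line, low=60000, high=60500):
    """Compare the reply seen at the server with the one seen at the client."""
    s_host, s_port = parse_pasv(server_line)
    c_host, c_port = parse_pasv(client_line)
    return {
        "server": (s_host, s_port),
        "client": (c_host, c_port),
        "address_rewritten": s_host != c_host,
        "port_rewritten": s_port != c_port,
        "server_port_in_range": low <= s_port <= high,
        "client_port_in_range": low <= c_port <= high,
    }

# Constructed samples: real server address on one side, VIP on the other.
SERVER_SIDE = "227 Entering Passive Mode (10,0,0,10,235,40)"
CLIENT_SIDE = "227 Entering Passive Mode (192,0,2,10,4,31)."

if __name__ == "__main__":
    for key, value in compare_pasv(SERVER_SIDE, CLIENT_SIDE).items():
        print(key, "=", value)
```

A client-side port outside the configured range means firewall rules written only for 60000 - 60500 will not match the data connection while payload rewriting is active.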

  • ACE: Read users under a particular User Group

    Hi Experts,
    We have a requirement, in which we want a particular view to be displayed only to a few particular users, who are present in some Custom Defined ACE User Groups.
    Can someone please provide me with the Function modules/Coding part, by which I can get all the users of a particular User Group of ACE (say 'ZCRMADMIN' in our case), that we define in SPRO->Basic Functions -> ACE.
    Thanks in advance,
    Rohit

    Hello, Rohit!
    First of all read these blogs:
    The concept and implementation of CRM-ACE
    Configuration & Implementation of CRM Access Control Engine (ACE)-Part 1
    Then in this blog there are code samples:
    Configuration & Implementation of CRM Access Control Engine (ACE)-Part 2
    If you still have any questions, post them here, I'll try to help you.
    Best regards,
    Artur Litvinov.
