ACE ipsec issue

Hello,
we are using the ACE to establish redundancy for our VPN devices.
In this setup there is one active and one standby box.
If the primary box goes down, all the tunnels are moved to the standby box; this is working as expected.
Now we have the problem that if the primary box comes back online, the tunnel is not correctly balanced back to the primary box.
On the backup box the tunnel is still in QM_IDLE, and on the primary box, which is now back in service, the tunnel is stuck in the state AG_INIT_EXCH.
To get the tunnel back to the primary box, the connection table on the ACE needs to be cleared (clear conn all).
Since we have an active/standby construct, stickiness is not required (and it's not working either, I tried it).
Here are the snippets of the config:
serverfarm host backup_1
  transparent
  failaction purge
  probe ICMP
  rserver ONE
    backup-rserver TWO
    inservice
  rserver TWO
    inservice standby
class-map match-any IPSEC
  match virtual-address 1.1.1.1 50
  match virtual-address 1.1.1.1 udp eq 500
  match virtual-address 1.1.1.1 udp eq 4500
policy-map type loadbalance first-match IPSEC
  class class-default
    serverfarm backup_1
Same setup, but with two serverfarms:
serverfarm host backup_1
  transparent
  failaction purge
  probe ICMP
  rserver ONE
    inservice
serverfarm host backup_2
  transparent
  failaction purge
  probe ICMP
  rserver TWO
    inservice
class-map match-any IPSEC
  match virtual-address 1.1.1.1 50
  match virtual-address 1.1.1.1 udp eq 500
  match virtual-address 1.1.1.1 udp eq 4500
policy-map type loadbalance first-match IPSEC
  class class-default
    serverfarm backup_1 backup backup_2
Thanks in advance for any help.

Hi again,
@Joo, you are right for a scenario with a primary and a backup rserver, but if you use a primary and a backup serverfarm it should work in theory; it does not work in practice, though.
Enabling Load Balancing to a Server Farm (Configuring a Backup Server Farm)
You can load balance a client request for content to a server farm by using the serverfarm command in policy-map class configuration mode. Server farms are groups of networked real servers that contain the same content and that typically reside in the same physical location. The syntax of this command is as follows:
serverfarm name1 [backup name2 [sticky] [aggregate-state]]
The keywords, arguments, and options are as follows:
•name1—Unique identifier of the server farm. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
•backup name2—(Optional) Designates an existing server farm as a backup server farm in case all the servers in the original server farm become unavailable. When at least one server in the primary server farm becomes available again, the ACE sends all connections to the primary server farm. Enter the name of an existing server farm that you want to specify as a backup server farm as an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
regards
ed
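
The fail-back behaviour described in this thread, modelled in Python as an added example (not Cisco code and not code from the posts): a toy ACE connection table with a primary and an "inservice standby" rserver, "failaction purge", and an idle timeout for UDP/ESP entries. The VIP and ports come from the class-map above; the peer address 203.0.113.5, the 30-second DPD interval and the 120-second idle timeout are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Key the ACE keeps per connection: client, VIP, protocol and
    destination port (0 for ESP, IP protocol 50, which has no ports)."""
    src: str
    vip: str
    proto: str
    dport: int = 0


@dataclass
class ConnEntry:
    rserver: str      # rserver chosen when the connection was created
    last_seen: float  # refreshed by every packet of the flow


class ServerfarmWithBackup:
    """Model of 'rserver ONE / backup-rserver TWO / inservice standby' with
    'failaction purge'. Assumption: UDP/ESP entries idle out after
    idle_timeout seconds without traffic."""

    def __init__(self, primary, backup, idle_timeout=120.0):
        self.primary, self.backup = primary, backup
        self.up = {primary: True, backup: True}
        self.idle_timeout = idle_timeout
        self.conns = {}   # Flow -> ConnEntry

    def _select(self):
        """Load-balancing decision; taken for NEW connections only."""
        if self.up[self.primary]:
            return self.primary
        if self.up[self.backup]:
            return self.backup
        return None

    def _expire(self, now):
        stale = [f for f, e in self.conns.items()
                 if now - e.last_seen > self.idle_timeout]
        for f in stale:
            del self.conns[f]

    def packet(self, flow, now):
        """Forward one packet: an existing entry is pinned to its rserver
        and refreshed; only a flow with no entry is load balanced."""
        self._expire(now)
        entry = self.conns.get(flow)
        if entry is None:
            target = self._select()
            if target is None:
                return None
            entry = self.conns[flow] = ConnEntry(target, now)
        entry.last_seen = now
        return entry.rserver

    def probe(self, rserver, up):
        """Probe result. A failure purges that rserver's connections
        (failaction purge); a recovery changes nothing in the table."""
        self.up[rserver] = up
        if not up:
            self.conns = {f: e for f, e in self.conns.items()
                          if e.rserver != rserver}

    def clear_conn_all(self):
        self.conns.clear()


def failback_scenario(clear_table):
    """Replay the thread's sequence of events. Returns which rserver carries
    the tunnel initially, after failover, and after the primary recovers."""
    farm = ServerfarmWithBackup("ONE", "TWO")
    peer = "203.0.113.5"                        # constructed remote VPN peer
    ike = Flow(peer, "1.1.1.1", "udp", 500)     # IKE, from the class-map
    esp = Flow(peer, "1.1.1.1", "esp")          # ESP, protocol 50
    t = 0.0
    first = farm.packet(ike, t)
    farm.packet(esp, t)                         # tunnel pinned to ONE
    farm.probe("ONE", False)                    # primary fails: ONE purged
    t += 1
    failover = farm.packet(ike, t)
    farm.packet(esp, t)                         # tunnel rebuilt on TWO
    farm.probe("ONE", True)                     # primary back in service
    for _ in range(20):                         # DPD every 30 s (assumed)
        t += 30                                 # keeps both entries fresh,
        farm.packet(ike, t)                     # so they never idle out
        farm.packet(esp, t)
    if clear_table:
        farm.clear_conn_all()                   # the 'clear conn all' step
    t += 1
    after = farm.packet(ike, t)                 # next IKE packet
    return first, failover, after


if __name__ == "__main__":
    print("without clear conn all:", failback_scenario(False))
    print("with clear conn all:   ", failback_scenario(True))
```

Without the clear, the IKE and ESP entries created during the outage stay pinned to TWO for as long as keepalives keep refreshing them, which is exactly the state the thread describes; only a new entry is balanced to ONE.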

Similar Messages

  • ACE Configuration Issue.

    We would like to configure the ACE as below:
    the virtual IP address and port like this:
    10.10.10.10:8000; this IP address will be used for outside user service requests,
    and we have to configure the server farm like below:
    real servers 10.10.10.1:8001, 10.10.10.1:8002, 10.10.10.1:8003 ...
    The IP address is the same on 10.10.10.10:8000's serverfarm, but the real server service is different, and these ports should be load balanced and health checked.
    Is this a possible solution? F5 BIG-IP and Nortel can do it, but I don't know about the above issue on ACE.
    If you can, could you give me a sample configuration?

    page 2....
    Also I forgot to tell you to:
    8. create a resource-class
    9. create a context other than the Admin context if you need multiple contexts
    (inside the context, add the resource class)
    10. class-map type management (for remote access)
    Kindly find a config sample as follows:
    ACE/Admin# sh run
    Generating configuration....
    resource-class ABCD_Resource
    limit-resource all minimum 5.00 maximum unlimited
    limit-resource sticky minimum 5.00 maximum unlimited
    boot system image:c4710ace-mz.A3_2_1.bin
    hostname ACE
    context Admin
    member ABCD_Resource
    access-list everyone line 10 extended permit icmp any any
    access-list everyone line 20 extended permit ip any any
    access-list for-cap line 8 extended permit ip any any
    probe http HTTP-Probe
    port 8000
    interval 2
    faildetect 2
    passdetect interval 15
    request method head
    probe icmp ICMP-Probe
    interval 2
    faildetect 2
    passdetect interval 60
    probe tcp TCP-8000
    port 8000
    interval 2
    faildetect 2
    passdetect interval 15
    passdetect count 2
    open 1
    rserver host A
    ip address 10.10.10.1
    inservice
    rserver host B
    ip address 10.10.10.2
    inservice
    rserver host C
    ip address 10.10.10.3
    inservice
    rserver host D
    ip address 10.10.10.4
    inservice
    serverfarm host SF-8000-1
    probe ICMP-Probe
    probe TCP-8000
    rserver A 8000
    inservice
    rserver B 8000
    inservice
    serverfarm host SF-8000-2
    probe HTTP-Probe
    probe ICMP-Probe
    probe TCP-8000
    rserver C 8000
    inservice
    rserver D 8000
    inservice
    class-map match-all L4-CLASS-REDIRECT-1
    2 match virtual-address 10.10.60.10 tcp eq www
    class-map match-all VIP-PORT-8000-1
    2 match virtual-address 10.10.60.10 tcp eq https
    class-map match-all VIP-PORT-8000-2
    2 match virtual-address 10.10.60.12 tcp eq https
    class-map type management match-any remote-mgmt
    10 match protocol ssh any
    20 match protocol telnet any
    30 match protocol icmp any
    40 match protocol http any
    50 match protocol https any
    class-map match-any server-initiated
    3 match source-address 10.10.10.4 255.255.255.255
    4 match source-address 10.10.10.3 255.255.255.255
    policy-map type management first-match remote-access
    class remote-mgmt
    permit
    policy-map type loadbalance first-match VIP-POLICY-8000-1
    class class-default
    policy-map multi-match Service-Policy-8000-1
    class VIP-PORT-8000-1
    loadbalance vip inservice
    loadbalance policy VIP-POLICY-8000-1
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 60
    class L4-CLASS-REDIRECT-1
    loadbalance vip inservice
    loadbalance policy VIP-POLICY-8000-1
    policy-map multi-match Service-Policy-8000-2
    class VIP-PORT-8000-2
    loadbalance vip inservice
    loadbalance policy VIP-POLICY-8000-2
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 60
    ssl-proxy server SSL-Offload-Proxy-2
    policy-map multi-match server-side
    class server-initiated
    nat dynamic 1 vlan 60
    interface vlan 10
    description APPPROD-Client-Vlan
    bridge-group 10
    mtu 1500
    access-group input everyone
    access-group output everyone
    service-policy input remote-access
    no shutdown
    interface vlan 30
    description management-vlan-interface
    ip address 10.10.30.22 255.255.255.0
    access-group input everyone
    access-group output everyone
    service-policy input remote-access
    no shutdown
    continued page 3......

  • ACE FTP issues with "inspect ftp"

    Hello.
    My clients want to access an FTP server via ACE, and I am having some issues. They can log in and issue only one command... the second command will not be accepted and after a few seconds the prompt shows the message "connection closed by remote host".
    I have sniffed traffic and I see that the connection between the client and the ACE has a strange behaviour because the ACE opens the data connection using a source port of 1039 (it should be 20, since we are using an active mode client); between the ACE and the real server it runs in active mode (I see normal ftp-data packets).
    Another strange thing is that I have FWSMs and they let traffic pass from ACE to client (they should expect traffic coming from port 20 and not 1039).
    I am doing source NAT and ACE is doing all the necessary changes on source IP addresses.
    Has anyone seen similar behaviour?
    Any help would be appreciated.
    Attached I send my config and traffic sniffing.
    Thanks in advance.
    Joao Ribau
    P.S. - client is 10.1.44.98; VIP is 10.1.9.150; real server 10.1.36.124

    Hello.
    I didn't mention this before, but the gateway of all my networks is an ACE that is load balancing traffic to two firewall clusters. I think this is not important because I have a "catch all" VIP on all my interfaces; I assume that ACE forwards traffic with no restrictions or inspections, leaving the inspection job to the firewalls and to the ACE that I use to load balance services.
    I don't think this could be the problem, but just to make sure I decided to post it.
    Best regards,
    Joao Ribau.
    P.S. - my configs on the ACE that load balances traffic to the firewalls are very straightforward: serverfarms (interfaces of the firewalls), a class-map with a "catch-all" VIP, a policy-map for the serverfarm, a policy-map to tie the class to the serverfarm and finally a service-policy applied to each interface.

  • Standby cisco ACE loadbalancer issues (network connectivity)

    Hi All,
    We are having issues with the secondary (standby) load balancer ACE module on a 6500 switch. We see that the load balancer is not able to get onto the network, which leads to problems with fault tolerance as well. Following is the FT status found on the load balancer for one of the contexts (this is the same pattern seen on all the contexts).
    switch/Admin# sh ft group status
    FT Group                     : 1
    Configured Status            : in-service
    Maintenance mode             : MAINT_MODE_OFF
    My State                     : FSM_FT_STATE_ACTIVE
    Peer State                   : FSM_FT_STATE_UNKNOWN
    Peer Id                      : 1
    No. of Contexts              : 1
    Sh arp on all the contexts shows the gateway/rserver to be unreachable. Please find the screenshot below for one of the contexts (the same pattern is seen on the LB for all other contexts)
    switch/1_Context# sh arp
    Context CSD_Context
    ================================================================================
    IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  NextArp(s) Status
    ================================================================================
    172.21.128.97   00.00.00.00.00.00  vlan942   GATEWAY    -                   dn
    172.21.128.103  00.0b.fc.fe.1b.09  vlan942   ALIAS      LOCAL     _         up
    172.21.128.105  00.12.43.dc.93.23  vlan942   INTERFACE  LOCAL     _         up
    7.0.0.4         00.0b.fc.fe.1b.09  vlan943   NAT        LOCAL     _         up
    - 7.0.0.6
    172.21.147.196  00.0b.fc.fe.1b.09  vlan943   ALIAS      LOCAL     _         up
    172.21.147.198  00.12.43.dc.93.24  vlan943   INTERFACE  LOCAL     _         up
    172.21.147.200  00.00.00.00.00.00  vlan943   RSERVER    -       * 3 req     dn
    172.21.147.202  00.00.00.00.00.00  vlan943   RSERVER    -       * 2 req     dn
    172.21.147.204  00.00.00.00.00.00  vlan943   RSERVER    -                   dn
    172.21.147.206  00.00.00.00.00.00  vlan943   RSERVER    -                   dn
    172.21.147.208  00.00.00.00.00.00  vlan943   RSERVER    -       * 3 req     dn
    172.21.147.210  00.00.00.00.00.00  vlan943   RSERVER    -       * 2 req     dn
    172.21.147.212  00.00.00.00.00.00  vlan943   RSERVER    -       * 1 req     dn
    172.21.147.214  00.00.00.00.00.00  vlan943   RSERVER    -       * 1 req     dn
    172.21.147.216  00.00.00.00.00.00  vlan943   RSERVER    -       * 3 req     dn
    7.0.0.1         00.0b.fc.fe.1b.09  vlan943   NAT        LOCAL     _         up
    - 7.0.0.3
    The problem is that we see the problem only on the secondary load balancer; the primary is just running fine.
    Also I can see some traffic denial in the Admin context for resource usage:
    switch/Admin# sh resource usage
                                                         Allocation
            Resource         Current       Peak        Min        Max       Denied
    Context: Admin
      conc-connections              9          9     160000    6560000          0
      mgmt-connections              0         46       2000      82000          0
      proxy-connections             0          4      20972     859830          0
      xlates                        0          0      20972     859830          0
      bandwidth                     0   17715713   10000000  535000000    5799749
        throughput                  0   17710993   10000000  410000000    5799749
        mgmt-traffic rate           0       4720          0  125000000          0
      connection rate               0         43      20000     820000          0
      ssl-connections rate          0          0        100       4100          0
      mac-miss rate                 0          1         40       1640          0
      inspect-conn rate             0          0        120       4920          0
      acl-memory                56336      56336    1570072   64460552          6
      sticky                        0          0      83886          0          0
      regexp                        0          0      20972     859832          0
      syslog buffer             82944      82944      82944    3447808          0
      syslog rate                   0         44       2000      82000         25
    Context: INTEGRATION_Context
      conc-connections              0       3934     160000          0          0
      mgmt-connections              0         98       2000          0          0
      proxy-connections             0         33      20972          0          0
      xlates                        0          0      20972          0          0
      bandwidth                     0   10019910   10000000  125000000      40857
        throughput                  0   10000000   10000000          0      40857
        mgmt-traffic rate           0      19910          0  125000000          0
      connection rate               0         49      20000          0          0
      ssl-connections rate          0          0        100          0          0
      mac-miss rate                 0         32         40          0          0
      inspect-conn rate             0         58        120          0          0
      acl-memory                11920      11920    1570072          0          0
      sticky                        0          1      83886          0          0
      regexp                        0          0      20972          0          0
      syslog buffer                 0      82944      82944    3447808          0
      syslog rate                   0        312       2000          0          0
    These above 2 contexts are the only ones which have bandwidth resource usage exceeding the limit, but I am somehow not sure if this is the issue. As there is just no traffic on the secondary, how can the bandwidth reach the threshold? Can anyone throw some light on this issue?
    thanks and regards
    kiran

    VLAN configuration on the Standby_ACE switch:
    svclc multiple-vlan-interfaces
    svclc module 1 vlan-group 1,4,12,13,
    svclc vlan-group 1  968
    svclc vlan-group 12  132
    svclc vlan-group 13  367-372,374,375,379,380,538,805,807,808,818,913,915
    svclc vlan-group 13  917-920,922-924,933,934,937,938,942-949,972,976-979,983
    svclc vlan-group 13  984
    ip subnet-zero
    no ip source-route
    VLANs on the standby ACE:
    switch/Admin# sh vlans
    Vlans configured on SUP for this module
    vlan132  vlan360  vlan367-375  vlan379-380  vlan538  vlan805  vlan807-808  vlan818  vlan913  vlan915  vlan917-920  vlan922-924  vlan930  vlan933-934  vlan937-938  vlan942-949  vlan968  vlan971-972  vlan976-979  vlan983-984
    switch/Admin#
    Active_LB_host_switch is the switch hosting the active ACE; it is connected on Ten7/4 and Ten8/4, which are bundled into port-channel Po72.
    CDP neighbor hosting the active ACE
    Active_LB_host_switch
                     Ten 7/4           148          R S I     WS-C6513  Ten 7/4
    Active_LB_host_switch
                     Ten 8/4           156          R S I     WS-C6513  Ten 8/4
    Po72 allows all the VLANs which are configured for the ACE modules.
    Port                Vlans allowed on trunk
    Po72                132,140,181,359-383,538,668,702,805-808,815-816,818-820,836,907,909-920,922-925,
                929-935,937-949,967-973,976-984,987,3212
    VLAN 968 is the FT VLAN and the same has been allowed on the trunk port.
    Everything looks good to me, but I am still not sure why the ACE module isn't coming onto the network. It was working fine a few months back, but all of a sudden it lost network connectivity. I am not even able to ping the physical IP of the ACE module.
    thanks and regards
    kiran

  • ACE Reconciliation issue

    Hi,
    The ACE Reconciliation Task scheduler is not creating events on OIM, and we could see that users are being pulled in from the ACE servers (through RM logs); also the task status remains as Running forever.
    Can someone please suggest or recommend a way to debug this issue?
    Thanks

    Have you tried increasing the logging level to debug and checked the logs?

  • IPSEC issue in Cisco IAD 2431

    Hello all,
    I came across something when I was troubleshooting IPsec VPN connections between two Cisco IAD 2431s. Here is a snapshot of the config on one of the routers:
    crypto map vpnmap 6 ipsec-isakmp
      description To_Grovecity
      set peer X.X.X.X
      set transform-set vpnset
      match address To_Grovecity
    crypto map vpnmap 10 ipsec-isakmp
      description To_Datacenter
      set peer Y.Y.Y.Y
      set transform-set vpnset
      match address To_Datacenter
      qos pre-classify
    ip access-list extended To_Grovecity
      permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
    ip access-list extended To_Datacenter
      permit ip 10.24.96.0 0.0.0.255 10.11.12.0 0.0.0.255
      permit ip 10.24.96.0 0.0.0.255 172.31.46.0 0.0.0.255
      permit ip 10.24.96.0 0.0.0.255 10.80.102.0 0.0.0.255
      permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
      permit ip 10.24.96.0 0.0.0.255 10.24.69.0 0.0.0.255
      permit ip 10.24.96.0 0.0.0.255 192.168.15.0 0.0.0.255
    From this router's LAN interface (10.24.96.1), I couldn't ping the LAN interface of the router corresponding to the Grovecity peer, which is X.X.X.X. The LAN interface at Grovecity is 10.80.103.3.
    As soon as I removed the statement "permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255", which was unnecessarily present in the To_Datacenter ACL, things started working.
    What confuses me is that since the crypto map vpnmap entry for Grovecity is at sequence 6 and is before the vpnmap entry for Datacenter, the statement "permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255" under the To_Datacenter ACL would never be considered, and it shouldn't matter whether that statement is present in the ACL or not, but apparently it does. Has anyone faced this before or am I missing something?
    Thanks
    Mukundh

    Hi,
    In order to successfully build an SA, the L2L peers need to exchange the exact same ACE (mirrors of each other) along with other parameters like the transform-set, PFS group (if configured)...
    Otherwise Phase II does not come up.
    Thanks.
    Portu.
    Please rate any helpful posts.

  • ACE MAXCONNS issue

    Hi,
    This is with regards to my customer who is facing the following problem with Maxconns – “we are using TCP probes and MaxConn and MinConn are used to determine when a server is busy or not.
    If the MaxConn is exceeded then busy server trips in and stops when the number of TCP sessions drop below MinConn.
    However, we have a situation where if MaxConn is exceeded counting of TCP connections stops and the connections never come down.”
    The customer currently has A2(1.4a) deployed in its network. On perusing the release notes I came across this bug, CSCsy30440/CSCsy04371 - ACE: rservers may not accept conns even though they are out of maxconns. I am wondering if this is the issue that they might be facing currently.
    Will this issue be resolved for them if I recommend that they move to the A2(1.6a) or A2(2.3) release?
    Is there a workaround for this other than configuring a backup serverfarm, which my customer has already configured? Would it make a difference if they used HTTP probes instead of TCP probes?
    Also is there a way to simulate the connection count behavior using HTTP probes?
    Would really appreciate some help with this issue.
    Thanks & Regards
    Vidhya Nair

    Vidhya,
    You have to open a TAC service request so that we can collect the necessary information with the lbinspect tool.
    If you don't want to do any troubleshooting, simply upgrade to the latest version and see if that helps.
    Gilles.

  • ACE deploying issue,

    Hi,
    I have a question regarding deploying configurations to the ACE with ANM. I presume it should deploy in a few seconds, but for me it takes 8 to 10 minutes. Can anyone suggest why this is taking so much time?
    Thanks in advance.

    Do you have a large config? How many contexts?
    Is there an issue with the connection between the ANM server and the ACE (low bandwidth,...)
    Did you install the ANM on an approved server (meets the min requirements?)
    ACE is well discovered by ANM?
    Keep us posted.

  • ACE Sticky issue.

    Hi,
    The Sticky function of the ACE is not working. There were no changes made on the device; it was working fine before but not now.
    We have 2 ACEs, one is Active (ACE1) and the second one is Standby (ACE2).
    Testing done till now:
    ================
    1) Did the failover from Active (ACE1) to Standby (ACE2).
    When ACE2 was Active, Sticky started working fine without any issues.
    2) When I did the failover again back from ACE2 to ACE1, the problem arose: Sticky doesn't work any more.
    Any suggestion about this strange behaviour?
    Thanks in advance.
    Regards
    Alex.

    What version do you run ?
    What type of sticky method ?
    Could you get a
    - show np 1 me-stats "-slb"
    and a
    - show np 2 me-stats "-slb"
    Possibly get 2 occurrences, one before and one after a test.
    Thanks,
    Gilles.

  • ACE: buffer issue?

    Hi all,
    I implemented an ACE for "ACCOUNTCRM" and an event background job is triggered to update the trace table whenever an account is created. However, I notice that the returned results are incorrect, due to some buffer issue, I suspect.
    My scenario is that an agent in group A is only allowed to see accounts in group A (based on certain criteria). If the agent creates an account in the WebUI which does not meet the ACE rule, this new account should not appear in the account search result list. But in my implementation the new account is shown in the result list, which is wrong.
    I tried to trace using the ACE simulator and I got the correct result list. And if I launch a WebUI to do the account creation, then log off or use another session to do the searching, the correct result list is displayed. However, if I create the account, followed by searching for the account in the same WebUI session, then the result list is wrong.
    Anyone encountered such problem?
    cheers,
    ginnie

    Solved by adding an ACE general parameter.
    cheers,
    ginnie

  • ACE/GSS issue

    I am having an odd issue with a client's GSS/ACE setup. They have two data centers. Each has two ACE appliances running in active/standby and one GSS. The GSS appliances are in an active/standby setup as well. When they run on the primary GSS and ACE in their one data center, all the sites respond and work properly. However, when we tell the GSS to use the other ACE appliances, everything works except their main website. The main website uses KAL-AP by VIP for the keepalive method. When I look at the GSS monitoring, it says 'offline (load: 255)'. I have looked through the GSS configuration for the Answers at both locations and there aren't any differences. Secure KAL-AP is configured on the ACE appliances at both locations and it looks like it is communicating with the GSS without any issues.
    Here is something else I noticed. I checked the GSS while writing this post and noticed the primary GSS is showing offline (load: 255) for the main site for this client. However, the standby GSS is showing online for this site.
    I am really not sure where to go with this issue, so any suggestions are appreciated.
    TIA,
    Dan

  • ACE slowness issue when one server goes down

    Hi,
    We have two application servers. Both are load balanced using ACE.
    When we bring down one server, we find that when we upload some files to the second application server, it is too slow.
    But when the primary server comes up again the performance increases. This issue happens only when we bring the primary server down.
    We are using cookie-based stickiness. Any ideas where we can look?
    Rgds.,
    Sachin

    Depending on the load-balancing algorithm or predictor that you configure, the ACE performs a series of checks and calculations to determine which server can best service each client request. The ACE bases server selection on several factors including the source or destination address, cookies, URLs, HTTP headers, or the server with the fewest connections with respect to load.
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/slb/guide/classlb.html

  • ACE redirection issue

    Hi, we have our main website https://abc.com and it provides links to users for various applications. If I go to https://abc.com and click the link xyz on it, I get back to the main page again and current connections drop to 0. Here my browser should be redirected to https://abc.com/xyz, which is not happening. Traffic is getting tunnelled to https://abc.com as seen in the logs in the HTTP catcher.
    But if I type https://abc.com/xyz in the browser, I go to the correct page.
    Below is my configuration. Please let me know if any other configuration is needed. The config below is with 2 links, but actual production has many links.
    I have a similar issue for another application where links on the main page can not be accessed. That application works on HTTP instead of HTTPS.
    rserver redirect xyz
      inservice
      webhost-redirection "https://abc.com/xyz"
    rserver redirect uvw
      inservice
      webhost-redirection "https://abc.com/uvw"
    rserver host abc
    ip address 1.1.1.1
    inservice
    serverfarm redirect xyz
    rserver xyz
    inservice
    parameter-map type http case_param
      case-insensitive
      no persistence-rebalance (i also tried enabling it)
      set header-maxparse-length 65535
      set content-maxparse-length 65535
      length-exceed continue
    parameter-map type ssl abc
      cipher RSA_WITH_3DES_EDE_CBC_SHA
    ssl-proxy service abc
      key abc
      cert abc
      ssl advanced-options abc
    serverfarm redirect uvw
    rserver uvw
    inservice
    serverfarm host abc
    rserver abc
    inservice
    class-map type http loadbalance match-any map1
       match http url /xyz.*
    class-map type http loadbalance match-any map1
       match http url /uvw.*
    policy-map type loadbalance first-match ssl-abc
    class map1
        serverfarm xyz
    class map2
        serverfarm uvw
    class class-default
        serverfarm abc 
    class ssl-intranet
        loadbalance vip inservice
        loadbalance policy ssl-abc
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 368
        appl-parameter http advanced-options case_param
        ssl-proxy server abc
    The IP address mentioned for abc.com (1.1.1.1) is on a Cisco CSS (VIP for www.abc.com for internal users) which is serving my internal clients. The CSS then points to the actual server hosting abc.com. The ACE is serving clients coming from the Internet and the CSS is serving my internal clients, which connect with HTTP. Is this problem because of a communication issue between the ACE and the CSS?
    Can anybody suggest?

    class-map match-all intranet
      2 match virtual-address 198.184.231.7 tcp eq www
    class-map match-all ssl-intranet
      2 match virtual-address 198.184.231.7 tcp eq https
    I have 2 different policy maps......... the intranet map redirects to the ssl-intranet map, which then makes the redirection to the individual applications.
    policy-map multi-match external-lb
      class extranet
        loadbalance vip inservice
        loadbalance policy extranet
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 368
        appl-parameter http advanced-options case_param
      class ssl-extranet
        loadbalance vip inservice
        loadbalance policy ssl-extranet
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 368
        appl-parameter http advanced-options case_param

  • VRF-aware IPSec Issues

    Hello All
    I will be grateful if someone can assist me with this please.
    I am having issues with this setup and the VPN tunnel shows down. Can someone please advise where I may be going wrong? The test setup is as below and I have also attached the current configs.
    VPN_RTR#sh crypto session
    Crypto session current status
    Interface: GigabitEthernet0/1.84
    Session status: DOWN
    Peer: 1.1.1.2 port 500
      IPSEC FLOW: permit ip host 10.10.10.1 0.0.0.0/0.0.0.0
            Active SAs: 0, origin: crypto map
    Interface: GigabitEthernet0/1.85
    Session status: DOWN
    Peer: 1.1.1.6 port 500
      IPSEC FLOW: permit ip host 10.10.11.1 0.0.0.0/0.0.0.0
            Active SAs: 0, origin: crypto map

    Hello,
    Modify your ACL on both routers to identify the interesting traffic which will be encrypted; in your case, traffic between loopbacks in the same VRF.
    INETSERV1_TEST
    ip access-list extended P1-VPN
      permit ip host 10.10.10.1 host 192.168.0.1
    ip access-list extended P3-VPN
      permit ip host 10.10.11.1 host 192.168.1.1
    VPN_RTR
    ip access-list extended P1-VPN
      permit ip host 192.168.0.1 host 10.10.10.1
    ip access-list extended P3-VPN
      permit ip host 192.168.1.1 host 10.10.11.1
    After this change, you should be able to ping between the loopbacks.
    Best Regards
    Please rate all helpful posts and close solved questions
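The requirement behind the answer above is that each peer's crypto ACL is the exact mirror (source and destination swapped) of the other peer's. The script below is an added example for this thread, not the posters' own code: it parses `ip access-list extended` blocks out of two constructed config excerpts (copied from the answer's ACLs, plus a deliberately broken variant that still uses `any`) and reports every ACL whose remote copy is not the mirror. It assumes the ACL names match on both routers, as they do here; in general the pairing comes from the crypto map.

```python
"""Check that the crypto ACLs on two IOS IPsec peers are mirror images.

Added example for this thread, not the posters' own code. The two config
excerpts are constructed from the ACLs in the answer above, and the check
assumes the ACL names match on both routers (they do here; in general the
binding is through the crypto map).
"""
import re
from typing import Dict, List, Tuple

# (action, protocol, source, destination); addresses normalised to "addr/wildcard"
Ace = Tuple[str, str, str, str]

INETSERV1_TEST = """
ip access-list extended P1-VPN
 permit ip host 10.10.10.1 host 192.168.0.1
ip access-list extended P3-VPN
 permit ip host 10.10.11.1 host 192.168.1.1
"""

VPN_RTR = """
ip access-list extended P1-VPN
 permit ip host 192.168.0.1 host 10.10.10.1
ip access-list extended P3-VPN
 permit ip host 192.168.1.1 host 10.10.11.1
"""

# Constructed negative case: one side still uses "any" for the remote end,
# so its entry is not the mirror of the peer's.
VPN_RTR_BROKEN = """
ip access-list extended P1-VPN
 permit ip host 192.168.0.1 any
ip access-list extended P3-VPN
 permit ip host 192.168.1.1 host 10.10.11.1
"""


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one IOS address spec ('any', 'host X', or 'X wildcard')."""
    if tokens[0] == "any":
        return "0.0.0.0/255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]}/0.0.0.0", tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_extended_acls(config: str) -> Dict[str, List[Ace]]:
    """Collect the entries of every 'ip access-list extended' block."""
    acls: Dict[str, List[Ace]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        if current is None or not line.startswith(("permit ", "deny ")):
            continue
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        src, rest = _take_addr(tokens[2:])
        dst, _ = _take_addr(rest)
        # Port qualifiers are ignored: the crypto ACLs in this thread are plain "ip".
        acls[current].append((action, proto, src, dst))
    return acls


def mirror(ace: Ace) -> Ace:
    """The entry the other peer must carry: same action/protocol, src and dst swapped."""
    action, proto, src, dst = ace
    return (action, proto, dst, src)


def mirror_mismatches(local: Dict[str, List[Ace]], remote: Dict[str, List[Ace]]) -> List[str]:
    """Return one message per ACL whose remote copy is not the exact mirror."""
    problems: List[str] = []
    for name, entries in local.items():
        if name not in remote:
            problems.append(f"{name}: not defined on remote peer")
        elif [mirror(e) for e in entries] != remote[name]:
            problems.append(f"{name}: remote entries {remote[name]} do not mirror local {entries}")
    for name in remote:
        if name not in local:
            problems.append(f"{name}: not defined on local peer")
    return problems


if __name__ == "__main__":
    local_acls = parse_extended_acls(INETSERV1_TEST)
    print("good peer:", mirror_mismatches(local_acls, parse_extended_acls(VPN_RTR)) or "mirrored")
    print("broken peer:", mirror_mismatches(local_acls, parse_extended_acls(VPN_RTR_BROKEN)))
```

Run it as-is and the answer's ACLs come back mirrored; the broken variant is reported on P1-VPN because `any` on one side has no single-host counterpart on the other. A non-empty report is the thing to look for before chasing phase 2 negotiation failures on the routers themselves.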

  • Strange IPSEC issue

    I'm working on a problem for a customer. They want two machines to communicate with each other using IPsec with a pre-shared key.
    I've got two machines, on the same segment named 26 and 42. 26 is a Solaris 9 (122300-x) machine and 42 is on 10 (03/05)
    /etc/inet/secret/ike.preshared
    On 42:
    { localidtype IP
         localid 10.240.3.42
         remoteidtype IP
         remoteid 10.240.3.10
         key f47cb0f432e14480951095f82b735ba80a9467d08f92c88068b6a56e
    }
    On 26:
    { localidtype IP
         localid 10.240.3.10
         remoteidtype IP
         remoteid 10.240.3.42
         key f47cb0f432e14480951095f82b735ba80a9467d08f92c88068b6a56e
    }
    For /etc/inet/ike/config
    On 42:
    # Label must be unique
    { label "42-26"
    local_addr 10.240.3.42
    remote_addr 10.240.3.10
    p1_xform
    { auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }
    p2_pfs 5
    }
    On 26:
    # Label must be unique
    { label "26-42"
    local_addr 10.240.3.10
    remote_addr 10.240.3.42
    p1_xform
    { auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }
    p2_pfs 5
    }
    Finally edited /etc/inet/ipsecinit.conf to include:
    On 42:
    {daddr 10.240.3.10} apply {encr_algs 3des encr_auth_algs md5 sa shared}
    {saddr 10.240.3.42} permit { auth_algs any}
    On 26:
    {daddr 10.240.3.42} apply {encr_algs 3des encr_auth_algs md5 sa shared}
    {saddr 10.240.3.10} permit { auth_algs any}
    After bringing up in.iked and starting ipsecconf I can pass traffic between the two. Things seem to be working because if I stop ipsecconf on just one host traffic stops.
    The strange part is that with ipsec running on 26 (the Solaris 9 box) I get a very long hang when trying to login to the box, from any host. I get the same symptoms on ssh as I do on telnet. After a few minutes you're eventually logged in but the application is timing out.
    I fired up truss to watch what sshd is doing while trying to log in and the failure seems to be a process trying to write to lastlog and utmpx.
    I'm stumped. Can anyone offer any suggestion as to what I should be looking at or do you know if there's any inherent issue regarding my setup?
    Help!

    Your IPsec policy configuration (ipsecconf(1M) input) is overly broad. You're requiring IPsec on more traffic than you wanted. This is causing some of the oddness you're seeing in other network apps.
    Also, starting in S9 and later, you can use syntactically compact ipsecconf(1M) rules. Let's try these files instead, which only require protection between the two IP addresses for 42 and 26:
    # This is 42's one
    {laddr 10.240.3.42 raddr 10.240.3.10} ipsec {encr_algs 3des encr_auth_algs md5}
    # This is 26's one:
    {laddr 10.240.3.10 raddr 10.240.3.42} ipsec {encr_algs 3des encr_auth_algs md5}
    Hope this helps!
    Dan McD. - Solaris Engineering http://blogs.sun.com/danmcd/
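To see why a single-address selector is broader than a laddr/raddr pair, here is an added example for this thread (not code from the poster or from Sun): a small model of ipsecconf(1M) rule matching that evaluates host 26's posted rules and the rule from the answer against a few sample flows. The model is a simplification of the man page semantics: address selectors only (no ports or protocols), a flow counts as covered if any rule matches, and loopback packets are treated like any other inbound/outbound packet, which is an assumption. The addresses of hosts 26 and 42 are the posted ones; the admin host 10.240.3.99 is constructed.

```python
"""Which flows does each ipsecconf(1M) rule set force under IPsec?

Added example for this thread, not code from the poster or from Sun. Simplified
model of ipsecconf matching: address selectors only (no ports or protocols), a
flow is covered if any rule matches, and loopback traffic is treated like any
other inbound/outbound packet (an assumption). Host addresses are host 26's
and host 42's as posted; the admin host 10.240.3.99 is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "apply" (outbound only), "permit" (inbound only), "ipsec" (both)
    saddr: Optional[str] = None  # packet source, old-style selector
    daddr: Optional[str] = None  # packet destination, old-style selector
    laddr: Optional[str] = None  # local end, compact-syntax selector
    raddr: Optional[str] = None  # remote end, compact-syntax selector


@dataclass(frozen=True)
class Flow:
    direction: str  # "out" or "in", as seen by the host whose policy is evaluated
    src: str
    dst: str


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Does this rule select the flow? apply/permit are one-directional, ipsec is both."""
    if rule.action == "apply" and flow.direction != "out":
        return False
    if rule.action == "permit" and flow.direction != "in":
        return False
    if rule.saddr is not None and rule.saddr != flow.src:
        return False
    if rule.daddr is not None and rule.daddr != flow.dst:
        return False
    # laddr/raddr name the host's own end and the peer, whichever way the packet travels.
    local, remote = (flow.src, flow.dst) if flow.direction == "out" else (flow.dst, flow.src)
    if rule.laddr is not None and rule.laddr != local:
        return False
    if rule.raddr is not None and rule.raddr != remote:
        return False
    return True


def requires_ipsec(policy: List[Rule], flow: Flow) -> bool:
    return any(rule_matches(r, flow) for r in policy)


HOST26 = "10.240.3.10"
HOST42 = "10.240.3.42"
ADMIN = "10.240.3.99"  # constructed: a third host an admin logs in from

# Host 26's ipsecinit.conf rules as posted (old syntax).
HOST26_ORIGINAL = [
    Rule("apply", daddr=HOST42),
    Rule("permit", saddr=HOST26),
]
# Host 26's rule from the answer (compact syntax).
HOST26_FIXED = [Rule("ipsec", laddr=HOST26, raddr=HOST42)]

FLOWS = {
    "to peer": Flow("out", HOST26, HOST42),
    "from peer": Flow("in", HOST42, HOST26),
    "from admin": Flow("in", ADMIN, HOST26),
    "self-sourced": Flow("in", HOST26, HOST26),
}


def coverage(policy: List[Rule]) -> Dict[str, bool]:
    """Map each sample flow to whether the policy demands IPsec for it."""
    return {name: requires_ipsec(policy, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, policy in (("original", HOST26_ORIGINAL), ("fixed", HOST26_FIXED)):
        print(label, coverage(policy))
```

Under this model the posted permit rule, which names host 26's own address as `saddr`, does not select packets arriving from the peer but does select inbound packets sourced from the host itself, while the single `{laddr ... raddr ...} ipsec` rule selects exactly the 26/42 pair in both directions and nothing else. That is the difference between "protect the peer" and "protect whatever happens to carry this address", and it is worth running this kind of check against any policy before assuming the hang is a daemon problem.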
