ACE Logging
Hi,
I want to enable logging on the ACE appliance, which is running in multiple-context mode. I want a log entry in case any VIP server or real server goes down; it should send a trap or a log message to the syslog server. My ACE is running in routed mode and I want to have only specific logging, for the case where a monitored service or server goes down.
Please let me know how to enable only the required logging and syslog.
Hi,
Can anybody help me out? Yesterday I enabled logging, but this caused the ACE to slow down and I was hardly able to log in.
Before enabling logging, the configuration was the following:
show logging
Syslog logging: disabled
But when I entered just the following command:
logging enable
I got disconnected and was hardly able to disable the logging again.
Please let me know how to enable only specific logging so that when one VIP server is not accessible it will send the log to syslog.
Please help me out.
Similar Messages
ACE logging hassle - GLBP m-cast denies...
Need some ideas:
Have a pair of ACE's in front of a data center application. The outside interfaces are properly denying GLBP m-cast traffic from the attached pair of 6509's on the same VLAN.
2/14/2011,10:04:11 AM,10.147.254.2,???,LOCAL4,WARNING,:%ACE-4-106023: Deny udp src vlan2577:165.201.107.195/3222 dst undetermined:224.0.0.102/3222 by access-group "Public" [0xffffffff, 0x0]
2/14/2011,10:04:11 AM,10.147.254.2,???,LOCAL4,WARNING,:%ACE-4-106023: Deny udp src vlan2577:165.201.107.194/3222 dst undetermined:224.0.0.102/3222 by access-group "Public" [0xffffffff, 0x0]
These messages are normal and expected, but the denies fill up the ACE log to the tune of 30MB per day. I've looked at...
To tune out specific syslog messages:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/system/message/guide/config.html#wp1069411
ACE Syslog message guide:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/system/message/guide/messags.html#wp1145672
...but it appears if I tune out this syslog message 106023, I lose all deny reporting - don't want to do that.
Here is the existing ACL-list:
access-list Public remark Inbound Traffic
access-list Public line 1 extended permit icmp any any
access-list Public line 10 extended permit tcp any any eq https
access-list Public line 11 extended permit tcp any any eq www
I really don't want to recommend passing this m-cast traffic through the ACE, no purpose for it behind the ACE. Nor do I want to slow down the GLBP hellos just to solve a log record annoyance.
Any ideas on how I can reduce or eliminate these deny messages from the ACE log without losing all deny visibility?
Thanks,
m.
Still no joy on this one, but there was some faint hope with the solution below for ASA firewalls, which I got from engineering inside Cisco (not TAC). Unfortunately, the ACE does not support the required 'shun' command. I thought I would just post the ASA solution in case folks run across this issue in other environments and maybe, just maybe, we can get the shun command on the ACE.
Shunning allows you to black-hole or refuse particular traffic at an interface based upon source-destination addressing. This action would also be logged, but with 'shun' you can also assign a unique SYSLOG ID to the shunned traffic and so tune it out completely from the logging. If it doesn't, then there is no elegant solution.
So, check out whether the ACE has the shun command available in it. If it has the command, then the following should apply:
Possible workaround-
shun 10.17.84.2 239.192.2.0 2222 2222
That way you'll get different syslog message ID for shun traffic and you can disable logging for that traffic by-
no logging message
Reference
http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html#wp1279897
http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logconf.html#wp1067974
ACE logging - rserver and probes
On the CSS I get a notification if a server fails the keepalive and enters the state "down", "up" or "suspended". This is logged in the traplog file on the CSS.
Is there any possibility on an ACE to have logs for rserver state changes like "PROBE-FAILED", "OPERATIONAL" and "OUT-OF-SERVICE"?
Thanks in advance
Hi Gilles,
1. Looks fine, but I miss the rserver name in the log; only the IP address of the server appears.
So it looks like the "ip address log" is what is implemented :-(
b-sllb2001-09/db_bku-nK2# show rserver sthon
rserver : sthon, type: HOST
state : PROBE-FAILED
----------connections-----------
real weight state current total
---+---------------------+------+------------+----------+--------------------
serverfarm: test.db.de
172.24.100.98:0 8 PROBE-FAILED 0 0
b-sllb2001-09/db_bku-nK2# show logging | i ACE-3
Jun 25 2008 09:20:14 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
Jun 25 2008 09:20:23 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
Jun 25 2008 09:20:54 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
Jun 25 2008 09:21:54 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
2. I can find nothing in the log when the probe gets to the "operational" or "out-of-service" state.
Is this correct?
b-sllb2001-09/db_bku-nK2# show rserver sthon
rserver : sthon, type: HOST
state : OPERATIONAL
----------connections-----------
real weight state current total
---+---------------------+------+------------+----------+--------------------
serverfarm: test.db.de
172.24.100.98:0 8 OPERATIONAL 0 0
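Since the ACE emits one %ACE-3-251010/251011 line per failed probe interval (and, per the thread above, nothing when the rserver comes back), the "server is down" event the first thread asks for has to be derived at the syslog collector. The following Python is an added example written for this page, not code from Cisco or from either thread: it parses both shapes of the probe-failure message quoted on this page, folds them into one record per server, and reports a server once it crosses a failure threshold. The sample lines are the ones quoted on this page plus one constructed non-matching message; the threshold of 3 is an assumption to be tuned to the probe interval and passdetect settings in use.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Matches %ACE-3-251010/251011 in both shapes quoted on this page:
#   "Jun 25 2008 09:20:14 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout"
#   "%ACE-3-251010 Health probe failed for server 10.254.20.52 on port 80, received invalid status code"
# The timestamp, probe type, ":" after the message id and "on port N" are all optional.
PROBE_FAIL_RE = re.compile(
    r"(?:(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) : )?"
    r"%ACE-3-25101[01]:? (?:(?P<probe>\w+) )?[Hh]ealth probe failed for server "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: on port (?P<port>\d+))?, (?P<reason>.+?)\s*$"
)


@dataclass
class ProbeStatus:
    server: str                      # "ip" or "ip:port"
    failures: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    reasons: Counter = field(default_factory=Counter)


def _parse_ts(text: Optional[str]) -> Optional[datetime]:
    # ACE timestamps carry no timezone; treated as naive local time here.
    return datetime.strptime(text, "%b %d %Y %H:%M:%S") if text else None


def summarize_probe_failures(lines: Iterable[str]) -> Dict[str, ProbeStatus]:
    """Fold a stream of syslog lines into one status record per probed server."""
    status: Dict[str, ProbeStatus] = {}
    for line in lines:
        m = PROBE_FAIL_RE.search(line)
        if not m:
            continue                                   # not a probe failure
        key = m["ip"] + (f":{m['port']}" if m["port"] else "")
        st = status.setdefault(key, ProbeStatus(key))
        st.failures += 1
        st.reasons[m["reason"]] += 1
        ts = _parse_ts(m["ts"])
        if ts is not None:
            st.first_seen = st.first_seen or ts
            st.last_seen = ts
    return status


def servers_to_alert(status: Dict[str, ProbeStatus], threshold: int = 3) -> List[str]:
    """Servers that failed at least `threshold` probes in this batch. The ACE
    logs one line per probe interval, so the threshold is what turns the
    stream into a single 'server is down' event (threshold is an assumption)."""
    return sorted(k for k, st in status.items() if st.failures >= threshold)


# Constructed sample: the probe-failure lines quoted on this page plus one
# unrelated message to show that it is ignored.
SAMPLE_LINES = [
    "Jun 25 2008 09:20:14 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout",
    "Jun 25 2008 09:20:23 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout",
    "Jun 25 2008 09:20:54 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout",
    "Jun 25 2008 09:21:54 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout",
    "%ACE-3-251010 Health probe failed for server 10.254.20.52 on port 80, received invalid status code",
    "%ACE-3-251010 Health probe failed for server 10.254.20.52 on port 80, received invalid status code",
    "%ACE-3-251010 Health probe failed for server 10.254.20.52 on port 80, server reply timeout",
    "%ACE-3-251010 Health probe failed for server 10.254.20.52 on port 80, server reply timeout",
    "Jun 25 2008 09:22:00 : %ACE-6-302022: Built TCP connection 0x1 for vlan10:10.1.1.1/1024 to vlan20:10.1.2.1/80",
]

if __name__ == "__main__":
    summary = summarize_probe_failures(SAMPLE_LINES)
    for key in servers_to_alert(summary):
        st = summary[key]
        print(f"DOWN? {key}: {st.failures} failures, top reason {st.reasons.most_common(1)[0][0]!r}, "
              f"first {st.first_seen}, last {st.last_seen}")
```

The record keeps the failure reasons as a counter so that "received invalid status code" (the rserver answered, but not with the expected status) is distinguishable from "server reply timeout" (no answer at all) when the alert fires; the missing rserver name noted above cannot be recovered from the message, so the key is the address the ACE logs.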
Ace Logs from url or serverfarm
We are doing analysis on blocking source IPs: the actual usage from these source IPs, to what URLs,
authenticated / non-authenticated, etc.
Is there any solution to trace out the user requests and URL responses from a particular farm behind the source NAT?
Referring to the discussion below for my problem; can it be helpful for me?
ACE: how do I check what status code does URL returns
Hi Anand,
The short answer is no. You cannot get this information from the ACE because it doesn't include any transaction logging feature
The thread you mentioned was about probes. For those it's actually possible to see the last return code returned by the server, but the ACE will not show you this information for client connections either.
I wish I could provide you a more satisfactory answer.
Best regards
Daniel
I am tightening some of the existing ACLs in the Cisco ASA.
At the moment I am logging the traffic to see what type of traffic I am getting and configure new ACEs from there. So I am keeping the more open rule at the end while doing the logging.
I am noticing that even though I have an ACL for access to a specific host, hits from that ACE (let's call it line 1) are still appearing in the logs for the more open ACL (which is further down in the list; let's call it line 10). The ACE on line 1 has a very high hit rate, about 10 hits per second. Is this normal, that the hits seem to 'overflow' to other ACEs? I am reviewing the log with the Real-Time Log Viewer in ASDM 6.4.
Any advice will be appreciated.
Do you by chance have NetFlow configured on the ASA? If so, try to uncheck the "disable redundant syslog messages" check box.
Path in ASDM: Configuration > Device Management > Logging > NetFlow
Please remember to select a correct answer and rate helpful posts.
Hello,
We are having an issue with an HTTP-based application load-balanced by the ACE: sometimes one of the pages in the browser is partially blank (some of the code referenced in the main HTML document seems to be missing). We've discovered the following syslog message from the ACE in regard to such an HTTP session:
Jul 8 2010 09:24:03 : %ACE-6-302023: Teardown TCP connection 0xd7f1 for vlan10:10.1.1.1/1783 to vlan20:10.1.2.1/443 duration 0:00:00 bytes 45497 Exception
What can be told about this "exception" code? Documentation isn't especially helpful in this case...
thanks
WM
The error code states a connection setup error, which could be a number of things.
https://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/system/message/guide/messags.html#wp1147957
Can you post the ACE config you are using first, and any details of the web server? That would be a good place to start.
Dave
ACE sending malformed requests?
Hi,
Our ACE has several contexts, and in one of them we are seeing a single probe fail at random times, to a single particular rserver.
The logs of the ACE and the affected rserver at the same time are:
ACE logs:
%ACE-3-251010 Health probe failed for server 10.254.20.52 on port 80, received invalid status code
%ACE-3-251010 Health probe failed for server 10.254.20.52 on port 80, received invalid status code
%ACE-3-251010 Health probe failed for server 10.254.20.52 on port 80, server reply timeout
%ACE-3-251010 Health probe failed for server 10.254.20.52 on port 80, server reply timeout
rserver log:
[Mon Oct 13 18:02:12 2008] [error] [client 10.254.20.11] Client sent malformed Host header
[Mon Oct 13 19:35:37 2008] [error] [client 10.254.20.11] Client sent malformed Host header
[Mon Oct 13 20:32:30 2008] [error] [client 10.254.20.11] request failed: error reading the headers
[Mon Oct 13 21:36:22 2008] [error] [client 10.254.20.11] request failed: error reading the headers
The strange thing is that it is always the same target rserver that reports this error. Naturally, I've asked the server admins to look at this rserver, but they've seen the 'client request' errors in their logs and are suggesting the ACE is at fault.
This rserver also hosts other IP addresses that are used in the same context in different serverfarms - and it behaves as normal without error....it is just this single destination IP that seems to have a problem. Other IPs in the same serverfarm are ok.
Are there any more in-depth checks that I can do at the ACE level to verify that all is OK with the ACE?
The probe is setup like:
probe http 80-checker
interval 10
passdetect interval 3
request method get url /ping
expect status 200 200
Thanks
Cameron
I would like you to run a sniffer on the rserver and look into the HTTP header of the probe request from the ACE.
Check whether the parameters expected by the rserver are in line with the HTTP request used by the ACE probe.
For example, if the rserver is expecting "www.xyz.com" as HOST, then is the ACE really using
"HOST:www.xyz.com" in the HTTP request header?
Thanks
Syed Iftekhar Ahmed
Cisco ACE asymmetric routing - DNS traffic
Hi,
I am wondering if the ACE supports asymmetric routing.
In my setup the ACE is connected to a router with two transit L3 interfaces. The interfaces on the router side belong to different VRFs (e.g. VRF-A & VRF-B). The router is running MPLS in order to connect to the internet border gateway router and then to the internet.
Now the issue is that the ACE got the default route with the next hop as the router's interface in VRF-A. However, the server's subnet (SVI on the ACE) is advertised on the router in VRF-B.
So the outbound traffic (DNS query) from the servers to the internet takes the default route with the next hop of the router's interface in VRF-A, and the inbound traffic (DNS response) comes back via MPLS using VRF-B. That is because the server's subnet is only advertised in VRF-B, so the remote internet border gateway will see the server's subnet with the route-target applied to it in VRF-B.
When I enabled reverse-path forwarding on the transit interface I could clearly see in the ACE logs that the DNS response was getting dropped on the ACE. I have even removed reverse-path forwarding (nothing in the logs, but the DNS response from the internet still can't reach the servers). I think logically it's still asymmetric routing from the ACE's point of view, but I'm not sure.
Can anyone please confirm the solution to this issue? I am thinking that if I advertise the server's subnet in VRF-A as well, then it will be symmetric routing, but I'm not 100% sure it will fix it.
So just wondering if there are any other options advisable?
Thanks
Is it not possible to have a host route added to the destination server? This would allow the traffic to be routed back the same way it came, and thus the connection would work.
Try adding a static route onto the destination server along the lines of ...
route add [source address of server] mask 255.255.255.255 [IP address of ACE interface]
This would cause the traffic to be routed between the two hosts via the ACE module which is good because the ACE is acting as a router between the two network segments.
That's just what I would do but I understand that it may not be the option you want.
Good luck
Cisco ACE A2(2.0) - webhost-redirection
Hello,
We are currently running ACE version A2(2.0), a pretty old one, on a Cisco ACE module. We have applied webhost-redirection https://%h%p 302, but it doesn't seem to take effect and always goes back to the host header value.
Is it a bug or a missing feature in the A2(2.0) build?
Please assist.
Thanks.
Also, is there a way to check in the ACE logs what redirects are taking place, to identify any issues etc.?
Thanks.
Unable to view logging information on the context
Unable to see the logging messages on the user context on the ACE, but able to view the logging on the Admin context.
Admin# sh logging
Message logging: none
Buffered logging: enabled (level - debugging) maximum size 1048576
Buffer info: current size - 1048576 global pool - 1048576 used pool - 1048576
min - 0 max - 1048576
cur ptr = 916918 wrapped - yes
messages are displayed on the logging screen
production# sh logging
Message logging: none
Buffered logging: enabled (level - information) maximum size 0
Buffer info: current size - 0 global pool - 1048576 used pool - 1048576
min - 104448 max - 0
cur ptr = 0 wrapped - yes
On the production context cur ptr = 0 and no messages are displayed on the screen.
Not sure if I am missing any config.
No logging messages on the ACE; these are the commands issued on the ACE:
logging enable
logging fastpath
logging console 6
logging timestamp
logging history 7
logging buffered 7
logging monitor 6
This is the output I am getting
ace2/Admin# sh logging
Syslog logging: enabled
Facility: 20
History logging: enabled (level- debugging)
Trap logging: enabled (level - information)
Timestamp logging: enabled
Fastpath logging: enabled
Persist logging: disabled
Standby logging: disabled
Rate-limit logging: disabled (min - 0 max 100000 msgs/sec)
Console logging: enabled (level - information)
Monitor logging: enabled (level - information)
Device ID: disabled
Message logging: none
Buffered logging: enabled (level - debugging) maximum size 0
Buffer info: current size - 0 global pool - 1048576 used pool - 0
min - 0 max - 1048576
cur ptr = 0 wrapped - no
ace2/Admin#
Can't DPV, log file error
I keep getting:
Err no - 7091, DPV and LACSLink Required Parameter. The Log File Directory must be writable when either DPV or LACSLink is enabled.
I am running Windows 7 64-bit. Initially at install the auto updates didn't work. I got that fixed but now I get this.
Has anyone run into this issue before? I set security on all Postalsoft folders to allow all for all groups. I don't think SAP supports Windows 7 yet.
Alex,
This information can be found in our knowledge base...
Install the most current version of software again with Full Administrator Rights and make sure there are full read and write permissions to the C:\Postalsoft installation directory.
OR
Open Windows Explorer and go to C:\Postalsoft. Create a new directory "folder" under Postalsoft called ACE. Then create a new folder under ACE called Log. The path would be C:\Postalsoft\ACE\Log.
The directory tree would then look like this:
+ Local Disk (C):
+ Postalsoft
+ ACE
+ Log
If your Postalsoft program is installed elsewhere, make sure you create this ACE\Log path under Postalsoft.
For future reference you may want to check the knowledge base first... hopefully this will save you some time and trouble. To get to the knowledge base go to https://service.sap.com/bosap-support - click on the link that says "Search the knowledge base of known issues: SAP Notes". Then you can type in the error or phrase you are looking for information on.
Hope this helps!
Thanks,
Kendra
Cisco 6500 ACE ARP / mac-stick enable
Hi,
We recently found two entries in our ACE logs constantly complaining about IP/ARP collisions (%ACE-4-405001), and on further investigation we saw that the IPs related to these MAC addresses no longer existed anywhere in our network.
1 5 2014-06-07 06:00:03 2014-06-08 02:00:04 WARNING LOCAL4 ACE-CORE1: %ACE-4-405001: Received ARP RESPONSE collision from x.x.x.x yy.yy.yy.yy.yy.yy on interface vlan5
2 4 2014-06-07 10:59:48 2014-06-08 02:59:49 WARNING LOCAL4 ACE-CORE1: %ACE-4-405001: Received ARP RESPONSE collision from x.x.x.x yy.yy.yy.yy.yy.yy on interface vlan5
3 2 2014-06-07 06:59:48 2014-06-07 22:59:48 WARNING LOCAL4 ACE-CORE1: %ACE-4-405001: Received ARP RESPONSE collision from x.x.x.x yy.yy.yy.yy.yy.yy on interface vlan5
4 1 2014-06-07 10:00:04 2014-06-07 10:00:04 WARNING LOCAL4 ACE-CORE1: %ACE-4-405001: Received ARP RESPONSE collision from x.x.x.x yy.yy.yy.yy.yy.yy on interface vlan5
I exhausted the search for these two "ghost" ip's in our network, and finally remembered that our ACE configuration had a context we removed a few months back.
From this context we had the following configured on the interface:
interface vlan 18
description CHAT-DMZ-FW
bridge-group 1
mac-sticky enable
no shutdown
I want to confirm with you guys whether anyone has seen something similar, or knows of this. I believe the IPs' learned MAC addresses got "sticky" on the ACE Admin context due to the mac-sticky enable command, and even after we removed the context these entries persisted?
I finally used this command to remove the "ghost" IPs related to the MAC addresses:
clear arp x.x.x.x no-refresh
Dear Friend,
Also confirm whether the IP addresses were reachable, though; and as far as the "ghost" term is concerned, I can say there can be virtual MAC addresses and IP addresses in the network.
That's it!
Parvesh
Is there anyone who has a custom parser for Cisco ACE?
I can't understand why it isn't included by default as a supported device in Cisco MARS.
Hi.
I'm trying to make a custom parser for ACE logs.
It works fine except for denied ICMP traffic. The problem is that the event ID is the same in ACE (%ACE-4-106023).
The parser checks for protocol type, src IP, src port and so on. ICMP, however, is logged without a src port (pretty obvious), but the parser breaks if it doesn't get a src port.
%ACE-4-106023: Deny icmp src vlanx:x.x.x.x dst undetermined:y.y.y.y (type 11, code 0) by access-group "access-list" [0x20c017d8, 0x0]
%ACE-4-106023: Deny udp src vlanx:x.x.x.x/6155 dst undetermined:y.y.y.y/6155 by access-group "access-list" [0xffffffff, 0x0]
So what I am missing in my parser is an "IF proto=ICMP, don't match src & dst ports".
Any ideas how I can make this work?
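Both of the problems above (the GLBP denies filling the log by 30MB a day without wanting to turn off message 106023, and the MARS parser breaking on ICMP denies that carry no ports) can be handled at the collector with one parser whose port and type/code fields are optional. The Python below is an added example for this page, not code from Cisco, MARS or either poster: it parses tcp/udp and icmp %ACE-4-106023 lines with one pattern, suppresses only the GLBP hellos (group 224.0.0.102, UDP 3222) while counting what it dropped, and ranks the remaining denies by destination. The sample lines are constructed in the formats quoted on this page, with made-up addresses.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

# One pattern for both shapes of %ACE-4-106023 quoted on this page:
#   tcp/udp : Deny udp  src vlanN:a.b.c.d/PORT dst IF:e.f.g.h/PORT by access-group "X" [...]
#   icmp    : Deny icmp src vlanN:a.b.c.d      dst IF:e.f.g.h (type T, code C) by access-group "X" [...]
# Ports and the icmp "(type, code)" are optional groups, which is the
# "if proto is ICMP, do not require ports" rule the MARS parser is missing.
DENY_RE = re.compile(
    r"%ACE-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<dst_port>\d+))?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))? "
    r'by access-group "(?P<acl>[^"]+)"'
)


@dataclass(frozen=True)
class Deny:
    proto: str
    src_if: str
    src_ip: str
    src_port: Optional[int]      # None for icmp
    dst_if: str
    dst_ip: str
    dst_port: Optional[int]      # None for icmp
    icmp_type: Optional[int]     # None for tcp/udp
    icmp_code: Optional[int]
    acl: str


def parse_deny(line: str) -> Optional[Deny]:
    """Return a Deny for a %ACE-4-106023 line, None for any other message."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    num = lambda v: None if v is None else int(v)
    return Deny(
        proto=m["proto"].lower(), src_if=m["src_if"], src_ip=m["src_ip"],
        src_port=num(m["src_port"]), dst_if=m["dst_if"], dst_ip=m["dst_ip"],
        dst_port=num(m["dst_port"]), icmp_type=num(m["icmp_type"]),
        icmp_code=num(m["icmp_code"]), acl=m["acl"],
    )


def is_glbp_hello(d: Deny) -> bool:
    """GLBP hellos go to 224.0.0.102 on UDP 3222; anything else stays visible."""
    return d.proto == "udp" and d.dst_ip == "224.0.0.102" and d.dst_port == 3222


def filter_denies(lines: Iterable[str],
                  suppress: Callable[[Deny], bool] = is_glbp_hello) -> Tuple[List[Deny], int]:
    """Parse every deny; drop only the ones `suppress` recognises, counting them
    so the suppression itself stays auditable. Message 106023 stays enabled on
    the ACE, so every other deny is still reported."""
    kept: List[Deny] = []
    dropped = 0
    for line in lines:
        d = parse_deny(line)
        if d is None:
            continue
        if suppress(d):
            dropped += 1
        else:
            kept.append(d)
    return kept, dropped


def top_targets(denies: Iterable[Deny], n: int = 5):
    """Most-denied (proto, dst_ip, dst_port) tuples: shows what fills the log."""
    return Counter((d.proto, d.dst_ip, d.dst_port) for d in denies).most_common(n)


# Constructed sample lines in the formats quoted on this page (addresses are
# made up; the GLBP group 224.0.0.102 and port 3222 are the real protocol values).
SAMPLE_LINES = [
    '2/14/2011,10:04:11 AM,10.0.254.2,???,LOCAL4,WARNING,:%ACE-4-106023: Deny udp src vlan2577:10.20.30.195/3222 dst undetermined:224.0.0.102/3222 by access-group "Public" [0xffffffff, 0x0]',
    '2/14/2011,10:04:11 AM,10.0.254.2,???,LOCAL4,WARNING,:%ACE-4-106023: Deny udp src vlan2577:10.20.30.194/3222 dst undetermined:224.0.0.102/3222 by access-group "Public" [0xffffffff, 0x0]',
    '%ACE-4-106023: Deny icmp src vlan2577:10.20.30.7 dst undetermined:10.20.40.9 (type 11, code 0) by access-group "Public" [0x20c017d8, 0x0]',
    '%ACE-4-106023: Deny tcp src vlan2577:198.51.100.77/51234 dst undetermined:10.20.40.9/22 by access-group "Public" [0x1, 0x0]',
    '%ACE-6-302023: Teardown TCP connection 0xd7f1 for vlan10:10.1.1.1/1783 to vlan20:10.1.2.1/443 duration 0:00:00 bytes 45497 Exception',
]

if __name__ == "__main__":
    kept, dropped = filter_denies(SAMPLE_LINES)
    print(f"suppressed {dropped} GLBP hello denies, kept {len(kept)}")
    for (proto, ip, port), count in top_targets(kept):
        dst = ip if port is None else f"{ip}/{port}"
        print(f"{count:4d}  {proto:5s} -> {dst}")
```

The suppression rule is deliberately narrow (protocol, group address and port all have to match) and the dropped count is returned rather than discarded, so a sudden change in the number of suppressed lines is still noticeable even though the lines themselves are not stored.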
Transparent ACE - 2 VLAN's, 1 context, 2 VIPs
Hi,
We have a 3 tier application that needs to be load balanced from client to middleware and from middleware to backend.
Usually we do this with multiple contexts on the ACE.
This time we are doing this with multiple VLANs within the same context. Is this possible?
Setup:
client VIP = 10.0.103.3, which is mapped to the IRIS_Reporting serverfarm in VLAN47
middleware VIP = 10.0.103.4, which is mapped to the IRIS_Web serverfarm in VLAN41
The client hits VIP 10.0.103.3, and then the middleware box hits 10.0.103.4. The first part is working fine, but the middleware cannot open a connection to the 10.0.103.4 VIP over tcp/80. In the ACE log I see the connection timing out...
Oct 5 2010 15:33:40 INTERNAL-LB: %ACE-6-302022: Built TCP connection 0x39181f for vlan347:10.0.4.18/49731 (10.0.4.18/49731) to vlan47:10.0.103.4/80 (10.0.103.4/80)
Oct 5 2010 15:33:40 INTERNAL-LB: %ACE-6-302022: Built TCP connection 0x229206 for vlan41:10.0.4.18/49731 (10.0.4.18/49731) to vlan341:10.0.103.4/80 (10.0.2.149/80)
Oct 5 2010 15:33:45 INTERNAL-LB: %ACE-6-302023: Teardown TCP connection 0x39181f for vlan347:10.0.4.18/49731 (10.0.4.18/49731) to vlan47:10.0.103.4/80 (10.0.103.4/80) duration 0:00:05 bytes 104 SYN Timeout
Oct 5 2010 15:33:45 INTERNAL-LB: %ACE-6-302023: Teardown TCP connection 0x229206 for vlan41:10.0.4.18/49731 (10.0.4.18/49731) to vlan341:10.0.103.4/80 (10.0.2.149/80) duration 0:00:05 bytes 232 TCP Reset
thanks,
John.
Hi Ivan,
Here is the config,
access-list BPDU ethertype permit bpdu
access-list everyone line 10 extended permit ip any any
parameter-map type http HTTP_PARAM
server-conn reuse
case-insensitive
persistence-rebalance
parameter-map type generic SSLID_PARAM
set max-parse-length 70
parameter-map type ssl SSL_PARAM
session-cache timeout 300
parameter-map type connection TCP_PARAM
syn-data drop
exceed-mss allow
rserver host BL-VAN-CDMSPBI1
description IRIS Sharepoint Reporting Server
ip address 10.0.4.15
inservice
rserver host BL-VAN-CDMSPBI2
description IRIS Sharepoint Reporting Server
ip address 10.0.4.18
inservice
rserver host BL-VAN-ITSM03
description ITSM Reporting Server
ip address 10.0.4.16
inservice
rserver host BL-VAN-ITSM04
description ITSM Reporting Server
ip address 10.0.4.17
inservice
rserver host VM-VAN-CDMSPNT1
description IRIS Sharepoint Web Server
ip address 10.0.2.148
inservice
rserver host VM-VAN-CDMSPNT2
description IRIS Sharepoint Web Server
ip address 10.0.2.149
inservice
serverfarm host IRIS_Reporting
description IRIS Reporting Servers
failaction reassign
fail-on-all
rserver BL-VAN-CDMSPBI1 80
inservice
rserver BL-VAN-CDMSPBI2 80
serverfarm host IRIS_Web
description IRIS Front End Web Servers
failaction reassign
fail-on-all
rserver VM-VAN-CDMSPNT1 80
inservice
rserver VM-VAN-CDMSPNT2 80
inservice
serverfarm host ITSM_Reporting
description ITSM Reporting Servers
failaction reassign
rserver BL-VAN-ITSM03 80
inservice
rserver BL-VAN-ITSM04 80
inservice
class-map match-all IRIS_REPORTING_HTTP
2 match virtual-address 10.0.103.3 tcp eq www
class-map match-all IRIS_WEB_HTTP
2 match virtual-address 10.0.103.4 tcp eq www
class-map match-all ITSM_HTTP
2 match virtual-address 10.0.103.1 tcp eq www
class-map type management match-any PING
10 match protocol icmp any
20 match protocol snmp any
policy-map type management first-match PING-POLICY
class PING
permit
policy-map type loadbalance first-match IRIS_REPORTING_HTTP-l7slb
class class-default
serverfarm IRIS_Reporting
policy-map type loadbalance first-match IRIS_WEB_HTTP-l7slb
class class-default
serverfarm IRIS_Web
policy-map type loadbalance first-match ITSM_HTTP-l7slb
class class-default
serverfarm ITSM_Reporting
policy-map multi-match int41
class IRIS_WEB_HTTP
loadbalance vip inservice
loadbalance policy IRIS_WEB_HTTP-l7slb
loadbalance vip icmp-reply active
loadbalance vip advertise active
appl-parameter http advanced-options HTTP_PARAM
connection advanced-options TCP_PARAM
policy-map multi-match int47
class ITSM_HTTP
loadbalance vip inservice
loadbalance policy ITSM_HTTP-l7slb
loadbalance vip icmp-reply active
loadbalance vip advertise active
class IRIS_REPORTING_HTTP
loadbalance vip inservice
loadbalance policy IRIS_REPORTING_HTTP-l7slb
loadbalance vip icmp-reply active
loadbalance vip advertise active
appl-parameter http advanced-options HTTP_PARAM
connection advanced-options TCP_PARAM
interface vlan 41
description Client-Side VIP for Internal WEB LB
bridge-group 2
no icmp-guard
access-group input BPDU
access-group input everyone
service-policy input PING-POLICY
service-policy input int41
no shutdown
ip route inject vlan 41
interface vlan 47
description Client-Side VIP for Gen Applications LB
bridge-group 1
no icmp-guard
access-group input BPDU
access-group input everyone
service-policy input PING-POLICY
service-policy input int47
no shutdown
ip route inject vlan 47
interface vlan 341
description Server-Side for Internal WEB
bridge-group 2
no icmp-guard
access-group input BPDU
access-group input everyone
service-policy input PING-POLICY
no shutdown
interface vlan 347
description Server-Side for Gen Applications
bridge-group 1
no icmp-guard
access-group input BPDU
access-group input everyone
service-policy input PING-POLICY
no shutdown
interface bvi 1
ip address 10.0.4.58 255.255.255.192
alias 10.0.4.59 255.255.255.192
peer ip address 10.0.4.57 255.255.255.192
no shutdown
interface bvi 2
ip address 10.0.2.186 255.255.255.192
alias 10.0.2.187 255.255.255.192
peer ip address 10.0.2.185 255.255.255.192
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.4.62
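The SYN Timeout on the front leg (0x39181f) next to the TCP Reset on the back leg (0x229206) only becomes obvious once the Built and Teardown messages are paired by connection id and the two legs of the same client flow are put side by side. The Python below is an added example for this page, not Cisco's or the poster's code: it pairs %ACE-6-302022/302023 by connection id, tolerates Teardown lines with or without the parenthesised translated addresses (the "Exception" teardown quoted earlier on this page has none), and groups legs by client ip/port. The sample input is the four log lines from this thread, the Exception line from the earlier thread, and one constructed Built line with no Teardown.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# %ACE-6-302022 (Built) and %ACE-6-302023 (Teardown) as quoted on this page.
# The "(translated/port)" part after each endpoint is optional: the earlier
# thread's Teardown line has neither.
_ENDPOINTS = (
    r"for (?P<src>\S+)(?: \((?P<src_xlate>[^)]+)\))?"
    r" to (?P<dst>\S+)(?: \((?P<dst_xlate>[^)]+)\))?"
)
BUILT_RE = re.compile(
    r"%ACE-6-302022: Built TCP connection (?P<cid>0x[0-9a-fA-F]+) " + _ENDPOINTS
)
TEARDOWN_RE = re.compile(
    r"%ACE-6-302023: Teardown TCP connection (?P<cid>0x[0-9a-fA-F]+) " + _ENDPOINTS
    + r" duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<nbytes>\d+) (?P<reason>.+?)\s*$"
)


@dataclass
class Conn:
    cid: str
    src: str                          # "vlanN:ip/port" as logged
    dst: str
    src_xlate: Optional[str]          # address after translation, if logged
    dst_xlate: Optional[str]
    duration_s: Optional[int] = None  # filled in by the Teardown
    nbytes: Optional[int] = None
    reason: Optional[str] = None      # None while the connection is still open


def _duration_seconds(text: str) -> int:
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


def correlate(lines: Iterable[str]) -> Dict[str, Conn]:
    """Pair Built and Teardown messages by connection id.
    If an id shows up in a later Built, the new record replaces the old one;
    a Teardown whose Built was never seen (buffer wrapped, logging enabled
    late) is still recorded so its reason is not lost."""
    conns: Dict[str, Conn] = {}
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            conns[m["cid"]] = Conn(m["cid"], m["src"], m["dst"], m["src_xlate"], m["dst_xlate"])
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            c = conns.setdefault(
                m["cid"], Conn(m["cid"], m["src"], m["dst"], m["src_xlate"], m["dst_xlate"]))
            c.duration_s = _duration_seconds(m["duration"])
            c.nbytes = int(m["nbytes"])
            c.reason = m["reason"]
    return conns


def legs_by_client(conns: Dict[str, Conn]) -> Dict[str, List[Conn]]:
    """Group the client-side and server-side legs of one load-balanced flow.
    Both legs keep the client's ip/port after the 'vlanNNN:' prefix, so that
    is the key; 'SYN Timeout' on the front leg beside 'TCP Reset' on the back
    leg points at the real server rather than at the VIP."""
    legs: Dict[str, List[Conn]] = {}
    for c in conns.values():
        legs.setdefault(c.src.split(":", 1)[-1], []).append(c)
    return legs


def open_connections(conns: Dict[str, Conn]) -> List[str]:
    """Ids that were Built but not torn down by the end of the log."""
    return sorted(cid for cid, c in conns.items() if c.reason is None)


# Sample input: the four lines from this thread, the Exception teardown from
# the earlier thread, and one constructed Built line (0x4a1b00) with no Teardown.
SAMPLE_LINES = [
    "Oct 5 2010 15:33:40 INTERNAL-LB: %ACE-6-302022: Built TCP connection 0x39181f for vlan347:10.0.4.18/49731 (10.0.4.18/49731) to vlan47:10.0.103.4/80 (10.0.103.4/80)",
    "Oct 5 2010 15:33:40 INTERNAL-LB: %ACE-6-302022: Built TCP connection 0x229206 for vlan41:10.0.4.18/49731 (10.0.4.18/49731) to vlan341:10.0.103.4/80 (10.0.2.149/80)",
    "Oct 5 2010 15:33:45 INTERNAL-LB: %ACE-6-302023: Teardown TCP connection 0x39181f for vlan347:10.0.4.18/49731 (10.0.4.18/49731) to vlan47:10.0.103.4/80 (10.0.103.4/80) duration 0:00:05 bytes 104 SYN Timeout",
    "Oct 5 2010 15:33:45 INTERNAL-LB: %ACE-6-302023: Teardown TCP connection 0x229206 for vlan41:10.0.4.18/49731 (10.0.4.18/49731) to vlan341:10.0.103.4/80 (10.0.2.149/80) duration 0:00:05 bytes 232 TCP Reset",
    "Jul 8 2010 09:24:03 : %ACE-6-302023: Teardown TCP connection 0xd7f1 for vlan10:10.1.1.1/1783 to vlan20:10.1.2.1/443 duration 0:00:00 bytes 45497 Exception",
    "Oct 5 2010 15:33:50 INTERNAL-LB: %ACE-6-302022: Built TCP connection 0x4a1b00 for vlan347:10.0.4.15/50001 (10.0.4.15/50001) to vlan47:10.0.103.3/80 (10.0.103.3/80)",
]

if __name__ == "__main__":
    conns = correlate(SAMPLE_LINES)
    for client, legs in legs_by_client(conns).items():
        for c in legs:
            print(f"{client:22s} {c.cid:9s} -> {c.dst:24s} {c.reason or 'OPEN'}")
    print("still open:", open_connections(conns))
```

Grouping by the client ip/port works here because the ACE keeps the client's source port on the server-side leg (both Built lines above carry 10.0.4.18/49731); where source NAT changes the port, the translated address in the parenthesised field would have to be used as the key instead.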
ACE LB SSL Session ID in onearm mode
I am trying to set up SSL stickiness using the session ID in one-arm configuration mode and cannot access the website via the VIP. I can browse to both servers directly.
The ACE is connected to a Cat 6500 via a 4-gigabit Ethernet port-channel, and only the management and one-arm context VLANs are trunked down the port-channel.
From the one-arm mode context I am able to ping the MSFC (VLAN980) default gateway and both rservers. The rservers, serverfarm and service policy are all showing as in service. I am also able to ping the VIP from any device on the network.
The incoming connection is established and NAT appears to take place, although the return session is reported as INIT.
I have posted the configuration below and was hoping someone could make a few suggestions. One of the things I notice is that on the MSFC the NAT address isn't in the ARP table, although it's showing on the ACE.
logging enable
logging buffered 7
access-list everyone line 1 extended permit ip any any
script file name SSL_PROBE_SCRIPT
probe scripted ssl443
port 443
interval 60
passdetect interval 60
script SSL_PROBE_SCRIPT
parameter-map type generic sslidparam
set max-parse-length 70
rserver host host1
ip address 192.168.20.129
inservice
rserver host host2
ip address 192.168.20.130
inservice
serverfarm host ssl-443
rserver host1
weight 10
probe ssl443
inservice
rserver host2
weight 10
probe ssl443
inservice
sticky layer4-payload sticky-443
timeout 720
serverfarm ssl-443
response sticky
layer4-payload offset 43 length 32 begin-pattern "\x20"
class-map type management match-any MANAGEMENT
2 match protocol icmp any
3 match protocol http any
4 match protocol https any
5 match protocol ssh any
6 match protocol telnet any
class-map match-any slb-vip
3 match virtual-address 192.168.198.50 tcp eq https
policy-map type management first-match MANAGEMENT-POLICY
class MANAGEMENT
permit
policy-map type loadbalance generic first-match slb-vip
class class-default
sticky-serverfarm sticky-443
policy-map multi-match SSL-STICKY
class slb-vip
loadbalance vip inservice
loadbalance policy slb-vip
loadbalance vip icmp-reply
nat dynamic 1 vlan 980
appl-parameter generic advanced-options sslidparam
interface vlan 980
ip address 192.168.198.4 255.255.255.0
peer ip address 192.168.198.5 255.255.255.0
access-group input everyone
nat-pool 1 192.168.198.6 192.168.198.6 netmask 255.255.255.255 pat
service-policy input MANAGEMENT-POLICY
service-policy input SSL-STICKY
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.198.1
sh conn
total current connections : 2
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
19828 1 in TCP 98 192.168.18.139:2411 192.168.198.50:443 ESTAB
19829 1 out TCP 98 192.168.20.129 :443 192.168.198.6:1059 INIT
The problem was caused by an incorrect NAT pool. The correct mask was 255.255.255.0.