ACE MAXCONNS issue
Hi,
This is with regards to my customer who is facing the following problem with Maxconns – “we are using TCP probes and MaxConn and MinConn are used to determine when a server is busy or not.
If MaxConn is exceeded then busy server trips in and stops when the number of TCP sessions drops below MinConn.
However, we have a situation where if MaxConn is exceeded counting of TCP connections stops and the connections never come down.”
Customer has A2(1.4a) currently deployed in its network. On perusing the release notes I came across this bug CSCsy30440/CSCsy04371 - ACE: rservers may not accept conns even though they are out of maxconns. I am wondering if this is the issue that they might be facing currently.
Will this issue be resolved for them if I recommend that they move to A2(1.6a) or A2(2.3) release?
Is there a workaround for this other than configuring a backup serverfarm which my customer already has configured? Would it make a difference if they used HTTP probes instead of TCP probes?
Also is there a way to simulate the connection count behavior using HTTP probes?
Would really appreciate some help with this issue.
Thanks & Regards
Vidhya Nair
Vidhya,
You have to open a TAC service request so that we can collect the necessary information with the lbinspect tool.
If you don't want to do any troubleshooting, simply upgrade to the latest version and see if that helps.
Gilles.
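The busy-server hysteresis described in the question, as an added Python example (my own code, not Cisco code and not behaviour verified against the platform): a model of maxconns/minconns tracking with a constructed fault in which connection closes are never counted, plus the check a defender can run by comparing the balancer's tracked count against a count taken independently on the server. Class and function names are assumptions of this example.

```python
"""Model of ACE-style maxconns/minconns busy-server hysteresis (added example,
not Cisco code). A constructed fault drops connection-close accounting so the
tracked count "never comes down", as the thread describes."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rserver:
    """One real server as the load balancer tracks it."""
    name: str
    maxconns: int               # trip point: above this the server is marked busy
    minconns: int               # release point: below this a busy server is freed
    conns: int = 0              # the LB's own count of open connections
    busy: bool = False
    leak_closes: bool = False   # constructed fault: teardowns are not counted

    def on_open(self) -> None:
        self.conns += 1
        if self.conns > self.maxconns:
            self.busy = True

    def on_close(self) -> None:
        if self.leak_closes:
            return              # fault: the count is never decremented
        self.conns = max(0, self.conns - 1)
        # hysteresis: release only once below minconns, not as soon as <= maxconns
        if self.busy and self.conns < self.minconns:
            self.busy = False


class Serverfarm:
    """Leastconns predictor over non-busy rservers, with an optional backup farm."""

    def __init__(self, name: str, rservers: List[Rserver],
                 backup: Optional["Serverfarm"] = None) -> None:
        self.name = name
        self.rservers = rservers
        self.backup = backup

    def pick(self) -> Optional[Rserver]:
        """Select an rserver for a new connection and account for it."""
        eligible = [r for r in self.rservers if not r.busy]
        if eligible:
            target = min(eligible, key=lambda r: r.conns)
            target.on_open()
            return target
        # every primary rserver is busy: fall through to the backup farm, if any
        return self.backup.pick() if self.backup else None


def stuck_counters(farm: Serverfarm, observed: Dict[str, int]) -> List[str]:
    """Audit check: rservers whose tracked count exceeds a count taken
    independently (e.g. established sessions seen on the server itself).
    A gap that never closes is the signature of a counter that stopped decrementing."""
    return [r.name for r in farm.rservers if r.conns > observed.get(r.name, 0)]


def demo() -> Dict[str, object]:
    """Healthy hysteresis next to the stuck-counter failure mode."""
    good = Rserver("A", maxconns=3, minconns=1)
    for _ in range(4):
        good.on_open()            # 4 > maxconns(3): busy
    for _ in range(3):
        good.on_close()           # conns == 1, not below minconns: still busy
    still_busy_at_minconns = good.busy
    good.on_close()               # conns == 0 < minconns: released

    bad = Rserver("B", maxconns=3, minconns=1, leak_closes=True)
    backup = Serverfarm("backup", [Rserver("Z", maxconns=100, minconns=10)])
    farm = Serverfarm("primary", [bad], backup=backup)
    for _ in range(4):
        farm.pick()               # B trips busy on the fourth connection
    for _ in range(10):
        bad.on_close()            # closes are lost: B stays busy for good
    spill = farm.pick()           # new clients now land on the backup farm
    return {
        "still_busy_at_minconns": still_busy_at_minconns,
        "released": not good.busy,
        "bad_conns": bad.conns,
        "spill_target": spill.name if spill else None,
        "stuck": stuck_counters(farm, {"B": 0}),   # constructed server-side count
    }


if __name__ == "__main__":
    print(demo())
```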
Similar Messages
-
ACE Configuration Issue.
We would like to configure on ACE like below:
the virtual IP address and port like this: 10.10.10.10:8000; this IP address will be used by outside users to request the service
and we have to configure the server farm like below
real server 10.10.10.1:8001, 10.10.10.1:8002, 10.10.10.1:8003 ...
the IP address is the same in 10.10.10.10:8000's serverfarm, but the real server service is different, and these ports should be load-balanced and health-checked.
Is this a possible solution? On F5 BIG-IP and Nortel it is possible, but I don't know about the above issue on ACE.
If you're ok with it, could you give me a sample configuration?
Also I forgot to tell you to:
8. create resource-class
9. create context other than the admin context if you need multiple contexts
(inside the context add the resource class)
10. class-map type management (for remote access)
Kindly find a config sample as follows:
ACE/Admin# sh run
Generating configuration....
resource-class ABCD_Resource
limit-resource all minimum 5.00 maximum unlimited
limit-resource sticky minimum 5.00 maximum unlimited
boot system image:c4710ace-mz.A3_2_1.bin
hostname ACE
context Admin
member ABCD_Resource
access-list everyone line 10 extended permit icmp any any
access-list everyone line 20 extended permit ip any any
access-list for-cap line 8 extended permit ip any any
probe http HTTP-Probe
port 8000
interval 2
faildetect 2
passdetect interval 15
request method head
probe icmp ICMP-Probe
interval 2
faildetect 2
passdetect interval 60
probe tcp TCP-8000
port 8000
interval 2
faildetect 2
passdetect interval 15
passdetect count 2
open 1
rserver host A
ip address 10.10.10.1
inservice
rserver host B
ip address 10.10.10.2
inservice
rserver host C
ip address 10.10.10.3
inservice
rserver host D
ip address 10.10.10.4
inservice
serverfarm host SF-8000-1
probe ICMP-Probe
probe TCP-8000
rserver A 8000
inservice
rserver B 8000
inservice
serverfarm host SF-8000-2
probe HTTP-Probe
probe ICMP-Probe
probe TCP-8000
rserver C 8000
inservice
rserver D 8000
inservice
class-map match-all L4-CLASS-REDIRECT-1
2 match virtual-address 10.10.60.10 tcp eq www
class-map match-all VIP-PORT-8000-1
2 match virtual-address 10.10.60.10 tcp eq https
class-map match-all VIP-PORT-8000-2
2 match virtual-address 10.10.60.12 tcp eq https
class-map type management match-any remote-mgmt
10 match protocol ssh any
20 match protocol telnet any
30 match protocol icmp any
40 match protocol http any
50 match protocol https any
class-map match-any server-initiated
3 match source-address 10.10.10.4 255.255.255.255
4 match source-address 10.10.10.3 255.255.255.255
policy-map type management first-match remote-access
class remote-mgmt
permit
policy-map type loadbalance first-match VIP-POLICY-8000-1
class class-default
policy-map multi-match Service-Policy-8000-1
class VIP-PORT-8000-1
loadbalance vip inservice
loadbalance policy VIP-POLICY-8000-1
loadbalance vip icmp-reply
nat dynamic 1 vlan 60
class L4-CLASS-REDIRECT-1
loadbalance vip inservice
loadbalance policy VIP-POLICY-8000-1
policy-map multi-match Service-Policy-8000-2
class VIP-PORT-8000-2
loadbalance vip inservice
loadbalance policy VIP-POLICY-8000-2
loadbalance vip icmp-reply
nat dynamic 1 vlan 60
ssl-proxy server SSL-Offload-Proxy-2
policy-map multi-match server-side
class server-initiated
nat dynamic 1 vlan 60
interface vlan 10
description APPPROD-Client-Vlan
bridge-group 10
mtu 1500
access-group input everyone
access-group output everyone
service-policy input remote-access
no shutdown
interface vlan 30
description management-vlan-interface
ip address 10.10.30.22 255.255.255.0
access-group input everyone
access-group output everyone
service-policy input remote-access
no shutdown
-
ACE FTP issues with "inspect ftp"
Hello.
My clients want to access an FTP server, via ACE, and I am having some issues. They can login and issue only one command... the second command will not be accepted and after a few seconds the prompt shows the message "connection closed by remote host".
I have sniffed traffic and I see that the connection between the client and the ACE has a strange behaviour because the ACE opens the data connection using a source port of 1039 (it should be 20, since we are using an active-mode client); between the ACE and the real server it runs in active mode (I see normal ftp-data packets).
Another strange thing is that I have FWSMs and they let traffic pass from the ACE to the client (they should expect traffic coming from port 20 and not 1039).
I am doing source NAT and the ACE is doing all the necessary changes on source IP addresses.
Has anyone seen similar behaviour?
Any help would be appreciated.
Attached are my config and traffic sniffing.
Thanks in advance.
Joao Ribau
P.S. - client is 10.1.44.98; VIP is 10.1.9.150; real server 10.1.36.124
Hello.
I didn't mention this before but the gateway of all my networks is an ACE that is load balancing traffic to two firewall clusters. I think this is not important because I have a "catch all" VIP on all my interfaces; I assume that ACE forwards traffic with no restrictions or inspections, leaving the inspection job to the firewalls and to the ACE that I use to load balance services.
Don't think this could be the problem but just to make sure I decided to post it.
Best regards,
Joao Ribau.
P.S. - my configs on the ACE that load balances traffic to the firewalls are very straightforward. Serverfarms (interfaces of the firewalls), a class-map with a "catch-all" VIP, a policy-map for the serverfarm, a policy-map to tie the class to the serverfarm and finally a service-policy applied to each interface. -
Standby cisco ACE loadbalancer issues (network connectivity)
Hi ALL,
We are having issues with the secondary (standby) load balancer ACE module on a 6500 switch. We see that the load balancer is not able to get onto the network, which leads to problems with fault tolerance as well. Following is the ft status found on the load balancer for one of the contexts (this is the same pattern seen on all the contexts).
switch/Admin# sh ft group status
FT Group : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
Peer State : FSM_FT_STATE_UNKNOWN
Peer Id : 1
No. of Contexts : 1
Sh arp on all the contexts shows the gateway/rserver to be unreachable. Please find the screenshot below for one of the contexts (the same pattern is seen on the LB for all other contexts)
switch/1_Context# sh arp
Context CSD_Context
================================================================================
IP ADDRESS MAC-ADDRESS Interface Type Encap NextArp(s) Status
================================================================================
172.21.128.97 00.00.00.00.00.00 vlan942 GATEWAY - dn
172.21.128.103 00.0b.fc.fe.1b.09 vlan942 ALIAS LOCAL _ up
172.21.128.105 00.12.43.dc.93.23 vlan942 INTERFACE LOCAL _ up
7.0.0.4 00.0b.fc.fe.1b.09 vlan943 NAT LOCAL _ up
- 7.0.0.6
172.21.147.196 00.0b.fc.fe.1b.09 vlan943 ALIAS LOCAL _ up
172.21.147.198 00.12.43.dc.93.24 vlan943 INTERFACE LOCAL _ up
172.21.147.200 00.00.00.00.00.00 vlan943 RSERVER - * 3 req dn
172.21.147.202 00.00.00.00.00.00 vlan943 RSERVER - * 2 req dn
172.21.147.204 00.00.00.00.00.00 vlan943 RSERVER - dn
172.21.147.206 00.00.00.00.00.00 vlan943 RSERVER - dn
172.21.147.208 00.00.00.00.00.00 vlan943 RSERVER - * 3 req dn
172.21.147.210 00.00.00.00.00.00 vlan943 RSERVER - * 2 req dn
172.21.147.212 00.00.00.00.00.00 vlan943 RSERVER - * 1 req dn
172.21.147.214 00.00.00.00.00.00 vlan943 RSERVER - * 1 req dn
172.21.147.216 00.00.00.00.00.00 vlan943 RSERVER - * 3 req dn
7.0.0.1 00.0b.fc.fe.1b.09 vlan943 NAT LOCAL _ up
- 7.0.0.3
The problem is that we see the problem only on the secondary load balancer; the primary is running fine.
Also I can see some traffic denial in the admin context for resource usage:
switch/Admin# sh resource usage
Allocation
Resource Current Peak Min Max Denied
Context: Admin
conc-connections 9 9 160000 6560000 0
mgmt-connections 0 46 2000 82000 0
proxy-connections 0 4 20972 859830 0
xlates 0 0 20972 859830 0
bandwidth 0 17715713 10000000 535000000 5799749
throughput 0 17710993 10000000 410000000 5799749
mgmt-traffic rate 0 4720 0 125000000 0
connection rate 0 43 20000 820000 0
ssl-connections rate 0 0 100 4100 0
mac-miss rate 0 1 40 1640 0
inspect-conn rate 0 0 120 4920 0
acl-memory 56336 56336 1570072 64460552 6
sticky 0 0 83886 0 0
regexp 0 0 20972 859832 0
syslog buffer 82944 82944 82944 3447808 0
syslog rate 0 44 2000 82000 25
Context: INTEGRATION_Context
conc-connections 0 3934 160000 0 0
mgmt-connections 0 98 2000 0 0
proxy-connections 0 33 20972 0 0
xlates 0 0 20972 0 0
bandwidth 0 10019910 10000000 125000000 40857
throughput 0 10000000 10000000 0 40857
mgmt-traffic rate 0 19910 0 125000000 0
connection rate 0 49 20000 0 0
ssl-connections rate 0 0 100 0 0
mac-miss rate 0 32 40 0 0
inspect-conn rate 0 58 120 0 0
acl-memory 11920 11920 1570072 0 0
sticky 0 1 83886 0 0
regexp 0 0 20972 0 0
syslog buffer 0 82944 82944 3447808 0
syslog rate 0 312 2000 0 0
These above 2 contexts are the only ones which have bandwidth resource usage exceeding the limit, but I somehow am not sure if this is the issue. As there is just no traffic on the secondary, how can the bandwidth reach the threshold? Can anyone throw some light on the below issue?
thanks and regards
kiran
vlan on Standby_ACE switch
svclc multiple-vlan-interfaces
svclc module 1 vlan-group 1,4,12,13,
svclc vlan-group 1 968
svclc vlan-group 12 132
svclc vlan-group 13 367-372,374,375,379,380,538,805,807,808,818,913,915
svclc vlan-group 13 917-920,922-924,933,934,937,938,942-949,972,976-979,983
svclc vlan-group 13 984
ip subnet-zero
no ip source-route
vlans on standby ACE
switch/Admin# sh vlans
Vlans configured on SUP for this module
vlan132 vlan360 vlan367-375 vlan379-380 vlan538 vlan805 vlan807-808 vlan818 vlan913 vlan915 vlan917-920 vlan922-924 vlan930 vlan933-934 vlan937-938 vlan942-949 vlan968 vlan971-972 vlan976-979 vlan983-984
switch/Admin#
Active_LB_host_switch is the switch hosting the active ACE; that's connected on Ten7/4 and Ten8/4, which are bundled and made into a port-channel (po72).
CDP neighbor hosting the active ACE
Active_LB_host_switch
Ten 7/4 148 R S I WS-C6513 Ten 7/4
Active_LB_host_switch
Ten 8/4 156 R S I WS-C6513 Ten 8/4
Po72 allows all the vlans which are configured for the ACE modules.
Port Vlans allowed on trunk
Po72 132,140,181,359-383,538,668,702,805-808,815-816,818-820,836,907,909-920,922-925,
929-935,937-949,967-973,976-984,987,3212
vlan 968 is the FT vlan and the same has been allowed on the trunk port.
Everything looks good to me but I am still not sure why the ACE module isn't coming onto the network. It was working fine a few months back but all of a sudden it lost network connectivity. I am not even able to ping the physical IP of the ACE module.
thanks and regards
kiran -
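The `show resource usage` output in kiran's post above, turned into structured records by an added Python example (my own code, not a Cisco tool): it parses the per-context table and lists the rows with a non-zero Denied column, which is where to start when a context is being throttled. SAMPLE is assembled from lines quoted in that post; whitespace-separated columns and the column meaning (Min is the guaranteed allocation) are assumptions of this example.

```python
"""Parse ACE `show resource usage` text into per-context records and report
denials (added example, not Cisco tooling)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed from lines quoted in the post; whitespace between columns varies.
SAMPLE = """\
switch/Admin# sh resource usage
Allocation
Resource Current Peak Min Max Denied
Context: Admin
conc-connections 9 9 160000 6560000 0
bandwidth 0 17715713 10000000 535000000 5799749
throughput 0 17710993 10000000 410000000 5799749
mgmt-traffic rate 0 4720 0 125000000 0
acl-memory 56336 56336 1570072 64460552 6
syslog rate 0 44 2000 82000 25
Context: INTEGRATION_Context
bandwidth 0 10019910 10000000 125000000 40857
throughput 0 10000000 10000000 0 40857
"""

CONTEXT_RE = re.compile(r"^Context:\s+(?P<ctx>\S+)\s*$")
# Resource names may contain spaces ("mgmt-traffic rate"), so match the name
# lazily and anchor on the five trailing integer columns.
ROW_RE = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z\- ]*?)\s+(?P<current>\d+)\s+(?P<peak>\d+)"
    r"\s+(?P<min>\d+)\s+(?P<max>\d+)\s+(?P<denied>\d+)\s*$"
)


@dataclass(frozen=True)
class ResourceRow:
    context: str
    name: str
    current: int
    peak: int
    min_alloc: int   # guaranteed minimum (assumed meaning of the Min column)
    max_alloc: int   # ceiling (assumed meaning of the Max column)
    denied: int


def parse_resource_usage(text: str) -> Dict[str, List[ResourceRow]]:
    """Return {context_name: [rows...]} in order of appearance."""
    usage: Dict[str, List[ResourceRow]] = {}
    context = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CONTEXT_RE.match(line)
        if m:
            context = m.group("ctx")
            usage.setdefault(context, [])
            continue
        m = ROW_RE.match(line)
        if m and context is not None:
            usage[context].append(ResourceRow(
                context, m.group("name"),
                int(m.group("current")), int(m.group("peak")),
                int(m.group("min")), int(m.group("max")), int(m.group("denied")),
            ))
    return usage


def denied_resources(usage: Dict[str, List[ResourceRow]]) -> List[Tuple[str, str, int]]:
    """(context, resource, denied) for every row with a non-zero Denied column."""
    return [(r.context, r.name, r.denied)
            for rows in usage.values() for r in rows if r.denied > 0]


def over_guarantee(usage: Dict[str, List[ResourceRow]]) -> List[Tuple[str, str, int, int]]:
    """(context, resource, peak, min) where the peak went past the guaranteed
    allocation: the contexts competing for the shared pool when denials appear."""
    return [(r.context, r.name, r.peak, r.min_alloc)
            for rows in usage.values() for r in rows if r.peak > r.min_alloc]


if __name__ == "__main__":
    parsed = parse_resource_usage(SAMPLE)
    for ctx, name, denied in denied_resources(parsed):
        print(f"{ctx}: {name} denied {denied}")
```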
Hi,
ACE Reconciliation Task scheduler is not creating events on OIM, and we could see that users are being pulled in from ACE servers (through RM logs); also the task status remains as Running forever.
Can someone please suggest or recommend a way to debug this issue?
Thanks
Have you tried increasing the logging level to debug and checked the logs?
-
Hi,
I have a question in regards to deploying configurations to ACE with ANM. I presume it should deploy in a few seconds but for me it takes 8 to 10 minutes. Can anyone suggest why this is taking so much time?
Thanks in advance.
Do you have a large config? How many contexts?
Is there an issue with the connection between the ANM server and the ACE (low bandwidth,...)
Did you install the ANM on an approved server (meets the min requirements?)
ACE is well discovered by ANM?
Keep us posted. -
Hi,
The Sticky function of the ACE is not working. There were no changes made on the device; it was working fine before but not now.
We have 2 ACEs: one is Active (ACE1) and the second one is Standby (ACE2).
Testing done till now:
================
1) Did the failover from Active (ACE1) to Standby (ACE2).
When ACE2 was Active the Sticky started working fine without any issues.
2) When I did the failover again back from ACE2 to ACE1 the problem arises: Sticky doesn't work any more.
Any suggestion about this strange behaviour?
Thanks in advance.
Regards
Alex.
What version do you run?
What type of sticky method?
Could you get a
- show np 1 me-stats "-slb"
and a
- show np 2 me-stats "-slb"
Possibly get 2 occurrences, one before and one after a test.
Thanks,
Gilles. -
ACE: buffer issue?
Hi all,
I implemented an ACE for "ACCOUNTCRM" and an event background job is triggered to update the trace table whenever an account is created. However, I notice that the results returned are incorrect due to some buffer issue, which I suspect.
My scenario is: an agent in group A is only allowed to see accounts in group A (based on certain criteria). If the agent creates an account in the WebUI which does not meet the ACE rule, this new account should not appear in the account search result list. But in my implementation, the new account is shown in the result list, which is wrong.
I tried to trace using the ACE simulator and I got the correct result list. And if I launch a WebUI to do the account creation, then log off or use another session to do the search, the correct result list is displayed. However, if I create the account, followed by searching for the account in the same WebUI session, then the result list is wrong.
Anyone encountered such a problem?
cheers,
ginnie
Solved by adding ACE general parameter.
cheers,
ginnie -
I am having an odd issue with a client's GSS/ACE setup. They have two data centers. Each has two ACE appliances running in active/standby and one GSS. The GSS appliances are in an active/standby setup as well. When they run on the primary GSS and ACE in their one data center, all the sites respond and work properly. However, when we tell the GSS to use the other ACE appliances, everything works except their main website. The main website uses kal-ap by VIP for the keepalive method. When I look at the GSS monitoring, it says 'offline (load: 255)'. I have looked through the configuration of the GSS for the Answers to both locations and there aren't any differences. Secure kal-ap is configured on the ACE appliances at both locations and it looks like it is communicating with the GSS without any issues.
Here is something else I noticed. I checked the GSS while writing this post and noticed the primary GSS is showing offline (load: 255) for the main site for this client. However, the standby GSS is showing online for this site.
I am really not sure where to go with this issue, so any suggestions are appreciated.
TIA,
Dan
-
ACE slowness issue when one server goes down
Hi,
We are having two application servers. Both are load balanced using ACE.
When we bring down one server, we find that when we upload some files into the second application server, it's too slow.
But when the primary server comes up again the performance increases. This issue happens only when we bring the primary server down.
We are using cookie-based stickiness. Any ideas where we can look into?
Rgds.,
Sachin
Depending on the load-balancing algorithm or predictor that you configure, the ACE performs a series of checks and calculations to determine which server can best service each client request. The ACE bases server selection on several factors including the source or destination address, cookies, URLs, HTTP headers, or the server with the fewest connections with respect to load.
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/slb/guide/classlb.html -
Hi,
We have our main website https://abc.com and it provides links to users for various applications. If I go to https://abc.com and click the link xyz on it, I get back to the main page again and current connections drop to 0. Here my browser should be redirected to https://abc.com/xyz, which is not happening. Traffic is getting tunnelled to https://abc.com as seen in the logs in HTTP catcher.
But if I type https://abc.com/xyz in the browser, I go to the correct page.
Below is my configuration. Please let me know if any other configuration is needed. The config below is with 2 links but actual production has many links.
I have a similar issue for another application where links on the main page cannot be accessed. That application works on http instead of https.
rserver redirect xyz
inservice
webhost-redirection "https://abc.com/xyz"
rserver redirect uvw
inservice
webhost-redirection "https://abc.com/uvw"
rserver host abc
ip address 1.1.1.1
inservice
serverfarm redirect xyz
rserver xyz
inservice
parameter-map type http case_param
case-insensitive
no persistence-rebalance (i also tried enabling it)
set header-maxparse-length 65535
set content-maxparse-length 65535
length-exceed continue
parameter-map type ssl abc
cipher RSA_WITH_3DES_EDE_CBC_SHA
ssl-proxy service abc
key abc
cert abc
ssl advanced-options abc
serverfarm redirect uvw
rserver uvw
inservice
serverfarm host abc
rserver abc
inservice
class-map type http loadbalance match-any map1
match http url /xyz.*
class-map type http loadbalance match-any map2
match http url /uvw.*
policy-map type loadbalance first-match ssl-abc
class map1
serverfarm xyz
class map2
serverfarm uvw
class class-default
serverfarm abc
class ssl-intranet
loadbalance vip inservice
loadbalance policy ssl-abc
loadbalance vip icmp-reply active
nat dynamic 1 vlan 368
appl-parameter http advanced-options case_param
ssl-proxy server abc
The IP address mentioned for abc.com (1.1.1.1) is on a Cisco CSS (VIP for www.abc.com for internal users) which is serving my internal clients. The CSS then points to the actual server hosting abc.com. The ACE is serving clients coming from the Internet and the CSS is serving my internal clients, which connect with http. Is this problem because of a communication issue between the ACE and the CSS?
Can anybody suggest?
class-map match-all intranet
2 match virtual-address 198.184.231.7 tcp eq www
class-map match-all ssl-intranet
2 match virtual-address 198.184.231.7 tcp eq https
I have 2 different policy maps .........intranet map redirects to ssl-intranet map which then makes redirection to individual applications.
policy-map multi-match external-lb
class extranet
loadbalance vip inservice
loadbalance policy extranet
loadbalance vip icmp-reply active
nat dynamic 1 vlan 368
appl-parameter http advanced-options case_param
class ssl-extranet
loadbalance vip inservice
loadbalance policy ssl-extranet
loadbalance vip icmp-reply active
nat dynamic 1 vlan 368
appl-parameter http advanced-options case_param -
Hi,
my question is about design.
At the left side, the server and the ACE vlan interfaces are directly connected to
the same vlan. VIP traffic flow is green, server management is brown.
The problem is, that with this design i'm restricted to one server vlan per context,
because the server gateway is the ACE and the ACE-gateway is the server-vlan-interface
at the core.
When the VIP is used, traffic flow is:
1) World is routed to the VIP-VLAN Interface on the core
2) Core sends traffic to the VIP
3) ACE sends traffic to the server through server-vlan-interface
4) server sends back to the ACE
5) ACE sends back to core through the VIP VLAN
6) core sends traffic to world, everything is fine
Now our server admins want to administrate from different locations:
w/o adding host routes to the core:
1) Admin tries to connect to the server
2) World is routed to the Server-VLAN Interface on the core
3) Core sends traffic to the server
4) server sends traffic to default-gw (ACE)
5) ACE drops traffic due to seeing traffic in only one direction, saying no matching session
Todo: Add host route into core to force the traffic to use the ace for
every single server.
with adding host routes to the core:
1) Admin tries to connect to the server
2) World is routed to the Server-VLAN Interface on the core
3) Core sends traffic to the ACE server-VLAN-interface, due to host route
4) ACE sends traffic to the server
5) server sends traffic to default-gw (ACE)
6) ACE to core via server-vlan-interface (default route), core to world and everything is fine
Now it's impossible to add another Server-VLAN interface to the ACE, because the destinations
are all the same (world) and the gateway on the ACE has to be the VLAN routing instance, the core.
So I have a default route to one server-vlan-interface on the core and all traffic passing the ACE uses
this gw. The result is that the traffic is blocked by our Firewall.
My plan is now to implement a transit-VLAN (shown on the right side of my pic) for making
my job easier (no host routes, no server admin needed (!) to change gateways..... ) and
overcome the different kind of problems.
My question is now:
Is it ensured that the ACE will see all its traffic?
I think all should be fine, because the traffic path is unique.
Thanks for reading ^^ and for posting some opinions.
regards from Germany
If I understand correctly, the servers would not be directly connected to the ACE anymore.
Their gateway would not be the ACE anymore.
Problem with this is to guarantee that server response to a *world* request goes back to ACE.
Without any specific action/config, this won't happen.
The server will forward its response to its gateway which will send it directly to the outside world, bypassing ACE and creating the same asymmetry you're trying to solve.
To solve this, you will need to do source NATing on ACE.
But then your servers will lose information about client source ip address (no more stats based on that info).
Unless you configure header insert and modify the server to read that info in each request.
As you can see this is not quite easy.
You could try bridge mode.
Create another vlan, and bridge it (BVI) with existing server vlan.
Keep the servers in their original vlan and connect the gateway to the new vlan (without changing ip addresses).
ACE will then be in the middle of GW and ACE.
Gilles. -
Hello
I am trying to allow access to one of the ACE contexts from an out-of-band network. I'd like to secure it so nothing from the ACE side is able to connect to the OOB network, while some particular hosts have access to the ACE context by SSH.
I have already configured the appropriate management class-map that secures the SSH access to the ACE, but I have a problem with securing the opposite direction. I've configured an ACL that denies all IP and ICMP traffic and applied it to the outbound direction of the management VLAN.
Unfortunately I can still ping and access some resources in the OOB network from the ACE context.
Do you know what else I should do to make it work?
Thanks in advance for any help.
Regards
Lucas
Hello
Thanks. I've checked it from a different VLAN and in fact the ACL does not allow the traffic to pass through the ACE. I also observed that modifications made to the ACL do not impact already established sessions.
Do you know any recommendation regarding the management access design in an ACE environment? I am wondering whether it is more recommended to implement one mgmt VLAN for all the ACE contexts or one mgmt VLAN per context.
Thank you for the answer.
Regards
Lucas -
Hi,
I have identified a number of MIBs that I want our OSS systems to use to collect performance data relating to our ACE (ACE20-MOD-K9 running 30.(0)A2(1.6a)). I have identified the MIBs from the CISCO-SLB-MIB and the CISCO-ENHANCED-SLB-MIB, but when our OSS systems try to do an SNMP walk on the ACE for these MIBs nearly all of them come back with the following message -
"no MIB objects contained under subtree"
The MIBs I have tried are the following -
1.3.6.1.4.1.9.9.470.1.1.1.1.17
1.3.6.1.4.1.9.9.470.1.1.1.1.18
1.3.6.1.4.1.9.9.470.1.1.1.1.19
1.3.6.1.4.1.9.9.470.1.1.3.1.11
1.3.6.1.4.1.9.9.470.1.1.3.1.12
1.3.6.1.4.1.9.9.470.1.1.3.1.13
1.3.6.1.4.1.9.9.161.1.3.1.1.5
1.3.6.1.4.1.9.9.161.1.3.1.1.13
1.3.6.1.4.1.9.9.161.1.4.1.1.17
The only one that comes back with a value is shown below -
1.3.6.1.4.1.9.9.161.1.4.2.1.7
cisco.ciscoMgmt.161.1.4.2.1.7.2.48 : Counter: 1091236
Has anyone experienced something like this or have any ideas on where we are going wrong? We have multiple virtual contexts configured and are trying to get the values from a specific context.
Thanks
Stuart
Good morning Stuart,
I do not know all the details of the configuration but what I can tell you is that in versions newer than A2(1.6a) there were some enhancements to the OIDs you report.
Please have a look at this document
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_2_x/release/note/RACEA2_2X.html
paragraph "Enhancements to the CISCO-ENHANCED-SLB-MIB".
You may need to replace cesRealServerStateUp with cesRealServerStateUpRev1.
This translates into moving from 1.3.6.1.4.1.9.9.470.0.1 to 1.3.6.1.4.1.9.9.470.0.7.
You can use the Cisco "SNMP Object Navigator" available here:
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en
to translate all the options.
I would try a newer version and see if the situation improves.
Hope this helps,
Alessandro
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Dears,
I have a Cisco 4710 configured, but my issue is that I can't ping the Virtual IP.
Attached is the configuration of the ACE4710.
Appreciate your support,
Regards.
Have you created a resource class for sticky connections in the admin context?
resource-class sticky
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 10.00 maximum unlimited
This is mandatory if you are using a sticky-based serverfarm in user contexts.