ACE Module Radius with ACS 4.2

Hi,
I am able to authenticate to my ACE modules via Radius, but when I login it does not give my Admin rights. Does anyone have a fix for this? My ACS admin has been working with TAC since last week to no avail.
John...

You have to use a custom AV pair on TACACS server under user setup to make it work. ACE uses RBAC (role based Access Control) and for that you have to pass the context and User Role from Tacacs server to ACE to make it work.If there is no RBAC info is pushed from Tacacs server and user just get authenticated then the default role assigned by ACE is Network-Monitor.
Following steps (On tacacs server) will make it work
1. Select your user
2. goto tacas+ settings
3. Select " shell (exec)" checkbox
4. Select "custom attributes" checkbox
5. Type your context and role information in custom attrib box, using following format
shell:*
for e.g (if context name is Admin, domain is default-domain and you want to assign role "Admin" to this user )
shell:Admin*Admin default-domain
Hope it helps
Syed

Similar Messages

  • Can't auth to Nortels networks devices using RADIUS with ACS 5.1

    Hi,
    I've got a problem with the ACS 5.1 RADIUS Authentication for Nortel network devices (Baystack 470, ERS 5530 5510, Passport 8606).
    After configuring RADIUS on these device (primary serv, secondary serv, secret key, port...) and adding them to my ACS Servers.
    I can't manage to login using RADIUS and i get the following message.
    "Permission denied, please try again" or "No response from RADIUS server"(?) (depending on the device type)
    But in my ACS View, I can see : "Authentication succeeded."
    I've also checked the RADIUS frames, the "Access-Request" and "Access-Accept" are correctly transmitted.
    I've got no problems with RADIUS Auth using other brand devices
    Is there any known issues with Nortels devices using Cisco ACS 5.1 with RADIUS  Authentication ?
    Regards.

    Are you sure that setting up a compound condition will help ?
    To me, the RADIUS Nortel VSA are used for Authorization,and my problem is about Authentication (usually for a simple authentication, we stay in the IETF RADIUS Standards ? no ?)
    Also, does setting this condition will change the Access-Accept packets sent by the ACS to the device ?
    Here is my steps in the ACS View
    11001  Received RADIUS  Access-Request
    11017  RADIUS created a new  session
    Evaluating Service Selection  Policy
    15004  Matched rule
    15012  Selected Access  Service - Default Network Access
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity  Store - Internal Users
    24210  Looking up User in  Internal Users IDStore - radius
    24212  Found User in Internal  Users IDStore
    22037  Authentication Passed
    Evaluating Group Mapping  Policy
    Evaluating Exception  Authorization Policy
    15042  No rule was matched
    Evaluating Authorization  Policy
    15006  Matched Default Rule
    15016  Selected Authorization  Profile - Permit Access
    11002  Returned RADIUS  Access-Accept
    So I think the ACS does its job

  • ACE Module throughput

    Hi
    In the Datashhet of the ACE-Module (ACE20-MOD-K9) there is the following promise:
    Throughput
    16 Gbps*, 8 Gbps*, and 4 Gbps
    We have a base license, so I assume we have a throughput of 4Gbps (gigabits per second).
    Are these 4Gbps bidirectional or unidirectional?
    Is it 2Gbps in one direction and 2Gbps in the other direction?
    Imagine we have just 1 host (A) before the ACE module and just 1 host (B) behind the ACE module. Can I transfer data from A to B (unidirectional) with 4Gbps? Assume the hosts are connected with 10Gbps to the network and use multiple flows!
    How can I measure the effective used bandwith on the ACE module?
    What hapens, if host A tries to send data faster than 4Gbps? Does it deny single packets? Base on what? Does it deny additional sessions?
    How do I know that the ACE runs at it's bandwith limitation?
    Any Ideas?
    Thanks
    Patrik

    Hi Patrik,
    See my answers inline:
    We have a base license, so I assume we have a throughput of 4Gbps (gigabits per second).Are these 4Gbps bidirectional or unidirectional?Is it 2Gbps in one direction and 2Gbps in the other direction?
    It measures the total throughput going through the box. It includes both directions. Also take into account that, for any traffic through the ACE, the packets are seen twice (client to ACE and ACE to server), so the effective throughput is half of the licensed one.
    Imagine we have just 1 host (A) before the ACE module and just 1 host (B) behind the ACE module. Can I transfer data from A to B (unidirectional) with 4Gbps? Assume the hosts are connected with 10Gbps to the network and use multiple flows!
    You could get up to 2Gbps unidirectional. This traffic will go through the ACE twice, adding to the 4Gbps license
    How can I measure the effective used bandwith on the ACE module?
    With the "show resource usage" command
    What hapens, if host A tries to send data faster than 4Gbps? Does it deny single packets? Base on what? Does it deny additional sessions?
    It will drop packets that go over the bandwidth without taking into account to which connection they belong
    How do I know that the ACE runs at it's bandwith limitation?
    Again, "show resource usage"
    Regards
    Daniel

  • ACS support for ACE Module

    Does ACS for Windows 3.3 support AAA for the ACE module?

    I don't think that is correct. I am still
    having issues with ACE and ACS. See below:
    ACE version Software
    loader: Version 0.95
    system: Version A1(7b) [build 3.0(0)A1(7b)
    Cisco ACS version 4.0.1
    I am trying to authenticate admin users with AAA authentication for ACE management.
    This is what I've done:
    ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
    warning: numeric key will not be encrypted
    ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
    ACE-lab/Admin(config-tacacs+)# server ?
    TACACS+ server name
    ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
    can not find the TACACS+ server
    specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
    ACE-lab/Admin(config-tacacs+)#

  • A problem with ACL in the class-map on the ACE module

                      Hi all,
    I configured the following on the ACE module:
    object-group network test
      host 192.168.1.21
      host 192.168.1.22
      host 192.168.1.23
    object-group service port
      tcp eq www
      tcp eq 8080
    access-list T line 8 extended permit object-group port object-group test any
    I tried to configure a class-map for matching this ACL:
    ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
    ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
    Error: Cannot associate acl having object-group ACEs in class-map.
    So couldn't I  configure the class-map by using ACL with object-groups involved? Is it the bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACL without object-groups for the traffic classification. It is horrible.
    Thank you
    Roman

    Hi Roman,
    I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
    Regards
    Daniel

  • Ace module in bridged mode with client nat

    Could someone confirm whatever a NAT is supported for ACE-20 module, please?
    Let me to explain technical details.
    I do need to convert working CSM(SLB) config to ACE configuration and I am not quite sure
    if the configuration below is correct. ACE module should be configured in bridge mode with two
    vlans - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
    NAT on ACE configurad as "nat dynamic 1025 vlan 436" into corresponding
    "policy-map type loadbalance"
    Could you check two parts of configs and advise me if the ACE config is
    properly converted from CSM and will be working in the same way (especialy for NAT).
    Thank you in advance.
    CSM config
    =======
    vlan 36 client
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
      gateway 10.36.3.1
    vlan 436 server
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
    natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
    sticky 30 netmask 255.255.255.255 address source timeout 60
    probe SHAREPOINT tcp
      interval 30
      failed 120
      open 3
      port 80
    probe WEBMAIL-443 tcp
      interval 5
      failed 60
      open 2
      port 443
    serverfarm WEBMAIL-443
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 443
       inservice
      real 10.36.3.102 443
       inservice
      probe WEBMAIL-443
    serverfarm WEBMAIL-80
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 80
       inservice
      real 10.36.3.102 80
       inservice
      probe SHAREPOINT
    vserver WEBMAIL-443
      virtual 10.36.3.100 tcp https
      serverfarm WEBMAIL-443
      sticky 60 group 30
      replicate csrp sticky
      replicate csrp connection
      persistent rebalance
      inservice
    vserver WEBMAIL-80
      virtual 10.36.3.100 tcp www
      serverfarm WEBMAIL-80
      replicate csrp connection
      persistent rebalance
      inservice
    ACE config
    =======
    probe tcp WEBMAIL-443
      interval 5
      open 2
      passdetect interval 60
      port 443
    probe tcp SHAREPOINT
      interval 30
      open 3
      passdetect interval 120
      port 80
    serverfarm host WEBMAIL-443
      predictor leastconns
      probe WEBMAIL-443
      rserver 10-36-3-101 443
        inservice
      rserver 10-36-3-102 443
        inservice
    serverfarm host WEBMAIL-80
      predictor leastconns
      probe SHAREPOINT
      rserver 10-36-3-101 80
        inservice
      rserver 10-36-3-102 80
        inservice
    class-map match-all WEBMAIL-80
      match virtual-address 10.36.3.100 tcp eq www
    class-map match-all WEBMAIL-443
      match virtual-address 10.36.3.100 tcp eq https
    sticky ip-netmask 255.255.255.255 address source 30
      serverfarm WEBMAIL-443
      replicate sticky
      timeout 60
    policy-map type loadbalance first-match WEBMAIL-80
      class class-default
        serverfarm WEBMAIL-80
        nat dynamic 1025 vlan 436 serverfarm primary
    policy-map type loadbalance first-match WEBMAIL-443
      class class-default
        sticky-serverfarm 30
        nat dynamic 1025 vlan 436 serverfarm primary
    parameter-map type http HTTP_ADV_OPT
      persistence-rebalance
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    interface vlan 36
      bridge-group 36
      service-policy input IFVLAN36-POLICY
      mac-sticky enable
      no shutdown
    interface vlan 436
      bridge-group 36
      nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
      no shutdown
    interface bvi 36
      ip address 10.36.3.3 255.255.255.0
      peer ip address 10.36.3.4 255.255.255.0
      no shutdown

    Hello F.Makarenko-
      You will want to use PAT while you do nat, so change the natpool configuration to this:
       nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
      You also need to apply the nat like this:
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
    If you are going to build out a lot of classes, you can instead do source nat like this:
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    class class-default
        nat dynamic 1025 vlan 436
    Regards,
    Chris Higgins

  • Simple SLB with the ACE Module

    Hello,
    i have some problems with a ACE module i am currently tesing.
    I have a simple Serverfarm with two Servers.
    But there seems to be some Problems with the Loadbalancing i not understand:
    1) I use Round Robin, but the ACE seems to put me serval times to the same server. I notice this, because i have different content on both servers, also different URLs.
    2) withz the show serverfarm statement the total connects do not increment.
    switch/slb-c1# show serverfarm webfarm
    serverfarm : webfarm, type: HOST
    total rservers : 2
    ----------connections-----------
    real weight state current total
    ---+---------------------+------+------------+----------+--------------------
    rserver: web1
    10.0.33.201:0 8 OPERATIONAL 0 0
    rserver: web2
    10.0.33.200:0 8 OPERATIONAL 0 0
    switch/slb-c1# show service-policy L4_LB_VIP
    Status : ACTIVE
    Interface: vlan 300
    service-policy: L4_LB_VIP
    class: L4_VIP_CLASS
    loadbalance:
    L7 loadbalance policy: L7_SLB_POLICY
    VIP Route Metric : 77
    VIP Route Advertise : DISABLED
    VIP ICMP Reply : ENABLED
    VIP State: INSERVICE
    curr conns : 0 , hit count : 15
    dropped conns : 0
    client pkt count : 10198 , client byte count: 420991
    server pkt count : 23367 , server byte count: 34915173
    I have attatched the Config.
    Any Idea what is going on?

    what version do you have ?
    I would recommend to run the very recent A1.4.
    This is something that really should work.
    Gilles.

  • Monitoring the Cisco ACE module with SNMP

    We use 2 redundant Cisco ACE loadbalancer in our datacenter
    The models are ACE20-MOD-K9 with software A2(2.0)
    Does anybod know how to monitor the environment (cpu, memory) of such a module with snmp?
    We were not able to find an applicable MIB for that module.
    The CISCO-PROCESS-MIB.oid (ftp://ftp.cisco.com/pub/mibs/oid/CISCO-PROCESS-MIB.oid) seems not to reflect the correct oid's.
    What are the correct oid's for cpu and memory?
    Where can I find a detailed documentation for snmp-monitoring the cisco ace module?
    thanks

    Hi Patrik,
    to monitor the ACE I use these two MIB's:
    ftp://ftp.cisco.com/pub/mibs/v2/CISCO-SLB-MIB.my
    ftp://ftp.cisco.com/pub/mibs/v2/CISCO-ENHANCED-SLB-MIB.my
    Example for CPU:
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Normale Tabelle";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin:0cm;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    cpmCPUTotalEntry 1.3.6.1.4.1.9.9.109.1.1.1.1
    The resource usage and other interesting things you will find with a MIB browser.
    Achim

  • Cisco ACE Module with Bluecoat Cache Proxy, Transparent and spoofing client IP

    Hello Dears,
    I'm trying to implement Cache loadbalancing through Cisco ACE Module.
    I have 2 Bluecoat cache proxies, when i do configure transparent proxy without spoofing client IP, everything work properly, but when I enable spoofing client IP (reflect client IP address), clients are not able to access internet, although they are going to cache servers, I can see their sessions.
    I'm afraid that I have a problem in the returned traffic PBR.
    can anyone help please.
    Thanks

    Hi Ibrahim
    I ahve reviewed the config. The ACE config is all god but I do see some issue with the switch side. If you are doing ip spoofing, then "match ip address" in pbr should be the client ip address. However, what you did is ip address between the ACE and MSFC. Try to configure the test client ip address into the below access-list.
    msfc---vlan 265---ACE--vlan 264----CE farm
    interface vlan 265
      description Interface_With_MSFC_SUBS_2_INTERNET
      ip address 168.168.1.52 255.255.255.248
      access-group input PERMIT_ALL
      service-policy input L3L4_PM
      no shutdown
    ip route 0.0.0.0 0.0.0.0 168.168.1.50
    ip access-list extended HSDPA_2_CACHE
    permit tcp 168.168.0.0 0.0.255.255 any eq www   <<<-- wrong
    ip access-list extended Internet_2_CACHE
    permit tcp any eq www 168.168.0.0 0.0.255.255   <<<---wrong
    interface Vlan 265
    description Interface_With_ACE
    ip address 168.168.1.50 255.255.255.248
    route-map INTERNET_2_HSDPA permit 10
    description "PBR for Response HTTP Traffic"
    match ip address Internet_2_CACHE
    set ip next-hop 168.168.1.52
    route-map HSDPA_2_INTERNET permit 10
    match ip address HSDPA_2_CACHE
    set ip next-hop 168.168.1.52
    regards
    Andrew

  • AIRONET 1260 with new radius cisco ACS 4.x

    Hi, I have a new CISCO AIRONET 1260
    I have CISCO ACS 5.1 radius for VPN on ASA and tried to configure an NDG on it for AIRONET 1260 too and worked fine with IEEE 802.1x CISCO EAP-FAST authentication
    As I had some trouble to let users to authenticate only on VPN if are VPN users and only on CISCO AIRONET if need only WIFI AIRONET
    I tried exception policies rules but something not working. VPN was ok but not WIFI access denied for rule policy access
    I decided to install CISCO ACS 4.x on Windows 2003 that is on ACS 5 DVD
    I created NDG as done on ACS 5 put a shared secret , put on AIRONET too as done for ACS 5 but I receive an error against ACS 4.x
    To troubleshout it I tried
    http://www.cisco.com/en/US/partner/tech/tk722/tk720/technologies_configuration_example09186a00807bf3c8.shtml
    but not work ! I think to have done all fine owever on ACS 5 it worked in 5 minutes
    I searched log inside ACS 4 and found "Invalid message authenticator in EAP request" and I found this:
    https://supportforums.cisco.com/docs/DOC-3991
    Changed shared secret more times but ever not workign with ACS 4
    what's wrong?
    I need to have user and password prompt on client trying to authentincate on AIRONET WIFI and I need ACS INTERNAL USER no active directory, no LDAP , no external user database

    I have solved

  • APC (UPS) RADIUS authentication with ACS 5.X

    I am trying to do RADIUS authentication for APC (UPS) using ACS 5.2 Appliance. It is working fine with ACS 4.2, but unfortunately not with ACS 5.2. I tried creating RADIUS VSA (Vendor Specific Attributes) for APC in ACS 5.2.
    According to the APC dictionary file
    VENDOR APC 318
    # Attributes
    ATTRIBUTE APC-Service-Type 1 integer APC
    ATTRIBUTE APC-Outlets 2 string APC
    VALUE APC-Service-Type Admin 1
    VALUE APC-Service-Type Device 2
    VALUE APC-Service-Type ReadOnly 3
    # For devices with outlet users only
    VALUE APC-Service-Type Outlet 4
    I have added the attributes in blue(attached), how do I add the VALUE's (shown red) in ACS 5.2? What else should I do to get this working?
    The hit count on the ACS shows that it is getting authentication request from the APC appliance.
    Thanks in advance.

    Hi,
    I am working on the same issue and i manage to login (using Ldap A/D backend authentication). When using the standard Radius attribute Service-Type (1 for read-only and 6 for admin) i manage to get this working. I am however trying to use the APC VSAs (as above) without any success. The objective is to have outlet management for specific users, admin or read-only others. Did u manage to get this working and how?
    ./G

  • Issue with ACS 4 and AAA. Port scan shows no Radius but does show tacacs

    to start I am new to ACS so if this is an easy issue to solve please forgive me. I am trying to get Authentication working with ACS 4. I setup everything according to the instructions and when I try to test authentication with VPN concentrator I get a No active server found error. I have tried using an Internal user to start and I also have tried an AD account. If I port scan the ACS server I do not see it advertising port 1645 but I do see Port 49 for tacacs and I also see Ports 2000-2002. CSRadius is running.

    Actually, to avoid any issues I made CSRadius listen on BOTH sets of ports :)
    So unless that got changed without my knowing it should be listening on 1645/6 and 1812/3
    Darra

  • LMS PRIME 4.2 integrating with ACS 4.2

    Hello,
    i would like to integrate new lms prime 4.2 with acs.4.2 . .. !!
    is there document or user guide for this version of lms?
    Thanks in advance.
    Marwan

    IN LMS 4.2 there is nothing which is known as Integration (like LMS 3.x), since it added feature RBAC.
    Now ACS can just be used as PAM to have ciscoworks authenticated for Tacacs+ or Radius. After the auth is done, you should have a authorization set in LMS locally for user, else it will be given a default HELP DESK access.
    For more details check :
    Authentication Using Login Modules - Overview
    -Thanks

  • Reuse of context in ACE module

    Hi all, just have a question about som reuse of resources in a ACE module context.  I don't want to make a new context, and can reuse most of the existing configuration in one of my context.  The config is not complex and difficult, but I'm not sure if I can do this.
    The primary goal is to loadbalance 2 webservers with a new vip, new serverfarm, stickygroup, policy-map and different nat-pool.
    Since I haven't decided the ip addresses to be used, they are just xx in the config below.
    The changes I want to implement are in bold.  Will this work for me?
    probe http WEBGUI_D2
    description Probe for http mot webgui
    interval 10
    passdetect interval 10
    passdetect count 1
    request method get url /D2/auth/login.aspx
    expect status 200 302
    header User-Agent header-value "IDENTITY"
    rserver host cwi003
    description content server logon
    ip address 10.163.22.27
    inservice
    rserver host cwi004
    description content server logon
    ip address 10.163.22.28
    inservice
    rserver host cwi503
    description content server logon 2
    ip address 10.163.22.23
    inservice
    rserver host cwi504
    description content server logon 2
    ip address 10.163.22.24
    inservice
    serverfarm host SF_LOGON_D2
    probe WEBGUI_D2
    rserver cwi003 80
       inservice
    rserver cwi004 80
       inservice
    serverfarm host SF_LOGON2_D2
    probe WEBGUI_D2
    rserver cwi503 80
       inservice
    rserver cwi504 80
       inservice
    sticky ip-netmask 255.255.255.255 address source STICKYGROUP1
    timeout 20
    replicate sticky
    serverfarm SF_LOGON_D2
    serverfarm SF_LOGON2_D2
    class-map match-all VS_LOGON_D2
    3 match virtual-address 10.163.22.13 any
    class-map match-all VS_LOGON2_D2
    3 match virtual-address 10.163.22.xx any
    policy-map type loadbalance first-match PM_ONE_ARM_LB
    class class-default
       sticky-serverfarm STICKYGROUP1
    policy-map multi-match PM_ONE_ARM_MULTI_MATCH
    class VS_LOGON_D2
       loadbalance vip inservice
       loadbalance policy PM_ONE_ARM_LB
       nat dynamic 5 vlan 1240
    class VS_LOGON2_D2
       loadbalance vip inservice
       loadbalance policy PM_ONE_ARM_LB
       nat dynamic 6 vlan 1240
    interface vlan 1240
    description Client_server
    ip address 10.163.22.11 255.255.255.0
    peer ip address 10.163.22.12 255.255.255.0
    access-group input INBOUND
    nat-pool 5 10.163.22.14 10.163.22.17 netmask 255.255.255.192 pat
    nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
    service-policy input PM_ONE_ARM_MULTI_MATCH
    no shutdown
    ip route 0.0.0.0 0.0.0.0 10.163.22.1
    BR
    Geir

    Thanks for your reply.
    Hope I understand you correct.  This sould be the config I need to paste into the existing context.
    rserver host cwi503
      description content server logon 2
      ip address 10.163.22.23
      inservice
    rserver host cwi504
      description content server logon 2
      ip address 10.163.22.24
      inservice
    serverfarm host SF_LOGON2_D2
      probe WEBGUI_D2
      rserver cwi503 80
        inservice
      rserver cwi504 80
        inservice
    sticky ip-netmask 255.255.255.255 address source STICKYGROUP2
       timeout 20
       replicate sticky
       serverfarm SF_LOGON2_D2
    class-map match-all VS_LOGON2_D2
       3 match virtual-address 10.163.22.xx any
    policy-map type loadbalance first-match PM_ONE_ARM_LB2
      class class-default
        sticky-serverfarm STICKYGROUP2
    policy-map multi-match PM_ONE_ARM_MULTI_MATCH
      class VS_LOGON2_D2
        loadbalance vip inservice
        loadbalance policy PM_ONE_ARM_LB2
        nat dynamic 6 vlan 1240
    interface vlan 1240
      nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
    Br
    Geir

  • ACE module - Qos - set ip tos #

    All,
    Trying to mark traffic to/from L4 rules in the ACE.
    Documentation (like always) says it's really easy.  Mark traffic by using the "set ip tos <value>" command in Policy/Class configuration.  Ok, so I do this, set ip tos 24.
    Enable qos globally on the 6500 host, but don't see the traffic being marked.
    sh mls qos says that packets are being modified by module 5 (ACE)
    But I never see the tos value in any of my captures either via netflow from the host 6500, or at the firewall one hop away.
    sh mls qos:
    QoS is enabled globally
      Policy marking depends on port_trust
      QoS ip packet dscp rewrite enabled globally
      Input mode for GRE Tunnel is Pipe mode
      Input mode for MPLS is Pipe mode
    QoS Trust state is CoS on the following interface:
    Te3/1
    QoS Trust state is DSCP on the following interface:
    Gi2/3
      Vlan or Portchannel(Multi-Earl) policies supported: Yes
      Egress policies supported: Yes
    ----- Module [5] -----
      QoS global counters:
        Total packets: 207147888661
        IP shortcut packets: 0
        Packets dropped by policing: 0
        IP packets with TOS changed by policing: 2663386
        IP packets with COS changed by policing: 4889352
        Non-IP packets with COS changed by policing: 0
        MPLS packets with EXP changed by policing: 0
    Can someone explain to me what I've got wrong here?  Is the ACE simply marking traffic destined for the servers behind it and not the return traffic?  Am I missunderstanding something?

    Well... hopefully someone knows how to classify traffic coming from the ACE.
    I've given up on using the ACE to mark traffic as I'm fairly certain it won't do it.  At least not the way I want.
    However, now I've taken to marking ingress on the rserver switch ports... which has resulted in a partially sucessful solution.  Problem is, "partially" successful.
    You'll have a bunch of little conversations like this with no tos value full of push-acks:
    10:29:53.527526 207.161.222.68.2828 > 205.200.114.228.http: P 2954:3455(501) ack 203152 win 65535 (DF)
    10:29:53.527698 205.200.114.228.http > 207.161.222.68.2828: . ack 3455 win 32267
    10:29:53.555271 207.161.222.68.2828 > 205.200.114.228.http: P 3455:3686(231) ack 203152 win 65535 (DF)
    10:29:53.562676 205.200.114.228.http > 207.161.222.68.2828: P 203152:203784(632) ack 3686 win 32768
    10:29:53.674758 207.161.222.68.2828 > 205.200.114.228.http: P 3686:4036(350) ack 203784 win 64903 (DF)
    10:29:53.690853 205.200.114.228.http > 207.161.222.68.2828: P 203784:205244(1460) ack 4036 win 32768
    10:29:53.690863 205.200.114.228.http > 207.161.222.68.2828: P 205244:206704(1460) ack 4036 win 32768
    10:29:53.690871 205.200.114.228.http > 207.161.222.68.2828: P 206704:208164(1460) ack 4036 win 32768
    10:29:53.690879 205.200.114.228.http > 207.161.222.68.2828: P 208164:209624(1460) ack 4036 win 32768
    10:29:53.690887 205.200.114.228.http > 207.161.222.68.2828: P 209624:211084(1460) ack 4036 win 32768
    10:29:53.690895 205.200.114.228.http > 207.161.222.68.2828: P 211084:212544(1460) ack 4036 win 32768
    But then you'll see another conversation pop up with the correct markings
    10:31:53.845287 205.200.114.228.http > 207.161.222.68.2828: . 32753:34213(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845298 205.200.114.228.http > 207.161.222.68.2828: . 34213:35673(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845306 205.200.114.228.http > 207.161.222.68.2828: . 35673:37133(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845313 205.200.114.228.http > 207.161.222.68.2828: . 37133:38593(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845321 205.200.114.228.http > 207.161.222.68.2828: . 38593:40053(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845328 205.200.114.228.http > 207.161.222.68.2828: . 40053:41513(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845335 205.200.114.228.http > 207.161.222.68.2828: . 41513:42973(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845343 205.200.114.228.http > 207.161.222.68.2828: . 42973:44433(1460) ack 1082 win 62808 (DF) [tos 0x48]
    I think what's happening, is that the conversations full of the P-acks is the load balancer communicating directly with the client (i.e. LB pretending to be the server), whereas the marked traffic is "data only" which the load balancer isn't mangling (like it might/probably is doing with the p-acks) on it's way back to the client.
    I also can't modify the configuration of the "virtual ten gig" interface that the 6500 uses as a connection to the ACE module, so can't mark traffic there either.  And though I still have a couple of things to try, I don't believe I can do egress marking on a trunk from the 6500 either (connection to the firewalls).
    So.... PLEASE... Anyone???  Ideas???

Maybe you are looking for

  • SWF animations not working properly when exported as PDF from InDesign

    I'm using InDesign CS5 and have created a document that I want to add interactivity and animations to. I've created buttons and page destionations, etc, which all work perfectly  when exported to a PDF but the simple animation that I wanted to includ

  • Creation of a procedure

    hi all, I have a text file called abc.txt which consits of the following data 001~ joshi (i.e account number and name - tilda seperated list). I have a table called abc which consits of two cols. acc_no and acc_name. My table consists of some data. N

  • How secure is redaction in adobe acrobat x pro? Can text be read once redacted?

    I have redacted and applied all the credit card info from some pdfs and saved them after.  Is there any way of undoing the redaction and being able to read the credit card info.  Your experience in this field will be much appreciated. KF.

  • Troubleshooting checklist?

    As I've made extensive use (my thanks to all of you on these forums!) of these Discussion pages, particularly for troubleshooting my slow Safari problem, one poster with regard to a possible incompatible plug-in problem affecting a Safari upgrade, in

  • Open .bbb files on a mac

    Hi, is there a way to open blackberry files (.bbb) on a mac? I really need that information, but i can´t find a program to open the files